Privacy policy - speedyrating (part of 1. PARTIES 1.1. This Privacy Policy describes how Speedyrating collects, uses, stores, shares and protects your information on our plateform as a data controller and/or processor including, but not limited to, services provided at the domain (the “Site”); applications including, but not limited to, web and other software applications related to the Site (the “Applications”); 1.2. This Privacy Policy applies when you (“you”, “User” or “Respondent”) access, visit or use any portion of our plateform. For the purposes of this Privacy Policy, a “User” is a person who creates and showcase speedyrating surveys (data controller of Respondents data and data subject for your own data, as direct client of speedyrating), and a “Respondent” is a person who answers those surveys (data subject of user). 1.3. This Privacy Policy is part of, and is governed by, the terms and conditions set forth in the Speedyrating Terms of Use. 2. AGREEMENT TO TERMS OF PRIVACY POLICY 2.1. Any Service provided by speedyrating is purely voluntary. You are not required to provide any personal information to us unless you choose to access features of the Service that require such information. If you do not agree with the terms of this policy or Speedyrating’s Terms of Use related to the Service, then don’t share informations, exit the Applications, and stop using the Service. 2.2.Byhaving a speedyrating Account, you expressly consent to our use, disclosure and retention of your information as described in this Privacy Policy and in the Speedyrating Terms of Use. 3. CHANGES TO THE PRIVACY POLICY 3.1. We may adapt this Privacy Policy over time. We may also notify you of material changes to this Privacy Policy, before the effective date of the changes, by sending an email. If you do not accept the modified version of the Privacy Policy, you can terminate using the Service within the applicable fifteen (15) days period and the new terms won’t apply to you. Otherwise, the new terms will take effect after thirty (30) days. 4. RIGHTS TO ACCESS, RECTIFICATION OR ERASURE, OBJECTION OF PROCESSING 4.1. You have the right to access, rectification, opposition, erasure (“right to be forgotten”), and right to restriction of processing of your personal data by directing any such requests to Speedyrating (VAT number : 635955143B01 ) registered at Holstraat 235 5654BP Eindhoven. You can send the request to 5. PERSONAL INFORMATION ABOUT USERS AND RESPONDENTS SPEEDYRATING is used by survey “Users” and by survey “Respondents”. The information we receive from Users and Respondents and how we handle it differs, as set out below. 5.1. TYPEFORM USERS As a User, we collect information relating to you and your use of our Services from a variety of sources: (i) Information we collect directly from the User a) Registration information: information you provide to us when you register for an account. b) “My Account” settings: you can view and edit various preferences and personal details on “My Account” settings. For example, your default language, registered email, non-transactional communication preferences, Account name and Typeform URL. c) Typeform data: We store your typeform data (questions and responses) for you. d) Plan + Billing info: we store information about your Plan. If you subscribe to a paid plan, we require you to provide your billing details. (ii) Information we collect about the User indirectly or passively when interacting with us a) Usage data: Speedyrating collects usage data about Users whenever they interact with our services, including information they have elected to make publicly available. For example, TYPEFORM may share minimal service data with a select third-party for data enrichment purposes, provided that User has given prior permission to those third parties to share such information with other parties (i.e. TYPEFORM may share Users’ email addresses with a third party to obtain some information like company name etc) or it comes from publicly accessible sources like social media profiles. Enriching data allows us to analyse a deeper subset of data from which we may present personalized content. Prior to sharing data with any data enrichment vendor, TYPEFORM signs the corresponding Data Protection Agreement with the vendor to ensure that the data is adequately protected, that it has been lawfully obtained by vendors enabling TYPEFORM to use such data in connection with the Services, and to ensure vendors adopt adequate security controls. e) Information from cookies and page tags: TYPEFORM uses third party tracking services that employ cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data about visitors to our websites. This data may include usage and User statistics. You can obtain full information about our cookie policy here 5.2 TYPEFORM RESPONDENTS As a Respondent, when you respond to typeforms hosted by TYPEFORM, we collect, on behalf and upon instructions of Typeform’s Users, information relating to you and your use of our services from a variety of sources: (i) Information we collect directly from the Respondent: typeform responses We collect and store the typeforms responses from Respondents. The Typeform User is responsible for that data and manages it. The Typeform User is usually the same person that invited the Respondent to take the typeform and sometimes they have their own privacy policy. When responding to a typeform you may provide personal information or data. Please note that TYPEFORM is not responsible for the content of that typeform, so if you have any questions about a typeform you are taking, please contact the Typeform User directly. (ii) Information we collect about the Respondent from other sources on behalf of TYPEFORM’s Users a) Usage data: on behalf of TYPEFORM Users, TYPEFORM collects usage data about Respondents whenever they interact with our services. b) Device and application data: on behalf of TYPEFORM Users, TYPEFORM collects data from the device and application the Respondent uses to access our services, such as, among other, the IP address, browser type and operating system. We may also infer the geographic location based on the Respondent IP address. c) Referral data: on behalf of TYPEFORM Users, TYPEFORM records information about the source that referred the Respondent to a typeform (i.e. a link on a website or in an email). d) Information from cookies and page tags: TYPEFORM uses third party tracking services that employ cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data about visitors to our websites. This data may include usage and User statistics. You can obtain full information about our cookie policy as described in Section 7 below e) Email address: TYPEFORM records the email address if the User/Respondent provides it to us in order to send the Respondent a typeform notification email. (iii) TYPEFORM’S obligations as data processor when processing Respondents’ data on behalf of Users When TYPEFORM is processing Respondents’ Data on behalf of Users, the User who creates the typeform is the Data Controller in relation with the data of Respondents using such typeform, and TYPEFORM is the Data Processor of such Respondents data (hereinafter, User shall be referred to as the “Data Controller” and TYPEFORM as the “Data Processor”). For the processing of Respondents’ data on behalf of the Data Controller, the Data Processor undertakes to fulfil the following obligations: a) To treat the personal data only to carry out the provision of the contracted Services, in accordance with the instructions given in writing, at any time, by the Data Controller (unless there is a legal rule that requires complementary processing, in such a case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless the Law prohibits it on public interest grounds). b) To maintain the duty of secrecy with respect to the personal data to which the Data Processor has access, even after the termination of the contractual relationship, and to ensure that their employees have committed in writing to maintain the confidentiality of the personal data processed. c) To ensure, taking into account the available technology, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, that they will apply adequate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, among other things: -The pseudonymisation and encryption of personal data; -The ability of ensuring the continued confidentiality, integrity, availability and resilience of the systems and services ; -The ability of restoring the availability and access to personal data quickly in the event of a physical or technical incident; -A process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures in order to ensure the safety of the processing. When evaluating the adequacy of the security level, special account shall be taken of the risks presented by the data processing, in particular as a consequence of the destruction, loss or accidental or unlawful alteration of the personal data transmitted, stored or otherwise processed, or the communication or unauthorized access to such data. In the event that the implementation of specific and concrete security measures is needed, those measures will be added to this Agreement by means of an Annex. d) To keep under their control and custody the personal data to which they have access in relation with the provision of the Service, and to not disclose them, neither transfer or otherwise communicate them, not even for their preservation, to persons unrelated with the provision of the Service covered by this Agreement. However, the Data Controller may authorize, expressly and in writing, the Data Processor to use another data processor (hereinafter, the “Subcontractor”), whose identification data (full company name and fiscal identification number) and subcontracted services must be communicated to the Data Controller, prior to the provision of the service, at least with one (1) month in advance. The Data Processor will also inform the Data Controller of any change envisaged in the incorporation or substitution of the Subcontractors, giving thus to the Data Controller the opportunity to object such changes. In case of making use of the power recognized in the previous paragraph, the Data Processor is obliged to transfer and communicate to the Subcontractor the whole obligations that for the Data Processor derive from this Agreement and, in particular, the provision of enough guarantees that he will apply appropriate technical and organizational measures, so that the processing complies with the applicable regulations. In any case, access to the data made by natural persons who render their services to the Data Processor, acting within the organizational framework of the latter by virtue of a commercial and non-labour relationship, is authorized. In addition, access to the data is granted to companies and professionals that the Data Processor has hired in their internal organizational framework in order to provide general or maintenance services (computer services, consulting, audits, etc.), as long as such tasks have not been arranged by the Data Processor with the purpose of subcontracting with a third party all or part of the Services provided to the Data Controller. e) To delete or return to the Data Controller, at their choice, all personal data to which they have had access in order to provide the Service. Likewise, the Data Processor undertakes to delete the existing copies, unless there is a legal rule that requires the preservation of the personal data. However, employees and other personnel working for the Data Processor are entitled to access Users and Respondents data as required to carry out their obligations under the terms of their contract. f) To notify the Data Controller, without undue delay, of any personal data security breaches of which he is aware, giving support to the Data Controller in the notification to the Spanish Data Protection Agency or other competent Control Authority and, if applicable, to the interested parties of the security breaches that occur, as well as to provide support, when necessary, in the carrying-out of privacy impact assessments and in the prior consultation to the Spanish Data Protection Agency, where appropriate, as well as to assist the Data Controller so they can fulfil the obligation of responding the requests to exercise certain rights. g) To bring, in writing, a record of all categories of processing activities performed on behalf of the Data Controller. h) To cooperate with the Spanish Data Protection Agency or with other Control Authority, at its request, in the fulfilment of its power. i) To make available to the Data Controller the whole information necessary to demonstrate the fulfilment of the obligations established under this Agreement, as well as to allow and contribute to the performance of audits, including inspections, by the Data Controller or by a third party authorized by them. If the Data Processor or any of his Subcontractors violates this Agreement or any regulation when determining the purposes and means of the processing, they shall be held responsible for such processing. Furthermore, if such Subcontractors are based in countries which do not have a legislation on data protection which is equivalent to the EU legislation (“Third Countries”), Data Processor shall establish all safeguards required by the EU legislation in order to comply with all obligations arising from transfers of data to Third Countries, and shall promptly inform Data Controller about such safeguards if so requested. 6. PURPOSES AND LEGITIMATE BASIS OF THE USE AND SHARING INFORMATION PURPOSES OF PROCESSING 6.1. We use the information we collect from you to perform the services requested in connection with the “Speedyrating Account” selected for the purposes described in the Terms of Use. 6.2. We also use your information to review, investigate and analyze how to improve the services provided. We may also collect and analyze your data to monitor, maintain and improve our services and features. We may internally perform statistical and other analysis on information we collect (technical and meta data) to analyze and measure user behavior and trends, to understand how people use our services, in order to. Improve and optimize our performance of such services, and to monitor, troubleshoot and improve our services, including to help us evaluate or devise new features. 6.3. We’ll be sending you Speedyrating product intro and tips via e-mail. 6.4. We do not sell your typeform data to third parties without your permission. We share your information with our service providers who help us to provide our services to you, in which case those third parties are required to comply with our privacy policy and any other adequate technical and organizational measures. We contractually bind these service providers by the corresponding Data Processing Agreements to keep your information confidential and to use it only for the purpose of providing their services and pursuant to the applicable privacy legislation in the EU. Speedyrating is based in the EU and complies with the GDPR framework as set forth by the EU regarding the collection, use, and retention of personal data from EU member countries. If you are located in the EU, we guarantee that we will only transfer your data to companies that are compliant with the GDPR. 6.5. Your data is not disclosed to any third party except (i) when we have your permission, (ii) when it is required by a competent authority in the exercise of its duties or (iii) as otherwise required by law. 6.6 We do not use your speedyrating data other than as described in this Privacy Policy and the Terms of Use. 7. LEGITIMATE BASIS OF PROCESSING Speedyrating use of your data for the purposes described above is based on the following legitimate basis: 7.1 Users’ Data If you are a User, we are entitled to use your data in order to fulfil our contractual obligations with you and, if you are acting on behalf of a legal person, we have a legitimate interest to use your data in order to maintain the relation with your company as a Speedyrating client. In addition, we are entitled by law to use your data for direct marketing purposes, in order to send you commercial communications related with Speedyrating products or services which are similar to the Services, since legislation on data privacy recognizes direct marketing to clients as a legitimate interest of use of personal data. In any case, you are entitled to ask, now or at any moment, not to send you any commercial communications. If you don’t want us to send you commercial communications, you can do it, now or at any moment. Additionally, all commercial communications you might receive in the future, will include an simple and free way for you to ask us not to receive further commercial communications. 7.2 Respondents’ Data If you are a Respondent, we are processing your data as Data Processor of the User that asked you to fill the survey, so we suggest that you read carefully the own privacy policies that such User might have established for the use of your data as a Respondent 8. COOKIES A cookie is a small string of information that the website you visit transfers to your computer for identification purposes. Cookies can be used to follow your activity throughout the our plateform and that information helps us to understand your preferences and improve your experience. 9. CANCELING YOUR ACCOUNT, OPTING OUT OF EMAIL, AND MODIFYING PERSONAL INFORMATION You may cancel your account and you may opt out of receiving any emails from Speedyrating at any time by changing the settings in your account settings page. Deleting your account will cause all the survey data in the account to be permanently deleted from our systems within a 30 days period, as permitted by law and will disable your access to any other services that require a speedyrating account. We will respond to any such request, and any appropriate request to access, correct, update or delete your personal information within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law. 10. RETENTION OF YOUR INFORMATION 10.1. We retain information for active Speedyrating Accounts as long as it is necessary and relevant for our operations. 10.2. The information we retain about you will be handled in accordance with this Privacy Policy during the maximum terms permitted by law, and will exclusively be used for the purposes described in section 9.1 above. After those terms, your information will be fully deleted. 11. HOW TO CONTACT US Send a request at 12. COMPLAINTS If you consider that any use of your data might breach any of your rights, you can lodge a complaint at any time by opening a support ticket from our Help centre or, alternatively, by filing a complaint before the Dutch Authority on Data Protection