PRIVACY POLICY

Updated 11 December 2023

1.1. Purpose

Privacy policy of SS Holdings Group, LLC D/B/A Sago, branded as “Sago”, for people who are engaging with us or our digital platforms as research or prospective clients, as research partners or participants (e.g., consumers, healthcare professionals, patients, or business individuals).

1.2. Policy

Your privacy is important to us.

It is Sago’s policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, and other sites we own and operate.

In the event our site contains links to third-party sites and services, please be aware that we have no control over the content and policies of those sites and cannot accept responsibility or liability for their respective privacy practices.

Our privacy policy aims to bring you all the necessary transparency for a positive and confident experience with our services. Additional information may be provided to you as necessary when you sign up for a particular product or service.

Our privacy policy complies with global research industry Codes and Standards, as well as all pertinent laws governing privacy.

1.2.1 What Information Do We Collect

Information we collect falls into one of two categories: “voluntarily provided” information and “automatically collected” information.

“Voluntarily provided” information refers to any information you knowingly and actively provide us when using or participating in any of our services and promotions.

“Automatically collected” information refers to any information automatically sent by your devices while accessing our products and services.

We only collect and use your personal information lawfully, fairly, and in a transparent manner. We systematically respect the principle of minimization, which implies collecting and processing only what is strictly necessary to achieve our legitimate objective. We do not aim any of our products or services directly at children under the national age of consent for children, and we do not knowingly collect personal information about children under that age.

We process personal data that we need in order to carry out our business. We only process personal information in a way that is compatible with the purposes for which we collected it or subsequently authorized by the data subject. We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.

The information notice that is sent to you before any collection or processing details the applicable legal basis, which depends on the services you use and how you use them. This means we only collect and use your information on the following grounds:

In order to respect your choice when we request consent from you:

“Personal information” only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information. For example, name, contact details, location, consumer options/preferences, video/audio recordings… We may ask your consent for processing such information — for example, when you register an account or when you contact us via email, social media, or any similar technologies — which may include your name, your email, your phone/mobile number… When you contact us, you shall consent to your name and email address being used so we can respond to your inquiry.

Participation in all market research projects is voluntary and based on consent. Respondents may opt out of any market research project, at any time.

Personal information may also include “Sensitive information” or “Special categories of data” which is a subset of personal information that is given a higher level of protection. The types of sensitive information that we may collect about you include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or Philosophical beliefs
  • Sexual orientation
  • Sexual practices or sex life
  • Medical or Health conditions
  • Trade union membership

We will obtain your affirmative express consent (opt-in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of your opt-in choice. We will also treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

In addition, we ensure that strengthened security measures are applied to these data, in order to avoid any breach of confidentiality, integrity, and availability.

A “Cookie” is a small piece of data that our website stores on your computer and accesses each time you visit. We use cookies to collect information about you and your activity across our site to understand how you use our site and to enable you to access and use our website. At all times, you may decline cookies from our site.

Please refer to our Cookie Policy for more information.

You may withdraw your consent at any time using the facilities we provide; however, this will not affect any use of your information that has already taken place.

While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further inquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

In order to allow the performance of a contract or transaction at your request:

For example, if you purchase a product, service, or subscription from us, we may need to use your personal and payment information in order to process and deliver your order.

In order to follow our legitimate interests:

Where we assess whether it is necessary for our legitimate interests, such as for us to provide, operate, improve, and communicate our services, we consider our legitimate interests to include:

  • research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests,
  • business development, including operating and improving our website, associated applications, and associated social media platforms,
  • security and fraud prevention, and to ensure that our sites and apps are safe, secure, and used in line with our terms of use.

When you visit our website, our servers may automatically log the standard data provided by your web browser. It may include your device’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details about your visit. The data we collect can depend on the individual settings of your device and software. We recommend checking the policies of your device manufacturer or software provider to learn what information they make available to us.

Additionally, if you encounter certain errors while using the site, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem. You may or may not receive notice of such errors, even at the moment they occur, that they have occurred, or what the nature of the error is.

Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.

“Transaction data” refers to data that accumulates over the normal course of operation on our platform. This may include transaction records, stored files, user profiles, analytics data, and other metrics, as well as other types of information, created or generated, as users interact with our services.

We consider “User-generated content” to be materials (text, image and/or video content) voluntarily supplied to us by our users for the purpose of publication, processing, or usage on our platform. All user-generated content is associated with the account or email address used to submit the materials.

Please be aware that any content you submit for the purpose of publication will be the property of the client after posting (and subsequent review or vetting process). User-generated content cannot be used for purposes beyond market research (i.e., advertisements and customer testimonials) without express written permission. Once published, it may be accessible to third parties not covered under this privacy policy.

In order to comply with the law:

In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further inquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

1.2.2 How Do We Ensure the Security of Your Personal Information

Because we are ISO 27001 certified, we comply with high international standards for computer security and the protection of personal information.

When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification.

You are responsible for selecting any password and its overall security strength, and for ensuring the security of your own information within the bounds of our services. This includes, for example, ensuring that any passwords associated with accessing your personal information and accounts are secure and confidential.

We comply with laws applicable to us in respect of any data breach.

1.2.3 How Long Do We Keep Your Personal Information

We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this privacy policy.

For example, if you have provided us with personal information as part of creating an account with us, we may retain this information for the duration your account exists on our system. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.

However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation (i) such as reporting of Incentive payments on a yearly basis to federal and/or state regulatory authorities pursuant to legal requirements or (ii) for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.

Except as otherwise permitted by law, regulation, or EU-U.S. Data Privacy Framework Principles, we destroy or anonymize personal data after it no longer serves a purpose of processing as contemplated above and/or once a lawful basis for processing it ceases to exist.

 

1.2.4 Who Are the Recipients of Your Personal Information and Where Are They Located

We may disclose personal information to:

  • a parent, subsidiary, or affiliate of our company in order to provide product support
  • third-party service providers for the purpose of enabling them to provide their services, including (without limitation) IT service providers, data storage, hosting and server providers, analytics, error loggers, debt collectors, maintenance or problem-solving providers, professional advisors, and payment systems operators
  • our employees, contractors, and/or related entities in order to support the product
  • our existing or potential agents or business partners in order to support the product
  • credit reporting agencies, courts, tribunals, and regulatory authorities, in the event you fail to pay for goods or services we have provided to you
  • courts, tribunals, regulatory authorities, and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights
  • third parties, including agents or sub-contractors, who assist us in providing information, products, services, or direct marketing to you
  • an entity that buys, or to which we transfer all or substantially all of our assets and business

Third parties we currently use include:

  • Google Analytics for product usage metrics (unless prohibited by national data protection authorities)
  • Google Ads and LinkedIn Insights Tag to measure our marketing campaigns
  • Google Cloud Natural Language for text sentiment and for image analytics (brand/logo recognition)
  • Azure Application Insights for logging and troubleshooting user issues
  • Azure Cognitive Services for image analytics and machine text translation
  • Amazon web services for data storage, compute, and image processing
  • Help Scout for managing and responding to customer support requests
  • Twilio for video interview capabilities
  • Rev for video transcription services
  • Hotjar for product usage metrics
  • Drift Chatbot to help site visitors to navigate and make decisions
  • Marketo (our Automation tool) to record and process user-submitted information
  • Sense to get account insights
  • Research Defender, Imperium, IPQualityScore, RelevantID, and MaxMind to identify suspicious respondents, eliminate fraudsters and bad actors, and ensure accurate and high-value datasets

 

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy, which they will be required to assume as it is the basis for any ownership or use rights we have over such information.

The personal information we collect is stored and/or processed in the United States, or where we or our partners, affiliates, and third-party providers maintain facilities.

The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.

 

1.2.5 Which Are the Security Measures in Place?

Access to private, sensitive, and confidential information, including your personal information, is restricted to authorized employees with legitimate business reasons.

All employees are expected to always maintain the confidentiality of personal information, and failure to do so will result in appropriate disciplinary measures.

We follow reasonable technical and management practices to help protect the confidentiality, security, and integrity of data stored on our system. While no computer system is completely secure, the measures implemented by our website reduce the likelihood of security problems to a level appropriate to the type of data involved. We employ physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of any personal contact information. We encrypt the transmission of sensitive information using secure socket layer technology (SSL).

 

1.2.6 What Are Your Rights

  • Access: You may request details of the personal information that we hold about you. We reserve the right to limit such access where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
  • Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our website or the products and/or services offered on or through it.
  • Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such a person’s consent to provide the personal information to us.
  • Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
  • Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
  • Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example processing transaction data), we will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services. Respondents are not discriminated against for their answers. Selection for participating in a study relies on research project objectives. Participation in studies is not related to any fees, and membership in our panel will also have no costs.
  • Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

You have the right to choose (opt-out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. If you wish to opt out, all you need to do is contact us at [email protected]. If you contact us to opt out, we will explain the options available and comply with your request as required by the Principles and the applicable law. Please note that applicable laws allow certain exceptions to your ability to opt-out, such as where we are parties to a contract that is still being performed, where the law requires us to maintain information tow claims or tax reports, or otherwise. In such cases, we will retain and continue to use your information only to the extent permitted or required by law. The above opt-out right doesn’t apply where the sharing of your personal data is with a third party who is acting as our agent (such as our service providers who perform services that help us to run our business). We won’t provide your personal data to a third party under these circumstances unless we have a contract in place with that third party that requires the third party to comply with the DPF Principles.

Under European, Australian, and Canadian data protection laws, you also have the following rights:

  • Downloading of Personal Information: We provide a means for you to be provided with the personal information you have shared through our site. Please contact us for more information.
  • Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
  • Objecting to processing: You have the right to object to the processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, in order to proceed with the processing of your personal information.
  • Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or another easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.
  • Deletion: The data controller of a project may have a right to request that we delete the personal information we hold at any time, and we will take reasonable steps to delete personal information from our current records. If you ask us to delete your personal information, we will let you know how the deletion affects your use of our website or products and services. There may be exceptions to this right for specific legal reasons which, if applicable, we will set out for you in response to your request. If you terminate or delete your account, we will delete your personal information without undue delay. Please be aware that search engines and similar third parties may still retain copies of your personal information that has been made public at least once, like certain profile information and public comments, even after you have deleted the information from our services or deactivated your account.

 

We will respond to your requests without undue delay and at the latest within one month of receipt of your request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

1.3. United States Considerations

The purpose of this privacy policy is to inform you about the processing of your personal data by Sago and its entities in accordance with research industry Codes and Standards relating to the USA and additionally the country in which each Sago company is based.

Sago companies comply with all pertinent Federal and State laws governing privacy, including but not limited to the enacted California Consumer Privacy Act (CCPA) and recently amended California Privacy Rights Act (CPRA).

For questions or concerns relating to privacy, you may contact us by email at [email protected].

All requests to exercise your rights must be accompanied by the details necessary to process your request. A copy of proof of identity may be requested if necessary.

1.4. European Considerations

The purpose of this privacy policy is to inform you about the processing of your personal data by Sago and its entities in accordance with the European Data Protection Regulation (the GDPR) and the UK GDPR, the amended French Data Protection Act, the new Spanish Fundamental Law on Data Protection (the NLOPD), the new German Federal Data Protection Act (the BDSG), and the UK Data Protection Act (the DPA).

Sago has signed internal EU Commission Standard Contractual Clauses and UK Addendum to safeguard its international transfers of personal data.

You have the right to lodge a complaint with your national data protection authority. You can find more information about your data protection rights on your authority’s website.

Sago has appointed a Data Privacy Officer in each European country to be your privileged interlocutor regarding the processing of your personal data. If you wish to contact a DPO, you can write to them at the following addresses:

All requests to exercise your rights must be accompanied by the details necessary to process your request. A copy of proof of identity may be requested if necessary.

1.5. Canadian Considerations

The purpose of this privacy policy is to inform you about the processing of your personal data by Sago and its entities in accordance with the laws of Ontario and the applicable federal laws of Canada.

If you have any questions or comments about this Privacy Policy, you may contact us at [email protected] or via postal mail at:

370 King St. West, 5th Floor, Box 4
Toronto, ON, Canada, M5V1J9

1.6. Australian Considerations

The purpose of this privacy policy is to inform you about the processing of your personal data by Sago and its entities in accordance with the federal Privacy Act, the Australian Privacy Principles, and States and Territories’ legislations.

The Central Server is located in an Australian data centre with a fully redundant network with no single point of failure, contains multiple layers of network security, and is also secured with Windows Firewall and IPsec policy.

You can change your information at any time, through the profile tab in your member portal. We are obliged by law to ensure that your information is accurate and up to date at all times.

If you have any queries or complaints in relation to your personal information, please don’t hesitate to get in touch: [email protected]

You will need to outline what information you would like access to or identify your concerns. We will endeavour to respond to you within 3 business days.

1.7. Data Privacy Framework (DPF) Specificities

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF Program, and to view our certification, please visit https://www.dataprivacyframework.gov/. We commit to subject all the personal data received from the EU in reliance on the EU-U.S. DPF to the DPF Principles for as long as we retain the personal data.

Sago receives personal data from EU and UK employees, respondents, panel members, clients, and website visitors. Sago will process their personal data for the following purposes:

For each category of data subjects, the purposes of the processing of their data and the categories of third parties involved are:

EU and UK employees

  • Purposes of the processing of their data: support requests management; HR management; data storage; vouchers management
  • Categories of third parties involved: bug tracking, incident management and project management system; human resources management services; data host

EU and UK respondents

  • Purposes of the processing of their data: project management; requests management
  • Categories of third parties involved: market research services providers; ticketing services

EU and UK panel members

  • Purposes of the processing of their data: panel management; requests management; data storage
  • Categories of third parties involved: data host; ticketing services

EU and UK clients

  • Purposes of the processing of their data: relationship management; business development
  • Categories of third parties involved: customer relationship management solutions

EU and UK websites’ visitors

  • Purposes of the processing of their data: to enable website core features (like user logins); to configure settings on the website visited (like language); to provide customized, enhanced, or optimized content and services; to measure the website performance and marketing campaign success
  • Categories of third parties involved: cookies management platform

For complaints concerning Human Resources (HR) Personal Data and Personal Data other than HR, at no cost, you may file a complaint concerning how we process your Personal Data. We will take steps to remedy issues arising out of our alleged failure to comply with the DPF Principles. All you need to do is contact us at [email protected]. If your complaint cannot be resolved through our internal processes, we cooperate with the panel established by the Data Protection Authorities (DPAs).

Under certain circumstances and following the procedures and subject to conditions set forth in the DPF Annex I, you may also be able to invoke binding arbitration to address complaints about Sago’s compliance with the DPF Principles.

We are subject to the investigatory and enforcement powers of the FTC, the DOT or any other U.S. authorized statutory body.

We will disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

When we transfer personal data to a third party acting as a controller, we comply with the DPF Principles. We also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with your consent and that the recipient will provide the same level of protection as the DPF Principles and will notify us if it makes a determination that it can no longer meet this obligation. Those contracts provide that, when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

When we transfer personal data to a third party acting as an agent, (i) we transfer such data only for limited and specified purposes; (ii) we require (usually by contract) at least the same level of privacy protection as is required by the DPF Principles; (iii) we take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization’s obligations under the Principles; (iv) we require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), we take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) we will provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the Department of Commerce upon request.

If we transfer personal data to a third party acting as an agent on our behalf who processes such data in a manner inconsistent with the DPF Principles, we remain liable under the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

When we become subject to a court order that is based on non-compliance or an order from a U.S. statutory body (e.g., FTC or DOT) listed in the DPF Principles or in a future annex to the Principles that is based on non-compliance, we will make public any relevant EU-U.S. DPF-related sections of any compliance or assessment report submitted to the court or U.S. statutory body to the extent consistent with confidentiality requirements.

1.8. How Can You Find Out About Changes to This Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.

If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.

If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.

1.9. Contact Us

For any general questions or concerns regarding your privacy, you may contact us using the following details:

US
EU
Canada
Australia