Zurvey.io Privacy Policy
The service provider of Zurvey.io, Neticle PLC. (seat: H-1016 Budapest, Naphegy utca 28. fszt. 2.; Company registration number: Cg.: 01-10-141188) as data controller (‘Service Provider' or ’Data Controller’) respects the personal rights of the data subjects (’Data subject’ or ‘User’), especially the data protection rights determined by the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (’GDPR’) and the Data Protection Act 112 of 2011. Data controller undertakes to apply these laws and expresses to be bound by these provisions.
The basic principles for data processing
Personal data shall be:
- processed lawfully, fairly and, in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, the principles of data processing (‘accountability’).
Data Controller
Neticle PLC
Registered seat: H-1016 Budapest, Naphegy utca 28. fszt. 2.
Postal address: H-1016 Budapest, Naphegy utca 28. fszt. 2.
Registration number: 01-10-141188
Phone number:
Email: info@zurvey.io
Web: zurvey.io
Regarding data privacy and terms of use questions please contact our CIO whose role includes the Data Protection Officer position as well:
- Zoltán Csikós, co-founder and CIO
- zoltan.csikos@neticle.com
- Address: H-1016 Budapest, Naphegy utca 28. fszt. 2.
The purpose and legal title of data processing
Data Controller will use the personal data of the Data Subjects given on the registration form or otherwise exclusively for the following purposes:
a) Provide access to the services of Zurvey.io (‘Services’);
b) Customer services related services, relationship management;
c) Sending newsletters about the new releases and educational contents, including Onboarding Support, Renewal Support, Technical Support, Commercial Support (Billing, Invoicing, Upgrade / Downgrade, Quota extension, Feature extension / downgrade, training). Users can unsubscribe from newsletters anytime. Neticle may use a ticketing system in order to track and manage support requests;
d) collecting demo requests.
The Data Controller process the personal data of the Data subject on the basis of the consent of the Data subject (GDPR Article 6 (1) a)).
Scope of personal data processed
The scope of personal data processed:
(i) surname and first name
(ii) email address
(iii) IP address
(iv) telephone number
(v) business scope / industry
(vi) position
(vii) billing address
(viii) credit/debit card data
Data Controller receives the personal data directly from the Data subject.
Cookie Policy
Both Zurvey.io website and platform use cookies. The Service Provider only uses cookies for analytics, marketing, and to improve user experience, and does not share cookie related data other providers than the ones listed below.
When visiting the Data Controller’s website, the Data subject’s browser may store a cookie. Some of the cookies used by us are indispensable for the proper operation of the site, while others collect information related to its use, allowing to upgrade the site to offer more convenient services. Temporary or “session cookies” are erased when the browser is closed while “permanent cookies” stay in your browser for a longer time.
"Session cookies" facilitate browsing our site and using its functions. Among others, they store the actions taken on the site related to a function or service. Without the use of "session cookies" the site’s operation cannot be guaranteed. Their term of authorization is limited to the duration of the visit; "session cookies" expire whenever the Data subject ends the session or closes the browser.
Performance cookies gather information about how the Data subject uses the website in order to be able to improve the website, its functions and services to suit the needs of the visitors to offer them high quality, user-friendly experience.
Advertising cookies are used to select advertisements that the visitors are interested in and enable the data controller to display such advertisements on the websites of third parties to them. They also help measure the performance of the Service Provider’s campaigns based on the information gathered with them.
The website uses the following cookies:
Cookie | Description | Duration |
---|---|---|
__cfduid | The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month |
_ga | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. | 2 years |
_gid | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form. | 1 day |
_gat_gtag*** | Google uses this cookie to distinguish users. | 1 minute |
test_cookie | This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies. | 15 minutes |
__hstc | This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). | 1 year |
hubspotutk | This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts. | 1 year |
__hssrc | This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. | |
__hssc | This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. | 30 minutes |
JSESSIONID | Preserves users states across page requests. | session |
messagesUtk | Stores a unique ID string for each chat-box session. This allows the website-support to see previous issues and reconnect with the previous supporter. | 1 year |
collect | Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels. | session |
__hmpl | Collects information on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign -platform used by website owners for promoting events or products. | persistent |
ptq.gif | Sends data to the marketing platform Hubspot to the visitor's device and behaviour. Tracks the visitor across devices and marketing channels. | session |
embed/v3/counters.gif | Collects information on user preferences and/or interaction with web-campaign content - This is used on CRM campaign -platform used by website owners for promoting events or products. | session |
HUBLYTICS_EVENTS_53 | Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement- This is also allows the website to limit the number of times that the visitor is shown the same advertisement. | persistent |
i18n-cached-public-locale | Used by Google DoubleClick to register and report the website user's actions after view in Google or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user. | 1 year |
pagead/1p-user-list/# | Google.com advertisement support | session |
r/collect | This cookie is used to send data to Google Analytics about the visitor's device and behaviour. It tracks the visitor across devices and marketing channels. | session |
mailerlite:webform:shown:1324576 | Used to remember if somebody is already on the mailing list of Zurvey.io. | persistent |
The Service Provider uses the following platform related cookies in order to improve the Services:
Cookie | Description |
---|---|
zurvey_session | Work session for the user, used for logins to the platform. |
remember_web_**** | A cookie used for the remember me function during logins. |
survey_*** | We track if a respondent has already started to fill in a survey or not |
finished_*** | We track if a respondent has finished a survey or not |
isMenuCollapsed | We track if a user is using the platform’s left menu open or closed. |
Users can use their browser settings to manage how they receive, store, process or block cookies.
These links show you how Users can do it in the popular web browsers:
- Google Chrome https://support.google.com/chrome/answer/95647
- Internet Explorer https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
- Microsoft Edge: https://support.microsoft.com/en-us/help/4027947/microsoft-edge-delete-cookies
Users shall consider that blocking cookies completely might make the website or platform unusable.
Facebook Pixel Policy
The Service Provider’s website or app utilizes the Pixel service of Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (“Facebook”). The Facebook Pixel is a small piece of Javascript code that allows the Service Provider to follow the actions of Users after visiting the website or application and tracking how Users use the Services. The collected data remains anonymous. Nonetheless, Facebook saves and processes the collected data. This pixel records information about the User’s browser session, which it sends to Facebook, along with a hashed version of the Facebook ID and the URL viewed. Every Facebook user has a unique, device-independent Facebook ID that allows the Service Provider to address and recognise Users across a range of devices using the Facebook social network so that the Service Provider can address the Users for marketing campaigns using Facebook ads. The user information will be deleted after 180 days, until the User revisits the Service Provider’s website. No personal information about individual visitors to the website will be disclosed to the Service Provider and the Service Provider can only advertise to website customer target groups in a targeted way once the customer target group has reached a critical mass. This makes it impossible for the Service Provider to discover the identity of individual Users. Facebook is able to connect the data with the User’s Facebook account and use the data for their own advertising purposes, in accordance with Facebook’s Data Use Policy found under https://www.facebook.com/about/privacy/. Facebook Conversion Tracking also allows Facebook and its partners to show Users advertisements on and outside Facebook. In addition, a cookie will be saved onto the User’s computer for these purposes. Please click here if you would like to revoke your permission: https://www.facebook.com/ads/website_custom_audiences/
Google Tag Policy
Zurvey.io portal will use Google Tags to retarget Users with ads, legal details can be found:
- https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/
- https://support.google.com/tagmanager/answer/9323295?hl=en
- https://policies.google.com/privacy?hl=en
If the User doesn’t want Google to follow their clicks: https://support.google.com/accounts/answer/32050
Duration of the data processing
Data controller will use and store the personal data until the purpose is satisfied. In certain, special cases, the Data Controller may control the personal data after the purpose has been satisfied.
Data processors
Data controller uses the services as data processing, of the following companies:
- Microsoft Azure Cloud (cloud processing and storage provider) https://azure.microsoft.com/
- Hubspot (marketing, sales and service software): https://www.hubspot.com/
- Mailerlite (email marketing): https://www.mailerlite.com/
- Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) payment service is integrated to our system in order to facilitate online payments.
By giving consent to the use of their personal data in accordance with this Policy, Users accept that the Service Provider transmits or provide the following pieces of their personal data to Stripe Payments Europe, Ltd.: cardholder name, email address, unique customer identifier, order ID, bank account details, payment card details, card expiration date, CVC code, date/time/amount of transaction, merchant name/ID, location. The purpose of data transmission: to carry out online payment transactions transmitting the required dataset between the merchant and the payment service provider to carry out online payment transactions, providing transaction data retrieval possibilities for merchant partners. As a payment services provider, Stripe has its own obligations with regard to the personal data of Users. Stripe can therefore also be regarded as a data controller. Stripe’s Privacy Policy applies to any data processing Stripe performs as a data controller. Users’ personal data may be stored and processed in any country by Stripe where they have operations or where they engage service providers. Stripe may transfer personal data that they maintain about Users to recipients in countries other than the country in which the personal data was originally collected, including to the United States.If the User is located in the European Economic Area (“EEA”), the UK or Switzerland, Stripe complies with applicable laws to provide an adequate level of data protection for the transfer of the User’s Personal Data to the US. Stripe Inc. is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles in connection with personal data transfers from the EEA, the UK and Switzerland. For more, see Stripe’s Privacy Shield Policy.
Data transfer
Data controller may transfer the personal data of the Data subject to the competent authorities based on inquiries in accordance with the relevant statutes.
Rights of the Data Subjects
1. Transparent information, communication
The controller shall take appropriate measures to provide any information and any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. Information and access to personal data
The Data controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
3. Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
4. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5. Right to erasure, right to be forgotten
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
- The Data Controller may refuse to erasure the data if processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
6. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
7. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
8. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
9. Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Restrictions
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a) national security;
b) defense;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
f) the protection of judicial independence and judicial proceedings;
g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil law claims.
Remedies
In the case of a personal data breach, the Data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Authority of the National Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH) (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; tel: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data controller shall communicate the personal data breach to the data subject without undue delay.
In the event of the breach of the data protection rights the Participant may bring the matter before a court.
Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
16 July 2020
Neticle PLC.