Stickybeak Privacy Statement

Introduction
Here we are asking all sorts of people all sorts of questions on behalf of all sorts of organisations and we get to talk about...PRIVACY. Ironic, given our very company name - Stickybeak - is an antipodean phrase for a nosey person.

But don’t be fooled, we take privacy very seriously. If people and organisations can’t trust us to do what’s right with their data, we are out of business. For this reason, our entire business has been built to accommodate current global privacy regulations and thinking. 

This privacy statement explains how we collect, use, store and share personal information, and outlines the choices and rights our data subjects have in relation to their information.

A few things to note
First, this privacy statement applies to all Stickybeak products in all markets and territories. We don't yet have any subsidiaries, but world domination has always appealed, so when we do, we’ll update this privacy statement to include them.

Second, we’ll use a few legal terms in here, but we’ll try to keep that to a minimum. We might refer to “personal information”, “personal data” or just “data” in this statement. These terms all refer to information about the people we deal with (our “data subjects”). 

Third, Stickybeak has three types of data subjects. “Originators” are people who hold a Stickybeak account and create surveys, forms or questionnaires. “Respondents” are people who complete a Stickybeak survey, form or questionnaire. “Visitors” are people who interact with our website and platform. All our data subjects are important to us! 

Fourth, this privacy statement applies only to the information we collect in our capacity as a “controller”. We’ll explain more about this in the next section. 

Stickybeak is a processor and a controller 
Stickybeak’s public polling platform enables our customers to reach, and survey and test ideas with, specific groups around the world using social media targeting. 

Our customers are the organisations that use our platform and products to conduct surveys (the originators we mentioned above). Stickybeak processes survey responses in our platform on behalf of our customers as “processor” or “service provider”. We will not access or use survey responses, other than to deliver the service to our customers, and so this privacy statement does not apply to survey responses. If you want to exercise any of your privacy rights in relation to survey responses, you will need to direct your requests or enquiries to the customer. 

But Stickybeak also acts as a “controller” in relation to some of the information we collect and process. This means that we are responsible for the information and the processing involved. This is the case for personal information we collect and process when you enter a prize draw, when you interact with our website and platform, or when you sign up to our services as an originator. The rest of this privacy statement is about the information we process as a controller.

Collection and processing of information about respondents
Collection and processing of information about originators
Collection and processing of information about visitors
Storage and protection of personal information
Making privacy rights requests


Collection and processing of information about respondents

Our surveys are intended to be anonymous. This means that Stickybeak, and our customers, should not need to collect any personal information at all about respondents. As part of this, our customers should not ask respondents questions that require them to reveal personal identifiers or other personal information, and respondents should take care not to provide answers that might identify who they are.

The information we collect about respondents
Stickybeak will collect personal information about respondents in the following circumstances:
- When they enter a prize draw – If a respondent chooses to enter one of our awesome prize draws, we will collect their email address. If they win our prize draw (woo hoo!), we will NOT collect information about their selected method of payment (such as their bank or PayPal account number). Instead, we will email them a voucher. Our legal basis for collecting and processing this information is performance of contract. 
- If they agree to be included in our Respondent Database – If a respondent consents to being included in our Respondent Database, we will collect their email address, demographic information about them (like their age, gender, and location), and information about their interests. Our legal basis for collecting and processing this information is consent.
- Where a third party gives us information about them – We may collect personal information about respondents from third parties, including integration partners, either where respondents have given their consent, or where the third party is hosting information respondents have made publicly available. Our legal bases for collecting and processing this information are consent (where relevant) and legitimate interests.
- When they interact with our website and platform – See Collection and processing of information about visitors.

How we use or share respondent information
Stickybeak will use the personal information we collect about respondents to:
- Respond to enquiries 
- Communicate with respondents about prize draws
- With consent, communicate with respondents about surveys we think they may be interested in or may fit their profile
- Enable our customers to send their surveys to respondents
- Detect and prevent potentially illegal activities
- Enforce our agreements, where applicable.

We do not sell personal information to third parties, and we will only share personal information in the following ways:
- We share personal information with our trusted service providers, such as Google Cloud Platform, which will store and process the information solely on our behalf.
- We may share information in order to respond to legal requests, including in response to subpoenas, or otherwise as required by law.

Collection and processing of information about originators

Stickybeak needs to collect personal information about originators in order to deliver our services, and for a few other legitimate reasons explained below. Our legal bases for collecting and processing this information are performance of contract (where we need the information to meet service expectations or requests), legitimate interests (where we use information to improve our services and meet our legal obligations), and consent (where we use information to send marketing communications).

The information we collect about originators
Stickybeak will collect the following personal information about originators:
- Registration information – Originators need a Stickybeak account before they can use Stickybeak services. When they register for an account, we collect their first and last name, username, password and email address.
- Billing information – If originators make a payment to Stickybeak, we require them to provide their billing details, a name, address, email address and financial information corresponding to their selected method of payment (e.g. a credit card number and expiration date). If they provide a billing address, we will regard that as the location of the account holder.
- Account settings – Originators can set various preferences via their “account settings” for things like their default language, time zone and communication preferences (such as opting in or out of receiving marketing communications from Stickybeak).
- Profile information – When originators sign up for our services, they are asked to provide us with information about themselves and their organisation. Their profile will also include information about the types of plans they purchase, their account transactions, and the types of surveys they create.
- Information about their interaction with our website and platform – See Collection and processing of information about visitors.

How we use or share originator information
Stickybeak will use the personal information we collect about originators to:
- Deliver the services they have requested
- Communicate with originators about the services they are using, or in response to enquiries 
- With consent, communicate with originators about products or services we think they might be interested in
- Direct originators or their organisations to relevant features and services we offer and assist them to use services, based on their profile
- Detect and prevent potentially illegal activities
- Enforce our agreements, where applicable.

We do not sell personal information to third parties, and we will only share personal information in the following ways:
- We share personal information with our trusted service providers, such as Google Cloud Platform, which will store and process the information solely on our behalf.
- We may share information in order to respond to legal requests, including in response to subpoenas, or otherwise as required by law.

Collection and processing of information about visitors

Like most organisations, Stickybeak collects and processes data about how visitors use our services, via our website and platform. This data helps us understand what is working and what is not, so we can deliver and improve our products and services. Our legal bases for collecting and processing this information are performance of contract (where we need the information to deliver the services and functions requested) and legitimate interests.

The information we collect about visitors
Stickybeak will collect the following personal information about visitors:
- Usage information – Like everyone these days, we collect usage information about visitors whenever they interact with our websites and services. This includes which web pages they visit, what they click on, when they perform those actions, what they buy and so on.
- Device and browser data – We collect information from the device and application visitors use to access our services. Device data mainly means IP address, operating system version, device type, device ID/MAC address, system and performance information, and browser type. If a visitor is on a mobile device, we also collect the UUID for that device.
- Information from page tags – We use first party and third-party tracking services that employ cookies and page tags to collect data about visitors. This data includes usage and user statistics. Emails sent by Stickybeak or by users through our services also include page tags that allow the sender to collect information about who opened those emails and clicked on links in them.
- Log data – Like most websites today, our web servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system versions, device type and timestamps.
- Referral information – If a visitor arrives at a Stickybeak website from an external source (such as a link on another website like Twitter or in an email), we record information about the source that referred them to us.
- Cookies – We and our partners use cookies and similar technologies on our websites. We use certain cookies that the visitor agrees to when they use our sites and, in the case of some cookies, for the legitimate interests of delivering and optimising our services (where the cookie delivers essential functionality). Cookies are small bits of data we store on the device a visitor uses to access our services so we can recognise repeat users. Each cookie expires after a certain period of time, depending on what we use it for.

How we use or share visitor information
Stickybeak will use the personal information we collect about visitors to:
- Tailor and personalise online advertisements
- Analyse and improve the success of advertising campaigns
- Personalise services and provide visitors with personalised content
- Gather metrics about the survey taking experience 
- Troubleshoot problems with our services, fix bugs, and make improvements
- Infer a visitor’s geographic location based on their IP address
- Improve user experience, including by optimising for specific devices and browsers
- Maintain security, including by authenticating a visitor’s identity
- Identify and manage fraud, abuse or other unlawful activity
- Identify and understand trends in relation to the use of our services
- Create new services, features or content
- Track the success of our integrations and online referral processes.

We do not sell personal information to third parties, and we will only share personal information in the following ways:
- We share personal information with our trusted service providers, such as Google Cloud Platform, which will store and process the information solely on our behalf.
- We may share information in order to respond to legal requests, including in response to subpoenas, or otherwise as required by law.

Storage and protection of personal information 

We take information security very seriously. We take all reasonable steps to ensure that the personal information we hold is protected against loss or unauthorised access, use, modification, or disclosure. 

Most of the personal information we collect is stored electronically on the Google Cloud Platform. Google has implemented technical and operational security measures to protect this data for us. You can read more about those here. Stickybeak has also implemented reasonable technical and operational security measures to protect personal information, including:
- Making sure our systems, platforms and data centres are safe and secure 
- Protecting our platform and systems with passwords and multi-factor authentication
- Encrypting our data in transit and at rest
- Maintaining up to date security policies, and ensuring our employees understand them
- Maintaining security incident response policies and procedures, and ensuring we notify breaches where required.

Stickybeak is a global business and we may need to transfer personal information to other countries for storage or processing (for example when we use cloud-based data storage providers). Before transferring personal information to another country, we implement appropriate safeguards to ensure the information is protected. 

We retain personal information only for as long as we need to perform a service, meet our legitimate interests, or comply with applicable laws.

Making privacy rights requests

All Stickybeak’s data subjects have important privacy rights, listed below. To make a privacy rights request, or raise a concern about privacy, please email us at support@stickybeak.co. Please note that, because we try our best to ensure that survey responses are anonymous, it may not be possible to make privacy rights requests in relation to responses.

All data subjects have the right to:
- Ask us for a copy of the personal information we hold about them
- Ask us to correct their personal information if they believe it is wrong
- Opt out of marketing communications
- Withdraw their consent for us to process their personal information (for example in relation to being included in our Respondent Database)
- Complain to the relevant privacy regulator about the way we have processed their information.

Data subjects in certain countries (including countries in the European Union) also have the right to:
- Ask us to delete their personal information, if:
* the personal information is being processed on the basis of consent, and that consent has been withdrawn
* Stickybeak has already agreed to stop processing the information based on an objection, and we have no lawful purpose to retain it
* Stickybeak has no lawful basis to process the information
- Object to the processing of their personal information, where it is based on legitimate interests or relates to direct marketing
- Ask us to restrict the processing of their personal information.

