USER RESEARCH INTERNATIONAL
Last Updated: March 24, 2022
During the course of our activities, we (User Research International LLC, User Research International UK Ltd; “The Group”) collect, store and process personal information about our staff, suppliers, clients, research participants, and other third parties.
We recognize the need to treat personal data in an appropriate, fair, lawful, and transparent manner, in accordance with prevailing Data Protection law in the United States, United Kingdom and European Economic Area including the General Data Protection Regulation 2016 (“The GDPR”) and The California Consumer Privacy Act (“The CCPA”).
This policy covers all registered entities of the Group. In the UK, our business entities are registered with the Information Commissioner’s Office and listed as a Data Controller for defined purposes. The Group also acts as a Data Processor when handling data on behalf of third parties.
This policy is a statement of the data protection policy adopted by The Group and provides transparency information about the way we use personal data. All staff must be familiar with and apply this policy and seek further advice if in doubt as to its application or otherwise when required.
This policy applies to treatment of Personal Data and sensitive information referred to as Special Categories Of Personal Data.
- “Personal Data” means any data relating to a living individual who can be identified from those data. This includes when the data can directly or indirectly identify an individual by any means reasonably likely to be used. Personal data can therefore be factual (such as a name, address, date of birth or employer) or it can be an opinion. It can also mean location data and online identifiers such as cookies and IP addresses. Such personal information must be dealt with properly however it is collected, recorded and used – whether on paper, electronically, or by other means.
- “Special Categories Of Personal Data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic or biometric data used to identify an individual, physical or mental health condition, sex life and sexual orientation. Special category data can only be processed under strict conditions. Criminal conviction data are to be processed in a similar way to special category data with the conditions being set out under the Data Protection Act 2018 in Parts 1, 2 and 3 of Schedule 1.
The Group needs to collect and use certain types of personal data relating to the individuals with whom it deals in order to operate. These include current, past and prospective parties such as staff, suppliers, clients, research participants and other third parties.
The Group regards the lawful and correct treatment of personal data as important to the achievement of our objectives, to the success of our operations and to maintaining confidence between those with whom we deal and ourselves. We therefore ensure that we treat personal data fairly, lawfully and transparently.
To this end The Group fully endorses and adheres to the 7 Data Protection Principles, as set out in The GDPR. These principles must be adhered to by anyone who processes personal data.
- “Data Processing” is any activity that involves use of the data, such as obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. It also includes transferring personal data to third parties and other countries both inside and outside of the European Economic Area.
Specifically, the principles The Group abides by require that personal data:
- shall be processed fairly, lawfully and transparently;
- shall be obtained only for one or more specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed – known as data minimization;
- shall be accurate and, where necessary, kept up to date;
- shall not be kept for longer than is necessary for that purpose or those purposes;
- shall be subject to appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
- shall be processed in accordance with the accountability requirement in article 5(2) of the GDPR.
The Group complies with principles of data protection by design and default, through appropriate management and strict application of criteria and controls. This includes ensuring that The Group:
- observes fully the conditions regarding the fair and transparent collection and use of information. This means that the individual to whom the personal data relates (the “Data Subject”) must be told who the data controller is, the purpose for which the data are to be processed, and the identities of anyone to whom the data may be disclosed or transferred. For personal data to be processed fairly, lawfully, and transparently, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has given informed consent to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed (such as part of a contract entered into between the Data Subject and The Group). When Special Categories Of Personal Data are being processed, more than one condition must be met. In most cases the Data Subject’s explicit consent to the processing of Special Categories Of Personal Data will be required, although there are other conditions which may lawfully be used;
- meets its legal obligations to specify the purposes for which information is used. This means that personal data will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data are processed, the Data Subject will be informed of the new purpose before any processing occurs;
- collects and processes appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Any data which are not necessary for the relevant purpose will not be collected in the first place;
- ensures the quality and accuracy of data used. Data which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed or rectified at the earliest opportunity;
- applies checks to determine the length of time information is held. Unless we explain otherwise to the Data Subject, we will hold personal information based on the following criteria:
i. For as long as we have reasonable business needs, such as managing our relationship with the Data Subject and managing our operations;
ii. For as long as someone could bring a claim against The Group;
- adheres to data retention periods in line with legal and regulatory requirements or guidance;
- ensures that data are processed in accordance with Data Subjects’ rights under The GDPR and other prevailing data protection law. These include: the right to be informed that processing is being undertaken, the right of access to personal information, the right to object to processing in certain circumstances, the right to correct, rectify, block or erase information which is regarded as wrong information and the right to be informed of the use of automated decision making or profiling using personal data;
- puts in place appropriate technical and organizational security measures to safeguard personal data from the point of collection to the point of destruction;
- ensures that personal data is not transferred to other countries, both inside and outside of the European Economic Area, without suitable safeguards in accordance with The GDPR, The CCPA, and other prevailing data protection law;
- treats people justly and fairly whatever their age, religion, disability, gender, sexual orientation, or ethnicity when dealing with requests for information; and
- sets out clear procedures for responding to requests for information from third parties. When dealing with enquiries from third parties, The Group will take steps before disclosing any personal information held by us to ensure that this is done in accordance with permissive provisions in the law or applicable exemptions. In particular, The Group will:
i. check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested;
ii. request that the third party confirm their request in writing so the third party’s identity and entitlement to the information may be verified;
iii. refer requests to our Data Protection Officer for assistance in difficult situations; and
iv. where providing information to a third party, do so in accordance with the law.
The Group also ensures that:
- there is always someone with specific responsibility for and knowledge of data protection who will act as the internal and external point of contact, handle complaints from Data Subjects and report to the business on data protection risk;
- everyone handling personal data understands that they are contractually responsible for following good data protection practice;
- any third parties engaged to process personal data on our behalf are engaged under a contract which safeguards the data and complies with Article 28 GDPR;
- everyone handling personal data is appropriately trained to do so and that this training is refreshed at suitable intervals;
- everyone handling personal data is appropriately supervised;
- anybody wanting to make enquiries about handling personal data knows what to do and who to refer enquiries to;
- queries about handling personal data are promptly and courteously dealt with;
- methods of handling personal data are clearly described;
- methods of handling personal data are regularly assessed and evaluated, particularly if new processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- performance with handling personal data is regularly assessed and evaluated;
- a regular review and audit is made of the way personal data is held, managed and used, including where new categories of personal data are processed or where processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- appropriate records of processing are maintained in accordance with Article 30 GDPR;
- breaches of personal data are promptly assessed, contained and mitigated;
- breaches of personal data are reported to the ICO and Data Subjects where necessary; and
- a breach of the rules and procedures identified in this policy by a member of staff may lead to disciplinary action being taken.
The Group uses personal information collected through our Services for purposes described in this policy or otherwise detailed when ensuring the informed consent of Data Subjects. For example, we may use personal information to:
- provide and deliver Services, including securing, troubleshooting, improving, and personalizing Services;
- operate our business, such as improving our internal operations, securing our systems, and detecting fraudulent or illegal activity;
- understand you and your preferences to enhance your experience and enjoyment using our Services and to match you to research studies that The Group or its clients are planning to conduct;
- respond to your comments and questions and provide customer service;
- send you related information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages, including when confirming your schedule for a research survey, or when sending gratuity information for participating in a research survey;
- communicate with you about promotions and other news about products and services offered by The Group and selected partners, including informing you about upcoming research opportunities for which you may qualify; and
- link or combine information about you with other personal information we get from third parties, to help understand your needs and provide you with better and more personalized service.
The Group has appropriate security measures in place which are designed to protect personal data and prevent its damage, loss, misuse, and unauthorized access, processing, disclosure, alteration, and destruction.
The Group takes any breach of personal data very seriously. Any breach will be fully investigated and reported to the ICO within 72 hours in line with The GDPR and other legislation. Where there is potential for the harm of individuals, data subjects will also be informed.
DATA SUBJECTS’ RIGHTS
Under The GDPR and The CCPA, Data Subjects have a right to request a copy of the personal information The Group holds about them, or to request that it be updated, corrected, or removed (in which case we will address the request promptly and will notify our clients of all such requests or changes).
Where we are able, The Group will update information as requested by Data Subjects. In line with The GDPR and The CCPA, we will respond to Data Subjects’ requests within 1 month, or 2 months for complex requests.
YOUR INFORMATION CHOICES
- Please contact us at firstname.lastname@example.org to request access, updates, corrections or removals of personal information for which you are the Data Subject. We may decline requests that are unreasonable, excessive, or prohibited by law, could adversely affect the privacy or other rights of another person, or where we are unable to authenticate you as the person to whom the data relates. We reserve the right to charge you a fee, as permitted by applicable law.
- All promotional emails from URI are opt-in. You can opt out of receiving promotional emails from URI by following the instructions in those emails. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations. You can also send requests about your contact preferences or changes to your information, including requests to opt out of sharing your personal information with third parties, by contacting us at email@example.com.
- Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services provided on this and other websites.
Our third-party analytics and advertising partners may provide you with options to opt out of certain information collection. For more information about the applicable choices they provide you, please visit: Google Analytics.
- There are many ways through which web browser signals and other similar mechanisms (for example, “Do Not Track”) can indicate your choice to disable tracking, and, while we and others give you the choices described in this policy, we do not currently support these mechanisms.
CHANGES TO THIS POLICY
The Group may change this policy from time to time. If we make any changes to this policy, we will change the “Last Updated” date above or provide such notice or obtain informed consent to changes as may be required by applicable law.
If you have any questions, concerns, or complaints, please contact us at:
By email: firstname.lastname@example.org
By phone: (425)-242-8030
Postal address: 17602 NE Union Hill Rd., Redmond, WA 98052