Global Privacy Policy (GDPR Integrated)
This Privacy Policy outlines how we collect, use, disclose, and protect personal data in accordance with applicable privacy laws, including Singapore’s Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA/CPRA), and the European Union General Data Protection Regulation (GDPR), as well as the UK GDPR and the Swiss Federal Act on Data Protection (FADP).
1. Introduction
We are committed to protecting the privacy and security of your personal data. This Policy explains our practices when acting as a Data Controller or Data Processor under applicable laws, including GDPR, PDPA, and CCPA. We process personal data only for legitimate business purposes and in accordance with the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
2. Roles and Responsibilities
Under GDPR, we may act as either a Data Controller or Data Processor, depending on the context of processing. As a Data Controller, we determine the purposes and means of processing personal data. As a Data Processor, we process personal data on behalf of our clients in accordance with their documented instructions.
We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance and to serve as the primary contact point for data protection inquiries. DPO contact details can be found at the bottom of this page.
3. Information We Collect and How We Use It
We collect personal data such as names, contact information, login credentials, and usage data to deliver our SaaS services, support users, and comply with contractual and legal obligations.
We use essential technical mechanisms to support core functionalities and continued service delivery, such as enabling users to resume their survey responses or activities, troubleshooting, and platform optimisation where applicable. These mechanisms are strictly for operational continuity and not used for advertising, profiling, or analytics for commercial purposes.
Under GDPR, our lawful bases for processing may include consent, performance of a contract, compliance with legal obligations, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests.
4. Your Privacy Rights
Depending on your location, you may have the following rights under applicable privacy laws:
- Access your personal data and receive a copy
- Correct or update inaccurate data
- Request erasure of your data ('right to be forgotten')
- Restrict or object to data processing - Withdraw consent at any time (without affecting prior lawful processing)
- Request data portability
- Lodge a complaint with a relevant data protection authority
5. International Data Transfers
We operate globally and may transfer personal data outside your country of residence. Where personal data is transferred internationally, we use transfer mechanisms such as Standard Contractual Clauses (SCCs) or other approved safeguards to ensure appropriate protection.
6. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or disclosure. Our information security program follows internationally recognized frameworks including ISO 27001, Soc 2 and is regularly audited by independent assessors to verify the effectiveness of our controls for security, availability, and confidentiality.
7. Data Retention
Personal data is retained only as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.
8. Updates to This Policy
We may update this Policy periodically to reflect changes in legal or operational requirements. Updates will be posted on our website with the revised effective date.
9. Contact Information
For any questions about this Privacy Policy or your data protection rights, please contact us at compliance@engagerocket.co
