Privacy Policy

Effective Date: 14 May 2026

 

1. About Us

EngageRocket Pte Ltd (“EngageRocket,” “we,” “us,” or “our”) is a people analytics and employee experience platform headquartered in Singapore. We help organisations measure and improve employee engagement, performance, and development through our suite of SaaS products and support services.


This Privacy Policy explains how we collect, use, disclose, and protect personal data across all of our services, websites, and business activities. We maintain an information security and privacy governance programme aligned with internationally recognised standards. EngageRocket is certified to ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, has completed SOC 2 Type II attestation, and processes personal data in accordance with applicable data protection laws, including the GDPR, UK GDPR, and Singapore PDPA where applicable.


We are committed to the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

 

2. Who This Policy Applies To

This Policy covers personal data we collect from and about the following individuals:

  • Website Visitors — individuals who visit engagerocket.co, our social media pages, or interact with our marketing content, events, webinars, or forms.

  • Customer Contacts — representatives of organisations who evaluate, purchase, or administer EngageRocket services (including CRM and marketing contacts).

  • Platform Users — employees, team members, or other individuals who access or use EngageRocket services through a customer organisation’s account, including through integrated third-party platforms (such as Microsoft Teams).

  • Survey Respondents — individuals who participate in engagement surveys, 360-degree feedback, or other assessments administered through our platform.

This Policy does not apply to personal data processed in the context of employment or recruitment. Such personal data is handled in accordance with our internal policies and applicable laws. For the purposes of this Policy, “personal data” means any information relating to an identified or identifiable individual.

 

3. Our Role: Data Controller vs. Data Processor

Understanding our role matters because it determines who is responsible for decisions about your personal data.

When we act as a Data Controller: We determine the purposes and means of processing. This applies when we collect data directly from website visitors, marketing contacts, and prospective customers — for example, when you visit our website, sign up for a webinar, or contact our sales team.


When we act as a Data Processor: We process personal data on behalf of our customers, strictly in accordance with their documented instructions and, where applicable, our Data Processing Agreement (DPA), available at EngageRocket’s Trust Center (trust.engagerocket.co). This applies to personal data submitted to, generated through, or processed within the EngageRocket platform by or on behalf of a customer organisation, including employee data, survey response data, 360 feedback data, assessment data, and platform usage data associated with that customer account.

In these circumstances, the customer is the data controller and determines the purposes and means of processing. The customer is also responsible for identifying the applicable legal basis for processing, where required by applicable data protection laws. This Privacy Policy provides general information about how EngageRocket protects and handles personal data, but it does not replace the customer’s own privacy notice or the terms of the applicable customer agreement and Data Processing Agreement.

If you are a platform user, survey respondent, or assessment participant whose personal data has been submitted by your employer or another EngageRocket customer, please contact that organisation first to exercise your privacy rights or to understand how your personal data is used. Where required under our customer agreements or applicable law, we will support the customer in responding to such requests.

We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance. Contact details are provided in Section 13.

 

4. What Personal Data We Collect

The data we collect depends on how you interact with us and the choices you make.

 

4.1    Data You Provide Directly

Website Visitors and Marketing Contacts:

  • Identifiers such as your name and business email address

  • Professional information such as company name, job title, functional role, and seniority level

  • Communication preferences and marketing consent status

  • Any information you provide through contact forms, event registrations, or direct communications with us

 

Platform Users (provided by you or your organisation):

  • Business information such as your name, job title, reporting line, email address, phone number, and country

  • Account credentials and authentication information, such as your email address, username, password-related credentials, single sign-on identifiers, or authentication tokens, where applicable. We do not store passwords in plain text.

  • Billing information, such as billing address, transaction records, and limited payment information. Where payment card details are required, they may be processed by our payment service providers in accordance with applicable security requirements. 

 

Support Interactions:

  • Troubleshooting and support data, including the content of your communications with our support team and any related diagnostic information


4.2    Data We Collect Automatically

When you visit our websites or use our platform, we automatically collect certain technical information:

  • Device and browser data — IP address, browser type, operating system, device identifiers, and system configuration

  • Usage data — pages viewed, features used, clickstream data, date/time stamps, referring/exit pages, and search queries

  • Location data — approximate location derived from your IP address (we do not collect precise GPS location without your consent)

We use essential technical mechanisms, such as session management, to support core functionality, authentication, security, troubleshooting, platform performance, and operational continuity. These mechanisms are not used for advertising or commercial profiling unless permitted by applicable law and, where required, with your consent. Any processing of customer-controlled platform data remains subject to the applicable customer agreement and Data Processing Agreement.

 

4.3    Data from Third-Party Sources

We may receive information about you from publicly available sources, marketing partners, data providers, and social media platforms. This may include your name, business email address, company, job title, professional profile information, and business interest signals relevant to EngageRocket’s products and services. We use this information to maintain accurate records, respond to enquiries, support account-based marketing, manage events, identify potential customer needs, and communicate with relevant business contacts in accordance with applicable law.

5. How We Use Your Personal Data

We process personal data only for specific, legitimate purposes. Where EngageRocket acts as a data processor on behalf of a customer, the customer determines the applicable purposes and legal basis for processing. In those circumstances, EngageRocket processes personal data in accordance with the customer’s documented instructions, the applicable customer agreement, and our Data Processing Agreement.

The table below sets out our processing activities and, where GDPR applies, the corresponding legal basis.

 

Purpose | Legal Basis (GDPR)
Providing and operating our websites and platform services | Performance of a contract; Legitimate interests
Communicating service updates, technical notices, and administrative messages | Legitimate interests (administering the service)
Processing transactions, billing, and invoicing | Performance of a contract
Responding to support requests and enquiries | Performance of a contract; Legitimate interests
Hosting and administering events, webinars, and training sessions | Performance of a contract; Legitimate interests
Sending marketing communications (email, SMS, or phone) | Consent; Legitimate interests (where permitted by applicable law)
Personalising your experience and displaying relevant content | Legitimate interests; Consent (where required)
Analysing usage trends to improve our services and develop new features | Legitimate interests
Ensuring the security and integrity of our websites and services | Legitimate interests
Conducting audits, data analysis, and fraud prevention | Legitimate interests
Complying with legal obligations and responding to lawful requests | Legal obligation; Legitimate interests
Reviewing compliance with applicable usage terms | Legitimate interests
Generating aggregated or de-identified insights for analytics, benchmarking, and service improvement | Legitimate interests

 

We do not use personal data collected or processed through our platform services, including survey responses, 360 feedback, and employee data submitted by or on behalf of customers, for advertising, commercial profiling, or any purpose outside the scope of the applicable customer agreement and Data Processing Agreement. We also do not process such personal data for purposes that are prohibited or restricted by applicable law.

 

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our websites and platform, maintain security, support service functionality, understand website usage, and, where permitted, support marketing activities.

On the EngageRocket platform, we use functional cookies and similar technologies that are necessary to support core platform functionality, such as session management, authentication, security, user preferences, troubleshooting, platform performance, and operational continuity. These platform cookies are not used for advertising or commercial profiling.
 
On our public websites, we may use additional cookies and similar technologies, including analytics and marketing cookies, to understand how visitors interact with our websites, improve website performance, deliver relevant content, and measure campaign effectiveness.

Where required by applicable law, non-essential website cookies are used only with your consent. You can manage your cookie preferences through the cookie consent controls available on our website, including our consent management tool, or through your browser settings. Disabling certain cookies may affect your ability to use some website or platform features.

7. Who We Share Your Data With

We share personal data only where necessary to provide, secure, support, improve, and administer our services, or where required or permitted by applicable law. Where we engage third parties to process personal data on our behalf, we use appropriate contractual safeguards, including data processing terms where required.

We may share your personal data with the following categories of recipients:

  • Service Providers — Contracted third parties who perform functions on our behalf, such as cloud hosting and infrastructure providers, payment processors, communications platforms, and analytics services. These providers process data only as instructed by EngageRocket and are bound by data processing agreements.

  • Event Co-Sponsors — If you register for an event co-hosted with a partner organisation, your registration information may be shared with that co-sponsor. Their use of your data is governed by their privacy policy.

  • Advertising Partners — We may share limited data with third-party advertising networks to understand website usage, manage campaigns, and measure marketing effectiveness, where permitted by applicable law and, where required, with your consent. This sharing is described in Section 6 above.

  • Legal and Regulatory Authorities — We may disclose personal data where required by law, regulation, court order, or government request, or where necessary to protect our rights, safety, or property. Where permitted by applicable law, we will notify you of such a disclosure.

  • Business Transfers — In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have.

8. International Data Transfers

EngageRocket operates globally and may transfer personal data to countries outside your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction.

Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom to a country that has not been deemed to provide an adequate level of protection, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, available at EngageRocket’s Trust Center (trust.engagerocket.co)

  • Where required, we also assess the legal and practical risks associated with international transfers and implement supplementary measures designed to protect personal data in accordance with applicable data protection laws, including the UK International Data Transfer Agreement or UK Addendum where applicable.

  • Other lawful transfer mechanisms as required by applicable law

You may request a copy of the safeguards we use by contacting us at the details provided in Section 13.

9. Data Security

We maintain a comprehensive information security programme that includes appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

Our controls are independently assessed against internationally recognised security and privacy standards. EngageRocket is certified to ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, and has completed a SOC 2 Type II independent attestation covering relevant trust service criteria to verify the effectiveness of our controls for security, availability, and confidentiality.

Our technical and organisational measures include encryption of data in transit (TLS/SSL) and at rest, access controls and authentication, regular vulnerability assessments and penetration testing, employee security awareness training, and incident response procedures. While we apply appropriate technical and organisational measures designed to protect personal data, no system or method of transmission or storage can be guaranteed to be completely secure.


EngageRocket will never request your account credentials. Never share your username or password with anyone, and report any suspicious activity to us and/or your organisation’s representative immediately.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, enforce our agreements, maintain security and audit records, and meet legitimate business, accounting, tax, compliance, and operational requirements.

 

When we act as a Data Processor, retention of customer and platform data is governed by the applicable customer agreement and Data Processing Agreement. Customers may request deletion, return, or export of their data in accordance with those agreements.

 

When we act as a Data Controller, we determine retention periods based on the nature of the personal data, the purpose for which it was collected, applicable legal requirements, limitation periods, audit and compliance requirements, security needs, and legitimate business needs. In general:

  • Marketing contact data is retained while we have a legitimate business relationship with you or you remain subscribed to our communications. If you unsubscribe, we may retain limited suppression records to honour your opt-out. 

  • Website usage and analytics data is retained in aggregated, pseudonymised, anonymised, or de-identified form where appropriate for trend analysis, website improvement, security, and service optimisation.

  • Account, billing, support, security, and audit records are retained for as long as needed to provide services, maintain service quality, meet legal or contractual obligations, support audits, resolve disputes, and protect the security of our services.

When personal data is no longer required, we delete, anonymise, de-identify, or securely dispose of it, unless continued retention is required or permitted by law.

11. Your Privacy Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data. We will respond to verified requests within the timeframes required by applicable law.

 

11.1    Rights Under GDPR (EEA, UK)

  • Access — Request a copy of the personal data we hold about you

  • Rectification — Request correction of inaccurate or incomplete data

  • Erasure — Request deletion of your data (“right to be forgotten”), subject to legal exceptions

  • Restriction — Request that we restrict processing of your data in certain circumstances

  • Objection — Object to processing based on legitimate interests or for direct marketing

  • Data Portability — Receive your data in a structured, commonly used, machine-readable format

  • Withdraw Consent — Withdraw consent at any time, without affecting the lawfulness of prior processing

  • Complaint — Lodge a complaint with your local data protection authority

 

11.2    Rights Under PDPA (Singapore)

  • Access — Request access to your personal data and information about how it has been used or disclosed in the past year

  • Correction — Request correction of errors or omissions in your personal data

  • Withdrawal of Consent — Withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual restrictions

  • Data Portability — Where applicable, request the transmission of your data to another organisation

 

11.3    How to Exercise Your Rights

To exercise any of these rights, please contact us at compliance@engagerocket.co. We will verify your identity using a method appropriate to the type of request. You may also designate an authorised agent to make requests on your behalf; we may require the agent to provide written authorisation and verify their identity.



If your personal data has been submitted to us by your employer (our customer), please direct your request to your employer in the first instance. Where we process personal data on behalf of a customer as a data processor, the customer is responsible for responding to requests relating to that data, including requests for access, correction, deletion, restriction, objection, or portability. We will assist our customers in handling these requests in accordance with our Data Processing Agreement and applicable law, and may forward your request to the relevant customer where appropriate.


Where EngageRocket acts as a data controller, we will respond to verified requests in accordance with applicable data protection laws. Where EngageRocket acts as a data processor for customer-controlled platform data, we may not be able to respond directly to certain requests unless instructed by the relevant customer or required by applicable law, but we will support the customer in responding to the request as required under our Data Processing Agreement.


You may opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email, or by contacting us directly. Service-related communications (such as product updates and security notices) are a necessary part of the service and cannot be opted out of.


EngageRocket does not engage in automated decision-making that produces legal or similarly significant effects on individuals.

12. Children’s Privacy

Our websites and services are not directed at children. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will take appropriate steps to delete it.

 

13. How to Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or would like to contact our Data Protection Officer, please reach out to us:

Email: compliance@engagerocket.co


Data Protection Officer
EngageRocket Pte Ltd

14. Third-Party Links

Our websites may contain links to third-party websites or services whose privacy practices differ from ours. We are not responsible for the content or privacy practices of those sites. We encourage you to review the privacy policy of every website you visit.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify account holders by email and post a prominent notice on our website. We encourage you to review this page periodically.


© 2026 EngageRocket Pte. Ltd.