What information do we collect?
We collect information relating to you and your use of our services from a variety of sources. Some of this information is collected directly from you and some of this information is collected from your interaction with our Services, or from third parties.
Information we collect directly from you
- Contact details: When you contact us or subscribe to our content, such as our blog, we collect your contact details, including your name and email address.
- Registration details: When you register an account we collect your name, company name, email address, password and other information.
- Billing details: If you use a credit card for billing, we may collect information such as the cardholder's name, billing address, email address, credit card number, expiry date and credit card security code.
- Account settings: You can set or update various preferences and personal details on your account settings page or your profile. For example, your name, email address, default language or timezone.
- Survey data: We collect and store the survey responses that you submit. If you have any questions about a survey you are taking, please contact your organization’s manager who signed up for the service.
- Employee data: We may collect employee data that you submit based on the attributes you have created. For example, performance grade, date of birth etc.
- Other data you intentionally share. We may collect your personal information or data if you submit it to us in other contexts. For example, if you provide us with a testimonial, participate in a TINYhr contest, or send us an email with comments or suggestions.
Information we collect from other sources
- Usage data: We collect usage data about you whenever you interact with our Services. This may include which web pages you visit, what you click on, when you performed those actions, and other activities. Our web servers also keep log files that record data each time a device accesses our servers. The log files contain data about the nature of each access, including the originating IP address. We may combine this automatically collected log information with other information we collect about you. We do this to improve our Services, to improve our marketing activities, for system analytics, or to monitor or improve functionality.
- Device data: We collect data from the device you use to access our Services, such as your IP address and browser type. This information may also tell us your location.
- Referral data: If you navigate to our website from an external source (such as a link on another website or via an email), we record information about the source that referred you to us.
- We and our marketing partners, affiliates, or analytics or service providers, use technologies such as cookies, beacons, tags, and scripts, to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis.
How do we hold the information we collect?
Security of your information
EngageRocket uses Stripe for processing payment online. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we make use of best-in-class security tools and practices to maintain a high level of security at Stripe. You can read more at https://stripe.com/docs/security/stripe.
Where your information is located
We use Amazon Web Services (AWS) cloud services for EngageRocket. You can read more on AWS security here: https://aws.amazon.com/security/.
How do we use the information we collect?
How we use your information
We use your personal information for a variety of purposes. In each case, the information we collect and hold is reasonably necessary for our business, including providing you with the services you would expect from us. We use your personal information to:
- Create an account with us: We need to collect and use your personal information to allow you to create an account and log in to that account.
- Provide you with our Services: This includes providing you with access and use of the EngageRocket platform and customer support, which may require us to access your information so that we can assist you with survey design or technical issues.
- Create de-identified aggregated benchmark data: To provide you with a better understanding of your survey results, we use your survey data in a de-identified aggregated form to compare your results to the results of other surveys. We also use your survey data to continually improve our survey benchmarks. None of your survey data will be disclosed to other unrelated customers in a non-aggregated or identifiable form. We may disclose aggregated, anonymous, or anonymized data to third parties for market research, academic research, benchmarking, or any other purpose. In all such instances, we will not disclose any identifiable information about you, your respondents, or your company.
- Manage our Services: We use your information internally to measure and analyze user behaviour so we can provide our Services and improve those Services. Some of these purposes include:
- To monitor, maintain and improve our Services and features.
- To personalize or customize your experience when you use our Services (including presenting our website in the best format for you or a device you use to access our website).
- To create new services or features.
- To enforce our Terms when we are made aware of potential breaches.
- To prevent potentially illegal, undesirable or abusive activities.
- To investigate complaints about you, or made by you.
- Contact you about services or your account: At times we may need to contact you via email, mail or telephone to tell you about matters, such as changes to our Services, terms or policies.
- Contact you for marketing purposes: We may also send you news and information about our products or Services that you either request from us, or we believe may interest you. In most cases, we will contact you via email.
- Respond to legal requests and prevent harm: If we receive a legal request or are informed of a situation that may cause harm, or potential harm, to someone, we may need to inspect your personal information or data to respond appropriately to that request or threat.
Who has access to your information?
We will share your personal information with third parties only in the ways that are described in this privacy statement. To provide you with our Services we will often need to disclose your personal information to our staff or service providers that we use to operate our business. Examples of our service providers include: hosting services; project management software; email service providers; system monitoring services; customer support services; and website analytics. These companies are authorized to use your personal information only as necessary to provide these services to us.
Anonymity and pseudonyms
In most cases, the personal information that we disclose to our staff or service providers will be directly necessary to provide our services to you. However, there may be occasions where we may need to disclose your personal information to other people or organizations, including to:
- Our staff: We may need to disclose your personal information to people who work for us. These disclosures may be related to activities such as filling orders, processing payments and mail-outs, storing and managing documents, research, or providing professional advice.
- Enforce or apply our Terms: If you engage in or threaten any unlawful activity, we may reasonably believe that it is necessary to disclose your information to the police, a relevant authority or enforcement body, or your internet service provider, employer, supervisor or network administrator.
- Keep other entities associated with us informed: In some cases we may need to disclose your information to our agents, business affiliates, joint venture entities, partners, investors or any applicable subsidiaries or holding companies. The need to disclose your information to these entities may arise from a legal obligation we owe that entity, or to assist our or their legitimate business interests.
- Comply with legal requests: In some situations we may be compelled to disclose your information to third parties such as law enforcement officials or to comply with court orders, such as subpoenas.
- Merger: If EngageRocket is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of your personal information, and choices you may have regarding your personal information. We may also disclose your personal information to any other third party with your prior consent.
What are your rights to your information?
We will respond to requests to access and correct (if necessary) your personal information as soon as possible. You have the following options regarding accessing, correcting or limiting the use or disclosure of your personal information:
- Update your account details: You can update your registration and other account information on your account setting page or your profile. Information is updated immediately.
- Limiting use or disclosure: If you want to limit our use or the disclosure of your information to third parties, please contact us at email@example.com. However, please note that by limiting the use of your personal information by us, or its disclosure to third parties, you may also limit our ability to provide you with our Services.
- Retention: We will retain your information for as long as your account is active or as needed to provide you our Services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
- Blog: If you subscribe to our blog, we will use your name and email address to send you the newsletter. You may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails.
Information for Users of the EngageRocket Platform
If you are a user of the EngageRocket platform (for example a company administrator or respondent), we also collect, hold and process information about you on behalf of the Customer. This information includes data uploaded to the EngageRocket platform by the Customer (for example, your name, email address, employment and demographic data) and your survey responses and comments submitted using the EngageRocket platform.
To help us provide our Services to you and the Customer, we may transfer some of your personal information to our service providers (for example, support services or email service providers). Any transfers to our service providers are covered by our agreement with the Customer. Because we collect, hold and process your information on behalf of the Customer, you will need to contact the Customer if you want to:
- access, correct, amend or delete any information we hold about you; or
- stop receiving emails sent to you by the Customer using the EngageRocket platform.
Social media widgets
Links to other websites
We display Customer or User testimonials and other endorsements on our website. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial or any other endorsement, please contact us at firstname.lastname@example.org.
Blog and forums
Our website offers publicly accessible blogs. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To remove your personal information from our blog or community forum, please contact us at email@example.com. In some cases, we may not be able to remove your personal information; in such cases we notify you and explain why we are unable to fulfil your request.
Update on Personal Data Protection Act of Singapore
The Personal Data Protection Act of Singapore (the “PDPA”) establishes data protection laws that govern the collection, use and disclosure of Personal Data and came into effect on July 2, 2014. EngageRocket is a recognized Infocomm Development Authority of Singapore (IDA) Data Intermediary as a Software-as-a-Service (SaaS) Service Provider (IDA Cloud Booklet 2015). As a Data Intermediary EngageRocket complies with the Protection and Retention Limitation Obligations of the Act. Details are set out below.
Background of the PDPA
Whether and to what extent the obligations imposed by the Data Protection Provisions apply depends on (i) whether we are operating in the capacity of a data principal or a data intermediary when Processing Personal Data in the provision of the EngageRocket Service. “Processing” in relation to Personal Data under the PDPA means the carrying out of any operation or set of operations in relation to Personal Data, and includes recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission, erasure or destruction.
Obligations imposed by the data protection provisions
The Data Protection Provisions generally require an organization (which term includes any individual, company, association or body of persons, corporate or unincorporated) to be responsible for Personal Data of individuals in its possession or under its control, and to develop and implement policies that are necessary to meet the following obligations:
1. The obligation to obtain, on or before the collection, the individual’s consent to the collection, use and disclosure of the individual’s Personal Data (the “Consent Obligation”).
2. The obligation to ensure that Personal Data is collected, used and disclosed only for purposes which consent was given or which a reasonable person would consider appropriate in the circumstances (the “Purpose Limitation Obligation”).
3. The obligation to notify the individual, on or before collection, use or disclosure, of the purposes for which it is collecting, using and/or disclosing the individual’s Personal Data (the “Notification Obligation”).
4. The obligation to provide, upon the request of the individual, information about the ways in which the individual’s Personal Data has been or may have been used or disclosed in the year before the request, and allow the individual to correct his/her Personal Data (the “Access and Correction Obligation”).
5. The obligation to use reasonable effort to ensure that the Personal Data collected by or on its behalf is accurate and complete (the “Accuracy Obligation”).
6. The obligation to make reasonable security arrangements to protect the Personal Data and prevent unauthorised access, collection, use, disclosure or similar risks (the “Protection Obligation”).
7. The obligation to cease retaining Personal Data or remove the means by which the Personal Data can be associated with an individual when the personal data is no longer necessary for business or legal purposes (“Retention Limitation Obligation”).
8. The obligation not to transfer Personal Data to a country or territory outside of Singapore except in accordance with the requirements under PDPA (“Transfer Limitation Obligation”).
9. The obligation to make information about its data protection policies, practices and complaints process available on request, and designating one or more individuals as its data protection officer to ensure that the organisation complies with the PDPA (“Openness Obligation”).
The PDPA applies only to Personal Data of individuals given in a personal capacity, for personal purposes and does not apply to “business contact information” which is defined in the PDPA as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes”. An organization is not required to obtain consent or otherwise comply with the PDPA in collecting, using or disclosing any business contact information disclosed in the course of a commercial transaction.
Personal data provided by subscribers to us
How we comply with the PDPA as a data intermediary with regards to personal data in the service
We act as a data intermediary in connection with the use of the Service by our Subscribers and their Agents. Data intermediaries who process Personal Data on behalf of other organisations are only required to comply with two obligations under the PDPA when Processing this Personal Data:
• the Protection Obligation; and
• the Retention Limitation Obligation
The Protection Obligation requires us to put in place appropriate administrative, physical and technical measures to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks to the Personal Data in our possession or under our control, regardless of whether the Personal Data is stored in a central server, or on local storage media, or at facilities operated by a third party vendor. We utilize robust precautions to protect the confidentiality and security of the Personal Data within the Service, by employing technological, physical and administrative security safeguards, such as firewalls and carefully developed security procedures. These technologies, procedures and other measures are used in an effort to ensure that Personal Data is safe, secure, and only available to Subscribers and to those authorized to access such Personal Data. However, no internet, e-mail or other electronic transmission is ever fully secure or error free, so Subscribers should take care in deciding what information is transmitted, stored or hosted through the Service.
The Retention Limitation Obligation requires us to cease to retain Personal Data which is Processed or remove the means by which the Personal Data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the Personal Data was collected is no longer being served by retention of the Personal Data; and, the retention of the Personal Data is no longer necessary for legal or business purposes.