1. Definitions

• “Data Subject” means an identified or identifiable natural person who is the subject of Personal Data (PI) as defined by the Privacy Shield Framework and applicable Data Protection Law;
• Privacy Shield’ encompasses the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). These frameworks enable secure transatlantic data transfers from the European Union / European Economic Area, the United Kingdom (including Gibraltar), and Switzerland to the United States while adhering to EU, UK, and Swiss data privacy laws.
• “Personal Data” refers to information that meets the following criteria:
  • It is transferred from the European Economic Area (EEA), Switzerland, and/or the United Kingdom to the United States, relying on the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
  • It relates to or concerns a specific individual.
  • It can be directly or indirectly associated with that individual.;
• “Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offenses or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.

2. Scope: Types of Personal Data Collected.

• This policy applies uniformly to Personal Information collected and used by Userlytics while providing Services to clients. Userlytics’ Employees, and all Testers, or Market research participants, who voluntarily offer data shall benefit from the rights and privileges afforded to data subjects by the Privacy Shield Framework.  Userlytics does not rely on the EU-U.S. or the Swiss-U.S. Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S.
  This policy extends its scope to cover the personal data of Userlytics employees. All employees’ individually identified data collected, processed, or handled by the company shall be subject to the provisions outlined within this policy and aligned with the Data Privacy Framework Principles
• For the avoidance of doubt, in all processing activities, personal information must be limited to the information that is relevant for the purpose of processing; Userlytics shall not deviate from the purpose. 
• For more information on your rights, the purposes on collection, the type of data collected,  and scope of our processing activities, please refer to the Policies here:
  • Clients Privacy Policy
  • Testers Privacy Policy

3. Limitations on Scope.

• Userlytics provides services worldwide; therefore, we must simultaneously remain compliant with the laws of multiple jurisdictions. In the event we transfer Personal Data covered by this Policy to third parties acting as Controllers (as defined by applicable law), we will do so in accordance with the rights and notices given to Data Subjects. We shall only process Sensitive Data if voluntarily (or otherwise, contractually) consented to such processing. We shall, at all times, provide at least the same level of protections and rights granted to Data Subjects as set forth by the Privacy Shield Frameworks. If we fail to abide by such Frameworks, we shall take the appropriate steps to remediate the violations and notify the applicable parties of such violations.
• Userlytics commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

4. Onward Transfers.

• In the event we transfer Personal Data under the Data Privacy Frameworksto third parties, such as Controllers (generally, Clients), we will ensure said Controllers protect the rights given to Data Subjects under applicable law and that onward transfers shall be limited to the specified purpose established via the appropriate consent form.
• Userlytics engages in contract with all third-party controllers, which include a provision requiring the controller to cease processing or take other reasonable and appropriate steps to remediate upon notification that they are unable to maintain the same level of protection as mandated by the Frameworks.

5. Security and Protection

• Userlytics has dedicated Security and Data Privacy Teams to ensure that the appropriate measures are taken to protect against loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
• For more information on our Security Practices, please refer to the Security Information Page here.

6. Data Subject Access and Rights.

• Data Subjects have the right to request access to, correct, amend and/or delete personal data.  You may also object to our processing of your personal data or ask that we restrict the processing of your personal data in certain instances. For any requests or questions, please contact us at DPO@userlytics.com.
• You have the right to choose (opt-out) whether your personal information is (i) to be disclosed to a third party; or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Please keep in mind that some rights may be contractually withheld when a Tester voluntarily participates in the project. 
• For the avoidance of doubt, Userlytics will require affirmative, express consent (opt-in) from individuals for information that is (i) disclosed to third parties and/or (ii) use for the purpose other than for which it was initially collected and has been modified.
• Please see the Privacy Policy above for more information regarding our third-party transfers. 

7. Subprocessors and Third Parties.

• A subprocessor is a third party data processor engaged by Userlytics, who has or potentially will have access to or process data (which may contain Personal Data). Userlytics uses Third Party subprocessors, who may have access and process data on our behalf. Userlytics evaluates and performs due diligence on all subprocessors prior to onboarding; additionally, we have constant evaluation methods to ensure ongoing compliance with applicable data privacy law.
• Furthermore, Userlytics will (i) limit processing of Personal Data only for limited and specified purposes; (ii) require the third-party to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (iii) take reasonable and appropriate steps to ensure that processing of the Personal Data transferred is in a manner consistent with Userlytics’ obligations under the Data Privacy FrameworkPrinciples; and (iv) require third-parties to notify Userlytics if it is determined that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.
• For the avoidance of doubt, for all third party transfers, including those to Controllers or Subprocessors, we shall transfer only the information necessary to deliver Clients the purchased services.  

8. Enforcement, and Liability.

• As a member of the Privacy Shield organization, Userlytics is subject to the investigation and administration of the Federal Trade Commission. Userlytics supports Data Subjects utilizing their rights, while having a complete understanding of their data use. Userlytics shall be subject to disciplinary action if we have violated, or otherwise, have not complied with the Privacy Shield principles. 
• Userlytics shall respond, correct, and act on any complaint related to the collection, use, or disclosure of Personal Information. If Individuals have questions regarding data use or believe Userltyics has violated the Privacy Shield Framework, you should first contact us, using the contact information provided below. Userlytics shall then investigate the situation. Userlytics must comply with such requests in accordance with the Privacy Shield framework, contractual obligations, and the European Union (EU) data privacy laws (including the Standard Contractual Clauses established in Data Processing Agreements). For the avoidance of doubt, Userlytics shall comply with the EU’s supervisory authorities and the Swiss Federal Data Protection and Information Commissioner (FDPIC) when handling such complaints; this shall also apply to data held for third party stakeholders, such as clients, and employees of Userlytics. Userlytics shall bear the cost of said compliance. Userlytics shall remain liable under the Privacy Policy Principles if we process Personal Information in a manner inconsistent with the Privacy Policy Principles. Under certain circumstances, Data Subjects may be able to invoke binding arbitration to resolve disputes regarding Privacy Shield compliance. See https://www.privacyshield.gov/article?id=ANNEX-I-introduction for further information. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction
• If any request is unanswered, or otherwise, is not acted on by Userlytics, Individuals may, under certain circumstances, invoke binding arbitration under Privacy Shield; for additional information,see https://www.dataprivacyframework.gov/.
• Userlytics also may be required to disclose Personal Data in response to a lawful request, including to meet national security or law enforcement requirements. Userlytics is liable for the appropriate onward transfer of Personal Data to third parties.

9. Changes.

• Userytics may amend this Privacy Shield Statement from time to time consistent with the requirements of Privacy Shield. Notice regarding such amendments may be given for substantial changes.

10. Complaints and Notice.

• Userlytics adheres to Insights Association as our Independent Recourse Mechanism, in which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles. For more information, please visit the Insights Association website here. 
  • In compliance with the Privacy Shield Principles, Userlytics Corporation commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Userlytics at: DPO@Userlytics.com for any questions or concerns. 

• Userlytics has further committed to refer unresolved Data Privacy Framework complaints to the Insights Association, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.insightsassociation.org/Resources/Data-Privacy-Framework/Information-for-EU-Swiss-Citizens-to-file-a-complaint for more information or to file a complaint. The services of the Insights Association are provided at no cost to you.
• Corporation is committed to upholding the Privacy Shield Principles for the protection of personal data. In addition to our main operations, we have a subsidiary located in the European Union that fully adheres to the Privacy Shield Principles. Our subsidiary’s address is: C/ Pedro Heredia, 8 Madrid, 28028, Spain.
• Userlytics is committed to protecting the privacy of all data subjects. For questions or requests regarding our use of Personal Information, please contact us at:
  • Company name: Userlytics Corporation
  • Address: 1200 Brickell Avenue, Suite 1950 Miami, Florida (USA)
  • Phone Number: +1 888-809-0047
  • Contact email: dpo@userlytics.com

Additional questions about our
Privacy Shield Policy

Analytics tells you what,
Userlytics tells you WHY.