IcebergIQ Privacy Policy

---

Summary

This Privacy Policy describes how IcebergIQ processes Personal Data pertaining to natural persons who interact with it as website/other resources visitors/users or Prospective Corporate Client/Client representatives, and such Corporate Clients’ Customer representatives; meaning how such Personal Data is: Collected; Stored; Accessed; Processed and Shared, both online and by other means, such as by phone while addressing herein mentioned Corporate Client representatives and/or its Customers’ representatives; as well as which are the Lawful Bases towards such processing activities.

The primary goal of Processing Personal Data is to identify those Data Subjects who are representing a company/organization or sole trader either on its role of the service provider (above-mentioned Corporate Client of IcebergIQ) or the Customer or Prospective Client of such service provider. 

In terms of Lawful Basis for processing activities, Personal Data is exclusively processed under the scope and purpose of agreed Services between IcebergIQ and its Corporate Clients via a Service Contract (acceptance of the Terms of Service) and/or the Data Subject him/herself (natural person to whom such Data pertains to) via his/her Explicit Consent towards required Personal Data Processing Activities, where it becomes the applicable Lawful Basis.

Regardless of which of the above applies, every Data Subject maintains full control over the Personal Data that pertains to him/her as well as the Personal Data Processing Activities undertaken by IcebergIQ (as Data Subject's Rights defined both under the European General Data Protection Regulation [GDPR] and other Personal Data Protection Legislation that applies in the geography where the Data Subject resides).

I. Who is the Data Controller of Your Data?

II. Personal Data Collection

III. What Personal Data do We Process? 

IV. Types of Processing

V. With Whom is Personal Data Shared?

VI. International Data Transfers and Safeguards Employed

VII. Retention Periods

VIII. Storing of Personal Data

IX. Rights of the Data Subjects

X. Miscellaneous

XI. How is Personal Data Processed in a Secure Manner?

XII. Glossary

Applicability

IcebergIQ reserves the right to modify this Privacy Policy at all times by posting an updated version on its websites. The version is timestamp indexed, while identified by the Date at the beginning of this document after the title “IcebergIQ Privacy Policy.”

Use of Personal Data and Information

The Service Catalogue comprehends the following Services:

Customer Experience and Product Feedback

Corporate Clients in need of an ongoing feedback strategy from their Customers and Prospective Customers hire IcebergIQ to schedule and conduct interviews, and provide an analysis back to the Corporate Client, including the recordings of such interviews.

Given what is described above as our Service Catalog components, we Process Personal Data to enable the Services within our Service Catalog, which include the following purposes:

• Provide the service as described above including outreach to Data Subjects, scheduling and conducting of interviews, and providing this feedback to Corporate Clients;
• Correspond with Data Subject in regards to outreach and scheduling of interviewees;
• Marketing purposes that fall under the Legitimate Interest while not colliding with the Rights of the Data Subject nor legal ruling, since ours is a B2B service;
• Communicate and inform Corporate Client representatives about news and information related to our service. This occurs under a B2B perspective, nevertheless in some cases Personal Data is processed;
• Identify those Natural Persons who act as representatives of both the Service Provider and its Client under the scope of specific rendered services;
• Assess the professional feedback of those Natural Persons who act as representatives for both the Corporate Client as well as the Customer or Prospective Customer;

I. Who is the Data Controller of your Data?

IcebergIQ AS, a company established at Unit 323 - 233 Carlaw Avenue, Toronto, Canada M4M 3N6, is the entity that acts as the Data Controller for this Privacy Policy and all data processing practices herein contemplated. All questions or requests regarding the processing of Personal Data may be addressed to privacy@icebergiq.com

Data Privacy Officer/Data Protection Officer (DPO) contact:

Mr. Rui Serrano

Portugal, European Union

privacy@icebergiq.com

II. Personal Data Collection

IcebergIQ collects Personal Data either from its Corporate Clients or the Data Subjects themselves.

Where initial Personal Data collection results from a Contract with Corporate Client and that entity surrendering Personal Data pertaining to a natural person who is not aware of such sharing, IcebergIQ will proceed according to the ruling under the General Data Protection Regulation (GDPR) article 14, meaning that natural person shall be informed (over a direct contact) about which Personal Data has been gathered by IcebergIQ, its source and the “purpose” and “scope” of Processing plus his/ her rights under applicable Personal Data Protection Legislation.

Where Personal Data collection results from the operational delivery of IcebergIQ services, where applicable that occurs with the Consent of the Data Subject or under an existing Contract with the entity which employs that Data Subject, nevertheless always having the Data Subject informed under the Right to Information that is determined by most of Personal Data Protection Legislations around the globe and specifically the most demanding and comprehensive piece of such legislation at present, the GDPR.

III. What Personal Data do we process?

IcebergIQ processes the following categories of personal data and some examples of identifiers:

• Identification Data: First and last name, email address, phone number, title;
• Corporate Information: Employer company, invoices content;
• Business context information: Background of opportunity dealings;
• Service Feedback: Experience, timeline, product feedback;

As mentioned, although most of this Data reflects the business relationship between companies/entities, it may (in some cases) also clearly mirror the perspective of a specific natural person, hence making it Personal Data.

IV. Types of Processing

Personal Data is exclusively processed by IcebergIQ in a “manual” manner, meaning it is gathered and interpreted by humans; there is no automated processing or decision-making.

Business Profiling is an essential part of our Services, therefore, regardless of the fact that the goal is to qualify the existing status of business relationships, that may (in some cases) end up also constituting the qualification of the attitude of a natural person towards such business relationship, hence Profiling of the Data Subject.

The Principle of Data Minimization

IcebergIQ takes every reasonable step to ensure that Personal Data under its direct Processing activities (as the Processor) as well as any and all Personal Data conveyed to/shared with its Corporate Client (as the Controller), is limited to the amount and type that is necessary to deliver its Services as agreed to under the existing Service Contract.

Both unnecessary/irrelevant data (including Personal Data) shall not be processed or maintained, nor shall there be any redundant repositories; as no data or information shall be stored for any longer than required under the scope of agreed services and defined retention period.

V. With whom is Personal Data shared?

Third-Party Recipients

IcebergIQ resorts to partners that act as Processors, nevertheless none of those partners proceed with Personal Data Processing activities outside of the scope of their Processor role under IcebergIQ Services, as per Data Processing Agreements in place between IcebergIQ and those partners. Specifically:

• Zoom – records interviews;
• Rev – recordings are sent to Rev which produces transcripts of interview calls;
• Box – acts as the File Server/ Service for all client-related materials;
• Airtable – research findings are coded in Airtable and shared securely with each Corporate Client;
• Hubspot – the CRM;
• Google Cloud Platform – for sharing of project materials and contact information.

Additionally, IcebergIQ shares the information and data that results from its services with its Corporate Clients.

Besides what has been hereinabove mentioned, IcebergIQ does not share Personal Data pertaining to its users with any 3rd party entities.

VI. International Data Transfers and Safeguards Employed

Some of IcebergIQ’s partners (Processors or Controllers) are established in 3rd countries (meaning not EU Member States nor within the European Economic Area), therefore not enjoying an adequacy qualification by the European Commission pursuant to GDPR Article 45 ruling.

To make such transfers fully compliant with the GDPR, the Data Processing Agreements with those partners include the EU Standard Contractual Clauses in accordance with the European Commission Decision of 2020 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council and the recent outcome of the “Schrems II” court case ruling by the Court of Justice of the European Union (dated July 26th, 2020).

And, more relevant, IcebergIQ both ensures having internal Security Measures and Processes in place as performing a detailed assessment regarding such partners.

VII. Retention Periods

General Retention Criteria

IcebergIQ will maintain Personal Data pertaining to its Corporate Clients’ Users for the duration of the Services plus as per Legal requirements (e.g. invoices must be maintained by Law for seven years after document date).

With regards to the Corporate Client’s Customer Personal Data, IcebergIQ maintains it for the term of the agreement after having forwarded/made the Customer Feedback available to the Corporate Client, as a means of having in place some redundancy for such period.

In case of a potential legal dispute or for the period allowed by local legislation (in the geography where the Corporate Client is located) after the Services Contract has come to an end, IcebergIQ reserves itself the right under Legitimate Interest to maintain Personal Data that exclusively is relevant to allow legal defense; all other Personal Data shall be erased.

VIII. Storing of Personal Data

IcebergIQ is a Digital company, which means that the overwhelming amount of Data and information the company requires to operate is exclusively maintained under Digital format on IT Systems.

IcebergIQ will be storing Personal Data over the following platforms and purposes:

▪ AirTable – Houses the research;

▪ Box – File server;

▪ Google Mail – Email service.

IcebergIQ acts as the Controller and these “Partners” as “Processors,” meaning they will not undergo any “Personal Data Processing Activities” activities towards information registered, submitted or conveyed by IcebergIQ unless under the scope of contracted services and that is agreed and documented under an existing “DPA” between the parties.

IX. Rights of the Data Subjects

Personal Data Protection Legislation allows those natural Persons to whom Personal Data pertains to the exercise of some Rights, namely:

[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. IcebergIQ will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access.

[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:

• Know the categories of personal information we collect and the categories of sources from which we got the information;
• Know the business or commercial purposes for which we collect and share personal information;
• Know the categories of third parties and other entities with whom we share personal information; and
• Access the specific pieces of personal information we have collected about you.

[PIPEDA] Right of access – In all similar to the above description under the GDPR. Notwithstanding this fact and under section 38.13 of the Canada Evidence Act the disclosure of personal information of a specific individual is prohibited before a complaint is filed by that same individual in respect of a request for access to that information. The provisions of this Right do not apply to the information that is subject to the certificate following filing of complaint.

[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on IcebergIQ’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not IcebergIQ Customers.

[GDPR] Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by IcebergIQ erased and therefore Processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents IcebergIQ from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to deletion – Again in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/information. We may refuse the exercise of such right if it prevents us from exercising legal defence, we cannot do it driven from a legal obligation or there is the risk of by doing so, not being able to fulfil any open contractual obligations.

[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy has occurred under the Lawful Base of Legitimate Interest by the side of IcebergIQ. The exercise of this right may also occur where the Data Subject wishes to opt-out from an existing Service (and not necessarily canceling the Service). When exercising this right, the Data Subject must be specific about which processing activities are being requested to stop and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to opt out of sales – We do not "sell" your data.

[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. IcebergIQ will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on IcebergIQ’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not IcebergIQ Customers.

[GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized third  parties within 72 hours of its occurrence.

[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding IcebergIQ’s Processing activities over his/ her Personal Data towards any of the EU Member States data protection Supervisory Authorities. IcebergIQis however also available to provide any clarification towards those Data Subjects who may feel that it's Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. Data Subject may submit a complaint via the request process as per herein defined ahead.

[PIPEDA] Right to submit a complaint – The natural person to whom Personal Data pertains may submit a complaint regarding the processing of Personal data to the Office of the Privacy Commissioner of Canada or the organization (IcebergIQ in the present case).

[CCPA] Right to be free from discrimination– You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.

For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide  information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfil your request.

We will use the information you provide to make your CCPA rights requests to verify your identity, identify the personal information we may hold about you, and act upon your request.

We strongly recommend that you submit the email and postal address that you used when you created accounts, ordered subscriptions or signed up for a newsletter. After you submit a CCPA rights requests, you will be required to verify access to the email address you have submitted. You will receive an email with a follow-up link to complete your email verification process. You are required to verify your email in order for us to proceed with your CCPA rights requests. Please check your spam or junk folder in case you can't see the verification email in your inbox.

[PIPEDA] Right of Privacy – “… the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances …”; this means assuring the capacity of each natural person to decide upon WHICH Personal Data pertaining to him/ her can be Processed by WHICH entities under a specific “purpose” and “scope.”

Any “Data Subject” may exercise his/her rights under by reaching out to the IcebergIQ’ DPO through the e-mail address privacy@icebergiq.com.

If you have questions, complaints or wish to exercise your rights, please do make clear in your message:

• Purpose: Question; Complaint; Exercise of the “Data Subject’s” rights under applicable Personal Data Protection Legislation
• WHAT triggered your need to contact us?
• WHEN did the root cause which triggered the need to contact us take place?
• Why the need to provide alternative personal contact?

The “Data Subject” or his/ her legally authorized representative are the only “entities” that may exercise these Rights under applicable law, hence IcebergIQ is bound by law to ensure and document that the “Data Subject” or his/her legal representative has been the one interacting with the company while acting over his/ her “Personal Data.” The way to ensure such “authentication” with regards to “Data Subjects” who do not have digital credentials on any IcebergIQ web-based platform is to forward a code to that “Data Subject” via an alternative communication channel to the standard e-mail address which served the purpose of the initial contact and have the Data Subject, or the Authorized Representative submit such code back to IcebergIQ (this is a “two-factor authentication" method).

Important Note:

Since the GDPR is the most comprehensive enforceable piece of Personal Data Protection Legislation year to date while not colliding with other existing Personal Data Protection Laws on the globe, IcebergIQ observes its ruling towards those natural persons whose Personal Data it processes despite the fact that where applicable/ required the company will also and foremost observe the ruling of local legislation.

Submitting a Data Subject Request/ Complaint

Under the scope of Personal Data Protection, the Data Subjects may address IcebergIQ via:

• A written request, accompanied by all necessary information, to the following address: Unit 323 - 233 Carlaw Avenue, Toronto Canada M4M 3N6
• An e-mail to privacy@icebergiq.com

X. Miscellaneous

Links to Third-Party Sites. Our Websites may include links to other websites whose privacy practices may differ from those of IcebergIQ and belong to third-party entities that do not act as a Controller nor a Processor towards IcebergIQ services. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

XI. How is Personal Data Processed in a Secure Manner?

IcebergIQ has its “IT Landscape” configured and monitored under the strictest Security market standards and has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under “GDPR” towards “Personal Data” Protection. This means to assure its Confidentiality and Privacy while under “Personal Data Processing Activities” performed by itself and its “Partners” within the scope of IcebergIQ-rendered services.

XII. Glossary

“Agreed Services” or “Services” means those Services being rendered by the Controller towards the Data Subject towards which he/she has agreed with and/or comprehending Processing legitimacy that derives from an existing and documented Lawful Basis.

“Controller” means the “Party” which determines the “scope," “purpose” and form of Personal Data Processing activities.

“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.

“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under applicable Personal Data Protection Legislation.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data” Treatment” and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.

“IT Landscape” means the set of IT assets and services of and at the disposal of either the Data Subject, IcebergIQ or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, firewalls, and web-based resources.

“Lawful Basis” means the enlisted lawful grounds that a Controller has to entice Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’ Explicit Consent towards those Personal Data Processing activities; the Controller’ Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitled it to proceed with such activities within the limits of GDPR ruling and inherent obligations.

“Partner” means any third-party entity (acting either as a Joint-Controller or Processor) towards which IcebergIQ may resort in order to ensure Personal Data Processing activities under an established Lawful Basis for Processing and exclusively within the scope of agreed Services.

“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject.”

“Personal Data Processing” means any operation or set of operations performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data."

“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller."