IcebergIQ Privacy Policy
UPDATED JANUARY 18, 2024
1. INTRODUCTION AND WHAT THIS PRIVACY POLICY COVERS
2. COLLECTION AND USE OF PERSONAL INFORMATION
Personal Data Collection
What Personal Data Do We Process?
Types of Processing
The Principle of Data Minimization
3. DISCLOSURE OF PERSONAL INFORMATION WITH THIRD PARTIES
With Whom Is Personal Data Shared?
International Data Transfers and Safeguards Employed
4. RESIDENTS OF THE EUROPEAN ECONOMIC AREA ("EEA") & GDPR
5. RETENTION
6. STORAGE, LOCATION, AND TRANSFER OF PERSONAL INFORMATION
7. ACCESS, CORRECTION, AND ACCURACY
Submitting a Data Subject Request/Complaint
8. GLOSSARY
9. CHANGES TO THIS PRIVACY POLICY
Additional Information
1. INTRODUCTION AND WHAT THIS PRIVACY POLICY COVERS
This Privacy Policy describes how IcebergIQ processes Personal Data pertaining to natural persons who interact with IcebergIQ as website visitors, users of IcebergIQ resources or services, prospective Corporate Clients, Client representatives, and such Corporate Clients’ Customer representatives; meaning how such Personal Data is: collected; stored; accessed; processed and shared, both online and by other means, as well as which are the Lawful Bases towards such processing activities.
The primary goal of processing Personal Data is to identify those Data Subjects who are representing a company/organization or sole trader either in the role of the service provider (above-mentioned Corporate Client of IcebergIQ) or the Customer or Prospective Client of such service provider.
In terms of the Lawful Basis for processing activities, Personal Data is exclusively processed under the scope and purpose of agreed Services between IcebergIQ and its Corporate Clients via a Service Contract (acceptance of the terms of service) and/or the Data Subject him/herself (natural person to whom such data pertains) via his/her explicit consent towards required Personal Data processing activities, where it becomes the applicable Lawful Basis.
Regardless of which of the above applies, every Data Subject maintains full control over the Personal Data that pertains to him/her as well as the Personal Data processing activities undertaken by IcebergIQ (as Data Subject's rights defined both under the European General Data Protection Regulation [GDPR] and other personal data protection legislation that applies in the geography where the Data Subject resides).
IcebergIQ reserves the right to modify this privacy policy at all times by posting an updated version on its website. The version is timestamp indexed, while identified by the date at the beginning of this document after the title “IcebergIQ Privacy Policy.”
2. COLLECTION AND USE OF PERSONAL INFORMATION
The IcebergIQ Service Catalogue contains the following service:
Customer Experience and Product Feedback: Corporate Clients in need of feedback from their Customers and Prospective Customers hire IcebergIQ to schedule and conduct interviews, and provide an analysis back to the Corporate Client, including the recordings of such interviews.
Given what is described above as our Service Catalogue components, IcebergIQ processes Personal Data to enable the services within our Service Catalogue, which include the following purposes:
Provide the service as described above, including outreach to Data Subjects, scheduling and conducting of interviews, and providing this feedback to Corporate Clients;
Correspond with Data Subjects in regards to outreach and scheduling of interviewees;
Assess the professional feedback of those Natural Persons who act as representatives of the Corporate Client or the Customer or Prospective Customer;
Communicate and inform Corporate Client representatives about news and information related to our service. This occurs under a B2B perspective, nevertheless in some cases Personal Data is processed;
Receive and store information on those Natural Persons who act as representatives of both the Service Provider and its Client under the scope of specific rendered services;
Conduct marketing activities that fall under the Legitimate Interest and do not contradict the Rights of the Data Subject nor any legal ruling, since ours is a B2B service.
Personal Data Collection
IcebergIQ collects Personal Data either from its Corporate Clients or the Data Subjects themselves.
Where initial Personal Data collection results from a Contract with the Corporate Client and that entity surrendering Personal Data pertaining to a natural person who is not aware of such sharing, IcebergIQ will proceed according to the ruling under the General Data Protection Regulation (GDPR) article 14, meaning that natural person shall be informed (over a direct contact) about which Personal Data has been gathered by IcebergIQ, its source and the “purpose” and “scope” of processing plus his/ her rights under applicable personal data protection legislation.
Where Personal Data collection results from the operational delivery of IcebergIQ services, where applicable that occurs with the consent of the Data Subject or under an existing contract with the entity which employs that Data Subject. The Data Subject is always informed under the Right to Information that is determined by most personal data protection legislation around the globe and specifically the most demanding and comprehensive piece of such legislation at present, the GDPR.
What Personal Data Do We Process?
IcebergIQ processes the following categories of personal data and some examples of identifiers:
Identification Data: First and last name, email address, phone number, title
Corporate Information: Employer company, invoices content
Business context information: Background of opportunity dealings
Service Feedback: Experience, timeline, product feedback
As mentioned, although most of this data reflects the business relationship between companies/entities, it may (in some cases) also clearly mirror the perspective of a specific natural person, hence making it Personal Data.
Types of Processing
Personal Data is exclusively processed by IcebergIQ in a manual manner, meaning it is gathered and interpreted by humans; there is no automated processing or decision-making.
Business Profiling is an essential part of our Services, therefore, regardless of the fact that the goal is to qualify the existing status of business relationships, that may (in some cases) end up also constituting the qualification of the attitude of a natural person towards such business relationship, hence Profiling of the Data Subject.
The Principle of Data Minimization
IcebergIQ takes every reasonable step to ensure that Personal Data under its direct processing activities (as the Processor) as well as any and all Personal Data shared with its Corporate Client (as the Controller), is limited to the amount and type that is necessary to deliver its services as agreed to under the existing Service Contract.
Both unnecessary/irrelevant data (including Personal Data) shall not be processed or maintained, nor shall there be any redundant repositories; as no data or information shall typically be stored for any longer than required under the scope of agreed services and defined retention period.
3. DISCLOSURE OF PERSONAL INFORMATION WITH THIRD PARTIES
With Whom Is Personal Data Shared?
IcebergIQ relies on partners that act as Data Processors. None of those partners proceed with Personal Data processing activities outside of the scope of their Processor role under IcebergIQ Services, as per Data Processing Agreements in place between IcebergIQ and those partners. These partners may process data in the following ways: recording interviews (Zoom), transcribing interviews (Rev), storing client materials and research findings (Box, Airtable), and sharing project materials and customer contact information (Google Suite). Additionally, IcebergIQ shares the information and data that result from its services with its Corporate Clients.
Besides what has been mentioned above, IcebergIQ does not share Personal Data pertaining to its users with any third party entities.
International Data Transfers and Safeguards Employed
Some of IcebergIQ’s partners (Processors or Controllers) are established in 3rd countries (meaning not EU member states or within the European Economic Area), and therefore not enjoying an adequacy qualification by the European Commission pursuant to GDPR Article 45 ruling.
To make such transfers fully compliant with the GDPR, the Data Processing Agreements with those partners include the EU Standard Contractual Clauses in accordance with the European Commission Decision of 2020 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council and the recent outcome of the “Schrems II” court case ruling by the Court of Justice of the European Union (dated July 26th, 2020).
IcebergIQ ensures having internal security measures and processes in place as well as having performed a detailed assessment regarding such partners.
4. RESIDENTS OF THE EUROPEAN ECONOMIC AREA ("EEA") & GDPR
IcebergIQ processes Personal Data where the processing is necessary for the performance of a contract with our Clients, where the individual has provided consent, and otherwise where the processing is necessary for the purposes of the legitimate interests pursued by us or our Clients as data controllers.
When we process Personal Data on behalf of our Clients, we are acting as the data processor and our Client is the data controller.
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. IcebergIQ aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Information (known as “Personal Data” under the EU General Data Protection Regulation). You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us by emailing privacy@icebergiq.com. Note that where we act as the data processor on behalf of our Clients, you will be required to contact the data controller directly to exercise your rights.
Please note that we may ask you to verify your identity before responding to such requests.
5. RETENTION
General Retention Criteria
IcebergIQ will maintain Personal Data pertaining to its Corporate Clients’ users for the duration of the services plus as per legal requirements (e.g. invoices must be maintained by law for seven years after document date).
With regards to the Corporate Client’s Customers’ Personal Data, IcebergIQ maintains it for the term of the agreement or longer, according to mutual agreement with the Corporate Client.
In case of a potential legal dispute or for the period allowed by local legislation (in the geography where the Corporate Client is located) after the services contract has come to an end, IcebergIQ reserves the right under legitimate interest to maintain Personal Data that exclusively is relevant to allow legal defence.
6. STORAGE, LOCATION, AND TRANSFER OF PERSONAL INFORMATION
IcebergIQ is a digital company, which means that the overwhelming amount of data and information the company requires to operate is exclusively maintained in digital format on IT systems. IcebergIQ stores Personal Data in various cloud-based platforms (Airtable, Box, Rev, Zoom, Google Suite) and for various purposes, including recording and transcribing calls, housing the research, storing client materials, and sharing documents.
IcebergIQ acts as the Controller and these Partners as Processors, meaning they will not undergo any Personal Data Processing Activities towards information registered, submitted, or conveyed by IcebergIQ unless under the scope of contracted services which are agreed and documented under an existing “DPA between the parties.
7. ACCESS, CORRECTION, AND ACCURACY
Rights of the Data Subjects
Personal Data Protection Legislation allows those natural persons to whom Personal Data pertains to exercise certain rights, namely:
[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. IcebergIQ will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access.
[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:
Know the categories of personal information we collect and the categories of sources from which we got the information;
Know the business or commercial purposes for which we collect and share personal information;
Know the categories of third parties and other entities with whom we share personal information; and
Access the specific pieces of personal information we have collected about you.
[PIPEDA] Right of access – In all similar to the above description under the GDPR. Notwithstanding this fact and under section 38.13 of the Canada Evidence Act the disclosure of personal information of a specific individual is prohibited before a complaint is filed by that same individual in respect of a request for access to that information. The provisions of this Right do not apply to the information that is subject to the certificate following filing of complaint.
[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on IcebergIQ’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not IcebergIQ Customers.
[GDPR] Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by IcebergIQ erased and therefore Processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents IcebergIQ from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to deletion – Again in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/information. We may refuse the exercise of such right if it prevents us from exercising legal defence, we cannot do it driven from a legal obligation or there is the risk of by doing so, not being able to fulfil any open contractual obligations.
[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy has occurred under the Lawful Base of Legitimate Interest by the side of IcebergIQ. The exercise of this right may also occur where the Data Subject wishes to opt-out from an existing Service (and not necessarily canceling the Service). When exercising this right, the Data Subject must be specific about which processing activities are being requested to stop and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to opt out of sales – We do not sell your data.
[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. IcebergIQ will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on IcebergIQ’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not IcebergIQ Customers.
[GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized third parties within 72 hours of its occurrence.
[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding IcebergIQ’s processing activities over his/ her Personal Data towards any of the EU Member States’ data protection supervisory authorities. IcebergIQ is, however, also available to provide any clarification towards those Data Subjects who may feel that its processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, and to having such Personal Data processed in a secure manner with assurance of confidentiality. The Data Subject may submit a complaint via the request process defined below.
[PIPEDA] Right to submit a complaint – The natural person to whom Personal Data pertains may submit a complaint regarding the processing of Personal data to the Office of the Privacy Commissioner of Canada or to IcebergIQ.
[CCPA] Right to be free from discrimination– You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.
For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfil your request.
We will use the information you provide to make your CCPA rights requests to verify your identity, identify the personal information we may hold about you, and act upon your request.
We strongly recommend that you submit the email and postal address that you used when you created accounts, ordered subscriptions or signed up for a newsletter. After you submit a CCPA rights request, you will be required to verify access to the email address you have submitted. You will receive an email with a follow-up link to complete your email verification process. You are required to verify your email in order for us to proceed with your CCPA rights requests. Please check your spam or junk folder in case you cannot see the verification email in your inbox.
[PIPEDA] Right of Privacy – “… the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances …”; this means assuring the capacity of each natural person to decide upon WHICH Personal Data pertaining to him/ her can be Processed by WHICH entities under a specific “purpose” and “scope.”
Any Data Subject may exercise his/her rights under by reaching out to IcebergIQ’s DPO by email at privacy@icebergiq.com.
If you have questions, complaints, or wish to exercise your rights, please do make clear in your message:
Purpose: Your question, complaint, and how you wish to exercise your rights as a Data Subject under applicable personal data protection legislation.
WHAT triggered your need to contact us?
WHEN did the root cause which triggered the need to contact us take place?
Why the need to provide alternative personal contact?
The Data Subject or his/ her legally authorized representative are the only “entities” that may exercise these rights under applicable law, hence IcebergIQ is bound by law to ensure and document that the Data Subject or his/her legal representative has been the one interacting with the company while acting over his/ her Personal Data. The way to ensure such “authentication” with regards to Data Subjects who do not have digital credentials on any IcebergIQ web-based platform is to forward a code to that Data Subject via an alternative communication channel to the standard e-mail address which served the purpose of the initial contact and have the Data Subject, or the Authorized Representative submit such code back to IcebergIQ (this is a “two-factor authentication" method).
Important Note:
Since the GDPR is the most comprehensive enforceable piece of personal data protection legislation to date, and does not contradict any other existing personal data protection laws on the globe, IcebergIQ observes the GDPR’s ruling towards those natural persons whose Personal Data it processes despite the fact that where applicable/ required the company will also and foremost observe the ruling of local legislation.
SUBMITTING A DATA SUBJECT REQUEST/COMPLAINT
Under the scope of Personal Data Protection, the Data Subjects may address IcebergIQ via:
A written request, accompanied by all necessary information, to the following address: Unit 323 - 233 Carlaw Avenue, Toronto, Canada M4M 3N6
An e-mail to privacy@icebergiq.com
Miscellaneous
Links to Third-Party Sites. Our website may include links to other websites whose privacy practices may differ from those of IcebergIQ and belong to third-party entities that do not act as a Controller nor a Processor towards IcebergIQ services. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
How is Personal Data Processed in a Secure Manner?
IcebergIQ has its IT Landscape configured and monitored under the strictest security standards and has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under GDPR towards Personal Data protection. The intent is to assure confidentiality and privacy under Personal Data processing activities performed by IcebergIQ and its Partners within the scope of IcebergIQ-rendered services.
8,. GLOSSARY
“Agreed Services” or “Services” means those Services being rendered by the Controller towards the Data Subject towards which he/she has agreed with and/or comprehending Processing legitimacy that derives from an existing and documented Lawful Basis.
“Controller” means the “Party” which determines the “scope," “purpose” and form of Personal Data Processing activities.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under applicable Personal Data Protection Legislation.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data” Treatment” and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.
"IT LandscapeI” means the set of IT assets and services of and at the disposal of either the Data Subject, IcebergIQ or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, firewalls, and web-based resources.
“Lawful Basis” means the enlisted lawful grounds that a Controller has to entice Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’ Explicit Consent towards those Personal Data Processing activities; the Controller’ Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitled it to proceed with such activities within the limits of GDPR ruling and inherent obligations.
“Partner” means any third-party entity (acting either as a Joint-Controller or Processor) towards which IcebergIQ may resort in order to ensure Personal Data Processing activities under an established Lawful Basis for Processing and exclusively within the scope of agreed Services.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject.”
“Personal Data Processing” means any operation or set of operations performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data."
“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller."
9. CHANGES TO THIS PRIVACY POLICY
We may amend this Privacy Policy from time to time. Use of personal information we collect is subject to the Privacy Policy in effect at the time such information is collected, used, or disclosed. If we make material changes or changes in the way we use personal information, we will notify you by posting an announcement on our website or sending you an email prior to the change becoming effective. You are bound by any changes to the Privacy Policy when you use the website or services after such changes have been posted.
Additional Information
Questions regarding this Privacy Policy or IcebergIQ privacy practices should be directed to the Privacy Officer:
Data Privacy Officer/Data Protection Officer (DPO)
Mr. Rui Serrano
Portugal, European Union
IcebergIQ Inc, a company established at Unit 323 - 233 Carlaw Avenue, Toronto, Canada M4M 3N6, is the entity that acts as the Data Controller for this Privacy Policy and all data processing practices herein contemplated. All questions or requests regarding the processing of Personal Data may be addressed to privacy@icebergiq.com.
See our Canadian Privacy Policy here.