Effective date: 9 July 2021
Your privacy is important to the Forsta group (which includes Confirmit, FocusVision, and Dapresy) (“Forsta”, “we,” “us,” or “our”). Forsta provides our customers with a wide array of tools so they can turn insight into stories that fuel action. If you would no longer like to be contacted by one of our customers that use our services, please contact the customer directly.
This privacy notice discloses the information practices for Forsta web sites (forsta.com, confirmit.com, dapresy.com, focusvision.com), our recruitment efforts, our relationships with vendors and partners, and our mobile applications (including AskMe, CAPI, Mobile Panel, SODA, and Confirmit Go), including what type of information is gathered and tracked, how the information is used, and with whom the information is shared.
This notice applies to personal data collected about Forsta customers, vendors, partners, web-visitors, registered account holders of our products, mobile app users, and applicants to positions at Forsta.
2. When does Forsta process my data?
There are two types of situations in which we may process your personal data.
2. A. For the first type, Forsta acts as on behalf of its customers, meaning we do not determine the purpose or means of the processing ourselves and instead our customers do (usually as a software-as-a-service (“SaaS”) provider for companies conducting data collection and reporting activities via the Internet or mobile apps). You may be submitting responses to web surveys or app surveys via mobile devices, and the template of the survey may state “Powered by Forsta.” or similar. Surveys launched by Forsta’s customers may be hosted on Forsta’s SaaS environments, or alternatively they may be hosted on the customer’s own servers. In this situation, Forsta is sometimes called the ‘data processor’ or ‘service provider’.
In these cases, please be aware that it is our customers who are initiating or performing the data collection, who determine from whom to collect personal data, and who define how to use the collected personal data. Our customers are often called ‘data controllers’ in such case. For more details about how a Forsta’s customer intends to use your personal data, please refer to the privacy notice of the Forsta customer from whom the email or the web survey originates. If you would no longer like to be contacted by one of our customers that use our services, please contact the customer directly.
In these cases, Forsta will process any and all personal data uploaded to or collected via the SaaS by our customers. However, Forsta intends to process such personal data with appropriate and adequate safeguards to prevent unauthorized breach or use. For more information related to Forsta’s role as a data processor, please see Section 3 below, “Forsta as a data processor.”
2. B. The second type of situation where we may process your personal data is when we interact with our customers, prospective customers, potential recruits, vendors, and partners, often through the Forsta websites. Forsta usually acts as the data controller in these instances as described in this notice. See Section 4 below for more information about these situations.
3. Forsta as a data processor
3.A. Our role as a processor
In relation to our roles as SaaS provider and data processor, Forsta processes information under the instructions of its customers and has no direct relationship with the individuals whose personal data Forsta collects or processes on behalf of its customer.
If you seek access to correct, amend, or delete inaccurate personal data, or if you seek to invoke any other rights in respect to the personal data under applicable laws, you should direct your query to Forsta’s customer as the data controller. We will honor and support any instructions our customer provide us with respect to your personal data. If Forsta is requested by Forsta’s customer to take actions on personal data (access, update, export, delete or other as required), we will respond within a reasonable timeframe in accordance with applicable laws.
If you would no longer like to be contacted by one of our customers that use our SaaS service, please contact the customer directly.
If you have reached out to our customer and are not getting a reply, you may approach Forsta in accordance with section 6 below.
3.B. Data storage, data access, data transfers, and data retention
Personal data that our customers collect from you may, subject to adequate confidentiality undertakings, and for the sole purpose of providing our customers with the services they have contracted from us, be accessed by personnel, contractors, and third-party services providers of Forsta and its affiliates. In any such case, the personnel granted access to your personal data will have been deemed by their managers to have a reasonable business need to do so.
Where Forsta transfers personal data to one of our affiliates or sub-processors, we will have legally compliant transfer mechanisms in place. See more details in Section 4.F. below.
For purposes of complying with data privacy laws throughout the EEA, Switzerland, the UK, and other jurisdictions, where Forsta transfers personal data to an entity which is outside of the EEA and in organized a jurisdiction which has not received an ‘adequacy decision’ or similar from the jurisdiction from which the data is being transferred, Forsta makes such transfers only if subject to an adequate transfer mechanism as described by applicable data privacy law, e.g., standard data protection clauses.
We will retain personal data our customers have instructed us to process for them for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Our customers can at any time instruct for such personal data to be updated, exported, deleted, or as otherwise required. Forsta will retain personal data as necessary to comply with our legal obligations, resolve disputes, and in accordance with our customer agreements.
3.C. Security measures
Forsta operates under a strong security and privacy regime. If your personal data is stored on Forsta’s SaaS environments, you are welcome to read more about how we protect your personal data by applying industry leading security measures and performing ongoing security tests and controls. For Horizons, please refer here. For Dapresy, please see here. For FocusVision, see here.
3.D. Device information
When you download and use mobile apps produced by Forsta, at the instruction of our customers we automatically collect information on the type of device you use, operating system version, and where applicable, the device identifier (or “UDID”).
The mobile apps do not require location permission in order to be used. However, our customers who are using our mobile apps in order to collect personal data from you may request that the mobile apps collect your precise geolocation. Should location be requested, you will be prompted by the operating system of your device with a message that the mobile app has requested to access the device location (please note that Android OS 6 or older versions lack of this feature). You can accept or reject that request. If permission has been granted, this permission can be later changed at any time under the operating system settings area.
Depending on our customers’ use of the mobile app, the mobile app may also use beacons or similar technologies as part of the survey taking.
If you would no longer like this information to be used, please contact our customer directly.
3.E. Cookies and tracking technologies on the SaaS environment
4. Forsta as a data controller
4.A. Our role as a data controller
The security of your personal data is important to us. We follow generally recognized industry standards and all legally required measures to protect the personal data submitted to us during transmission and once it is received. In general, you can visit Forsta on the Internet without telling us who you are and without giving any personal data about yourself, except that we may log IP address and geolocation. There are times, however, when Forsta or our partners may request additional personal data from you to serve legitimate purposes.
Forsta will act as a data controller where, for example, you visit our websites and provide us with your contact details to obtain access to resources, or where we store your details as part of our management of accounts you have with us in your role as a customer. Forsta also acts as a data controller during recruitment processes, see section 4.Q below. Where Forsta acts as the data controller, you may choose to provide us with your personal data in a variety of situations. For example, you may want to give us information such as your name, physical address, email address, zip code, resume, phone number, and additional contact information. We intend to let you know how we will use such information and seek your consent when required by applicable laws before we collect it from you.
You may at any time revoke your consent or invoke rights in relation to the personal data provided to us in accordance with applicable laws. If you tell us that you do not want us to use this information to make further contact with you beyond fulfilling your requests, we will respect your wishes. If you give us personal data about somebody else such as a spouse or work colleague, we will assume that you have his or her permission to do so.
Forsta will also act as data controller when processing personal data for administrative and operational purposes related to our provision to customers of services under agreements we have with them. Processing of such personal data will serve administrative and operational purposes such as account management, invoicing and financial reporting, data protection and cybersecurity, and complying with our legal obligations.
Forsta does not request the disclosure of special categories of personal data or sensitive data.
You may contact Forsta in order to invoke your rights as a data subject under applicable laws in accordance with section 6 below.
4.B. Information required by applicable data privacy laws
- If you are located in the European Economic Area, the UK, or Switzerland and Forsta controls your personal data, Confirmit AS is the specific data controller responsible for your personal data unless otherwise stated in another more specific privacy notice. The operations of Confirmit AS are Forsta’s main establishment in the EEA for EU GDPR purposes. Confirmit AS can be reached at DataProtectionOfficer@confirmit.com. The operations of Confirmit Ltd. are Forsta’s establishment in the UK for UK GDPR purposes. It can be reached at DataProtectionOfficer@confirmit.com. The data protection officer for Forsta can be reached at DataProtectionOfficer@confirmit.com.
- Further contact details of our data protection officer are available in section 6 below.
- The purposes of the processing are either stated in the consent note we obtain from you prior to processing your personal data, or alternatively:
- To fulfill your transaction request;
- To provide you with a subscription;
- To provide you with support and consulting services;
- To verify your identity;
- To provide information on products, services, or callback requests;
- To send you specific marketing materials;
- To allow our business partners to contact you for marketing purposes;
- In connection with a job application or inquiry;
- To contact you about employment consideration; and
- To invite you to complete web surveys.
- The recipients of your personal data will be selected Forsta employees and third parties such as affiliates, hosting providers, web-based software tool providers, and contractors working for Forsta. All such recipients will always be under contract with Forsta ensuring data protection levels equivalent to those set forth in this privacy notice and required by applicable law. Further details may be provided upon request.
- Data Retention – We will retain your personal data for as long as reasonably necessary in accordance with the purpose of the processing as communicated to you as part of the consent or privacy notice.
- We will retain personal data we process about our customers for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Forsta will retain such personal data as necessary to comply with our legal obligations and to resolve disputes.
- When we have no ongoing legitimate purpose to process your personal information, we will either delete or anonymize it. In cases where your personal information has been stored in backup archives, we will securely store your personal information, isolate it from any further processing and anonymize or delete it as soon as possible.
- To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
- You have the right to seek access to and rectification or erasure of your personal data in accordance with applicable laws as set forth in section 6 below.
- Where our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time as set forth in section 6 below.
- Where applicable laws so prescribe, you have the right to lodge a complaint to a supervisory authority.
4.C. Information for Forsta business partners
If you represent a Forsta business partner, you may visit a Forsta website intended specifically for Forsta business partners. We may use information provided on that site to administer and develop our business relationship with you, the business partner you represent, and Forsta business partners generally.
4.D. Information for Forsta customers
If you work for a Forsta customer, you may visit a Forsta website intended specifically for Forsta customers. We may use information provided on that site to administer and develop our business relationship with you, the customer for which you work, and Forsta customers generally.We may also collect and process your personal data as necessary for the performance of the contract in place between the Forsta customer and Forsta in accordance with applicable data privacy laws.
4.E Other Forsta website notices
In some cases, specific Forsta websites may contain other notices about their use and the information practices applicable to those sites. Such notices will supersede this notice if it is not directly referenced.
4.F Cross-border flows of personal data
Forsta is a global organization with legal entities, business processes, management structures, and technical systems that cross borders.
Our privacy practices are designed to provide protection for your personal data in accordance with the laws applicable to each respective Forsta affiliate.
We may share your personal data within Forsta, or with service providers and transfer it to countries in the world where we or our service providers do business.
Transfers of your personal data between the Forsta group of companies are made subject to intra-group personal data transfer agreements which include the use of appropriate transfer mechanisms. Transfers of your personal data from the Forsta group of companies to their respective service providers will be subject to adequate contractual terms, including where required, EU/UK Model Clauses.
Some countries may provide less legal protection for your information. In such countries, Forsta will handle information in the manner we describe in this privacy notice.
4.G. Sharing with Services Providers and Business Partners
We may share your information with third parties who provide services on our behalf to help with our business activities under contractual terms providing adequate protection to your information. These companies are authorized to use your personal data only under our instructions and only as necessary to provide the contracted services to us. These services may include:
- Sending marketing communications
- Fulfilling subscription services
- Conducting research and analysis
- Providing data center facilities
Before we share personal information, we enter into written agreements with recipients which contain data protection terms that safeguard your data.
4.H. Passive collection
As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring and exit pages, the files viewed on our site (for example, HTML pages, graphics, or other), operating system, date and time stamp, and clickstream data to analyze trends in the aggregate and administer the site.
4.I. Cookies and Tracking technologies
Social Media Features – Our sites and services may include social media features, such as Facebook “Like” button and Twitter re-tweets, as well as share buttons or interactive mini-programs. These features collect the user’s IP address, the pages visited on the site or service, and set cookies to enable the features to function properly. Social media features are either hosted by a third party or hosted directly on the Website. Interactions with these features are governed by the privacy notices of the social media companies that provide them.
4.J. Mobile analytics
We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record information such as how often you use the application, the events that occur within the application, individual and aggregated usage, performance data, and from where the application was downloaded. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.
4.K. Service quality monitoring
Certain web transactions may also involve you calling us or our calling you. Please be aware that it is Forsta’s general practice to monitor and in some cases record such calls for staff training or quality assurance purposes.
4.L. Personalized URL link
On occasion, we may personalize and customize websites for certain visitors. If you visit one of these sites, you may find it customized with references to products and services that we believe may be of interest to you based on your previous interactions with Forsta and information you have provided to us. While you are visiting these websites, we may collect information about your visit to better tailor the site to your interests. An invitation to visit one of these websites is usually presented as a personalized URL in an email, a notice on a website registration page, or as a response to you logging on to a certain website.
4.M. Disclosures required by law or to fulfill a business transition
We may also disclose your personal data as required by law such as to comply with a subpoena or other legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. If Forsta is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email or a prominent notice on our website of any change in ownership, uses of your personal data, and choices you may have regarding your personal data. We may also disclose your personal data to any other third party with your prior consent.
4.N. Links to non-Forsta websites
Forsta websites may contain links to other websites. Forsta is not responsible for the privacy practices or the content of those other websites.
4.O. Notification of changes
4.P. Information we acquire from third parties
We may receive information about you from other sources including publicly available databases or third parties from whom we have purchased data and combine this data with information we already have about you. This helps us to update, expand, and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal data about others or if others give us your information, we will only use that information for the specific reason for which it was provided to us.
Examples of the types of personal data that may be obtained from public sources or purchased from third parties and combined with information we already have about you may include purchased marketing data about our customers from third parties that is combined with information we already have about you to create more tailored advertising and products.
During recruitment processes, we will be in need of processing personal data about job applicants. Such processing will be in compliance with the laws of the jurisdiction in which we recruit. Our processes for retention and deletion of documents and data related to recruitment processes is set forth in “Forsta HR Data Retention Policy”. For any questions, please see Section 6 below.
4.R Do Not Track Signals
We do not collect or respond to Do Not Track signals and our websites do not function differently based on any Do Not Track preferences that may be received. For more information on Do Not Track signals, please visit https://allaboutdnt.com/.5. Forsta’s notice regarding the California Consumer Privacy Act (“CCPA”) (For California Residents)
Please note that this section relates to our direct consumers, such as business contacts who work for our customers. If you are a consumer of one of our customers (the business which sent you the survey which lead you here, for example), please contact that company directly, such as through the contact methods they provide in their privacy notices. We will not be able to carry out your requests to exercise your rights under the CCPA in relation to personal information controlled by our customers.
- Your Rights: Subject to certain exceptions, the CCPA affords you the following rights:
- Right to know/access personal information collected, disclosed, or sold.
- You have the right to request that we disclose the following information for the 12-month period preceding your request:
- The categories of personal information that we have collected about that consumer;
- The categories of sources from which the personal information was collected;
- The business or commercial purpose for collecting or selling the personal information;
- The categories of third parties with whom we share the personal information; or,
- The specific pieces of personal information we have collected about that consumer.
- Right to Request Deletion of Personal Information
- Right to Not Be Discriminated Against
- You are able to opt out of our sale of your personal information to third parties. You may do so by clicking here: “Do Not Sell My Personal Information.”
- We collected the following categories of personal information from consumers over the past twelve months:
- We have not sold personal information of consumers in the past twelve months.
- We have disclosed personal information to service providers for a business purpose in the past twelve months. The categories of personal information we disclosed are stated in the table above. We have contractual requirements in place with our service providers so that they will not further collect, sell, or use personal information except as necessary to perform our business purpose.
- We do not sell personal information of minors under 16 years of age without affirmative authorization.
To make any requests pursuant to this section, or if you have any questions or comments for us in regards to this section, please contact us at email@example.com. Alternatively, you can opt-out from Forsta’s newsletters, or from Forsta selling your data, at this website. See also Section 6 below.6. Privacy questions, access rights, incident reporting
If you have any questions about how we use your personal data or about this privacy notice, you can send an email to firstname.lastname@example.org. You can also contact us by mail at 300 Seventh Ave., 3rd Floor, New York, NY 10001, or you may contact us at the physical addresses of the office closest to you, see our list here.
If you would like to reach Forsta’s Data Protection Officer (as defined under the GDPR) you can contact DataProtectionOfficer@confirmit.com.
If you have an unresolved privacy or personal data use concern that we have not addressed satisfactorily, please contact your local data protection authority.
Upon request, Forsta will provide you with information about whether we control any of your personal data on our own behalf. If you wish to obtain a copy of particular information you provided to Forsta, if you become aware that the information is incorrect and you would like us to correct it, update it, or delete it, if you would like to exercise any of your legal rights such as those in relation to updating your preferences regarding how we use your personal data, or to withdraw consent, contact us at email@example.com. We will respond to your access request within a reasonable timeframe within the timelines prescribed by applicable law.
If you are enquiring or exercising any of your legal rights or want to withdraw your consent on behalf of personal data we collect and process under the instructions of our customers (see section 3 above), please direct your query to our customer, which is the data controller. If you contact our company in relation to this, we are under obligation to refer your enquiry to the data controller. We will honor and support any lawful instructions they provide us with respect to your personal information.
Before Forsta can assist you, provide you with any information, or correct any inaccuracies, we may ask you to verify your identity and to provide other details to help us to respond to your request. We will endeavor to respond within an appropriate timeframe.
Should you want to report an incident relating to Forsta’s security, confidentiality, or privacy, you are welcome to file a report by entering required data at http://securityincident.confirmit.com. Alternatively, contact firstname.lastname@example.org. International Transfers
For purposes of complying with data privacy laws throughout the EEA, Switzerland, and the UK, where Forsta transfers personal data to an entity which is outside of these areas and in organized a jurisdiction which has not received an ‘adequacy decision’ or similar from the relevant regulatory body, Forsta makes such transfers only if subject to an adequate transfer mechanism as described by the relevant data privacy law, e.g., standard data protection clauses, model clauses, standard contractual clauses, etc.
As related to transfers from the EU/Switzerland to entities organized in the USA, Forsta’s US-based affiliates (Confirmit, Inc., FocusVision Worldwide, Inc.) remain certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (see the U.S. Department of Commerce’s Privacy Shield List), and committed to the Privacy Shield Principles when processing personal data. However, Forsta does not rely on Privacy Shield for transfers of personal data to the USA due to the recent CJEU verdict that has invalidated it, instead relying on approved standard contractual clauses between our contractors, vendors, and affiliates.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Forsta continues to be subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Forsta may be required to disclose personal data in response to lawful requests by public authorities including to meet national security or law enforcement requirements.
Under certain conditions more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.8. Disclaimer
Note that Forsta as a provider of online survey software enables its customers to send emails to individuals asking them to participate in market research surveys or to provide customer and employee feedback. Forsta does not authorize, approve, or in any other way bear responsibility for emails sent out by customers.9. Minors and Children under the Age of 13
Forsta does not allow children under the age of 13 or children considered “Minors” as designated by the laws under which they fall, to use any of our services without proper consent from a parent or legal guardian. If you believe we might have any information from or about a Minor that was collected without proper consent, please contact us at the address provided below.10. Definitions
In this privacy notice, the term “personal data” includes:
- Under the laws of the United States, personal data shall include any “non-public personal information” as that term is defined in the Gramm-Leach-Bliley Act found at 15 USC Subchapter 1 §6809(4), and “protected health information” as defined in the Health Insurance Portability and Accountability Act found at 45 CFR §160.103.
- Under the laws of the countries in the European Economic Area (“EEA”), personal data shall have the meaning given to it in Directive 95/46/EC (the “EU Directive”) and in the General Data Protection Regulation (“GDPR”).
- Under the laws of Australia, personal data shall include information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.
- Under the laws of California, personal data shall include any “personal information” as that term is defined in the California Consumer Privacy Act (“CCPA”) §1798.140(o).
“Data controller” means the party that determines the purposes or means of the processing of the personal data.“Data processor” means the party that processes the personal data on behalf of the data controller.“Personal information” generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.