Last updated on: October 17, 2023
Data Processor, or the entity that processes your data: Sawtooth Software Inc and Sawtooth Software UK Limited (“Sawtooth,” “we,” “our,” or “us”).
Data Controller(s): The survey author and/or entity that the survey relates to – a customer/user of ours or the client of our customer/user.
Data Recipient(s): The survey author, entity that the survey relates to, Sawtooth, and/or our sub-processors (e.g., Rackspace, AWS, or Microsoft Azure).
1. Why have I been directed to this webpage?
The general information published on this page is intended to supplement the specific information that you might have already been given (for example, the consent and privacy notice provided to you before or at the time of the research or survey) in connection with your participation in a research study conducted by us or a user of our survey software/application. The below information – which we are obliged to supply you with – applies to all data collected via our software/application. In the event that there is any contradiction between this general information and the specific information that you have already been given, the specific information takes precedence.
2. Who will process my personal information?
The information published in this notice applies to the use/process of the data collected during a survey, which may or may not include personal information; and Sawtooth Software (www.SawtoothSoftware.com) is the entity that provides the Data Controller with the software, web hosting, and/or application to process/store your survey data.
Sometimes, we are asked by the Data Controller to analyze the surveyed data. When that happens, we store the surveyed data that has been shared with us along with any additional personal information (if any) that the Data Controller includes while we analyze the data on behalf of the Data Controller.
Very rarely, we are asked by the Data Controller to design and complete the entire survey project. In that case, we are a joint Data Controller and a processor. Please contact us if you have questions about Sawtooth Software’s role in your particular survey project.
We use sub-processors, such as Rackspace, AWS, or Microsoft Azure, to store your data. Unless a customer or user requests for a data center in a country of his/her choice prior to the collection of your information, your information will be stored in the United States.
As the processor of your survey data, we generally do not access or view this information. The data is encrypted both at rest and in transit for security. Our sub-processors and data center service providers have restricted visibility for monitoring purposes only, and there is a low likelihood of human access to your data from these entities. Any exceptions to this general rule are detailed in the following paragraph.
On infrequent occasions, data may be accessed by our support and cloud engineering teams. This access is primarily for technical support, troubleshooting, and fixing technical issues. This is typically performed under the Data Controller’s direction or consent. Additionally, our Analytics team, under contractual agreements with Data Controllers, may have full access to your data for the purpose of specialized analysis, such as conjoint studies. If the Data Controller opts not to anonymize, de-identify, or tokenize the survey data, there's a possibility we could access your personal information. We treat such data as confidential data and only use it in authorized ways.
3. What are the types of personal data to be processed/transferred?
The Data Controller should inform you about the types of personal data that it intends to collect, process, transfer, and share in connection with the specific research study or survey project that you are participating in.
Please note that our software and application have the capability of collecting IP addresses and other system information. Whether your IP address (a type of personal information) is collected depends on whether the Data Controller elects to use this option.
Because we are almost always not in charge of the design of the research/survey design, we do not know the types of personal data that each Data Controller wishes to collect from their survey respondents. Hence, please review the Data Controller’s privacy notice provided to you prior to or at the time of the survey, or please contact the Data Controller for this information.
4. Is my personal data being transferred to a third country?
If you are a survey respondent outside of the United States, yes, your data will likely be transferred to a data center in the United States by default. We are not an entity that is self-certified in the EU-US Data Privacy Framework, we rely on EU/UK approved Data Processing Agreement, Standard Contractual Clauses, and additional supplementary measures (e.g., Transfer Impact Assessment) as the appropriate transfer mechanism.
However, sometimes, the Data Controller chooses to self-host the surveyed data. In that case, where your data resides is out of the control of Sawtooth Software, so you would need to contact the Data Controller to determine where they store data.
5. What is the purpose and legal basis of the processing?
In general terms, the Data Controller uses your data (including basic or sensitive personal information if any) to carry out academic or corporate market research. For specific information, please review the Data Controller’s privacy notice at the time of the collection of your personal information.
Sawtooth Software processes your data for the purposes of (1) survey data storage, (2) survey data transfer in the cloud, (3) troubleshooting technical issues, and/or (4) survey data analysis on behalf of the Data Controller.
Unless the Data Controller states otherwise in its privacy notice, the legal basis for us to process your information is consent. If you are a survey respondent who intends to submit your personal information to a survey, the Data Controller may be required to obtain your consent for the collection and the processing of your personal information prior to or at the time of the survey.
Types of research that may require consent as the legal basis:
- Panel research
- Qualitative and quantitative research based on free-found recruitment; random dialed telephone interviews
- Customer satisfaction research (not from client databases)
- Online surveys (e.g., web based or audience measurement surveys)
- Demographic segmentation based on research surveys
- Tracking based digital market research
Please note that your consent to use your personal information should be separate from your ethical consent to participate in a particular research study/survey project.
You are not legally or contractually obliged to supply us with your personal information for processing.
6. How can I access my personal information?
If you are a resident in the EEA, and your personal information is processed by us, you have the rights to:
Art. 13 GDPR – Information to be provided where personal data are collected from the data subject
Art. 15 GDPR – Right of access by the data subject
Art. 16 GDPR – Right to rectification
Art. 17 GDPR – Right to erasure (‘right to be forgotten’)
Art. 18 GDPR – Right to restriction of processing
Art. 20 GDPR – Right to data portability
Art. 21 GDPR – Right to object
Art. 22 GDPR – Automated individual decision-making, including profiling
If you are a resident in the state of California, and your personal information is processed by us, you have the following rights:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
Please contact the Data Controller first if you wish to exercise any one of your rights listed above. You may find the contact information of the Data Controller in the privacy notice provided to you by the Data Controller prior to or at the time of the survey. Where possible, we may assist if we have access to or control over your data.
If you have any questions regarding your rights in this context, please contact us at privacy@sawtoothsoftware.com.
7. How long is my information kept?
We keep your information for as long as the Data Controller (more specifically the researcher/survey author) keeps your information in our software, web hosting, or application. Please review the Data Controller’s privacy notice provided to you prior to or at the time of the survey, or please contact the Data Controller for this information.
8. Is my information shared with anyone?
Other than our sub-processors, we do not share or disclose your data with anyone else. We will never sell your data including your personal information.
However, we do not know what the Data Controller does with your data or personal information. Please review the Data Controller’s privacy notice prior to or at the time of the collection of your personal information and data.
9. Who can I contact?
If you have any questions about the processing of your data, please feel free to contact us.
|
Name and contact details |
Data Protection Officer |
UK Subsidiary |
|||
|
Name |
Sawtooth Software, Inc. |
Name |
Gary Baker |
Name |
Sawtooth Software UK Limited |
|
Address |
3210 N Canyon Rd, Ste 202, Provo, Utah, 84604 USA |
Address |
3210 N Canyon Rd, Ste 202, Provo, Utah, 84604 USA |
Address |
c/o Moore (Nw) LLP, Centurion House, Manchester, M3 UK |
|
|
|
|
|||
|
Telephone |
(801) 477-4700 |
Telephone |
(801) 477-4700 |
Telephone |
+44 (0)16176 85267 |
10. How do I complain?
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint. In the UK, please contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (https://ico.org.uk/). In the European Economic Area, please contact the Supervisory Authority in your country. If you are a resident in the state of California, please use this form: Complaint Form - California Privacy Protection Agency (CPPA).