QRCSurvey ("we," "us," or "our") operates qrcsurvey.com and associated survey infrastructure. This policy explains how we collect, use, and protect personal data for three distinct groups: survey panel members, website visitors, and research clients. Where your rights differ by jurisdiction—GDPR, UK GDPR, CCPA, APPI, PDPA—we note that explicitly.
1. Data we collect and why
1.1 Panel members
When you join QRCSurvey as a panel member, we collect: name, email address, professional profile data (job title, company, industry, seniority), demographic information relevant to research targeting, and device identifiers used for deduplication and fraud prevention.
Legal basis (GDPR/UK GDPR): Consent (Art. 6(1)(a)) for marketing communications and optional profile attributes. Legitimate interests (Art. 6(1)(f)) for fraud detection and platform security. We maintain timestamped consent records with version tracking.
Retention: Active panel profiles are retained for the duration of panel membership. Inactive profiles (no activity for 24 months) are archived for 12 months then permanently deleted. Survey response data is retained for seven years for audit purposes, in anonymized form after 36 months.
1.2 Website visitors
We collect standard server log data (IP address, browser type, referring URL, pages visited, time on site) for security monitoring and analytics. We use Google Analytics 4 with IP anonymization enabled. We do not use third-party advertising cookies.
If you submit a contact form, we collect the information you provide (name, email, company, message content) and retain it for 36 months or until you request deletion.
1.3 Research clients
Client account data (contact information, billing details, study specifications) is retained for seven years to satisfy accounting and contractual obligations. Study-specific data—respondent files, quota specs, quality audit reports—is retained for five years unless the client requests earlier deletion subject to our data processing agreement.
2. How we use data
Panel member data is used to: match respondents to relevant studies, run our 23-checkpoint quality validation framework, prevent fraudulent participation, calculate and deliver survey incentives, and send study invitations and operational communications.
We do not sell panel member data to third parties. We do not use panel member data for advertising purposes outside the QRCSurvey platform. Anonymized, aggregated response data may be used for internal quality benchmarking and published research (see Section 5).
3. Data sharing
Survey response data delivered to research clients is governed by our Data Processing Agreement (DPA). Client DPAs specify data handling obligations, retention limits, and sub-processor restrictions. Clients receive response-level data, not panel member identity data, unless explicitly required by study design and consented to by panel members.
We share data with sub-processors necessary to operate our platform: cloud infrastructure (AWS, EU-region by default), analytics (Google Analytics 4), fraud detection signal providers (Sift Science, IPQS), and email delivery (Postmark). All sub-processors are bound by our data processing terms and operate under equivalent data protection standards.
We participate in cross-panel fraud exclusion sharing with three industry partner networks. Profiles flagged as fraudulent are shared in anonymized, hashed form only. No personally identifiable information is transmitted in these exchanges.
4. International transfers
QRCSurvey operates globally. Data from EU/EEA panel members is processed on EU-region infrastructure and transferred internationally only under Standard Contractual Clauses (SCCs) approved by the European Commission. UK panel member data is processed under UK GDPR SCCs. APAC panel member data is processed in compliance with the relevant national privacy law and APEC Privacy Framework cross-border transfer rules.
5. Your rights
Depending on your jurisdiction, you have the right to: access your personal data, correct inaccurate data, delete your data ("right to erasure"), restrict or object to processing, request data portability, and withdraw consent without affecting the lawfulness of prior processing.
California residents (CCPA): You have the right to know what personal information we collect, the right to delete, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination. To exercise these rights, contact [email protected].
To exercise any of these rights, email [email protected] with the subject line "Privacy Request" and specify the right you wish to exercise and your jurisdiction. We respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
6. Security
We are ISO 27001 certified (certificate number available on request). We implement AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and quarterly penetration testing by an independent security firm. We maintain a documented incident response plan and notify affected parties of breaches within 72 hours of detection, as required by GDPR Article 33.
7. Cookies
We use strictly necessary cookies (session management, security), functional cookies (user preferences), and analytics cookies (Google Analytics 4, with IP anonymization). We do not use advertising or targeting cookies. You can manage cookie preferences through our consent banner or by adjusting your browser settings. Declining non-essential cookies does not affect your ability to use the site.
8. Contact and supervisory authority
Data Protection Officer: [email protected]
If you are located in the EU/EEA and are not satisfied with our response to a privacy request, you have the right to lodge a complaint with your local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO).
Changes to this policy will be posted at this URL with a revised effective date. Material changes affecting panel member rights will be communicated by email to active panel members at least 30 days before taking effect.