nQuerio Privacy Policy for Research Teams
Last updated: January 22, 2025
Introduction
At nQuerio ("we," "us," or "our"), we provide a platform (the "Platform") that enables researchers ("Researchers," "Research Team Users," "You," or "Your") to manage research projects involving the collection of online questionnaire data ("Projects" or "Studies") from participants ("Participants"). Our mission is to create a secure, user-friendly environment for effective data collection, analysis, and collaboration, while promoting the highest standards of practice in research.
We are committed to safeguarding personal information. This Privacy Policy explains how nQuerio collects, stores, and processes the data of Research Team Users when providing the Platform and related services. It also clarifies how we protect this data, the purposes for which we use it, and your rights regarding that information. This Privacy Policy applies to Research Team Users, including principal investigators and their authorized research staff. To learn about how Participant data is handled, please see our Participant Privacy Policy.
We aim to comply with all applicable privacy and data protection laws, including PIPEDA (Canada), GDPR (EU), HIPAA (USA), Law 25 (Québec), and Law C-27 (Canada). If there are conflicts between these laws, or if additional local/state/provincial laws apply, We will comply with whichever is more stringent (where relevant). By using the Platform as a Research Team User, you confirm your agreement to the collection and usage of data as described in this Privacy Policy. While we strive to adhere to the highest privacy standards, we acknowledge that this policy has not yet been audited by an external expert due to the size of our company and its resources. If you notice any flaws or have suggestions for improvement, we encourage you to reach out and inform us.
For Researchers who qualify as Covered Entities or Business Associates under HIPAA, nQuerio can sign a Business Associate Agreement (BAA) if needed. If your research involves Protected Health Information (PHI) as defined by HIPAA, you are responsible for ensuring compliance and notifying us so that we can execute a BAA and implement any additional safeguards.
Additionally, nQuerio has established an independent ethics committee to oversee and advise on our decisions, ensuring they align with the best practices in scientific research. This committee reinforces our commitment to ethical principles and high standards of data privacy and integrity.
If you have any questions, please contact our Data Privacy Officer (DPO) at:
privacy@nquerio.com
1. What Personal Data We Collect and Why
When you use the Platform in your capacity as a Researcher, we may collect specific categories of personal data. Below, we describe the data we collect and the purposes for which we collect it (unless otherwise explained at the time of collection), as well as the legal bases for processing it under applicable laws.
Account Information
What we collect:
- Details such as your name, country of residence, professional or institutional email address, institutional affiliation, primary research area(s), languages spoken, and the login credentials you create for the Platform.
Why We Collect It:
- To fulfill our contractual obligations with you (e.g., providing services).
- To create and manage your user account, authenticate logins, and maintain secure access.
- To communicate about system updates, project status, and technical support.
- To address user-initiated questions or requests.
- To send news, special offers, or information about our services (only if you have consented).
Legal basis for processing:
- Contractual Necessity (GDPR Art. 6(1)(b)): We need this information to provide the Platform’s core functionalities.
- Legitimate Interests (GDPR Art. 6(1)(f)): For internal business purposes such as promoting our services and enhancing security, in a way that respects individuals’ rights.
- Consent (GDPR Art. 6(1)(a)): Primarily for optional marketing communication or additional services if you opt in.
Mandatory vs. Optional Data
Certain personal data (e.g., name, email, affiliation) is required to create your account and enable essential Platform features such as project creation and secure access. If you choose not to provide this mandatory information, some or all of the Platform’s functionalities may not be available to you. Optional data (e.g., fields for specialized profile info) can be skipped without affecting core services.
Verification Information
What we collect:
- To confirm your identity and affiliation, we may send a verification link to the email address you provide at registration. If required, we may also ask for documentation confirming your affiliation with a particular organization or institution.
Why We Collect It:
- To validate your identity, authenticate your logins, and ensure compliance with any relevant institutional or regulatory requirements.
Legal basis for processing:
- Legitimate Interests (GDPR Art. 6(1)(f)): To enhance security, confirm identity, and help prevent misuse or fraud.
Research Project Data
What we collect:
- Any information or materials you create, capture, or upload onto the Platform—such as study designs, questionnaires, research protocols, reports, or academic biographies for Participants.
Why We Collect It:
- To allow you to create, manage, and administer research studies.
- To maintain audit trails, versioning, and project histories.
- To analyze trends and insights that might help improve the Platform.
Legal basis for processing:
- Contractual Necessity (GDPR Art. 6(1)(b)): Providing services and core features of the Platform.
- Legitimate Interests (GDPR Art. 6(1)(f)): Enhancing or expanding our service offerings.
Participant Response Data
Context:
- While we serve as a data controller for the personal data we hold about Research Team Users (as described in this policy), for personal data provided by Participants in your research Projects, we act as a data processor on your behalf. As the Researcher, you are the data controller for that Participant data.
What we collect:
- All data collected from Participants through any research Projects you create and host on the Platform.
Why We Collect It:
- To meet our contractual obligations (e.g., facilitating data collection and management).
- To enable data exports and analyses as needed by you via the Platform.
Legal basis for processing:
- Contractual Necessity (GDPR Art. 6(1)(b)): To provide the services you’ve contracted for, such as storing and making data available for analysis.
Special Categories of Data (GDPR Art. 9) & HIPAA
If your Project collects sensitive data (e.g., health, race, religious beliefs, biometric data) under GDPR Art. 9, or health information subject to HIPAA, you acknowledge that you act as the data controller for such data. nQuerio’s role is strictly that of a data processor, and we will apply the appropriate safeguards. You are responsible for obtaining all necessary consents and approvals to collect and process sensitive data in accordance with applicable laws.
Service Offers & Data Processing Agreement (DPA)
As of now, each research project you create on nQuerio is subject to a separate Service Offer from nQuerio, detailing the scope of services, fees, and data processing obligations. This Service Offer also serves as (or incorporates) our Data Processing Agreement (DPA) for that specific project, setting out the roles and responsibilities of both parties under applicable data protection laws (e.g., GDPR). By accepting the Service Offer, you acknowledge that nQuerio processes Participant data strictly in accordance with the terms of the DPA and your documented instructions.
If you have questions about this arrangement or require additional clarifications—such as tailoring the DPA for specific legal or institutional requirements—please contact us at privacy@nquerio.com.
Activity Data
What we collect:
- Logs of your Platform actions, such as login timestamps, pages or sections visited, and edits or updates you perform.
Why We Collect It:
- To maintain and improve Platform functionality and security.
- To gather analytics and enhance user experience, where permitted by law (e.g., usage metrics).
Legal basis for processing:
- Contractual Necessity (GDPR Art. 6(1)(b)): Maintaining critical system functions and features.
- Legitimate Interests (GDPR Art. 6(1)(f)): Strengthening security and refining the Platform for better user experience.
Correspondence
What we collect:
- Communications you send to us or exchange via the Platform’s messaging features, including message content, timestamps, and any social media usernames you provide.
Why We Collect It:
- To respond to your inquiries, provide technical support, and handle user-initiated requests.
- To enable communication with Participants through the Platform when applicable.
- (Optionally) To help train or improve our customer support processes in a de-identified or aggregated manner.
Legal basis for processing:
- Contractual Necessity (GDPR Art. 6(1)(b)): Providing the functionalities you expect, such as messaging capabilities.
- Legitimate Interests (GDPR Art. 6(1)(f)): Optimizing our support systems and ensuring secure, reliable services.
User Research
What we collect:
- From time to time, we may conduct user research to refine the Platform. If you agree to participate, we might invite you to join video calls or screen-sharing sessions. Recordings will only be made with your permission.
Why We Collect It:
- To continually seek ways to improve and innovate our Platform and services, informed by direct user feedback.
Legal basis for processing:
- Legitimate Interests (GDPR Art. 6(1)(f)): Gaining insights to enhance Platform design, features, and security.
- Consent (GDPR Art. 6(1)(a)): If you choose to participate and agree to recorded sessions.
Additional Legal Obligations
Please note that all the information described above may also be processed based on Legal Obligations (GDPR Art. 6(1)(c)) to comply with laws, regulations, and other legitimate requirements (e.g., PIPEDA, HIPAA, Law 25).
For example, we may process your personal data to:
- Confirm your identity and protect against fraudulent or unauthorized activity.
- Satisfy applicable legal and regulatory requirements, or respond to legitimate requests from public authorities.
- Uphold, defend, or exercise legal rights—whether ours, yours, or those of third parties—where needed.
- Review our internal practices for compliance with legal, contractual, and policy standards.
- Implement and enforce our Terms & Conditions or other agreements related to the Platform.
- Detect, investigate, prevent, or address threats to security, unauthorized access, or any unethical or illegal behavior (including identity theft or cyberattacks).
2. Disclosure or Sharing of Data
Published Information and User-Generated Content
Any information you include in study materials (e.g., questionnaires, protocols) may be visible to Participants or, if applicable, other users on the Platform. If you choose to post content in a public or semi-public forum on the Platform, that content may be accessible to others who visit or use that forum.
Your Organization, Institution, and Research Oversight
We may disclose certain information (e.g., your name, email address, and details of your research activities) to your organization or institution if they request it. This allows them to monitor adherence to internal guidelines, confirm compliance with research ethics standards, and prevent potential fraud or misuse of funds. In addition, we may share non-identifiable data with ethics committees, Institutional Review Boards (IRBs), or other regulatory bodies where necessary to fulfill research requirements or comply with institutional, academic, or government standards.
Service Providers, Suppliers, and Contractors
To deliver and maintain our services effectively, we work with trusted third parties. We may share personal data with:
- Hosting & Infrastructure Providers
For server hosting, database management, or cloud services.
- Verification & Security Vendors
To authenticate accounts, prevent fraud, and strengthen our Platform’s security.
We keep an up-to-date list of our service providers (data processors) and links to their privacy practices:
- DigitalOcean
- AWS
- Google Cloud Platform
- Cloudflare Turnstile
Professional Advisors
We may share your personal data with professional advisors—such as lawyers, auditors, accountants, or insurers—when needed. This sharing is limited to what is reasonably necessary for them to provide the contracted services or advice.
Authorities, Others, and Legal Requirements
We may disclose your personal data if required by law or when we believe, in good faith, such disclosure is necessary to:
- Comply with subpoenas, court orders, or other legal obligations.
- Protect and defend our rights, property, or safety, as well as those of our users or the public.
- Investigate or prevent potential misconduct, fraud, or other security risks.
- Assert, exercise, or defend against legal claims.
Business Transactions
If our company undergoes a merger, acquisition, restructuring, or sale of assets, we may transfer your personal data to the acquiring entity or its advisors. We require that any successor entity uphold privacy protections at least as robust as those described in this Privacy Policy. We will notify you if your data becomes subject to a new privacy policy after the transaction.
3. International Data Transfers
Your personal data is primarily stored on our servers located in Toronto, Canada, but may also be processed by third-party service providers in other countries. This means your information could be maintained on computers outside your own state, province, or country, where data protection laws may differ from those in your jurisdiction.
By submitting your information or using our services, you acknowledge and agree to these potential cross-border data transfers. We will take all steps reasonably necessary to protect your data in accordance with this Privacy Policy. This includes following recognized legal frameworks—such as adequacy decisions or standard contractual clauses—and applying any additional safeguards (e.g., encryption) required by local regulations.
We rely on recognized legal instruments such as the EU Standard Contractual Clauses (SCCs) for transfers of personal data from the European Economic Area (EEA) to countries not deemed adequate by the European Commission. In certain cases, we may also conduct Transfer Impact Assessments (TIAs) to evaluate the specific risks and implement any additional contractual, technical, or organizational measures needed to safeguard data transfers.
We work diligently to keep these transfers compliant with relevant regulations, ensuring your personal data remains protected at all times. We will not transfer your data to an organization or a country unless we are satisfied that adequate measures are in place to safeguard your personal information.
4. Data Storage, Retention, and Security
4.1 Data Storage Location
- Primary Location: By default, data is stored on secure servers located in Toronto, Canada, which undergo regular independent audits.
- Regional Requirements: We may host data in a region requested by You, Your Institution or mandated by local regulations to ensure compliance with jurisdictional requirements (e.g., GDPR for EU-based researchers).
4.2 Retention Periods & Deletion
We aim to keep personal data only as long as necessary for the purposes described in this Privacy Policy—or as required by law. Below is an overview of how we handle different categories of data:
- Account Information & Research Project Data
  - We retain your basic account details and relevant project information while you maintain an active account.
  - If you close your account, we typically retain these records for up to five years after account closure to comply with institutional record-keeping requirements, legal limitation periods, and potential audits. This timeframe aligns with standard practices for academic and institutional research record retention. After this period, data is either securely destroyed or anonymized, unless a legal obligation or ongoing dispute requires longer retention.
  - If your account becomes dormant yet holds any outstanding balances or ongoing obligations, we may keep data until those matters are resolved.
- Activity Data
  - Non-identifiable usage data (e.g., page visits, login timestamps, analytics) may be retained for up to 12 months from its creation for security, troubleshooting, and analytics.
  - Afterward, we may either delete this information or aggregate and de-identify it for longer-term analysis.
- User Research Data
  - If you participate in user research (e.g., product usability sessions), we will retain those recordings or notes only as long as they remain relevant to improving our services.
  - Once that data is no longer needed (e.g., the related feature is obsolete), we will delete or pseudonymize it.
  - You may also request deletion of any user research recordings that contain your personal data, and we will honor that request if no overriding legal requirement applies.
- Aggregated & Anonymized Data
  - We may create anonymized or aggregated records (e.g., usage statistics or demographic insights) that are not linked to an identifiable individual. We reserve the right to retain these records indefinitely.
- Exceptional Circumstances
  - We may keep certain data longer where required by law, where necessary to protect the vital interests of any individual, or in connection with ongoing legal claims, investigations, or other legitimate obligations.
Secure Disposal of Data
Once personal data is no longer needed for the purposes described in this Privacy Policy or any valid legal, contractual, or ethical requirements, we will securely dispose of it. This may include permanent deletion from our servers or transforming the data into an irreversible anonymized form.
Data Deletion Requests
You can request data deletion at any time by contacting us. We will honor valid requests in accordance with applicable regulations, though we may need to keep certain information where legally required (e.g., for compliance or dispute resolution).
4.3 Security Measures
- Data Encryption: We encrypt identifiable data both in transit (SSL/TLS) and at rest.
- Segregation of Identifiable Data: We maintain clear separation between Research Team User identifiable data (e.g., name, email) and other categories of data such as activity logs or research project files. When handling Participant data, we offer features that encrypt identifiable data and store it separately from anonymized or aggregated research data to reduce privacy risks. Since we act as a data processor on behalf of the Research Team Users in relation to Participant data, using this feature when applicable is the responsibility of the Research Team Users as data controllers of the Participant data.
- Access Controls: We strictly limit data access to authorized personnel—whether part of your Research Team or our own staff—in compliance with Canadian privacy laws (including Law 25). Additionally, any nQuerio staff member who is assigned to support or contribute to a research project must sign a confidentiality clause. A copy of this clause can be provided upon request, for example, if it is needed for ethics board submissions.
- Breach Notification: In the event of a data breach, we will notify affected individuals and relevant authorities without undue delay. Under GDPR, we strive to issue a notification within 72 hours of discovering the breach. Where other local laws require a shorter timeframe or different procedures, we will comply with those requirements.
- User Responsibilities: To help maintain a secure environment, you are responsible for safeguarding your login credentials. Do not share your password or account access with others. If you suspect unauthorized access or notice unusual account activity, you must notify us immediately so we can investigate and take protective measures.
4.4 “Do Not Track”
Our Service does not currently respond to “Do Not Track” (DNT) signals sent by web browsers. DNT is a browser setting intended to inform websites that you do not wish certain information about your webpage visits to be collected over time and across websites. You can learn more about “Do Not Track” at www.allaboutdnt.com.
If you visit external websites (including third-party links on our Platform), those sites may track your browsing activities. Refer to each site’s own privacy settings or policies to configure how they handle DNT signals. You can enable or disable DNT by adjusting the preferences or settings page of your web browser.
5. Rights of Research Team Users
nQuerio is committed to respecting Your rights regarding Your Personal Data. These rights may vary based on applicable data protection laws (e.g., GDPR), and certain limitations or exemptions may apply.
- Right to Access
You may have the right to confirm whether We are processing Your Personal Data and, where We do, to request and obtain access to that data along with certain information about how it is processed.
- Right to Rectification
You may request that We correct any inaccurate or incomplete Personal Data about You. You can also update some of Your own account details at any time in Your account settings.
- Right to Erasure
In certain circumstances (e.g., if the data is no longer necessary for the purposes for which it was collected, or if processing is based on consent and You withdraw that consent), You can request that We erase Your Personal Data. Please note that We may retain certain information as required or permitted by law, contractual obligations, or for legitimate research or ethical considerations.
- Right to Restrict Processing
You may request that We restrict the processing of Your Personal Data if, for example, You contest its accuracy or object to Our processing. Where processing is restricted, We may continue to store Your Personal Data, but will limit its use to the extent permitted by law.
- Right to Object to Processing
You may have the right to object to Our processing of Your Personal Data for purposes based on legitimate interests (including profiling). If You object, We will stop processing Your Personal Data unless We can demonstrate compelling legitimate grounds to continue. You can also object at any time to the processing of Your Personal Data for direct marketing (if applicable).
- Right to Withdraw Consent
Where We rely on Your consent as the legal basis for processing Your Personal Data, You can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before You withdrew Your consent.
- Right to Data Portability
Where applicable, You may request a copy of Your Personal Data in a structured, commonly used, and machine-readable format so that You can transfer it to another service or platform.
- Right to Complain to a Supervisory Authority
If You consider Our processing of Your Personal Data to be unlawful, You have the right to lodge a complaint with Your local data protection authority or other regulatory body with jurisdiction over data protection.
- Account Management and Data Export
  - Account Management: You can access and update Your account information at any time.
  - Data Export: You can export Your project-related data as allowed by Our platform features, noting that identifiable Participant data may be excluded unless Participants have provided specific permission.
- Account Closure
You may request closure of Your account, but We may retain certain data for legal, ethical, contractual, or security obligations.
How to Exercise Your Rights
You can submit a request to exercise any of the rights described above by contacting Us at privacy@nquerio.com. We may request specific information from You to verify Your identity and to process Your request. Whether or not We are required to fulfill Your request depends on various factors (e.g., legal obligations, the nature of the data, why We collected it). If We cannot fulfill Your request (in whole or in part), We will explain why, subject to any legal or regulatory restrictions.
We encourage you to contact us first at privacy@nquerio.com with any concerns or complaints. We strive to respond to all inquiries within 30 days. If you are not satisfied with our response, or believe we are processing your Personal Data in violation of applicable laws, you also have the right to lodge a complaint with your local data protection authority.
If You have any questions about these rights or how to exercise them, please contact Us at privacy@nquerio.com. We encourage You to contact Us first if You have any concerns or complaints, so We can address them directly.
6. Cookies and Other Tracking Technologies
We use cookies and similar technologies to:
- Enhance Your user experience and streamline navigation on the platform.
- Collect usage analytics to understand performance and improve features.
We will request Your consent before placing non-essential cookies on Your Device.
Here is a detailed list of the cookies we use and why:
| Cookie Name | Purpose |
| --- | --- |
| cf_clearance | Used by Cloudflare to verify the visitor’s clearance to access the website. Ensures continued access to the site under Cloudflare’s security checks. |
| nquerio_session | Maintains user session information to keep users logged in while interacting with the platform. |
| remember_web_[token] | Stores a persistent login token so users can remain logged in when returning to the platform. |
| XSRF-TOKEN | Protects against Cross-Site Request Forgery (CSRF) attacks by validating that requests originate from authenticated users. |
7. Children’s Privacy
Our platform is not directed at individuals under 18. Research Team Users should only collect data from minors in strict compliance with applicable laws and institutional review requirements, including explicit parental or guardian consent when required.
For U.S.-based Researchers, the Children’s Online Privacy Protection Act (COPPA) may apply when collecting data from children under 13. Our Platform is not intended for children under 13 without verifiable parental consent. If you conduct research involving children under 13 in the U.S., you must ensure compliance with COPPA’s requirements.
If We become aware of unauthorized collection of Personal Data from individuals under the minimum age, We will take steps to remove it. For minors participating in studies, additional safeguards apply as mandated by law.
8. Changes to This Privacy Policy
We continually refine our services, introduce new features, and monitor legal developments. As a result, we may update or modify this Privacy Policy to reflect changes in our practices or in applicable law. When we make significant revisions that affect your rights or obligations, we will:
- Post the updated version on our website, along with a new “Last updated” date.
- Provide a notice of the changes (e.g., via email or a banner on our Platform), especially if they have a material impact on you, and request your active consent to the updated terms where required by law.
Where local laws require, we will seek your consent for such changes. Otherwise, if you continue using our Platform after any updated version takes effect, you signify your acceptance of those changes. If you disagree with any modifications, please discontinue using our services. We encourage you to review this Privacy Policy periodically to remain informed about how we protect your information.
9. Data Privacy Officer (DPO) & Contact Information
Our DPO is responsible for:
- Monitoring and advising on data protection and privacy obligations within nQuerio.
- Serving as a point of contact for Research Team Users’ inquiries or complaints.
- Coordinating with authorities in the event of a breach or compliance issue.
If you have any questions or concerns regarding this Privacy Policy or the handling of your Personal Data, please contact our DPO:
Data Privacy Officer (DPO)
nQuerio
Email: privacy@nquerio.com
We are committed to collaborating with you to address and resolve any concerns about privacy and data protection.