Privacy GDPR/CCPA


Alchemer GDPR/CCPA Command Center

Privacy 101

GDPR – Applicable to EU-based businesses and any business that controls or processes the data of EU citizens are required to comply with GDPR starting May 25, 2018 and beyond. This set of laws is the latest effort to ensure everyone has control of their data, and knows exactly where and how it’s used – requiring individual consent.

CCPA – This sweeping legislation creates requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information of residents of the State of California.

We are a business of data integrity

With Alchemer, you can have a peace of mind that data is collected, stored, and processed with the appropriate levels of sensitivity – always meeting or exceeding GDPR / CCPA compliance.

Centralized information always accessible

This is our central space where all things GDPR/CCPA are monitored. Stay informed with our GDPR/CCPA compliance and ongoing data privacy initiatives centralized here.

Disclaimer: While we confer with counsel and in-house compliance and security on various data privacy policies and regulations like the GDPR/CCPA, do not mistake this information to be a substitute for legal advice.

Latest GDPR/CCPA News & Resources

Alchemer’s Commitment to GDPR and CCPA

Alchemer is undertaking a number of efforts to not only comply with but to exceed the spirit of the regulation.

Alchemer and GDPR

  • Our GDPR Compliance

    open close
  • Documentation

    Information We Hold 

    We have conducted data audits to map data flows.

    We have documented what personal data we hold, where it came from, who we share it with, and what we do with it.

    Accountability and Governance

    Accountability 

    We have appropriate data protection policies, controls, and contracts.

    Local Representative 

    We have nominated a data protection lead and will have a local representative assigned.

    Management Responsibility 

    Decision makers and key people at Alchemer have demonstrated support for data protection legislation and promotes a positive culture of data protection compliance across the business.

    Information risks and data protection impact assessments 

    Alchemer manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

    Data Protection by Design 

    Alchemer has implemented appropriate technical and organizational measures to show we have considered and integrated data protection into our processing activities.

    Training and awareness 

    Alchemer provides data protection awareness training for all staff.

    Data processing contracts 

    Alchemer only processes data on the documented instructions of a controller and there is a written contract outlining the respective responsibilities and liabilities of the controller and our business.

    The use of sub-processors 

    Alchemer has sought prior written authorization from the controller before engaging the services of a sub-processor, and there is a Data Processing Addendum (DPA) in place.

    Operational base 

    Alchemer operates inside and outside of the EU.

    Breach notification 

    Alchemer has effective processes to identify and report any personal data breaches to its controller.

    Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA

  • Product Features

    open close
  • Alchemer has hundreds of robust features built and refined with data privacy in mind. Here are some of our favorites to use for GDPR compliance:

    Feature availability depends on account license type. Check our Feature List for more details.

    Visit our Documentation library to learn about the specifics of each and every Alchemer feature.

    Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA

  • GDPR Rights

    open close
  • The right to be informed.

    Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.

    The right of access.

    Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

    The right to rectification.

    Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organizations have one calendar month to respond to a request.

    The right to erasure.

    Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

    The right to restrict processing.

    Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitting to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

    The right to data portability.

    Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

    The right to object.

    Individuals have the right to object to:

    • Data processing based on legitimate interested or the performance of a task in the public interest/exercise of official authority (including profiling);
    • Direct marketing (including profiling);
    • Data processing for purpose of scientific/historical research and statistics.

    Rights in relation to automated decision and profiling.

    This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.

    Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA

  • FAQ

    open close
  • What happens when I make a data rights request as a survey respondent?

    Alchemer will identify the Controller of your information (our customer) and will convey your request to them. As they own and control your data, they are responsible for taking requested actions.

    Why do you need my email address and the survey link when I make a request?

    The link is used to identify the customer who sent you the survey, and in turn, is responsible for ensuring your request is honored.

    What happens when I make a data rights request as a survey creator?

    We will make all reasonable attempts to comply with your request directly. However, please understand that some information may not “forgotten” as a Customer, due to our obligations to be able to contact you.

    What if I need additional information about my company’s GDPR compliance?

    It is recommended that you confer with counsel to ensure your specific requirements under GDPR and other international law are followed. Alchemer can only assist with meeting compliance requirements by providing controls to aid in meeting obligations.

    What does Alchemer do with the information I provide in a survey?

    Alchemer only provides the platform used by our customers to conduct surveys. The individual responses to surveys are the property of the survey creator. Alchemer does not interact with your data except where explicitly permitted by the customer.

    Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA

Request a Demo

By accessing and using this page, you agree to the Terms of Use . Your information will never be shared.