Privacy is important as it helps us limit unwarranted interference in our lives. As such, Heart+Mind Strategies is committed to protecting the privacy of all those with whom we interact.
Information We Collect
We are in the business of providing insights and consulting services to businesses, governments and other institutions such as associations and policy / advocacy groups.
As part of our efforts to provide insights and consulting services, we often conduct primary market research. In doing so, we collect information from respondents who have agreed to participate in the study and voluntarily disclosed information about themselves. Our legal basis for the collection and processing of respondent-supplied personal data is consent; we do not collect personal data without the affirmative and explicit consent of the research participant or respondent.
The vast majority of the time, individuals are not identified as having provided this information. Rather, insights are reported in aggregate without responses being associated with any specific individual. As responses are transferred into the data processing system, each response is assigned an ID number. This is considered a “Respondent ID” and only those numbers are seen on exported data. We also conduct online and in-person research discussions with individuals and groups. An individual’s responses, likeness/image and words are not shared without express permission from that individual.
In some cases, we are in possession of “personal data” or “personally identifiable information” (as defined under applicable law) from our clients, third party vendors, or partners for use in connection with our research efforts. In these cases, we might be given contact information so we can send an invitation to participate in the study. We might also obtain existing data, such as demographic, interest, or behavioral information from clients or vendors.
We might also collect information passively, such as from public postings and comments.
We also collect information from our clients and vendors, such as contact, business, and in some cases financial information about you in the course of administering our relationship with you or your employer. In those cases, our legal basis for the collection and processing of the information is our legitimate interest to perform our obligations under our contract with you or the company for which you work.
We may collect certain information regarding visitors to our website, including IP address, device and browser type, date and time of visit, name of the visitor’s internet service provider, state or country from which the website was accessed, web pages from which the visitor linked to the website, and behavior while on the website (e.g., which links were clicked or which pages were browsed). We may do so using cookies, which are small files placed on your internet browser when you visit our website, in order to offer you a more tailored experience in the future by, for example, understanding and remembering your particular browsing preferences. Occasionally, cookies, pixels, or web beacons may be placed on our website by service providers or partners; we do not permit personal data to be collected or accessed by these cookies, pixels, or web beacons. If you prefer not to receive cookies from our website, you can disable their use in your browser settings. By doing so, you may reduce the functionality of the web pages you view. Currently, our systems do not respond to browser do-not-track signals, and do not treat such do-not-track signals as “do not sell” signals under the CCPA (as defined below).
Lastly, when visiting certain pages of our website, you are provided the option to sign up for our newsletters, white papers, or mailing lists, and if you do, we collect the information you supply for use in the promotion of our own business to you. If you wish to be removed from our email lists, please email us at email@example.com or use the other contact information listed on our website.
What We Do With Collected Information
The information we collect as part of our marketing research efforts is used for research purposes only. Research participant information and answers are not used by any entity as an aid for sales. This information is shared with the client commissioning the study pursuant to our contract with that client, but not in a way to identify an individual (see description of Respondent ID above). In some cases, we may need to share personal data with third parties for ancillary services in support of a research project. In these cases, we contractually require the third party to follow all of the same privacy protection regulations as followed by Heart+Mind Strategies.
As to client data we collect, we do not use the information for any purpose other than to fulfill our obligations to clients. We keep client information secure at all times, and prevent its use and disclosure by our employees or any third parties.
We use information collected from our website and social media pages to improve and maintain our website. We also use the information to understand how and by whom our website is being used. The information provided to us remains confidential and will only be used by Heart+Mind Strategies for its own marketing activities.
We do not rent, sell or give personal data to any third party for the purpose of directly marketing any products or services, and have not done so in the preceding 12 months. However, you should be aware that certain laws to which we are subject, for example the California Consumer Privacy Act (the “CCPA”), define the terms “sell” and “sale” very broadly, such that some of our research-related activities—for example, the inclusion of a study participant’s photo or video in a market research deliverable for our client—might fall within the definition of “sale” under certain circumstances.
Under certain circumstances, we may be required to release personal data in response to a legal request from public authorities including to meet national security or law enforcement requirements, or in response to a subpoena or other legal process.
We do not discriminate financially between those who elect to supply their personal data to us and those who elect to not do so, provided, however, that to the extent a survey or other research study—the completion of which would result in the payment of a financial incentive or entry in a sweepstakes—involves the collection of data and you decline to consent to such collection, you would not be able to proceed to participate in the study, and (depending on the specific study) to the extent you are required to supply your contact information at the conclusion of a survey in order for us to fulfill the participation incentive and you decline to provide your contact information, you would not receive the participation incentive.
Under all circumstances, we will take reasonable steps to ensure your personal data is accurate, complete, current and relevant and being used only for the intended purposes. We will not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.
Personal Data Retention
We keep personal data for no longer than necessary for the purposes for which the personal data is collected or processed. The length of time for which we keep your personal data is determined by a number of criteria, including the purposes for which we are using the information, the amount and sensitivity of the information, the potential risk from any unauthorized use or disclosure of the information, and our legal and regulatory obligations. We are required by law to keep your personal data only for as long as is necessary for the purposes for which we are using it.
The Security of Your Personal Data
Unfortunately, we cannot guarantee the security of your data while it is transmitted to our website; however, once we have your information, we will use strict security and confidentiality measures to try to prevent any unauthorized access.
Your Personal Data Rights
Before data collection begins, we will typically inform you if we intend to use your data for marketing purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or not giving verbal consent. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
If you would like further information about these rights or would like to exercise any of them, including to opt out of the “sale” of your information as defined in the CCPA, please email us at: email@example.com.
By law, as well as for your protection, if you request that we take certain actions as to personal data we have about you, we are required to take certain steps to verify your identity. If we are not able to verify your identity, we may not be able to respond to your request. To verify your identity, we request, at the point of submission of your request, that you supply your basic contact information, as well as certain other non-personally identifiable information (e.g., information relating to your last interaction with us, such as the subject matter and type of study), and we endeavor to match at least two pieces of this information with information in our possession. In addition, as to those rights permitted by law to be exercised by an authorized agent on your behalf, in addition to verifying your identity as described above, we require the agent to also supply written authorization from you to act on your behalf, except where restricted by law.
Data Privacy Framework (DPF)
Heart+Mind Strategies is certified under, and complies with, the Data Privacy Framework (EU-U.S. DPF), including the UK and Swiss extensions, sponsored by the U.S. Department of Commerce’s International Trade Administration (ITA), regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom (UK) and Switzerland to the United States.
Where We Store Your Personal Data
The data that we collect from your visit is typically stored on servers located within the USA, but it may also be transferred to and stored outside the USA, in destinations such as Canada, Europe or Australia, for our international staff, resources, or vendors to work on or organize. If your data is handled outside the USA or the EU, we apply additional safeguards based on domestic standards, as well as honoring any additional requirements that individual client agreements may stipulate, to ensure adequate protections at all times.
Third Parties and Data Transfer Across Borders
We do not make your personal information available to anyone without your agreement unless it is for research purposes only, or if required by law. This includes your name and e-mail address.
We may share your personal data with third parties for research-related purposes, such as data processing and the fulfilment of incentives and prizes, both within and outside the USA depending on project requirements. Whenever that takes place, we always put additional safeguards in place to ensure that USA and EU data protection laws and security measures are extended to the environments in which third-party service providers operate. Furthermore, all our third-party associations are contractually obligated to protect confidential data at security standards and practices that are equivalent to our own.
Any personal data which may be collected in the Careers sections of our Websites will be used solely for purposes of the consideration of possible employment. This information will not be used in connection with research or other aspects of our operations.
Minors and Data Collection
We never knowingly invite children under the age of 16 years to participate in research studies without parental consent. If it is necessary and appropriate for a particular project to directly involve children under the age of 16 years, we take measures to ensure we have been given permission by the responsible adult in the manner required by law. We also do not “sell” (as defined in CCPA) personal information of persons under 16 without affirmative authorization. For more information on COPPA, please visit http://www.ftc.gov/ogc/coppa1.htm.
Modeling and Profiling
In certain circumstances we may utilize various analytical methods and technologies in profiling your data for making aggregate assessments. In general, this will not result in any legally significant decisions being made about you individually, but rather about you as a possible member of a particular demographic group, such as your gender, or the level of education or income you may report. You have the right to appeal if any automated decision made about you is legally significant. If you have any questions about this, please contact us.
Compliance and Enforcement
We also are certified under, and comply with, the Data Privacy Framework (EU-U.S. DPF), including the UK and Swiss extensions, sponsored and regulated by the U.S. Department of Commerce’s International Trade Administration (ITA). If you are concerned about our use of personal or client information, please contact us at firstname.lastname@example.org.
Heart+Mind has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US DPF Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Under limited circumstances, if your complaint is not resolved through these channels, a binding arbitration option may be available. If required or permitted by law, you may also make a complaint to the data protection authority in the EU country where we may have operations or where we process personal data that relates to offering goods or services to you in the EU.
Heart+Mind Strategies is in the process of obtaining ISO/IEC 27001 certification (expected certification date: November 2023). ISO 27001 is a holistic approach to information security: vetting people, policies, and technologies. An information security management system (ISMS) implemented in compliance with this international standard adheres to proactive risk management; confidentiality, integrity, security, and availability of information; access controls; cyber-resilience; operational excellence; and prompt communications.
Links to Other Websites
Our website may contain links to and from other websites. If you utilize any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies or practices. Please do your own due diligence before you submit any personal data to these websites.
Last update: October 23, 2023