Privacy Policy

Note on client model and project data. When we process personal data on behalf of our customers in connection with the provision of our services (for example, datasets, survey responses or research files that you provide us for analytical modelling or consulting), we act as a data processor and the processing is governed by the Data Processing Agreement that we concluded together, not by this Privacy Policy.

Note on processing from other group members. Scanmar B.V. is part of ScanmarQED group, consisting of companies marketingQED Limited, based in London, UK, marketingQED Incorporated, based in Illinois, US, and Roivenue s.r.o., based in Prague, CZ. You may have entered into a contractual relationship with one of these entities for PulseQED services that are being provided on the Platform. Depending on how you obtained access to the Platform, the data controller may differ. Where you contract directly with us, we are the controller as described in this Policy. Where you contract with another ScanmarQED group company — marketingQED Limited (UK), marketingQED Incorporated (US) or Roivenue s.r.o. (CZ) — that company is the controller of your personal data for those services, we act as its processor and provider of the Platform on its behalf under intra-group data processing arrangements. In that case this Policy applies mutatis mutandis on that company's behalf, and you may contact that controller and, where it is established in the UK, lodge a complaint with the UK Information Commissioner's Office (ICO).

Below are the categories of personal data, including examples that we process for the purposes set out in the following section. We refer to these categories in other parts of this Privacy Policy.

• Identification data. Name and surname (and, where relevant, job title), so we can identify you while concluding or fulfilling a contract with you or the entity you represent, or while you are using Platform.
• Contact details. Business e-mail address, business telephone number, and the company you represent, so we can make Platform available to you and communicate with you.
• Account and login data. Username, hashed password, multi-factor authentication factors, single sign-on identifiers, role and permission attributes within Platform, API tokens, and the timestamp of your last login.
• Payment and billing details. Client entity details, billing contact, purchase order references and invoice records, processed to manage and account for your subscription.
• Records of our mutual communication. Any personal data contained in e-mails, support tickets, in-app chat, calls and meeting notes that you exchange with us, including any attachments.
• Information about Platform usage and telemetry. Pages and features used, session timestamps, configuration changes, data-connector activity, IP address, device type, operating system and browser, and security and audit logs that record actions performed within the Platform. We use this data to operate Platform, monitor and improve performance, ensure security and integrity, and detect and prevent abuse.
• Information about Website usage. When you visit www.pulseqed.ai we automatically receive your IP address and information your browser sends, such as the pages you visit, time spent, referring URL, and operating system and browser version.
• Information from cookies and other tracking technologies. If you have enabled the storage of cookies in your browser, they send us additional information, for example about the pages you visit and your preferences. For more information on the use of cookies and similar technologies, please see Section D “Cookies and other digital identifiers” below.
  

B. PURPOSES OF PROCESSING

B.1. For our Clients and Platform users. If you are our Client or you use the Platform under a contract concluded between us and the entity you represent, your personal data, and where applicable personal data of your employees or contractors, will be processed for the following purposes:

• Provision of the Platform and performance of our contract. We process your personal data to make Platform available to you, manage your account, authenticate you, deliver the analytical, modelling, forecasting, reporting and advisory outputs agreed under the contract, and provide Client support. For this purpose, we process Identification data, Contact details, Account and login data, Records of our mutual communication and Information about Platform usage and telemetry. The legal basis is the performance of a contract or our legitimate interest in administering the contractual relationship with the entity you represent.
• Billing, accounting and protection of our rights and claims. We process your personal data to invoice you, collect payment, keep statutory accounting records, and to establish, exercise or defend legal claims (in judicial, extrajudicial, enforcement or similar proceedings). For this purpose, we process Identification data, Contact details, Payment and billing details and Records of our mutual communication. The legal basis is compliance with our legal obligations under Dutch accounting and tax law and our legitimate interest.
• Security, integrity and abuse prevention. We process Account and login data and Information about Platform usage and telemetry to monitor and protect the Platform, detect and prevent fraud, unauthorised access and other security incidents, and to investigate and respond to incidents. The legal basis is our legitimate interest in operating a secure service and, where applicable, compliance with our legal obligations.
• Improvement of the Platform. We process Information about Platform usage and telemetry on an aggregated and pseudonymised basis to understand how Platform is used, fix issues and improve features. The legal basis is our legitimate interest. This processing does not constitute automated decision-making producing legal effects on you.
• Compliance with legal obligations. We process personal data to comply with legal obligations imposed on us, including tax, accounting, anti-money-laundering, sanctions screening and similar requirements under Dutch and EU law. The legal basis is compliance with our legal obligations.
• Marketing communication and promotion of our services. We may send our newsletter and other marketing communication or process your personal data to promote our services. For this purpose, we mainly process Identification data and Contact details. If you are our Client, we are entitled to offer you similar services to those already provided based on our legitimate interest. Otherwise, we will only send you marketing communication based on your consent. You can withdraw your consent or object to this processing at any time, including via the unsubscribe link in any marketing message or by writing to privacy@scanmarqed.com. Withdrawal of consent does not affect the lawfulness of processing prior to such withdrawal.

B.2. For Website visitors. If you visit www.pulseqed.ai or subsequent subdomains, your personal data will be processed for the following purposes:

• Operation and security of the Website. We process Information about Website usage and strictly necessary cookies to operate the Website, deliver the content you request, and ensure its security and integrity. The legal basis is our legitimate interest. We generally retain this data for up to 24 months after your visit.

• Analytics and measurement. Subject to your consent given through the cookie consent banner, we use cookies and similar technologies to understand how visitors use the Website (for example, which pages are most viewed and how visitors navigate between them) so we can improve and optimise it. We retain this data for the duration of your consent and in any case no longer than 24 months. The legal basis is your consent.

• Marketing and promotion on the Website. Subject to your consent given through the cookie consent banner, we and our advertising partners use cookies and similar technologies to show you relevant content and advertising on the Website and on third-party plaftorms, and to measure the effectiveness of our marketing. The legal basis is your consent. You can withdraw your consent at any time via the cookie preferences link on the Website.

C. SOURCES OF PERSONAL DATA

We process the personal data that you (or the entity you represent) provide to us when concluding a contract, when registering on the Platform, when contacting us, and when visiting the Website.

We may also collect personal data automatically when you use Platform or visit the Website (such as Account and login data, Information about Platform usage and telemetry, Information about Website usage and Information from cookies and other tracking technologies). We may derive other data from the data set out above.

We may also receive personal data from our partners, including resellers, identity providers (where you authenticate via single sign-on) and integration partners (including advertising, web-analytics and CRM) that pass data to us based on your or your organisation’s instructions.

D. COOKIES AND OTHER DIGITAL IDENTIFIERS

Each time you visit the Website, we may store cookies – small files containing information about your visit – on your device and read them on subsequent visits. We use both session cookies (deleted after your visit) and persistent cookies that remain on your device for a set period, but no longer than 24 months. In addition to cookies, we may use other similar technologies, such as web beacons and pixel tags, that have a similar function to cookies.

We use four categories of cookies and similar technologies on the Website:

1. strictly necessary, required for the Website and Platform to function and to keep it secure,
2. preferences that remember your settings, such as language,
3. analytics that help us understand how the Website and Platform is being used, and
4. marketing used by us and our partners to deliver and measure relevant advertising.

All categories other than strictly necessary cookies are activated only with your consent given through the cookie consent banner. You can withdraw or change your consent at any time using the cookie preferences link on the Website and Platform.

Where cookies cause your data to be transferred to processors or third parties, those recipients are listed in Section E and, where applicable, in the cookie consent banner.

E. PROCESSORS AND OTHER PERSONAL DATA RECIPIENTS

The processing of your personal data involves processors who always act on our documented instructions and for the purposes set out in this Privacy Policy. The current categories of processors involved in the operation of the Website and the Platform include:

• Other companies within the ScanmarQED group that either provide shared services (such as IT, security, finance and Client support) on our behalf or are your contracting party when you are using our Platform;
• Cloud infrastructure and data hosting providers;
• Identity, authentication and single sign-on providers;
• Product analytics, error monitoring and observability providers used in connection with the Platform;
• Website analytics, marketing-automation and advertising providers (only where you have given consent through the cookie banner);
• Client-relationship-management, support and communication tools used to manage our interactions with you;
• Professional advisers, including auditors and legal counsel, where necessary.
  

F. INTERNATIONAL TRANSFERS OF PERSONAL DATA

We seek to keep personal data within the European Economic Area (“EEA”). However, some companies in the ScanmarQED group that support the Platform are located outside the EEA, in particular in the United Kingdom and the United States. Transfers to the United Kingdom rely on the European Commission’s adequacy decision for the United Kingdom; transfers to the United States rely on the EU-U.S. Data Privacy Framework where the recipient is certified, or otherwise on the Standard Contractual Clauses. You may request a copy of the relevant safeguards by writing to privacy@scanmarqed.com.

Where we need to use processors different from other group members that store or process personal data outside the EEA, we ensure that an appropriate safeguard is in place, in particular:

• an adequacy decision adopted by the European Commission, or
• the Standard Contractual Clauses adopted by the European Commission, supplemented by additional technical and organisational measures where necessary, available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

G. MEASURES FOR DATA PROTECTION

Protecting your data is our priority. For this reason, we have adopted, maintain and continuously improve technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage or disclosure. We are also ISO 27001:2022 certified.

These measures include role-based access controls and the principle of least privilege; encryption of data in transit and at rest; multi-factor authentication for administrative access; centralised logging and monitoring; vulnerability management, secure development practices and regular penetration testing; vendor and sub-processor risk assessment; documented incident-response and business-continuity procedures; and confidentiality obligations imposed on all personnel and processors with access to personal data.

H. RETENTION OF PERSONAL DATA

We retain personal data only for as long as necessary for the purposes for which it was collected, and in particular:

• Client relationship and Platform use: for the duration of the contractual relationship with the entity you represent and for the duration of the applicable statutory limitation period thereafter (typically up to seven (7) years after termination of the contract under the Dutch law, or longer where required by other applicable law).
• Accounting and tax records: for the period required by Dutch accounting and tax law (currently seven (7) years).
• Marketing communication: for the duration of the Client relationship and up to two (2) years thereafter, or until you withdraw your consent or object to the processing, whichever is earlier.
• Website analytics and marketing cookies: for the duration of your consent, and in any case no longer than twenty-four (24) months.
• Security and audit logs: for as long as necessary to ensure the security and integrity of the Platform, typically not longer than twelve (12) months, unless a longer period is required to investigate an incident or comply with a legal obligation.

I. YOUR RIGHTS RELATED TO PROCESSED PERSONAL DATA

You have the following rights under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) in relation to the processing of your personal data, which you can exercise by contacting us at privacy@scanmarqed.com. We will respond as soon as possible and, in any event, within one (1) month of receipt of your request. In exceptional cases, we may extend this period by a further two (2) months and will inform you of any such extension.

• Right of access. You have the right to obtain confirmation as to whether we are processing your personal data and, where we are, access to that data and to information about the purposes and scope of the processing, the recipients of the data, the duration of the processing, your rights, the right to lodge a complaint with a supervisory authority and the sources of the personal data. You can also ask us for a copy of the personal data we process; the first copy is free of charge; further copies may be subject to a reasonable fee.
• Right to rectification. You have the right to request that we correct inaccurate personal data concerning you and, where relevant, complete incomplete personal data.
• Right to erasure (“right to be forgotten”). You have the right to request the erasure of your personal data where one of the grounds set out in Article 17 GDPR applies. This right does not apply where processing is necessary for compliance with a legal obligation to which we are subject, or for the establishment, exercise or defense of legal claims.
• Right to restriction of processing. You have the right to request that we restrict the processing of your personal data in the cases set out in Article 18 GDPR.
• Right to data portability. You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where the processing is based on your consent or on a contract and is carried out by automated means.
• Right to object. You have the right to object, on grounds relating to your situation, to processing of your personal data based on our legitimate interest. You also have the right to object at any time to processing for direct-marketing purposes; we will stop such processing on receipt of your objection.
• Right to withdraw consent. Where processing is based on your consent, you can withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to such withdrawal.
• Right not to be subject to automated decision-making. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. We do not carry out such processing in the operation of the Website or the Platform.
• Right to lodge a complaint. In addition to exercising your rights with us, you have the right to lodge a complaint with a supervisory authority, in the Member State of your habitual residence, place of work or the alleged infringement. For the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Hoge Nieuwstraat 8, 2514 EL The Hague, Netherlands (https://autoriteitpersoonsgegevens.nl).