Privacy Statement

Updated January 10, 2020

This privacy statement explains how Delighted (“Delighted”, “we”, “us”, “our”) handles personal data collected by us as a data controller during the normal course of business (sales, marketing, and support) (“Personal Data”), as well as how Delighted as a data processor handles all information input into the Delighted software or generated on behalf of Customers in connection with the services (“Customer Data”). Delighted complies with the EU-U.S. Privacy Shield framework and the Swiss Privacy Shield framework. It retains the American Arbitration Association/International Centre for Dispute Resolution (AAA/ICDR) for disputes. For specific information about GDPR, please visit https://delighted.com/gdpr.

1. DELIGHTED SOFTWARE AND SERVICES

Delighted creates experience management software for corporations, research companies, government agencies, universities, and other organizations. The software is accessed using a modern browser via the Internet. Delighted products are self-service; Customers determine and are solely responsible for what and how Customer Data is collected. Customer Data may include data collected from respondents (“Respondents”).

Customer Data may be collected in numerous ways, including via email, a web link, or mobile app.

Delighted acts as a data processor with respect to Customer Data and processes this data as instructed by Customers, who are the data controllers.

2. DATA COLLECTED DURING NORMAL BUSINESS TRANSACTIONS (UNRELATED TO THE SOFTWARE)

In the normal course of business, Delighted collects Personal Data such as contact information (e.g. name, address, phone number, e-mail address, and employer) and payment details for Customers. We may also collect browsing data from individuals who visit the Delighted website. In these circumstances, Delighted acts as a data controller. Delighted also acts as a data controller with respect to client relationship management data. This is data that Delighted needs in order to provide services to Customers, including performing contractual obligations, engaging in marketing activities, and providing support services (e.g. processing and responding to Customer inquiries and requests).

We process Personal Data in order to fulfil contractual obligations, based on the individual’s consent, or in accordance with our legitimate business interests in improving our services, software and website experiences for users. Where processing is based on consent, an individual may withdraw consent at any time by contacting us. Instructions for contacting us are provided below in Sections 4 and 5.

We retain Personal Data only for as long as necessary to fulfil the purposes of its collection, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of such personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For the https://delighted.com/ site, Delighted collects and analyzes aggregate visitor information, including the domain name, visited surveys, referring URLs, and other publicly available information. We use this information to improve our website and services and to customize the content of our pages for each website visitor.

Cookies may be used to deliver customized content to website visitors. Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies. A cookie is a small file that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

We use the following cookies:

  • Required Cookies. These cookies are required to enable core site functionality.
  • Functional Cookies. These cookies allow us to analyse site usage so we can measure and improve performance.
  • Targeting cookies. These cookies are used by advertising companies to serve ads that are relevant to your interests.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

In most cases Delighted collects Personal Data from you directly. Delighted may also obtain Personal Data from other Affiliated Companies within SAP’s Group of undertakings or from third parties, if the applicable national law allows Delighted to do so. Delighted will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided Delighted with it or the applicable national law. These third-party sources include Delighted business dealings with your employer and/or third parties you directed to share your Personal Data with Delighted.

Delighted may transfer your Personal Data to other Affiliated Companies within SAP’s Group of undertakings for the purpose to inform you about their latest products, service offers and events in the same way Delighted does under this Privacy Statements. In such cases, the SAP Groups will use the Personal Data for the same purposes and under the same conditions as set forth in this Privacy Statement.

As part of a global group of companies, Delighted has affiliates and third-party service providers within as well as outside of the European Economic Area (the “EEA”). As a consequence, whenever Delighted is using or otherwise processing your Personal Data for the purposes set out in this Privacy Statement, Delighted may transfer your Personal Data to countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA.

We maintain a database of user information which is used for internal purposes such as technical support, marketing-related activities, and to notify Customers of changes or enhancements to the services. Delighted uses secure services for online credit card payment transactions and does not record or store credit card information on its site or servers. Delighted may share Personal Data with third parties and shall remain responsible for such transfers.

Delighted does not sell Personal Data.

Your personal data may be passed on to third parties including companies within the SAP group; vicarious agents or service providers for purposes of processing and providing services to Delighted; and/or state agencies and bodies, e.g., based on entry requirements or police activities and investigations.

3. DATA COLLECTED BY CUSTOMERS

Customers own, and are data controllers of, Customer Data. Depending on how the Customer chooses to use the software, Customer Data may include personal data or personal information. Customers manage all Customer Data, as well as the users who create, manage, distribute, or report the Customer Data. To the extent that Delighted processes Customer Data, Delighted does so as a data processor on behalf of Customers.

Delighted processes Customer Data on behalf of Customers in a manner consistent with this Privacy Statement. Each Customer, in its capacity as a data controller, may process Customer Data in other ways. Respondents should check the Customer’s own privacy statement to learn how the Customer intends to process Respondent-specific data that may be included in Customer Data. If a Respondent submits queries to Delighted or otherwise seeks to exercise rights under applicable data protection legislation, Delighted will forward these requests to the relevant Customer, as can be reasonably determined, in accordance with our contractual arrangements.

Delighted treats all Customer Data as highly confidential. All Customer Data is safeguarded using industry-best security practices to prevent unlawful disclosure. Delighted does not sell or make available Customer Data except as requested by a valid court order, search warrant, subpoena, or otherwise as agreed by the parties or required by law.

Delighted processes Customer Data for the purpose of providing the software and services to Customers in accordance with the agreement with the Customer.

Delighted shall remain responsible for any transfers of Customer Data to third parties.

Delighted enables Customers to comply with various privacy-related regulations and laws. Features within the products may be used to modify and delete data, create anonymous surveys, and more. For details, please visit https://delighted.com/gdpr.

4. COMPLAINTS AND INQUIRIES

Delighted is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and individuals may contact the FTC regarding services provided by Delighted.

Individuals may also complain to a relevant supervisory authority. The contact details for the Irish Data Protection Commission are as follows:


If a Respondent wishes to make a complaint or inquiry about personal data or personal information that may have been collected by a Customer using Delighted, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Delighted Support.

Inquiries regarding this Privacy Statement may be sent to Delighted Support by emailing privacy@delighted.com.

Independent Recourse Mechanism: Any disputes are handled by the International Centre for Dispute Resolution (details below). Inquiries are free of charge.

5. DATA SUBJECT RIGHTS

In certain circumstances, individuals may have the following rights under data protection law in relation to personal data:

  • A right to access personal data that Delighted collects, uses, discloses, or sells (if applicable) about you
  • Rectification of inaccurate personal data
  • Erasure of personal data
  • Restriction of processing of personal data
  • Right to data portability
  • Right to object to processing of personal data
  • Right to withdraw consent to processing of personal data
  • Right to out-out of the sale of Personal Data, if applicable
  • Right to non-discriminatory treatment for exercise of data protection rights

If a Respondent wishes to exercise rights in relation to personal data or personal information that may have been collected by a Customer via Delighted, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Delighted Support.

If you wish to exercise rights in relation to Personal Data for which Delighted acts a data controller, you should contact privacy@delighted.com. If you are located in the State of California, you may also call toll-free using the numbers provided here. Please note, however, that Delighted can or will delete your Personal Data only if there is no statutory obligation or prevailing right of Delighted to retain it. Note further that if you request that Delighted deletes your Personal Data, you will not be able to continue to use any Delighted service that requires Delighted’ use of your Personal Data.

Delighted will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection rights you want to exercise. When feasible, Delighted will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by Delighted. This could include matching two or more data points you provide when you submit your request with two or more data points that are already maintained by us.

In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), Delighted will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If Delighted must request additional information from you outside of information that is already maintained by Delighted, Delighted will only use it for the purposes of verifying your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.

Delighted will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.

6. INFORMATION RELATED TO PRIVACY SHIELD

For details about the Privacy Shield program: https://www.privacyshield.gov/

Delighted complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU), the United Kingdom, and Switzerland to the United States, respectively, including the onward transfer liability provisions. Delighted has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

The key goals of Privacy Shield are to inform both EU and Swiss individuals about:

  • the right of individuals to access their personal data
  • the choices and means an organization offers individuals for limiting the use and disclosure of their personal data
  • the requirement for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements

Delighted’ Privacy Shield self-certification does not cover human resources data.

Privacy Shield may provide individuals the right to (i) access the data that we hold about them, (ii) request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield, or (iii) limit the use and disclosure of their personal information. In compliance with the Privacy Shield Principles, Delighted commits to resolve complaints about our collection or use of personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Delighted at: privacy@delighted.com.

Delighted has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If an individual does not receive timely acknowledgment of its complaint from us, or if we have not addressed an individual’s complaint satisfactorily, such individual should contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost.

Customer Data is stored in a specific geographical region chosen by the Customer. Where it is necessary to transfer personal data from the European Economic Area to the United States, it is solely for the purpose of processing as per instructions from the controller or to comply with applicable laws.

Delighted implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.

Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.

Delighted self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Delighted is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.

Under Privacy Shield, an individual has the right, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Delighted must respond to individual complaints within 45 days. For additional information, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Delighted’s Independent Dispute Resolution (IDR) Provider is:

American Arbitration Association<
International Centre for Dispute Resolution
New York City, New York, USA

http://go.adr.org/privacyshield.html