Discuss Privacy Statement

Introduction

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you.

This Privacy Statement covers the information we collect about you when you use our platform, services, websites, and tools, or otherwise interact with us, unless a different policy is displayed. Discuss, we, our, and us refer to Discuss.io, Inc. We offer services to support the use of the Discuss platform for consumer insights. We refer to the Discuss platform, our services, websites, and tools collectively as "Services" in this document. Where we provide the Services under contract with a researcher or an organization (for example, your employer or the commissioning customer), that organization or researcher controls and determines the processing of any personal data for research activities hosted on the account, for which Discuss.io acts as a processor.

Other users of our Services like moderators, translators, and observers, may provide personal data that Discuss.io processes as a controller. For participants in research activities hosted on the platform, the organization or researcher contracting with Discuss.io controls and determines the processing of any personal data.

This Privacy Statement applies to the information and data collected by Discuss.io when you access and make use of Discuss’ Services as a customer, participant, website visitor or other type of invited user.

Our role in handling your information

Discuss may act as a Controller or Processor of personal data we collect, depending on the specific context. Our approach aligns with EU GDPR guidance on controller/processor roles.

Controller (we determine the purposes and means of processing):

When interacting directly with customers, website visitors, vendors, partners through our website, sales, marketing, etc. We control data processing in these scenarios.
When Discuss initiates a market research study that collects personal data directly from individuals. We determine the purposes and means of processing.
For Discuss’ own recruiting, human resources, accounting, operations and other internal processes. We control data processing for our own business functions.

Processor (we process data on behalf of customers per their instructions):

When contracted by a researcher/organization to collect personal data from individuals using the researcher’s sample and sources. The researcher determines purposes and means as the controller.
When providing Services that allow contracted researchers/organizations to collect personal data directly from individuals. The researcher determines purposes and means as the controller.
When conducting market research activities as contracted by researchers/organizations using their own sample sources. The contracted researcher/organization determines the purposes and means as the controller.
When storing, organizing or analyzing personal data from contracted research activities per the researcher’s instructions.
When transferring personal data or recordings to contracted researchers/organizations after research activities.

What information we collect about you

We process or collect information to provide, build, protect, improve, and promote our Services. Here are the categories of information we collect or process:

Account Information: When you sign up for an account, we collect your name, email address, password, and other details you provide.
Billing and Payment Information: For paying customers, we collect billing address, payment method, and transaction history.
Log data and device information, which includes internet protocol (IP) address, browser type and version, internet speed, time zone setting and location, and operating system and platform.
Sales and Support Data: Information you provide when interacting with our sales and support teams.
User Content or Interview Data: Quote form details, documents, video and audio recordings, discussion guides, screeners, survey responses, meeting room data, clips, labels, transcripts, reports, or other content you upload/transmit via our Services or that is generated as part of a contracted research project. This includes any derivatives from that data.
Usage Data: We collect details on how you and your devices interact with our Services, including service selections, clicks, pages visited, analytics, entry/exit pages, and usage metrics.
Research Participant Data: From research participants ("panelists", "respondents", or "participants"), we may collect contact details, demographic info, survey responses, and interview-derived data, like video and/or audio recordings, only after explicit consent has been provided.
Human Resources and Recruitment Data: For employees, contractors, and job applicants, we collect personal and professional data including:
- Identification and contact details (e.g., name, email, phone number, address, date of birth, emergency contacts)
- Employment and contractual information (e.g., job title, department, manager, work location, compensation, benefits, contract terms)
- Application and recruitment data (e.g., resume/CV, cover letter, references, interview notes, eligibility to work)
- HR and performance records (e.g., attendance, evaluations, training records, disciplinary history)
- Payroll and tax information (e.g., bank account details, salary data, tax ID, withholdings)
Cookie information and other identifiers to enable our systems to recognize your browser or device and provide, protect, and improve our products. For more information, see our Cookie Policy.
Third-party information, such as data about organizations, industries, lists of companies that are customers, website visitors, marketing campaigns, and other matters related to our business from affiliates and subsidiaries, our partners, or others that we use to make our information better or more useful.
Other Information: You may choose to submit additional personal information through surveys or registration forms, like when opting in to be part of one of our beta programs.

Discuss does not request the disclosure of special categories of personal data or sensitive data unless otherwise instructed by you and only after getting your explicit consent to do so. This may include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health information, and information about an individual's sex life or sexual orientation.

How we use information we collect

We use your personal data for specified, explicit and legitimate purposes, including:

To deliver our Services in connection with the projects, research, and transactions you initiate.
To provide customer support, technical assistance, and account-related services.
To verify your identity and help secure your account when accessing our platform.
To invite you to participate in surveys, interviews, focus groups, and other market research activities.
To send insights, updates, and relevant information about market research, our Services, and industry trends via email, newsletters, or events.
To personalize your experience with targeted content, recommendations, and features based on your activity.
To analyze usage patterns and performance data to improve and optimize our platform and offerings.
To monitor and protect our systems, infrastructure, and confidential data through cybersecurity measures.
To detect, investigate, and prevent fraud, misuse, or other unauthorized activities.
To comply with applicable legal obligations, regulatory requirements, and contractual commitments.
To aggregate or de-identify data for analytics, reporting, and other legitimate business purposes.
To retain personal data as long as your account remains active or longer where legally required.

We use automated and manual processing techniques when using information for these purposes. Our automated methods include artificial intelligence (AI), which is a set of technologies that allow computers to perform tasks that would typically require human knowledge and intelligence. Our manual methods frequently work in conjunction with, and support, our automated methods, and all of our data handling is subject to the security practices described here.

How we disclose information we collect

Discuss enables anyone on your team to consistently facilitate great feedback sessions, saving key moments and turning consumer conversations into actionable insights. We want to make our platform easy, collaborative, and accessible. This means disclosing information through the Services and to certain third parties.

Please note that information about you, your devices, and your behavior collected through third-party cookies, pixels, tags, or other tracking technologies for purposes of cross-context behavioral advertising may be considered a “sale” or “share” under certain US state laws. However, Discuss is not a data broker, and we do not sell personal information for monetary consideration.

Disclosing to other Service users

When you use the Services, we disclose certain information about you to other users:

For collaboration: You may share content containing information about you based on account permissions. For example, when you use the "Save Moment" feature, we display your name next to the saved moment so other users understand who saved it. Please use sharing features responsibly according to this Statement, your agreements, and internal policies.
Managed accounts: If you register with your employer's domain, your name, contact information, content, and past account use may become accessible to their administrators and other users with that domain.
Administrators: If you're an administrator, we may disclose your contact information to facilitate platform-related requests from users.

Disclosing to third parties

We only share it with certain trusted third parties as described below to operate, provide, analyze, customize, secure, and promote our Services:

Service Providers: We use companies like Amazon Web Services to provide, protect, promote, and improve our products. These providers are bound by strict contracts to only use your data as we instruct. You can find the full list of subprocessors in our Trust Center.
Legal/Regulatory Entities: We may share data with law enforcement, government agencies, or regulators if reasonably necessary to comply with laws, legal processes, or legitimate governmental requests.
Business Transactions: In the event of a merger, acquisition, bankruptcy, or other corporate transaction, your data may be transferred to the acquiring organization.
Organization Administrators: If you created an account with your employer's email domain, we may share your email with their administrators to coordinate access.
Other Users: If you participate in collaborative research activities, we may share your personal data with other authorized users per the account owner's contractual agreement.
Your Consent: We may share your data with any third parties when you give explicit consent for us to do so.

Data security and retention

As described in more detail on our Trust Center, we use a combination of technical, physical, and logical safeguards to secure your data. These safeguards include encryption of data in transit and at rest, access controls to restrict unauthorized personnel, secure network configuration and network security monitoring including intrusion detection/prevention, data transfer restrictions, staff security training and confidentiality agreements, regular third-party audits and penetration testing, and several other measures.

We retain personal data only as long as needed to fulfill the purposes outlined in this policy, unless a longer period is required by law. Some retention considerations include:

Duration of your account and use of our Services
Applicable statutes of limitations
Contractual obligations with customers
Legal holds required for litigation or investigations

When we no longer require your personal data, we securely delete or anonymize it. We regularly review our data inventories to only keep information still needed for business purposes.

Exercising your data rights

You have a number of ways to interact with the personal information that Discuss processes, including requesting a record of your information, updating or correcting it, and deleting it.

Request a Personal Data Report: You can submit an access request for your data by submitting a support ticket through this link.
Correct or Update Your Data: You can update your name, email address, and language preference through your Discuss account settings. If you have problems updating this information, please submit a support ticket.
Stop Us from Processing Your Personal Information: You can ask us to stop using your personal information for marketing emails by clicking “unsubscribe” on the emails you receive. In order to stop all processing of your personal information, you can request for your account to be deleted.
Delete Your Data: You can remove your personal information from Discuss by deleting your account. If your account is managed by your employer or organization, please contact your organization administrator to request deletion or opt-out of your account. For enterprise accounts, your employer controls the account and associated personal data.
Move Your Data out of Discuss: You can download the interview data you’ve stored in your Discuss account by following the steps here.
Lodge a Complaint: If you’re based in the EEA, Switzerland, or the UK and think that we haven’t complied with data protection laws, you have a right to lodge a complaint with your local supervisory authority.

We will respond to all requests within 30 days unless an extension is required by law. We may need to verify your identity before fulfilling requests.

International transfers of data

We collect information globally and primarily store that information in the United States. We may transfer, process, and store your information outside of your country of residence, to wherever we, Discuss, or our third-party service providers operate for the purpose of providing you the Services. Any such transfer of your personal data will be carried out in compliance with the applicable laws.

For purposes of complying with data privacy laws throughout the EEA, Switzerland, and the UK, where we transfer personal data to an entity outside of these areas in a jurisdiction which has not received an ‘adequacy decision’ or similar from the relevant regulatory body, we ensure such transfers are subject to an adequate transfer mechanism as described by the relevant data privacy law.

As described in our Data Privacy Framework certification, we comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively. Discuss.io, Inc. has certified that it adheres to the DPF Principles. Discuss remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “How we disclose information we collect” section of this Privacy Statement. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Discuss.io commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Discuss.io Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to ICDR-AAA, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA® DPF IRM Service are provided at no cost to you.

If you have an inquiry regarding our privacy practices in relation to our DPF certification, we encourage you to contact us. Discuss is subject to the investigatory and enforcement powers of the US Federal Trade Commission. You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles.

Additional information for users in specific regions

EU, UK and Swiss Users

The information in this section is specific to our European, Swiss, and UK users.

If you would like to reach Discuss’ Data Protection Officer (as defined under the GDPR) you can contact dpo@discuss.io.

Data Transfers

Information submitted to Discuss will be transferred to, processed, and stored in the United States and around the world. If you post or transfer any information to or through our Services, then that information will be hosted and accessed in the United States and around the world. Please note that the privacy laws of the United States may be different from those in the place where you are a resident.

Legal Basis for Processing

Performance of a Contract: when we provide you with our Services or communicate with you about them. This includes when we use your personal information to take and handle projects, set up sessions, and process payments.
Our Legitimate Business Interests: and the interests of our customers when we detect and prevent fraud and abuse in order to protect the security of our customers, ourselves, or others, when we improve our products, and when we promote our paid products to you.
Your Consent: when we ask for your consent to process your personal information for a specific purpose that we communicate to you. When you consent to our processing your personal information for a specified purpose, you may withdraw your consent at any time, and we will stop processing your data for that purpose.
Compliance with a Legal Obligation: when we use your personal information to comply with laws. For instance, we collect place of establishment and bank account information for identity verification purposes.

Users in California, Nevada, and Brazil

This information supplements the information in this Privacy Statement and applies to California, Nevada, and Brazil residents.

Rights

You may request that we:

Provide access to and a copy of certain information we hold about you.
Provide you with a summary of the categories of personal information we have collected or disclosed about you in the last twelve months; the categories of sources of such information; the business or commercial purpose for collecting or selling such information; and the categories of third parties with whom we shared such information.
Delete your personal data
Non-discrimination for exercising your privacy rights

To make privacy requests under CCPA or other Applicable State Privacy Laws, please submit a help desk request here.

Definitions

In this Privacy Statement, the term “personal data” includes:

Under the laws of the United States, personal data shall include any “non-public personal information” as that term is defined in the Gramm-Leach-Bliley Act found at 15 USC Subchapter 1 §6809(4), and “protected health information” as defined in the Health Insurance Portability and Accountability Act found at 45 CFR §160.103.
Under the laws of the countries in the European Economic Area ("EEA"), personal data shall have the meaning given to it in the General Data Protection Regulation (“GDPR”).
Under the laws of Australia, personal data shall include information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.
Under the laws of California, personal data shall include any “personal information” as that term is defined in the California Consumer Privacy Act (“CCPA”) §1798.140(o).

"Applicable State Privacy Laws" means, as applicable: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.

For Applicable State Privacy Laws, the terms “business”, “consumer”, “controller”, “personal data”, “personal information”, “process”, “processing”, “sale(s)”, and “sell”, as used in this Privacy Statement have the meanings given in the Applicable State Privacy Laws

“Deidentified Data” means data information that is “deidentified” (as that term is defined by the CCPA) and “de-identified data” (as defined by other Applicable State Privacy Laws), when disclosed by one party to the other.

"CCPA" means California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.

“Data controller” means the party that determines the purposes or means of the processing of the personal data.

“Data processor” means the party that processes the personal data on behalf of the data controller.

“Personal information” generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.