California Residents

1.       Controller of the Persona Data:

InCrowd, Inc
480 Pleasant Street, Suite B100
Watertown, MA 02472

InCrowd Data Protection Contact & DPO:  privacy@incrowdnow.com

1.       SCOPE

This Notice applies to the processing of Personal Information that InCrowd transfers to and stores in the United States.

We’re committed to helping you understand how we manage and protect the information we collect. We take privacy seriously and have taken many steps to help safeguard the information we collect from you.

2.       PERSONAL DATA THAT WE COLLECT

1. InCrowd provides research solutions to its Clients, which are predominantly business customers, and individuals that may purchase products or participate to market research activities.
2. General Data: InCrowd collects Personal Information of healthcare professionals that register with our community of healthcare professionals (Crowd).
3. Communication Data: We may process information contained in or relating to any communication that you send to us or that we send to you. The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.
4. Usage data: We may process data about your use of our website and services. The usage data may include your IP address, geographical location, browser type, version and language, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. We may also collect and process data on the websites you visited before our sites that may be logged automatically if you are redirected to our site from our advertising campaigns. The source of the usage data is our analytics tracking system, marketing automation platform or other marketing technologies.
5. Market Research data: we might also collect Personal Information and anonymized and/or pseudonymized data produced by individuals’ participation in market research activities.
6. Information collected: The Personal Information that we collect may vary based on your interaction with InCrowd. As a general matter, InCrowd collects the following types of Personal Information:

Data collected from individuals in accordance with CPRA:

3.       PURPOSES OF DATA PROCESSING

InCrowd processes Personal Information that it collects directly from individuals registered with the Healthcare Community and indirectly in its role as a service provider for the following business purposes:

1. Operations: maintaining and supporting our products as well as delivering and providing the requested products/services;
2. Contractual; complying with contractual obligations related thereto (including managing transactions, reporting, invoices and other operations related to providing/receiving services to/from clients and individuals). This may include data included in Category A
3. Market Research: Allowing individuals to participate to market research surveys and interviews and related activities. We report back to clients the results in an anonymized and aggregated form.  
4. Publications: In certain occasions and strictly in accordance with your express instructions, we may process your Personal Information for the purposes of publishing such data on our website and elsewhere through our services.
5. Relationships and communications: Processing contact data for the purposes of managing our relationships and communicating with you by email and/or telephone.
6. Direct marketing: Processing contact data for the purposes of creating, targeting and sending direct marketing communications by email and making contact by telephone for marketing-related purposes. We do this for improving and facilitating your participation in market research activities.
7. Research and analysis: Processing usage data for the purposes of researching and analyzing the use of our website, for example monitoring, supporting, improving and securing our website, services and business generally. InCrowd has a legitimate interest in maintaining security conditions on our websites to prevent malware, or other types of attacks. security is essential to protect the personal data of customers and visitors.
8. Record keeping: Processing your Personal Information for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records in servers located in the United States. We do this to ensure that we have access to all the information we need to run our business properly and efficiently in accordance with this Notice.
9. Legal: Required by Law: for other business-related purposes permitted or required under applicable local law and regulation for example satisfying governmental reporting, tax, crime investigation and national security; and (7) as otherwise required by law. This may include data included in Category A;
10. In general as requested by the clients and individuals;

4.       SENSITIVE PERSONAL INFORMATION

InCrowd might process certain categories of data that under the CPRA is considered very sensitive. This data may be collected when individuals participate to market research activities carried out by InCrowd directly or on behalf of their clients. We are committed to handling this data with extreme care and only a few authorized people have access to it. Such data might include: information about your health, your ethnic origin, biometric data, etc. Where we process Sensitive Personal Information data,  we will always obtain your explicit consent to those activities unless:

1. Consent is not required by law;
2. To protect your vital interests where you are incapable of giving your consent;
3. For the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
4. Processing is necessary for reasons of public interest in the area of public health as required by the local law.

5.       AUTOMATED DECISIONS

We reserve the right to make automated decisions, including using machine learning algorithms about and website visitors in order to optimize the products and services offered and/or delivered. You may contact us if you would like any clarifications about the automated decisions.

We might analyze your participation to our surveys with the purpose to enrich the profiling data we hold about yourself. The profiling data that we have collected might be used for making manual or automated decisions that involve your participation to market research activities. As results of this processing, we will be able to send you market research activities within your sphere of expertise and interest.

You have the right to opt-out from automated decisions at any time. However, be advised that if you exercise this right, it may affect our ability to offer you survey opportunities and to maintain your membership in our network.

You may contact us if you would like any clarifications about the automated decisions.

6.       DIGITAL FINGERPRINT

1. Cookies: InCrowd may set and use cookies to enhance your user experience on the sites, such as retaining your personal settings and preferences.  You may set your browser to prevent or reject cookies, or you may manually delete any cookies set. If you reject the cookies on the sites, you may still be able to use the sites, but they shall be limited to certain minimal functionality. From time to time InCrowd may use third-party tracking utilities that use session ID cookies that track site usability and assist InCrowd in improving user experience. This Privacy Notice does not cover the use of cookies by our third party providers as we do not have access or control over these cookies. We may collect information on our sites or in our emails using web beacons and or tracking pixels (electronic images). We may use beacons to count visits, understand usage and campaign effectiveness and to tell if an email has been opened and acted upon.
2. InCrowd uses cookies for the following purposes:
   1. Trend Analyses: InCrowd may use IP addresses to analyze trends, administer the Sites, track Your movement within the Sites, and gather broad demographic information for aggregate use.
   2. Links to other sites: our sites include links to other websites whose privacy practices may differ from InCrowd’s. If you submit personal data to any of those sites, your information is governed by the privacy statements of those third-party sites.
3. Managing cookies: Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

• https://support.google.com/chrome/answer/95647 (Chrome);
• https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop (Firefox);
• https://help.opera.com/en/latest/security-and-privacy/ (Opera);
• https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
• https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac  (Safari);
• https://support.microsoft.com/en-gb/help/4468242/microsoft-edge-browsing-data-and-privacy (Edge).

7.       CHOICE WITH RESPECT TO USES AND DISCLOSURES OF PERSONAL INFORMATION

InCrowd recognizes that individuals have the right to limit the use and disclosure of their Personal Information, and we are committed to respecting those rights.  We apply a strict policy with respect to disclosures of Sensitive Personal Information including, when applicable, obtaining the explicit consent (i.e., opt in consent) of an individual prior to disclosing Sensitive Personal Information to a third party or using Sensitive Personal Information for purposes other than those for which it was originally collected or subsequently authorized by the individual.

8.       SALE OR SHARE OF INFORMATION FOR A BUSINESS PURPOSE

InCrowd has not shared or disclose any categories of Personal Information for a business purpose in the last 12 months.

9.       DISCLOSURE/TRANSFER OF INFORMATION FOR A BUSINESS PURPOSE

1. InCrowd may disclose your Personal Information to a third party for a business purpose. We do this by entering into a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract or as required by the law. Furthermore, service providers must comply with any privacy state of federal law and agree to provide adequate protections that are no less protective than those set out in this Notice.
2. InCrowd may have disclosed the following categories of Personal Information for a business purpose in the last 12 months. Please see the table included in section III for more information about the categories of personal information:
   1. Category A: Identifiers
   2. Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e)).
   3. Category C: Protected classification characteristics under California or federal law.
   4. Category F: Internet or other similar network activity.
   5. Category G: Geolocation data.
   6. Category H: Sensory data.
   7. Category I: Professional or employment-related information.
3. Disclosure: We may have disclosed your Personal Information for a business purpose to the following categories of third parties:
   1. Our affiliates and subsidiaries
   2. Service Providers and consultants
   3. Professional services organizations, such as auditors and law firms
   4. Our business partners
   5. Internet service providers
   6. Government entities
   7. Operating systems and platforms
   8. Survey hosting providers
   9. Validation providers
   10. Rewards fulfillment providers
   11. SMS and video conference service providers
   12. Customer and panel support services
   13. Credit card processor
   14. Tax authorities
4. Purposes of disclosure: We may have disclosed your Personal Information for the below purposes:
   1. Survey reporting
   2. Email services
   3. Authentication of medical licenses
   4. Identity verification of the panel members
   5. Offering and providing customer support
   6. Internal marketing campaigns for communicating new offers to our clients
   7. Internal marketing campaigns for improving and facilitating participation of Panel Members in market research activities
   8. Internal marketing engagement e.g. newsletters
   9. Honorarium processing and fulfillment
   10. Auditing purposes and governmental reporting
   11. Tax reporting
   12. Allowing participation in market research activities
   13. For complying with your requests or contract obligation we have with you
5. Other forms of disclosures: InCrowd also may disclose your Personal Information for other purposes or to other third parties when you have consented to or requested such disclosure or under the following circumstances:
   1. We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
   2. We believe it is necessary to share information in order to investigate or prevent fraud, or to take action regarding illegal activities, situations involving potential threats to the physical safety of any person, or as otherwise required by law.
   3. We transfer information about you if InCrowd is acquired by or merged with another company. In this event, InCrowd will notify you before information about you is transferred and becomes subject to a different privacy notice.
   4. In response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
6. Deidentified information: We may also share aggregated or anonymous information that does not directly identify you. InCrowd may share anonymized aggregated demographic information with InCrowd partners.
7. Liability: InCrowd is potentially liable in cases of onward transfers of Personal Information to service providers , that, acting as agents on our behalf, process Personal Information in a manner inconsistent with applicable data protection regulations.

10.   DISCLOSURE/TRANSFER OF PERSONAL INFORMATION OUTSIDE US

The Service providers as described in section 10 might be based in US or in other countries. In these instances, InCrowd imposes strict contractual obligations with third parties to maintain a level of protection that is equal to the state or federal law and in line with the terms of this Notice.

In other instances, we may ask your consent to allow us to transfer your Personal Information into another country. In doing so we will provide you with full information about the transfer.

You may contact our DPO if you would like to know more about our international transfer assessment and/or copy of the transfer mechanism that we use for sharing your Personal Information outside your country of residence.

11.   ANTI-SPAM

InCrowd maintains a strict “No-Spam” policy, which means that InCrowd does not intend to sell, rent or otherwise give your email address to a third-party without your consent.

12.   DATA INTEGRITY, PURPOSE LIMITATION AND RETENTION

1. InCrowd will not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you. To that end, InCrowd will take reasonable steps to ensure that your Personal Information is reliable for its intended use, accurate, complete, and current.  InCrowd uses reasonable efforts to maintain the accuracy and integrity of your Personal Information and to update it as appropriate.
2. We retain your Personal Information as follow:
   1. Contact data will be retained for a minimum period of 2 years following the date of the most recent contact between you and us, or until an updating information request or removal request is made by you;
   2. Communication data will be retained for a minimum period of 2 years following the date of the communication in question or until a removal request is made by you;
   3. Usage data will be retained for a minimum period of 2 years or until a removal request is made by you following the date of collection;
   4. Market research data obtained during your participation in market research activities will be kept up to 5 years.
   5. We may retain your Personal Information as necessary (including a longer period) to comply with our legal obligations, resolve disputes and enforce our agreements.

13.   PERSONNEL ACCESS OF PERSONAL INFORMATION

Personnel from InCrowd may access and use your Personal Information only if they are authorized to do so and only for the purpose for which they are authorized.

14.   DATA SECURITY

InCrowd has implemented physical and technical safeguards to protect Personal Information from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Personal Information is stored on a secure network with firewall protection, and access to InCrowd ‘s electronic information systems requires user authentication via password or similar means. InCrowd also employs access restrictions, such as limiting the scope of employees who have access to Customer Personal Information. Further, InCrowd uses secure encryption technology to protect certain categories of personal data.

Despite these precautions, no data security safeguards guarantee 100% security all of the time.

15.   YOUR RIGHTS AND CHOICES

Pursuant to the CCPA/CPRA and subject to certain exceptions and limitations, California residents may contact us to exercise their rights with respect to certain Personal Information that we hold about them. To the extent these rights may apply to you, they are described below.

1. Right to Know and Access your Personal Information Collected or Disclosed. You have the right to request that we provide you with details about the Personal Information we collect, use and disclose. You can submit your request as described in 17, and we reserve the right to conduct the verification described. In connection with this request, you are entitled to receive the following:
   1. The categories of your Personal Information that we have collected
   2. The categories of sources from which that Personal Information was collected
   3. The business/commercial purpose for the collection or selling or sharing personal information
   4. The categories of third parties to whom we disclose Personal Information
   5. The specific pieces of Personal Information we have collected about you (subject to some exceptions)
2. If we have disclosed, sold or shared (as those words are defined in the CCPA and CPRA) Personal Information to third parties, you are also entitled to receive:
   1. The categories of Personal Information that we have collected about you.
   2. The categories of Personal Information that we have sold or shared about you and the categories of third parties to whom the personal information was sold or shared, by category or categories of Personal Information for each category of third parties to whom the Personal Information was sold or shared.
   3. The categories of Personal Information that we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
3. Right to Delete Personal Information. You have the right to request deletion of the Personal Information we have collected about you (subject to some exceptions). You can submit your request as described in 17, and we reserve the right to conduct the verification described.
4. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
   1. Complete the transaction for which we collected the Personal Information, provide a service that you requested, or take actions reasonably anticipated within the context of our ongoing business relationship with you.
   2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
   3. Debug products to identify and repair errors that impair existing intended functionality.
   4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
   5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code 1546 seq.).
   6. Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
   7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
   8. Comply with a legal obligation.
5. Right to Correct Inaccurate Personal Information . You may request the correction of inaccurate Personal Information processed by InCrowd, and update or modify any Personal Data that is incorrect or incomplete. You may also notify us by using the contacts in section 17 to correct any inaccurate personal information we have about you.
6. Right to No Retaliation following the Exercise of a Consumer’s Privacy Rights. We will not discriminate against you for exercising any of your CCPA/CPRA rights. Unless permitted by the law, we will not:
   1. Deny you use of our services.
   2. Provide you a different level or quality of services.
   3. Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services
   4. Retaliate against an employee, applicant for employment, or independent contractor for exercising their rights under this title.
7. Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to limit the use and disclosure of your Sensitive Personal Information to that use which is necessary to perform our services.

16.   HOW TO EXERCISE YOUR RIGHTS AND IDENTITY VERIFICATION

1. You can exercise your rights by filling out the form found at https://preferences.incrowdnow.com/privacy. You may also submit a request at incrowdprivacyrequest@incrowdnow.com, reach us on toll free number 800-470-8213, or via postal mail at InCrowd, Attn: Compliance Department, 480 Pleasant Street, Suite B100, Watertown, MA 02472 USA
2. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your Personal Information.
3. As part of this process, we may ask to verify your identity. Your request must:
   1. Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative;
   2. Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
4. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable request does not require you to create an account with us. We will only use Personal Information provided in a verifiable request to verify your identity or authority to make the request.

17.    RESPONSE TIMING AND FORMAT

We endeavor to respond to a verifiable request within 45 days of its receipt.  If we require more time up to 45 more days, for a total of 90 days from the receipt, we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding receipt of a verifiable request if your data has been collected before January 1, 2022.  The response we provide will also explain the reasons we cannot comply with a verifiable request, if applicable.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

18.   RESPONSIBILITIES AND MANAGEMENT

InCrowd has designated the Privacy and Compliance Department to oversee its information security program, including its compliance with the Privacy Shield program. The Privacy and Compliance Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Notice also may be directed to Privacy@incrowdnow.com.

19.   CHANGE TO THIS NOTICE

This Notice may be amended from time to time, consistent with applicable data protection and privacy laws and principles. We will notify Members if we make changes that materially affect the way we handle Personal Information previously collected, and we will allow them to choose whether their Personal Information may be used in any materially different manner.

Virginia Residents

1.       Controller of the Persona Data:

InCrowd, Inc

480 Pleasant Street, Suite B100, Watertown, MA 02472

InCrowd Data Protection Contact & DPO:  privacy@incrowdnow.com

2.       SCOPE

Pursuant to the Virginia Consumer Data Protection Act (CDPA) InCrowd as adopted this Privacy Notice.

We’re committed to helping you understand how we manage and protect the information we collect. We take privacy seriously and have taken many steps to help safeguard the information we collect from you.

This Privacy Notice was established in January 2023.

3.       PERSONAL DATA THAT WE COLLECT

InCrowd provides research solutions to its Clients, which are predominantly business customers, and individuals that may purchase products or participate in market research activities.

1. General Data: InCrowd collects Personal Data of healthcare professionals that register with our community of healthcare professionals (Crowd).
2. Communication Data: We may process information contained in or relating to any communication that you send to us or that we send to you. The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.
3. Usage data: We may process data about your use of our website and services. The usage data may include your IP address, geographical location, browser type, version and language, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. We may also collect and process data on the websites you visited before our sites may be logged automatically if you are redirected to our site from our advertising campaigns. The source of the usage data is our analytics tracking system, marketing automation platform or other marketing technologies.
4. Market Research data: we might also collect personal data and anonymized and/or pseudonymized data produced by individuals’ participation to market research activities.
5. Information collected: The Personal Information that we collect may vary based on your interaction with InCrowd. As a general matter, InCrowd collects the following types of Personal Data:

Data collected from individuals:

4.       PURPOSES OF DATA PROCESSING

InCrowd processes Personal Data that it collects directly from individuals registered with the Healthcare Community and indirectly in its role as a service provider for the following business purposes:

1. Operations: maintaining and supporting our products as well as delivering and providing the requested products/services;
2. Contractual; complying with contractual obligations related thereto (including managing transactions, reporting, invoices and other operations related to providing/receiving services to/from clients and individuals). This may include data included in Category A
3. Market Research: Allowing individuals to participate to market research surveys and interviews and related activities. We report back to clients the results in an anonymized and aggregated form.  
4. Publications: In certain occasions and strictly in accordance with your express instructions, we may process your personal data for the purposes of publishing such data on our website and elsewhere through our services.
5. Relationships and communications: Processing contact data for the purposes of managing our relationships and communicating with you by email and/or telephone.
6. Direct marketing: Processing contact data for the purposes of creating, targeting and sending direct marketing communications by email and making contact by telephone for marketing-related purposes. We do this for improving and facilitating your participation in market research activities.
7. Research and analysis: Processing usage data for the purposes of researching and analyzing the use of our website, for example monitoring, supporting, improving and securing our website, services and business generally. InCrowd has a legitimate interest in maintaining security conditions on our websites to prevent malware, or other types of attacks. security is essential to protect the personal data of customers and visitors.
8. Record keeping: Processing your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records in servers located in the United States. We do this to ensure that we have access to all the information we need to run our business properly and efficiently in accordance with this Notice.
9. Legal: Required by Law: for other business-related purposes permitted or required under applicable local law and regulation for example satisfying governmental reporting, tax, crime investigation and national security; and (7) as otherwise required by law. This may include data included in Category A;
10. In general as requested by the clients and individuals;

5.       SENSITIVE PERSONAL INFORMATION

InCrowd might process certain categories of data that under the CDPA is considered very sensitive. This data may be collected when individuals participate to market research activities carried out by InCrowd directly or on behalf of their clients. We are committed to handling this data with extreme care and only few authorized people have access to it. Such data might include: information about your health, your ethnic origin, biometric data, etc. Where we process sensitive personal information data,  we will always obtain your explicit consent to those activities unless:

1. Consent is not required by law;
2. To protect your vital interests where you are incapable of giving your consent;
3. For the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;

6.       AUTOMATED DECISIONS

We reserve the right to make automated decisions, including using machine learning algorithms about and website visitors in order to optimize the products and services offered and/or delivered. You may contact us if you would like any clarifications about the automated decisions.

We might analyze your participation to our surveys with the purpose to enrich the profiling data we hold about yourself. The profiling data that we have collected might be used for making manual or automated decisions that involve your participation to market research activities. As results of this processing, we will be able to send you market research activities within your sphere of expertise and interest.

You have the right to opt-out from automated decisions at any time. However, be advised that if you exercise this right, it may affect our ability to offer you survey opportunities and to maintain your membership in our network.

You may contact us if you would like any clarifications about the automated decisions.

7.       DIGITAL FINGERPRINT

1. Cookies: InCrowd may set and use cookies to enhance your user experience on the sites, such as retaining your personal settings and preferences.  You may set your browser to prevent or reject cookies, or you may manually delete any cookies set. If you reject the cookies on the sites, you may still be able to use the sites, but they shall be limited to certain minimal functionality. From time to time InCrowd may use third-party tracking utilities that use session ID cookies that track site usability and assist InCrowd in improving user experience. This Privacy Notice does not cover the use of cookies by our third party providers as we do not have access or control over these cookies. We may collect information on our sites or in our emails using web beacons and or tracking pixels (electronic images). We may use beacons to count visits, understand usage and campaign effectiveness and to tell if an email has been opened and acted upon. InCrowd uses cookies for the following purposes:
   1. Trend Analyses: InCrowd may use IP addresses to analyze trends, administer the Sites, track Your movement within the Sites, and gather broad demographic information for aggregate use.
   2. Links to other sites: our sites include links to other websites whose privacy practices may differ from InCrowd’s. If you submit personal data to any of those sites, your information is governed by the privacy statements of those third-party sites.
2. Managing cookies: Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

• https://support.google.com/chrome/answer/95647 (Chrome);
• https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop (Firefox);
• https://help.opera.com/en/latest/security-and-privacy/ (Opera);
• https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
• https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac (Safari);
• https://support.microsoft.com/en-gb/help/4468242/microsoft-edge-browsing-data-and-privacy (Edge).

8.       SALE OF INFORMATION FOR A BUSINESS PURPOSE

InCrowd does not sell any categories of Personal Information for a business purpose in accordance with CDPA.

9.       TRANSFER OF INFORMATION FOR A BUSINESS PURPOSES

InCrowd might transfer personal information for business purposes by entering into a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract or as required by the law. Furthermore, service providers must comply with any privacy state of federal law and agree to provide adequate protections that are no less protective than those set out in this Notice.

1. InCrowd may transfer the following categories of Personal Information for a business purpose. Please see the table included in section 3 for more information about the categories of personal information:
   1. Category A
   2. Category B
   3. Category C
   4. Category D
   5. Category E
2. Transfer: We may have transfer your Personal Information for a business purpose to the following categories of third parties:
   1. Our affiliates and subsidiaries
   2. Service Providers and consultants
   3. Professional services organizations, such as auditors and law firms
   4. Our business partners
   5. Internet service providers
   6. Government entities
   7. Operating systems and platforms
   8. Survey hosting providers
   9. Validation providers
   10. Rewards fulfillment providers
   11. SMS and video conference service providers
   12. Customer and panel support services
   13. Credit card processor
   14. Tax authorities
3. Purposes of disclosure: We may have disclosed your personal information for the below purposes:
   1. Survey reporting
   2. Email services
   3. Authentication of medical licenses
   4. Identity verification of the panel members
   5. Offering and providing customer support
   6. Internal marketing campaigns for communicating new offers to our clients
   7. Internal marketing campaigns for improving and facilitating participation of Panel Members in market research activities
   8. Internal marketing engagement e.g. newsletters
   9. Honorarium processing and fulfillment
   10. Auditing purposes and governmental reporting
   11. Tax reporting
   12. Allowing participation in market research activities
   13. For complying with your requests or contract obligation we have with you
4. Other forms of disclosures: InCrowd also may disclose your personal data for other purposes or to other third parties when you have consented to or requested such disclosure or under the following circumstances:
   1. We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
   2. We believe it is necessary to share information in order to investigate or prevent fraud, or to take action regarding illegal activities, situations involving potential threats to the physical safety of any person, or as otherwise required by law.
   3. We transfer information about you if InCrowd is acquired by or merged with another company. In this event, InCrowd will notify you before information about you is transferred and becomes subject to a different privacy notice.
   4. In response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
5. Deidentified information: We may also share aggregated or anonymous information that does not directly identify you. InCrowd may share anonymized aggregated demographic information with InCrowd partners.
6. Liability: InCrowd is potentially liable in cases of onward transfers of Personal Data to service providers , that, acting as agents on our behalf, process Personal Data in a manner inconsistent with applicable data protection regulations.

10.   DISCLOSURE/TRANSFER OF PERSONAL DATA OUTSIDE US

The Service providers as described in paragraph 9 might be based in US or in other countries. In these instances, InCrowd imposes strict contractual obligations with third parties to maintain a level of protection that is equal to the state or federal law and in line with the terms of this Notice.

In other instances, we may ask your consent to allow us to transfer your personal data into another country. In doing so we will provide you with full information about the transfer.

11.   ANTI-SPAM

InCrowd maintains a strict “No-Spam” policy, which means that InCrowd does not intend to sell, rent or otherwise give your email address to a third-party without your consent.

12.   DATA INTEGRITY, PURPOSE LIMITATION AND RETENTION

InCrowd will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you.  To that end, InCrowd will take reasonable steps to ensure that your Personal Data is reliable for its intended use, accurate, complete, and current.  InCrowd uses reasonable efforts to maintain the accuracy and integrity of your Personal Data and to update it as appropriate.

We retain your personal data as follow:

1. Contact data will be retained for a minimum period of 2 years following the date of the most recent contact between you and us, or until an updating information request or removal request is made by you;
2. Communication data will be retained for a minimum period of 2 years following the date of the communication in question or until a removal request is made by you;
3. Usage data will be retained for a minimum period of 2 years or until a removal request is made by you following the date of collection;
4. Market research data obtained during your participation in market research activities will be kept up to 5 years.

We may retain your information as necessary (including a longer period) to comply with our legal obligations, resolve disputes and enforce our agreements.

13.   PERSONNEL ACCESS OF PERSONAL DATA

Personnel from InCrowd may access and use your personal data only if they are authorized to do so and only for the purpose for which they are authorized.

14.   DATA SECURITY

InCrowd has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to InCrowd ‘s electronic information systems requires user authentication via password or similar means. InCrowd also employs access restrictions, such as limiting the scope of employees who have access to Customer Personal Data. Further, InCrowd uses secure encryption technology to protect certain categories of personal data.

Despite these precautions, no data security safeguards guarantee 100% security all of the time.

15.   YOUR RIGHTS AND CHOICES

Pursuant to the Virginia Consumer Data Protection Act (CDPA) and subject to certain exceptions and limitations, Virginia residents may contact us to exercise their rights with respect to certain Personal Information that we hold about them. To the extent these rights may apply to you, they are described below.

1. Right to Know and Access: You have the right to obtain confirmation about whether your Personal Data is being processed by InCrowd and to access it.
2. Right to Correct Inaccuracies: You may correct inaccuracies of your Personal Data, taking into account the nature of the personal data and the purposes of the processing. You may ask us to review your own Personal Data processed by us and correct, update, modify, or delete any data that is incorrect or incomplete.
3. Right to Deletion: You may request to have your Personal Data and the Personal Data obtained about you deleted.
4. Right to Obtain a Copy: You may request a copy of your Personal Data previously provided to InCrowd in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Data to another controller without hindrance, as the processing is carried out by automated means.
5. Right to Opt-out: You have the right to request to opt-out the processing of your Personal Data from:
   1. Targeted advertisement
   2. Sale of personal data
   3. Profiling in furtherance of decisions that produce legal or similar effects concerning you
6. Right to Avoid Discrimination: InCrowd will not discriminate against you for exercising any of your consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to you. Even if InCrowd does not process your personal information for the above purposes, you still have the opportunity to submit a request to opt-out.

16.   IDENTIFICATION OF THE DATA SUBJECT

We cannot respond to your request or provide you with Personal Information if we cannot authenticate your request using commercially reasonable efforts; we will make the necessary steps to verify your identity and the request. Making a verifiable request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable request to verify your identity or authority to make the request.

17.   HOW TO EXERCISE YOUR RIGHTS

You can exercise your rights by filling out the form found at https://preferences.incrowdnow.com/privacy. You may also submit a request at incrowdprivacyrequest@incrowdnow.com, reach us on toll free number 800-470-8213, or via postal mail at InCrowd, Attn: Compliance Department, 480 Pleasant Street, Suite B100, Watertown, MA 02472 USA

18.    RESPONSE TIMING AND FORMAT

We endeavor to respond to a verifiable rights request within 45 days of its receipt.  If we require more time, up to 45 more days, for a total of 90 days from the receipt of your initial request, due to the complexity/number of your requests, we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

If we determine that we can’t comply with your request, we will explain the reasons for declining to take actions and instruction for how to appeal our decision.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

19.   PROCESS TO APPEAL THE CONTROLLER’S DECISIONS

Within 15 days of the notification of our decision, you have the right to appeal an InCrowd’s refusal to take action on a request by contacting our Data Protection Officer via email at Privacy@apollointelligence.net or via postal mail at InCrowd, Attn: DPO, 480 Pleasant Street, Suite B100, Watertown, MA 02472 USA.  Within 60 days of the receipt of your appeal, InCrowd will inform you about any action taken or not taken and provide written explanation of the reasons for the decision.

If we reject your appeal, you have the right to contact the Virginia Attorney General: https://www.oag.state.va.us/.

20.   RESPONSIBILITIES AND MANAGEMENT

InCrowd has designated the Privacy and Compliance Department to oversee its information security program, including its compliance with the Privacy Shield program. The Privacy and Compliance Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Notice also may be directed to Privacy@incrowdnow.com.

21.   CHANGE TO THIS NOTICE

This Notice may be amended from time to time, consistent with applicable data protection and privacy laws and principles. We will notify Members if we make changes that materially affect the way we handle Personal Information previously collected, and we will allow them to choose whether their Personal Information may be used in any materially different manner.

Privacy Notice for EEA, UK and Swiss Residents

I.          CONTROLLER OF THE PERSONAL DATA

InCrowd, Inc
480 Pleasant Street, Suite B100
Watertown, MA 02472
UK Data Protection Representative: Antonio Tropea, Managing Director – Europe, Survey Healthcare Limited, Citypoint Building, 9th Fl, 1 Ropemaker Street, London EC2Y 9HT, United Kingdom. UKDataProtectionRepresentative@incrowdnow.com.
EU Data Protection Representative: Fabio Musumeci, Privacy and Compliance Director, InCrowd Intelligence Operating, LLC: EUDataProtectionRepresentative@incrowdnow.com.
InCrowd Data Protection Contact & DPO:  privacy@incrowdnow.com

II.        SCOPE

This Notice applies to the processing of Personal Data that InCrowd transfers to and stores in the United States.

We’re committed helping you understand how we manage and protect the information we collect. We take privacy seriously and have taken many steps to help safeguard the information we collect from you.

This Privacy Notice was established in October 2022.

III.          PERSONAL DATA THAT WE COLLECT

InCrowd provides research solutions to its Clients, which are predominantly business customers, and individuals that may purchase products or participate to market research activities.

1. General Data: InCrowd collects Personal Data of healthcare professionals that register with our community of healthcare professionals (Crowd).
2. Communication Data: InCrowd may process information contained in or relating to any communication that you send to us or that we send to you. The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.
3. Usage data: InCrowd may process data about your use of our website and services. The usage data may include your IP address, geographical location, browser type, version and language, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. We may also collect and process data on the websites you visited before our sites may be logged automatically if you are redirected to our site from our advertising campaigns. The source of the usage data is our analytics tracking system, marketing automation platform or other marketing technologies.
4. Market Research data: InCrowd might also collect personal data and anonymized and/or pseudonymized data produced by individuals’ participation to market research activities.
5. Information collected: The Personal Data that we collect may vary based on your interaction with InCrowd.  As a general matter, InCrowd collects the following types of Personal Data:

          Data collected from our Community of Healthcare Professionals (Crowd):

IV.          PURPOSES OF DATA PROCESSING

InCrowd processes Personal Data that it collects directly from individuals registered with the Healthcare Community and indirectly in its role as a service provider for the following business purposes:

1. Operations: maintaining and supporting our products as well as delivering and providing the requested products/services;
2. Contractual; complying with contractual obligations related thereto (including managing transactions, reporting, invoices and other operations related to providing/receiving services to/from clients and individuals). This may include data included in Category A
3. Market Research: Allowing individuals to participate in market research surveys and interviews and related activities. Report back to clients results in an anonymized and aggregated form.
4. Publications: In certain occasions and strictly in accordance with your express instructions, we may process your personal data for the purposes of publishing such data on our website and elsewhere through our services.
5. Relationships and communications: Processing contact data for the purposes of managing our relationships and communicating with you by email and/or telephone.
6. Direct marketing: Processing contact data for the purposes of creating, targeting, and sending direct marketing communications by email and making contact by telephone for marketing-related purposes. We do this for improving and facilitating your participation in market research activities.
7. Research and analysis: Processing usage data for the purposes of researching and analyzing the use of our website, for example monitoring, supporting, improving, and securing our website, services and business generally. InCrowd has a legitimate interest in maintaining security conditions on our websites to prevent malware, or other types of attacks. Security is essential to protect the personal data of customers and visitors.
8. Record keeping: Processing your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records in servers located in the United State. We do this to ensure that we have access to all the information we need to run our business properly and efficiently in accordance with this Notice.
9. Legal compliance and vital interests: Processing your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or to protect your vital interests or the vital interests of another natural person.
10. Required by Law: for other business-related purposes permitted or required under applicable local law and regulation for example satisfying governmental reporting, tax, crime investigation and national security; and (7) as otherwise required by law). This may include data included in Category A
11. In general: as requested by data subjects;

V.          LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

InCrowd uses the following legal bases for processing your data in relation with the above identified purposes:

VI.        SPECIAL CATEGORY OF PERSONAL DATA OR SENSITIVE DATA

InCrowd might process certain categories of data that can be considered very sensitive. This data may be collected when individuals participate to market research activities carried out by InCrowd directly or on behalf of their clients. We are committed to handle this data with extreme care and only few authorized people have access to it. Such data might include: information about your health, your ethnic origin, biometric data, trade union membership, etc. Where we process special categories of personal data, “Sensitive Personal Data,” we will always obtain your explicit consent to those activities unless:

1. Consent is not required by law;
2. To protect your vital interests where you are incapable of giving your consent;
3. For the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
4. Processing is necessary for reasons of public interest in the area of public health as required by the local law.

Where this is allowed by law, you may have the right to withdraw that consent at any time.

VII.          AUTOMATED DECISIONS

We reserve the right to make automated decisions, including using machine learning algorithms about website visitors to optimize and provide better experience when navigating our websites. Only digital data as specified in section VIII are included in this processing.

We may analyze your participation in our surveys with the purpose to enrich the profiling data we hold about you. The profiling data that we have collected might be used for making manual or automated decisions that involve your participation in market research activities. As results of this processing, we will be able to send you market research activities within your sphere of expertise and interest.

You may contact us if you would like any clarifications about the automated decisions.

VIII.          DIGITAL DATA

1. Cookies: InCrowd may set and use cookies to enhance your user experience on the sites, such as retaining your personal settings and preferences.  You may set your browser to prevent or reject cookies, or you may manually delete any cookies set. If you reject the cookies on the sites, you may still be able to use the sites, but they shall be limited to certain minimal functionality. From time-to-time InCrowd may use third-party tracking utilities that use session ID cookies that track site usability and assist InCrowd in improving user experience. This Privacy Notice does not cover the use of cookies by our third-party providers as we do not have access or control over these cookies. We may collect information on our sites or in our emails using web beacons and or tracking pixels (electronic images). We may use beacons to count visits, understand usage and campaign effectiveness and to tell if an email has been opened and acted upon. You can review the cookies used by InCrowd’s website here.

2. Trend Analyses: InCrowd may use IP addresses to analyze trends, administer the Sites, to track your movement within the Sites, and to gather broad demographic information for aggregate use.
3. Links to other sites: our sites include links to other websites whose privacy practices may differ from InCrowd’s. If you submit personal data to any of those sites, your information is governed by the privacy statements of those third-party sites.
4. Managing cookies: Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
   • https://support.google.com/chrome/answer/95647 (Chrome);
   • https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop (Firefox);
   • https://help.opera.com/en/latest/security-and-privacy/ (Opera);
   • https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
   • https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac (Safari);
   • https://support.microsoft.com/en-gb/help/4468242/microsoft-edge-browsing-data-and-privacy (Edge).

IX.        CHOICE WITH RESPECT TO USES AND DISCLOSURES OF PERSONAL DATA

InCrowd recognizes that individuals have the right to limit the use and disclosure of their Personal Data, and we are committed to respecting those rights. We offer individuals the opportunity to opt out of disclosures of Personal Data to a third party or the use of Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.  We will comply with the GDPR with respect to disclosures of Sensitive Data including, when applicable, obtaining the explicit consent (i.e., opt in consent) of an individual prior to disclosing Sensitive Data to a third party or using Sensitive Data for purposes other than those for which it was originally collected or subsequently authorized by the individual.

X.        DISCLOSURE/TRANSFER OF INFORMATION FOR A BUSINESS PURPOSE

InCrowd may disclose your Personal Information to a third party for a business purpose. We do this by entering into a contract that describes the purpose and requires the recipient to both keep that Personal Data confidential and not use it for any purpose except performing the contract. Furthermore, third parties must comply with the GDPR and agree to provide adequate protections that are no less protective than those set out in this Notice.

1. Disclosure: We may disclose your Personal Information for a business purpose to the following categories of third parties:
   1. Our affiliates and subsidiaries
   2. Our clients or their agents
   3. Service Providers and consultants
   4. Professional services organizations, such as auditors and law firms
   5. Our business partners
   6. Internet service providers
   7. Government entities
   8. Operating systems and platforms
   9. Survey hosting providers
   10. Validation providers
   11. Rewards fulfillment providers
   12. SMS and video conference service providers
   13. Customer and panel support services
   14. Credit card processor
   15. Tax authorities
2. Purposes of disclosure: InCrowd may disclose your personal information for the below purposes:
   1. Survey reporting
   2. Email services
   3. Authentication of medical licenses
   4. Identity verification of the panel members
   5. Offering and providing customer support
   6. Internal marketing campaigns for communicating new offers to our clients
   7. Internal marketing campaigns for improving and facilitating participation of Panel Members in market research activities
   8. Internal marketing engagement e.g. newsletters
   9. Honorarium processing and fulfillment
   10. Auditing purposes and governmental reporting
   11. Tax reporting
   12. Allowing participation in market research activities
   13. For complying with your requests or contract obligation we have with you
3. Disclosures due to acquisition or merge: We may share your information in connection with a merger, sale of company assets, financing or acquisition of all or a portion of our business to another company, if any. In this event, InCrowd will notify you before information about you is transferred and becomes subject to a different privacy policy.
4. Anonymous information: We may also share aggregated or anonymous information that does not directly identify you. InCrowd may share anonymized aggregated demographic information with InCrowd partners.
5. Other forms of disclosures: InCrowd also may discloses your personal data for other purposes or to other third parties when you have consented to or requested such disclosure or under the following circumstances:
   1. We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
   2. We believe it is necessary to share information in order to investigate or prevent fraud, or to take action regarding illegal activities, situations involving potential threats to the physical safety of any person, or as otherwise required by law.
   3. We transfer information about you if InCrowd is acquired by or merged with another company. In this event, InCrowd will notify you before information about you is transferred and becomes subject to a different privacy notice.
   4. In response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
6. Third party compliance: Such third parties must agree to use such Personal Data only for the purposes for which they have been engaged by InCrowd and they must either:
   1. comply with the GDPR, the Privacy Shield principles, or another mechanism permitted by the applicable European data protection law(s) for transfers and processing of Personal Data; or
   2. agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Notice.
7. Liability: InCrowd is potentially liable in cases of onward transfers of Personal Data to third parties, such as when third parties that act as agents on our behalf process Personal Data in a manner inconsistent with applicable data protection regulations.

XI.        TRANSFER PERSONAL DATA OUTSIDE THE EEA, UK AND SWITZERLAND

The third parties as described in paragraph X might be based in US or in countries other than EEA, UK and Switzerland. In these instances, InCrowd imposes strict contractual obligations and executes Standard Contractual Clauses with third parties to maintain a level of protection that is equal to the GDPR requirements.

In other instances, we may ask your consent to allow us to transfer your personal data into another country. In doing so we will provide you with full information about the transfer.

You might contact our DPO if you would like to know more about our international transfer assessment and/or copy of the transfer mechanism that we use for sharing your Personal Data outside your country of residence.

XII.        ANTI-SPAM

InCrowd maintains a strict “No-Spam” policy, which means that InCrowd does not intend to sell, rent or otherwise give your email address to a third-party without your consent.

XIII.        DATA INTEGRITY, PURPOSE LIMITATION AND RETENTION

InCrowd will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you.  To that end, InCrowd will take reasonable steps to ensure that your Personal Data is reliable for its intended use, accurate, complete, and current.  InCrowd uses reasonable efforts to maintain the accuracy and integrity of your Personal Data and to update it as appropriate.

We retain your personal data as follow:

1. Contact data will be retained for a minimum period of 2 years following the date of the most recent contact between you and us, or until an updating information request or removal request is made by you;
2. Communication data will be retained for a minimum period of 2 years following the date of the communication in question or until a removal request is made by you;
3. Usage data will be retained for a minimum period of 2 years or until a removal request is made by you following the date of collection;
4. In general we do not retain your personal data for more than 2 years since your last engagement/interaction with the Company;

 We may retain your information as necessary (including a longer period) to comply with our legal obligations, resolve disputes and enforce our agreements.

XIV.        PERSONNEL ACCESS OF PERSONAL DATA

Personnel from InCrowd may access and use your personal data only if they are authorized to do so and only for the purpose for which they are authorized.

XV.        DATA SECURITY

InCrowd has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to InCrowd ‘s electronic information systems requires user authentication via password or similar means. InCrowd also employs access restrictions, limiting the scope of employees who have access to Customer Personal Data. Further, InCrowd uses secure encryption technology to protect certain categories of personal data.

Despite these precautions, no data security safeguards guarantee 100% security all of the time.

XVI.        YOUR RIGHTS

Right of Access You have the right to obtain confirmation about whether your personal data is included in our databases. Upon request, InCrowd will provide an individual access to your personal data within the time frame dictated by the applicable data protection regulations. InCrowd will allow you to know what Personal Data is included in our databases and to ensure that such Personal Data is accurate and relevant for the purposes for which InCrowd collected the Personal Data. You may also request a copy of your data in a commonly used and machine-readable form.

1. Right of Rectification: You may review your own Personal Data stored in the databases and correct, update, modify, or delete any data that is incorrect or incomplete.
2. Right of Erasure: You may request to have the personal information that we have about you to be deleted from our servers. InCrowd will take reasonable steps, including technical measures, to comply with your request. In some circumstances your request might be rejected if it falls under one of the categories included in ART. 17.3:
   1. exercising the right of freedom of expression and information
   2. for compliance with a legal obligation
   3. for reasons of public interest in the area of public health
   4. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
   5. establishment, exercise or defense of legal claims
3. Objection: You may object, at any time, to your Personal Data being processed for a specific purpose.
4. Restriction of Processing:You may restrict processing of your Personal Data for certain reasons, such as, for example if you consider your Personal Data collected by us to be inaccurate or you have objected to the processing and the existence of legitimate grounds for processing is still under consideration.
5. Data Portability: You may request the Personal Data you provided to us in a commonly used and machine-readable form.
6. Right to Withdraw Consent: You have the right to withdraw your consent at any time, without affecting the lawfulness of our processing based on such consent before it was withdrawn, including processing related to existing contracts for our Services.
7. Right to complain to a supervisory authority: you might lodge a complaint about our processing of your personal data with your local Data Protection Authority; InCrowd will collaborate with the authority to resolve it.
8. Limitations: these rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

XVII.        HOW TO EXERCISE YOUR RIGHTS

You can exercise your rights by filling out the form found at https://preferences.incrowdnow.com/privacy. You may also submit a request at incrowdprivacyrequest@incrowdnow.com, via postal mail at InCrowd, Attn: Compliance Department, 480 Pleasant Street, Suite B100, Watertown, MA 02472 USA

XVIII.        RESPONSE TIMING AND FORMAT

We endeavor to respond to a verifiable request within 30 days of its receipt. If we require more time (up to two extra months), we will inform you of the reason and extension period in writing.

We will deliver our written response by mail or electronically, at your option.

The response we provide will also explain the reasons we cannot comply with a verifiable request, if applicable.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Request that we can’t process: We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. Making a verifiable request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable request to verify your identity or authority to make the request.

Requests for Personal Data

InCrowd will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arise:

1. legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or
2. requests received from the Data Subject.

XIX.        NOTIFICATION

InCrowd notifies Clients and individuals about its adherence to GDPR and other applicable data protection regulations, as well as the Privacy Shield principles, through its publicly posted website privacy notice available at: Coming Soon

XX.        RESPONSIBILITIES AND MANAGEMENT

InCrowd has designated the Privacy Department to oversee its information security program, including its compliance with the Privacy Shield program. The Privacy Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Notice also may be directed to https://incrowdnow.com/privacy/.

XXI.        ENFORCEMENT AND DISPUTE RESOLUTION

We commit to resolving individuals’ complaints related to our privacy practices or our collection, or use, or disclosure of Personal Data.  An individual may file a privacy complaint by contacting our DPO at privacy@incrowdnow.com. Further, individuals with questions or concerns about the use or disclosure of their Personal Data should contact us as outlined in Section XVII.

If an individual’s complaint cannot be satisfied through our internal complaint process, the individual may bring a complaint before the INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM, a non-profit alternative dispute resolution provider located in the United States and operated by the Insights Association. The INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM is designed to handle eligible complaints brought by Swiss and EU citizens about Privacy Shield Principles.  If you have any complaints regarding our compliance with the Privacy Shield Framework you should first contact us (as provided above).

If contacting us does not resolve your complaint or you do not receive timely acknowledgement of your complaint, please visit the INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM website at https://www.insightsassociation.org/Resources/Privacy-Shield/Information-for-EU-Swiss-Citizens-to-file-a-complaint for more information and to file a complaint.  We will cooperate with the independent dispute resolution mechanism to resolve any complaint that is not resolved through our internal processes.

If a complaint regarding Privacy Shield compliance is not resolved by any of the above dispute resolution mechanisms, an individual has the possibility, under certain conditions, to invoke binding arbitration. Additional information about binding arbitration can be found here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

The above does not preclude your right to contact your local Data Protection Authority. We will collaborate with the DPA to find a solution to resolve the complaint.

XXII.        CHANGES TO THIS NOTICE

InCrowd will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. InCrowd personnel will receive training, as applicable, to effectively implement this Notice. Please refer to Section VIII for a discussion of the steps that InCrowd has undertaken to protect Personal Data.

This Notice may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.

XXIII.        DEFINITIONS

Capitalized terms in this Privacy Notice have the following meanings:

1. “Customer” means a prospective, current, or former partner, vendor, supplier, customer, or client of InCrowd. The term also shall include any individual agent, employee, representative, customer, or client of an InCrowd Customer where InCrowd has obtained his or her Personal Data from such Customer as part of its business relationship with the Customer.
2. “Data Subject” means an identified or identifiable natural living person in the European Union. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
3. “Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of InCrowd.
4. “Europe” or “European” refers to a country in the European Economic Area.
5. “Personal Data” as defined under Regulation (EU) 2016/679, the General Data Protection Regulation means any and all data (regardless of format) that (i) identifies or can be used to identify, contact or locate a natural person, or (ii) pertains in any way to an identified natural person. Personal Data includes obvious identifiers (such as names, addresses, email addresses, phone numbers and identification numbers) as well as biometric data, “personal data” (as defined in the GDPR), and any and all information about an individual’s computer or mobile device or technology usage, including (for example and without limitation) IP address, MAC address, unique device identifiers, unique identifiers set in cookies, and any information passively captured about a person’s online activities, browsing, application or hotspot usage or device location.
6. “Sensitive Data” is a subset of Personal Data which due to its nature has been classified by law as deserving additional privacy and security protections. Sensitive Personal Data consists of: (i) all government-issued identification numbers, (ii) all financial account numbers (including payment card information and health insurance numbers), (iii) individual medical records, genetic and biometric information, (iv) user account credentials, such as usernames, passwords, security questions/answers and other password recovery data, (v) data elements that constitute Special Categories of Data under the GDPR, namely EEA Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and (vi) any other Personal Data designated by InCrowd as Sensitive Personal Data.

Privacy Shield Notice

I.          PRIVACY SHIELD FRAMEWORK

InCrowd remains certified with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield  Framework as set forth by the US Department of Commerce. Our Privacy Shield certification is available here.

InCrowd complies with the General Data Protection Regulation (GDPR), the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce when processing personal data of European Union and Swiss Citizens.

As part of the decision of the European Court of Justice (C-311/18 Schrems II) InCrowd transfers personal data to US via other compliance mechanisms in accordance with Chapter V of the GDPR including the Standard Contractual Clauses issued by the European Commission on the 4^th of June 2021.

If there is any conflict between the terms in this privacy notice and the GDPR or the Privacy Shield Privacy Principles, the GDPR and the Privacy Shield Privacy Principles shall govern. InCrowd acknowledges that as a participant in the Privacy Shield Framework we are under the enforcement authority of the Federal Trade Commission.

Individual resident in the European union and Switzerland may resolve their controversy as describe in paragraph XXI of the Privacy Notice for EEA, UK and Swiss residents.

If you would like to learn more why InCrowd remains Privacy Shield certified, please visit the Insights Association webpage about Privacy Shield Program: https://www.insightsassociation.org/Resources/Privacy-Shield.

You can also learn more about the Privacy Shield program, by visiting  https://www.privacyshield.gov/.

II.          RENEWAL

VERIFICATION

1. InCrowd will renew its Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
2. Prior to the re-certification, InCrowd will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, InCrowd will undertake the following:
   1. Review this Notice to ensure that it accurately describe the practices regarding the collection of Customer Personal Data.
   2. Ensure that this Notice informs about InCrowd’s participation in the Privacy Shield program and where to obtain a copy of additional information (e.g., a copy of this Notice).
   3. Ensure that this Notice continues to comply with the Privacy Shield principles and GDPR.
   4. Confirm that data subjects are made aware of the process for addressing complaints and any independent dispute resolution process (InCrowd may do so through its publicly posted website, its Privacy Notice and/or its Terms of Use).
   5. Review its processes and procedures for training Employees about InCrowd’s participation in the Privacy Shield program and the appropriate handling of Customer Personal Data.
3. InCrowd will prepare an internal verification statement on an annual basis.