Weevr Privacy Policy

Last updated: 26 February 2025

This privacy policy (“Privacy Policy”) explains how Weevr Analytics Limited, a company incorporated in England and Wales with registered number 16549090 and registered office at 101 New Cavendish Street, 1st Floor South, London, United Kingdom, W1W 6XH (“Weevr”, “we”, “us”) collects, uses, stores and shares personal data in connection with Weevr’s website and survey analysis software-as-a-service platform available at weevr.io (the “Service”).

This Privacy Policy applies where Weevr processes personal data as a controller, including personal data relating to:

  • users who create or administer accounts;
  • customer contacts, billing contacts and supplier contacts; and
  • individuals who communicate with us, including through support, sales or security communications.

The Service is designed to process datasets that have been anonymised or de-identified by the customer prior to upload. Where Weevr processes personal data on behalf of a customer as a processor, such processing is governed by the applicable data processing agreement (“DPA”) with that customer and not by this Privacy Policy.

The Service is made available for business use only and is not directed to consumers or children. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that personal data relating to a child has been collected through the Service or our website, we will take reasonable steps to delete that information.

We may update this Privacy Policy from time to time to reflect changes to the Service, changes to our business practices, or legal or regulatory requirements. If we make changes that materially affect how we process personal data or your rights, we will provide reasonable notice, for example by email to the primary account email address or by notice within the Service. The updated Privacy Policy will take effect on the date stated in the notice or, if no date is stated, when the updated version is made available on our website.

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you may contact us.

1. Personal Data Collected by Us

1.1. We may collect and process the following categories of personal data.

Account and contact information

We may collect personal data necessary to create and administer accounts and manage business relationships. This may include your name, business email address, telephone number (including switchboard or direct numbers), job title or role, company name, and similar professional contact details.

Billing and invoicing information

Where the Customer is invoiced for the Service, we may process billing contact details and invoicing information necessary to issue invoices, administer payments and maintain accounting and financial records. This may include billing contact name, business contact details, company information, and invoicing records. We do not collect or store full payment card details. Payments, where applicable, may be processed by our payment service provider.

Technical and usage information

When you access or use the Service or our website, we may automatically collect certain technical and usage information. This may include IP address, device identifiers, browser type, operating system information, log data, and usage analytics events (for example pages viewed, features used, and actions taken within the Service).

Communications information

Where you contact us for support, sales enquiries, security reporting, or other communications, we may process personal data contained in those communications, including contact details and the content of messages or attachments you provide.

Customer datasets

Datasets uploaded to the Service are intended to be anonymised or de-identified prior to upload. If personal data is nevertheless included within a dataset, Weevr may process such personal data on behalf of the relevant customer as a processor in accordance with the applicable data processing agreement.

1.2. We collect personal data in the following ways:

  • Directly from you, for example when you create an account, contact us, request support, subscribe to the Service, or otherwise communicate with us.
  • Automatically through the Service or website, including through system logs, cookies, and usage analytics when you access or interact with the Service.
  • From the Customer organisation you represent, where your employer or organisation provides your details as an account administrator, authorised user, billing contact, or other business contact.
  • From service providers, such as payment providers or infrastructure providers, where necessary to administer the Service, process payments, or maintain service security.

2. Purposes and Legal Basis

2.1 Purposes

Where Weevr acts as controller, we use personal data for the following purposes:

  • Service provision and administration, including creating and administering accounts, authenticating users, managing access, operating the Service, and communicating about service matters;
  • Customer support and communications, including responding to enquiries and providing technical support;
  • Billing and contract administration, including issuing invoices, administering payments, maintaining financial and accounting records, and managing our contractual relationship with the Customer;
  • Security and misuse prevention, including monitoring, investigating and preventing unauthorised access, fraud, abuse, and security incidents; and
  • Service improvement, including analysing performance and usage of the Service to maintain, improve and develop features, functionality and user experience.

2.2 Legal basis

Where Weevr acts as controller, we process personal data only where we have a lawful basis under the UK GDPR, including:

  • Performance of a contract. Processing is necessary to provide the Service under the Terms of Service or other contract, administer accounts, provide support, and otherwise perform our contract with the Customer, or to take steps at your request prior to entering into a contract.
  • Legitimate interests. Processing is necessary for our legitimate interests, including operating and securing the Service, preventing fraud and misuse, maintaining service performance, handling customer relationships, and improving the Service, provided that those interests are not overridden by your interests or fundamental rights and freedoms.
  • Legal obligation. Processing is necessary for compliance with legal obligations, including maintaining accounting and tax records and responding to lawful requests from competent authorities.
  • Consent. Where required by applicable law, we will obtain your consent (for example, for certain non-essential cookies). Where we rely on consent, you may withdraw it at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.
  • Aggregated and de-identified information. We may create aggregated and de-identified information (including statistical information) from technical and usage information for the purposes of analysing and improving the Service. Such information is not intended to identify any individual.

2.3 Service providers

We may share personal data with third-party service providers who process personal data on our behalf in order to operate the Service and our business. These may include providers of:

  • cloud hosting, infrastructure and data storage services;
  • business communications and collaboration services;
  • payment processing and financial administration services;
  • technical support, system administration and security monitoring services; and
  • professional services supporting the operation and maintenance of the Service.

These service providers are authorised to process personal data only as necessary to provide services to us and are subject to appropriate contractual obligations, including confidentiality and data protection safeguards.

2.4 Additional disclosures

We may additionally disclose personal data:

  • to our professional advisers (including legal, accounting and other professional advisers) where necessary for obtaining advice or establishing, exercising or defending legal claims;
  • where required by law, regulation, court order, or request from a competent authority, or where necessary to protect the rights, property or safety of Weevr, our customers or others;
  • to a prospective buyer, seller, investor, lender or adviser in connection with an actual or proposed merger, acquisition, reorganisation, financing, or sale of all or part of our business, provided that appropriate confidentiality protections are in place.

2.5 No sale of personal data

We do not sell personal data, meaning we do not provide personal data to third parties in exchange for money or other valuable consideration. We also do not “share” personal data for cross-context behavioral advertising (targeted advertising) as those terms may be defined under applicable law. We may disclose personal data to vetted service providers who perform services for us and who are contractually required to use the data only to provide those services and to protect it.

2.6 Customer datasets

Customer datasets shall not be processed under this Privacy Policy and shall be governed by the applicable DPA.

3. International Transfers

We store and process personal data primarily within the United Kingdom and the European Economic Area (EEA). In some circumstances, our service providers or their sub-processors may process personal data outside the United Kingdom or the European Economic Area, for example in order to provide infrastructure services, technical support, security monitoring, or service continuity. Where personal data is transferred outside the United Kingdom or the European Economic Area, we will ensure that appropriate safeguards are implemented as required by applicable data protection law. These safeguards may include:

  • adequacy regulations issued by the UK Government;
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
  • other lawful transfer mechanisms recognised under applicable data protection legislation.

4. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

We retain account administration and billing records, including invoicing information and related financial records, for six (6) years in order to comply with legal, accounting and tax obligations.

We retain security and service logs, including log data and technical identifiers, for up to one hundred and eighty (180) days, unless a longer retention period is required to investigate security incidents, prevent fraud or misuse, or comply with legal obligations.

Deleted data may persist in routine backups for a limited period. Such data will be removed in accordance with our backup and data lifecycle management processes.

5. Your Rights Under UK and EU Laws

5.1 Rights

Where Weevr processes personal data as a controller and applicable data protection law applies (including the UK General Data Protection Regulation and related GDPR legislation), you have the following rights:

  • the right of access, to request confirmation of whether we process personal data about you and to obtain a copy of that personal data;
  • the right to rectification, to request correction of inaccurate or incomplete personal data;
  • the right to erasure, to request deletion of personal data in certain circumstances;
  • the right to restriction of processing, to request that we restrict processing of personal data in certain circumstances;
  • the right to object, to object to processing based on legitimate interests in certain circumstances; and
  • the right to data portability, to request that certain personal data be provided to you in a structured, commonly used and machine-readable format.

Where we rely on consent as the lawful basis for processing, you also have the right to withdraw consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.

5.2 Exercising your rights

We may request information necessary to verify your identity before responding to your request. We will respond to requests relating to your rights without undue delay and, in any event, within one (1) month of receiving the request. Where necessary, this period may be extended by up to two (2) additional months where requests are complex or numerous. In such cases we will inform you of the extension and the reasons for it.

5.3 Complaints

If you believe that your personal data has been processed in a way that does not comply with applicable data protection law, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or another competent supervisory authority.

6. US Privacy Rights

This section applies where Weevr processes personal data as a controller and applicable United States state privacy laws grant rights to individuals in relation to that processing, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the California Online Privacy Protection Act (CalOPPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA) and the Virginia Consumer Data Protection Act (VCDPA).

6.1 Rights

Subject to applicable exceptions, you may have the right to request: (a) access to personal data we hold about you; (b) correction of inaccurate personal data; (c) deletion of personal data; and (d) a copy of certain personal data in a portable format. Under certain laws you may also have the right to opt out of certain processing, such as the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effect.

6.2 Do Not Track (CalOPPA)

Some laws require us to state whether we respond to browser “Do Not Track” (DNT) signals. We do not currently respond to DNT signals.

6.3 Submitting requests and verification

You may submit a request under this section by contacting us. We may need to verify your identity and, where relevant, your state of residence before responding. We will respond to verified requests within the timeframes required by applicable law. For example, certain laws require a response within 45 days, with a permitted extension of a further 45 days where reasonably necessary and where the individual is informed of the extension within the initial response period. Where permitted by applicable law, you may use an authorised agent to submit a request on your behalf. We will require appropriate evidence of the agent’s authority and may require you to verify your identity directly.

6.4 Appeals

Where an applicable law requires an appeal process (including under the Colorado Privacy Act, the Connecticut Data Privacy Act and the Virginia Consumer Data Protection Act), you may request an appeal of our decision by replying to our response or contacting us again, referencing “Privacy Rights Appeal”.

6.5 Non-discrimination

We will not unlawfully discriminate against you for exercising applicable privacy rights.

7. Security

We implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data transmitted between users and the Service is protected using encryption in transit (such as SSL/TLS). Data stored within the Service is encrypted at rest using industry-standard encryption measures (including AES-256 where applicable). Access to systems and environments is restricted to authorised personnel on a need-to-know basis and subject to access control measures. The Service is hosted on cloud infrastructure, and data is stored using managed infrastructure and database services. We apply security controls appropriate to the nature of the Service, including secure configuration, monitoring, and vulnerability management practices.

While we take reasonable measures to protect personal data, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly if you suspect unauthorised access to your account or the Service.

8. Cookies

We use cookies and similar technologies on our website and within the Service to enable core functionality, maintain security, remember user preferences, and understand how the Service is used. Cookies used by the website or Service may include:

  • Strictly necessary cookies, which are required for core functionality of the website or Service, including authentication, session management and security;
  • Preference cookies, which allow the Service to remember settings or preferences selected by users; and
  • Analytics cookies, which help us understand how users interact with the website or Service and enable us to improve performance and functionality.

Cookies may be session cookies (which expire when you close your browser) or persistent cookies (which remain on your device for a specified period or until deleted). Please refer to our cookies policy to find out more.

We may collect usage analytics events and related technical data to monitor the performance of the Service, maintain security, and improve the Service and user experience. You may control or delete cookies through your browser settings. If you disable or block certain cookies, parts of the website or Service may not function correctly. Where required by applicable law, we will provide mechanisms for users to manage non-essential cookies.