1. Introduction and Scope

1.1 This Privacy Policy ("Policy") describes how Amberoc Inc., a Delaware corporation ("Amberoc," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our website (amberoc.com, amberoc.ai), our survey intelligence platform, and related services (collectively, the "Services").

1.2 This Policy applies to three categories of individuals:

1. Website Visitors: Individuals who visit our website without creating an account.

2. Customers and End Users: Organizations that subscribe to our Services ("Customers") and individuals authorized to use the Services under a Customer's account ("End Users").

3. Survey Respondents: Individuals who respond to surveys created and distributed by Customers through our Platform.

1.3 Important Note for Survey Respondents. When you respond to a survey powered by Amberoc, the organization that created the survey (the "Survey Creator") determines what data is collected, why it is collected, and how it is used. Amberoc processes Survey Respondent data on behalf of the Survey Creator. This Policy describes Amberoc's data practices; it does not govern how the Survey Creator uses your responses. For information about how a Survey Creator handles your data, please refer to that organization's own privacy policy or contact them directly.

1.4 Effective Date. This Policy is effective as of the "Last Updated" date above.

1.5 Contact. If you have questions about this Policy, please contact us at privacy@amberoc.com or at the address provided in Section 16.

2. Information We Collect

2.1 Information from Customers and End Users

We collect the following information from individuals who create accounts or use our Services:

1. Account Information: Name, email address, company name, job title or role, phone number, and login credentials.

2. Billing and Payment Information: Billing address, payment method details, and transaction records. Payment card details are processed by our third-party payment processor and are not stored on Amberoc systems.

3. Usage Data: Information about how you interact with the Services, including features used, survey creation and distribution activity, AI Feature usage, session duration, and configuration settings.

4. Communications: Information provided through customer support requests, emails, feedback, and other communications with Amberoc.

5. Integration Data: If you connect third-party tools or services to Amberoc, we may receive data from those integrations as necessary to provide the Services.

2.2 Information from Survey Respondents

When Survey Respondents complete surveys created through the Platform, we process the following data on behalf of the Customer who created the survey:

1. Survey Responses: Answers, selections, and any free-text input provided in response to survey questions.

2. Metadata: IP address (which may be used for geolocation and fraud detection), browser type and version, operating system, device type, language preference, and timestamps (including survey start time, completion time, and time per question).

3. Cookies and Tracking on Survey Pages: As described in Section 13, we may use strictly necessary and functional cookies on survey pages to ensure proper survey delivery and prevent duplicate submissions.

*Plain language note: Amberoc processes Survey Respondent data solely to deliver surveys and provide data quality services to the Customer who created the survey. We do not independently use or sell respondent data.*

2.3 Automatically Collected Information

When you visit our website or use the Services, we automatically collect:

1. Log Data: IP address, browser type, operating system, referring URL, pages visited, date and time of access, and clickstream data.

2. Device Information: Device type, unique device identifiers, screen resolution, and operating system version.

3. Cookies and Similar Technologies: As described in Section 13.

2.4 Information from Third Parties

We may receive information about prospective or current Customers from:

1. Business Contact Databases: Professional contact information from business data providers for sales and marketing purposes.

2. Referral Partners: Information provided by partners who refer prospective customers to Amberoc.

3. Public Sources: Publicly available information from company websites, professional networking platforms, and regulatory filings.

3. How We Use Information

3.1 Purposes of Processing

We use the information we collect for the following purposes:

1. Providing and Operating the Services: To create and manage accounts, deliver Platform functionality (including Blueprint, Sculpt, and Polish), process survey distribution, and generate analytics and reports.

2. Payment Processing: To process subscription payments, manage billing, and maintain financial records.

3. Communications: To send service-related communications (such as account notifications, security alerts, and product updates), and, with your consent where required, marketing communications about Amberoc products and services.

4. Security and Fraud Prevention: To protect the integrity of the Platform, detect and prevent fraudulent or unauthorized activity, and enforce our Terms of Use. This includes Sculpt's data quality functions, which analyze response patterns to identify potentially fraudulent or low-quality survey responses.

5. Improvement and Analytics: To understand how the Services are used, identify trends, diagnose technical issues, and improve Platform performance and features.

6. Aggregated and Anonymized Analytics: To generate statistical analyses and benchmarks that cannot identify any individual, Customer, or Customer's clients.

7. Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.

3.2 AI-Specific Data Practices

1. How Data Flows Through AI Features: When Customers use Blueprint, Sculpt, or Polish, the relevant Customer Data and/or Response Data is processed by our AI systems (and, where applicable, by third-party AI providers under contract with Amberoc) solely to generate the requested output.

2. What Is NOT Used for Model Training: Amberoc does NOT use Customer Data or Response Data to train, fine-tune, or improve general-purpose AI models, unless the Customer has explicitly opted in through a clearly disclosed consent mechanism.

3. Third-Party AI Processors: Where AI Features rely on third-party AI providers, Customer Data transmitted to those providers is subject to contractual restrictions that prohibit the provider from retaining or using the data for their own model training or other purposes. A current list of material third-party AI subprocessors is maintained in our subprocessor list, available upon request.

4. Usage Metadata: We may use aggregated, de-identified metadata about AI Feature usage (such as query types, error rates, and feature engagement) to improve the performance and reliability of AI Features.

4. Legal Bases for Processing (GDPR)

4.1 If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data on the following legal bases:

1. Performance of a Contract (Article 6(1)(b) GDPR): Processing necessary to provide the Services to Customers and End Users under our Terms of Use and applicable Order Forms, including account management, service delivery, and payment processing.

2. Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests, including Platform security and fraud prevention, product improvement, direct marketing to business contacts (subject to your right to opt out), analytics and aggregated reporting, and enforcing our Terms of Use, where such interests are not overridden by your rights and freedoms.

3. Consent (Article 6(1)(a) GDPR): Processing based on your freely given, specific, and informed consent, including marketing communications (where consent is required under applicable law) and the use of non-essential cookies and tracking technologies.

4. Legal Obligation (Article 6(1)(c) GDPR): Processing necessary to comply with applicable legal requirements, such as tax and accounting obligations, regulatory reporting, and responding to lawful governmental requests.

4.2 Processing of Survey Respondent Data. With respect to Survey Respondent personal data, Amberoc acts as a data processor on behalf of the Customer (who is the data controller). The Customer is responsible for establishing the lawful basis for collecting respondent data. Our processing of respondent data is governed by our Terms of Use and, where applicable, a Data Processing Addendum entered into with the Customer.

5. Data Sharing and Disclosure

5.1 We may share personal information in the following circumstances:

1. Service Providers and Subprocessors: We engage trusted third-party service providers to assist in delivering the Services, including cloud hosting providers, payment processors, customer support tools, AI service providers, and analytics platforms. These providers are contractually obligated to process personal data only on our instructions and in accordance with applicable data protection requirements.

2. Within Our Corporate Group: We may share information with our affiliates and subsidiaries for the purposes described in this Policy, subject to appropriate safeguards.

3. With Customers (Response Data): Survey Response Data is provided to the Customer who created the survey. Amberoc does not independently determine how Response Data is used; the Customer controls such use.

4. Legal and Regulatory Requirements: We may disclose personal information when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, the safety of any person, or to investigate potential violations of our Terms of Use.

5. Business Transfers: In connection with a merger, acquisition, reorganization, asset sale, or similar transaction, personal information may be transferred to the acquiring entity or successor, subject to applicable data protection obligations.

6. With Consent: We may share information with third parties when you have provided your consent to do so.

5.2 Amberoc Does Not Sell Personal Information. We do not sell personal information, as defined under the California Consumer Privacy Act (CCPA/CPRA) or any other applicable law. We do not share personal information for cross-context behavioral advertising purposes.

6. International Data Transfers

6.1 Amberoc is based in the United States. If you are located outside the United States, your personal data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

6.2 For transfers of personal data from the EEA, UK, or Switzerland to the United States or other countries not recognized as providing an adequate level of data protection, we rely on the following transfer mechanisms:

1. EU-U.S. Data Privacy Framework (DPF): Amberoc complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.

2. Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses (as supplemented by the UK Addendum, where applicable) with service providers and partners who process personal data outside the EEA/UK.

3. Adequacy Decisions: Where the European Commission or UK Secretary of State has issued an adequacy decision for a particular country, we may rely on that decision for transfers to such country. 6.3 You may request a copy of the relevant transfer mechanism by contacting us at privacy@amberoc.com.

7. Data Retention

7.1 We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention practices include:

1. Customer and End User Account Data: Retained for the duration of the Customer's subscription and for a reasonable period thereafter (typically 30 days for data retrieval, as described in our Terms of Use, followed by deletion within 90 days unless legal retention requirements apply).

2. Billing and Payment Records: Retained as required by applicable tax and accounting laws (typically 7 years).

3. Survey Response Data: Retained on behalf of the Customer for the duration of the subscription. Upon termination, Response Data is available for Customer retrieval for 30 days, after which it is scheduled for deletion within 90 days.

4. Usage Data and Log Data: Retained for up to 24 months for security, analytics, and product improvement purposes, then aggregated or deleted.

5. Marketing Contact Data: Retained until you unsubscribe or request deletion, or until we determine the data is no longer necessary.

7.2 When personal data is no longer required, we delete or anonymize it in accordance with our data retention procedures.

8. Data Security

8.1 Amberoc maintains technical and organizational security measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

1. encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);

2. role-based access controls and least-privilege principles;

3. regular security assessments and vulnerability testing;

4. employee security awareness training;

5. incident detection, response, and notification procedures; and

6. security practices designed to meet SOC 2 Trust Service Criteria for security, availability, processing integrity, confidentiality, and privacy.

*Plain language note: Amberoc maintains security practices designed to meet SOC 2 standards. We continuously work to strengthen our security posture and protect the data entrusted to us.*

8.2 No method of transmission or storage is completely secure. While we strive to protect personal information, we cannot guarantee absolute security.

8.3 In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected individuals and relevant supervisory authorities in accordance with applicable law.

9. Your Rights

9.1 Rights Under GDPR (EEA/UK/Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

1. Right of Access: The right to request confirmation of whether we process your personal data and to obtain a copy.

2. Right to Rectification: The right to request correction of inaccurate or incomplete personal data.

3. Right to Erasure: The right to request deletion of your personal data, subject to certain exceptions.

4. Right to Restriction of Processing: The right to request that we restrict the processing of your personal data in certain circumstances.

5. Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

6. Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.

7. Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

8. Right Not to Be Subject to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you.

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

1. Right to Know: The right to request that we disclose the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share personal information.

2. Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.

3. Right to Correct: The right to request correction of inaccurate personal information.

4. Right to Opt-Out of Sale/Sharing: The right to opt out of the "sale" or "sharing" of your personal information. As stated in Section 5.2, Amberoc does not sell or share personal information for cross-context behavioral advertising.

5. Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

9.3 Exercising Your Rights

To exercise any of the rights described above, please contact us at: privacy@amberoc.com

We will respond to verified requests within the timeframes required by applicable law (generally within 30 days for GDPR requests and 45 days for CCPA/CPRA requests, with extensions as permitted by law).

Verification. To protect your personal information, we may need to verify your identity before fulfilling a request. For Customers and End Users, we will verify your identity through your account credentials. For other individuals, we may request additional information to confirm your identity.

10. Survey Respondent-Specific Provisions

10.1 Amberoc's Role. When you respond to a survey created through the Amberoc Platform, Amberoc processes your data as a data processor (or "service provider" under CCPA) on behalf of the Customer who created the survey. The Customer is the data controller (or "business" under CCPA) and determines the purposes and means of processing your survey response data.

10.2 Data Rights Requests. If you wish to exercise your data protection rights regarding information collected through a survey (including rights of access, deletion, correction, or objection), you should contact the organization that sent you the survey. That organization is responsible for responding to your request.

10.3 Amberoc's Assistance. If you are unable to identify or reach the survey creator, you may contact us at privacy@amberoc.com, and we will use commercially reasonable efforts to direct your request to the appropriate Customer. Amberoc will assist Customers in fulfilling data subject requests in accordance with our contractual obligations and applicable law.

10.4 Data Quality Processing. Amberoc's Sculpt module may analyze survey response metadata (such as response timing, completion patterns, and IP-based geolocation) to detect potentially fraudulent or low-quality responses. This processing is performed on behalf of the Customer to ensure data quality and does not constitute automated decision-making that produces legal effects on respondents. Flagged responses are provided to the Customer for review; Amberoc does not independently discard or act upon respondent data.

11. Do Not Track and Global Privacy Controls

11.1 Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry-standard interpretation of DNT signals, and our website does not currently respond to DNT signals.

11.2 We honor Global Privacy Control (GPC) signals as an opt-out of the "sale" or "sharing" of personal information where required by applicable law.

12. Children's Privacy

12.1 The Services are not directed to individuals under the age of 18. Amberoc does not knowingly collect personal information from children under 18.

12.2 Customers are prohibited from using the Services to collect data from children under 18 (as set forth in our Terms of Use). If we become aware that personal information has been collected from a child under 18, we will take steps to delete such information promptly.

12.3 If you believe that a child under 18 has provided personal information through our Services, please contact us at privacy@amberoc.com.

13. Cookies and Tracking Technologies

13.1 We use cookies and similar tracking technologies on our website and, in limited circumstances, on survey pages. These fall into the following categories:

6. Strictly Necessary Cookies: Required for the operation of our website and Platform, including session management, authentication, and security. These cookies cannot be disabled.

7. Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.

8. Analytics Cookies: Help us understand how visitors interact with our website and Services, enabling us to improve performance and user experience.

9. Marketing Cookies: Used to track visitors across websites to display relevant advertisements. We use marketing cookies only on our marketing website, not within the Platform or on survey pages.

   13.2 On survey pages, we use only strictly necessary and functional cookies to ensure proper survey delivery, prevent duplicate submissions, and support Sculpt data quality functions.

   13.3 Where required by applicable law, we obtain your consent before placing non-essential cookies. You can manage your cookie preferences through the cookie consent mechanism on our website.

   13.4 For detailed information about the cookies we use and how to manage your preferences, please contact us at privacy@amberoc.com.

14. Changes to This Privacy Policy

14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the revised Policy on our website and update the "Last Updated" date.

14.2 If we make material changes to this Policy, we will provide notice through the Services, by email, or through other appropriate channels, at least thirty (30) days before the changes take effect.

14.3 Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with a revised Policy, you should discontinue use of the Services and contact us to close your account.

15. Additional Disclosures

15.1 California "Shine the Light"

California Civil Code Section 1798.83 permits California residents to request information about the disclosure of personal information to third parties for their direct marketing purposes. Amberoc does not disclose personal information to third parties for their direct marketing purposes.

15.2 Nevada Residents

Nevada residents may opt out of the "sale" of certain personal information. Amberoc does not sell personal information as defined under Nevada law. If you have questions, contact us at privacy@amberoc.com.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

Amberoc Inc. Privacy Team
Email: privacy@amberoc.com