SurveyHeart

GLOBAL DATA PROTECTION AND PRIVACY POLICY

1. INTRODUCTION

SurveyHeart ("we", "us", or "our") is a privacy-conscious, multilingual forms and survey platform operated from India. This Global Data Protection and Privacy Policy explains how we collect, use, store, share, and protect personal data of our users worldwide.

SurveyHeart complies with the EU General Data Protection Regulation (GDPR) and equivalent global frameworks, including:

- India: Digital Personal Data Protection Act, 2023 (DPDP)
- United States: California Consumer Privacy Act / Privacy Rights Act (CCPA / CPRA)
- United Kingdom: UK Data Protection Act 2018 / UK GDPR
- Singapore: Personal Data Protection Act 2012 (PDPA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- Australia: Privacy Act 1988 (APPs)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Where regional requirements conflict, this Global Policy applies unless the Regional Addendum below provides stricter protections.

2. ROLES AND SCOPE

2.1 Platform Roles

| Role | Description |
| --- | --- |
| Data Controller / Fiduciary | The person or organization (form creator) that determines why and how personal data is collected. |
| Data Processor / Service Provider | SurveyHeart processes data on behalf of form creators and according to their documented instructions. |
| Data Principal / Data Subject | The individual responding to a form or otherwise providing data. |

2.2 SCOPE

This policy applies to all personal data processed by SurveyHeart, whether collected through our website, mobile app, API, or integrations, regardless of where you are located.

3. TYPES OF DATA COLLECTED

- Account details (name, email, login credentials)
- Billing and payment data (if applicable)
- Form response data (text, numerical, uploaded files)
- Technical data (IP address, browser type, device ID, usage analytics)
- Optional demographic or preference data when provided voluntarily

We do not intentionally collect sensitive personal data unless explicitly configured by a form creator, who remains responsible for its lawful collection.

4. LEGAL BASIS FOR PROCESSING

4.1 UNDER GDPR

SurveyHeart relies on:
- Consent (Article 6(1)(a)) for marketing, cookies, and optional analytics
- Contractual necessity (Article 6(1)(b)) for providing account services
- Legal obligation (Article 6(1)(c)) for compliance with law
- Legitimate interest (Article 6(1)(f)) for fraud prevention, security, and improvement

4.2 UNDER OTHER JURISDICTIONS

Equivalent lawful bases apply under local laws (e.g., "Legitimate Uses" under India's DPDP).

5. Purposes of Processing

We process personal data to:
1. Provide, maintain, and improve our services
2. Authenticate users and manage accounts
3. Respond to support requests and communicate with customers
4. Enable form creators to collect and analyze responses
5. Comply with legal obligations and enforce our Terms of Service
6. Conduct anonymized analytics and platform improvements

6. Data Ownership and Responsibility

- Form and quiz creators own the personal data collected through their forms and quizzes.
- SurveyHeart does not sell the personal data collected through forms or quizzes, and does not share individual form or quiz responses with advertisers.
- Form and quiz creators are responsible for obtaining lawful consent from respondents or participants.
- SurveyHeart processes data collected through forms and quizzes strictly according to customer instructions, under executed Data Processing Agreements (DPAs) or Service Provider Agreements (SPAs).

7. International Data Transfers

7.1 Global Hosting

SurveyHeart uses secure data centers primarily located in India.

7.2 GDPR Compliance

For transfers from the EU/EEA to India or other non-EU jurisdictions:
- Transfers are governed by the EU Standard Contractual Clauses (SCCs, Decision 2021/914/EU).
- UK transfers use the UK Addendum to the SCCs (2022).
- SurveyHeart provides equivalent protections through encryption, access controls, and confidentiality agreements.

7.3 India (DPDP)

Data may be transferred freely except to countries restricted by the Government of India and as updated from time to time by official government notifications.

7.4 Other Jurisdictions

- US: No restrictions; transparency maintained.
- Brazil / Singapore / Australia / Canada: Transfers allowed where comparable protection is in place.

8. Data Retention

We retain our users' personal data only as long as necessary for:
- Providing services to users
- Legal compliance (tax, audit, or security)
- Legitimate business needs

RETENTION OF FORM CREATOR'S DATA AND RESPONSES

SurveyHeart retains user-generated forms and form responses as follows:

Active User:

If the form creator generates 30 or more cumulative responses across all forms within any rolling 6-month period, all forms and associated responses will continue to be retained.

Inactive User:

If the form creator generates fewer than 30 cumulative responses across all forms in the previous 6 months, all forms and associated responses will be deleted within 1 year from the date of the last response received on any of their forms.

Backups:

Deleted data may continue to exist in secure system backups for up to 90 days before being fully erased.

9. Data Security

SurveyHeart implements:
- Encryption in transit and at rest
- Role-based access control
- Multi-factor authentication
- Regular vulnerability assessments
- ISO 27001-aligned security procedures

Data access is restricted to authorized personnel under confidentiality obligations.

10. Data Subject Rights

Depending on your jurisdiction, you may have rights to:
- Access your data
- Correct inaccuracies
- Delete or erase data
- Restrict or object to processing
- Withdraw consent
- Data portability (GDPR)
- Non-discrimination (CCPA)
- Nominate a representative (DPDP)

All requests can be made at: [email protected]
Identity verification may be required.

11. Advertising and Cookies

SurveyHeart is supported by advertising. We may display ads across our services, including on the Thank-You page after a respondent completes a form, on both free and paid plans (please see our Terms of Service for how this applies to subscribers).

We work with third-party advertising partners, including Google (Google AdSense), to deliver and measure these ads. To do this, these partners may collect or receive device identifiers, IP address, cookies, and usage data. We do not share the individual form or survey responses you collect with advertisers.

We use cookies and similar technologies to operate the platform, to measure usage, and to deliver advertising. Where the law requires consent for advertising or other non-essential cookies (for example in the EU and UK), we ask for your consent before they are used.

You can learn how Google uses data from sites that show its ads at policies.google.com/technologies/partner-sites, and manage cookie preferences within your browser or settings panel.

12. Grievance Redressal and Data Protection Officer

Grievance Officer (India): [email protected] (response within 15 days)
Data Protection Officer (DPO): Mr. Vignesh Manickam

13. Regional Addenda

A. India - DPDP Act Addendum
- Children's data: parental consent required under 18 years.
- Cross-border: transfers restricted only to countries notified by the Government of India.
- Consent Managers: integration supported when the framework becomes operational.

B. European Union / UK - GDPR / UK GDPR Addendum
- SCCs (EU) and UK Addendum apply to all cross-border transfers.
- EU/UK customers are considered Controllers; SurveyHeart is Processor.
- Data Protection Impact Assessments (DPIAs) supported on request.
- 72-hour breach notification rule observed.

C. United States - CCPA / CPRA Addendum
- We do not sell your personal data for money.
- We use third-party advertising partners (see the Advertising and Cookies section) to show ads. Some of this activity may be treated as "sharing" for cross-context behavioral advertising under California law.
- California residents can opt out using the "Do Not Sell or Share My Personal Information" control on our site, and may request access, deletion, and correction.
- Sensitive data categories are treated with higher protection.

D. Brazil - LGPD Addendum
- Legal bases aligned with GDPR principles.
- Data subjects have the right to confirmation, access, correction, and portability.

E. Singapore - PDPA Addendum
- Breach notification within 3 days of awareness.
- Consent renewal required if data is used for a new purpose.

F. Australia - Privacy Act Addendum
- Principles 1-13 (APPs) observed for collection, disclosure, and storage.
- Cross-border disclosures only to entities with comparable protection.

G. Canada - PIPEDA Addendum
- Collection limited to reasonable purposes; informed consent mandatory.
- Transfers across borders disclosed in privacy notice.

H. China - PIPL (Out-of-Scope)
Due to strict data localization and government security assessment requirements, SurveyHeart does not host or process the personal data of Chinese citizens or residents until dedicated China servers are deployed. Users accessing the platform from China therefore do so at their own risk, and SurveyHeart is not responsible for any data policy violations in this case.

14. Conflict of Laws

If any provision of this policy conflicts with mandatory law in your jurisdiction, that law will prevail to the extent of the conflict.
Where multiple frameworks apply, the stricter standard shall govern.

15. Updates to this Policy

We may revise this policy to reflect regulatory, operational, or technological changes. Updates will be posted at www.surveyheart.com/privacy, and continued use of our services constitutes acceptance of the updated policy. Major data policy updates will also be shared with all active users by email. An active user is any user who has generated more than 30 responses in the last rolling 6 months.

16. Contact Us

Email: [email protected]
Postal: Compliance Office, SurveyHeart LLP, Awfis Space Solutions, 2nd Floor, Survey No 34, Kothaguda Junction, Kondapur, Hyderabad, Telangana, India - 500084
Response time: within 15 business days

Compliance Frameworks Referenced: GDPR (EU), DPDP (India), CCPA (US), LGPD (Brazil), PDPA (Singapore), PIPEDA (Canada), APPs (Australia)
Effective Date: 1st December 2025
Version: 1.2
Last Reviewed: 18 June 2026