Our Privacy Policy

Privacy is important as it helps us limit unwarranted interference in our lives.  As such, Heart+Mind Strategies is committed to protecting the privacy of all those with whom we interact.

Information We Collect

We are in the business of providing insights and consulting services to businesses, governments and other institutions such as associations and policy / advocacy groups.

As part of efforts to provide insights and consulting services, we often conduct primary market research.   In doing so, we collect information from respondents who have agreed to participate in the study and voluntarily disclosed information about themselves. Our legal basis for collection and processing of respondent-supplied personal data is consent; we do not collect personal data without the affirmative, and explicit consent of the research participant, or a respondent.

The vast majority of the time, individuals are not identified as having provided this information.  Rather, insights are reported in aggerate without responses being associated with any specific individual.  As responses are transferred into the data processing system, each response is assigned an ID number. This is considered a “Respondent ID” and only those numbers are seen on exported data.  We also conduct online and in-person research discussions with individuals and groups.  An individual’s responses, likeness/image and words are not shared without expressed permission from that individual.

In some cases, we are in possession of “personal data” or “personally identifiable information” (as defined under applicable law) from our clients, third party vendors, or partners for use in connection with our research efforts.  In these cases, we might be given contact information so we can send an invitation to participate in the study.  We might also obtain existing data, such as demographic, interest, or behavioral information from clients or vendors.

We might also collect information passively, such as from public postings and comments.

We also collect information from our clients and vendors, such as contact, business, and in some cases financial information about you in the course of administering our relationship with you or your employer. In those cases, our legal basis for the collection and processing of the information is our legitimate interest to perform our obligations under our contract with you or the company for which you work.

We may collect certain information regarding visitors to our website, including IP address, device and browser type, date and time of visit, name of the visitor’s internet service provider, state or country from which the website was accessed, web pages from which the visitors linked to the website, and behavior while on the website (e.g., which links were clicked or which pages were browsed). We may do so using cookies, which are small files placed on your internet browser when you visit our website, in order to offer you a more tailored experience in the future by, for example, understanding and remembering your particular browsing preferences. Occasionally, cookies, pixels, or web beacons may be placed on our website by service providers or partners; we do not permit personal data to be collected or accessed by these cookies, pixels, or web beacons. If you prefer not to receive cookies from our website you can disable their use in your browser settings. By doing so you may reduce the functionality of the web pages you view. Currently, our systems do not respond to browser do-not-track signals, and do not treat such do-not-track signals as “do not sell” signals under CCPA (as defined below).

Lastly, when visiting certain pages of our website, you are provided the option to sign up for our newsletters, white papers, or mailing lists, and if you do, we collect the information you supply for use in the promotion of our own business to you. If you wish to be removed from our email lists, please email us at solutions@heartandmindstrategies.com or other contact information listed on our website.

What We Do With Collected Information

The information we collect as part of our marketing research efforts is used for research purposes only. Research participant information and answers are not used by any entity as an aid for sales.  This information is shared with the client commissioning the study pursuant to our contract with that client, but not in a way to identify an individual (see description of Respondent ID above). In some cases, we may need to share personal data with third parties for ancillary services in support of a research project. In these cases, we contractually require the third party to follow all of the same privacy protection regulations as followed by Heart+Mind Strategies.

As to client data we collect, we do not use the information for any purpose other than to fulfill our obligations to clients. We keep client information secure at all times, and prevent the use and disclosure of it by our employees or any third parties.

We use information collected from our website and social media pages to improve and maintain our website.  We also use the information to understand how and by whom our website is being used.  The information provided to us remains confidential and will only be used by Heart+Mind Strategies for its own marketing activities.

We do not rent, sell or give personal data to any third party for the purpose of directly marketing any products or services, and have not done so in the preceding 12 months. However, you should be aware that certain laws to which we are subject, for example the California Consumer Privacy Act (the “CCPA”), define the terms “sell” and “sale” very broadly, such that some of our research-related activities—for example, the inclusion of a study participant’s photo or video in a market research deliverable for our client—might fall within the definition of “sale” under certain circumstances.

Under certain circumstances, we may be required to release personal data in response to a legal request from public authorities including to meet national security or law enforcement requirements, or in response to a subpoena or other legal process.

We do not discriminate financially between those who elect to supply their personal data to us and those who elect to not do so, provided, however, that to the extent a survey or other research study—the completion of which would result in the payment of a financial incentive or entry in a sweepstakes—involves the collection of data and you decline to consent to such collection, you would not be able to proceed to participate in the study, and (depending on the specific study) to the extent you are required to supply your contact information at the conclusion of a survey in order for us to fulfill the participation incentive and you decline to provide your contact information, you would not receive the participation incentive.

Under all circumstances, we will take reasonable steps to ensure your personal data is accurate, complete, current and relevant and being used only for the intended purposes. We will not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.

Personal Data Retention

We keep personal data for no longer than necessary for the purposes for which the personal data is collected or processed. The length of time for which we keep your personal data is determined by a number of criteria, including the purposes for which we are using the information, the amount, and sensitivity of the information, the potential risk from any unauthorized use or disclosure of the information, and our legal and regulatory obligations.  We are required by law to keep your personal data only for as long as is necessary for the purposes for which we are using it.

The Security of Your Personal Data

We will take all reasonable steps to ensure that your data is handled securely and in accordance with this privacy policy. All information you provide to us is stored on secure servers that are either ours or cloud-based services or web hosting providing partners with whom we have agreements.  We limit access to the information by our own employees, contractors, website service providers and to third parties who are authorized for the proper handling of such information at all times.  Third parties that provide us with support or services and that may also receive client or personal data are required by us to maintain security measures similar to ours with respect to such information. We will take reasonable precaution, consistent with industry standards and practice, to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

Unfortunately, we cannot guarantee the security of your data transmitted to our website, however, once we have your information, we will use strict security and confidentiality measures to try to prevent any unauthorized access.

Your Personal Data Rights

Before data collection begins, we will typically inform you if we intend to use your data for marketing purposes or if we intend to disclose your information to any third party for such purposes.  You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or not giving verbal consent. You can also exercise the right at any time by contacting us at solutions@heartandmindstrategies.com.

You also have the following rights by law to know certain details regarding our data handling practices generally; this information is described above and elsewhere in this Privacy Policy. In addition, you have the right to request the following as to any personal data we have about you: that we provide access to any personal data we hold about you; that we update any of your personal data which is out of date or incorrect; where our basis for processing your personal data is consent, that your consent to further processing be withdrawn; where we received your personal data from a third party, inquire where the data originated; that we delete any personal data which we are holding about you; restrict the way that we process your personal data (including that we no longer “sell” your personal data as such term is defined in the CCPA); prevent the processing of your personal data for direct-marketing purposes; that we provide, or not provide, your personal data to a third party provider of services; that we provide you with a copy of any personal data which we hold about you; that we consider any valid objections which you have to our use of your personal data; and that you not be discriminated against for exercising any of your privacy rights. Under applicable law, certain personal data may be exempt from some of these requests in certain circumstances.

If you would like further information about these rights or would like to exercise any of them, including to opt out of the “sale” of your information as defined in the CCPA, please email us at: solutions@heartandmindstrategies.com.

By law, as well as for your protection, if you request that we take certain actions as to personal data we have about you, we are required to take certain steps to verify your identity. If we are not able to verify your identity, we may not be able to respond to your request. To verify your identity, we request, at point of submission of your request, that you supply your basic contact information, as well as certain other non-personally identifiable information (e.g., information relating to your last interaction with us, such as subject matter and type of study), and we endeavor to match at least two pieces of this information with information in our possession. In addition, as to those rights permitted by law to be exercisable by an authorized agent on your behalf, in addition to verifying your identity as described above, we require the agent to also supply written authorization from you to act on your behalf, except where restricted by law.

Note, some of these rights may not be applicable to information which we might collect or process from or about you in your capacity as our employee, job applicant, or independent contractor; there are other laws applicable to those relationships which are not addressed in this Privacy Policy. If you have any questions, please contact us.

Data Privacy Framework (DPF)

Heart+Mind Strategies is certified, and complies with the Data Privacy Framework (EU-U.S. DPF), including the UK and Swiss extensions sponsored by the U.S. Department of Commerce’s International Trade Administration (ITA) regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom (UK) and Switzerland to the United States.   

 
Heart+Mind Strategies adheres to the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.  If there is any conflict between the policies in this privacy policy and the Data Privacy Framework, the Data Privacy Framework shall govern.  To learn more about the DPF, please visit https://www.dataprivacyframework.gov/.   We will not disclose information to a third party without applying the Notice and Choice Principles, as indicated by the DPF and the EU-US, as well as the UK, and the Swiss-US extensions. 
Where We Store Your Personal Data

The data that we collect from your visit is typically stored in servers located within the USA but it may also be transferred and stored outside the USA, in destinations such as Canada, Europe or Australia for our international staff, resources, or vendors to work on or organize.  If your data is handled outside the USA, or the EU, we apply additional safeguards based on domestic standards, as well as honoring additional requirements individual client agreements may stipulate to ensure adequate protections at all times.

Third Parties and Data Transfer Across Borders

We do not make your personal information available to anyone without your agreement unless it is for research purposes only, or if required by law.  This includes your name and e-mail address.

We may share your personal data with third parties for research-related purposes, such as data processing, and incentive fulfilment of prizes both within and outside the USA depending on project requirements.  Whenever that takes place, we always put additional safeguards in place to ensure USA and EU data protection laws and security measures are extended to those environments third party service providers operate.  Furthermore, all our third-party associations are contractually obligated to protect confidential data at the security standards, and practices that are equivalent to our own.

Careers

Any personal data which may be collected in the Careers sections of our Websites will be used solely for purposes of the consideration of possible employment. This information will not be used in connection with research or other aspects of our operations.

Minors and Data Collection

We never knowingly invite children under the age of 16 years to participate in research studies without parental consent.  If it is necessary and appropriate for a particular project to directly involve children under the age of 16 years, we take measures to ensure we have been given permission by the responsible adult in the manner required by law. We also do not “sell” (as defined in CCPA) personal information of persons under 16 without affirmative authorization. For more information on COPPA, please visit http://www.ftc.gov/ogc/coppa1.htm.

Modeling and Profiling

In certain circumstances we may utilize various analytical methods, and technologies in profiling your data for making aggregate assessments.  In general, this will not result in any legally significant decisions being made about you individually but as a possible member of a particular demographic group such as male or female, level of education or income you may report.  You have the right to appeal if any automated decision made about you is legally significant.  If you have any questions about this please contact us.

Compliance and Enforcement

Heart+Mind Strategies is subject to the investigatory and enforcement authority of the FTC.  We strive to model our policies according to guidelines of the Insights Association.  Contact us if you have questions about our Privacy Policy, or for processing a complaint. 

We also are certified and comply with the Data Privacy Framework (EU-U.S. DPF), including the UK and Swiss extensions, sponsored and regulated by the U.S. Department of Commerce’s International Trade Administration (ITA).  If you are concerned about our use of personal or client information, please contact us a solutions@heartandmindstrategies.com

Further, in compliance with the EU-U.S. DPF Principles, Heart+Mind Strategies commits to resolve complaints about your privacy, and our collection or use of your personal data.  European Union, British, and Swiss individuals with inquiries or complaints regarding this privacy policy should first contact us at the contact information listed above.

Heart+Mind has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US DPF Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Under limited circumstances, if your complaint is not resolved through these channels, a binding arbitration option may be available.   If required or permitted by law, you may also make a complaint to the data protection authority in the EU country where we may have operations or where we process personal data that relates to offering goods or services to you in the EU.


Heart+Mind Strategies is in the process of obtaining ISO/IEC 27001 certification (expected certification date: November 2023).   ISO 27001 is a holistic approach to information security: vetting people, policies, and technologies.   An information security management system (ISMS) implemented in compliance with this international standard adheres to Proactive Risk Management,  Confidentiality, Integrity, Security, and Availability of Information, Access controls, Cyber-resilience, Operational Excellence, and Prompt Communications.

Links to Other Websites

Our website may contain links to and from other websites.  If you utilize any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies or practices.  Please do your own due diligence before you submit any personal data to these websites.

Changes to the Privacy Policy

We may update this Privacy Policy from time to time by posting an amended version of the statement on one or more of our Websites. Please refer to this policy regularly.

Last update: October 23, 2023