Privacy Policy

1. Scope: Who and What This Policy Covers

This Privacy Policy applies to personal information we process in connection with:

1. Website Visitors – when you visit our public websites or marketing pages.
2. Service Users – when you register for, access, or use the IQ Harvest platform.
3. Business Contacts – when you interact with us about partnerships, managed services, sales, support, or events.

Organization-Managed Workspaces: If you access IQ Harvest through a workspace provisioned by your employer or another organization (“Organization”), that Organization may control how certain data is configured, accessed, retained, and exported within the workspace (including via administrators or a third-party administrator such as a managed service provider). See Section 6.

2. Information We Collect

We collect information in three primary ways: (a) information you provide, (b) information collected automatically, and (c) information from your Organization or integrations (when enabled).

2.1 Information you provide

Depending on how you use the Services, you may provide:

• Account and profile information: name, email address, password, job title, department, organization name, and similar identifiers.
• Survey responses and form inputs: responses you submit through surveys, questionnaires, prompts, or forms in the platform.
• User content: use cases, posts, comments, attachments, and other content you submit within the platform (including content you choose to share internally or in a global community area, if enabled).
• Compliance acknowledgements: confirmations and sign-offs you complete within the platform (for example, acknowledging acceptable use or compliance policies).
• Support and communications: information you provide when you contact us (emails, chat messages, tickets, recordings or transcripts if provided, and related metadata).

2.2 Information collected automatically (device, usage, logs)

When you visit our website or use the platform, we may automatically collect:

• Device and connection data: IP address, device type, browser type, operating system, language, and approximate location (derived from IP).
• Log and event data: timestamps, pages/screens viewed, features used, clicks, referring URLs, and actions taken in the Services.
• Security and audit logs: login events, authentication data, fraud or abuse indicators, and administrative events.
• EULA/privacy acceptance records: version identifiers, acceptance timestamp, and technical metadata (e.g., IP address and user agent) associated with acceptance where relevant for audit, security, and compliance.

2.3 Information from your Organization or integrations (when enabled)

If your Organization connects third-party tools or systemsto IQ Harvest (or provides data into the workspace), we may process:

• Workspace provisioning details: workspace identifiers, user lists, role/permission settings, and admin configurations.
• Integration data: information from connected tools (for example, AI tool usage signals, governance-related information, or other data your Organization authorizes to be shared with IQ Harvest).

The specific integration data depends on the integrations your Organization enables and configures.

3. How We Use Information

We use personal information to operate, maintain, and improve the Services, including to:

3.1 Provide and operate the Services

• Create and manage accounts and user authentication
• Provide platform features (surveys, analytics, benchmarking, governance workflows, community features)
• Deliver customer support and respond to requests
• Administer workspaces and enforce settings as configured by Organizations and their administrators

3.2 Improve, secure, and troubleshoot

• Monitor performance, diagnose issues, and improve reliability
• Protect against fraud, misuse, and security incidents
• Enforce the EULA and applicable policies and terms

3.3 Analytics, benchmarking, and reporting

• Generate insights about platform usage and AI enablement trends
• Produce benchmarking and aggregated reporting

Important: When we use data for benchmarking, reporting, and certain improvements, we may convert data into De-identified Data and/or Aggregated Data (as described in Section 5).

3.4 Communications and marketing

• Send administrative communications (service updates, security notices, support messages)
• Send marketing communications where permitted by law (you may opt out at any time; see Section 10)

3.5 Legal and compliance

• Comply with applicable laws and regulations
• Respond to lawful requests and legal process
• Establish, exercise, or defend legal claims

4. Legal Bases for Processing (EEA/UK/Switzerland)

If GDPR, UK GDPR, or similar laws apply, we process personal information under the following legal bases, as applicable:

• Contract: to provide the Services you request and administer your account
• Legitimate interests: to secure, maintain, and improve the Services; prevent fraud; support business operations; and generate analytics/benchmarks (balanced against your rights)
• Consent: for certain cookies/marketing where required (you may withdraw consent)
• Legal obligation: to comply with applicable laws

See Appendix A for additional EEA/UK/Switzerland terms.

5. De-identified Data, Aggregated Data, and AI/ML Model Training

5.1 De-identified and aggregated processing

We may create De-identified Data and Aggregated Data from information processed through the Services. This means we apply measures intended to reduce identifiability (such as removal of direct identifiers and aggregation across users, groups, time periods, or organizations).

We use De-identified Data and/or Aggregated Data to:

• Improve Service performance and features
• Create benchmarking insights and statistical reports
• Understand trends in AI enablement and tool adoption

5.2 Model training is limited to De-identified Data only

IQ Harvest will only train or tune AI/ML models using De-identified Data (and/or Aggregated Data that is also De-identified).

We do not train general-purpose AI models on identifiable personal information, confidential workspace content, or organization-identified survey responses.

5.3 No intentional re-identification

We do not intentionally attempt to re-identify individuals or Organizations from De-identified Data.

6. Organization Workspaces, Administrators, and Third Party Administrators (Including MSPs)

If you use IQ Harvest through an Organization-managed workspace:

• Your Organization may designate Administrators and may authorize a Third Party Administrator (including an MSP) to manage the workspace.
• Administrators and Third Party Administrators may be able to:
• • Manage your access and permissions
  • Configure surveys and settings (including whether survey responses are collected anonymously or in an identifiable form)
  • Access, export, or delete workspace content and logs based on workspace configuration and the Organization’s policies

If you have questions about how your Organization uses or monitors workspace data, you should review your Organization’s internal policies and/or contact your Organization or its administrator.

7. How We Share Information

We do not “sell” personal information in the traditional sense. We may share personal information in the following circumstances:

7.1 With service providers (subprocessors)

We share information with vendors and service providers who help us operate the Services (for example, hosting, analytics, customer support tooling, security monitoring, and email delivery). They are authorized to process information only as needed to provide services to us and are required to protect it.

7.2 With your Organization and its administrators

If you use a workspace, we may share information with your Organization and its Administrators and authorized Third Party Administrators in accordance with workspace settings and the Organization’s instructions.

7.3 Community and public areas

If you post content to a public or “Global Community” area (where enabled), that content may be visible to other users and may be collected, read, and used by others. Please do not post confidential, proprietary, regulated, or personal information in public areas.

7.4 Third party content and links

The Services may display or link to third-party news sourcesor websites. We are not responsible for third-party privacy practices. Yourinteractions with third-party content are governed by their terms and policies.

7.5 Legal, safety, and business transfers

We may disclose information:

• To comply with law, legal process, or lawful requests
• To protect rights, safety, and security of IQ Harvest, our users, and others
• In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets (information may be transferred as part of that transaction)

8. Cookies and Similar Technologies

8.1 Cookies on our website

We use cookies and similar technologies (such as pixels and local storage) to:

• Enable website functionality
• Understand usage and improve performance
• Measure marketing effectiveness (where applicable)

8.2 Choices for cookies

Depending on your location and applicable law, you may be offered cookie controls. You can also manage cookies through your browser settings. If you disable cookies, some parts of the website may not function properly.

8.3 Do Not Track

Some browsers offer a “Do Not Track” signal. Because there is no uniform standard, our website may not respond to these signals.

9. Data Retention

We retain personal information for as long as reasonably necessary to:

• Provide the Services and maintain accounts
• Comply with legal obligations
• Resolve disputes and enforce agreements
• Maintain security and prevent fraud

Workspace data retention may be controlled by your Organization’s workspace settings and applicable agreements.

De-identified and Aggregated Data may be retained longer for benchmarking and product improvement, to the extent permitted by law.

10. Your Choices

10.1 Account information

You may be able to update certain profile fields within the platform. Some information may be controlled by your Organization (for example, your role or workspace membership).

10.2 Marketing communications

You can opt out of marketing emails by using the “unsubscribe” link in those messages or contacting us at privacy@iqharvest.com. You may still receive non-marketing, service-related communications.

10.3 Community posting choices

If community features are enabled, you control whether you post content internally or publicly (where available). Do not post sensitive information in public areas.

11. Your Privacy Rights (Summary)

Your rights depend on where you live and applicable law. You may have the right to:

• Access personal information we hold about you
• Correct inaccurate information
• Delete personal information (subject to certain exceptions)
• Object to or restrict certain processing
• Receive a copy of your information (data portability)
• Opt out of certain disclosures or uses (where applicable)

Workspace users: If your request relates to data in an Organization-managed workspace (including survey responses collected in that workspace), your Organization may be the proper point of contact and may control the response. You can also contact us at privacy@iqharvest.com and we will route or respond as appropriate.

Appendix A provides additional details for EEA/UK/Switzerland.

12. International Data Transfers

IQ Harvest is based in the United States. If you access the Services from outside the U.S., your information may be transferred to and processed in the U.S. and other locations where we or our service providers operate.

Where required by law (including for EEA/UK/Switzerland transfers), we use appropriate safeguards, such as Standard Contractual Clauses or other valid transfer mechanisms.

13. Security

We maintain administrative, technical, and organizational measures designed to protect personal information against unauthorized access, loss, misuse, or alteration. However, no system can be guaranteed 100% secure.

14. Children’s Privacy

The Services are not directed to children, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact us at privacy@iqharvest.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice as required by law (for example, by posting an updated policy with a new effective date). Your continued use of the Services after the effective date means you have read the updated policy.

16. Contact Us

If you have questions or requests about this Privacy Policy or our privacy practices, contact:

IQ Harvest, Inc.
Email: privacy@iqharvest.com

Appendix A: EEA/UK/Switzerland Privacy Addendum

This Appendix applies to the extent the processing of Personal Data is subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and/or the UK GDPR.

A1. Roles: Controller vs. Processor

1. Workspace Data: Where you use an Organization-managed workspace, your Organization is typically the Controller and IQ Harvest acts as a Processor for workspace data (including survey responses and workspace usage data), generally under an MSA/DPA with the Organization.
2. Account/Security Data: IQ Harvest may act as a Controller for certain personal information necessary to operate the Services (for example, account registration information and security logs).

A2. Data Subject Requests

• Workspace Data: Requests relating to workspace data should generally be directed to your Organization (the Controller) or its administrator/Third Party Administrator.
• IQ Harvest Controlled Data: Requests relating to IQ Harvest-controlled account/security data may be sent to privacy@iqharvest.com.

A3. Your Rights

Subject to applicable law and exceptions, you may have rights to:

• Access, rectify, erase, restrict, or object to processing
• Data portability (in certain cases)
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with a supervisory authority

A4. International Transfers

If personal information is transferred outside the EEA/UK/Switzerland to jurisdictions without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses and/or other valid mechanisms recognized by applicable law.

A5. Supervisory Authority Complaints

If you are in the EEA/UK/Switzerland, you may lodge a complaint with your local supervisory authority. We encourage you to contact us first at privacy@iqharvest.com so we can try to address your concern.