Last Revised: December 5, 2023 (previous versions)

This Privacy Policy sets out how we collect, use and protect any information that you give us when you use our online platform, our websites and the resources we make available on our websites, such as our guides, videos and more. We refer to our platform, engagements, websites and resources collectively as the “ThoughtExchange services”. This Privacy Policy is part of the broader terms that apply to your use of the ThoughtExchange services, which include (as applicable) the Subscription Terms published at https://thoughtexchange.com//subscription-terms/, the Terms of Use published at https://thoughtexchange.com/participant-leader-terms-of-use/, or other signed agreement between you and us. Any capitalized terms that are undefined here have the same meaning as in the Subscription Terms or the Service Descriptions published at https://thoughtexchange.com/services-description/, as applicable.

Our Cookie Policy can be found at https://thoughtexchange.com/cookies/.

We may change this Privacy Policy by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This Privacy Policy is effective from December 05, 2023.

* * *

1. OUR APPROACH TO PRIVACY

We’re asking permission to collect your information. Before you access our online platform, we ask you for your permission to collect information about you and use it in providing our service. You give us this consent by clicking on a button or other feature saying something to the effect of “I accept,” “I consent”, or “I agree” to the Terms. By using the ThoughtExchange services you give us consent to collect your information in connection with your use of those services.

Each Engagement is either anonymous or confidential, as the Customer or Leader elects.

If you participate in an anonymous Engagement, we take great care to keep your thoughts and identity separate, but there is a slight chance that you might be associated with a thought you provide.

If you participate in a confidential Engagement, the Customer (including its Leader and other Authorized Users) will have access to any identity information you provide and associate you with the thoughts or other input you provide.

ThoughtExchange minimizes risk by collecting only information that is necessary for processing. The information that we do collect is not highly sensitive (such as financial or health information). The information collected by the platform mainly consists of your name, basic contact and demographic information (age, nationality, ethnicity, etc...) and comments and opinions in the form of survey answers, thoughts and ratings. Our website may also collect comments and basic contact and demographic information including your address, postal code and job title. In addition, should there be a security breach, we have procedures in place to promptly notify you and to mitigate potential negative consequences.

We handle your information like it belongs to you. We believe that your personal information belongs to you. This means you have the right to withdraw your consent, access your information, correct it, take it back for yourself, or have it erased. This Privacy Policy describes each of these rights in more detail below.

Customers are responsible for your information as well. As a Participant, you should be aware that where we have a separate contract with a Customer for leading Engagements, the Customer has choices and control over the data in that Engagement, including your personal information, and whether the Engagement is anonymous or confidential. For example, the Customer may have given us your name and contact information in the first place. In addition, the Customer can control access to Engagements, remove thoughts from an Exchange, or use, delete or retain data from one or several Engagements. These choices and instructions may result in the access, disclosure, modification or deletion of certain or all of your personal information.

If you are not comfortable providing the information requested by a Customer through an Engagement or with the Customer’s choice to run an Engagement as anonymous or confidential, you should not participate in that Engagement or provide that information.

Children’s Privacy Protection. We do not knowingly collect personal information from children under the age of majority unless we are performing services for a Customer who is responsible for obtaining the appropriate parental or guardian's consent. If we become aware or reasonably believe that we have received personal information of a child under the age of majority without appropriate consent, we will take prompt steps with our Customer to remove such information. If you suspect that we have received the personal information of a child under the age of majority without appropriate consent, please contact us at privacy@thoughtexchange.com

2. WHAT INFORMATION DO WE COLLECT

In an Engagement there are 3 main types of information that our platform collects from Participants, either directly or as a result of participation in the Engagement. There are other types of information collected, which we discuss closer to the end of this section.

• Your input. During an Engagement we ask Participants to provide input. These are your written thoughts in response to open-ended questions and ratings that you assign to your thoughts and the thoughts of others, according to how you value those thoughts. We may also ask you to provide other information, such as general demographic information (for example, your age range) or an answer to a satisfaction question, survey, or interview. This is all input.
• Your identity. This includes your name, email address, phone number, or other contact information that specifically identifies you as a Participant. We may have received this information directly from you when you registered to be part of an Engagement, or we may have received it from the Leader to invite you into the Engagement.
• Association information that connects your input to your identity. This is anything that enables someone else to know that a specific thought, rating, or any other input came from you personally as a Participant.

We also collect the following information:

• Information collected from Leaders and other Authorized Users. If you are a Leader or Authorized User accessing the ThoughtExchange services as a representative of your organization, then in creating Engagements you provide us with your identity and textual information to describe the process (e.g., a title and background text) as well as attachments such as images or documents or videos that provide background for Participants as well as comments you may enter for specific Participant thoughts in the Discover step. We may also gain access to certain confidential information, including, but not limited to, the names and email addresses of your Participants, access to personal information or data contained in your engagement and information about your organization not directly related to your engagement. We may ask you to answer customer experience survey questions to help us assess overall Leader satisfaction with the ThoughtExchange application and gather additional feedback to help us improve our products and services. When participating in an experience survey you may be asked for your consent to contact you by phone or email to provide an opportunity for additional input. Customer experience participation is always optional.
• Information imported from CSV files. We provide Leaders with the option to upload simple text files that are used to store tabular data and are known as “CSV files” to the ThoughtExchange services. Uploaded information is then imported into the ThoughtExchange services and can be used by Leaders to facilitate the Engagement creation process. Our Customers are responsible for obtaining all required consents from each individual to transfer any personal information to us. We place contractual restrictions on the type of information that our Customers can upload to the ThoughtExchange services, but, ultimately, we have no control over and are not responsible for any personal information that Leaders may improperly upload to the ThoughtExchange services. If you believe that your personal information has been provided to us improperly, please contact us by using the information in the “concerns and how to contact us” section below, and we will take steps to delete the information from our systems. Provided we do so, we will have no further obligations to you with respect to such information.
• Information automatically collected by our software. When you visit, use, or leave our services by clicking links or buttons or other user interface affordances we automatically receive information through our software and other software that we use to host and manage your Engagement.

This kind of information includes:

• the internet protocol (IP) address of your computer or the proxy server that you use to access the web; and
• the actions you took in our application so that we can see which features are being used and in what ways.

Customized Experience and Service Development. We may also gather information about you and other Participants collectively, such as which of our services are used most. The data aggregated for these purposes does not contain any identifying information, and in some cases a token is used to anonymize the data.

As part of your use of our website and resources, you may have provided us with the following information:

• Name and job title;
• Contact information including email address;
• Demographic information such as postcode, preferences and interests;
• Your comments if you are using any commenting features on our website; and
• Other information relevant to customer surveys and/or offers.

3. HOW DO WE USE YOUR INFORMATION

In an Engagement, your input (thoughts, ratings, survey and interview answers) are shared with others, while your identity is kept confidential and the association of your input to your identity is kept completely private.

Things we need to do with your input. In order for an Engagement to work, we need to be able to share your input as a Participant with the Leader, and with other Participants if the Engagement is an Exchange. In an Exchange, others are able to see any thoughts you enter and the cumulative effect of ratings you assign. In addition, the Leader may choose to make this input public or, if they are a public entity, they may be legally required to make your input public. We also compare your input to the input of others, aggregate your input with the input of others, and analyze and reach conclusions from all of that. This aggregated information is used to analyze trends or patterns in the data.

We may decide NOT to publish your thoughts as part of an Engagement. An Engagement may be moderated – meaning your thoughts may be removed. This moderation may be done by us or by the Leader during the Engagement. A thought may be removed if it is rude or hurtful to a person or group, or if it does not answer the question asked. We (here including the Leader) reserve the right to remove a thought for other reasons if we see this to be in the best interest of the Leader or other Participants, or if we feel for some other reason that it is important to do so. It is the decision of the Leader to remove content (add context for flagging of offensive/harmful content).

In addition, your thoughts, even if shared as part of an Engagement, will be accessible only for so long as the Engagement is accessible and will be deleted when the Engagement is deleted, but may be exported, saved, or otherwise retained by the Leader or by the Customer’s other Authorized Users.

What we need to do with your identity. We need to know who is participating in each Engagement, as does the Customer running that Engagement. The Leader needs to know who they are having the conversation with. Beyond that, however, we don’t share your personally identifying information with any other person for the Engagement to work. For that reason, under this Privacy Policy, we treat your identity information as confidential among you, the Customer (including their Leader) and us.

What we need to do with association information that connects your input to you. In order for an Engagement to work, we need to know that particular input has come from you, and we use that information as part of the Engagement.

At the same time, we need completely candid responses -- even (and maybe especially) when they are controversial or uncomfortable. We want you to feel free to speak freely and honestly, without fear of being shamed or otherwise having to face negative repercussions for doing so.

Aside from the limited exceptions described in the paragraph below, association information isn’t shared with anyone else, including the Leader. The Leader doesn’t own or have access to or the right to use association information.

For an anonymous Engagement, association of your input as a Participant with your identity is kept private between us (that is, you the Participant and ThoughtExchange). We, ThoughtExchange, know it and use it, but unless you consent, we are compelled by law, or we feel morally obligated to do so, we won’t share it with anybody else, including the Customer.

For a confidential Engagement, the Customer (including its Leader and other Authorized Users) will have access to any identity information you provide and be able to associate you with the thoughts or other input you provide.

How do we use information automatically collected by our software. Information collected automatically by our software that can be used to identify you is treated the same as any other identifying information. The details are explained above, but our essential obligation is to keep it confidential, and to keep private any association of this information with any other input you provide. Included in this information is aggregated information from your web browser which is not personally identifiable. Where it is, such as IP address, that information is removed within 30 days of being collected.

How do we use aggregated information. We use aggregated information to customize your experience and the experiences of Participants in order to provide you and other Participants with better questions and choices for prioritizing thoughts and a more intuitive experience. The data aggregated for these purposes does not contain any identity information, or uses a token to anonymize the data. We also use information and content that you and other Participants provide to us to conduct research and development for the improvement of our services.

How do we use information collected through our website. We use the information we collect through our website to understand your needs and provide you with a better service, in particular for the following reasons:

• internal record keeping;
• improvement of our products and services;
• sending promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided; and
• from time to time, we may also use your information to contact you for market research purposes. We may use the information to customize the website according to your interests.

Our website may allow you to post comments. If you post a comment you grant us the right to display your comment on our website. We may also use your comment, along with your name and other personal information, to identify you in other content including websites and documents with no compensation due to you and with no further requirement for us to seek permission.

4. WHO CONTROLS AND HAS ACCESS TO YOUR INFORMATION

Who controls your information? The Customer (other than for solely website and resource use) and we jointly share control over your information as described in this Privacy Policy.

If you reside in the United States, our U.S. subsidiary corporation, Fulcrum Management Solutions Inc. controls your identity and association information. If you reside in Canada or outside the United States, your identity and association information is controlled by Fulcrum Management Solutions Ltd. If you have any concern about providing information to us or having such information displayed or otherwise used in any manner permitted in this Privacy Policy and the other Terms, you should NOT visit our websites, participate in an Engagement or otherwise use our services.

Who has access to your identity information? Within our organization, only authorized personnel have access to your identity information. Authorized personnel are limited to our employees or contractors who have a legal obligation to protect your privacy that is consistent with this Privacy Policy.

From time to time, our personnel may access your information to provide you with technical and administrative support and suggestions on how to improve your experience using the ThoughtExchange services. You may request that your personal information remain private from our support personnel by contacting privacy@thoughtexchange.com.

We at ThoughtExchange don’t share your information, but Customers and other Participants who have access to your information could decide to share it, and we have no responsibility for their actions. In general, public entities (such as school districts) have a legal obligation to share much of their information, while private entities do not have the same obligation and generally do not share their information publicly. As a result, your input into different Engagements may be shared differently.

External Processing. We may engage third parties as service providers to process your information and support the delivery of the ThoughtExchange platform to our Customers. Additional information about our subprocessors can be found at thoughtexchange.com/subprocessors/. Third parties utilized by ThoughtExchange include those located in the following countries: Canada and the United States.

Compliance with Legal Process and Other Disclosure. We may need to disclose your identity information, including information that connects you to your input, when required by law, subpoena, or other legal process, whether in the United States, Canada, or other jurisdictions. We may also disclose this information if we have a good faith belief that disclosure is reasonably necessary to: (1) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (2) enforce this agreement, investigate and defend ourselves against any third-party claims or allegations, or protect the security or integrity of our services; (3) exercise or protect the rights, property, or safety of our employees, personnel, other Participants or members of the public; or (4) address a credible threat to the life or safety of yourself or others. We attempt to notify Participants about legal demands for their personal information when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority.

We will not use or share your Information for direct marketing. We do not share any personal information with third parties for their direct marketing purposes. We can’t control what your Leader does with information that they control. Your Leader may or may not choose to share your information with third parties.

Our website may contain links to other websites of interest. Once you have used these links to leave our website, we are not responsible for the protection and privacy of any information which you provide when visiting such sites and such sites are not governed by this Privacy Policy.

5. WHERE IS YOUR DATA STORED

If the Customer has notified us that it is a Canadian public entity subject to a Canadian Freedom of Information and Protection of Privacy Act, we store and access information from their Participants in Canada in accordance with that Act. Otherwise, we may host your information in either Canada or the United States at our discretion as permitted by law.

6. HOW DO WE KEEP YOUR INFORMATION SECURE

We have implemented administrative and technical security safeguards designed to protect the personal information that we collect in accordance with applicable law and industry standards. To protect information stored on our servers, we use data encryption, Secure Sockets Layer (SSL) cryptography, multifactor authentication, regularly monitor our system for possible vulnerabilities and attacks, and use a secured-access data centre. However, since the Internet is not a 100% secure environment, we cannot ensure or warrant the security of any information that you transmit to us. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. To learn more, please visit thoughtexchange.com/security/.

7. HOW LONG DO WE RETAIN YOUR INFORMATION

We retain the information you provide while your Engagements are ongoing or as needed to provide you services. We may retain your information even after expiration of your subscription in order to maintain your data history if you subsequently re-subscribe or if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, resolve disputes, prevent fraud and abuse, or to enforce these Terms of Use. We may retain information, for a limited period, if requested by law enforcement. Our service team may retain information for as long as is necessary to provide support-related reporting and trend analysis. You may request us to permanently delete your information at any time, including at the end of your subscription period. We will normally retain your data for at least six months after the end of your subscription period. If you enter into a separate agreement with us in connection with your subscription to the ThoughtExchange services, we will retain and delete your data in accordance with any requirements set out in that agreement.

8. YOUR PRIVACY RIGHTS

Because you own your information, you retain control over it. Among other things, you can:

• Withdraw your consent to our collection and use of your information at any time.
• Access your information and, if you wish, obtain a copy of your information.
• Correct any of your information that is not correct. Changing your mind on how you express a thought or rated another thought in an Engagement is not a correction. We consider it to be correct at the time you entered it.
• Have your information erased from our service. However, you acknowledge that a Leader may provide us with information about you in connection with a future Engagement.

If you want to take any of the above actions, you can contact our customer service team with your request, and they will show you how to do it, or will make sure that it gets done for you. If we have to do this manually, our goal is to have it done within 30 days. To exercise these rights, please contact our Data Privacy Officer at privacy@thoughtexchange.com.

EU PRIVACY RIGHTS

Additional privacy rights. If you are a resident of or are located in Europe, you may have additional rights under the General Data Protection Regulation (“GDPR”) in addition to those described above.

• In certain cases, you may request that we restrict our use of your information.
• Where we rely on our legitimate interests to collect information, you may have the right to object to the use of your information.
• If you believe we have infringed your rights under the GDPR, you have the right to lodge a complaint with a supervisory authority.
• You can request to view the essence of our joint controller agreements.

To learn more about your rights and to locate contact details for EU data protection authorities please see ec.europa.eu/justice/data-protection/bodies/authorities/.

Legal bases for collecting information. We rely on the following legal bases for collecting and using your information that is subject to the GDPR where:

• We have your consent to do so (for example, by clicking “I accept” or any similar phrase to our Terms).
• We have a legitimate interest to collect your information that is not overridden by your privacy rights (to improve the ThoughtExchange services or to communicate with you about the ThoughtExchange services).
• We need your information to perform a contract with you (for example, we may need information about users to perform our obligations under a contract for the ThoughtExchange services).
• We have a legal obligation to collect your information (for example, to prevent or investigate illegal behaviour in connection with the use of the ThoughtExchange services).

International Transfers. International Transfers. Under the GDPR, we may only transfer your information out of the European Economic Area and Switzerland to other regions if certain protections are in place. The protections we rely on include transferring your information to a country that the European Commission considers to have adequate privacy protections in place (such as Canada), registration in the EU-US Data Privacy Framework and Swiss-US Privacy Shield (in the case of third-party providers in the US) and standard contractual clauses in our agreements with third-party providers.

CALIFORNIA PRIVACY RIGHTS

Additional privacy rights. If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (“CCPA”). These rights may include:

• The right to request details of the categories of personal information that we collect.
• The right to restrict or object to certain processing.
• The right to request that we delete your personal information.
• The right not to be discriminated against for exercising your rights under the CCPA.

No sale of information. We do not sell your personal information.

CANADA PRIVACY RIGHTS

Additional privacy rights. If you are a Canadian resident, you may have additional rights under applicable law.

• You may vary your previously provided consent.
• You can request information about the third parties to which your information has been disclosed.

You also have the right to file a complaint with Data Privacy Authorities in Canada, the US, the EU or other applicable jurisdiction.

9. CONCERNS AND HOW TO CONTACT US

If there is a security incident we will immediately take steps to notify you and to mitigate potential negative consequences.

Concerns about privacy. If you have a concern about how we are treating you (and your information), we ask that you contact us at support@thoughtexchange.com or at

ThoughtExchange
Suite E, 1990 Columbia Avenue, Rossland, BC, V0G 1Y0.
Canada

If you have a concern about your personal information specifically and want to go directly to the top, you can reach out to privacy@thoughtexchange.com. This address will always go directly to our head Data Privacy Officer.

If you have a concern or question arising from the use of ThoughtExchange that you feel may not be ethical, please contact us at ethics@thoughtexchange.com.