At Wondering, we're committed to complying with the GDPR by following best practices and providing our customers with the necessary processes and tools.
A brief overview of the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a legal framework set out by the European Union. It sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). The regulation mandates that EU users must be given a number of data disclosures, with the aim of giving users control over their personal data.
Investing in GDPR compliance
We remain committed to continually meeting GDPR requirements so that our customers and end users who are supported and impacted by the regulation can use our services. Below is some information about the investments and processes we've established to adhere to this regulation:
Data subprocessors
You can find information about each of the third-party data subprocessors we rely on and share information with here.
Security & staff training
We have an ongoing commitment to and investment in security to ensure that data is kept safe. This includes adhering to security best practices such as automated vulnerability detection, two-factor authentication, continuous security awareness training for staff, etc.
Subject Access Requests
At Wondering, we support an individual's right to access and export their own personal data, and also the data of their end users. Subject access requests can be made in writing by emailing us at [email protected]. We will provide a response to subject access requests within 30 days of receiving the request. If we need to extend the time to carry out your request, we will let you know. We do not charge a fee for the right to access or the right to export; however, we may charge a fee if we deem the request to be excessive. We will let you know if this is the case. On some occasions we will need to verify your identity before we carry out your request so that we are certain that any response to your request relates to you.
Right to be forgotten
At Wondering, we support an individual's right to be forgotten, as well as the rights of their end users. In exercising this right we will delete all data from our own systems, as well as from any external parties we rely on to provide our services. Right to be forgotten requests can be made by emailing us at [email protected].
Right to rectification
At Wondering, we support an individual's right to rectify their own personal data. This can be done either directly through your account, or by emailing us at [email protected].
How does Wondering use my personal data?
Wondering acts as a data controller in the relationship between Wondering and our customers (research study creators) for the personal information you give us in order to use our service (registration information, for example).
Wondering does not sell personal data to third parties. We only share your information with our service providers who help us operate our business, in which case those third parties are required to comply with the GDPR framework.
You can find information about each of the third-party data subprocessors we rely on to provide our services here.
What happens with responses I submit to studies on Wondering?
Wondering is the provider of a research platform, and not the owner of the collected responses to research studies on the platform. The study creator (our customer) is responsible for the data they collect and is thus the data controller of the respondent data.
Wondering is the processor and stores information on behalf of the study creators. As long as your account (as the study creator) is active, you have full control over the data you collect and the time period for which you store the data. You are able to delete or export user data, such as responses to your studies, from your account using the data retention period setting in your account. We honor all deletions, and all form data which has been deleted by you is permanently deleted from our back-ups within in line with our back-up policy.