Client Terms and Conditions

BOUNCE INSIGHTS – STANDARD TERMS AND CONDITIONS FOR CUSTOMERS:

Version: 2

Last updated: 24th October 2022

The following sets forth the terms and conditions of the agreement between Bounce and Customers using the Bounce Platform.

1. DEFINITIONS

1.1 In this Agreement unless the context otherwise requires or unless otherwise specified the following words and expressions shall have the following meanings

“Agreement”	the agreement between Bounce and you under the Terms and Privacy Policy.
“Bounce and/or We”	Bounce Marketing Limited (a company registered in the Republic of Ireland with company number 647263 trading as Bounce Insights
“Bounce Account”	an account on the Bounce Platform to be used by the Customer to access the Services
“Bounce Platform”	the web-based application available through dashboard.bounceinsights.com, the website at www.bounceinsights.com, and any other form, media channel, mobile website or mobile application related, linked or otherwise, connected thereto.
“Charges”	the charges payable by the Customer for the supply of the Services in accordance with Clause 3
“Customer and/or “You””	the corporate entity firm, its agents or employees or person seeking to avail of the Services from the Company
“Intellectual Property Rights”	all intellectual property rights including patents, (including utility models and inventions), trade marks (including service marks, trade names and business names), design rights, copyright and related rights (including rights in respect of software), internet designations (including domain names), topography rights (including rights in respect of mask works and semiconductors), moral rights and database rights, (whether or not any of these is registered and including any application for registration of any such rights), know-how, confidential information and trade secrets for the full term of such rights and including any extension to or renewal of the terms of such rights and all rights or forms of protection of a similar nature or having similar effect to any of these which may exist anywhere in the world.
“Law”	the legislation and regulations of the Republic of Ireland.
“Privacy Policy”	the privacy policy available on the Bounce Platform.
“Parties”	collectively Bounce and the Customer
“Services”	The use of the consumer insights platform owned and operated by Bounce that allows Customers who sign up to use the services to conduct market research through surveys and other forms
“Terms”	the terms and conditions of this Agreement.

1 ACCEPTANCE

1.1 The Customer accepts and acknowledges to be bound by these Terms upon registering and opening an account as a Customer on the Bounce Platform.

1.2 Use of and access to the Bounce Platform are subject to your compliance with our Terms at all times.

1.3 Use of the Bounce Platform set up and administered by Bounce and participation in any Bounce activities as described in our https://bounceinsights.com/client-privacy-policy/ is governed by these Terms of use.

1.4 Supplemental terms may apply to certain Services, such as policies for a particular event, activity or promotion, and such supplemental terms will be disclosed to you in connection with the applicable Services. Supplemental terms are in addition to, and shall be deemed a part of, these Terms for the purposes of the applicable Services. Supplemental terms shall prevail over these Terms in the event of a conflict with respect to the applicable Services.

1.5 Bounce may amend these Terms from time to time. Amendments will be effective upon Bounce’s posting of such updated Terms at this location or the amended policies or supplemental terms on the applicable Service. Your continued access or use of the Services after such posting constitutes your consent to be bound by these Terms, as amended.

1.6 The Parties agree and acknowledge that the Bounce Platform may be operated by third party cooperation partners (“Third Party Website Services”).

1.7 You agree to be subject to and bound to additional terms and conditions of the Third-Party Website Services.

2 PRICE

2.1 Any price quoted by Bounce is a provisional price only but the actual price to be charged to the Customer shall be based upon such ruling price (less any discount allowed by Bounce) current as of the date of invoice. In accordance with these Terms, Bounce shall be entitled at any time up to the date of invoice to vary the price quoted to the Customer.

2.2 Unless otherwise expressly stated in writing, all prices are exclusive of, and therefore subject to the addition of VAT and any other applicable taxes and levies. This shall not apply to consumers and for consumers all prices shall be shown inclusive of VAT.

2.3 Any queries regarding billing on a Customer account must be raised with Bounce within 30 days.

2.4 All credit card/debit card details are entered on a secured page, and they are securely processed.

2.5 The Customer will be billed in Euro. If Bounce does not receive payment from the credit card/debit card issuer, the Customer agrees to pay all amounts due on the Customer ‘s account upon demand. If we do not receive prompt payment for all fees, charges and applicable taxes, the Customer will be in default, and we reserve the right to suspend the User’s account and access to the Services without notice.

2.6 Subject to any right of withdrawal under applicable law, fees, charges and applicable taxes are non-refundable.

3 PAYMENT OPTIONS

3.1 The Charges for the Services shall be set out on the Bounce Platform and shall be the full and exclusive remuneration of Bounce in respect of the performance of the Services. Unless otherwise agreed in writing by the Customer, the Charges shall include every cost and expense of Bounce directly or indirectly incurred in connection with the performance of the Services.

3.2 Bounce shall invoice the Customer on completion of the Services. Each invoice shall include such supporting information required by the Customer to verify the accuracy of the invoice, including the relevant purchase order number.

3.3 In consideration of the supply of the Services by Bounce, the Customer shall pay the invoiced amounts within 30 days of the date of a correctly rendered invoice to a bank account nominated by Bounce.

3.4 Customers may also opt to make payment for the Services using their debit or credit card via Stripe.

3.5 Stripe will store certain identifying information, such as your email address and your mobile phone number, and your credit cards and debit cards (“Payment Credentials”). Information stored as part of your Payment Credentials may include information such as your name, the account number and the expiration date, as well as associated information like your billing address and shipping address.

3.6 While you are logged in, Stripe will give you the ability to make purchases using your stored Payment Credentials.

3.7 Interest at the yearly rate as set out in the Courts Act, 1981 may be charged from day to day on all monies outstanding under the Agreement at Bounce’s discretion, on any overdue payments. Such interest will be payable on demand and may be charged and added to the balance of overdue payments, and thereby compounded, from time to time as Bounce may determine.

3.8 Any delay or default by the Customer in making payment in accordance with this Agreement shall render all sums owing to Bounce on any account whatsoever including the costs of recovery of such sums, due and payable forthwith without requirement for any notice to be given to the Customer, and interest will be charged in accordance with the Agreement with immediate effect until the date of actual payment.

3.9 The Customer shall not be entitled to withhold payment of any amount payable to Bounce by reason of any dispute or claim by Customer (whether or not the Services are to be provided by instalments and in such case each instalment is deemed to constitute a separate and distinct Agreement).

4 OBLIGATIONS OF THE CUSTOMER

4.1 Before a Customer may use the Bounce Services, the Customer shall properly and correctly register with Bounce, furnishing accurate information and fully adhering to such registration procedures as may be put in place by Bounce from time to time at its sole discretion. Only upon successful registration shall the Customer be entitled to use the Bounce Platform in accordance with these Terms and all applicable laws, rules and regulations.

4.2 Should a Customer furnish incorrect or misleading information in the registration process or update their profile with incorrect or misleading information at any time, Bounce reserves the right to suspend the profile with immediate effect and if necessary, terminate its engagement with the customer subject to the Terms.

4.3 Bounce shall provide the Customer with access to the Bounce Platform.

4.4 The Customer shall be responsible for all expenses incurred in the performance of their obligations under the Terms.

4.5 Bounce reserves the right to withdraw any survey in the cast that its contents do not respect the terms of this Agreement.

4.6 Bounce reserves the right to reject surveys either in the review phase or during the lifecycle of the survey, for several reasons including but not limited to low incident rate, asking multiple questions in one, asking demographic questions, asking simplified YES/NO screening questions and others.

4.7 Bounce reserves the right to terminate any surveys with low incident rate and at its discretion, issue a partial refund.

4.8 You may only use the Website and Application for lawful purposes and not in any way that breaches any applicable local, national or international laws or regulations. In the course of using the Bounce Platform you agree, without limitation, not to;

4.9 Upload, post, link to, email or otherwise transmit any information that is unlawful or fraudulent, or for unlawful or fraudulent purposes, in the reasonable opinion of Bounce or the country in which you reside;

4.10 Upload, post, link to, email or otherwise transmit any information that is abusive, defamatory, threatening, harassing, obscene, discriminatory, likely to cause distress, intended to incite hatred or is otherwise objectionable as determined by us in our sole discretion;

4.11 Upload, post, link to, email or otherwise transmit any unsolicited or unauthorised advertising, promotional materials, “junk mail”, “chain letters”, “phishing emails”, “pyramid schemes”, or any other form of solicitation;

4.12 Upload, post, link to, email or otherwise transmit any material that contains software viruses or any other computer files, or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment; or

4.13 Collect or store personal data about other individuals.

5 CUSTOMER INDEMNITY

5.1 The Customer agrees to indemnify, defend and hold Bounce, its officers, directors, employees, agents, licensors, and suppliers harmless from and against all claims, liabilities, losses, expenses, damages and costs, including legal fees, resulting from any breach of the Terms, breach of any warranty or any obligation of the Customer arising from or out of connection with the Services, including but not limited to:

i) any breach of any applicable Law by you;

ii) any misuse of or damage to the Bounce Platform, irrespective of the cause thereof, which occurs due to your conduct;

iii) any action, claim, proceeding or demand instituted or made against Bounce by a third party which arises directly or indirectly out of any conduct by you, in their use of the Bounce Platform;

5.2 This indemnity is a continuing obligation, separate and independent from your other obligations under this Agreement and this indemnity does not merge on completion of this Agreement.

6 SOFTWARE

6.1 The Customer shall neither personally nor through third parties bypass nor modify the security precautions of the Bounce Platform.

6.2 All Intellectual Property Rights in the Bounce Platform shall remain with Bounce. The Customer acknowledges that it has no right to have access to the Bounce Platform in source-code form. The Bounce Platform provided to the Customer must not be copied, modified, regressed, decompiled, reverse engineered and/or distributed.

6.3 The Customer shall keep their user name and password safe and shall not disclose such details to third parties or provide them with access to the Bounce Platform. The Customer shall be solely responsible for the confidentiality and security of their account. Any unauthorised third-party use must immediately be reported to Bounce.

6.4 Bounce reserves the right to revise, change and/or update the Bounce Platform in any manner in order to develop it further and improve it qualitatively. It is the Customer’s responsibility to assure that the latest version of the Bounce Platform is installed on the Customer’s Device.

6.5 The Customer consents to receipt of communication and notices through the Bounce Platform.

7 INTELLECTUAL PROPERTY

7.1 The Bounce Platform and all pages and content therein, including, but not limited to, text, graphics, audio, video, photographs, software, inventions, surveys, logos or other materials (“Materials”) are the intellectual property of, or are authorised for use by, Bounce and its licensors, business partners and affiliates, including all trademarks, service marks, copyrights, patents, database rights and trade secrets contained therein. The compilation, organisation and display of the content as well as all software and inventions used on and in connection with the Website are the exclusive property of Bounce. Except as expressly permitted in these Terms, you may not modify, copy, reproduce, create derivative works, republish, display, upload, post, transmit, distribute or use in any way content available on the Bounce Platform without the prior written consent of Bounce.

8 CONFIDENTIALITY

8.1 The Customer agrees to treat as secret and confidential and agrees not to disclose or allow to be disclosed to any person or otherwise make use of or permit to be made use of any unpublished information relating to Bounce’s Platform, Intellectual Property Rights, technology, or other know-how, business plans or finances or any such information relating to a subsidiary, supplier, where the information was received during the Term of this Agreement with Bounce’ and upon termination of their Agreement with Bounce for whatever reason the Customer shall deliver up to Bounce all working papers, computer discs and tapes or other material and copies provided to or prepared by them that relate to the Services.

9 TERMINATION

9.1 If the Customer or Bounce, suspects that you have failed to comply with any of the provisions of this Agreement, Bounce may, without notice to you: (i) terminate this Agreement and your use of the Bounce Platform and preclude your access to the Services.

9.2 Termination of this Agreement, for any reason, shall not affect the accrued rights, remedies, obligations or liabilities of the parties existing at termination.

9.3 If you no longer wish to use the Services, you can terminate this Agreement by emailing support@bounceinsights.com or by deleting your Bounce Account on the Bounce Platform. To delete your account, we erase all data which directly identifies you. Your right to erasure of the personal data we hold about you is explained in our privacy and cookies notice.

9.4 On termination of this Agreement for any reason, the Customer shall immediately pay any outstanding unpaid invoices and interest due to Bounce. Bounce shall submit invoices for any Services that it has supplied, but for which no invoice has been submitted, and the Customer shall pay these invoices immediately on receipt.

10 EXCLUSION

10.1 In the event of any breach of any obligations of the Customer under these Terms or any applicable law, the Customer may be temporarily or permanently excluded from the use of the Bounce Platform and the Services or from individual partial aspects of the Services at the sole discretion of Bounce.

11 LIMITATION OF LIABILITY

11.1 You acknowledge that the Bounce Platform has not been developed to meet your individual requirements. Bounce gives no condition, warranty, undertaking or representation to you, whether expressed or implied, in respect of the suitability, or fitness for purpose, of the Bounce Platform. This does not affect any statutory or other rights available to you.

11.2 Nothing in this Agreement excludes or limits the liability of Bounce for death or personal injury caused by Bounce’s negligence or for fraudulent misrepresentation other liability that cannot be excluded or limited by applicable law.

11.3 Bounce’s total liability to you in contract, tort, (including negligence or breach of statutory duty), misrepresentation or otherwise, arising in connection with the performance or contemplated performance of Bounce’s obligations under these Terms shall be limited to the aggregate of your total amounts paid to Bounce during the 3 months prior to the event giving rise to the liability.

11.4 Bounce shall not be liable for defects resulting from the improper use of the Bounce Service by you or by any other third party.

11.5 Bounce shall not be liable to you whether arising under these Terms or in tort (including negligence or breach of statutory duty), misrepresentation or however arising, for any Consequential Loss. “Consequential Loss” shall for these purposes mean: pure economic loss; loss of profits (whether categorised as direct or indirect, actual or anticipated); losses arising from business interruption; loss of business revenue, loss of income, loss of goodwill or reputation, anticipated savings; losses whether or not occurring in the normal course of business, wasted management or staff time; and loss or corruption of data.

11.6 These Terms, together with the Privacy Policy, set out the full extent of our obligations and liabilities in respect of your access to the Bounce Service. Except as expressly stated in these Terms, there are no conditions, warranties, representations, or other terms, express or implied, that are binding on us. Any condition, warranty, representation, or other term concerning the supply of the Bounce Service which might otherwise be implied into, or incorporated in, these Terms whether by statute, common law or otherwise, is excluded to the fullest extent permitted by applicable law.

12 ACTS BEYOND OUR CONTROL: FORCE MAJEURE

12.1 Sometimes the Bounce Service may be impacted by events beyond our reasonable control, known as “Force Majeure ”, events. “Force Majeure” means anything outside of our reasonable control, including, but not limited to, acts of God, fire, storm, flood, earthquake, explosion, accident, acts of the public enemy, war, rebellion, sabotage, pandemic, epidemic, labour dispute, power shortage, network failure, server crashes, deletion, corruption, loss or removal of data, including, without limitation, where you cease to be entitled to access the Internet or cease to have access to the Internet, for whatever reason, any act or omission (including laws, regulations, disapprovals or failures to approve) of any government or government agency.

12.2 If Bounce is wholly or partially precluded from complying with its obligations under these Terms by Force Majeure, then Bounce’s obligation to perform in accordance with these Terms will be suspended for the duration of the period of Force Majeure.

13 MISCELLANEOUS

13.1 Notices relating to these Terms. All notices given by Bounce to Members will be sent to their designated email address provided by them during the Bounce Registration Process.

13.2 Reliance on these Terms. We intend to rely on these written Terms and any document expressly referred to in them in relation to the subject matter of any agreement between us. We and you will be legally bound by these Terms.

13.3 References to ‘including’ and other similar expressions. In these Terms, words that appear after the expression ‘include,’ ‘including’, ‘other’, ‘for example’, ‘such as’ or ‘in particular’ (or any similar expression) will not limit the meaning of the words appearing before such expression.

13.4 We may transfer this Agreement to someone else. We may transfer our rights and obligations under these Terms to another organisation. We will contact you to let you know if we plan to do this. If you are unhappy with the transfer, you may contact us to end your membership within 14 days of us telling you about the transfer.

13.5 You require our consent to transfer your rights to someone else. You may only transfer your rights or your obligations under these terms to another person if we agree to this in writing.

13.6 These Terms will be governed by and construed in accordance with the laws of Ireland, and you hereby submit to the exclusive jurisdiction of the Irish Courts. If any provision of these Terms are found to be invalid or unenforceable by a court of law, such invalidity or unenforceability will not affect the remainder of the Terms which will continue in full force and effect.

DATA PROCESSING ADDENDUM

This Data Processing Addendum forms part of these Terms between Bounce and the Customer. By ticking ‘I agree’ during the process of registering and opening an account as a Customer on the Bounce Platform, you agree to be bound by this Addendum.

1. Terms of Addendum

This Addendum supplements the Terms and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this Addendum. As per the requirements of relevant data protection law, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this Addendum relate directly to the data processing activities and conditions laid out in Appendix A.

The terms used in this Addendum have the meanings as set out in the ‘definitions’ part of the document.

1.1 Definitions

In this Addendum, unless the text specifically notes otherwise, the below words shall have the following meanings: –

“Business Purpose” means the services to be provided by the Processor to the Customer as described in these Terms.

“Bounce Insights Platform” means the web-based application available through www.bounceinsights.com website, and any other form, media channel, mobile website or mobile application related, linked or otherwise, connected thereto.

“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies Addendum to the processing of personal data relating to him or her.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

“Data Subject” means the identified or identifiable living individual to whom the Personal Data relates.

“Data Protection Laws” means all applicable Data Protection Laws, including the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Irish Data Protection Act 2018 and, to the extent applicable, the data protection or privacy laws of any other country.

“EEA” means the European Economic Area, which consists of the Member States of the European Union, as well as Norway, Iceland, and Lichtenstein.

“Effective Date” means the earlier of (i) the date that the Terms come into force.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

“Sub Processor” means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Customer.

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. For the purposes of this Addendum, it shall mean the Irish Data Protection Commission.

“Third-party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Words or expressions not defined in this Addendum shall have the meaning given to them under the GDPR and/or the Terms.

1.2 This Addendum is subject to the Terms. Interpretations and defined terms set forth in the Terms apply to the interpretation of this Addendum.

1.3 The Appendices form part of this Addendum and will have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Appendices.

1.4 A reference to writing or written includes email.

1.5 In the case of conflict or ambiguity between:

a) any provision contained in the body of this Addendum and any provision contained in the Annexes, the provision in the body of this Addendum will prevail;

b) the terms of any accompanying invoice or other documents annexed to this Addendum and any provision contained in the Appendices, the provision contained in the Appendices will prevail; and

c) any of the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum will prevail.

2. Personal data types and processing Purposes

2.1 The Customer and the Processor agree and acknowledge that for the purpose of the Data Protection Laws:

a) the Customer is the Controller and Bounce Insights is the Processor.

b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.

c) Appendix A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Processor may process the Personal Data to fulfil the Business Purpose.

3. Obligations and Rights of the Processor

3.1 The Processor shall comply with the relevant Data Protection Laws and must: –

a) only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purpose in accordance and on the written instructions of the Controller;

b) ensure that people processing the data are subject to a duty of confidence;

c) safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Appendix A of this Addendum;

d) ensure that all processing meets the requirements of relevant Data Protection Laws;

e) ensure that where a Sub-Processor is used, they: –

i. inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors;

ii. have in place a written contract with the Sub-Processor containing the same data protection obligations as set out in this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws; and

iii. understand that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the Data Protection Laws or the relevant Data Processing Addendum, the initial processor remains fully liable to the Customer for the performance of the Sub-Processor’s obligations;

f) assist the Customer in meeting its data protection obligations in relation to: –

i. the security of processing under Article 32 of the GDPR;

ii. data protection impact assessments;

iii. consultations with any Supervisory Authority; and

iv. the investigation and notification of a Data Breach to the Supervisory Authority and to data subjects where required under the Data Protection Laws;

g) delete or return all personal data to the Customer as requested at the end of the contract unless EU or Member State law requires the storage of the personal data, in which case the Processor shall continue to ensure compliance with this Addendum and will only process the personal data to the extent and for as long as required under that law;

h) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for, and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;

i) inform the Customer immediately if, in the Processor’s opinion, an instruction infringes the GDPR or other data protection laws of the EU or a Member State;

j) co-operate with Supervisory Authorities on request in accordance with Article 31 of the GDPR;

k) notify the Customer of a Data Breach within 72 hours of having become aware of a breach to support@bounceinsights.com;

l) where applicable, employ a Data Protection Officer; and

m) where applicable, appoint (in writing) a representative within the EU if required in accordance with Article 27 of the GDPR.

3.2 Nothing within this Addendum relieves the Processor of their own direct responsibilities, obligations, and liabilities under Data Protection Laws.

a) The Processor is responsible for ensuring that all its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of personal data and the terms set out in this Addendum.

b) Any transfer of personal data to a third country or an international organisation shall only be carried out on documented instructions from the Customer, unless required to do so by Union or Member State law. Personal data shall not be transferred to a third country unless the Processor has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws.

3.3 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Customer, containing: –

a) the name and contact details of the Processor(s) and, where applicable, the data protection officer;

b) the categories of processing carried out on behalf of the Customer;

c) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards; and

d) a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

3.4 The Processor shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the Supervisory Authority on request.

3.5 When assessing the appropriate level of security and the subsequent technical and operational measures, the Processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

4. Processor’s Employees

4.1 The Processor is responsible for ensuring that each of its employees, agents, subcontractors, or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this Addendum.

5. Obligations and Rights of the Controller (the Customer)

5.1 The Controller will comply with the Data Protection Laws in respect of the processing of Personal Data under this Addendum.

5.2 The Controller is responsible for determining the purposes and means of processing under this Addendum.

5.3 The Controller is responsible for identifying the legal basis for processing special category data. Where special category data is collected, the onus is on the Controller to ensure that sufficient privacy information is provided to Data Subjects in accordance with Article 13 GDPR, including but not limited to, why that information is being collected and under what legal basis.

5.4 The Controller is responsible for ensuring all data is adequate, relevant, and adheres to data minimisation principles.

5.5 The Controller must make available to the Processor all data that the Processor has agreed to process on behalf of the Controller in a timely fashion and in the agreed format.

5.6 The Controller is responsible for the quality and accuracy of the data.

5.7 The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship.

5.8 The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory data protection law requirements.

5.9 The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place.

5.10 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the Controller must verify that similar Data Processing Addendums are in place between the initial Processor and Sub-Processor.

5.11 The Controller has authorised the use of the Sub-Processors detailed in Appendix B of this Addendum.

6. Security

6.1 The Processor will implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data

6.2 The Processor will implement such measures to ensure a level of security appropriate to the risk involved, as described in Appendix A.

7. Personal Data Breach

7.1 The Processor must notify the Customer of any Data Breach within 72 hours of having become aware of the following;

a) the loss, unintended destruction or damage, or corruption of part or all the Personal Data.

b) any accidental, unauthorised, or unlawful processing of the Personal Data; or

c) any incident regarding personal data that could be classified as a Data Breach.

7.2 Where the Processor becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

b) the likely consequences; and

c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

7.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Data Breach, the parties will coordinate with each other to investigate the matter. Further, the Processor will reasonably cooperate with the Customer in the Customer’s handling of the matter, including but not limited to:

a) assisting with any investigation; and

b) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Data Breach or accidental, unauthorised or unlawful Personal Data processing.

7.4 The Processor will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic or EU law.

8. Complaints, data subject access requests and third-party rights

8.1 The Processor will, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

a) the rights of Data Subjects under the Data Protection Laws, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

b) information or assessment notices served on the Customer by the Data Protection Commissioner or other relevant regulator under the Data Protection Laws.

8.2 The Processor will notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Laws.

8.3 The Processor will notify the Customer within 14 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws.

8.4 The Processor will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.

8.5 The Processor will not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer written instructions, or as required by domestic or EU law.

9. Term and Termination

9.1 This Addendum will remain in full force and effect so long as:

a) the Terms remains in effect; or

b) the Processor retains any of the Personal Data related to the Terms in its possession or control (Term).

9.2 Any provision of this Addendum that expressly or by implication should come into or continue in force on or after termination of the Terms in order to protect the Personal Data will remain in full force and effect.

9.3 If a change in any Data Protection Laws prevents either Party from fulfilling all or part of its obligations under the Terms, the Parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the Parties are unable to bring the Personal Data processing into compliance with the Data Protection Laws either party may terminate the Terms with immediate effect on written notice to the other party.

10. Penalties

10.1 By signing this Addendum, the Parties confirm that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the Addendum terms or breach the Data Protection Laws. If the either Party fails to meet their obligations, they may be subject to: –

a) investigative and corrective powers of Supervisory Authorities under Article 58 of the GDPR;

b) an administrative fine under Article 83 of the GDPR;

c) a penalty under Article 84 of the GDPR; or

d) pay compensation under Article 82 of the GDPR.

11. Warranties

11.1 The Processor and Customer warrants and represents that:

a) it has no reason to believe that the Data Protection Laws prevents it from providing any of the Term’s contracted services; and

b) considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:

i. the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;

ii. the nature of the Personal Data protected; and

iii. comply with all applicable Data Protection Laws and its information and security policies, including the security measures required in Clause 6.1.

11.2 The Customer warrants and represents that the Processor’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the Customer will comply with the Data Protection Laws.

12. Notice

12.1 Any notice or other communication given to a party under or in connection with this Addendum must be in writing and delivered to:

For the Processor: Data Protection Officer, dataprotection@bounceinsights.com.

12.2 Clause 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Appendix A

1. Processing Details

a) The Controller named in this Addendum has appointed the Processor regarding specific processing activity requirements.

b) These requirements relate to the submission of surveys to the Processor including specification of the target criteria to each survey to specific audience segments. The Processor will distribute the survey based on the targeting criteria specified by the Customer, collect the survey responses from the Processor’s app-users who have agreed to take the Processor’s surveys (the “Survey Respondents”) and provide the Customer with reports (the “Reporting Deliverables”).

c) The processing activities relate to delivering surveys to target users i.e., the Data Subject, such surveys will be used in order to gather demographic profiling information on the Data Subject and are for the purpose of utilising the Personal Data to conduct market research and will not unduly infringe the Data Subjects’ fundamental rights, freedoms and interests.

d) The Processor shall be entitled to process data collected while fulfilling the Business Purpose in order to optimise and improve their services.

e) The Processor reserves the right to retain the data collected while fulfilling the Business Purpose for a period of up to three years. This data can be retained solely for the purpose of optimising and improving the Processor’s service.

f) The requirement for the named Processor to act on behalf of the Controller is regarding the below type(s) of personal data and categories of data subjects: –

i. The survey questions and the responses to such questions (the “Researcher Survey Data”);

ii. certain anonymous statistical and socio-demographic data pertaining to the statistical and socio-demographic profile of anonymous Survey Respondents who have participated successfully in the survey process;

iii. The Processor’s app-users.

g) The Processor can demonstrate and provide sufficient guarantees as to the implementation of appropriate technical and organisational measures taken to ensure data security and protection: –

a. Technical Measures

i. Security Classification: Bounce Insights platform data is segregated into various collections on our backend services. The reason for this is to allow certain access control restrictions to be implemented on these collections and subdocuments in order to restrict access to only those with the adequate privileges.

ii. Access to information: Customers on the Bounce Insights dashboard have fine grained access controls applied to them to restrict the survey results and user information available to them. Customers will only be shown the aggregate results to surveys that they have published for research conducted through the Bounce Insights platform. Customers also can add team members to their account who then have the same level of access as the parent customer. This access can be revoked at any time of the parent customers choosing.

iii. Data encryption: All data transmitted / used across the Bounce Insights platform is encrypted both at rest and whilst in transit.

iv. Data storage: No data is stored on the Bounce Insights platform and any data sent to backend services is encrypted in transit using HTTPS & SSL.

v. Penetration testing: Penetration testing is performed on the Bounce Insights platform annually by an external provider. This is performed with the aim of highlighting and exposing flaws / exploits in the system that could be exploited by a malicious actor. Dependency bots are used to discover vulnerabilities in all dependencies used by the Bounce Insights platform and update these to versions in which the dependency has been patched / fixed.

vi. Data backups: Backups of Bounce Insights platform data are performed on a frequent basis and retained for a period of 30 days. This ensures that in the event of a catastrophic incident minimal platform data is lost as these backups can be restored. These backups are encrypted at rest and can only be accessed by senior members of Bounce Insights.

b. Organisational Measures

i. Access to information: Staff at Bounce Insights will only be granted access to the information that they need to fulfil their role within the organisation. Staff who have been granted access must not pass on information to others unless they have also been granted access through appropriate authorisation.

ii. Training: Staff at Bounce Insights must conduct annual mandatory data protection training.

iii. Policies: Staff at Bounce Insights must adhere to robust data security policies including the Data Protection Policy, Information Security Policy, Clear Desk Policy, Data Protection Impact Assessment Policy, and Data Breach Notification Policy and Procedures.

Appendix B

1. Authorised Sub-Processors

SUB-PROCESSOR NAME	PURPOSE OF PROCESSING	TYPE OF DATA PROCESSED
Google Firebase	Database & authentication	Bounce Insights Platform users’ account details. The Customers contact information and account details.
Mixpanel	Platform analytics	Bounce Insights Platform users’ account details and location data.
LogRocket	Platform analytics	Bounce Insights Platform users’ account details and location data.
Stripe	Payments processor	Financial information
Elastic	Platform monitoring and to facilitate debugging	Bounce Insights Platform users’ account details and location data.
Revolut	App user rewards provider	Bounce Insights Platform users’ email address, mobile phone number and name.
PayPal	App user rewards provider	Bounce Insights Platform users’ email address, mobile phone number and name.
Tango Rewards	App user rewards provider	Bounce Insights Platform users’ email address, mobile phone number and name.
Slack	Platform alerts (webhooks)	Bounce Insights Platform users’ account details.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Records user consent for cookies in the advertisement category
cookielawinfo-checkbox-analytics	11 months	Records user consent for cookies in the analytics category
cookielawinfo-checkbox-functional	11 months	Records user consent for cookies in the functional category
cookielawinfo-checkbox-necessary	11 months	Records user consent for cookies in the necessary category
cookielawinfo-checkbox-others	11 months	Records user consent for cookies in the other/unclassified category
cookielawinfo-checkbox-performance	11 months	Records user consent for cookies in the performance category
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the CookieYes plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	Provides spam protection and distinguishes between humans and bots.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
_ga	2 years	Calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_138017392_1	1 minute	Google uses this cookie to distinguish users.
_gat_UA-138017392-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_RFDCRNP6J3	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
GoogleAdServingTest	session	This cookie is used to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	Used to check if the user's browser supports cookies.
UserMatchHistory	1 month	To provide ad delivery or retargeting
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.

Cookie	Duration	Description
intercom-id-gz33jl8i	8 months 26 days 1 hour	No description
intercom-session-gz33jl8i	7 days	No description
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
__gpi	1 year 24 days	No description