Privacy Policy

Last updated

Spot Thought, Inc. (“Spot Thought”, “we”, “our”, or “us”) provides a software platform used by businesses (“Tenants”) to manage expert research, participant screening, communications, and related workflows.

In most cases, Spot Thought processes personal information on behalf of our Tenants, who act as the data controllers. Spot Thought acts as a data processor, handling personal information only in accordance with lawful Tenant instructions and our contractual obligations.

This Privacy Policy describes how Spot Thought handles personal information both (1) as a controller for our own business operations and (2) as a processor when handling data on behalf of Tenants.

Information We Process as a Controller

We act as a controller when we collect and use information to operate our own business, maintain our platform, and communicate with Tenant personnel and visitors to our website. This includes:

  • Account and profile information. If you create an account as a Tenant admin or internal user, we primarily use single sign-on (SSO) through your organization's identity provider (such as Microsoft or Google). In those cases, we receive your name, email address, and any profile details your provider shares with us. If SSO is not available, we may also collect a password you create for fallback authentication.
  • Device and technical information. We collect device type, browser type, operating system, IP address, and similar information to support login, security, and analytics.
  • Usage and log data. We automatically generate logs when you use our platform, including authentication events, API requests, activity timestamps, and other operational metadata.
  • Support and communications. We may collect information when you contact us for support or when we communicate regarding service updates or legal notices.

We use controller data for purposes such as:

  • Operating and securing our platform. Including authentication, troubleshooting, monitoring, and fraud prevention.
  • Improving the platform. We analyze aggregate patterns and system performance to improve reliability and product quality.
  • Business operations. Including billing, account management, legal compliance, and service notifications.

Information We Process on Behalf of Tenants (Processor Role)

Spot Thought primarily operates as a data processor. Our Tenants control which data is collected, how it is used, and for what purpose. We process this data only on their instructions.

Examples of data we process on behalf of Tenants include:

  • Screener responses. Information you provide when completing screening questionnaires, including demographic details, professional qualifications, research interests, availability, or other information requested by the Tenant.
  • Participant and expert information. Profile details, employment history, credentials, experience, and related data used by Tenants to identify and qualify participants.
  • Tenant-managed communications. Messages, scheduling details, and other information exchanged through the platform between Tenants and participants.
  • Files, notes, or content uploaded by Tenants. Any content Tenants store, transmit, or manage within Spot Thought.

If you are a participant completing a Screener or interacting with a Tenant through Spot Thought, please refer to that Tenant’s own privacy policy for details about how they use your information.

Screener Data

Our platform enables Tenants to create and distribute screening questionnaires (“Screeners”). When you respond to a Screener, we collect the information you submit and process it strictly on behalf of the Tenant.

  • Tenant controlled. Tenants determine what questions are asked, what data is collected, and how your responses are used.
  • No independent use. Spot Thought does not use identifiable Screener responses for our own product training, analytics, or marketing purposes.
  • Aggregate and de-identified analytics. We may use de-identified, aggregated operational insights to improve performance, reliability, and platform functionality.
  • Data retention. Screener responses are retained and deleted according to the Tenant’s instructions and our contractual obligations.

Tenants are responsible for providing privacy notices to participants and for determining lawful bases for processing under applicable laws.

Information Sharing

We do not sell or rent personal information. We may share information under the following circumstances:

  • Subprocessors and service providers. We use trusted vendors to support our infrastructure, including hosting, storage, communications, security, and analytics. These vendors may process personal information solely to provide their services to us.
  • Tenant-directed sharing. When acting as a processor, we share personal information only as instructed by the Tenant.
  • Legal and compliance obligations. We may disclose information if required by law or necessary to protect rights, safety, or security.

A current list of our subprocessors is available in our Trust Center.

Data Retention

We retain personal information for as long as necessary to provide our services, comply with our legal obligations, resolve disputes, and enforce agreements.

For data processed on behalf of Tenants, retention and deletion are governed by the Tenant’s instructions.

Cookies & Tracking Technologies

We use cookies and similar technologies to support the core functionality of our services. These technologies help us maintain secure sessions, keep users authenticated, and remember basic interface preferences.

We use two types of cookies:

  • Strictly Necessary. Used for authentication, session management, and security. These cookies are essential for the platform to function and cannot be disabled.
  • Functional. Used to remember user interface preferences, such as theme or layout settings. These cookies enhance your experience but do not track you across sites.

We do not use cookies for advertising, analytics, cross-site tracking, or behavioral profiling. We also do not use social media cookies. Because our use is limited to essential and functional purposes, we do not display a cookie consent banner.

Security

We implement administrative, technical, and physical safeguards to protect personal information, including:

  • Encryption. All customer data is encrypted in transit and at rest. Production data is stored on encrypted volumes using industry-standard key management practices.
  • Access controls. Access to systems and customer data is restricted using role-based access, authentication controls, and audit logging.
  • Monitoring and logging. We maintain security logs, conduct regular reviews, and monitor for unauthorized access or anomalous behavior.
  • Incident response. We maintain an incident response plan and will notify affected Tenants of security incidents in accordance with contractual and legal requirements.

Data Subject Rights

Individuals may have rights under applicable data protection laws, such as access, correction, deletion, or portability of their information.

  • Tenant-controlled data. If your information was collected by a Tenant through a Screener or other workflow, Spot Thought cannot fulfill these requests directly. Please contact the Tenant (data controller) for assistance.
  • Controller data. If Spot Thought controls your data (for example, as a Tenant admin), you may contact us directly to exercise your rights.

Changes to This Policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date and, when appropriate, notify Tenants through the platform or email.