Introduction
We are a mystery shopping service dedicated to protecting the privacy of all our users, including both business clients (companies using our evaluation services) and independent evaluators (mystery shoppers). This Privacy Policy explains what personal information we collect, how we use and share it, and your rights regarding that information. We are committed to complying with all applicable privacy laws and regulations, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) (as amended by the CPRA), Canada’s federal and provincial privacy laws (such as PIPEDA), and other relevant laws. By using our services or website, you acknowledge that you have read and agree to the practices described in this Privacy Policy.
Definition of Personal Information: In this Policy, “Personal Information” (or Personal Data) means any information that can identify you directly or indirectly. This includes obvious identifiers like your name and contact details, as well as information like IP addresses or customer account numbers. It also covers information that can be combined to identify an individual. We will only collect and process Personal Information as needed for our legitimate business purposes or as required by law, and we strive to do so in a fair and transparent manner in line with the principles of applicable law.
Information We Collect
We collect personal information from and about business clients and independent evaluators (mystery shoppers), as well as other individuals who interact with us (such as website visitors or those who communicate with us). The types of Personal Information we collect depend on your relationship with us, as described below:
- From Business Clients (Company Representatives): If you are a client or represent a client business, we may collect your name, business contact information (such as email address, phone number, work address), job title or role, and any login credentials for our client portal. We also collect information about the services you request or contract for, and any feedback or communications you send us. This information is used to manage your company’s account, fulfill our contract with you or your employer, provide you with mystery shopping reports and related services, and communicate with you about updates or changes. We may also keep records of your inquiries or feedback for quality assurance.
- From Independent Evaluators (Mystery Shoppers): If you sign up as an independent mystery shopper, we collect the personal details you provide during registration and in the course of our engagement. This may include your full name, contact information (email, phone, mailing address), date of birth or age (to verify eligibility), and demographic information relevant to assignment criteria (such as gender or other profile details, where allowed by law). We also collect any identification or documentation necessary for contracting or assignments (e.g. tax ID or social security number for payment, proof of qualifications, etc.), and financial information such as your bank account or payment details to compensate you for completed assignments. During registration or use of our platform, we record technical data like your IP address and device information for security and verification. Once you are onboarded, you may optionally provide additional profile information about your experience, preferences, or lifestyle to help us match you with suitable mystery shopping assignments. We also maintain records of your work for us: the assignments you undertake, your mystery shopping reports and submissions, your performance ratings, and payment history. If our service uses a mobile app for evaluators, we may collect geolocation data (with your consent) to confirm your presence at assignment locations or to offer nearby opportunities. You can disable location access at any time in your device settings if you do not want to share your GPS data. Any correspondence you have with us (emails, support inquiries, etc.) may also be retained in your file.
- Information Collected During Assignments: In the course of performing mystery shopping assignments, you (the evaluator) might inadvertently collect personal information about third parties, such as the employees or service personnel of the business being evaluated (for example, an employee’s name or physical description might be noted in a report). We treat any such information included in your evaluation reports as part of the service data we handle for our business client. If you are a business client, it is your responsibility to ensure any personal data of your staff that is collected through a mystery shop is handled in accordance with privacy laws; we will process that data only to provide the service and as per your instructions. Generally, mystery shopping reports focus on performance metrics and do not seek sensitive personal details about individual employees or customers. Any personal identifiers in reports are incidental and used only for the client’s internal review.
- From Website Visitors and Users: When you visit our website or use our online portals (either as a client or a shopper), we collect certain information automatically. This includes technical data like your IP address, browser type, device identifiers, pages viewed, and the dates/times of access. We and our third-party analytics providers (like Google Analytics) may use cookies or similar tracking technologies to gather usage information about how you navigate our site. This data helps us understand aggregate usage patterns and improve our website and services. For more details, see Cookies and Tracking below. We also collect any information you choose to submit through website forms (for example, if you request information or submit a query, we will collect your name, contact info, and the content of your message).
- Special Categories of Data: As a rule, we do not actively seek to collect any sensitive personal data about you (such as data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health information, or information about sex life or orientation). We do not require such data for mystery shopping assignments. In rare cases where a specific assignment or project might involve collecting sensitive information (for instance, an accessibility compliance shop might note health-related needs), we will only process such data with your explicit consent or under a lawful exception as permitted by GDPR and other laws. We similarly do not intend to collect any information from children under the age of 18; our services and website are not directed to minors, and we do not knowingly collect personal data from individuals under 18 years old.
Where we ask for personal information, we will indicate if certain data is optional. You may choose not to provide optional information; however, this might limit your ability to use some features of our service or to receive certain assignments. We will only collect data that is adequate, relevant, and limited to what is necessary for the purposes described (following the principle of data minimization).
How We Use Personal Information
We use the collected Personal Information for the following business and operational purposes, depending on whether you are a client or an evaluator (or other user):
- Providing and Improving Services: We primarily use your information to carry out our mystery shopping and customer experience evaluation services. For business clients, this means using your information to set up and manage your account, schedule and execute mystery shop evaluations as per our contract, deliver results/reports to you, and support any requests or inquiries you have. For independent evaluators, we use your information to determine your suitability for assignments, send or offer you appropriate mystery shopping opportunities, facilitate scheduling, and track the assignments you complete. We also use it to process payments to you for your work and to maintain a history of your performance (e.g. your completed shops and quality scores). In both cases, we use personal data to communicate with you about the services – for example, sending confirmations, reminders, service updates, or responding to your questions. Additionally, we may use data in aggregate form to analyze and improve our services, such as refining our training, questionnaires, or digital platform based on user behavior and feedback. Using personal data for internal research and service improvement is in our legitimate interests and helps us enhance and customize our offerings.
- Administration and Contractual Obligations: Your information is used to fulfill our contract with you or your company. For clients, this includes carrying out obligations under service agreements, invoicing and account administration, and notifying you of any changes to our services. For independent shoppers, this includes maintaining your contract as an independent contractor, providing you with the necessary tools and information to perform your shops, and ensuring you get paid and receive relevant communications. We may also use your data for routine business administration such as record-keeping, audits, verifying your identity (especially for fraud prevention or when releasing payments), and enforcing our terms and agreements. These uses are generally necessary for the performance of a contract or to take steps at your request prior to entering a contract.
- Legitimate Business Interests: We may process personal data as needed for our legitimate interests, provided such use is proportionate and respects your privacy rights. Examples include: maintaining the integrity and accuracy of our mystery shopper database, preventing duplicate accounts or fraudulent applications; ensuring the quality and consistency of our evaluation results; sending service-related announcements or surveys to improve your experience; and aggregating data to generate insights (e.g., trends in customer experience) that do not identify individuals. If we rely on legitimate interests, we will ensure these interests are not overridden by your rights and expectations. For instance, if you are an independent evaluator, it is in our legitimate interest (and yours) that we maintain performance records and reliability metrics to match you with suitable tasks and uphold service quality. If you are a client, it’s in our interest to understand your usage of our platform (e.g., via analytics) to improve features and support. We only use your data in ways that you would reasonably expect in the context of your relationship with us.
- Marketing Communications: We do not sell your personal information to third parties for marketing. We may, however, use your contact information to send you occasional updates about new services or opportunities from us that are similar to those you have already signed up for or inquired about (as permitted by applicable law). For example, if you are a client, we might email you about a new feature in our reporting platform. If you are a registered shopper, we might notify you of new mystery shopping programs available in your area. You will always have the choice to opt out of such communications. We will obtain consent where required by law (e.g., for certain marketing emails to individuals in Canada or the EU). You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link or contacting us directly, and we will honor your request promptly. Note that service-related communications (like assignment instructions, password resets, or critical notices) are not considered marketing and will be sent as needed for the performance of our services.
- Legal Compliance and Protection: We may use your personal information to comply with applicable legal obligations. This includes using data for tax and finance purposes (e.g., maintaining payment records for independent contractors for tax reporting), satisfying record-keeping requirements, and responding to lawful requests by government authorities. If you exercise privacy rights or send us formal requests, we will use your information to address those requests and maintain documentation as required by law. Additionally, we may process personal information as necessary to protect our rights, property, or safety, or that of our clients, shoppers, or others. For example, we might use and retain data to investigate and prevent fraud, security incidents, or other abuse of our services. If needed, we will use personal information to enforce our agreements or to defend against legal claims.
In summary, we process personal information only for purposes that are compatible with those originally disclosed. We do not use your data in new ways without notifying you or obtaining consent when required. If we ever need to use your information for an unrelated purpose, we will inform you and, if necessary, seek your permission. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects without human review, except potentially in matching independent evaluators to assignments (and even then, such processing is necessary for contract performance and you have the opportunity to express preferences).
Cookies and Tracking Technologies
Like most websites, we use cookies and similar tracking technologies to ensure our website and online services function correctly and to collect analytics about usage. When you visit our site or log into the client or shopper portals, we may set a temporary session cookie to keep you logged in and remember your preferences; this cookie is essential for site navigation and expires when you close your browser. We also use cookies (or allow third-party analytics providers to use them) to gather information on how visitors use our site – for example, which pages are most frequently visited, how long users stay, and how they found our site. We might use Google Analytics or similar tools that use cookies to collect anonymous traffic data, which helps us improve content and user experience. These analytics cookies do not identify you personally, but they may log technical data like your IP address, device type, and browser information.
We do not use cookies for advertising or for sharing data with social media or data brokers. All cookie use is intended to serve our legitimate interests of providing and enhancing our services. You have choices in managing cookies: most web browsers allow you to refuse or delete cookies via settings. However, please note that if you disable cookies, some features of our site (especially the logged-in areas for clients or shoppers) may not function properly, since cookies are required for login sessions.
Our site may recognize “Do Not Track” (DNT) signals from your browser; however, because we do not track users across third-party websites or engage in behavioral advertising, DNT signals have no material effect on our practices (we simply limit our data collection to what is described here regardless). For more information on our use of cookies and how to control them, you can contact us or refer to our Cookie Policy (if available).
How We Share and Disclose Information
We understand the importance of your personal information, and we handle it with care. We do not sell your personal data to third parties for profit. We only share your information in the following circumstances, and always with appropriate safeguards:
- With Business Clients (Service Delivery): If you are an independent evaluator, we may share certain information about you with the specific business client for whom you perform an assignment. This is done strictly on a need-to-know basis to deliver the client’s report and validate the results. For example, a client may receive your first name or an identification code in the context of a report, especially if needed to confirm that a legitimate evaluation took place. The report content you submit (which might include your observations and any relevant photos or receipts) will be provided to the client, but typically it will not contain your full contact details or sensitive personal info. We never share an evaluator’s personal contact or financial information with a client. Clients are generally interested in the results of the shop, not the shopper’s identity; however, they may see some profile attributes (e.g., that you fit a certain customer profile like age range) if relevant to the assignment. This disclosure is inherent to the service – it allows clients to trust and act on the feedback provided. All clients are contractually bound to use such information only for their internal evaluation purposes and to protect it under applicable privacy laws.
- With Independent Evaluators (Assignment Info): If you are a business client, we will share information with your assigned independent evaluators to the extent necessary for them to complete the mystery shop. Typically, this includes details like the location to visit, the scenario or instructions for the shop, and any specific areas to observe. It generally does not include personal data about you or your employees. In rare cases, if an evaluator needs to contact a specific person or use a provided alias as part of the scenario, we will facilitate that in a manner that doesn’t expose any more personal data than needed. Evaluators are required by our terms to keep client information confidential and use it solely for the purpose of completing the assignment.
- With Service Providers and Partners: We use trusted third-party companies to help us run our business. These service providers (data “processors”) may need access to personal information to perform functions on our behalf. Examples include: IT and hosting providers (for data storage and cloud services), platform software providers (for managing mystery shop data and portals), payment processors (to issue payments to shoppers or handle client billing), scheduling or project management tools, and analytics services. We only share the data that is necessary for these vendors to perform their services. For instance, our payment processor will receive the information needed to remit your payment (such as your name and bank account details). All service providers are contractually obligated to protect your information, to use it only for the purpose we specify, and to comply with applicable privacy standards. We carefully vet our partners and regularly review their privacy and security practices. A list of key third-party processors can be provided upon request. We do not allow our vendors to use your data for their own marketing or other purposes.
- Within Our Corporate Group: If our company is part of a group of affiliated companies, we may share personal information with our affiliates for business operations, storage, or support (for example, if we have subsidiaries in other countries that help deliver services). Any intra-group sharing is subject to strict access controls and, where data is transferred internationally within the group, we implement legal safeguards as described in International Data Transfers below.
- For Legal Reasons: We may disclose personal information when required to do so by law or lawful request. This includes situations such as complying with a subpoena, court order, or other government demand; responding to requests from regulatory authorities (including to meet national security or law enforcement requirements); or as otherwise required by applicable laws and regulations. We will endeavor to notify you of such disclosure, if permitted, and only share the minimum information necessary. We may also disclose information if we believe in good faith that it is necessary to investigate or prevent fraud, security issues, or harm to someone’s safety, or to enforce our terms and protect our rights (or the rights of our clients/shoppers).
- Business Transfers: If we undergo a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, your personal information may be transferred to the new owner or successor entity as part of that transaction. In such cases, we will ensure the confidentiality of the personal data during the transition and provide notice before any personal information is transferred or becomes subject to a different privacy policy. If the transaction does not complete, the prospective purchaser will be required to not use or disclose the information and to delete it. Any new owner will be bound by the terms of this Privacy Policy until it is updated or amended in accordance with the Changes section below.
- Aggregated or De-Identified Data: We may share aggregated, anonymized data that cannot reasonably be used to identify any individual. For example, we might publish reports or insights showing overall customer satisfaction trends, average scores, or other metrics derived from mystery shopping results. This information would not contain personal identifiers and is used for industry research or marketing our services. Sharing data in this non-identifiable form poses no risk to your privacy and in many cases will not be subject to privacy law restrictions (since it’s no longer personal data).
No Sale of Personal Information: We want to reiterate that we do not sell or rent your personal information to data brokers or third parties for monetary value or for their independent use. In the context of CCPA, we also do not “share” your personal information for cross-context behavioral advertising. All transfers of personal data are only done as described above, primarily to deliver our services or as legally required. If this ever changes, we will update this policy and provide required opt-out mechanisms.
International Data Transfers
We are a global service – our clients and independent evaluators may be located in different countries, and we use cloud infrastructure that could be outside your home jurisdiction. Personal information may be transferred to, stored, or processed in countries other than your own, including the United States. For example, if you are in the European Economic Area (EEA) or United Kingdom, your data might be transferred to our servers or service providers in the U.S. or other jurisdictions which may have different data protection laws. When we transfer personal data internationally, we take steps to ensure it remains protected.
Specifically, for data originating from the EEA, UK, or Switzerland, we rely on appropriate legal transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) or other safeguards per GDPR Chapter V. These contractual agreements obligate the recipient to protect the personal data according to EU privacy standards. In some cases, we may also rely on the new EU-U.S. Data Privacy Framework or other frameworks if the recipient is certified under them (as of the effective date of this policy). For instance, our primary software platform or hosting provider may participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (or their successor programs) to ensure an adequate level of protection for personal data transferred to the U.S. We conduct due diligence on our vendors’ privacy measures and keep ourselves updated on legal developments regarding cross-border data transfers.
If you are located in Canada, your personal information may be transferred outside of Canada (for example, to the United States) for processing and storage. In such cases, the information may be subject to the laws of the country where it resides, and may be accessible to that country’s government, courts, or law enforcement agencies. However, regardless of where your data is processed, we will maintain protections as described in this Policy. By using our services, you consent to the transfer of your information to jurisdictions which may not have the same level of data protection as your home country, but we will always protect it as described herein and in compliance with applicable law.
If you have questions about our international data transfer practices, or need more information about the safeguards in place, please contact us (see Contact Us section below).
Data Security
We take the security of personal data very seriously. We implement and maintain appropriate technical and organizational measures to protect your information from unauthorized access, loss, misuse, alteration, or destruction. These measures are designed to provide a level of security appropriate to the risk of processing your personal data. Our security program includes, for example: encrypted communication channels on our website (HTTPS), firewalls and network security controls, access controls ensuring that personal data is accessible only by staff or service providers who need it, regular security training for employees, and policies governing how we handle data. We utilize up-to-date software and technologies and work closely with our IT providers to patch vulnerabilities and monitor for potential threats. We also have procedures in place to deal with any suspected data breach, including notifying you and regulators as required by law in case of a breach affecting your data.
While we strive to protect our systems and services, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of your information. You also have a role in safeguarding your data: we urge clients and shoppers to choose strong passwords and keep them confidential, and to notify us immediately if you suspect any unauthorized access to your account. We will continue to update and refine our security practices in line with industry standards and legal requirements to keep your personal data safe.
Data Retention
We will retain personal information for as long as it is necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention period may vary based on your relationship with us:
- Business Clients: If you are a client, we generally keep your personal and account data for the duration of our business relationship. While you are an active client, we will retain your information to manage your account and provide services. If your company ceases to be a client or you stop using our services, we may retain limited information for a certain period after termination – for instance, to allow you to retrieve reports or data, to resolve any follow-up issues, or as required for legal purposes. By default, we might retain core account records for a short grace period (e.g. 30 days) after service termination to enable data export, unless otherwise agreed. Certain data may be kept longer if necessary (e.g. copies of invoices for financial records, which we might keep for several years as required by law).
- Independent Evaluators (Mystery Shoppers): If you are an active mystery shopper with us, we retain your personal data throughout the period you are participating in assignments. We maintain historical records of your completed shops and payments as long as you remain in our network. If you become inactive and stop accepting assignments, we will archive or delete the majority of your personal data after a defined retention period. However, we will retain some restricted personal data for a number of years (such as up to 6 years) after your last activity. This limited retention is done to meet legal obligations (for example, maintaining payment records for tax and audit purposes, or evidence of assignments for any contractual claims) and to be able to respond to any inquiries or issues that arise post-engagement. We will delete or anonymize personal data that is no longer necessary beyond those retention periods. For example, we might keep your name and email in our system to ensure we don’t accidentally re-register you, and retain financial transaction records for 6 years as per statutory requirements, but purge detailed profile information after you have been inactive for that retention period. If you wish to reactivate your status after a long period, you may need to provide some information again if it was removed.
- Other Contacts and Website Users: If you contacted us for information or as a sales prospect (but you never became a client or shopper), we will keep your contact data only as long as necessary to respond to you and follow up, or until you opt out of communications. For example, if you provided your email to receive a newsletter or marketing material, we retain it until you unsubscribe or the information is no longer needed. Website log data and analytics data are typically retained only for a short period (often 12-24 months) in aggregate form, unless we need to investigate security issues. Cookies may persist on your browser until they expire or are cleared.
In all cases, when our retention period ends, we will either delete your personal information or anonymize it (so it can no longer be associated with you) in a secure manner. If deletion or anonymization is not immediately feasible (for example, because the data is stored in backup archives), we will isolate it from any further use until deletion is possible. We continuously review the data we hold and erase or anonymize personal information when it is no longer needed.
Please note that we may retain information longer than stated above if required to do so by law (for example, a litigation hold or government order may compel us not to delete data). We may also retain information for a longer period in archival form for public interest archiving, scientific or historical research, or statistical purposes, if anonymized. If you have any specific questions about our data retention practices, you can contact us for more detail.
Your Privacy Rights
We respect your rights to control your personal information. Depending on your jurisdiction, you have certain legal rights regarding the personal data we hold about you. We have summarized those rights below. Please note that these rights are not absolute – they can vary by region and under certain conditions (for example, some rights apply only to residents of specific areas, and some have exceptions when required by law or for legitimate purposes). We will facilitate the exercise of your rights in accordance with applicable laws. The availability of these rights, and how to exercise them, are detailed below:
Rights of Individuals in the European Union/EEA (GDPR)
If you are in the European Union, United Kingdom, or another jurisdiction with similar laws, you have the following rights under the GDPR (and UK GDPR) with respect to your personal data:
- Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the data and information about how we use it. This allows you to know what personal information we have about you and to verify that we are processing it lawfully. Some exceptions may apply; for instance, we might not be able to provide data that would reveal personal information about another individual or data that is legally privileged. We will inform you if any information is withheld and why, to the extent permitted.
- Right to Rectification: You have the right to ask us to correct or update any inaccurate or incomplete personal data we hold about you. We encourage you to review your information regularly and you may correct some of it through your account profile if you have one. For any corrections you request, we may need to verify the accuracy of the new data you provide before making the change.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances. This is also known as the “right to be forgotten.” You can ask that we erase your data if it is no longer necessary for the purposes for which it was collected, if you have withdrawn consent (where consent was the basis for processing), or if you object to our processing (see below) and we have no overriding legitimate grounds to continue, or if we processed your data unlawfully, or to comply with a legal obligation. We will honor valid deletion requests and also instruct our service providers to delete your data, unless an exception applies. Common exceptions include situations where we need to keep data to comply with a legal obligation or to establish/exercise/defend legal claims. We will inform you of any data we cannot delete and the reasons (for example, “we cannot delete transaction records required for tax purposes”).
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain scenarios. For example, you can ask for processing to be restricted if you contest the accuracy of the data (until we verify it), or if our processing is unlawful but you don’t want the data erased, or if you need us to keep data you’d otherwise want deleted because you need it for a legal claim, or if you have objected to our use of your data and we are considering whether our legitimate grounds override yours. While processing is restricted, we will just store your data securely and not use it, except to the extent allowed by you or necessary for legal reasons.
- Right to Object: You have the right to object to our processing of your personal data in certain cases. You can object at any time to processing of your data for direct marketing, and we will stop using your data for that purpose. You can also object if we are processing your data based on legitimate interests or for a task in the public interest/exercise of official authority. However, if we can demonstrate compelling legitimate grounds for the processing that override your rights and interests, or if processing is needed for legal claims, we may continue. We will carefully assess any objection. For example, an independent evaluator might object to profiling used in assignment matching, but if it’s essential for contract performance and has minimal privacy impact, we may have grounds to continue; we would inform you of our decision.
- Right to Data Portability: You have the right, in certain situations, to receive your personal data from us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This applies to data you provided to us, and that we process by automated means based on your consent or in performance of a contract. For example, you could ask us for a copy of the profile information you provided at sign-up so you can reuse it elsewhere. We will provide the data in a commonly used format (like CSV or JSON) that should be easily reusable. Portability does not apply to data we create about you (like internal notes or performance scores) as those are not provided by you, nor does it apply when processing is not automated (e.g., paper records).
- Right to Withdraw Consent: Where we rely on your consent to process personal data (which is not often, as most of our processing is based on other grounds), you have the right to withdraw that consent at any time. For instance, if you consented to receive marketing emails, you can withdraw that consent by unsubscribing. If you consented to a particular optional data collection, you can contact us to withdraw it. Please note that withdrawing consent will not affect the lawfulness of processing that happened before the withdrawal, and if the consent was for a service feature, we might not be able to provide that feature to you after withdrawal. We will advise you if this is the case.
- Rights related to Automated Decision-Making: GDPR gives you the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you. As noted, we do not engage in solely automated decisions that have such impactful effects without human involvement. If we ever use automated decision-making (for example, an algorithm that automatically approves or rejects an application to become a mystery shopper), you have the right to request human intervention, to express your point of view, and to contest the decision. We will also ensure any such processing is lawful (either necessary for a contract, authorized by law, or based on your explicit consent, with additional safeguards in place).
- Right to Complain: As an EU/UK individual, if you believe we have infringed your data protection rights, you have the right to lodge a complaint with your country’s Data Protection Authority (DPA). For example, in the UK you can contact the Information Commissioner’s Office (ICO). We ask that you please attempt to resolve any issue with us first by contacting our Data Protection Officer (contact info below) – we are committed to resolving privacy concerns.
Legal Bases: Whenever we process your data, we ensure we have a valid legal basis under GDPR. Generally, the bases include: performance of a contract (e.g., we need your data to provide the mystery shopping services you requested, or to pay you as a contractor); legitimate interests (our business interests in improving our services, preventing fraud, etc., balanced with your rights); legal obligation (complying with laws); or in some cases consent (for example, for certain marketing or optional data uses). If you have questions about the specific basis for a particular processing activity, please contact us.
Rights of California Residents (CCPA/CPRA)
If you are a resident of California, you are protected by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). In compliance with these laws, we provide the following rights and information to California consumers:
- Right to Know (Access): You have the right to request that we disclose what personal information we have collected, used, and disclosed about you over the past 12 months. This includes the categories of personal information, the specific pieces of information, the sources from which it was collected, the business purposes for collecting it, and the categories of third parties with whom we shared that information. (Much of this information is provided in this Privacy Policy.) Upon a verifiable request, we will provide this information to you in a readily usable format, generally free of charge, up to two times in a 12-month period.
- Right to Request Deletion: You have the right to request that we delete personal information we have collected from you (and direct our service providers to do the same), with certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and instruct our providers to delete) your personal information from our records, unless an exception applies. Possible exceptions include situations where the information is necessary to complete a transaction or service you requested, to detect security incidents or protect against illegal activity, to comply with a legal obligation (such as record-keeping), or other reasons allowed by CCPA (which largely align with the exceptions under the GDPR right to erasure). If we deny a deletion request, we will explain the reason.
- Right to Correct: California consumers have the right to request correction of inaccurate personal information maintained about them. If you find any of your information is incorrect, please let us know and we will take steps to verify and correct it as needed (consistent with the general right to rectification described above).
- Right to Opt-Out of Sale/Sharing: The CCPA gives consumers the right to opt-out of the “sale” of personal information or the sharing of personal information for cross-context behavioral advertising. As noted, we do not sell your personal information to any third parties, and we do not share it for targeted advertising. Therefore, there is no need for you to submit a “Do Not Sell or Share My Info” request, as we don’t engage in those practices. We also do not knowingly sell or share the personal information of consumers under 16 years of age.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means, for example, we will not deny you services, charge you a different price, or provide a different level of quality because you exercised your privacy rights. The CCPA permits providing certain incentives (such as loyalty programs) in exchange for personal information, but we do not currently offer such programs. If that changes, we will update our practices to ensure they comply with CCPA’s requirements for non-discriminatory incentives.
- Authorized Agent: You have the right to designate an authorized agent to make requests on your behalf (for access or deletion, etc.). If you choose to use an agent, we will take steps to verify the agent’s authority and may require that you directly confirm the request or verify your identity with us. Please have your agent contact us with proof of your authorization and their identity.
Categories of Personal Information Collected: In the past 12 months, we have collected (from consumers in California) the following categories of personal information, as defined by CCPA, to the extent that California law applies to our activities: identifiers (such as real name, alias, postal address, email, phone number, account username); personal information categories from Cal. Civ. Code §1798.80(e) (which overlap with identifiers and may include bank account or credit card numbers when provided for payment); characteristics of protected classifications (like age or nationality, which a shopper may provide – note we do not collect things like race or religion unless voluntarily provided); commercial information (records of services provided, such as the assignments a shopper completed or a client’s service history); internet or other electronic network activity (usage data as described under Website Visitors); geolocation data (if a shopper uses our app with location enabled); and professional or employment-related information (for example, a mystery shopper’s work history or qualifications, or a client contact’s job title). We collect these categories from the sources and for the purposes described in this Policy. We do not collect biometric information (like fingerprints) or sensory data (like audio recordings) from California consumers, except possibly if a mystery shop involves an evaluator making an audio recording as part of the assignment – and even then, it would only be with consent and as part of the client’s project. We also do not collect education information or sensitive personal information as defined by CPRA beyond what is necessary (for instance, a Social Security Number for a contractor for tax forms would be considered sensitive, but we use it only for that required purpose and not for inferring characteristics).
Disclosure of Personal Information: We may disclose the above categories of personal information to third parties for business purposes (as detailed in “How We Share Information”). In the past 12 months, categories of third parties to whom we disclosed information include: our service providers (e.g., cloud hosting, payment processors), business clients (receiving reports), and possibly advisors (e.g., accountants or lawyers in a business transaction or for compliance). All such disclosures are for legitimate business or legal purposes, and not for the third party’s commercial use. We do not sell data, so we have not sold any personal information in the past 12 months.
Rights of Individuals in Canada (PIPEDA)
If you are located in Canada, your privacy rights are protected by federal law (the Personal Information Protection and Electronic Documents Act, PIPEDA) and potentially provincial laws (like Quebec’s, etc.). We strive to adhere to all applicable Canadian privacy principles. Key rights and practices include:
- Right to Information and Openness: You have the right to be informed about our personal information management practices, which is the purpose of this Privacy Policy. We aim to make our policies clear and understandable, avoiding excessive legal jargon, in accordance with PIPEDA’s openness principle. You are entitled to ask about our practices and we will provide information about how we collect, use, and disclose personal data, as well as the specific personal information we hold about you.
- Right of Access: You have the right to access the personal information we hold about you, and to receive an explanation of how it has been used and disclosed. You may request copies of your personal records. We will respond to access requests within a reasonable time, and in any event within 30 days as mandated by Canadian law. If we need an extension to respond (for example, if the request is complex), we will notify you of the reason and get an extension if allowed. Access may be subject to limited exceptions (for instance, if providing certain information would reveal personal data about another individual or if it’s subject to legal privilege). If we cannot provide certain information, we will inform you of the reasons.
- Right to Correction: If any of your personal information is inaccurate or incomplete, you have the right to request a correction. We rely on you to provide up-to-date information and will gladly correct any inaccuracies. If we have disclosed incorrect information to third parties in the course of providing our service, we will (where feasible and appropriate) communicate the correction to them as well.
- Consent and Withdrawal: In Canada, your personal information should typically be collected, used, or disclosed only with your knowledge and consent, except in specific circumstances permitted by law. By engaging with us as a client or shopper, you consent to our collection and use of your information as described. You have the right to withdraw your consent to any further collection or use of your personal information, subject to legal or contractual restrictions. For example, you can withdraw consent for marketing emails. Note that if you withdraw consent for uses that are integral to our service (e.g., storing your data), we may have to discuss terminating the service, since we cannot fulfill it without processing your data. We will inform you of any implications of withdrawal, and we will not unreasonably withhold services if they can be provided without that data.
- Right to Challenge Compliance: If you have concerns about our privacy practices, you have the right to challenge our compliance with PIPEDA’s principles by contacting our designated Privacy Officer. We take complaints seriously and will investigate and try to resolve any issues. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the relevant provincial Privacy Commissioner. We will cooperate with investigations and provide all necessary information.
Exercising Your Rights
How to Make a Request: If you wish to exercise any of the privacy rights applicable to you (whether under GDPR, CCPA, PIPEDA, or other laws), or if you have questions or concerns about how we handle your personal information, please contact us using the contact details in the next section. For convenience:
- You may send your request via email to charles@mysteryshoppersservices.com (our Privacy Officer/DPO inbox).
- You may also send requests by mail to our mailing address provided below (Attn: Privacy Officer/Data Protection Officer).
- If we have provided an online web form for privacy requests (for example, a “Data Subject Access Request” or “CCPA request” form on our website), you can fill that out to submit your inquiry.
In your request, please include your name and sufficient contact information (such as email or phone) for us to reach you, and describe your request with sufficient detail so that we can understand and respond to it. For example, if you are requesting access, specify what information or processing activity your request pertains to (if not all personal data). If you are an authorized agent making a request on behalf of someone else, please include proof of authorization.
Verification Process: For certain requests, especially under CCPA (access or deletion requests) and to protect your data from unauthorized access, we will need to verify your identity. We may ask you to provide additional information that matches our records (for example, confirm a piece of data we have on file). For sensitive requests, we might require a government ID or similar proof, solely to confirm your identity, which we will only use for verification and then delete. If you have an account with us, we will verify through existing authentication (e.g., we might require you to make the request from the email associated with your account or log in to submit the request). If an authorized agent is making the request, we will require proof of their authority and may still verify with you directly. We will not fulfill a request unless we can verify the identity (and authority, if applicable) of the requestor to a reasonable degree of certainty, to prevent someone else from obtaining or deleting your data without permission.
Response Timing: We will respond to your request within the timeframe required by law. This means:
- For GDPR-related requests, we will respond without undue delay and within one month of receipt of the request. We may extend this by an additional two months if necessary due to complexity or number of requests, but we will inform you of any extension within one month and explain why.
- For CCPA requests, we will respond within 45 days of receiving a verifiable request, if possible, and at latest within 45 additional days (90 days total) if we inform you of the need for extension.
- For Canada, we will respond to requests (or complaints) generally within 30 days of receipt, unless an extension is permitted and necessary.
Our response will typically be in writing, often via email. If we cannot fulfill your request, we will explain the reasons (legal justification, etc.). If you have an account, we may deliver the information through that account in a secure manner. For access requests, we will provide the information or a report of the data we have about you. For deletion requests, we will confirm deletion or explain which parts were deleted and which we retained (if any) under an exception. For correction, we will confirm the data is updated or provide an explanation if not.
We do not charge a fee for handling your requests unless they are manifestly unfounded or excessive (for example, repetitive requests without reason). In such cases, we may charge a reasonable fee or refuse to act on the request, as allowed by law. We will never charge for requests in jurisdictions that prohibit it. If you are unsatisfied with our response, you may inquire about it further. GDPR allows for an appeal process with us in some cases; if we were to refuse a request, you can contact us to contest the decision, and we will re-evaluate (and you always have the right to go to a DPA or court as well).
Contact Us (Questions or Complaints)
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
Business Evaluation Services
Email: charles@mysteryshoppersservices.com
We will do our best to address and resolve any privacy issue you bring to our attention. If you feel that we have not adequately addressed your concerns, you have the right to contact your local privacy regulator: this may be a Data Protection Authority (DPA) in Europe, the Office of the Privacy Commissioner in Canada, or your state’s Attorney General or the California Privacy Protection Agency for Californian residents. For example, EU users can contact the UK ICO or their country’s DPA, and Canadian users can contact the OPC. We would, however, appreciate the chance to deal with your concerns before you approach a regulator, so please consider reaching out to us first.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will post the updated Policy on our website and update the “Effective Date” at the top (if provided). If changes are significant, we may also notify you by additional means, such as by email notification or by prominently posting a notice on our site or within your account. We encourage you to review this Policy periodically for any updates.
Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the revised terms, to the extent permitted by law. If we seek to use your personal information for a new purpose not originally disclosed, we will obtain your consent if required.
Effective Date: October 20th, 2025