Data Privacy &
Compliance Framework

Veritolytics is committed to the highest standards of data protection, respondent privacy, and regulatory compliance. This document governs how we collect, process, store, and protect personal data across all operational activities.

Last Reviewed & Updated: July 2026
GDPR Compliant
ESOMAR Member
Data Protection Act

This Privacy Policy applies to all personal data processed by Veritolytics in connection with its market research, panel management, survey programming, and data analytics services. By engaging with our services or participating in our panel, you acknowledge the terms of this policy.

01

Data Controller Information

The data controller responsible for your personal data is:

Company Name Veritolytics
Registered Office Navi Mumbai, Maharashtra, India
Telephone +91-870-012-7257
ESOMAR Membership Full Corporate Member
Data Protection Contact business@veritolytics.com
02

Scope & Application

This Privacy Policy applies to personal data processed by Veritolytics in relation to the following categories of individuals:

  • Survey Panelists & Research Participants — individuals who register on our proprietary panel (Veritopinion.com) and participate in market research surveys.
  • Client Contacts — employees, representatives, and authorised personnel of organisations that engage Veritolytics for research services.
  • Website Visitors — individuals who access veritolytics.com or any associated digital properties operated by Veritolytics.
  • Prospective Clients & Partners — individuals who submit enquiries, request quotations, or interact with Veritolytics for business development purposes.

This policy is governed by the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the UK GDPR (as incorporated into UK law by the European Union (Withdrawal) Act 2018), and applicable national data protection legislation. Where Veritolytics processes data on behalf of clients, separate data processing agreements govern those arrangements under Article 28 GDPR.

03

Data We Collect

The categories of personal data we collect depend on your relationship with Veritolytics.

3.1 Panel Members & Survey Respondents

  • Identity data: name, age, date of birth, gender
  • Contact data: email address, telephone number
  • Demographic data: household composition, income band, education level, employment status, occupation, geographic region
  • Behavioural & attitudinal data: survey responses and opinions provided during research participation
  • Profile data: product usage habits, media consumption, health conditions (where expressly consented to for healthcare research)
  • Technical data: device type, IP address (anonymised), browser type, survey completion metadata

3.2 Client Contacts

  • Identity & contact data: name, job title, business email, telephone number
  • Company data: organisation name, industry, company size
  • Transaction data: project history, invoicing records, contractual correspondence
  • Communication data: email exchanges, meeting notes, brief documents

3.3 Website Visitors

  • Technical data: IP address, browser type and version, pages visited, time spent, referral source
  • Cookie data: as detailed in Section 10 of this policy
Special Category Data

Veritolytics processes special category data (including health and medical information for healthcare research) only where explicit written consent has been obtained from the data subject, in accordance with Article 9(2)(a) GDPR. Such data is subject to enhanced security controls and stricter retention limitations.

05

How We Use Your Data

We process personal data only for the purposes for which it was collected. The primary purposes include:

Purpose Category of Data Legal Basis
Panel recruitment, profiling, and survey matching Identity, Demographic, Profile Consent
Survey fieldwork execution and data collection Behavioural, Attitudinal, Technical Consent
Project delivery and client reporting (anonymised aggregate data) Anonymised survey data Contract
Client account management and communication Identity, Contact, Transaction Contract
Invoicing and financial record-keeping Contact, Transaction Legal Obligation
Panel quality assurance and fraud prevention Technical, Behavioural Legitimate Interests
Website analytics and performance monitoring Technical, Cookie Legitimate Interests / Consent
Business development and service communications Identity, Contact Legitimate Interests
Data Minimisation Commitment

In accordance with Article 5(1)(c) GDPR, Veritolytics collects only the minimum personal data necessary for each specific processing purpose. Survey screening questions are designed to qualify respondents without collecting superfluous personal information.

06

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to applicable legal retention obligations. Our standard retention periods are as follows:

Data Category Retention Period Basis
Active panelist profile data Duration of panel membership + 12 months post-withdrawal Consent
Survey response data (identifiable) Anonymised immediately upon project close; raw data deleted within 30 days ESOMAR Code
Anonymised aggregate research data Indefinite (no personal data retained) Research purposes
Client contact and project records 7 years from project completion Legal Obligation
Financial and invoicing records 7 years (statutory financial record-keeping) Legal Obligation
Website visitor analytics data 26 months (standard analytics retention) Legitimate Interests
Prospect and enquiry contact data 24 months from last interaction Legitimate Interests

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Panelists may request early deletion of their profile data at any time (see Section 7).

07

Your Rights Under GDPR

Under Chapters III of the GDPR (Articles 12–22), data subjects whose personal data is processed by Veritolytics have the following rights. All requests may be submitted to business@veritolytics.com and will be responded to within 30 calendar days.

Right of Access Art. 15

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about the processing purposes, categories, recipients, and retention periods.

Right to Rectification Art. 16

You have the right to request correction of inaccurate personal data and completion of incomplete data held about you.

Right to Erasure Art. 17

You have the right to request deletion of your personal data where it is no longer necessary for its original purpose, where consent has been withdrawn, or where processing is unlawful. This right is subject to overriding legal retention obligations.

Right to Restriction Art. 18

You have the right to request that we restrict processing of your personal data in specific circumstances, including where you contest accuracy or have objected to processing.

Right to Portability Art. 20

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.

Right to Object Art. 21

You have the right to object to processing based on legitimate interests or carried out for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately without requiring justification.

Rights re: Automated Decisions Art. 22

You have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects. Veritolytics does not make such automated decisions about individuals.

Right to Withdraw Consent Art. 7(3)

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. Panel members may withdraw by contacting us or via the panel portal.

Right to Lodge a Complaint

If you believe Veritolytics has not complied with applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority. For EU residents, this is your national data protection authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.

08

International Data Transfers

Veritolytics operates globally and may transfer personal data to countries outside the European Economic Area (EEA) and UK in connection with its panel operations and client services. All international transfers are governed by appropriate safeguards in accordance with Chapter V GDPR.

The transfer mechanisms we rely on include:

  • Standard Contractual Clauses (SCCs) — The European Commission's approved SCCs are incorporated into data processing agreements with all sub-processors and panel partners located outside the EEA, ensuring equivalent data protection standards.
  • Adequacy Decisions — Where the European Commission has issued an adequacy decision for a third country, transfers to that country are made without requiring additional safeguards.
  • UK International Data Transfer Agreements (IDTAs) — For transfers from the UK, we utilise ICO-approved IDTAs or the UK Addendum to EU SCCs where applicable.

Transfer impact assessments are conducted for all data transfers to high-risk jurisdictions. You may request information about the specific transfer mechanisms applicable to your data by contacting us at business@veritolytics.com.

09

Third-Party Sharing

Veritolytics does not sell, rent, or trade personal data to third parties. We may share personal data only in the following circumstances:

  • Research Clients (Anonymised Data Only) — Research clients receive only anonymised, aggregated survey data. No personally identifiable information about individual respondents is disclosed to clients at any time. Survey responses are presented in aggregate statistical format only.
  • Technology Sub-Processors — We engage third-party technology providers (survey platforms, data hosting, quality verification tools) who process data on our behalf as data processors under Article 28 GDPR agreements. All sub-processors are contractually bound to GDPR-equivalent standards.
  • Panel Network Partners — In specific studies where additional sample is required, anonymised profile attributes may be shared with vetted panel router partners to facilitate quota fulfilment. No directly identifying data is shared.
  • Legal & Regulatory Authorities — We may disclose personal data where required by applicable law, court order, or regulatory authority — only to the extent strictly necessary to comply with such obligations.
  • Professional Advisors — Legal, financial, and audit advisors may access personal data where strictly necessary and subject to professional confidentiality obligations.

A full list of our current data processing sub-processors is available upon written request to business@veritolytics.com.

10

Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies in accordance with applicable e-Privacy regulations. Cookies are small text files placed on your device to enable website functionality and improve your experience.

You may manage, restrict, or withdraw consent to non-essential cookies at any time via your browser settings or by contacting us. Please note that disabling strictly necessary cookies may affect site functionality.

11

ESOMAR Compliance & Market Research Ethics

As a full ESOMAR Corporate Member, Veritolytics is bound by the ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics and the ESOMAR Code of Standards and Ethics. These frameworks govern all aspects of our research conduct, including:

  • Respondent Anonymity — Research participants are never individually identified to clients. All data delivered to research clients is in anonymised aggregate format. This is an absolute, non-negotiable commitment under the ESOMAR Code.
  • Informed Consent — Panelists provide informed consent prior to participation in any research study. The purpose of the research, data usage, and privacy rights are disclosed before participation commences.
  • Confidentiality of Research Results — We do not disclose the identity of research clients, proprietary study findings, or unpublished research results to third parties.
  • Distinction from Non-Research Activities — Survey data is used solely for research purposes and never for sales, marketing, direct solicitation, or credit-scoring of individual respondents.
  • Children in Research — Where research involves individuals under the age of 16, verifiable parental consent is obtained in accordance with ESOMAR guidelines and applicable child protection regulations (see Section 13).
  • Storage and Disposal — All personal data linked to research participation is securely disposed of in accordance with ESOMAR and GDPR retention guidelines.

The full ESOMAR International Code is publicly available at esomar.org.

12

Data Security

Veritolytics implements appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk of processing. Our security measures include:

Encryption

All personal data in transit is encrypted using TLS 1.2 or higher. Stored data is encrypted at rest using industry-standard AES-256 encryption protocols.

Access Controls

Access to personal data is restricted on a strict need-to-know basis. Role-based access controls and multi-factor authentication are enforced for all staff with data access.

Monitoring & Auditing

System access and data processing activities are logged and subject to regular internal security audits. Anomalous access patterns trigger automated alerts.

Staff Training

All personnel with access to personal data receive mandatory data protection training and are bound by confidentiality obligations as part of their employment terms.

Breach Response

In the event of a personal data breach, we are committed to notifying the relevant supervisory authority within 72 hours (Article 33 GDPR) and affected individuals where required (Article 34 GDPR).

Sub-Processor Controls

All data processing sub-processors are subject to security assessments and contractual obligations equivalent to those applicable to Veritolytics under GDPR Article 28.

13

Children's Privacy

Veritolytics does not knowingly collect personal data directly from children under the age of 13 without verifiable parental or guardian consent. Our standard panel membership requires applicants to be aged 18 or over.

For research studies specifically targeting respondents between the ages of 13 and 17 (where such research is necessary and legally permissible):

  • Written verifiable consent from a parent or legal guardian is obtained prior to any data collection.
  • Study materials are reviewed to ensure age-appropriateness and that no harm could arise from participation.
  • Data collected from minors is subject to enhanced security measures and is retained for the minimum necessary period.
  • All such studies comply with applicable national child data protection provisions, including Article 8 GDPR and ESOMAR guidelines on research with children.

If you believe that a child's personal data has been collected without appropriate consent, please contact us immediately at business@veritolytics.com.

14

Policy Changes & Version History

Veritolytics reviews this Privacy Policy at least annually and updates it whenever material changes occur to our data processing activities, applicable legal requirements, or operational practices.

In the event of material changes that affect your rights or the way we process your personal data, we will:

  • Publish the revised policy on this page with an updated effective date;
  • Notify active panelists via the registered email address associated with their panel account;
  • Notify active clients via their designated contact email where the changes are relevant to their data processing arrangements.
Version Date Summary of Changes
v2.0 July 2026 Full policy revision — updated retention schedules, expanded rights section, ESOMAR 2024 Code alignment
v1.1 January 2025 UK GDPR post-Brexit alignment; updated transfer mechanism references
v1.0 May 2018 Initial GDPR-compliant policy publication
15

Contact & Data Protection Enquiries

For any questions, requests, or complaints related to this Privacy Policy or the processing of your personal data by Veritolytics, please contact us through any of the following channels. All data protection requests will be acknowledged within 5 working days and resolved within 30 calendar days.

Data Protection Email

business@veritolytics.com

Preferred channel for subject access requests, erasure requests, and formal complaints.

Telephone

+91-870-012-7257

Available 24×7. For urgent data protection matters, please call directly.

Registered Address

Veritolytics, Navi Mumbai, Maharashtra, India

For written correspondence and formal legal notices.

Supervisory Authority Contacts

EU Residents: Your national Data Protection Authority (DPA) — find details at edpb.europa.eu.
UK Residents: Information Commissioner's Office (ICO) — ico.org.uk — Tel: 0303 123 1113.