Innerlogic Privacy Statement

Effective date: January 1st, 2026

Last updated: April 14th, 2026

This Privacy Statement explains how Innerlogic Inc. (“Innerlogic”, “we”, “us” or “our”) collects, uses, discloses and protects personal information in connection with our website, platform, surveys, support, and related services (the “Services”). This statement is intended to address our obligations under applicable Canadian privacy laws, including Quebec’s private-sector privacy law, and, where applicable, the General Data Protection Regulation (“GDPR”). Additional contractual terms, data processing addenda, in-product notices, or regional notices may apply in specific circumstances.

For most survey and workforce data processed through the Services, the organization that sponsors the survey or uses the Services (for example, your employer, client, association, or community organization) is responsible for the personal information and decides why and how it is used. In those cases, Innerlogic acts on that organization’s behalf as a service provider or processor. For information that we collect for our own business purposes — such as account administration, billing, website operations, security, fraud prevention, diagnostics, support, and compliance — Innerlogic acts as the organization responsible for that information.

If you are participating in a survey sponsored by an organization, that organization is responsible for survey content, participation terms, distribution lists, access permissions, and how it uses reporting. Questions about those topics should generally be directed to that organization first.

Please note: If you are participating in a survey sponsored by an organization, that organization is generally responsible for the survey’s purpose, participation terms, distribution list, and its own use of the reporting. Where a survey or a specific question is identified as optional, you may choose whether to participate or respond. If you have questions about a particular survey, please contact the sponsoring organization or Innerlogic at privacy@innerlogic.com

Scope

This Privacy Statement applies to personal information collected through the Services, including our website, application, customer support channels, and related business operations.

This Privacy Statement does not apply to information about Innerlogic employees, job applicants, or contractors acting in that capacity, which is governed by separate notices and internal policies.

If a customer agreement, order form, or data processing addendum conflicts with this Privacy Statement with respect to customer-controlled data, the applicable contract will govern to the extent of that conflict.

Personal information we collect

Depending on the Services used and the role of the individual involved, we may collect the following categories of personal information:

A. Customer account and business contact information. We may collect names, business email addresses, phone numbers, job titles, organization names, billing details, and similar business contact information for customer administrators, buyers, and support contacts.

B. Participant roster and workforce metadata. Customers may provide workforce or membership data needed to operate the Services, such as names, work email addresses, internal identifiers, department, team, location, reporting lines, tenure, role, and other organization-defined attributes.

C. Survey and feedback data. We may process survey answers, participation status, completion status, timestamps, and free-text comments. Customers may choose to ask optional demographic, equity, inclusion, or well-being questions that can reveal sensitive personal information. Where such questions are optional, respondents may choose whether to answer them.

Depending on the question and the context, optional demographic, equity, inclusion, disability, health, well-being, or similar responses may constitute sensitive personal information under applicable Canadian law or special-category data under the GDPR. Innerlogic does not require customers to ask such questions. Customers are responsible for determining whether such questions are appropriate for their use case and for identifying the lawful basis or consent mechanism required by applicable law. Innerlogic processes such customer-controlled data only as instructed by the customer and as permitted by applicable law.

D. Technical, usage, and security information. We may collect IP address, device and browser information, application logs, authentication events, session and cookie identifiers, crash and performance data, and other diagnostic or security telemetry generated through use of the Services.

E. Support, communications, and website information. We may collect information submitted through forms, emails, support requests, meeting notes, or similar interactions with us.

F. Information from integrations and service providers. Where enabled by a customer or needed to operate the Services, we may receive information from identity providers, HRIS or workforce systems, communication tools, cloud hosting providers, analytics providers, or other service providers.

G. How we collect and receive personal information. We collect personal information directly from individuals (for example, when someone completes a survey, creates an account, contacts us, or uses our website), automatically through use of the Services, and indirectly from customers, customer administrators, sponsoring organizations, enabled integrations, identity providers, and service providers. If you are a survey participant, some roster, workforce, or participation information may be provided to us by the sponsoring organization rather than by you directly.

Where personal information is requested directly from you, we generally indicate whether it is optional or reasonably necessary for the relevant purpose. Survey questions marked as optional do not need to be answered. Certain account, authentication, billing, roster, or operational information may be required to provide the relevant service or feature; if it is not provided, the Services or some features may not be available or may not function as intended.

How we use personal information

We use personal information as needed to:

• provide, host, maintain, secure, and support the Services;

• authenticate users, manage customer accounts, process billing, and administer contracts;

• import, organize, analyze, and present survey and workforce data in the Services;

• generate reporting, dashboards, themes, trend analyses, and benchmark outputs for customers;

• detect, prevent, investigate, and respond to fraud, misuse, unauthorized activity, and security or confidentiality incidents;

• communicate with customers and users about the Services, service updates, support matters, and, where permitted, marketing communications;

• comply with legal, regulatory, contractual, and recordkeeping requirements; and

• improve the reliability, accessibility, performance, and quality of the Services.

Where we process personal information on behalf of a customer, we do so in accordance with that customer’s instructions, our contracts with that customer, and applicable law. Customers remain responsible for their own organizational, employment, or management decisions, including any decisions made using reports or insights generated through the Services.

Legal bases for processing

When Innerlogic acts as the controller for account, website, support, billing, security, diagnostics, and similar business-operation data, we generally process personal information as necessary to:
(a) enter into and perform contracts;
(b) pursue our legitimate interests in operating, securing, supporting, improving, and defending the Services and our business, including network and information security, fraud prevention, diagnostics, service improvement, and general business administration, provided those interests are not overridden by the rights and freedoms of the individual;
(c) comply with legal obligations; and
(d) where required or appropriate, based on consent.

When Innerlogic acts as a processor or service provider for customer-controlled survey and workforce data, we process that information on the relevant customer’s documented instructions and in accordance with our contract and applicable law. The relevant customer is generally responsible for identifying the lawful basis for that processing and, where applicable, any additional condition required to process sensitive or special-category data.

Where we rely on consent, consent may be withdrawn at any time going forward, subject to legal or contractual restrictions. Withdrawal does not affect processing already carried out before withdrawal.

Survey reporting, de-identification, and free-text responses

Innerlogic generally provides customer-facing survey reporting in aggregated and de-identified form. Under applicable law, including Quebec law where applicable, de-identified information no longer permits a person to be directly identified, and Innerlogic applies reasonable measures designed to reduce the risk of re-identification. Unless expressly stated otherwise in writing for a specific offering or use case, Innerlogic does not represent that underlying survey-response data or response-level data is anonymized within the meaning of applicable law.

To deliver the Services, protect the platform, troubleshoot issues, support customers, carry out contractually permitted analytics, and comply with legal obligations, underlying survey-response data may remain linkable within Innerlogic in a controlled environment to the extent reasonably necessary for those purposes, with access restricted to authorized personnel and service providers who require such access.

To reduce re-identification risk in customer-visible reporting, we use administrative, technical, and product controls that may include minimum group thresholds, suppression of small cohorts, restrictions on drill-down, role-based access controls, and similar safeguards. Certain safeguards may be configured by the customer and/or enforced by the Services.

Free-text responses may contain information that identifies a respondent or another person. Depending on the context, risk, and product configuration, Innerlogic may suppress, summarize, redact, or withhold free-text content in reporting where reasonably necessary to reduce re-identification risk. We encourage respondents not to include unnecessary personal or sensitive information in free-text responses.

Minimum group thresholds are only one safeguard and are not treated as a guarantee that a person cannot be identified. Depending on the context, cohort size, available filters, free-text content, or the presence of sensitive attributes, Innerlogic may apply higher thresholds or additional suppression, summarization, redaction, or access controls.

AI-assisted features

Innerlogic may use AI-assisted tools, including tools provided by approved service providers or subprocessors, to help categorize, summarize, and analyze survey content; identify organization-level themes and trends; answer authorized user questions about customer results; and generate draft summaries, recommendations, and action-planning suggestions within the Services.

When AI-assisted features are used to process customer-controlled survey or workforce data, Innerlogic does so in accordance with the applicable customer agreement, the customer’s documented instructions, and applicable law.

Innerlogic does not use AI-assisted tools to make employment, compensation, promotion, discipline, termination, or similar decisions about identified individuals on behalf of customers, and does not currently use the Services to render decisions based solely on automated processing that produce legal or similarly significant effects about individuals.

Innerlogic does not use customer survey content or customer-controlled personal information to train public or shared foundation models.

Where AI-assisted functionality involves approved third-party providers or subprocessors, Innerlogic uses contractual, technical, and organizational controls designed to restrict use of customer content to the permitted service and to protect confidentiality and security.

Customers remain responsible for reviewing AI-assisted outputs and for any decisions they make using the Services. If Innerlogic materially changes how AI-assisted features process personal information, we will update this Privacy Statement and provide any additional notice required by law.

Disclosure of personal information

We may disclose personal information only as reasonably necessary for the purposes described in this Policy, including:

·       to the customer on whose behalf we process survey, workforce, or related service data, in accordance with our contractual obligations and applicable law;

·       to authorized service providers and sub-processors that help us deliver, host, maintain, secure, support, analyze, or improve the Services;

·       to professional advisors, auditors, insurers, and financing sources, where reasonably necessary for legal, compliance, audit, insurance, or corporate purposes and subject to appropriate confidentiality obligations;

·       where required or permitted by applicable law, including to comply with legal process, respond to lawful requests by public authorities, protect our rights or the rights of others, investigate fraud, security, or policy violations, or prevent or reduce the risk of harm.

We require service providers, sub-processors, and other third parties that process personal information on our behalf to protect it through appropriate technical, organizational, and contractual measures; to use it only for authorized purposes; to notify us of confirmed confidentiality or security incidents without undue delay, where legally required; and to return or securely delete the information when it is no longer needed, subject to applicable legal and regulatory retention requirements.

Data residency and cross-border processing

Innerlogic stores customer survey data in Canada.

Depending on the Services selected, the customer’s contractual requirements, and the technical configuration agreed with the customer, certain processing activities may occur in Canada or in another jurisdiction through approved service providers and subprocessors.

Where a customer agreement requires customer survey data to be stored and processed only in Canada, Innerlogic will configure and operate the relevant Services in accordance with that requirement, subject to the scope of services, integrations, AI-assisted features, and subprocessors expressly agreed for that customer.

Where personal information is communicated or made available outside Quebec, Innerlogic will do so only as permitted by applicable law. Where Quebec law applies, Innerlogic will conduct the assessment required by law before the transfer and put in place a written agreement that reflects the results of that assessment and the measures required to protect the information.

Where personal data subject to the GDPR is transferred outside the EEA, Innerlogic will rely on an adequacy decision or another valid transfer mechanism recognized under Chapter V of the GDPR, such as the European Commission’s standard contractual clauses, together with any supplementary measures required by applicable law.

Under Canadian law, including PIPEDA where applicable, Innerlogic remains accountable for personal information transferred to service providers for processing and uses contractual and other measures designed to provide a comparable level of protection while the information is being processed by those service providers.

Personal information processed outside Canada or outside the jurisdiction where it was originally collected may be subject to the laws of the destination jurisdiction and may be accessible to courts, law-enforcement agencies, national security authorities, regulators, or other public authorities in accordance with those laws.

Cookie and similar technologies

Our website and, where applicable, our application may use cookies and similar technologies for essential operations, authentication, security, preferences, analytics, and service improvement.

You may be able to control cookies through your browser settings or any cookie settings tools we make available. Some features of the Services may not function properly if essential cookies or similar technologies are disabled.

Where applicable, we will provide additional notice about technologies that can identify, locate, or profile users and about the controls or settings available in relation to those technologies.

Retention

We retain personal information only for as long as reasonably necessary for the purposes for which it was collected or received, to provide the Services, to comply with legal and contractual obligations, to resolve disputes, and to enforce our agreements.

Customer-controlled survey and workforce data is retained in accordance with our contracts with the relevant customer, that customer’s instructions, and applicable legal requirements. At the end of the applicable retention period or following termination of the Services, we delete or return customer-controlled data as required by contract, subject to routine backup cycles, legal holds, fraud-prevention needs, and records that we are required or permitted to keep by law.

We may retain aggregated statistics and other information that does not reasonably identify an individual for longer periods for internal reporting, service improvement, and business records.

Security and confidentiality incidents

Innerlogic uses administrative, technical, and physical safeguards that are appropriate to the sensitivity of the information and the way it is used. These safeguards may include access controls, confidentiality obligations, environment segregation, logging and monitoring, change management, vendor management, and other security practices designed to protect personal information against unauthorized access, use, disclosure, loss, theft, or modification.

Access to personal information within Innerlogic is restricted to personnel and service providers who need the information to perform their duties or provide services on our behalf.

If Innerlogic becomes aware of a security or confidentiality incident involving customer-controlled data, we will notify the relevant customer in accordance with our contract and applicable law. Where applicable law requires notice to affected individuals or regulators, we or the relevant customer will provide such notice as required by law and by the allocation of responsibilities in our contracts. Innerlogic maintains processes to assess, document, and respond to confidentiality or security incidents and to make notifications where required by applicable law or contract.

Your rights and choices

Subject to applicable law and appropriate identity verification, individuals may have the right to request access to personal information, request correction of inaccurate or incomplete information, withdraw consent where consent is the legal basis for processing, request deletion or restriction of processing, object to certain processing, request portability of certain information in a structured, commonly used technological or machine-readable format, and request information about or review of a decision based solely on automated processing where such rights apply.

These rights do not apply in every circumstance, and some rights vary depending on whether Innerlogic is acting as controller or as processor/service provider, the legal basis relied upon, and the applicable law.

If the personal information at issue is controlled by one of our customers — for example, survey responses, participation records, or workforce data submitted to the Services by your employer or another sponsoring organization — you should direct your request to that customer first. Innerlogic will assist the customer in responding to verified requests where required by contract or applicable law.

If Innerlogic is the controller for the personal information at issue, requests may be sent to privacy@innerlogic.com. We may request information reasonably necessary to verify identity before acting on a request. We will respond within the time required by applicable law.

You may also have the right to complain to the privacy or data protection regulator that oversees the applicable law, including the Commission d’accès à l’information du Québec, the Office of the Privacy Commissioner of Canada, or, for individuals in the EEA, the competent supervisory authority in the member state of their habitual residence, place of work, or alleged infringement.

Changes to this Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in the Services, our practices, or legal requirements. We will post the updated version on this page and revise the effective date above. Where required by law, we will provide additional notice or obtain consent for material changes.

Contact us

Innerlogic has designated a person responsible for the protection of personal information.

Privacy Officer

Innerlogic Inc.

Email: privacy@innerlogic.com

Mail: 86 Shirley Elliott crt, Bedford NS, Canada, B4B0Z8

If you have questions, requests, or complaints about this Privacy Statement or our privacy practices, please contact us using the details above.