Brandr Global ehf. – Privacy Policy

Effective date: May 2025

This Privacy Policy explains how Brandr Global ehf. (“Brandr”, “we”, “our”) collects, uses, shares, stores, and protects personal data across our websites and services, including brandr Index and brandr Employer Index research activities. It also explains your rights and how to exercise them.

We comply with the EU/EEA General Data Protection Regulation (GDPR) and other applicable privacy laws.

1) Who we are & how to contact us

Controller (for this website and Brandr-initiated research):
Brandr Global ehf.
Borgartún 25, 105 Reykjavík, Iceland
Registration no.: 4305190500 — VAT: 138794
Website: brandrindex.com
Email (general & privacy): hello@brandrindex.com

Data Protection Officer (DPO): dpo@dattacalabs.com

Note: We do not publish a phone number for privacy inquiries. Please contact us by email.

2) Scope & roles (Controller vs Processor)

• Website, CRM, and Brandr-initiated research: Brandr acts as Controller.
• Client-commissioned research (brandr Index/brandr Employer Index for a client): the client is the Controller and Brandr is the Processor.

When we act as Processor, we handle personal data strictly under the client’s written instructions and our data processing agreement.

3) What data we collect

3.1 Website & platform

• Technical/usage data: IP address, timestamps, pages viewed, referral URLs, approximate location, browser/OS, device identifiers.
• Cookies & similar technologies: see Section 10.

3.2 Communications & CRM

• Contact details and messages when you email us or submit forms.
• B2B CRM records (e.g., name, role, company, work email/phone, interaction history).

3.3 Clients & billing

• Contract and contact details for clients and vendors.
• Invoicing and payment records as required for finance, accounting, and audit.

3.4 Recruitment & HR

• Applicants: CV, cover letter, contact details, interview notes.
• Employees: HR/payroll data required by law.
• Special categories: processed only where legally required for HR; safeguards apply.

3.5 Customer & Market Research (brandr Index / brandr Employer Index)

For brand/market research, we may process:

• Survey responses (ratings, choices, open-text).
• Optional background info (e.g., gender, age, education, income, residence/city).
• Technical/fraud-prevention metadata (e.g., IP address, device/browser information, timestamps, quality-control flags).
• Incentive/prize details (if applicable): minimal contact data, stored separately and only for fulfillment.
  We do not intentionally collect special-category data in surveys. If such information appears in open text, we delete or redact it.

Panel providers. When recruitment is handled by a panel company, the panel acts as a separate Controller for panelist contact/recruitment data.

4) Where we get data

• Directly from you (forms, emails, surveys, events).
• From your organization (if you’re a client contact).
• From our service providers (e.g., security/operations logs).

5) Why we use data (purposes & legal bases)

5.1 Website & platform

• Operate, secure, and improve our site/services; prevent fraud/abuse (legitimate interests, and consent for non-essential cookies where required).

5.2 Communications, CRM & marketing

• Respond to inquiries; manage customer relationships (contract / legitimate interests).
• Send service updates and similar communications (legitimate interests).
• B2B marketing with appropriate opt-out controls (legitimate interests) or consent where required.

5.3 Clients & billing

• Provide contracted services; administer accounts; comply with legal/accounting duties (contract / legal obligation).

5.4 Recruitment & HR

• Evaluate candidates; manage employment (contract / legal obligation; consent where required).

5.5 Research (brandr Index / brandr Employer Index)

• Conduct brand/market research and deliver aggregated/de-identified insights to clients (legitimate interests of client/Brandr; consent where required by law).
• Administer incentives/prizes (contract / legitimate interests).
• Quality assurance and fraud prevention (legitimate interests).
• Comply with legal obligations (legal obligation).

6) How we share data

We may share personal data with:

• Service providers / sub-processors who host, maintain, or support our services under data processing agreements and confidentiality (examples relevant to research include QuestionPro and Dropbox).
• Professional advisers (legal, accounting) under confidentiality.
• Authorities where required by law.

Client deliverables in research. Clients receive aggregated and/or de-identified outputs by default. We do not share raw or row-level personal data with clients.

Sub-processor list. Our current sub-processor list is available on request.

7) International transfers

For research projects, raw survey data are stored by QuestionPro on servers in Seattle, United States. Where personal data are transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or other lawful safeguards and implement appropriate measures consistent with GDPR requirements.

8) Retention – how long we keep data

We keep personal data only as long as necessary for the stated purposes or as required by law.

• Website/technical logs: typically 90 days, unless needed longer for security or investigations.
• CRM & communications: up to 36 months after the last interaction.
• Billing & finance: per statutory accounting/audit retention.
• Recruitment (unsuccessful applicants): 12 months after the process ends (unless you consent to a longer period).
• Research:
  • Identifiable survey data (incl. technical metadata): 12 months after study close, then deleted or anonymized.
  • Incentive contact details: 90 days after fulfillment.
  • Aggregated/anonymized insights & benchmarks: may be retained indefinitely.

If you need the retention details for a particular project, contact us or your project lead.

9) Security

We implement appropriate technical and organizational measures to protect personal data, including role-based access and least-privilege access controls. We also require our processors to implement appropriate safeguards consistent with GDPR.

10) Cookies & similar technologies

We use necessary cookies to operate our site and, where permitted, Google Analytics 4 (GA4) and the Meta Pixel for analytics/measurement and to understand the effectiveness of our communications. Where required by law, non-essential cookies/pixels are used only with your consent. You can manage your preferences via our consent banner and browser settings.

11) Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing, portability, and to withdraw consent (where processing is based on consent). You also have the right to lodge a complaint with your data protection authority.

• If Brandr is acting as Processor for a client research project, please send your request to the Controller (our client) first.
• Otherwise, contact hello@brandrindex.com or our DPO at dpo@dattacalabs.com.
  We generally respond within one month, consistent with GDPR. We may request reasonable information to verify your identity.

12) Changes to this notice

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date at the top of this page. Where appropriate, we may also notify you via email or a service notice.

Company & contact information

Brandr Global ehf.
Borgartún 25, 105 Reykjavík, Iceland
Registration no.: 4305190500 — VAT: 138794
Website: brandrindex.com
Email (general & privacy): hello@brandrindex.com
DPO: dpo@dattacalabs.com