Survey Consent & Privacy Notice

Please read this notice carefully before proceeding with the survey. This notice explains who is collecting your personal data, why it is being collected, how it will be used and retained, and the rights available to you under applicable data protection and privacy laws across multiple jurisdictions.

This notice is designed to comply with the following laws:

  • CCPA / CPRA: California Consumer Privacy Act 2018 & California Privacy Rights Act 2020 (United States - California residents
  • EU GDPR: EU General Data Protection Regulation 2016/679 (European Economic Area residents)
  • UK GDPR & UK DPA 2018: UK General Data Protection Regulation & UK Data Protection Act 2018 (United Kingdom residents)
  • DPDPA 2023: India Digital Personal Data Protection Act 2023 (India residents)
  • PDPA: Singapore Personal Data Protection Act 2012 (Singapore residents)
  • Philippines DPA: Philippines Data Privacy Act 2012, Republic Act No. 10173 (Philippines residents)

Your participation is entirely voluntary. By selecting ‘I Consent’ at the first question of this survey, you confirm that

1. Who We Are

Milestone Technologies Inc. (“we”, “us”, or “Milestone”) is the Data Controller/Data Fiduciary responsible for the personal data collected through this survey. This consent notice explains how we collect, use, store, and protect your personal data in connection with our customer satisfaction and Net Promoter Score (NPS) survey programme, delivered via SurveySparrow.

2. Survey Platform - Third-Party Data Processor / Service Provider

This survey is administered via SurveySparrow, a third-party software platform. The role of SurveySparrow under each applicable law is as follows:

SurveySparrow is contractually bound to:

  • (a) process your data only on documented instructions from Milestone;
  • (b) implement appropriate security measures;
  • (c ) not sub-process without prior written authorisation; and
  • (d) delete or return all personal data upon termination of the agreement.

SurveySparrow’s Privacy Policy: www.surveysparrow.com/privacy-policy

3. Categories of Personal Data / Personal Information Collected

3.1 Data You Provide Directly

  • Identity Data: Full name and job title (if voluntarily provided
  • Contact Data: Business email address and/or phone number (if voluntarily provided)
  • Organisational Data: Company or employer name
  • Opinion & Feedback Data: Customer Satisfaction (CSAT) scores, Net Promoter Scores (NPS), ratings, written comments, and suggestions

3.2 Data Collected Automatically by SurveySparrow

  • Technical Metadata: Survey completion timestamp, device type, browser type, IP address, and approximate geolocation (country/region level)
  • Behavioural Data: Time spent per question, page navigation patterns within the survey

3.3 CCPA / CPRA - Categories of Personal Information

For California residents, the above data maps to the following CCPA/CPRA statutory categories:

  • Identifiers: Name, email address, IP address, device identifiers
  • Professional / Employment Information: Job title, employer/company nam
  • Internet / Electronic Activity: Browser type, device type, survey navigation behaviour
  • Geolocation Data: Approximate country/region level only
  • Inferences: Satisfaction scores and feedback derived from your responses

Sensitive Personal Data / Information

This survey is not designed to collect sensitive personal data (special category data under EU/UK GDPR), sensitive personal data under DPDPA, or sensitive personal information (SPI) under CPRA.

Please do not include health information, financial details, religious beliefs, biometric data, racial or ethnic origin, sexual orientation, or similar sensitive information in any free-text responses.

Philippines DPA note: We do not intentionally collect privileged information as defined under Sec. 3(l) of the Philippines DPA.

4. Purposes of Processing & Legal Basis

We process your personal data for the following specific, explicit, and legitimate purposes:

5. Data Retention - Indefinite Retention for Historical Data Mapping

Important: Indefinite Retention Policy

Milestone retains all survey response data INDEFINITELY. This is a deliberate and explicitly disclosed practice to enable longitudinal (historical) mapping of client satisfaction trends over time. Your responses will be preserved in their original identifiable form as part of a continuous dataset that tracks how individual client sentiment, product performance, and service quality evolve across months and years. You are being explicitly informed of this at the point of collection as required under all applicable laws listed in this notice.

5.1 Justification for Indefinite Retention

  • Longitudinal analytics necessity: Historical comparison of CSAT and NPS scores is only possible if prior data points are preserved in their original form. Deletion would destroy the integrity of the trend dataset.
  • Explicit consent: You are providing fully informed, explicit consent to indefinite retention of identifiable data by completing this survey's consent question.
  • Legitimate business interest: Milestone has a legitimate, documented business interest in maintaining an uninterrupted record of customer feedback for strategic planning, quality benchmarking, and executive reporting.
  • No anonymisation or pseudonymisation: Data is retained in identifiable form throughout its lifecycle. This is necessary for accurate longitudinal mapping at the individual client level.

5.2 Jurisdiction-Specific Retention Disclosures

  • EU / UK GDPR: Indefinite retention of identifiable personal data creates tension with the storage limitation principle. Milestone relies on explicit consent and documented legitimate interests as the dual legal basis.
  • CCPA / CPRA: Personal information will not be retained beyond what is reasonably necessary for the disclosed purposes. Indefinite retention is justified by the ongoing longitudinal analytics purpose, which is a continuing business need.
  • Singapore PDPA: Data will be retained as long as it is necessary for the purposes stated herein. Milestone considers indefinite retention necessary given the ongoing longitudinal mapping purpose.
  • Philippines DPA: Data will be retained only for as long as necessary for the fulfilment of stated purposes. The ongoing nature of the historical mapping purpose constitutes continuous necessity.
  • India DPDPA 2023: Data will be retained until the purpose for which it was collected is no longer being served. The longitudinal mapping purpose constitutes an ongoing and continuous purpose.

5.3 Ongoing Security Safeguards for Retained Data

  • All retained data will be stored in access-controlled, encrypted systems with full audit logging
  • Access to historical datasets is limited to authorised personnel with a documented and approved business need
  • An internal data access register will be maintained documenting who accesses historical survey data and for what purpose
  • Regular internal reviews of access controls will be conducted at least annually
  • If you exercise your right to erasure / deletion, all personal data associated with your responses including all historical records will be permanently deleted from all systems including backups within 30 days of your verified request

6. Data Sharing & Disclosure

Milestone does not sell, rent, or trade your personal data to any third party. Your personal data may be shared only in the following limited and specific circumstances:

  • SurveySparrow (Service Provider / Data Processor): Solely for hosting and operating the survey platform, under a binding Data Processing Agreement / Service Provider Agreement.
  • Internal Milestone Teams: Customer success, product management, and senior leadership, on a strict need-to-know basis only.
  • Internal Reporting: Identifiable response data may appear in internal presentations and reports accessible only to authorised Milestone personnel.
  • Legal Obligation: Where required by applicable law, regulation, court order, or regulatory authority in any jurisdiction.
  • Business Restructuring: In the event of a merger, acquisition, or asset sale, personal data may be transferred to a successor entity. You will be notified in advance with at least 30 days' notice, and the successor entity will be bound by equivalent protections.

CCPA / CPRA - Right to Know About Disclosures

California residents have the right to know the categories of third parties to whom their personal information is disclosed. The only third party to whom Milestone discloses personal information is SurveySparrow, acting as a contracted Service Provider. This does not constitute a ‘sale’ or ‘sharing’ under CPRA.

7. International / Cross-Border Data Transfers

SurveySparrow is a US-based platform. Your data may be transferred to, stored in, and processed in countries outside your jurisdiction of residence, including the United States. The following safeguards apply:

8. Your Privacy Rights

Your rights depend on your jurisdiction of residence. To exercise any right, use the contact details in Section 10. We will respond within the timeframes required by applicable law.

8.1 EU / UK GDPR Rights (EEA & UK Residents)

  • Right of Access: Request a copy of personal data we hold about you, including confirmation of processing and a copy of the data itself.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data. See Section 8.7 for how this interacts with our indefinite retention policy.
  • Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: EU residents: contact your national supervisory authority. UK residents: contact the Information Commissioner's Office (ICO) at ico.org.uk.

8.2 India DPDPA 2023 Rights (India Residents)

  • Right to Access Information: Request a summary of personal data processed and processing activities.
  • Right to Correction, Completion, and Erasure: Request correction of inaccurate data, completion of incomplete data, or deletion of personal data no longer necessary for the stated purpose.
  • Right to Grievance Redressal: Lodge a grievance with the Data Fiduciary's Grievance Officer. Response within 30 days.
  • Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity.
  • Right to Complaint: File a complaint with the Data Protection Board of India (DPBI) if the grievance is unresolved.

8.3 Singapore PDPA Rights (Singapore Residents)

  • Right of Access: Request access to personal data held about you and information about how it has been used or disclosed in the past year.
  • Right to Correction: Request correction of inaccurate personal data.
  • Right to Withdraw Consent: Withdraw consent at any time. We will cease processing within a reasonable timeframe, subject to legal or business constraints.
  • Right to Data Portability: Request transmission of your data to another organisation (where applicable under PDPA portability provisions).
  • Right to Lodge a Complaint: Contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

8.4 Philippines DPA Rights (Philippines Residents)

  • Right to be Informed: Be informed of the collection, processing, and retention of your personal data.
  • Right to Access: Request access to your personal data and the manner in which it has been processed.
  • Right to Rectification: Request correction of inaccurate, incomplete, outdated, or unlawfully obtained data.
  • Right to Erasure or Blocking: Request deletion or blocking of personal data where processing violates the DPA.
  • Right to Object: Object to processing of your personal data, including processing for direct marketing.
  • Right to Data Portability: Request a structured, commonly used electronic copy of your personal data.
  • Right to Lodge a Complaint: Contact the National Privacy Commission (NPC) at privacy.gov.ph.

8.5 CCPA / CPRA Rights (California Residents)

California Privacy Rights - Mandatory Disclosure

California residents have specific rights under the CCPA (effective 2020) and CPRA (effective 2023). Milestone does not discriminate against you for exercising any of these rights.

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the purposes for collection, the categories of sources, and any third parties to whom it is disclosed.
  • Right to Delete: Request deletion of personal information we have collected. See Section 8.7 for interaction with our retention policy.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: Opt out of the sale or sharing of your personal information. Note: Milestone does not sell or share personal information. No opt-out mechanism is currently required but requests will be honoured.
  • Right to Limit Use of Sensitive Personal Information: Request that we limit the use of your sensitive personal information to necessary purposes. We do not collect SPI through this survey.
  • Right to Non-Discrimination: You will not receive different quality of service or pricing for exercising your CCPA/CPRA rights.
  • Authorised Agent: You may designate an authorised agent to submit requests on your behalf. Proof of authorisation will be required.

8.6 Response Timeframes by Jurisdiction

8.7 Right to Erasure & Indefinite Retention

How Deletion Works Given Our Indefinite Retention Policy

If you exercise your Right to Erasure (EU/UK GDPR Art. 17), Right to Deletion (CCPA §1798.105), Right to Correction/Erasure (DPDPA §12), or equivalent right under PDPA or Philippines DPA, Milestone will permanently delete all personal data associated with your survey responses.

This includes all historical records across all survey cycles, stored in all systems including active databases, archival stores, and backups; within 30 days of your verified request.

Because Milestone does not anonymise data, there is no residual dataset that will remain after deletion. Your complete response history will be fully removed.

Please note: Exercising your right to erasure will remove your data from our longitudinal dataset, which may affect the completeness of historical analysis for your account.

9. Data Security

Milestone and SurveySparrow implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Role-based access controls and multi-factor authentication for all internal systems
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Incident response and data breach notification procedures compliant with all applicable laws (see below)
  • An internal data access register for all historical survey datasets

9.1 Breach Notification Obligations by Jurisdiction

10. Contact Details, DPOs & Grievance Redressal

To exercise any right, withdraw consent, raise a concern, or submit a grievance, please contact us on privacy@milestone.tech

11. Children's Privacy

This survey is intended for business professionals and is not directed at individuals under the age of 18 (or such higher age as required by applicable law in your jurisdiction). Milestone does not knowingly collect personal data from minors.

  • India DPDPA 2023: Processing of personal data of children (under 18) requires verifiable parental consent.
  • Philippines DPA: Personal data of minors requires consent of their legal guardians per applicable NPC guidelines.
  • CPRA / COPPA: We do not knowingly collect personal information from consumers under 16 without opt-in consent.

If you believe a minor has submitted responses through this survey without parental consent, please contact us immediately at privacy@milestonetech.com so we can delete the relevant data.

12. Changes to This Notice

Milestone reserves the right to update or amend this notice to reflect changes in applicable law, regulatory guidance, or our data practices. Where material changes are made, we will notify you via the survey platform or by email (where contact details are held) with at least 14 days’ prior notice before the changes take effect. The version number and effective date at the top of this notice will always reflect the current version. Continued participation in surveys after notice of changes constitutes acceptance.

Skip to content