Please read this notice carefully before proceeding. It explains who collects your personal data, why, how it is used and retained, and your rights under applicable privacy laws including CCPA/CPRA (California), EU GDPR, UK GDPR & DPA 2018, India DPDPA 2023, Singapore PDPA, and Philippines DPA 2012. Your participation is entirely voluntary. By selecting ‘I Consent’ at the first question, you confirm you have read and understood this notice.
1. Who We Are
Milestone Technologies Inc. (“Milestone”, “we”, “us”) is the Data Controller / Data Fiduciary responsible for personal data collected through this survey, delivered via SurveySparrow, for our customer satisfaction and Net Promoter Score (NPS) programme.
2. Survey Platform — SurveySparrow (Third-Party Processor)
SurveySparrow operates as: Data Processor (EU/UK GDPR, India DPDPA §8(2)); Data Intermediary (Singapore PDPA); Personal Information Processor / PIP (Philippines DPA, Sec. 3(l)); and Service Provider (CCPA/CPRA §1798.140(ag)). Under all frameworks, SurveySparrow is contractually bound to: (a) process data only on Milestone’s documented instructions; (b) implement appropriate security measures; (c) not sub-process without prior written authorisation; and (d) delete or return all personal data on termination. Privacy Policy: www.surveysparrow.com/privacy-policy.
3. Personal Data Collected
3.1 Data You Provide
Identity (name, job title); Contact (business email, phone — if voluntarily provided); Organisational (company name); Opinion & Feedback (CSAT/NPS scores, ratings, written comments).
3.2 Data Collected Automatically
Technical metadata (timestamp, device/browser type, IP address, approximate country/region geolocation); Behavioural data (time per question, page navigation within the survey).
3.3 CCPA/CPRA Categories (California Residents)
The above maps to: Identifiers (name, email, IP, device IDs); Professional/Employment Information (job title, company); Internet/Electronic Activity (browser, device, navigation); Geolocation (country/region only); Inferences (satisfaction scores derived from responses).
4. Purposes of Processing & Legal Basis
We process your data for the following purposes. The legal basis under each framework is noted in parentheses. (i) Measuring CSAT and NPS: Consent under all frameworks (EU/UK GDPR Art. 6(1)(a); DPDPA §7; PDPA Sec. 13(b); Philippines DPA Sec. 12(a); CCPA/CPRA — disclosed purpose, not a sale). (ii) Identifying service gaps and product improvement: Consent (same bases as above). (iii) Longitudinal tracking of satisfaction trends: Consent plus Legitimate Interests (EU/UK GDPR Art. 6(1)(a)+(f); DPDPA §4; PDPA Sec. 13(b)+(d); Philippines DPA Sec. 12(a)+13(e); CCPA/CPRA — not a sale or sharing). (iv) Internal reporting and management analytics: Legitimate Interests (EU/UK GDPR Art. 6(1)(f); DPDPA §4; PDPA Sec. 13(d); Philippines DPA Sec. 13(e); CCPA/CPRA — internal business operations, not a sale). (v) Follow-up on your feedback (only where separately consented): Consent (all frameworks; CCPA/CPRA — consent-based, not a sale).
CCPA/CPRA — No Sale or Sharing
Milestone does NOT sell (§1798.140(t)) or share (§1798.140(ah)) your personal information for cross-context behavioural advertising. California residents may submit a ‘Do Not Sell or Share’ request at any time to confirm this, though no opt-out mechanism is required as we do not engage in these activities.
5. Data Retention
Indefinite Retention Policy
Milestone retains all survey response data INDEFINITELY in identifiable form to enable longitudinal (historical) mapping of client satisfaction trends. You are explicitly informed of this at the point of collection as required under all applicable laws. Legal bases: explicit consent; legitimate business interest in uninterrupted historical records for strategic planning, quality benchmarking, and executive reporting. Data is not anonymised or pseudonymised, as individual-level tracking is necessary for accurate longitudinal analysis.
Jurisdiction notes: EU/UK GDPR indefinite retention of identifiable data creates tension with the storage limitation principle; Milestone relies on explicit consent and documented legitimate interests as the dual legal basis. CCPA/CPRA – justified by the ongoing longitudinal analytics purpose as a continuing business need. Singapore PDPA & Philippines DPA – the ongoing nature of the longitudinal mapping purpose constitutes continuous necessity. India DPDPA 2023 – the longitudinal mapping purpose constitutes an ongoing and continuous purpose. All retained data is stored in access-controlled, encrypted systems with full audit logging, role-based access, and an internal data access register reviewed at least annually. If you exercise your right to erasure/deletion, all personal data including all historical records across all survey cycles, in all systems including backups, will be permanently deleted within 30 days of your verified request, with no residual dataset remaining.
6. Data Sharing & Disclosure
Milestone does not sell, rent, or trade your personal data. Data is shared only with: (a) SurveySparrow – solely for hosting/operating the survey, under a binding Data Processing / Service Provider Agreement; (b) Internal Milestone teams (customer success, product management, senior leadership) on a need-to-know basis, including identifiable data in internal reports/presentations accessible only to authorised personnel; (c) Legal obligation – where required by law, court order, or regulatory authority; (d) Business restructuring – in a merger, acquisition, or asset sale, data may transfer to a successor entity bound by equivalent protections, with at least 30 days’ prior notice to you.
CCPA / CPRA - Right to Know About Disclosures
The only third party to whom Milestone discloses personal information is SurveySparrow, acting as a contracted Service Provider. This does not constitute a ‘sale’ or ‘sharing’ under CPRA.
7. International / Cross-Border Data Transfers
SurveySparrow is a US-based platform; your data may be transferred to, stored, and processed in countries outside your jurisdiction. Safeguards by jurisdiction: EEA residents (EU GDPR) – Standard Contractual Clauses (SCCs, EC Decision 2021/914) in DPA with SurveySparrow; UK residents (UK GDPR/DPA 2018) – International Data Transfer Agreement (IDTA) as approved by the ICO; India residents (DPDPA §16) – transfers only to Government-notified countries or under contractual safeguards; Singapore residents (PDPA Sec. 26) – binding contract ensuring equivalent PDPA-level protection; Philippines residents (DPA Sec. 21) – NPC-approved contractual clauses with NPC notification where required; California residents (CPRA) – SurveySparrow is a contracted Service Provider; transfer does not constitute a sale or sharing.
8. Your Privacy Rights
To exercise any right, contact privacy@milestone.tech. We respond within the timeframes required by applicable law. Response timeframes: EU/UK GDPR – 1 month (up to 3 months for complex requests); India DPDPA 2023 – 30 days; Singapore PDPA – 30 days (reasonable extension with notice); Philippines DPA – 15 business days (access) / 15 working days (other rights); CCPA/CPRA – 45 days (+ additional 45 days with notice).
8.1 EU / UK GDPR (EEA & UK Residents)
Access; Rectification; Erasure (see §8.5 below); Restriction of Processing; Data Portability; Object to processing based on legitimate interests; Withdraw Consent at any time without affecting prior lawful processing; Lodge a Complaint – EU: national supervisory authority; UK: ICO at ico.org.uk.
8.2 India DPDPA 2023 (India Residents)
Access to information summary; Correction, Completion & Erasure; Grievance Redressal (response within 30 days); Nominate another individual to exercise rights in event of death/incapacity; Complaint to the Data Protection Board of India (DPBI) if grievance is unresolved.
8.3 Singapore PDPA (Singapore Residents)
Access (including disclosure history from past year); Correction; Withdraw Consent (processing ceases within a reasonable timeframe); Data Portability (where applicable under PDPA provisions); Complaint to PDPC at pdpc.gov.sg.
8.4 Philippines DPA (Philippines Residents)
Right to be Informed; Access; Rectification; Erasure or Blocking (where processing violates the DPA); Object (including to direct marketing); Data Portability; Complaint to the National Privacy Commission (NPC) at privacy.gov.ph.
8.5 CCPA / CPRA (California Residents)
California residents have specific rights under CCPA (effective 2020) and CPRA (effective 2023). Milestone does not discriminate against you for exercising any of these rights.
Right to Know (categories and specific pieces of PI collected, sources, purposes, third parties); Right to Delete (see §8.6); Right to Correct inaccurate PI; Right to Opt Out of Sale or Sharing (Milestone does not sell or share – no opt-out mechanism required, but requests honoured); Right to Limit Use of Sensitive Personal Information (we do not collect SPI through this survey); Right to Non-Discrimination (no difference in quality or pricing); Authorised Agent (proof of authorisation required).
8.6 Right to Erasure & Our Indefinite Retention Policy
If you exercise your Right to Erasure (EU/UK GDPR Art. 17), Right to Deletion (CCPA §1798.105), Right to Correction/Erasure (DPDPA §12), or equivalent right under PDPA or Philippines DPA, Milestone will permanently delete all personal data associated with your survey responses – including all historical records across all survey cycles, in all systems including active databases, archival stores, and backups – within 30 days of your verified request. Because Milestone does not anonymise data, no residual dataset will remain. Note: erasure will remove your data from our longitudinal dataset, which may affect completeness of historical analysis for your account.
9. Data Security & Breach Notification
Milestone and SurveySparrow implement appropriate technical and organisational security measures, including: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access controls; regular penetration testing and vulnerability scanning; incident response and breach notification procedures; and an internal data access register for historical survey datasets. Breach notification obligations by jurisdiction: EU GDPR – National Supervisory Authority within 72 hours; individual notification if high risk. UK GDPR/DPA 2018 – ICO within 72 hours; individual notification if high risk. India DPDPA 2023 – Data Protection Board of India as prescribed by DPBI regulations. Singapore PDPA – PDPC within 3 calendar days of becoming aware; individual notification if significant harm. Philippines DPA – NPC within 72 hours (NPC Form available at privacy.gov.ph); individual notification required. CCPA/CPRA – California AG and affected consumers in an expedient manner; direct consumer notification required under §1798.150.
10. Contact Details, DPOs & Grievance Redressal
To exercise any right, withdraw consent, raise a concern, or submit a grievance, contact: privacy@milestone.tech.
11. Children's Privacy
This survey is intended for business professionals and is not directed at individuals under 18 (or such higher age as required by applicable law). Milestone does not knowingly collect personal data from minors. India DPDPA 2023 – processing of children’s data
(under 18) requires verifiable parental consent. Philippines DPA – data of minors requires consent of legal guardians per NPC guidelines. CPRA/COPPA – we do not knowingly collect personal information from consumers under 16 without opt-in consent. If you believe a minor has submitted responses without parental consent, contact privacy@milestone.tech immediately so we can delete the relevant data.
12. Changes to This Notice
Milestone may update this notice to reflect changes in applicable law, regulatory guidance, or data practices. Material changes will be communicated via the survey platform or by email (where contact details are held) with at least 14 days’ prior notice. The version number and effective date will always reflect the current version. Continued participation in surveys after notice of changes constitutes acceptance.