Effective January 8, 2024
This privacy policy discloses the practices of Qstream Inc. (“Qstream” or “we” or “our” or “us”) concerning personal information we obtain by and through your use of the online, web-based applications and platform licensed by Qstream to you (the “Services’) or the Qstream website qstream.com (the “Website”). Qstream is committed to protecting the privacy of individuals who use the Services and the Website and has published this privacy policy to show what personal information is recorded and for what purpose.
By using the Services and the Website you are accepting and consenting to the use of your information as described in this Policy.
From time to time, we may revise this policy to reflect changes in applicable laws, regulations, or practices or features of our Services or the Website. In such case, this policy will be updated and posted under the Privacy Policy link on the home page of the Website. Your continued use of the Services and Website following any such change constitutes your acceptance of the Privacy Policy, as changed. Please be sure to check this page before proceeding to use our Services or the Website.
If you have any questions regarding this privacy policy or concerning your personal information stored by Qstream, you may contact us at privacy@qstream.com.
Collection and Use of Personal Data
Visitors
A visitor accessing the Website is not required to provide any personal information. If a visitor submits an informational request or enquiry to us, we may collect and retain such personal information as supplied by the visitor to facilitate return contact and answering of the request.
Registered Users
A Registered User is either: (i) an individual licensed to use the Services, or (ii) an individual identified by a company who licenses the Services. Qstream shall collect and store the Registered User’s email address and name pursuant to the Registered User’s use of the Services. This is used to identify the Registered User for purposes of logging in, and to send application notifications when action is required.
A Registered User may optionally provide a profile of themselves which can include a picture and/or a biographical description of themselves. The foregoing information is elective and not required for a Registered User’s use of the Services. Registered Users have the right to access their personal information and may view or amend it at any time while logged in to the Services in the Dashboard area of their account.
Through the use of the Services a Registered User may optionally be enrolled in one or more courses, and over a period of time be presented with questions from those courses. Qstream stores the responses from the Registered Users and may use them to dictate future scheduling and presentation of questions.
Qstream Registered Websites
Qstream will assign the Registered User a website from which the Registered User may access the Services (the “Registered Website”). Qstream will record that the Registered User is a member of the Registered Website. Optionally, in the event of a company managed Registered User, a Registered Website can be configured to grant access to a Registered User’s manager to view reports containing Registered User responses. Further, if the Services are licensed by a company, the company site administrator in their sole discretion may choose to apply arbitrary tags to Registered Users, such as “sales region” or “country”, to facilitate grouping in reports.
Should a Registered User wish to prevent their personal information being processed on the service, they may request to have their account removed by request to their own company administrator in the case of services licensed to a company, or by request to privacy@qstream.com in the case of a user registered independently. Upon removal of a user’s account, their personal information will be deleted and they will no longer have access to the service.
Choice
Individuals have the right to limit or restrict the processing of their personal information. For such requests, persons using the Qstream Platform should contact their company Qstream Program Manager, which can be done by clicking on the support links while logged into the Qstream Platform, or presented in email correspondence from the Qstream Platform. If you do not know who this is, or you are unable to contact this person, or you should have any other queries or requests with respect to how Qstream processes your personal data, you should contact us directly at privacy@qstream.com and we will endeavour to assist you.
Sensitive Information
Qstream does not use, require, or knowingly record any sensitive personal information. We request that the Registered Users of our Services not provide to Qstream any sensitive information (e.g. data about an individual concerning racial origin; political, religious or sexual opinion, beliefs or persuasions; criminal convictions; trade union memberships; etc.), and we reserve the right to remove any such information on discovery.
Cookies, Web Beacons and Logging
Cookies
Cookies are also used for the following purposes:
- to collect analytical statistics about use of the Services and your use of the Website. This helps us better understand user behavior, which parts of our websites people have visited most frequently, from what geographic regions, etc. Qstream uses the Google Analytics service to gather this information. Details of how Google use this information are available at: www.google.com/policies/privacy/partners;
- to further the Visitor experience of the Website and to provide visitors with useful information pertaining to the Website and the Services.;
- or by our third party service provider to display advertising to Visitors of the Website with advertising information based on their interest in the Website and the Services. Visitors may opt-out from receiving the targeted advertisements by visiting the NAI website opt-out page here: www.networkadvertising.org/choices or the DAA opt-out page here: www.aboutads.infoor, for EU users, the EDAA opt-out page here: youronlinechoices.eu.
Beacons
Qstream may use web beacons in emails it sends to record the status of email deliveries for Registered Users, such as bounced, delivered, opened, etc. Qstream uses this information collected from the Registered Websites for the purpose of delivery troubleshooting and statistical analysis pertaining to the Services.
Logging
Qstream may log access to its Services and Website and retain logs for a period of time to facilitate in monitoring and improving the performance, security, and functionality of the Services and the Website Logs may contain IP addresses, which may indicate the location of a user, or Registered User as applicable, accessing the Services or the Website.
Onward Transfer Principle
Qstream does not share, sell, rent or trade personal information to third parties for marketing or promotional purposes. Qstream may transfer personal information, solely as required to facilitate the essential operation of the service, to its infrastructure providers such as cloud service or data center operators.
Compelled Disclosure
Qstream reserves the right to use or disclose personal information provided to Qstream in response to a lawful request by public authorities, including to meet national security or law enforcement requirements, or if Qstream reasonably believes that use or disclosure is necessary to protect Qstream’s rights and/or to comply with a judicial proceeding, court order, or legal process.
Data Security and Integrity
Qstream takes data security seriously and has in place appropriate physical and virtual safeguards, procedures and policies to prevent unauthorized access, disclosure, alteration or destruction of personal information.
Qstream uses personal information supplied by or on behalf of Registered Users solely to facilitate use of the Services by said users and, where relevant, their managers or administrators. Qstream will take reasonable steps to verify the validity of personal information supplied, for example by validating email addresses and/or the source of data supplied.
Data Privacy Framework
Qstream Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Qstream Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Pursuant to the DPF, EU and UK individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to privacy@qstream.com. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@qstream.com.
Qstream Inc.’s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, we remain responsible and liable under the DPF Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Qstream proves that it is not responsible for the event giving rise to the damage.
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), Qstream Inc. commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. EU or UK individuals with inquiries or complaints should first contact Qstream Inc, privacy@qstream.com.
Qstream Inc. has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
EU General Data Protection Regulation (GDPR)
Qstream complies with the principles of the GDPR, which are designed to safeguard the personal data and rights of individuals. Qstream applies these principles not just to EU residents, but to all individuals using the Services regardless of where they may be located, thus affording equal protections to all.
Qstream requires access to minimal personal data to provide the Services, such as name and email address, and does not process any sensitive data. Qstream uses this data in order to provide the Services to you. However, Qstream takes the security of all of your data seriously, and has in place appropriate technical and organisational safeguards, including but not limited to, the use of encryption and firewalls to protect your data.
In the provision of its Services, Qstream contracts with its customers and acts wholly in the capacity of a Data Processor, while those customers act in the capacity of Data Controller, with respect to the data provided by them to Qstream, and this forms the legal basis for processing such data. This is an important point to note, as while Qstream is committed to upholding an individual’s rights under GDPR, certain of those rights may need the input or action from their Data Controller, who is responsible for their data.
Under the GDPR, individuals have various rights with respect to their data. In support of this users of the Service, may view, obtain or correct their personal information by logging in with their dashboard.
Individuals also have the right to object or restrict such processing, or have their data erased. In such instances, individuals should contact their Data Controller directly, which will typically be your Qstream Program Manager at your company or organisation. If you do not know who this is, or you are unable to contact this person, or you should have any other queries with respect to GDPR or how Qstream process your personal data, you should contact us directly at privacy@qstream.com and we will endeavour to assist you.
Sub-Processors
Definition: Qstream defines a Sub-processor as any business or service that customer data may pass through. A Sub-processor can be a legal person, for example a business, an SME, a public authority, an agency or other body. In order to support the Qstream application Services, Qstream uses a number of trusted infrastructure hosting providers to provide essential functionality. In the context of GDPR, where your personal data may be transferred to a third-party Sub-Processors.
Note that in the case of the Qstream Services, these infrastructure providers do not interact with or view your personal data but are used solely in the provision of technical infrastructure, but as they do technically process your data, it is important for you to know who there are.
In the course of operating its general business, and providing the services to its customers, including troubleshooting errors, obtaining feedback and responding to email requests, storing project plans, etc., Qstream uses a number of other trusted service providers.
Current Sub-processors: Qstream’s current list of Sub-processors is available below (“Sub-processor List”) and is hereby approved by the Data Protection Officer.
New Sub-processors: Qstream shall provide updates to this policy of any new Sub-processor(s) as they are deployed.
Agreements with Sub-processors: In each case, Qstream has thoroughly vetted, and put in place appropriate Data Processing Agreements with such sub-processors to ensure that they maintain sufficient protections for your data as required by GDPR. Qstream has entered into a written agreement with each existing Sub-processor and shall enter into a written agreement with each new Sub-processor, containing the same or materially similar data protection obligations as set out in this policy, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Regardless of whether or not they process any personal data, Qstream, though its vendor management program, vets such providers to ensure they meet any requirements for GDPR, and has appropriate data processing agreements in place.
Sub-processor List:
Legacy Platform
Airbrake: Error monitoring, logging, metrics data and IP addresses, processed and stored on rolling retention window, for the duration of the Agreement.
Airship: Mobile notifications delivery, device identifier and content summary, processed and stored transiently, for the duration of the Agreement.
Heroku: Platform as a Service, all Data types processed and stored transiently, for the duration of the Agreement.
Rapid7 InsightOps: Logging infrastructure, logging data and IP addresses, processed and stored on a rolling retention window, for the duration of the Agreement.
Mixpanel: User interaction analysis for use in product development, anonymization of data occurs prior to delivery to ensure they don’t handle PII, for the duration of the Agreement.
NewRelic: Performance & Error Monitoring, logging, metrics data and IP addresses, processed and stored on rolling retention window, for the duration of the Agreement.
Pusher.com: Live updates in the browser for admin features. Data processed and stored transiently, for the duration of the Agreement.
RedisLabs: Temporary storage for background processing, for the duration of the Agreement.
Legacy and MLP Platforms
APNs: Push notification delivery, contact data and content summary, processed and stored transiently, for the duration of the Agreement.
Atlassian: Product development and issue resolution, contains customer information required for issue resolution, for the duration of the Agreement.
Amazon Web Services: Hosting and infrastructure services, all Data types stored/processed, for the duration of Agreement.
Firebase by Google: Push notification delivery, contact data and content summary, processed and stored transiently, for the duration of the Agreement.
JW Player: Video hosting for customer video content, data processed and stored, for the duration of the Agreement.
SendGrid: Email delivery, contact data and content summary, processed and stored transiently, for the duration of the Agreement.
Workato: Integrations with customer systems, syncing customer data (including PII) to and from Qstream for the duration of the Agreement.
MLP Platform
DataDog: Performance and error monitoring, logging, metrics data and IP addresses processed and stored on a rolling retention window, for the duration of the Agreement.
Sentry: Error Monitoring, IP addresses, potentially PII, processed and stored on rolling retention window, for the duration of the Agreement.
Zoom Video SDK: Video recordings of employees of our customers as part of video scenario functionality, processed and stored for the duration of the Agreement.
Sub-processors used in Qstream for productivity purposes are Dropbox, Mix Panel, Zoom Meetings, Slack, Google Workspace
ChatGPT: Powers Qstream’s Microlearning AI Content Generator allowing content authors to create microlearning questions, question data processed and stored, for the duration of the Agreement.
Productivity
Sub-processors used in Qstream for productivity purposes are Dropbox, Mix Panel, Zoom Meetings, Slack, Google Workspace.
U.S. Government Agency Governing Authority
Qstream, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission.
Contact Information
Questions, comments or complaints regarding Qstream’s privacy policy or personal information collection and processing practices can be emailed to: privacy@qstream.com.