Definitions No. 1

“Syno group of companies” / “Syno” all references in this Privacy policy to Syno include Syno and its parent, subsidiary and affiliated companies. All references to “us” or “we” refer to Syno, including but not limited:

• UAB Syno International, a private limited civil liability company, incorporated and operating pursuant to the legal acts of the Republic of Lithuania, under legal entity code 302748928;
• Syno Poland sp. z o. o. (Syno Poland), a company incorporated and operating pursuant to the legal acts of Poland, under registration code 0000667223;
• Syno International (UK) Limited (Syno UK), a company incorporated and operating pursuant to the legal acts of the United Kingdom, under registration code 11839775;
• Asia Syno International PTE. LTD. (Syno Asia), a company incorporated and operating pursuant to the legal acts of Singapore, under registration code 201717773E;
• Syno International Inc. (Syno Korea), a company incorporated and operating pursuant to the legal acts of South Korea, under registration code 110111-6387941;
• Syno International Danışmanlık Hizmetleri Limited Şirketi (Syno Turkey), a company incorporated and operating pursuant to the legal acts of Turkey, under registration code 0788092246100001;
• UAB Syno Mexico (Syno Mexico), a company incorporated and operating pursuant to the legal acts of Mexico, under code USI200206S97.

“Syno systems and platforms” means all the Syno systems and platforms and services which are provided by Syno, such as Syno Manager, Syno Tool, Syno Library, Syno Rewards, Surveyo24, etc. to natural or legal persons, i.e. clients, users, respondents, panellists, website visitors, other parties, third-parties and etc.

“Services” means services of Syno systems and platforms which are provided by Syno to natural or legal persons, i.e. clients, users, respondents, panellists, website visitors, other parties, third-parties, etc.

“Day” means any business day, which is not Saturday or Sunday or national holiday.

Definitions No. 2

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” means sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Non-personal data” means any information and data which is not personal data, and from which it is not possible to identify a data subject.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data subject” means an individual person whose personal data and special categories of personal data was processed / is processed / will be processed by a data controller and / or data processor.

“Data controller” means:

• Syno or any of company which belongs to Syno indicated in Section “Definitions No. 1” in definition “Syno”;
• Natural or legal person, which orders services of Syno systems and platforms, and which, alone or jointly with others, determines the purposes and means of the processing of personal data, and who receives and processes personal data in Syno systems and platforms in individual cases when Syno helps / doesn`t help to process personal data.

“Data processor” means:

• A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (Syno). Currently Syno uses below indicated data processors which help to process personal data:

Amazon (AWS) https://aws.amazon.com/ (server provider)

Interneto vizija https://klientams.iv.lt/ (server provider)

UAB “Rakrejus” https://www.rackray.com/ (server provider)

Cint https://www.cint.com/ (service provider)

Pollfish https://www.pollfish.com (service provider)

InnovateMR https://www.innovatemr.com/ (service provider)

Inbrain https://www.inbrain.ai/ (service provider)

Google https://www.google.com/ (service provider)

Huuray https://huuray.com/ (service provider)

Tango cards https://www.tangocard.com/ (service provider)

Microsoft https://www.microsoft.com/ (service provider)

NeoCurrency https://neocurrency.com/ (service provider)

Zendesk https://www.zendesk.com/ (service provider)

Fixed & Mobile Pte. Ltd. https://www.dtone.com/company/about-us (service provider)

Virtual Incentives https://www.virtualincentives.com/ (service provider)

• Syno or any of the company which belongs to Syno indicated in Section “Definitions No. 1” in definition “Syno” which processes personal data on behalf of the data controller, when the data controller orders services of Syno systems and platforms. Syno may use sub-processors, including affiliates of Syno as well as third party companies (included but not limited to the ones indicated above as Syno data processors), to provide, secure or improve the Services, and such sub-processors may have access to personal data.

“Consent of the Data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“General data protection regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

“California Consumer Privacy Act” is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority. (CCPA)

Information we collect

• When a data subject visits Syno websites, Syno collects and stores information about the data subject, data subject`s computer and / or device. More about this you can read in Cookies policy on https://www.synoint.com/cookies-policy. Basically, Syno collects: IP address, the website from which you access our website, http answer code, data and time of access.
• Personal data about Syno employees: e-mail, telephones No., name, surname, postal code, date of birth, country, address, gender, bank account details, wage, CV (curriculum vitae), photos, payments details, education data, holidays, etc. Personal data about data subjects, who apply to open positions in Syno ( https://www.synoint.com/job-career): e-mail, telephones No., name, surname, postal code, date of birth, country, address, gender, CV (curriculum vitae), motivational letter, education data, experience data, hobbies, other skills.
• Non-personal data – metadata (data / information that provides information about other data), when the data subject uses Syno websites or services, such as: status, creation date and time, last modification date and time, files names, type, size, various identifiers.
• Personal data when data subject contacts Syno (for example by https://www.synoint.com/contact): name, e-mail, request, message content, consents.
• When Syno conclude business (cooperation) relations, orders or agreements, Syno processes: name and surname of authorized representative, representative email, signatures.
• When a data subject (if it is legal person) creates an account (including cases when Syno creates an account by data subject request) to use services of Syno systems and platforms or apply for the provision of other services, Syno might collect: e-mails, telephone No., user names, passwords, details of payments, data on services provided, postal code, data about company’s employees, contact data of company`s data protection officer, contact data of company`s representative, signatures.
• When a data subject (if it is natural person) creates an account (including cases when Syno creates an account by data subject request) to use services of Syno systems and platforms or apply for the provision of other services, Syno might collect: e-mail, telephone No., user name, password, name, surname, postal code, date of birth, country, address, gender.
• Personal data when data subjects (such as panellists, respondents and other users and members), register to participate in Panels, Surveys, market research, public opinion polls and other market research activities: user name, password, e-mail, gender, age, postal code, country, phone number. More about this you can read in Terms and Conditions for Panellists and Respondents on https://www.synoint.com/terms-and-conditions-for-panellists
• Personal data and special categories of personal data when data subjects (such as panellists, respondents and others) respond to Syno questionnaires: region of workplace, type of work, shopping habits, travel, data about education, political view, religion view, health, languages. When data subject participates in rewards systems and intends to get rewards, Syno processes: e-mail, name, surname, user name, passwords, number of projects that they participated in.
• Information about the operations and services performed with Syno systems and platforms and other Syno products, such as: what services have been used, how much time, for what purpose.

Use of information

The protection and security of your personal data, sensitive (special categories) personal data and non-personal data are important to Syno. Therefore, Syno is committed to respecting and protecting the privacy of each person (i.e. data subject).

• Market research purposes (including market and public opinion research; customers and consumer’s insights; loyalty and rewards programs; provision of statistical information; provision of data collection, processing and reporting solutions; addition of the data received from third party about data subject to it’s profile information);
• Submitting the best deals and get acquainted with Syno services;
• Proper administration and management of agreements, orders, projects, other documents, services, etc.;
• Implementation of the requirements and provisions of the legislation;
• Quality control purposes of performed services by Syno.

Period of storage of information

Syno stores your personal data, sensitive (special categories) personal data and non-personal data for no longer than it is required by the data processing goals or is stated in legal regulations if there is a longer data duration provisioned. We aim not to store outdated or irrelevant information and ensure that personal data and other information would be updated consistently and correctly.

The term of data storage may be from 1 (one) to 10 (ten) years, unless the law specifies and / or is agreed otherwise.

For example:

• Syno stores personal data about data subjects, who apply to open positions up to 1 (one) year, unless agreed otherwise;
• Syno stores personal data about Syno employees up to 10 (ten) years, unless agreed otherwise;
• When a data subject creates an account/profile to use services of Syno systems and platforms, and is active – Syno stores data subjects data at least 3 (three) years from last activity. If the data subject has not been active for the entire duration of the 3 years period Syno deletes the stored data about the data subject. In case the data subject submits the request to delete stored data about him – Syno obliges to delete it within 30 days after receiving the request.

Syno periodically reviews all stored data and makes sure that inaccurate or out-of-date data is not processed.

Using children`s personal data

Syno websites, services of Syno systems and platform and other services, are not intended for minors.

Syno complies with General data protection regulation and also with Law on the legal protection of personal data of the Republic of Lithuania where indicated that persons under the age of 14 (fourteen) are considered to be minors.

In view of this, Syno takes the position that minors should not visit Syno websites and use Syno Services.

Syno confirms that it does not collect information and data from / about data subjects who are minors. If there are any cases when children want to visit in Syno websites and use Syno services or other Syno activities, they have to submit consents and permissions from their parents and implement other requirements specified in the General data protection regulation and on the Law of the legal protection of personal data of the Republic of Lithuania.

If we learn that a child under age 14 (fourteen) has improperly provided us with information, we will notify the child’s parent or legal guardian and thereafter delete the child’s personal information from our records.

Legal grounds for using your personal data

Syno shall use your personal data only where we have a legal ground to do so. We determine the legal grounds based on the purposes for which we have collected and used your personal data. In every case, the legal ground will be one of the following:

• Consent by data subject: for example, where you have provided your consent to create an account to use services of Syno systems and platforms and create your profile. You can withdraw your consent at any time.
• Our legitimate interests: where it is necessary for us to understand the quality of our services, etc. For example:

• We will rely on our legitimate interest when analyzing what services the data subject uses;
• It is in our legitimate interest to determine what services may be relevant to the interests of our clients, customers;
• As well we may record the voice and/or location of the data subject during face to face interviews for interviewer quality control purposes of performed Syno services;
• Syno analyses what content has been viewed on our sites, so that we can understand how they are used, etc.

• Performance of a contract / agreement with you (or in order to take steps prior to entering into a contract with you): for example, Syno offers services and you are going to pay fees for services. For this we need to use your contact details, etc.
• Implementing other contracts and agreements under which personal data are processed.
• Compliance with law: in some cases, we may have a legal obligation to use or keep your personal data.

Principles of data processing

Syno ensures that personal data, sensitive (special categories) personal data and non-personal data shall be:

• Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

IP hashing is used for the purpose of pseudonymisation. Data at rest is encrypted using AES256 bit encryption. Data in transit is protected by Transport Layer Security (”TLS”).

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding user role and authorization concept.

Implementation procedure of data subject rights

Syno ensures that according to the General data protection regulation would be implemented all rights of data subjects:

• Right to be informed;
• Right to access;
• Right to rectification;
• Right to erasure (Right to be forgotten);
• Right to restriction of processing;
• Notification obligation;
• Right to data portability;
• Right to object;
• Automated decision – making;
• Right not to be discriminated against for exercising the rights available to you under applicable data protection laws.

If you would like to implement any of these rights, or if you think that we process incorrect personal data about you, or you have any other questions regarding your rights, please contact by e-mail data.protection@synoint.com.

We will deal with your request within 30 days. If your request is complicated or if you have a large number of requests, it may take us longer. We will let you know if we need longer than 30 days to respond. If you ask us to delete your personal data or restrict how it is used, there may be exceptions to the right to erasure for specific legal reasons which, if applicable, we will set out for you in response to your request. We also have to inform, that we need specific information from you to help us confirm your identity, so please fill in all required information about you and submit your request as clearly and understandable as possible.

If you are unable to resolve the issues with Syno and if Syno engagement or a lack there of worries you that this privacy report or legal regulations requirements are not being adhered to, you have the right to contact State data protection inspectorate of the Republic of Lithuania (supervisory authority) or other institutions which are responsible for the supervision and control of legal acts which regulate personal data protection and implementation of data subjects rights.

Security of your personal data

Syno has implemented appropriate technical and organizational controls to protect your personal data against unauthorized processing and against accidental loss, damage or destruction.

But we must inform, that you are responsible for choosing a secure password when we ask you to set up a password to access parts of our sites, Syno systems and platforms. You should keep this password confidential and you should choose a password that you do not use on any other site. You should not share your password with anyone else, including anyone who works for us. Unfortunately, sending information via the internet is not completely secure. Although we will do our best to protect your personal data once with us.

If you suspect that passwords have been compromised, please inform about this immediately by e-mail info@synoint.com and / or data.protection@synoint.com.

We also ask you to read more about the Syno security in Security policy on https://www.synoint.com/security-policy.

International data transfers

Data we collect may be transferred to, stored and processed in any country or territory where any of Syno companies exist or service / servers providers (data processors) are based or have facilities. While other countries or territories may not have the same standards of data protection, Syno will continue to protect personal data that we transfer in line with this privacy policy and other procedures by Syno.

We may transfer your personal data we collect outside European Economic Area (EEA) and by accepting this Privacy Policy you explicitly permit us to do so. We may also transfer your personal data to countries for which adequacy decisions have been issued, and/or use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or their equivalent under applicable law. Whenever we transfer your personal data out of the European Economic Area (EEA), we ensure similar protection and put in place at least one of these safeguards:

• We will only transfer your personal data to countries that have been found to provide an adequate level of protection for personal data;
• We may also use specific approved contracts with our service providers, servers’ providers, data processors, data sub-processors, that are based in countries outside the EEA using European Commission’s Standard Contractual Clauses. These contracts give your personal data the same protection it has in the EEA;
• We have informed the supervisory authorities about these transfers if applicable;
• We have received all necessary permissions and consents for transferring of personal data.

Syno informs you that for proper provision of services, your personal data may be accessed by the Syno companies having respective data processing agreements in place between the companies.

In most cases, Syno only provides non-personal data to other countries.

Who we share your personal data with

Depending on where you live, we may share your personal data but just in exceptional cases. We do not share your personal data with other people or organizations that are not directly linked to us, but Syno may disclose personal data, profiling data, or other data to third parties as follows:

• We may disclose your personal data to any law enforcement agency, court, regulator, government authority or other organization if we are required to do so to meet a legal or regulatory obligation, or otherwise to protect our rights or the rights of anyone else;
• With agents, consultants, contractors or partners of Syno in connection with services that these individuals or entities perform for, or with, Syno. These agents, contractors or partners are restricted from using this information in any way other than to provide services for Syno;
• We may reveal your personal data to any other organization that buys, or to which we transfer all, or substantially all, of our assets and business. If this sale or transfer takes place, we will use reasonable efforts to try to make sure that the organization we transfer your personal data to uses it in line with our privacy policy;
• We may share your personal data in other specific cases, when we have the right to provide this data, and the other party has the right to receive this data;
• When we believe that disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with suspected or actual illegal activity;
• We will not share your personal data with anyone else in other cases unless we have your permission / consent to do this.

CCPA Privacy notice

Under the California Consumer Privacy Act (“CCPA”), California residents have certain special rights related to their personal information.

Under CCPA, “personal information” includes, but is not limited to names, postal and addresses, IP addresses, and social security or other identification numbers. “Sell” is broadly defined under CCPA. Its meaning includes “…renting, releasing, disclosing, disseminating, making available,[and] transferring…”

If you’re a California resident, some of your interactions with Synowill be governed by CCPA. Specifically, in connection with services we provideto our clients, we might, from time to time, provide some personal information about you to our clients or other collaboration partners, such as your contact information or certain combinations of anonymized or pseudonymized demographicand other information.

As a California consumer, you have the right to opt-out of this “sale”of your personal information. You may exercise this right by filling out theform below, or by submitting request via email to data.protection@synoint.com , or by contacting us via post addressing it to DPOattention: UAB “Syno International”, Address: Vilniaus str. 35, Vilnius, 01119,Lithuania.

If you choose to exercise your right to opt-out (either directly or viaan authorized agent), we may request certain personal information such as emailaddress and postal code in order to verify that you (and, as applicable, youragent) do in fact authorize the request.

Do not sell my personal information.

Concepts and meanings of your consents

In Syno systems and platforms and services, you can see the consents and permissions which we ask you to mark.

In below we provide a broader and more detailed explanation of these consents and permissions:

“I confirm that I have read the Privacy Policy and agree to Terms and conditions” and means that you have read all these documents and you agree with the content and conditions set in these documents.

“I agree to participate in surveys and other market research activities” means that you freely and indecently agree to provide your opinion, personal data, answers to various questions which we ask in surveys and questionnaires, and you can get a reward for it.

“I agree to get newsletters and notifications” means you agree to get information from us on behalf of the panel owner about services, panel related offers, suggestions, news and changes.

“I agree to share my profile information with third-parties for market research purposes” means you agree to get more surveys from our partners, from other parties, and also it means that you might get more rewards for this. When profile data can be shared, then the surveys should be more relevant to you.

“I agree that third-party data is added to my profile for market research purposes” means you agree that information related to your personal data received from third-party would be added to your profile information.

“I agree to the collection and or sharing of my advertising identifiers or other identifiers” means you agree to help us analyze your information better, more detailed, clearly understand your answers and provide better services.

“I agree to share my sensitive data for market research purposes” means you agree that in surveys there could be questions about your special categories of personal data. In this case, surveys would be more adapted for you and more informative for us. It is likely that you will receive more surveys that are relevant to you.

Most of your consents can easily be revoked at any time by writing an email to data.protection@synoint.com (if it is related to the processing of your personal data) or info@synoint.com (if it is related to other topics), or you can easily revoke most of your consents in Syno systems and platforms by yourself.

Data protection officers (DPO)

In adherence to the General Data protection regulation, Syno has assigned the following Data protection officers:

• General counsel Jurgita Sakalauskiene (on legal side)
• Chief Technology Officer Albertas Jurgelevičius (on IT side).

You can read more about our Data protection officers on www.synoint.com/dpo.

If you would like to contact Syno Data protection officers, you have questions related to the processing of your personal data, the protection of personal data, or other matters related to personal data, please contact us by e-mail data.protection@synoint.com.

Actual and useful links under this Privacy policy:

• General data protection regulation (current version): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=LT
• Law on the legal protection of personal data of the Republic of Lithuania (current version): https://www.e-tar.lt/portal/lt/legalAct/TAR.5368B592234C/VCRurdZydD
• International data transfers using model contracts: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
• About General data protection regulation: https://eugdpr.org/
• Amazon (AWS) Privacy notice: https://aws.amazon.com/privacy/
• UAB Interneto vizija Privacy policy: https://sutartys.iv.lt/preview/privatumo_politika.php
• UAB Rakrejus Privacy policy: https://www.rackray.com/lt/privatumo-politika/
• Cint Privacy notice: https://www.cint.com/participant-privacy-notice
• Google Privacy policy: https://policies.google.com/privacy?hl=en

Applicable law and changes

Syno is committed to protecting the privacy and security of all Personal Data collected or received by Syno. Syno strives to conform its privacy practices with applicable international, national and/or local laws and regulations. This Privacy policy is governed by the laws of the Republic of Lithuania.

Syno reserves the right to modify the terms and conditions of this Privacy policy or alter or end its services at any time at its sole discretion. You are responsible for ensuring that you will regularly review the present Privacy policy. If you choose to continue using Syno services after any modifications to the present Policy is made, you will be considered to have fully and unconditionally accepted the aforementioned modifications to this Privacy policy. The main and always updated version of this Privacy policy is posted in English on www.synoint.com/legal.

This Privacy policy might be used by the following sites:

www.synoint.com, www.synorewards.com, www.surveyo24.com, https://app.synopanel.com/

Effective date: 2018/05/18

Last updated and revised version: 2023/01/01