The full legal posture, in one place.

Who this covers

The Privacy Notice applies to anyone who interacts with Askable in one or more of the following capacities:

• Customer — corporate clients conducting research, interviews and studies (ad-hoc, subscription, or partner).
• Participant — individuals who participate in research studies, including Askable Labs sample sessions.
• Researcher — certified individuals who assist with research studies on behalf of Customers or the lab.
• Supplier — individuals providing goods and services to Askable.
• Applicant — individuals who apply for employment or other engagement with us.
• Event Attendee — individuals who register and attend an event we host.
• Visitor — anyone browsing the website or enquiring about our functions or activities via electronic means.

You may fall into more than one of these groups simultaneously; in that case, multiple sections apply to you.

Askable does not make decisions on insurability or creditworthiness, and the Platforms and services are not for US Fair Credit Reporting Act (FCRA) purposes.

Our role — controller vs. processor

As a controller (or joint controller between Askable entities)

We determine why and how we process personal data. We only collect and process personal data that is necessary for our functions and activities. Askable acts as a controller when it collects personal information directly from you, including:

• When you interact with the Platforms — register your account, visit our social media channels, enquire about our services, complete an online form, participate in marketing campaigns, participate in research studies (including Industry Stream studies), or respond to offers to participate.
• When you apply for a job with us, including engaging in interviews and contract negotiation.
• When you submit a rights request or a privacy complaint.
• When you interact with us in person, by email, by phone, by enquiry or feedback form outside the Platforms.
• When you register for or attend an event organised by Askable.

As a processor for Customers

When we process personal data on behalf of a Customer, we do so purely on the instruction of the Customer (as data controller), unless otherwise stated. It is important that you consider how your personal data may be handled by Customers by reading their privacy policies and any collection notices associated with their studies. Askable acts as a processor when we collect and process your personal data on behalf of our Customers:

• To facilitate the recruitment of participants for research-study opportunities.
• To provide our services and platform for the completion of research projects.
• To facilitate the use of our Platforms, including associated tools and services.

Categories of personal data we collect

The types of personal data we collect and process as a controller depend on our relationship with you. We limit the information we collect to what is reasonably necessary for one or more of our functions or activities.

• Analytics data — IP address, browser version, pages visited, time/date of visit, time spent on pages, cookie data, approximate location. Collected from Visitors, Customers, and Participants. You can enable or disable some of this sharing in your browser or device settings.
• Enquiries and chat data — name, email, phone number, and enquiry details when you contact us or use our chat function.
• Event-Attendee data — name, contact details, dietary requirements, accessibility requirements (where applicable), company and role, event-attendance details, photo, clothing size if we provide swag.
• Customer contact data — details of the company's nominated contact person (Customers are generally companies).
• Participant registration data — email, password (hashed), name, gender, town/suburb, date of birth, occupation status, mobile phone number, incentive payment preference, payment email address.
• Participant profile data — locational attributes, demographic information, family status, level of education, occupation industry, job title, employment type, LinkedIn profile (if connected), voice clip (if provided), reading level, study preferences. May include sensitive personal information you voluntarily provide during a study (race, ethnicity, health, religious or political beliefs, sexual orientation, union membership, criminal record). Responses are recorded via video, audio, transcripts, and text collection.
• Researcher registration data — name, email, password (hashed), mobile phone number, video recording of onboarding responses, qualifications and experience details.
• Supplier data — contact details, business name and registration number (sole traders/partnerships), bank-account details (for payment of invoices), role information.
• Applicant data — application, CV / résumé, employment history, references, interview notes, testing results (psychometric, aptitude), licences, certificates, qualifications, right-to-work documentation.
• Request for access or correction data — contact details and identity-verification data sufficient to verify you (e.g. certified photo ID).

Legal basis & purpose

Askable uses personal data under the following lawful bases. We do not use personal data for purposes unrelated to our services or functions.

We may use or disclose personal data for secondary purposes where it would be reasonable to expect us to do so, and that secondary purpose is related (or directly related, for sensitive data) to the primary purpose. We do not use sensitive data for direct-marketing purposes.

Industry Stream studies — sale and disclosure

Industry Stream studies are conducted directly by Askable. During your participation, Askable records your responses via video and audio recordings, transcripts, and text collection (“Records”). These Records may include sensitive information. The Records are:

• Aggregated with other Participant responses, reviewed, analysed, summarised, and made available to Askable Customers for their internal business and research use. Customers agree not to publish identifiable personal data publicly or distribute outside their authorised internal teams — Askable cannot control Customer behaviour and is not responsible for a Customer's breach of its agreement.
• Sold to third parties for inclusion in their own data sets and for their own purposes. We take reasonable measures (including contractual arrangements) to require third-party purchasers to hold the data securely.

Industry Stream consent is gated at registration. If you do not consent to the sale of the Records, or to the disclosure of the Records to Askable Customers, you cannot participate in an Industry Stream study. Responses may also be reviewed and analysed by AI tools and used to train or validate those AI tools and the underlying AI models.

Children's privacy

We do not provide our services to children under the age of 13. If we discover that a child under 13 has provided us with personal data, we will immediately delete it. Children aged 13 to under 18 are able to create an account and use the Askable Platform provided that a parent or legal guardian gives consent and agrees to supervise them. Customers may require parents or legal guardians to enter into a separate agreement where their research involves the collection of personal data of children aged 13–18.

Automated decision-making & profiling

Askable does not use your personal data in any automated processes to make decisions about you. Customers (as data controllers) may choose to auto-approve Participants for their study where screening responses meet certain criteria — this happens on the Customer's instruction, not ours.

Askable provides several AI features integrated into the Platform; they assist Customers to conduct, analyse, and synthesise research, but they do not make decisions about you:

• AI Moderated — a feature in Askable Sessions where an AI moderator facilitates an interview. We inform Participants before the session when the interview will be conducted by an AI moderator.
• Automated continuous discovery — live insights dashboard that uses AI to summarise insights, trends, and summaries from interview transcripts.
• Ask AI — a tailored LLM designed for research that can summarise and analyse a research-interview transcript.
• Askable Industry Streams — AI tools may review and summarise Participant personal data to create business insights for Customers.

Data storage

Askable stores personal data only in electronic format, either on-site or in the cloud. The primary data store is MongoDB Atlas, hosted on AWS servers located in Sydney, Australia. Personal data covered includes registration data, purchase / payment data, communications data, profile data, and data from study sessions including recorded video responses.

Other third-party providers are used to store specific types of personal data (payment processing, email and communications). The personal data stored by third-party providers relates to their respective functions and services. The current subprocessor inventory is published at trust.askable.com/subprocessors and mirrored in the Trust Center subprocessors tab.

Data sharing & transfers

We generally disclose your personal data for the purposes for which it was collected. We may disclose personal data about you to:

• Our Customers — when Participants choose to participate in research studies (or Researchers complete projects on their behalf), Askable shares Participant or Researcher personal data with Customers that have an account with us. In data-protection terms, the Customer is the controller of this data, and Askable acts as a processor.
• Sharing between Askable entities — personal data is shared between Askable Pty Ltd (Australia), Askable Limited (UK), and Askable Inc. (US) under an intra-group data-sharing agreement aligned with applicable data-protection laws.
• Our service providers — insurers, IT and technology providers, recruitment providers, professional advisers, and other processors. We have contractual arrangements in place with all service providers that include privacy, security, and data-breach reporting controls.
• Government departments, agencies, and enforcement bodies — where required or authorised by law.
• Third parties by consent — where you have agreed and the personal data was collected for the purpose of passing it on.
• Sale of business — in connection with the sale or transfer of all or part of our business. Personal data may be disclosed to a proposed new owner for due diligence and transferred on completion.
• Marketing vendor (Taboola) — if you accept the marketing cookie on our banner, Taboola collects truncated IP, browser type, and click events for retargeting / suppression. Taboola is an independent controller for this purpose; a contract is in place between Taboola and Askable.
• Industry Stream sale — Participant personal data collected as part of Industry Stream studies may be sold to third parties, subject to your prior consent. See the Privacy Notice for details.

Askable will not otherwise sell or share your personal data with advertisers, sponsors, content providers, or anyone else, unless we have your express permission, there is a lawful ability or requirement, or in the case of Industry Stream Participants who have consented.

International transfers

Askable operates its platform and services globally, providing services to clients and participants in a number of countries. We may transfer personal data across jurisdictions, including to Australia, the United Kingdom, and the United States.

When transferring information outside of the United Kingdom or the European Union, Askable applies appropriate safeguards:

• Transfer Risk Assessments are conducted before international transfers.
• Agreements incorporate EU Standard Contractual Clauses (SCCs).
• Agreements incorporate the UK International Data Transfer Addendum (UK IDTA) for UK-originating transfers.

Security controls

Askable manages and disposes of personal data securely by implementing a range of data-security practices, including:

• Data stored securely on a cloud database with strong automated security features.
• Use of PCI-DSS compliant service providers for payment solutions.
• External security advisors engaged to conduct penetration testing at least annually.
• Access to personal data is provided only to staff who require it to undertake their role.
• Data-access controls within Askable, including multi-factor authentication.
• Encryption of data in transfer and at rest.

The full control library is documented in the Trust Center controls catalogue: 97 controls across infrastructure security, organisational security, product security, internal procedures, and data & privacy.

Retention

We retain personal data for differing periods, depending on the purpose for which it was collected. We will destroy or de-identify personal data when our legal obligations to retain the information have expired and we no longer need it for the purposes for which it was collected (or any secondary purpose where allowed at law).

For the avoidance of doubt, we may reasonably consider that information is still required by us in order to recommence providing our services. Following destruction, we may retain de-identified and anonymised information that can no longer be associated with you, indefinitely.

Certifications & attestations

The technical posture underneath the data-handling commitments above is independently audited:

• SOC 2 Type II — AICPA Trust Services Criteria. Report available under MNDA.
• ISO/IEC 27001:2022 — Information Security Management System.
• ISO/IEC 27701:2019 — Privacy Information Management System.
• ISO/IEC 42001:2023 — Artificial Intelligence Management System.
• UK Cyber Essentials — NCSC baseline.
• GDPR compliant; CCPA compliant.
• Wiz Cloud Security Excellence — cloud posture recognition.

Certificates and the SOC 2 Type II report are available from the Trust Center resources page.

Brief-specific consent

Every research session you participate in has its own consent record. We ask you to agree before the session starts; the consent is tied to the specific brief, study purpose, intended use of the recording, and the Customer (where applicable). Consent is versioned — if the brief changes materially, a new consent record is created.

Withdrawal

You can withdraw consent at any time before release. If we are the data controller, withdrawal triggers deletion of the source recording from our systems; if we are processing on behalf of a Customer (data controller), we will relay the withdrawal request to the Customer.

Sensitive personal information

Sensitive personal information includes race or ethnicity, health, hobbies, religious or political beliefs, sexual practices and orientation, political opinions, trade-union membership, and criminal record. Where you voluntarily share this during a session, it is recorded as part of the session capture. We do not use sensitive data for direct-marketing purposes. Sensitive data is collected only where reasonably necessary or directly related to the Platforms and services we provide, and only where you have consented or its collection is permitted or authorised by law.

AI moderation transparency

Some Customers choose to use the AI Moderated feature, where an AI moderator facilitates the research interview. We inform research participants prior to the research interview where the interview will be conducted by an AI moderator. Audio responses are processed by speech-to-text and large language model providers under contracted-processor terms; the subprocessor list is published at trust.askable.com/subprocessors.

Identity verification & participant integrity

Participants are identity-verified at registration and re-verified at session. The platform records device-screen activity during application and screening-question completion to ensure quality and to enforce honest answering under the Terms — if a Participant breaches the Terms by changing answers to appear to be a best-fit, the breach is noted on the Participant's account record and may make them ineligible for future research.

Customer behaviour outside our control

When Askable processes personal data on behalf of a Customer, the Customer is the data controller. Askable does not control how Customers use or disclose your personal data once the recording, transcript, or screening data has been provided to them. Your personal data may be published, reproduced, or stored by Customers under their own policies. We require Customers to publish a Privacy Policy and any study-specific collection notices, but we are not responsible for Customers' breach of their own agreements.

Industry Stream consent (specific)

Industry Stream studies are conducted directly by Askable (Askable is the controller). Industry Stream Records are aggregated and made available to Customers, and may be sold to third parties. Consent for sale and disclosure is collected at the point of registration for an Industry Stream study. If you do not consent, you cannot participate. AI tools may review, summarise, and analyse the Records, and the Records may be used to train or validate Askable's AI tools and underlying AI models.

Payment & incentive integrity

Participants are paid via the incentive system (currently PayPal or GiftPay, by participant preference). The incentive amount, payment currency, payment status, and payment method are recorded for each session. Payment is contingent on completion of the session per the brief and the Participant's adherence to the Terms.

Researcher engagement

Certified Researchers conducting research on behalf of Customers via Project Delivery are bound by an engagement contract that incorporates the privacy and security controls described in this document. Researchers must use the Askable Sessions tool to conduct virtual research studies. Recording, transcript, and session metadata are collected by Askable on behalf of the Customer.

Complaints

Complaints about Askable's personal-data handling should first be directed to the regional Privacy Officer addresses on the Overview tab. If you are not satisfied with the outcome, you may contact the relevant data-protection regulator — OAIC (Australia), ICO (UK), your national DPA (EU), or CPPA (California). See Your Rights.

What cookies are

Cookies are small data files placed on your device by a website or web application. We use them, alongside other tracking technologies, to operate the Platforms, remember preferences, understand how the Platforms are used, and (where you opt in) for marketing.

Essential cookies

Required to operate the website and Platforms. They enable basic functions like page navigation, secure session management, and access to authenticated areas. Without them, the Platforms cannot function properly. Essential cookies do not require consent under either UK GDPR or EU GDPR.

Analytics cookies

Used to analyse usage of our websites and improve the platform and user experience. The lawful basis is consent — if you don't accept, we don't use them. Disabling these may affect your ability to use certain features and your user experience generally.

Marketing cookies (Taboola)

If you accept the marketing cookie on our cookie banner, Taboola collects data via its pixel for ad targeting and analytics. Taboola is an independent controller for this purpose, meaning Taboola and Askable determine their own data-processing purposes and means of processing for the data Taboola collects. A contract is in place between Taboola and Askable.

The types of personal data collected by Taboola are: browser type, truncated IP address, and click events. Their privacy notice is available on their website.

Web beacons / pixel tags

We may include small graphic images or other web-programming code, called web beacons (also known as pixel tags, web bugs, or clear GIFs), on our Services and in our messages. They are minute graphics with a unique identifier. They are used to track online movements of Site users, inform us what content is effective, monitor how users navigate the Services, count users, and count how many emails sent by us were actually opened.

Browser controls

You may choose to enable or disable some sharing of information with us via your browser or device settings. Disabling the sharing of some information may affect your ability to use certain features and your user experience generally.

To opt out of the sale or sharing of your personal data for cross-context behavioural advertising under the CCPA, email privacy@askable.com.

Acceptance & account

By using the Platforms, you accept the Terms and Conditions and the Privacy Notice. To register for a Participant, Customer, or Researcher account you must be at least 13 years of age; users under 18 require parental or guardian consent and supervision. Account credentials must be kept secure; Askable may suspend or terminate any account for breach of the Terms (including breach of the Participant honesty requirements during screening).

Permitted use

The Platforms are provided for the purpose of facilitating research, capturing sessions, and delivering structured outputs to Customers. You may not use the Platforms to:

• Provide false or misleading information, including dishonest answers to screening questions.
• Attempt to circumvent identity verification, screening, or quality-assurance controls.
• Reproduce, redistribute, or commercially exploit Participant personal data outside the scope of an authorised study.
• Probe, scan, or test the vulnerability of the Platforms, except under an authorised responsible-disclosure programme.
• Use the Platforms for any purpose prohibited by applicable law.

Fees, incentives, and payments

Customers pay Askable for the Platforms and services per the Askable Software Services Agreement or per-credit pricing as agreed. Participants are paid an incentive for completing a study; payment is by PayPal or GiftPay according to Participant preference, and is contingent on the Participant completing the session per the brief and adhering to the Terms. Researchers are paid by invoice on completion of each research project.

Intellectual property

All rights in the Platforms, the Askable trademarks, and the underlying software remain with Askable. Customers receive a non-exclusive licence to use research outputs delivered under their study. Industry Stream Records, where consented, may be sold by Askable to third parties; in that case Askable retains the rights necessary to do so per the Industry Stream consent.

AI features

The Platforms include AI features (AI Moderated, Automated Continuous Discovery, Ask AI, Industry Streams). These features may be enabled per-brief by the Customer (where Askable is processor) or by Askable directly (Industry Streams). Participants are informed before any session moderated by an AI agent. Outputs of AI features assist Customers to conduct, analyse, and synthesise research and do not constitute decisions made about Participants by Askable.

Withdrawal & deletion

Participants may withdraw consent at any time before release of a session. Account deletion is supported via the account settings; after deletion, Askable will destroy or de-identify personal data as set out in the Privacy Notice, subject to retention obligations at law.

Warranty & liability

The Platforms are provided on an “as is” basis except where otherwise required by mandatory consumer-protection law. Askable's liability is limited to the maximum extent permitted by applicable law. Customers receive the warranties set out in the Askable Software Services Agreement.

Indemnities

Customers indemnify Askable against losses arising from Customer breach of these Terms, breach of the Data Processing Agreement, or use of the Platforms outside their authorised scope. Participants indemnify Askable against losses arising from dishonest screening responses or breach of session consent.

Governing law

The Terms are governed by the laws of the jurisdiction in which the contracting Askable entity is incorporated:

• Australia & New Zealand — Queensland law (Askable Pty Ltd).
• United Kingdom & EU — England & Wales (Askable Limited).
• United States — Illinois (Askable Inc.).

Other policies

Askable publishes additional governance policies covering modern slavery, fair labour practices, gender, fairness & diversity, sustainability, and ethical behaviour & anti-corruption. The full set is indexed at askable.com/legal/.

The Trust Center publishes the operating controls, certifications, subprocessor list, and security update log. Visit security & certifications for the live record.

How to exercise a right

1. Email privacy@askable.com from the email address on your Askable account, or write to the regional Privacy Officer address on the Overview tab.
2. State the right you wish to exercise and (briefly) the personal data it relates to.
3. If the data we hold doesn't allow us to verify your identity, we may ask you to provide a certified photo ID.
4. We confirm receipt within 24 hours and respond substantively within 30 days (Australian Privacy Act) or 1 month (UK / EU GDPR).

Askable will not discriminate against you because you exercised an individual right set out above. There are no charges for requesting access to or correction of your personal data, although we reserve the right to charge reasonable administration fees in exceptional circumstances and will notify you in advance.