Privacy notice

When you use our platform as a researcher, organisation admin, or team member, we are the data controller for your account data.

We collect:

• Account information (name, email, company)
• Usage data (features accessed, login times)
• Billing information (processed by payment provider)
• Analytics (PostHog, anonymised)

Legal basis: Contract performance (Article 6.1(b)) and legitimate interests (Article 6.1(f)).

When you participate in a survey or interview created by one of our Customers, we are a data processor and our Customer is the data controller.

What this means:

• Our Customer determines what data to collect and why
• Our Customer is responsible for obtaining your consent
• Our Customer must respond to your GDPR rights requests
• We process your data only on behalf of and according to our Customer's instructions

We process:

• Interview and survey responses
• Optional demographic information (age, occupation, location)
• Quality-assurance data (country, region, city, ISP, timezone, and a one-way hashed IP address) retained for fraud prevention and sample quality purposes — this data cannot be used to identify an individual
• Consent timestamp (recorded when a participant accepts the research consent statement)
• Technical data (device type, timestamps)

We use artificial intelligence to analyse research data:

• AWS Bedrock (Claude): Text analysis, thematic coding, insight generation — EU (Frankfurt)
• Azure OpenAI (GPT): Text analysis, real-time interview chat, summarisation — EU (Sweden)
• Azure Speech Services: Real-time voice-to-text for AI-moderated interviews (voice audio is not stored; only text transcripts are retained) — EU (Sweden)

Your data is not used to train AI models. AI providers process data in real-time and do not retain it for model improvement.

Data minimisation: All AI processing runs within our own EU cloud infrastructure. Customer Data does not leave our cloud boundary and is not shared with or retained by AI providers. Research participants are typically pseudonymised before they enter the platform, as Customers generally use external panel providers that handle consent and pseudonymisation upstream. Meaningful retains only non-identifying quality-assurance data per response (country, region, city, ISP, timezone, and a one-way hashed IP) which cannot be linked back to an individual.

Your data may be accessed by:

• The Customer: The organisation that invited you has full access to your responses
• Customer's team members: Researchers and analysts designated by the Customer
• Sub-processors: See our sub-processor list

Your data is never shared with other Customers or sold to third parties.

Data is retained for as long as the Customer keeps it on the platform. Customers can delete workspaces, projects, and data sources at any time.

• During subscription: Customer controls when to delete data
• Account termination: Data deleted within 90 days after Customer account closure

You have the following rights:

• Right of access (Art. 15): Request a copy of your account data
• Right to rectification (Art. 16): Correct inaccurate data via account settings or by emailing us
• Right to erasure (Art. 17): Delete your account via account settings or by emailing us
• Right to data portability (Art. 20): Export your data in JSON format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to lodge a complaint: Contact your supervisory authority

To exercise these rights, email contact@meaningful.app. We will respond within 30 days.

You must contact the organisation that invited you to participate. They are responsible for providing you with a copy of your data, correcting inaccuracies, deleting your data upon request, and responding within 30 days.

If you cannot reach the organisation, email contact@meaningful.app with your email address, the approximate date you participated, the topic of the research, and your request. We will forward your request to the Customer and follow up to ensure they respond.