NVD Select Sample Data Privacy Policy

1. Our Role: Technical Sample Aggregator & Supplier

Select Sample is operated by NuVoodoo Media Services, which is responsible for the collection and use of personal data. NuVoodoo Media Services ("NVD," "we," "us," or "our") provides technical routing and aggregation services for market research surveys. Our systems act as a secure bridge between sample panel providers and client survey platforms.

NVD follows a "Privacy by Design" and "Data Minimization" framework. We do not collect, store, or maintain personal data (PII) within our systems. Our infrastructure is designed to process data ephemerally, ensuring no persistent record of an individual's identity is created or held by NVD.

2. Data Minimization: The Pseudonymous ID Model

To protect individual privacy and comply with US and GDPR standards:

  • No PII: NVD does not ingest or store names, email addresses, or physical addresses.
  • Pseudonymous Identifiers: We only process a unique, non-descriptive ID (e.g., a "Panelist ID") provided by a third-party sample source.
  • Technical Transit: This ID is passed directly through to the client’s survey platform to facilitate research completion.
  • Zero Persistence: NVD does not maintain a database of these IDs. Once the redirect to the survey platform is complete, the transaction is finalized. No personal data is transmitted to or collected by NVD servers. Pseudonymized IDs are retained until they have been approved or discarded by the client at the end of each project.

3. US and International Compliance

NVD operates as a Technical Sub-Processor. Our compliance is anchored in the principle of Data Minimization by Design: we serve exclusively as a secure, ephemeral bridge for survey traffic. NVD does not collect, store, or perform substantive analysis on Personal Data (PII).

A. Our Compliance Mechanisms (Processor Obligations)

We align our operations with the requirements of UK GDPR/EU GDPR Article 28 (Processor Obligations) and US Privacy Standards (CCPA/CPRA) through the following:

  • Purpose Limitation & Data Minimization: In accordance with GDPR principles, we process data solely for the technical routing of survey traffic. NVD does not engage in data "mining," profiling, or the creation of persistent consumer datasets. Under US law (CCPA/CPRA), NVD functions as a Service Provider, ensuring we do not "sell" or "share" personal information.
  • Technical Security (Art. 32 GDPR): We utilize industry-standard encryption (TLS 1.2+) for all data in transit. Our infrastructure is architected to prevent "data at rest"; all pseudonymous tokens are processed in volatile memory and are discarded immediately upon the completion of the survey redirect.
  • Assistance to Controllers: We maintain minimal technical logs solely to assist Data Controllers (our Clients) in meeting their obligations for security incident reporting. These logs are pseudonymized and subject to a strict, short-term automatic purging cycle.
  • No Unauthorized Sub-processing: In compliance with GDPR processor mandates, NVD does not engage any secondary sub-processors to handle respondent data.

B. Reliance on Certified Panel Partners (Data Controllers)

Because NVD acts as a technical conduit, we rely on the primary Data Controllers (our Panel Partners) to establish the lawful basis for processing. Our partners adhere to international standards as follows:

  • Lawful Basis & Informed Consent: Our partners are responsible for obtaining valid, informed, and granular consent from respondents as required by UK/EU GDPR and relevant US state-level notice requirements. They obtain these permissions before any data enters the NVD technical bridge.
  • Data Privacy Framework (DPF) Certification: Our partners maintain certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. This provides an adequacy mechanism for international data transfers, ensuring that even when data traverses borders, it is protected by enforceable standards:
    • Notice & Choice: Ensuring respondents have transparency into data usage.
    • Accountability for Onward Transfer: Mandating that NVD—as the technical recipient—upholds the same high level of data protection as the Data Controller.
  • Respondent Rights Management (SARs & Erasure): Under both UK/EU GDPR and US privacy laws, the Data Controller (Panel Partner) retains the "identity key." They are the only entities capable of linking a pseudonymous ID back to an individual. Consequently, our partners are equipped to handle Subject Access Requests (SARs), the Right to Erasure, and the Right to Rectification. If a respondent exercises their right to withdraw consent, our panel partners manage the propagation of this withdrawal through their research ecosystem.

4. Data Security

All data is secured in transit:

  • Encryption: All redirects and data transfers are protected via industry-standard TLS encryption.
  • Server Logs: Minimal technical logs required for security and troubleshooting are automatically purged on a short-term cycle and do not contain personal identifiers.

5. Individual Rights (Access & Deletion)

NVD cannot identify, access, or delete an individual's specific record. NVD handles only a pseudonymous ID and does not maintain a database of participants.

  • To Exercise Your Rights: Research participants wishing to exercise their rights under GDPR or US state laws can contact the Panel Provider or Media Brand where they originally registered. These entities maintain the "key" that connects an identity to the ID passed through the NVD system.

6. Contact Us

For questions regarding our technical privacy protocols, please contact: NuVoodoo Media Services at research@nuvoodoo.com.