Data Protection & Privacy on Emojot’s Platform

Privacy Policy

Last Updated: September 2025

Introduction

Emojot, Inc. (“Emojot,” “we,” “our,” or “us”) provides a cloud-based business-to-business (B2B) experience management platform. Emojot acts as both a data controller of its own information and a data processor on behalf of business clients who use our platform to collect and analyze feedback from their customers and employees.

Emojot complies with the EU–U.S. Data Privacy Framework (EU–U.S. DPF) and the UK Extension to the EU–U.S. DPF as set forth by the U.S. Department of Commerce. Emojot has certified to the U.S. Department of Commerce that it adheres to the EU–U.S. DPF Principles with respect to personal data received from the European Union and the United Kingdom in reliance on the DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view Emojot’s certification, please visit https://www.dataprivacyframework.gov.

Information We Collect

Business Users

Information used to create and manage accounts, authenticate subscriptions, and enable secure platform access (e.g., name and email address).

End-Customers of Business Clients

Information voluntarily submitted by customers of our clients via surveys, feedback forms, or complaint channels (e.g., name, email, phone number, customer identification number, feedback text, ratings, service-related complaints).

Employees of Business Clients

Information voluntarily submitted by employees of our clients for employee experience surveys and workplace feedback (e.g., name, email, phone number, employee identification number, feedback text, opinions, or complaints).

Marketing and Lead Generation

We may collect personal information in the course of our marketing and lead generation activities. This may include names, business contact details (such as email address, phone number, company, and role), and other information voluntarily provided when individuals register for demos, webinars, download resources, participate in events, or engage with our marketing campaigns. Such data is used to provide relevant information about our services, respond to inquiries, and manage marketing communications.

Technical and Operational Data

Information automatically collected to support security and operations, including IP addresses, browser type, operating system, device identifiers, access times, referring website addresses, and system usage logs. We may also use cookies and similar technologies to improve user experience and analyze how our site and services are used.

We do not collect payroll or employee benefits information. We do not sell personal data.

How We Use Personal Data

Emojot processes personal data to:

Authenticate business user accounts and manage subscriptions.
Enable clients to capture, analyze, and respond to customer and employee experiences.
Facilitate clients to complaint-handling, service-quality improvements, and personalize customer/employee experiences.
Conduct analytics, reporting, and system performance monitoring.
Use personal data gathered through Emojot’s own marketing and lead generation activities to conduct business development, respond to inquiries, send relevant communications, and provide information about our products and services, subject to applicable opt-out and consent requirements.

Lawful Basis for Processing

We only collect and process personal data where we have a lawful basis to do so. Lawful bases include:

Consent (where you have given consent, such as for customer/employee experience management, personalisation, complaints handling and marketing communications).
Contract (where processing is necessary for the performance of a contract with our clients).
Legitimate interests (such as improving services, system monitoring and issue tracing).
Legal obligations (where processing is required to comply with applicable laws).

Where we rely on consent, individuals have the right to withdraw it at any time. Where we rely on legitimate interests, individuals have the right to object to such processing.

Onward Transfers of Personal Data

We may disclose personal data, under the DPF Principles, to:

Service providers / processors (e.g., cloud hosting, analytics, customer support, security monitoring).
Regulatory and law enforcement authorities where required by law.

In particular, Emojot Inc. remains responsible and liable under the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Emojot Inc. proves that it is not responsible for the event giving rise to the damage.

Cross-Border Data Transfers

Emojot operates globally, with data hosting in the United States. Personal data collected in the EU, UK, or other jurisdictions may be transferred to the U.S. or other countries where Emojot or its service providers operate. These transfers are made in compliance with applicable data protection laws.

For transfers from the EU and UK, Emojot relies primarily on its certification under the EU–U.S. DPF and the UK Extension.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Emojot commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Emojot commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms, with respect to personal data received or transferred pursuant to the Data Privacy Framework.

Where other mechanisms are required (e.g., Standard Contractual Clauses), Emojot will implement appropriate safeguards to ensure adequate protection.

Data Privacy Framework Compliance

Access, Correction, and Deletion: Individuals have the right to access personal data we hold about them, request corrections, or request deletion, subject to contractual and legal limitations.

Choice: Individuals may opt out of having their personal data disclosed to third parties or used for purposes materially different from the purpose(s) for which it was collected. Sensitive personal data, if ever collected, will only be used with explicit consent.

Accountability for Onward Transfer: Emojot requires third parties to provide at least the same level of protection as required under the DPF Principles.

Recourse, Enforcement, and Liability: Emojot’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Independent Recourse Mechanism

In compliance with the EU–U.S. DPF and UK Extension, Emojot commits to resolve complaints about our collection or use of personal data. Individuals in the EU or UK with inquiries or complaints should first contact Emojot at:

security@emojot.com

If we are unable to resolve the matter directly, we will cooperate with EU Data Protection Authorities (DPAs), JAMS, or UK Information Commissioner’s Office (ICO), our designated independent recourse mechanisms. In certain cases, binding arbitration may also be available under the DPF.

Security and Data Retention

Emojot employs industry-standard security measures, including encryption in transit and at rest, identity access management, multi-factor authentication, continuous monitoring, and vulnerability management.

Personal data is retained only as long as necessary to fulfill the purposes described in this policy, or in accordance with client agreements and applicable laws. When data is no longer required, it is securely deleted or anonymized in line with industry standards.

Your Rights

Individuals may exercise the following rights in accordance with applicable data protection laws:

Right to access, correct, or edit personal data.
Right to request deletion of data.
Right to restrict or object to certain processing.
Right to data portability.
Right to unsubscribe from marketing communications at any time (via unsubscribe links or by contacting us at security@emojot.com).

Third-Party Offerings and Links

Our website and platform may include links to third-party products or services. These third-party sites have their own privacy policies, and Emojot is not responsible for their content or practices. We encourage users to review the privacy statements of such sites.

Contact Information

For any questions or concerns regarding this Privacy Policy or our data practices, please contact us at:

Emojot, Inc.
Email: security@emojot.com
Address: 2108 N ST, STE N, Sacramento, CA 95816

Updates to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. We will post the revised policy with an updated revision date.