CANVAS PRIVACY NOTICE
1. Introduction
This Privacy Notice explains how Watermelon Research processes personal data in connection with the provision of Canvas and Canvas Index (together, “Canvas”).
This notice should be read alongside the Canvas Software as a Service Subscription Agreement (“Subscription Agreement”).
2. Roles Under Data Protection Laws
2.1 Customer Data and Respondent Data
For the purposes of applicable Data Protection Laws:
The Customer is the Data Controller of all Customer Data and Respondent Data.
Watermelon acts as Data Processor of such data.
Customer Data includes all data inputted into Canvas by or on behalf of the Customer, including Respondent Data and personal data relating to Authorised Users where such data forms part of Customer Data.
Watermelon does not determine the purposes or means of processing Customer Data or Respondent Data.
2.2 Authorised User Account Data
Watermelon acts as Data Controller in respect of personal data processed for the purpose of:
Creating and managing user accounts
Authentication and access control
Security monitoring and logging
Platform administration
Compliance with legal obligations
This data typically includes name, business email address, organisation, login credentials, IP address and usage logs.
3. Operational Models
Canvas may be provided on:
A managed research basis (where Watermelon assists with survey configuration, distribution and reporting); or
A self-serve basis (where the Customer independently designs, distributes and manages surveys).
In both models:
The Customer remains the Data Controller of Customer Data and Respondent Data.
Watermelon processes such data solely in accordance with the Customer’s documented instructions and the Subscription Agreement.
In self-serve deployments, Watermelon does not routinely access Customer Data except where necessary for support, maintenance, security, or to comply with legal obligations.
4. Customer Responsibilities
The Customer is solely responsible for:
Determining the purposes and lawful basis for processing personal data
Designing and configuring surveys
Selecting respondents
Providing appropriate privacy information to respondents
Obtaining all required consents
Ensuring data accuracy and data minimisation
Determining retention periods
Watermelon does not review, validate, or approve the legality, accuracy, or adequacy of Customer Data uploaded into Canvas.
5. How Watermelon Processes Customer Data
Watermelon processes Customer Data solely to:
Provide access to Canvas
Host, secure and maintain the platform
Provide support services
Monitor system performance and integrity
Generate anonymised Aggregated Data
Comply with legal and regulatory obligations
Watermelon does not:
Use Customer Data for its own marketing purposes
Sell Customer Data
Disclose Customer Data except as required to provide Canvas or comply with applicable law
6. AI-Assisted Functionality
Canvas may generate AI-assisted outputs based on Customer Data, including analytical summaries and text-based insights.
Such outputs:
Are generated within the Canvas service environment
Do not constitute automated decision-making producing legal or similarly significant effects
May be incomplete, contextually limited or subject to interpretation
Are provided on an “as is” basis as described in the Subscription Agreement
Watermelon does not use Customer Data or Respondent Data to train external AI models.
7. Aggregated Data
Watermelon may generate anonymised and aggregated statistical data derived from the operation of Canvas (“Aggregated Data”).
Aggregated Data:
Does not identify the Customer, Authorised Users or Respondents
Cannot reasonably be used to re-identify individuals
May be used to improve platform performance, security and functionality
Watermelon does not attempt to re-identify anonymised data.
8. Sub-Processors and Hosting
Canvas is hosted in Microsoft Azure data centres located in:
The United Kingdom or European Union (for customers contracting with Watermelon Research Limited); or
Australia (for customers contracting with Chime Australia Pty Limited).
Watermelon may engage sub-processors to support the provision of Canvas.
A current list of sub-processors is available at:
https://my-canvas.io/subprocessors
Watermelon remains responsible for its sub-processors in accordance with applicable Data Protection Laws.
9. Security Measures
Watermelon implements appropriate technical and organisational measures designed to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
These measures are consistent with recognised industry standards and Watermelon’s ISO/IEC 27001 certified information security management system.
10. International Transfers
Where personal data is transferred outside the United Kingdom, European Union or Australia, Watermelon ensures appropriate safeguards are in place in accordance with applicable Data Protection Laws.
11. Data Retention
Retention of Customer Data and Respondent Data is determined by the Customer in accordance with the Subscription Agreement.
Watermelon retains such data only:
For the duration of the Subscription Term;
In accordance with Customer instructions; and
As required to comply with legal obligations.
Authorised User account data is retained for the duration of platform access and for a limited period thereafter for security, audit and compliance purposes.
12. Data Subject Rights
Where Watermelon acts as Data Processor, data subjects should direct requests relating to Customer Data or Respondent Data to the relevant Customer as Data Controller.
Watermelon will assist Customers in responding to such requests where required by law and in accordance with contractual obligations.
Where Watermelon acts as Data Controller (in respect of Authorised User account data), individuals may contact Watermelon to exercise applicable rights under Data Protection Laws.
13. Contact
For privacy-related enquiries: CIO@my-canvas.io