Quokka Hub Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly. When you register, book a call, or contact us through our website forms, strategy-call booking, or newsletter signup, you may provide your name, email address, company name, job title, and phone number.

1.2 Engagement Survey Responses. We collect responses to employee engagement surveys, including numeric ratings and free-text comments. Surveys are designed to be confidential and are reported to your employer in aggregated form. They are not technically anonymous. See Section 4 for how we handle free-text and the limited circumstances in which a response could be linked to you.

1.3 Onboarding and Offboarding Surveys. We collect responses to onboarding surveys (for example, Day 1 and 30/60/90-day check-ins) and offboarding or exit surveys. These survey types may be attributed to an individual and are visible to your employer's HR team rather than reported only in aggregate. Where a survey is attributed, you will be told before you respond.

1.4 DISC Assessment Data. We collect responses to DISC assessments and generate a behavioral profile (communication style, strengths, blind spots, and growth areas). DISC results are used across the platform, including the org chart, team dynamics views, communication coaching, and one-on-one prep briefs. Who can view a person's DISC profile is controlled by your employer's visibility settings.

1.5 One-on-One Data. Where your employer uses our one-on-one features, we collect meeting records, prep-brief content, and notes entered by participants. Notes labeled "private" are hidden from the other meeting participant but remain accessible to your employer's administrators for governance and auditing, and to Quokka for operating the Service. We retain a cached summary of past one-on-ones to personalize future briefs.

1.6 Information Collected Automatically. We collect IP address, device and browser type, and usage data (pages visited, actions taken) through cookies and similar technologies. We use analytics and product-experience tools, including Google Analytics and Microsoft Clarity, some of which capture session activity such as clicks, scrolling, and navigation. Where required by law, we request consent for non-essential cookies and tracking through our cookie banner.

2. Our Role: Controller and Processor

For some data we decide how and why it is used (we act as a "controller"). For other data we act only on the instructions of your employer (we act as a "processor").

• We are the controller for website visitors, prospects, newsletter subscribers, and consulting or retreat clients who contract with us directly.
• We are the processor for employee data inside the platform, including survey responses, DISC profiles, and one-on-one data. Your employer is the controller of that data.

If you are an employee and you want to access, correct, or delete data held in the platform, contact your employer first. We will support your employer in responding, but we generally cannot change or delete employee data without their instruction.

As controller, your employer is responsible for establishing a lawful basis for processing employee data, for informing employees about that processing, and for obtaining any consents required by law. Once data is shared with or held by your employer, we do not control how your employer uses it, and we are not responsible for an employer's use of employee data. Concerns about how your employer handles your data should be raised with your employer directly.

3. How We Use Information

We use personal data for the following purposes:

• Providing, maintaining, and securing the Services and dashboards.
• Scoring DISC assessments against our proprietary templates and generating profiles.
• Generating AI-assisted insights, including one-on-one prep briefs, communication coaching, and feedback theme summaries.
• Producing aggregated engagement reports and benchmarks for your employer.
• Communicating with you about the Services and, where permitted, marketing (you may opt out at any time).
• Safety screening, as described in Section 4.4.

On AI. We use AI to score, summarize, and rewrite content within the Services. We do not use your identifiable data to train or fine-tune general-purpose AI models. Some AI processing is performed by third-party AI providers acting as our subprocessors under confidentiality and data-protection terms (see Section 6).

4. How We Handle Confidential Survey Feedback

4.1 De-identification and Human Review. When free-text responses are collected, our system first removes identifying details automatically. A trained Quokka reviewer then checks the de-identified text before it is shown to your employer. This step exists to reduce the risk that a comment can be traced back to you. It means that Quokka personnel, bound by confidentiality, may read raw response text during review.

4.2 No Guarantee of Anonymity. De-identification and human review reduce reprisal risk. They do not make responses technically anonymous. Free-text comments can still reveal who wrote them through specific details. Please avoid including names or identifying specifics if you want to remain unidentifiable.

4.3 Aggregation Floor. Engagement results are reported at the company level. We do not provide team or department drill-downs that would isolate small groups.

4.4 Safety Screening. We apply limited automated screening, and a reviewer may also flag content, to surface responses that may indicate a serious risk of harm such as threats of violence or self-harm. This screening is best-effort. It cannot predict behavior and will not detect every risk, so we do not guarantee that any risk will be identified. Where we believe a response may indicate a serious risk, we may disclose the relevant response and identifying information to your employer's designated contacts or to authorities. This is the one circumstance in which a confidential response may be linked back to an individual. Responsibility for workplace safety rests with your employer.

5. Disclosure of Information

• To Your Employer. We share aggregated engagement reports. We share attributed onboarding and offboarding responses, DISC profiles, and one-on-one data as configured by your employer's settings. We do not share individual raw engagement survey responses except as described in Section 4.4.
• To Service Providers (Subprocessors). We use vetted third parties for hosting, analytics, AI processing, payments, and CRM or marketing. They are bound by confidentiality and data-protection terms and may use data only to provide services to us. A current list of subprocessors is available on request.
• De-identified Benchmarking. We retain de-identified data (with names, emails, and company identity removed and replaced by non-identifying labels) to produce industry benchmarks and to improve the Service. This data cannot reasonably be traced back to an individual or a company.
• Legal and Corporate. We may disclose data to comply with law, enforce our terms, or in connection with a merger, acquisition, or sale of assets.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

6. Subprocessors and International Transfers

We are based in the United States and process data in the United States. Where an employer engages us to process data originating from the United Kingdom, the EU, Canada, or Australia, that transfer is governed by a Data Processing Agreement with the employer, including the UK International Data Transfer Agreement or Addendum, Standard Contractual Clauses, or another lawful transfer mechanism appropriate to the region. A list of current subprocessors, including hosting and AI providers, is available on request. Employers can request a DPA before onboarding.

7. Data Retention

We keep personal data only as long as needed for the purposes above.

• Account and contact data: for the duration of the relationship and up to 24 months after.
• Survey, DISC, and one-on-one data: while the employer's account is active, then deleted or de-identified within 30 days of account closure or on the employer's instruction.
• Departed employees: when an individual leaves a customer organization, we de-identify their survey and DISC data and retain only the stripped version for benchmarking. Identifying records are removed from the active database.
• De-identified benchmarking data: retained on an ongoing basis, as it can no longer identify an individual.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your data, to object to processing, and to withdraw consent.

• Employees: direct requests about platform data to your employer (see Section 2). We will assist your employer.
• Everyone else: contact us at privacy@quokkahub.com.

California (CCPA/CPRA). We do not sell or share personal information. We collect the categories described in Section 1. You may request access or deletion, and you may request that we limit the use of sensitive personal information, which may include DISC profile data. We will not discriminate against you for exercising these rights.

9. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including access controls, encryption in transit, and tenant isolation between customer organizations. No system is completely secure. If we become aware of a breach affecting your personal data, we will notify affected parties as required by applicable law.

10. DISC and Insights Are Developmental Tools

DISC profiles and AI-generated insights are provided for communication and development purposes. They are not clinical, diagnostic, or psychological assessments, and they are not designed or validated for hiring, promotion, discipline, termination, or other employment decisions. Employers should not rely on them for those purposes. See our Terms of Service for related disclaimers.

11. Third-Party Links and Children

Our Services may link to third-party sites whose privacy practices we do not control. Our Services are intended for individuals 18 and older, and we do not knowingly collect data from anyone under 18.

12. Changes to This Policy

We may update this policy. Material changes will be reflected by a new Effective Date and, where appropriate, additional notice.