From 25th May 2018, the new EU General Data Protection Regulation applies across the European Union. We've been working hard behind the scenes to ensure that Gorilla is fully GDPR compliant, and this page gives an overview of the steps we have taken.
Gorilla allows scientists to run online research studies. For all research and participant data, we are the Data Processor and the scientist in charge of the experiment is the Data Controller. For account information and billing, we are the Data Controller.
This means that it is up to the scientists who use Gorilla to ensure their experiments are run in accordance with GDPR. We meet all the requirements of a Data Processor, but as the Data Controller, there are some responsibilities under GDPR that fall to the scientist.
We run several mailing lists for our account holders. One, Gorilla Offers, contains information about any promotions or special offers for either Gorilla itself or complementary products from other companies. Under GDPR, this counts as marketing email. All users have had this mailing list disabled by default and, when they next log on, will have the option to opt in to receiving it again.
We also send emails to account holders on our other email lists. For example, we send service-related emails whenever we make changes to the platform, or to inform you about maintenance. These do not require explicit opt-in consent under GDPR. However, if you are unhappy about receiving any of these emails, please accept our apologies. You can disable any of the mailing lists from your Account page.
We also send automated emails based on your actions within Gorilla. For instance, when you first create an experiment, we will send you an email that directs you to experiment-related support materials. You cannot opt out of these service-related emails. They are designed to ensure you have the best possible information to make the best use of Gorilla.
Scientists can also use the platform to send emails to participants (we will never email a participant directly). As the scientist is the Data Controller for their participants, it is up to the scientist to obtain participants' consent to contact them. If you are a participant and are unhappy about having received an email from us, please accept our apologies and contact the scientist in charge of the experiment.
We use external suppliers for services such as web hosting, error tracking, email sending, etc. You can see a full list of suppliers here. All our suppliers are located in the EU and/or are part of the US-EU Privacy Shield, so you can be sure your data is safe and secure.