Sensemitter is now Emhance.

Read more

Legal:

Customer Privacy Policy

Privacy Notice

Non-Disclosure Agreement

Study Participant Privacy Policy

Terms of Service

Promotional Credit Terms

Study Participant Privacy Policy

Study Participant Privacy Policy

Last amended: 17 June 2026

We recognize the importance of protecting personal data and are committed to ensuring its security and responsible processing. This Privacy Policy explains how Sensemitter Services Limited ("Company," "we," "us," or "our"), in its capacity as a Data controller, collects, processes, and protects the personal data of Participants of our content and/or user experience and perception research, surveys, interviews, studies, or similar activities, which underpins the insights and deliverables we provide to our customers (collectively, "Study").

This Policy applies to all Participants - individuals of legal age (as defined by the laws of their jurisdiction) who have been invited and/or approved by us to take part in Study ("Participant", "you," "your"). Please read this Policy carefully to understand our privacy practices and your rights under applicable Data Protection Laws.

This Privacy Policy is available only in English, and all communications regarding data privacy and your rights will be conducted in English, unless otherwise required by mandatory laws in your jurisdiction.

BY PARTICIPATING IN STUDY YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREED TO THE PROCESSING OF YOUR PERSONAL INFORMATION AS OUTLINED IN THIS POLICY.

BY PARTICIPATING IN A STUDY YOU CONSENT TO THE USE OF AI-BASED TOOLS TO ANALYSE YOUR EMOTIONAL REACTIONS DURING THE STUDY SESSION. YOU UNDERSTAND THAT THIS ANALYSIS IS AUTOMATED AND MAY INCLUDE THE INTERPRETATION OF YOUR OBSERVABLE BEHAVIOURAL CUES AS FURTHER DETAILED IN SECTION 5 BELOW. IF YOU DO NOT WISH FOR YOUR DATA TO BE USED TO TRAIN, IMPROVE, OR ENHANCE OUR AI SYSTEMS BEYOND THE SPECIFIC RESEARCH STUDY IN WHICH YOU ARE PARTICIPATING, YOU MAY OPT OUT OF SUCH USE, AS EXPLAINED IN SECTION 5.

1. What categories of personal information we collect and why

We are a research and marketing technology company. We specialize in designing and conducting innovative research into user perception, behavior, and emotional response to digital content. Our research findings form the basis of the services and analytics we provide to our clients ("Services"), and also support the continuous development and improvement of our proprietary research Platform (as defined in our Terms of Service). In the course of our research activities, we collect and process your personal data for the following main purposes:

a. to establish and perform our agreement with you, including sending you invitations to participate in Studies, managing your participation, and providing you with relevant information or compensation where applicable;

b. to conduct our Researches; and

c. to develop, test, and improve our Platform, including the functionality of our proprietary AI algorithms (as further explained in Section 5 below), unless you have opted out of this use.

The categories of personal data we collect vary depending on the nature of each Study and our interaction with you, and may include:

Personal data you provide directly

This includes personal data you voluntarily provide when and/or after you accept our invitation to participate in a Study, sign an agreement to participate in a Study, communicate with us through recruitment platforms such as Prolific (www.prolific.com), User Interviews (www.userinterviews.com), Cint (www.cint.com), or any other platforms used for Study participant recruitment ("Recruitment Platforms"), or when you contact us directly outside of the Recruitment Platforms — for example, by email, phone, messaging services, or video calls. Please ensure that no personal data belonging to third parties is shared with us or visible during our video calls. If any such data is disclosed inadvertently, you may contact us at anonymize@emhance.ai and include a link to your interview for reference.

1.2. Participation Data

We collect only personal data that is relevant and necessary for the specific Study in which you choose to participate.

1.2.1. For Quantitative Study:

a. Screening Information: your responses to questions regarding your user experience, interests, habits, preferences, and the devices you use;

b. Recordings of your facial expressions during interactions with the object of the research (for example, a game, advertisement, video, or other media);

c. Derived Coded Data: insights reflecting your principal emotional reactions during engagement with the research object (as defined below).

1.2.2. For Qualitative Study we may collect all the data categories listed above under clause 1.2.1 (a) and 1.2.1 (c) (Quantitative Study), and additionally:

a. Your identifiers: your full name, gender, age, nationality, residential address, and contact information (email address, phone number, your Google Account details).

b. Recordings of your voice and/or facial expressions during interactions with the object of the research (for example, a game, advertisement, video, or other media), as well as recordings of your device screen while you engage with the research object;

c. Transcripts of interviews or sessions with you conducted and recorded as part of the Study;

d. On-Screen Information: any personal or device-related information that may unintentionally become visible to us during the course of Study sessions conducted via Google Meet or similar communication tools. This may include, without limitation, user identifiers, names, nicknames, photos, contact lists, file names, content previews, notifications, apps, services, or other elements displayed on the your screen while navigating your device.

1.3. Information Received from Third Parties.

 

When you participate in any Study studies through Recruitment Platforms, these platforms may provide us with the following personal data about you:

a. Your unique identifier assigned by the Recruitment Platform;

b. Your basic demographic details (e.g., first name, age, gender, nationality, country of residence);

c. Basic information regarding your user experience relevant to the requirements of a specific Study for which we recruit participants;

d. Any additional information as permitted by the respective Recruitment Platform's privacy policy.

We may also obtain your personal data from other third-party sources, where permitted or required by applicable law.

2. Sensitive Personal Data.

Other than as described below, we generally do not collect or process special categories of personal data, such as information related to your race or ethnicity, religious or philosophical beliefs, sexual life, political opinions, trade union membership, health, or genetic data. However, in order to conduct the Study we do process biometric data — namely facial-geometry and, in qualitative Studies, voice characteristics extracted from the Recordings — for the purpose of emotional and behavioural analysis, as described in Sections 5 and 5A. We process this biometric data only on the basis of your explicit consent (Article 9(2)(a) GDPR) and the additional consents required by applicable US state biometric laws. 

3. No Minors Data: Our Services are intended solely for individuals over the age of 18. Consequently, we do not knowingly collect personal data from individuals under the age of 18. If it comes to our attention that such data has been collected due to misleading or false information provided to us, we will promptly delete it.

4. Use of AI components

To conduct our Study activities, we use both proprietary AI systems (as described in Section 5 below) and third-party AI systems, including large language models developed by OpenAI, LLC ("LLMs"). For example, we may utilize these LLMs to analyze Respondents' answers across certain Study sessions in order to generate aggregated analytics as part of our Study outcomes.

We DO NOT use AI systems that infer emotions in workplace or in educational institutions.

5. Use of Recordings and Derived Data

During the course of the Study, we make Recordings of your participation (Clauses 1.2.1 (b) and 1.2.2 (b), which we further process as described in this clause below to: (a) capture and extract specific data from the recordings ("Captured Video Data"); and (b) interpret this Captured Video Data to produce Derived Coded Data (Clause 1.2.1 (c)).

Captured Video Data may include information such as facial expressions, and other observable behavioural cues. We use internal and third-party AI systems to analyse this data for the purposes of emotional interpretation. Specifically, the Captured Video Data is processed by proprietary algorithms within our Platform (as defined in our Terms of Service) and third-party AI systems, which convert it into coded formats (e.g., numerical or categorical values) representing emotional states or behavioural patterns.

Certain versions of the Recordings, Captured Video Data and/or Derived Coded Data may, be retained and used by us: (a) to improve the accuracy and functionality of our Platform's emotion recognition algorithms; (b) to enhance the diversity and breadth of our Platform's datasets; (c) to support advancements in human-computer interaction and usability analysis; (d) to share with our customers as part of the services we provide.

We obtain your consent to the recording and to the biometric processing described in this Section BEFORE any Recording is made, through the consent form and/or the consent step presented to you at the start of the Study session. The 30-day option described in the next paragraph applies ONLY to the optional, additional use of your data to train or improve our AI systems; it does not affect the requirement that recording and biometric processing be consented to in advance.

If you do not wish for your Captured Video Data or Derived Coded Data to be used for the purpose of improving our AI systems (as described in the final paragraph above), you may opt out of such use by contacting us at legal@emhance.ai before or within 30 (thirty) days following your participation in the Study. In such cases, your Captured Video Data and Derived Coded Data will be used solely for the specific Study in which you participated and will not be retained or repurposed to train or improve our AI algorithms. Your participation in the Study will not be affected by this choice.

You are hereby giving us your explicit consent in accordance with Article 9(2)(a) of the GDPR for the following use of the Recordings:

- Participation in the research study (recording face, voice, screen, etc.);

- Use of those Recordings and derived data to train and improve our own AI models.

- Use of those Recordings for analysis and training by third-party AI systems.

5A. Additional notice and terms for participants in US states with biometric privacy laws

This Section applies if you participate from Illinois, Texas, or Washington, and supplements the rest of this Policy. In the event of a conflict, this Section controls for those participants.

a. What we collect. To analyse your emotional and behavioural reactions, we collect and process biometric identifiers and biometric information within the meaning of the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health My Data Act (MHMD Act) — specifically a scan of your facial geometry and, in qualitative Studies, voice characteristics (voiceprint), together with the Derived Coded Data generated from them.

b. Purpose. We collect and use this biometric data solely to conduct the Study, to produce the emotional/behavioural analysis and findings we deliver to our clients, and — only if you have not opted out under Section 5 — to improve our Platform's algorithms.

c. Consent and written release. We obtain your informed consent before collecting any biometric identifier. If you participate from Illinois, we additionally obtain your written release (as required by BIPA Section 15(b)) before collection, which states the biometric data being collected, the purpose, and the length of time for which it will be stored and used. If you participate from Washington, we obtain your separate consent for collection and a separate, distinct authorization before any sharing of your biometric/consumer health data, as required by the MHMD Act.

d. Retention and destruction schedule. We retain your biometric identifiers, biometric information, and the Derived Coded Data generated from them only for as long as needed to fulfil the purpose for which they were collected, and in any event we permanently destroy them no later than one (1) year after your last interaction with us (or sooner where required by applicable law). This is our publicly available retention schedule and destruction guideline for biometric data for the purposes of BIPA Section 15(a) and the destruction requirements of CUBI and the MHMD Act. The raw audiovisual Recording (as distinct from the biometric identifiers extracted from it) may be retained for longer as described in Section 6, on the basis of your explicit consent and solely as evidence of our analysis; we do not perform further biometric extraction on Recordings retained for that evidentiary purpose.

e. No sale; no profit; limited disclosure. We do not sell, lease, trade, or otherwise profit from your biometric identifiers or biometric information. We do not disclose them to any third party except: with your consent (or separate authorization where required); to our processors who act on our behalf under written confidentiality and data-protection obligations; or as required by law. We protect biometric data using the reasonable standard of care and security measures described in Section 10.

f. Your rights. You may withdraw your consent and request deletion of your biometric data at any time by contacting us at legal@emhance.ai. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. Summary of purposes and legal bases of your personal data processing

We collect and process your personal data for a range of purposes, as specified in the table below. The legal bases under which we process your personal data include:

a. Consent: We collect and process your personal data based on your explicit consent, which is obtained through consent forms, personal recorded communication with you, emails or checkboxes provided during your interactions with us. Your consent is documented and securely stored in our systems. You may withdraw your consent at any time by contacting us at legal@emhance.ai.

b. Contractual necessity: Processing of your personal data may be necessary for the performance of a contract to which you are a party or to take pre-contractual steps at your request.

c. Legitimate interest: We may process your personal data where it is necessary for our legitimate interests, such as improving our products and Services, ensuring the security of our Platform, and maintaining business relationships. When relying on legitimate interest, we always conduct a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

d. Legal obligation: We process your personal data when it is necessary to comply with our legal and regulatory obligations, including tax, accounting, anti-money laundering (AML), and data protection laws.

e. Vital interests and other legal bases: In exceptional cases, we may process your personal data to protect your vital interests or those of another person, or when processing is otherwise permitted under Article 6 of the GDPR.

We DO NOT sell, rent, or trade your personal data to third parties under any circumstances.

We DO NOT use personal data for marketing purposes.

Summary Table of Processing Purposes and Legal Bases

Category of Personal Data

Purpose of Processing

Lawful Basis (GDPR, Article 6)

Retention period

Your identifiers (clause 1.2.2 (a))

(a) to identify and communicate with you in connection with the Study; (b) to manage your participation; (c) to send you notifications and updates; (d) to respond to your inquiries; (e) to enter into and perform an agreement with you; (f) to communicate with you in the context of research engagement, including invitations and managing a database of potential respondents.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(f) Legitimate interest (communications and research operations); Art. 6(1)(a) Consent (research-engagement communications).

Up to 12 months after the end of the relevant Study project or last contact, or as long as you have an active account with us (whichever is longer), unless a longer retention period is required by law.

Your payment information (banking details, VAT/tax ID, payment history)

To process payments, rewards, or reimbursements for your participation where we have a direct (off-Recruitment Platforms) agreement with you.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(c) Legal obligation (tax and accounting).

Up to 12 months after the end of the relevant paid Study project or last contact, or as long as you have an active account (whichever is longer), unless a longer retention period is required by law.

Recordings — biometric components (the facial-geometry scan / voiceprint extracted from the Recordings under clauses 1.2.1(b) and 1.2.2(b))

To conduct the Study and process Captured Video Data into Derived Coded Data, as defined in Sections 5 and 5A.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent; plus consents required under BIPA/CUBI/MHMD.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless a longer period is required by law.

Raw Recordings — audiovisual file retained as evidence (clauses 1.2.1(b) and 1.2.2(b))

To retain, where consented, the underlying audiovisual recording solely as evidence of our analysis and findings provided to clients; not subjected to further biometric extraction.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Retained for the duration of the applicable client contract and our related evidentiary and record-keeping needs, after which it is deleted. You may withdraw consent and request deletion at any time (see Sections 5A and 11).

Captured Video Data and Derived Coded Data (clause 1.2.1(c))

To analyse your user reactions and behaviours as part of the Study objectives.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless retained in fully anonymised form that no longer identifies you.

Your On-Screen information (clause 1.2.2(d))

This data is not processed separately from the Recordings.

Article 6(1)(a) – Consent

Same retention as the Recording in which it appears (rows 3–4 above); promptly redacted or deleted where it is not necessary for the Study.

Screening information (clause 1.2.1(a))

(a) to assess your eligibility and suitability for a specific Study; (b) to communicate with you in the context of research engagement.

Article 6(1)(a) – Consent

Up to 12 months after the end of the relevant Study project or last contact, unless you consent to our retaining it longer to invite you to future Studies, in which case until you withdraw that consent..

Transcripts and session records (clause 1.2.2(c))

To document and analyse qualitative Study findings in an aggregated and anonymised manner.

Article 6(1)(a) – Consent

Identifiable transcripts deleted no later than 12 months after the end of the relevant Study project; aggregated and anonymised findings (which no longer identify you) may be retained without time limit.

Data from Recruitment Platforms (clause 1.3 above)

To manage your recruitment and ensure eligibility for a particular Study

Article 6(1)(f) – Legitimate interest (managing recruitment processes)

As per the respective Recruitment Platform’s privacy policy

Category of Personal Data

Purpose of Processing

Lawful Basis (GDPR, Article 6)

Retention period

Your identifiers (clause 1.2.2 (a))

(a) to identify and communicate with you in connection with the Study; (b) to manage your participation; (c) to send you notifications and updates; (d) to respond to your inquiries; (e) to enter into and perform an agreement with you; (f) to communicate with you in the context of research engagement, including invitations and managing a database of potential respondents.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(f) Legitimate interest (communications and research operations); Art. 6(1)(a) Consent (research-engagement communications).

Up to 12 months after the end of the relevant Study project or last contact, or as long as you have an active account with us (whichever is longer), unless a longer retention period is required by law.

Your payment information (banking details, VAT/tax ID, payment history)

To process payments, rewards, or reimbursements for your participation where we have a direct (off-Recruitment Platforms) agreement with you.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(c) Legal obligation (tax and accounting).

Up to 12 months after the end of the relevant paid Study project or last contact, or as long as you have an active account (whichever is longer), unless a longer retention period is required by law.

Recordings — biometric components (the facial-geometry scan / voiceprint extracted from the Recordings under clauses 1.2.1(b) and 1.2.2(b))

To conduct the Study and process Captured Video Data into Derived Coded Data, as defined in Sections 5 and 5A.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent; plus consents required under BIPA/CUBI/MHMD.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless a longer period is required by law.

Raw Recordings — audiovisual file retained as evidence (clauses 1.2.1(b) and 1.2.2(b))

To retain, where consented, the underlying audiovisual recording solely as evidence of our analysis and findings provided to clients; not subjected to further biometric extraction.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Retained for the duration of the applicable client contract and our related evidentiary and record-keeping needs, after which it is deleted. You may withdraw consent and request deletion at any time (see Sections 5A and 11).

Captured Video Data and Derived Coded Data (clause 1.2.1(c))

To analyse your user reactions and behaviours as part of the Study objectives.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless retained in fully anonymised form that no longer identifies you.

Your On-Screen information (clause 1.2.2(d))

This data is not processed separately from the Recordings.

Article 6(1)(a) – Consent

Same retention as the Recording in which it appears (rows 3–4 above); promptly redacted or deleted where it is not necessary for the Study.

Screening information (clause 1.2.1(a))

(a) to assess your eligibility and suitability for a specific Study; (b) to communicate with you in the context of research engagement.

Article 6(1)(a) – Consent

Up to 12 months after the end of the relevant Study project or last contact, unless you consent to our retaining it longer to invite you to future Studies, in which case until you withdraw that consent..

Transcripts and session records (clause 1.2.2(c))

To document and analyse qualitative Study findings in an aggregated and anonymised manner.

Article 6(1)(a) – Consent

Identifiable transcripts deleted no later than 12 months after the end of the relevant Study project; aggregated and anonymised findings (which no longer identify you) may be retained without time limit.

Data from Recruitment Platforms (clause 1.3 above)

To manage your recruitment and ensure eligibility for a particular Study

Article 6(1)(f) – Legitimate interest (managing recruitment processes)

As per the respective Recruitment Platform’s privacy policy

  1. Category of Personal Data

Your identifiers (clause 1.2.2 (a) above)

Purpose of Processing

(a) To identify and communicate with you in connection with the Study you are participating in;

(b) To manage your participation in the Study;

(c)  To send you notifications and updates regarding the Study;

(d) To respond to your inquiries or other direct communications;

(e) To enter into and perform an agreement with you;

(f) To communicate with you in the context of research engagement – including sending invitations to participate in our Study, notifying you of new or upcoming Study opportunities, providing relevant Study-related information or proposals, and managing a database of potential respondents for our future research activities.

Lawful Basis (GDPR, Article 6)

Article 6(1)(b) Performance of a contract (where we have a direct contract with you);

Article 6(1)(f) Legitimate interest (to facilitate effective communication in response to your inquiries or other communications);

Article 6(1)(f) Legitimate interest (to manage research-related operations and communications)

Article 6(1)(a) – Consent (where we communicate with you the context of research engagement)

Retention period

Up to 12 months after the end of the relevant Study project or last contact or as long as you have an active account with us (whichever is longer), unless a longer retention period is required by law (e.g., accounting obligations)

  1. Category of Personal Data

Your payment information (i.e. banking details, VAT/tax ID, payment history)

Purpose of Processing

To process payments, rewards, or reimbursements you’re your participation in the Study in case we have a direct (off-Recruitment Platforms) agreement with you

Retention period

Up to 12 months after the end of the relevant paid Study project or last contact or as long as you have an active account with us (whichever is longer), unless a longer retention period is required by law (e.g., accounting obligations)

Lawful Basis (GDPR, Article 6)

Article 6(1)(b) – Performance of a contract;
Article 6(1)(c) – Compliance with a legal obligation (tax and accounting requirements)

  1. Category of Personal Data

Your On-Screen information (clause 1.2.2 (c) above)

Purpose of Processing

This data is not processed separately from the Recordings

Lawful Basis (GDPR, Article 6)

Article 6(1)(a) – Consent 

Indefinite

Retention period

-

  1. Category of Personal Data

Screening information (clause 1.2.1 (a) above)

Purpose of Processing

(a) To assess your eligibility and suitability for specific Study 

(b) To communicate with you in the context of research engagement – including sending invitations to participate in our Studies, notifying you of new or upcoming Study opportunities, providing relevant Study-related information or proposals, and managing a database of potential respondents for our future research activities.

Lawful Basis (GDPR, Article 6)

Article 6(1)(a) – Consent Indefinite

Retention period

-

  1. Category of Personal Data

Recordings (clauses 1.2.1 (b) and 1.2.2 (b) above)

Purpose of Processing

To conduct the Study, to assess your behavioural responses during engagement with the object of the Study, and process Captured Video Data for conversion into Coded Data, as defined in Clause 5 above.

Lawful Basis (GDPR, Article 6)

Article 6(1)(a) – Consent Indefinite.

Retention period

-

  1. Category of Personal Data

Derived Coded Data (clause 1.2.1 (c) above)

Purpose of Processing

To analyse your user reactions and behaviours as part of the Study objectives

Lawful Basis (GDPR, Article 6)

Article 6(1)(a) – Consent Indefinite.

Retention period

-

  1. Category of Personal Data

Transcripts and session records (clause 1.2.2 (c) above)

Purpose of Processing

To document and analyse qualitative Study findings in an aggregated and anonymised manner.

Lawful Basis (GDPR, Article 6)

Article 6(1)(a) – Consent Indefinite.

Retention period

-

  1. Category of Personal Data

Data from Recruitment Platforms (clause 1.3 above)

Purpose of Processing

To manage your recruitment and ensure eligibility for a particular Study

Lawful Basis (GDPR, Article 6)

Article 6(1)(f) – Legitimate interest (managing recruitment processes)

Retention period

As per the respective Recruitment Platform’s privacy policy

Category of Personal Data

Purpose of Processing

Lawful Basis (GDPR, Article 6)

Retention period

Your identifiers (clause 1.2.2 (a))

(a) to identify and communicate with you in connection with the Study; (b) to manage your participation; (c) to send you notifications and updates; (d) to respond to your inquiries; (e) to enter into and perform an agreement with you; (f) to communicate with you in the context of research engagement, including invitations and managing a database of potential respondents.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(f) Legitimate interest (communications and research operations); Art. 6(1)(a) Consent (research-engagement communications).

Up to 12 months after the end of the relevant Study project or last contact, or as long as you have an active account with us (whichever is longer), unless a longer retention period is required by law.

Your payment information (banking details, VAT/tax ID, payment history)

To process payments, rewards, or reimbursements for your participation where we have a direct (off-Recruitment Platforms) agreement with you.

Art. 6(1)(b) Performance of a contract; Art. 6(1)(c) Legal obligation (tax and accounting).

Up to 12 months after the end of the relevant paid Study project or last contact, or as long as you have an active account (whichever is longer), unless a longer retention period is required by law.

Recordings — biometric components (the facial-geometry scan / voiceprint extracted from the Recordings under clauses 1.2.1(b) and 1.2.2(b))

To conduct the Study and process Captured Video Data into Derived Coded Data, as defined in Sections 5 and 5A.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent; plus consents required under BIPA/CUBI/MHMD.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless a longer period is required by law.

Raw Recordings — audiovisual file retained as evidence (clauses 1.2.1(b) and 1.2.2(b))

To retain, where consented, the underlying audiovisual recording solely as evidence of our analysis and findings provided to clients; not subjected to further biometric extraction.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Retained for the duration of the applicable client contract and our related evidentiary and record-keeping needs, after which it is deleted. You may withdraw consent and request deletion at any time (see Sections 5A and 11).

Captured Video Data and Derived Coded Data (clause 1.2.1(c))

To analyse your user reactions and behaviours as part of the Study objectives.

Art. 6(1)(a) and Art. 9(2)(a) Explicit consent.

Destroyed when the collection purpose is satisfied and in any event no later than one (1) year after your last interaction with us, unless retained in fully anonymised form that no longer identifies you.

Your On-Screen information (clause 1.2.2(d))

This data is not processed separately from the Recordings.

Article 6(1)(a) – Consent

Same retention as the Recording in which it appears (rows 3–4 above); promptly redacted or deleted where it is not necessary for the Study.

Screening information (clause 1.2.1(a))

(a) to assess your eligibility and suitability for a specific Study; (b) to communicate with you in the context of research engagement.

Article 6(1)(a) – Consent

Up to 12 months after the end of the relevant Study project or last contact, unless you consent to our retaining it longer to invite you to future Studies, in which case until you withdraw that consent..

Transcripts and session records (clause 1.2.2(c))

To document and analyse qualitative Study findings in an aggregated and anonymised manner.

Article 6(1)(a) – Consent

Identifiable transcripts deleted no later than 12 months after the end of the relevant Study project; aggregated and anonymised findings (which no longer identify you) may be retained without time limit.

Data from Recruitment Platforms (clause 1.3 above)

To manage your recruitment and ensure eligibility for a particular Study

Article 6(1)(f) – Legitimate interest (managing recruitment processes)

As per the respective Recruitment Platform’s privacy policy

7. Sharing of your personal data

We only share your personal data with third parties when it is necessary to achieve the purposes described in this Policy and always in compliance with applicable data protection laws. We ensure that any such sharing is subject to appropriate contractual, technical, and organizational safeguards.

Your personal data may be shared with the following categories of recipients:

a. Customers and Business Partners: We may share anonymised or aggregated research insights with our customers and business partners as part of the services we provide. In certain cases, where strictly necessary (e.g., for quality control or research validation purposes). We may also share limited personal data—such as your feedback, in-game behavior, or excerpts from Recordings—provided such data is subject to appropriate safeguards, including minimization. Where any such excerpt contains biometric identifiers and you participate from Illinois, Texas, or Washington, we share it only with your consent or, for Washington, your separate authorization, as described in Section 5A. 

b. Service Providers and Subcontractors: We engage carefully selected third-party vendors, consultants, subcontractors and third-party AI systems to support various aspects of our operations, including Study execution, data processing, analytics, and platform development. These third parties act as data processors on our behalf and are contractually bound by strict confidentiality and data protection obligations under Article 28 GDPR.

c. Hosting and Infrastructure Providers: We rely on trusted infrastructure services, such as Google Cloud and Google Workspace, to securely host and manage our systems and your personal data. These providers operate in accordance with internationally recognized security and data protection standards, and we ensure their compliance through appropriate contractual arrangements.

d. Prospective Investors and Professional Advisors: in the context of financing, due diligence, or potential mergers/acquisitions, we may disclose your data to investors or their advisors, provided they are subject to strict confidentiality obligations.

e. Compliance with legal obligations. We may disclose your personal data when required to comply with legal obligations, including responding to subpoenas, court orders, or lawful requests from governmental or regulatory bodies. This may include compliance with tax, banking, anti-corruption, AML, accounting regulations, or other applicable laws.

f. Legal rights and safety. Your personal data may also be shared if it is necessary to establish, exercise, or defend our legal rights, protect our property, enforce our agreements, or prevent fraud or other illegal activities.

We require all third parties with whom we share your data to maintain appropriate security measures and comply with applicable data protection laws. Third parties are only permitted to process your personal data for specified purposes in accordance with our instructions.

8. Cookies and other Tracking Technologies

8.1. Technologies that we use on our website https://emhance.ai ("Website") are:

a. Cookies are small pieces of text entered into the memory of your browser by a website, allowing the website to store information on your device and later retrieve it. They help maintain website functionality and collect information about website usage. We use this information to improve our website, present content in the most efficient and engaging manner and assist in our marketing efforts.

b. Web beacons are tiny images with a unique identifier, which are not stored on the hard-drive of your device, but are embedded invisibly on web pages. We use web beacons in our marketing HTML-based emails to our subscribers. This allows us to collect information about how subscribers engage with emails and analyze statistics, including open rates and click-through rates. We use this information to improve our email communications and effectiveness of marketing campaigns.

8.2. The types of cookies we use are:

a. Session and persistent cookies:

- Session cookies last as long as your online session and disappear from your device when you close your browser.

- Persistent cookies stay on your device after you close your browser and last for a time specified in the cookie (unless deleted by you earlier).

b. First-party and third-party cookies:

- First party cookies are set by the website. Only we can read them.

- Third-party cookies are set by someone other than our website. You may adjust your browser settings to prevent the receipt of third-party cookies, or to provide notification whenever such third-party cookies are sent to you.

c. While the cookies that we use may change from time to time as we improve and update the website, they serve the following main purposes:

- Strictly necessary cookies are essential for the operation of the website, so that you can navigate it and use its features. Without them some parts of the website will not work.

- Functionality cookies allow the website to remember choices you make to provide better functionality and personalized features. These cookies may be set by us or by third-party services we have added to our pages. If you do not allow them then some or all of these services may not function properly.

- Analytics and performance cookies help us improve the performance of the website based on the information about how the website is used, for example, page views and traffic sources.

- Advertising and marketing cookies may be used to build a profile of your interests and show you relevant adverts on other websites. These cookies can be set through the website by us or our partners.

d. The list of cookies used on our Website is continuously monitored and displayed in real-time through Cookie Script. You can view the complete list of cookies, including their purpose, duration, and data usage details, at any time. Additionally, you can manage your cookie preferences in real-time via the cookie pop-up available on the Website landing page.

e. You can delete the cookies installed in the past and manage preferences for cookies in your browser settings. You can manage preferences for third-party cookies via the tools provided by those parties, including Google Ad Settings and the Google Analytics Opt-out Browser Add-on, and via the EDAA (EU), the Network Advertising Initiative (US), the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar services. If you block or delete cookies in your browser settings, this may mean that the website preferences will be lost and that you might not be able to access or use some of its features.

9. Where we process and transfer your information

We host and process your data in Europe (and the hosting services are purchased by us from Google Cloud). We may transfer personal data to jurisdictions outside of your home country and outside of European Economic Area (EEA) as necessary for the purposes of processing. You are entitled to learn about the legal basis of data transfers to a country outside the EU and about the security measures we take to safeguard your information. If we transfer personal data originating from the EEA to countries with not adequate level of data protection, we use one of the following legal bases: (i) Standard Contractual Clauses approved by the European Commission, or (ii) the European Commission adequacy decisions about certain countries. We take all steps necessary to provide suitable safeguards to protect your personal data during the cross-border transfer and to ensure that your data is treated in accordance with this Privacy Policy.

10. How we protect your information

We are committed to safeguarding your personal and confidential information ("PCI") through robust technical and organizational measures. Our security framework is designed to protect PCI from unauthorized access, use, disclosure, copying, modification, destruction, and accidental loss or misuse.

10.1. Security Measures in Place. We implement industry-standard security controls, including but not limited to:

a. Access Controls: we enforce strict access controls to ensure that only authorized personnel and contractors can access your PCI, based on the principle of least privilege.

b. Data Encryption: (i) in transit: 256-bit SSL/TLS 1.2 encryption; (ii) at rest: AES-256; (iii) backups: regular encrypted backups.

c. Secure Infrastructure: all our Services' infrastructure is hosted within Google Cloud. Google Cloud is ISO/IEC 27001, SOC 1/2/3, and GDPR-compliant.

d. Regular Security Audits: we conduct regular penetration testing, vulnerability assessments, and security audits.

e. Antivirus and Intrusion Prevention Systems (IPS): deployed to monitor and prevent unauthorized access and potential threats in real-time.

f. Incident Response: we have established protocols to promptly address any suspected data breaches and will notify you and applicable regulators within legally required timeframes if a breach occurs.

10.2. Privacy Commitment. We are fully dedicated to compliance with the GDPR and other applicable data protection laws. Our privacy measures include:

a. Mandatory Non-Disclosure Agreements for all employees and contractors handling your PCI.

b. Regular employee training on data protection best practices and GDPR compliance.

11. How you can control your information

11.1. If you reside in one of EEA jurisdictions, you have the following rights in relation to the processing of your information:

a. Right to request access.

b. Right to request correction.

c. Right to request erasure.

d. Right to object to processing.

e. Right to request restriction of processing.

f. Right to request the transfer of your personal data to you or to a third party (data portability).

g. Right to withdraw consent. If you have previously provided us with your consent to collect and process your personal data, you can change your mind and withdraw such consent at any time. However, this will not affect the lawfulness of any processing carried out before withdrawal.

h. Right to complain to a supervisory authority (https://edps.europa.eu/).

To exercise these rights, you can contact us by submitting a request to the email at the bottom of this section.

11.2. If you reside in the United States of America (USA), you have rights under certain USA state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

a. Access.

b. Rectification.

c. Erasure.

d. Opt out of sale and sharing. You can opt out from the selling/sharing of your personal information, targeted advertising, or profiling by disabling cookies in your browser's cookie preference settings.

- Right to limit use and disclosure of sensitive personal information.

- Withdrawing your consent.

- Non-discrimination.

For participants located in US states with biometric privacy laws — including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health My Data Act (MHMD Act) — additional terms apply, as set out in Section 5A. In summary: we obtain the consents those laws require (and, for Illinois, a written release) before collecting any biometric identifier such as a scan of facial geometry or a voiceprint; we obtain a separate authorization before sharing biometric/consumer-health data where Washington law requires it; we maintain the publicly available biometric retention and destruction schedule set out in Section 5A(d) and Section 6 (destruction no later than one year after your last interaction with us); we do not sell or otherwise profit from biometric data; and you may withdraw consent and request deletion of your biometric data at any time.

Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf, subject to verification. If we decline to take action regarding your request, you may appeal by emailing us; if your appeal is denied, you may submit a complaint to your state attorney general.

If you wish to exercise any of the rights set out above, please contact us at legal@emhance.ai. We will process your request free of charge and as early as possible, but always within one month, subject to identity verification.

12. How long we keep your information

We keep your information for as long as it is necessary for the purposes outlined in Section 6 above, and no longer than the retention periods stated in the table in Section 6 and the biometric destruction schedule in Section 5A. We may retain your information if required to do so by law or upon an order of a state authority.

13. Links to third-party websites

The Website may contain links to third-party websites that are not administered by us and are not governed by this Privacy Policy. We encourage you to familiarize yourself with the privacy policies and security practices of the linked third-party websites before providing them any personal data.

14. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, regulatory requirements, or to address feedback received from our customers. Any changes will be published on this page. When we post changes, we revise the "Last Updated" date at the top of this policy. If we make any material changes in the way we collect, use or share your information, we will notify you by prominently posting notice of the changes on our Website and Platform, and if required by applicable law we will request your consent for such changes.

15. Contact Information

If you have questions or comments regarding this Privacy Policy and our privacy practices, or you have any requests to exercise your legal rights, please contact us at: legal@emhance.ai

Registered address: Spyrou Araouzou, 2, FAYSA HOUSE, 2nd floor, Flat/Office 201, 3036, Limassol, Cyprus

***

Main Definitions

Applicable Data Protection Laws: the GDPR, the CCPA, and all other data protection and privacy laws applicable to the processing described in this Policy, including, where relevant to a Participant, the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, and the Washington My Health My Data Act.

BIPA: the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq.

CUBI: the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001.

MHMD Act: the Washington My Health My Data Act, RCW 19.373. 

CCPA 2018: the California Consumer Privacy Act 2018 and legislation supplementing this Act.

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Unless stated otherwise, for purposes of this Privacy Policy – Sensemitter Services Limited.

GDPR: the General Data Protection Regulation ((EU) 2016/679) and all legislation implementing or supplementing this Regulation.

Personal data, personal information: Any information relating to an identified or identifiable natural person.

Processing of personal data: Any operation or set of operations which is performed on personal data, whether or not by automated means. For the purposes of CCPA 2018 "sharing" of personal data shall not be read or mean "sale" of personal data.

Legal

Contact

© 2026 Emhance. All rights reserved.

Legal

Contact

© 2026 Emhance. All rights reserved.

Legal

Contact

© 2026 Emhance. All rights reserved.

Legal

Contact

© 2026 Emhance. All rights reserved.