Privacy Policy
Effective date: 1 June 2025
Entity: Enumerate AI Inc. (“Enumerate AI”, “we”, “us”, “our”)
Contact: privacy@enumerate.ai
Registered address: 8 The Green, Suite B, Dover, DE 19901, USA
1) What this Policy covers
This Policy explains how we collect, use, disclose, and protect Personal Information when you use our websites, web apps, mobile apps, or services (the “Services”). It applies to:
- Participants (e.g., interviewees, diary/app users, panelists)
- Client users (e.g., researchers, client administrators)
- Visitors to our sites
For most client projects, we act as a processor/service provider to the client (the controller/business) for participant data. We act as a controller/business only for data about our own website/app users, prospects, and vendors.
2) Key definitions
- Personal Information / Personal Data: information relating to an identified or identifiable person.
- Sensitive Personal Information (SPI): e.g., precise geolocation, government IDs, financial account credentials, health data, race/ethnicity, biometrics used to identify you, etc.
- Sell / Share (CCPA/CPRA): “Sell” means disclosure for monetary or other valuable consideration; “Share” means cross‑context behavioral advertising.
- Our position: We do not sell or share Personal Information and we do not engage in targeted advertising.
3) Notice at Collection (categories, sources, purpose, retention)
We collect data from you/your device, our clients, service providers, and public sources. We keep data only as long as needed for the purposes below or as required by law, then delete or de‑identify it (see §9).
| Category (examples) | Sources | Purposes (examples) | Typical retention | Sold? | Shared? |
|---|---|---|---|---|---|
| Identifiers (name, email, account ID, IP) | You; Client; Device | Account/authentication; project delivery; security; fraud prevention | Project data: project term + up to 24 months; Account: life of account + 24 months | No | No |
| Demographics (age range, occupation) | You; Client | Research segmentation/reporting per client instructions | Project term + 24 months | No | No |
| Internet/Network activity (logs, device info, pages viewed, cookies) | Device; Analytics vendors | Site/app performance and security | 13–24 months | No | No |
| Audio/Visual (interviews, voice, images) | You | Transcription, analysis, reporting to client per contract/consent | Project term + client-specified period; default 24 months unless contract says otherwise | No | No |
| Commercial information (invoices, payments) | You; Client | Billing, accounting, tax | 7 years (or local law) | No | No |
| Geolocation (approx. via IP) | Device | Security; fraud/abuse detection; analytics | 13–24 months | No | No |
| Sensitive PI (only with notice/consent) | You | Study-specific purposes per client instructions | Project term + 24 months (unless law/contract shorter) | No | No |
We do not use or disclose SPI to infer characteristics, except where strictly necessary or permitted by law.
4) Legal bases for processing (GDPR/UK GDPR)
- Contract necessity (Art. 6(1)(b)) to provide the Services to clients and participants.
- Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and service improvement, after balancing with your rights.
- Consent (Art. 6(1)(a)) for certain study data and optional cookies (where required)
- Legal obligation (Art. 6(1)(c)) for tax, accounting, and regulatory requirements.
Where special category data (Art. 9) is processed, we rely on explicit consent or other applicable conditions and client instructions.
5) How we use Personal Information
Deliver and administer projects; capture diaries, interviews, and focus groups; generate transcripts and insights; operate, secure, troubleshoot, and improve the Services; communicate about accounts, updates, and security alerts; process payments and prevent fraud; comply with law and enforce terms. We do not engage in automated decision‑making that produces legal or similarly significant effects without human involvement
6) How we disclose information
We disclose Personal Information only to:
- Service providers/processors under written contracts (cloud hosting, content delivery, transcription, analytics, billing, support) with confidentiality and use‑limitation;
- Clients (primarily aggregated/pseudonymized outputs; identifiable clips only per consent/ instructions);
- Legal/safety recipients where required by law; and
- Business transfers (merger/acquisition) with notice and honoring existing commitments.
We do not sell or share Personal Information.
7) International transfers
Our infrastructure and vendors may be located in the U.S. and other countries. We implement appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum/IDTA, plus supplementary technical/organizational measures(e.g., encryption, least‑privilege, logging). The data exporter performs any required Transfer Impact Assessment (TIA); we provide inputs and implement measures. Default cloud processing regions are selected per project (e.g., eu‑west‑1 primary, others as instructed).
8) Cookies & similar technologies
We use essential cookies for core functions and minimal analytics to understand site/app performance and security. We do not use advertising or cross‑context behavioral advertising tags. Where consent is required (e.g., EEA/UK), you can manage preferences via our Cookie Settings link.
9) Data retention & de‑identification
We retain Personal Information only as long as necessary for the purposes above or to comply with law, then securely delete or de‑identify it. De‑identified data is maintained without re‑identification, except as permitted by law.
10) Security
We employ administrative, technical, and physical safeguards aligned to industry standards (e.g., encryption in transit/at rest, MFA/least‑privilege access, logging/monitoring, vulnerability/patch management, backups/DR, secure SDLC, staff training). No method of transmission or storage is 100% secure.
11) Your rights & how to exercise them
- GDPR/UK GDPR: You may request access, rectification, erasure, restriction, portability, objection, and withdraw consent without affecting prior processing. You may lodge a complaint with your supervisory authority.
- CCPA/CPRA & other U.S. states: Rights include know/access, correct, delete, portability, opt‑out of sale/share, limit SPI (CA), and non‑discrimination; some states include an appealright.
- When we act as processor/service provider: For participant data processed on a client’s behalf, please contact the client(controller/business). We will assist them in fulfilling your request.
- Verification & authorized agents: We verify requests (e.g., via account login or email). Authorized agents must provide proof of authority and, where required, the consumer’s verification.
- Opt‑out of sale/sharing: we do not sell or share Personal Information and do not engage in targeted advertising. We honor applicable browser signals where required by law.
Requests may be submitted to privacy@enumerate.ai or via our privacy request portal: enumerate.ai/privacy-request