Research Participant Privacy Policy

1. Who We Are and Our Role

eye square GmbH, Schlesische Straße 29-30, 10997 Berlin, Germany, operates the InContext online research platform. In the context of studies commissioned by third-party clients (the “Controller”), eye square acts as a Data Processor, processing participant data solely on behalf of and under the instructions of the commissioning client, in accordance with a Data Processing Agreement (DPA).

For questions about this Privacy Policy or data processing practices, please contact:

2. How You Access the Study

You access the InContext platform via a unique study link provided by the commissioning research client or a panel provider. eye square does not issue invitations directly to participants and does not have access to your contact details, panel registration data, or any information used to recruit you for the study.

Your participation in the study is voluntary. By proceeding past the consent screen, you agree to the data collection described in this policy.

3. What Data We Collect and Why

3.1 Study ID Variables (CI / TIC Variables)

To link your behavioral responses to the study dataset, the study link you receive contains one or more participant identifier parameters (referred to as “CI variables” or “TIC variables”). These identifiers are generated and assigned by the panel provider or commissioning client — not by eye square.

eye square stores these identifiers solely for the purpose of enabling data matching at the conclusion of the study. We do not independently hold the mapping between these identifiers and your personal identity. Such a mapping, if it exists, is held exclusively by the panel provider or commissioning client.

3.2 Behavioral Interaction Data

As you navigate the simulated media environment within the InContext platform, our system records your interactions — such as clicks, scroll behavior, viewing time, and responses to study stimuli. This data is linked exclusively to your CI variable and is used solely for the purposes defined in the applicable study scope.

No camera, microphone, biometric, or physiological data is collected at any point during this study type. The platform does not access or activate any such device capabilities.

3.3 IP Address

As is technically unavoidable with any web-based service, your IP address is transiently visible on eye square’s web servers at the point of connection. eye square does not store, analyze, or use your IP address for any purpose beyond establishing the technical connection required to serve the study. IP addresses are discarded upon session end and are not included in any research dataset or output.

4. What We Do Not Collect

eye square does not collect, store, or process any of the following in connection with InContext studies:

• Your name, email address, postal address, or any other directly identifying personal information
• Camera, webcam, microphone, or biometric data (no eye tracking in this study type)
• Persistent cookies, third-party cookies, pixel tags, or local storage technologies
• Device fingerprints, MAC addresses, IMEI numbers, or unique device identifiers
• Geolocation data
• Browser history or data from other applications on your device
• Social media profiles or account data

5. Data Retention

Respondent-level data (CI variables and associated behavioral interaction data) is retained for a maximum of 12 months following project completion, unless a shorter retention period is specified in the applicable Statement of Work (SOW) or Data Processing Agreement. Note: For studies involving personal data such as audio or video recordings (not applicable to InContext browser-based studies), a standard retention period of three months applies after study completion.

Upon expiry of the retention period, respondent-level data is permanently deleted or irreversibly anonymized. Aggregated, non-identifiable research outputs (such as summary statistics and study reports) may be retained beyond this period.

6. Data Sharing and Disclosure

eye square does not sell, rent, or otherwise disclose participant data to any third party for commercial, advertising, or any purpose other than the delivery of the contracted research services.

Data may be shared in the following limited circumstances:

• Commissioned research delivery: With the commissioning client
• Sub-processors: As strictly required for platform operation (e.g., hosting infrastructure), subject to appropriate data processing agreements
• Legal obligation: Where required by applicable law or regulatory authority

All sub-processors engaged by eye square are bound by contractual obligations no less protective than those set out in this policy.

7. California Consumer Privacy Act (CCPA)

To the extent you are a California resident, the following additional rights and disclosures apply under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• eye square does not sell or share your personal information with third parties for cross-context behavioral advertising or any commercial purpose.
• Personal information collected in connection with this study is used solely for the research purposes described in this policy.
• You have the right to know what personal information is collected about you, to request deletion of your personal information, and to opt out of the sale or sharing of personal information (though no such sale or sharing takes place).
• To exercise your CCPA rights, please contact us at dataprotection@eye-square.com. Please note that, as eye square holds only pseudonymous CI variables and does not have access to your name or contact details, we may need to work with the commissioning client or panel provider to locate and fulfill your request.

8. Your Rights Under GDPR

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access (Art. 15): to obtain confirmation of whether we process your personal data and receive a copy thereof
• Right to rectification (Art. 16): to have inaccurate data corrected
• Right to erasure (Art. 17): to request deletion of your data under certain conditions
• Right to restriction of processing (Art. 18): to request that processing be restricted in certain circumstances
• Right to object (Art. 21): to object to processing based on legitimate interests

Given that eye square holds only pseudonymous identifiers and does not have direct access to your identity, we may need to engage the commissioning client or panel provider to fulfill your request. To exercise these rights, please contact dataprotection@eye-square.com.

You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for eye square GmbH is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59-61, 10555 Berlin.

9. International Data Transfers

eye square processes data within the European Union. In cases where study data is transferred to a commissioning client located outside the EU/EEA (e.g., the United States), such transfers are governed by the applicable Data Processing Agreement and, where required, standard contractual clauses (SCCs) as adopted by the European Commission.

10. Security

eye square implements appropriate technical and organizational measures to protect participant data against unauthorized access, loss, or disclosure. These include encrypted data transmission (TLS), access controls, and pseudonymization of research datasets.

11. Changes to This Policy

eye square may update this Privacy Policy from time to time to reflect changes in legal requirements or our data processing practices. The current version is always available at the URL provided in your study consent screen. The version date is indicated on the first page of this document.

Summary: Data Collected in InContext Studies