The Consumer Neuroscience Company
Education concept: Head With Lightbulb on digital background

Data Privacy Policy

This Privacy Policy provides information about how we process and protect your personal dataNeurons Inc processes the information you provide us, or we collect about you, in accordance with applicable rules. We are aware that your information is processed with respect for the confidentiality of the information and for your privacy. Furthermore, you can find information relating to our services and documents collected through use of these services alongside the reasoning for such collection. 

We strongly advise and encourage that you read our Privacy Policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your personal data in accordance with recent EU regulations.

Here in our personal data policy, you can find information on how we process and protect personal data related to test participants, job applicants, and client information.

Contact and personal data manager

Neurons Inc is the data controller for the personal data that is processed when you are, using our services, including the website. You can contact us at any time via the options below. If your inquiry concerns insight, deletion, correction, limitation, objection or data portability, please read the section “Your rights” first.

Business:
Neurons Inc
Oldenburg Allé 1, 2
2630 Taastrup
Denmark

E-mail: [email protected]

Which personal information we process and for what purpose

Depending on your relationship with us, we treat your personal information in different ways and for different purposes. You can read what applies to the specific area below.

Initially, it should be noted that we only collect the information that you consent on, information necessary to fulfill the relationship with you.

Test participants: We receive your information through online surveys or 3rd party recruitment companies to fulfil our studies for our clients. Consent is given before any questions are answered.

Job applicants: We receive information through our recruitment platform “Zoho recruit” which requires you to accept a 1-year storage of the data upon completion of the form.

Client information: We receive all client information through a “New Client Form” which is sent via e-mail to the specific point of contact.

When we collect and process your personal information, we must have a legal basis to carry out the processing. Our legal basis is consent which constitutes the legal basis for the collection and processing of the following personal data:

– Name
– E-mail
– Phone number
– Region of residence
– Consent

Test participants – outside Denmark

Purpose

How we use the collected personal information

The purpose of the data collection is 1) to ensure that we are testing participants that meet the desired criteria (e.g., based on age, gender), and 2) to assess emotional and cognitive responses to consumer-related products and services.

To this end, we use simple and fully anonymized data from participants who attend our segmented neuroscience studies (we abide by the EU GDPR rules for all studies conducted within the EU). The data is only for a single study at a time and is only stored until the study has been completed.

The legal basis for our processing of personal data

Prior to any test, the participants are requested to thoroughly read and sign a full consent form explaining how we will treat and store all personal, EEG and eye-tracking data. A link to the generic consent form can be found here.

For every study we use 3rd party recruitment companies who will store all your personal data, including but not limited to:

  • Name
  • E-mail
  • Phone number
  • Age
  • Gender
  • Region of residence
  • Consent

For every study we may ask more sensitive questions which can be found below:

  • City of residence
  • If you understand and read English
  • Employment status
  • Handedness
  • If you take any certain type of medicine
  • Which medicine you take
  • If you suffer from any specific psychological diseases like anxiety and depression
  • If you suffer from any neurological diseases like epilepsy and dementia
  • If you suffer from any physical diseases like cancer, severe handicaps or have pacemakers
  • If you are pregnant
  • If you have dreadlocks, wick, extensions or similar
  • If you use glasses in your every day

All the above information is only stored with the recruitment company which will have its own data privacy policy.

Neurons Inc only stores anonymized EEG and eye-tracking data for any country outside Denmark.

Deleting personal data

The Personal Data Act does not contain specific rules on when anonymized EEG and eye-tracking data must be deleted. Specifically, this must be decided by the administration, which acts as the data controller.

The data is only removed in case a participant requests us to remove the information during the study as the data will otherwise be fully anonymized and non-traceable.

As a rule, we merge study data in our database after 5 years.

How to protect your information

Your personal information is stored on secure networks and can only be accessed by a limited number of employees with rights to this type of information. These are also subject to our internal privacy policy, which safeguards your rights and ensures compliance with applicable law in the area. Among all business partners and suppliers who process personal data, a data processing agreement has been prepared.

How we use the collected personal information

All anonymized participant data are stored to ensure we can fulfill our services and products for our clients. As we are a consumer neuroscience company, we produce insights and knowledge through EEG (electroencephalography) and eye-tracking data from participants during in-person interviews. The data are always fully anonymized from the time of recording. This is both to meet the criteria of GDPR, but also to ensure a non-biased analysis of the data. Furthermore, as individual data are never used beyond log number information, there is no additional value in keeping person-sensitive data.

Test participants – within Denmark

Purpose

Is to have a database of potential participants who live in Denmark, specifically Zealand. The data is stored to ensure we can re-use participants for more than one study and that participants can opt-in to be contacted when new studies kick-off. The database of participants is also available for us to easier get in contact with interested participants.

The legal basis for our processing of personal data

Our legal basis is consent which constitutes the legal basis for the collection and processing of personal data. Neurons Inc’s test participant database is stored online in Gdrive through the company Gsuite. All data included in this database can be found below:

  • Name
  • E-mail
  • Phone number
  • Age
  • Gender
  • Region of residence
  • Consent

This data is stored in our database until a participant contacts Neurons Inc or opts out during one of our newsletter rounds.

During each study recruitment phase, more sensitive questions can be asked. These questions can include but are not limited to:

  • City of residence
  • If you understand and read English
  • Employment status
  • Handedness
  • If you take any certain type of medicine
  • Which medicine you take
  • If you suffer from any specific psychological diseases like anxiety and depression
  • If you suffer from any neurological diseases like epilepsy and dementia
  • If you suffer from any physical diseases like cancer, severe handicaps or have pacemakers
  • If you are pregnant
  • If you have dreadlocks, wick, extensions or similar
  • If you use glasses in their every day

All sensitive data is completely destroyed/deleted after the study for all participants who attended the study. All participants who did not attend the study will have their sensitive personal data deleted within 1 month.

Deleting personal data

The Personal Data Act does not contain specific rules on when anonymized EEG and eye-tracking data must be deleted. Specifically, this must be decided by the administration, which acts as the data controller.

The data is only removed in case a participant requests us to remove the information during the study as the data will otherwise be fully anonymized and non-traceable.

As a rule, we merge study data in our database after 5 years.

How to protect your information

Your personal information is stored on secure networks and can only be accessed by a limited number of employees with rights to this type of information. These are also subject to our internal privacy policy, which safeguards your rights and ensures compliance with applicable law in the area. Among all business partners and suppliers who process personal data, a data processing agreement has been prepared.

How we use the collected personal information

All anonymized participant data are stored to ensure we can fulfill our services and products for our clients. As we are a consumer neuroscience company, we produce insights and knowledge through EEG (electroencephalography) and eye-tracking data from participants during in-person interviews. The data are always fully anonymized from the time of recording. This is both to meet the criteria of GDPR, but also to ensure a non-biased analysis of the data. Furthermore, as individual data are never used beyond log number information, there is no additional value in keeping person-sensitive data.

HR recruit

Purpose

To find the right candidates to the positions that we are announcing online or offline. This is mainly done through Zoho Recruit for announcing open positions, and for registering applicants to the positions. Candidate information is stored on the Zoho Recruit platform. Unsolicited applications may also come through e-mail and are uploaded and stored in the Zoho Recruit platform and deleted from all e-mail locations.

For markers recruitment, announcements are only sent out locally on our Danish Facebook page, and through collaboration with local schools. Here, recruitment is done through email, where candidate information is stored until the recruitment process is over after which all non-hired candidate information is deleted from our accounts.

The legal basis for our processing of personal data

Our legal basis is consent which constitutes the legal basis for the collection and processing of personal data. Neurons Inc only store any personal or sensitive personal data in the secured online solution Zoho Recruit. The data stored includes, but are not limited to:

  • Name
  • Address
  • E-mail
  • Date of birth
  • Gender
  • Age
  • Ethnicity
  • Phone number
  • Resume
  • Photo
  • General health information
  • Police records

Deleting personal data

After the first sorting, all profiles that are not selected are deleted, both on email and Zoho Recruit.

When the right candidate has been found and the contract is signed, all candidates are deleted from Zoho Recruit and email.

If we want to keep candidate information, we gather informed consent from the candidate and keep their information for 1 year.

How to protect your information

Your personal information is stored on secure networks and can only be accessed by a limited number of employees with rights to this type of information. These are also subject to our internal privacy policy, which safeguards your rights and ensures compliance with applicable law in the area. Among all business partners and suppliers who process personal data, a data processing agreement has been prepared.

How we use the collected personal information

Prior to data collection, the applicant must consent to the storage of the personal information for 1 year before being able to transfer the resume and application to our servers.
The data is either directly stored in Zoho Recruit or on email. Zoho Recruit also sends a notification about the candidate, with the name and resume enclosed.
Candidate information is deleted if they are sorted away at either stage in the hiring process. The person being hired is transferred to the internal HR system.

Client information

Purpose

Neurons Inc mainly stores personal information on B2B clients as all solutions are for these purposes. We store client data in both Gdrive company Gsuite for specific studies, in our CRM system Monday.com for sales purposes and on e-mail to ensure we can communicate with the clients best possible.

Deleting personal data

The Personal Data Act does not contain specific rules on when anonymized EEG and eye-tracking data must be deleted. Specifically, this must be decided by the administration, which acts as the data controller.

The client data in Gdrive, Monday.com or e-mail will only be deleted from Neurons Inc’s servers in case the client becomes fully inactive.
In the case of inactivity, the client information is deleted after 3 years.

The legal basis for our processing of personal data

The legal basis for the storage of personal data is the connection to the clients either through business cards, in-person meetings, online meetings, direct e-mail or phone contact.

Name and e-mail addresses are obtained either through our newsletter subscription on our website or through [email protected] When the information on a client has been received it is only stored in our Google e-mail system for 3 years or until requested deleted.

How to protect your information

Your personal information is stored on secure networks and can only be accessed by a limited number of employees with rights to this type of information. These are also subject to our internal privacy policy, which safeguards your rights and ensures compliance with applicable law in the area. Among all business partners and suppliers who process personal data, a data processing agreement has been prepared.

How we use the collected personal information

All client data is only used for sales or project purposes to ensure Neurons Inc’s and the client’s best interest. The data is well protected and only used for the purposes described above.

Who we transfer and pass on personal information to

We use a number of external companies and services that process personal data on our behalf. These are ‘data processors’ for us. For all our data processors, we have entered into data processing agreements that ensure that our requirements for the protection of personal data are followed. Common to these is that we only transfer data. The data that we transmit belong to us and are not used for own purposes by the external company.

To the extent possible, we use data processors with datacenters located in the EU / EEA so that personal data is not transferred to insecure third countries.

In some cases, we may, under legitimate interest or legal obligation, disclose personal information to external companies. It could be, advisors, insurance companies, SKAT, municipalities and the like. Common to these is that they themselves become data controllers for the personal data they receive from us since they themselves decide purpose etc.

Data security

We have high standards of security, even when it comes to the protection of your personal information.

We make sure that we regularly review our information security policies and where necessary, we improve them. We understand the requirements of confidentiality and integrity. Therefore, we have implemented internal procedures and policies that ensure that we comply with our high-security standards and thus meet the requirements of appropriate technical and organizational security measures. We do our best to ensure the quality and integrity of your personal information. Security on all our IT is built-in and always active. We maintain the best prerequisites for protecting all our data and thus your information entrusted to us. We have Data Processing Agreements with our data servers, and also secured our processing of your information. Our IT security covers for example Malware protection, antivirus, and a firewall.

We as a company carry out risk assessments regularly, by reviewing potential harms and impacts to our system and our customer as well, this allows us to strengthen the safety for you as a customer continuously.

Rights

If you know or have a presumption that we treat personal data about yourself, you have some rights in relation to the treatment. The individual rights are elaborated below.

Should you choose to apply one of its rights, for example by asking for insight into which personal data we treat about yourself, you must contact us via e-mail [email protected].

When we have received the e-mail and subsequently verified the identity – to ensure that we do not provide personal data to unauthorized persons – we initiate the process.

  • The right to be informed: you have the right to be informed about the collection and use of their personal data, we provide in this Privacy Policy, if you have any other questions, please kindly contact us directly.
  • The right of access: you have the right to access your personal data.
  • The right to rectification: you are entitled to have inaccurate personal data rectified or completed if it is incomplete.
  • The right to erasure: you have a right to erasure or a right “to be forgotten”, please bear in mind that such right is not absolute and only applies to certain situations.
    The right to restrict processing: you have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances.
  • The right to object: the right to object to the processing of their personal data in certain circumstances.

You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone as a legal representative).

The above may be limited for the protection of other persons’ privacy, business secrets, intellectual property rights or other legal obligations that precede the above rights. You can also contact us if you have questions about the above, or if you believe your personal data is being processed in violation of the law.

Data requirements for data surveillance/data subject

We are obliged to inform the Data Inspectorate “Datatilsynet” if we have a data breakdown. Data burst can be several things. There may be unintended data that has been sent to error recipient, hacker attack, and so on. If we experience this, we will contact the Data Inspectorate within 72 hours, and in some cases the data subject. Michael Nielsen (DPO) is also helpful and will be notified of these cases.

Complaints and concerns

Please kindly contact us directly if you have any questions or concerns in regards to your personal data. If you have any complaints, we are willing to solve them together. We will address your request without undue delay and at the latest within one month of receipt. We may extend the time to respond by a further two months if the request is complex or we have received a number of requests from you personally.

Nevertheless, you are entitled to file a complaint with the Data Inspectorate if you are unhappy with the way we process your personal information. You will find the Data Inspectorate’s contact information at www.datatilsynet.dk

Changes to the Privacy Policy

The Privacy policy is continually modified when necessary. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this Privacy Policy or other notice on the Website. We strongly encourage and advise you to review this Privacy Policy often to stay informed of changes that may affect you, as your continued use of the Website signifies your continuing consent to be bound by this Privacy Policy. By all means, properly stored copies of this Privacy Policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this Privacy Policy. You can always see when the policy was last updated at the bottom of this page.

This document is version 1.0.1

The last update was September 18. 2019