Legal

Privacy Statement

Last updated: 09-02-2026

Chiasm B.V.

Chiasm B.V. (“Chiasm”, “we”, “us”, “our”) provides a cloud-based eye-tracking service that enables researchers and organisations to collect gaze data via participants’ webcams.

This Privacy Statement explains how we process personal data when:

  • You visit our website
  • You use our cloud-based services as a customer or user
  • You participate in a study using the Chiasm service

We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Introduction

This Privacy Statement applies to our website, our cloud-based services, and studies conducted using the Chiasm service.

2. Identity of the Data Controller

For the purposes of this Privacy Statement:

Chiasm B.V.

Amsterdam, The Netherlands

Registered with the Dutch Chamber of Commerce (KvK) under number 99335719

Email: privacy@chiasm.eu

Depending on the context, Chiasm acts either as a data controller or as a data processor, as further explained below.

3. Processing Roles: Controller vs Processor

3.1 When Chiasm acts as data processor

When you participate in a research study or test conducted by a university, research institute, or organisation using the Chiasm service:

  • That organisation acts as the data controller
  • Chiasm acts as a data processor

In that case:

  • The controller determines the purpose and legal basis
  • The controller is responsible for informing you and obtaining consent
  • Chiasm processes data only on documented instructions of the controller under a Data Processing Agreement

If you have questions about a specific study, you should contact the organisation conducting the study.

3.2 When Chiasm acts as data controller

Chiasm acts as data controller for:

  • Website visitors
  • Users of our platform (account holders)
  • Participants who explicitly consent to storage and reuse of webcam images for Chiasm’s own research and product development

4. Categories of Personal Data

Depending on the context, we may process the following categories of data:

4.1 Website visitors

  • IP address
  • Browser and device information
  • Usage data (pages visited, timestamps)

4.2 Platform users (researchers / customers)

  • Name
  • Email address
  • Login credentials
  • Account and project information
  • Communication data

4.3 Research participants (as processor)

Depending on configuration and consent:

  • Webcam images (calibration / validation phase only)
  • Pseudonymous calibration models and training data
  • Technical metadata (timestamps, session IDs, browser information)

Gaze coordinates provided to researchers are processed in a pseudonymised or anonymised manner and do not directly identify individuals when no longer reasonably linkable to an identifiable person.

5. Purposes of Processing

We process personal data for the following purposes:

5.1 Website and communication

  • Operating and securing our website
  • Responding to inquiries
  • Marketing and information about our services, where permitted under applicable law and, where required, based on consent

5.2 Service provision

  • Providing access to the Chiasm platform
  • Operating, maintaining, and securing the service
  • Supporting integration and onboarding

5.3 Research and product development (only with explicit consent)

  • Improving gaze estimation algorithms
  • Validating and developing new features
  • Internal research and quality control

6. Legal Bases

We rely on the following legal bases:

6.1 Contract (Art. 6(1)(b) GDPR)

  • For user accounts
  • For service provision to customers

6.2 Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)

Where Chiasm acts as data controller:

  • For storage and reuse of webcam images for Chiasm’s own research and product development, based on separate explicit consent

Where Chiasm acts as data processor:

  • The legal basis for participation in studies is determined by the respective controller

6.3 Legitimate interests (Art. 6(1)(f) GDPR)

  • Website security and analytics
  • Improvement of anonymised or aggregated services

7. Webcam Images and Gaze Processing (Important)

7.1 Real-time processing

During participation in a study:

  • Webcam images are processed in working memory to calculate gaze positions
  • No permanent storage of images takes place during the experimental phase

7.2 Calibration and validation

During calibration and validation:

  • Short sequences of webcam frames may be stored
  • Storage takes place only with explicit consent
  • Only for internal research and product development

8. Recipients and Transfers

Personal data are primarily processed and stored within the European Economic Area on servers located in the Google Cloud Platform (Europe region).

Where processing outside the EEA is required, transfers take place only:

  • To recipients certified under the EU-US Data Privacy Framework, or
  • On the basis of Standard Contractual Clauses (Art. 46 GDPR)

We do not sell personal data to third parties.

9. Retention Periods

We retain personal data only as long as necessary:

  • Gaze positions: Up to 90 days, then anonymised or deleted
  • Webcam images (if consented): Up to 1 year
  • Calibration models: Until end of session
  • Logging: Up to 6 months
  • User accounts: For duration of account

10. Security Measures

We implement appropriate technical and organisational measures, including, where applicable:

  • Encryption in transit and at rest using industry-standard methods
  • Role-based access control
  • Segregated environments
  • Logging and monitoring

11. Your Rights

Where Chiasm acts as data controller, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data
  • Restrict processing
  • Object to processing
  • Data portability

Where Chiasm acts as processor, you should contact the organisation conducting the study, which will handle your request as data controller. Chiasm will provide assistance where required.

12. Withdrawal of Consent

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

This applies where Chiasm acts as data controller.

13. Complaints

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence or the Netherlands (Autoriteit Persoonsgegevens).

14. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. The latest version will always be published on our website.

15. Contact

For questions about this Privacy Statement or our processing activities:

Chiasm B.V.

Email: privacy@chiasm.eu