Privacy Policy
Effective Date: Nov 1, 2025
Entity: Enumerate AI Inc. (“Enumerate AI”, “we”, “us”, “our”)
Registered Address: 8 The Green, Suite B, Dover, DE 19901, USA
Contact: privacy@enumerate.ai
1) What this Policy covers
This Policy explains how we collect, use, disclose, and protect Personal Information when you use our websites, web apps, mobile apps, or services (the “Services”). It applies to:
- Participants (e.g., interviewees, diary/app users, panelists)
- Client users (e.g., researchers, client administrators)
- Visitors to our sites
For most client projects, we act as a processor/service provider to the client (the controller/business) for participant data. We act as a controller/business only for data about our own website/app users, prospects, and vendors.
2) Key definitions
- Personal Information / Personal Data: information relating to an identified or identifiable person.
- Sensitive Personal Information (SPI): e.g., precise geolocation, government IDs, financial account credentials, health data, race/ethnicity, biometrics used to identify you, etc.
- Sell / Share (CCPA/CPRA): “Sell” means disclosure for monetary or other valuable consideration; “Share” means cross‑context behavioral advertising.
- Our position: We do not sell or share Personal Information and we do not engage in targeted advertising.
3. Notice at Collection (Categories, Sources, Purpose, Retention)
We collect data from you/your device, our clients, service providers, and public sources. We keep data only as long as needed for the purposes below or as required by law, then delete or de‑identify it (see §9).
| Category | Sources | Purposes | Typical Retention | Sold/Shared? |
|---|---|---|---|---|
| Identifiers (Name, email, account ID, IP) | You; Client; Device | Account/authentication; project delivery; security; fraud prevention | Project data: Project term + 24 months Account: Life of account + 24 months | No |
| Demographics (Age range, occupation) | You; Client | Research segmentation/reporting per client instructions | Project term + 24 months | No |
| Internet/Network Activity (Logs, device info, pages viewed) | Device; Analytics vendors | Site/app performance and security | 13–24 months | No |
| Audio/Visual (Interviews, voice, images) | You | Transcription, analysis, reporting to client per contract/consent | Project term + client-specified period (default 24 months) | No |
| Commercial Information (Invoices, payments) | You; Client | Billing, accounting, tax | 7 years (or per local law) | No |
| Geolocation (Approx. via IP) | Device | Security; fraud/abuse detection; analytics | 13–24 months | No |
| Sensitive PI (Only with notice/consent) | You | Study-specific purposes per client instructions | Project term + 24 months (unless law/contract shorter) | No |
Note: We do not use or disclose SPI to infer characteristics, except where strictly necessary or permitted by law.
4. Legal Bases for Processing (GDPR/UK GDPR)
- Contract Necessity (Art. 6(1)(b)): To provide the Services to clients and participants.
- Legitimate Interests (Art. 6(1)(f)): For security, fraud prevention, and service improvement, after balancing with your rights.
- Consent (Art. 6(1)(a)): For certain study data and optional cookies (where required).
- Legal Obligation (Art. 6(1)(c)): For tax, accounting, and regulatory requirements.
Special Category Data (Art. 9): We rely on explicit consent or other applicable conditions and client instructions.
5. How We Use Personal Information & AI Transparency
We use Personal Information to deliver and administer projects; capture diaries, interviews, and focus groups; generate transcripts and insights; operate, secure, troubleshoot, and improve the Services; communicate about accounts, updates, and security alerts; process payments and prevent fraud; and comply with law and enforce terms.
AI Transparency Statement
Our AI is Purely Supportive.
We utilize Artificial Intelligence (AI) technologies to assist in data analysis, transcription, and summarization. It is important to note:
- Human-in-the-Loop: Our AI tools are designed to augment human intelligence, not replace it. All critical outputs are intended for human review.
- No Automated Decision-Making: We do not engage in fully automated decision-making (including profiling) that produces legal effects or similarly significantly affects you without human involvement.
6. How We Disclose Information
We disclose Personal Information only to:
- Service Providers/Processors: Under written contracts (cloud hosting, content delivery, transcription, analytics, billing, support) with confidentiality and use‑limitation.
- Clients: Primarily aggregated/pseudonymized outputs; identifiable clips only per consent/instructions.
- Legal/Safety Recipients: Where required by law.
- Business Transfers: In merger/acquisition scenarios, with notice and honoring existing commitments.
We do not sell or share Personal Information.
7. International Transfers
Our infrastructure and vendors may be located in the U.S. and other countries. We implement appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum/IDTA, plus supplementary technical/organizational measures(e.g., encryption, least‑privilege, logging). The data exporter performs any required Transfer Impact Assessment (TIA); we provide inputs and implement measures. Default cloud processing regions are selected per project (e.g., eu‑west‑1 primary, others as instructed).
8. Cookies & Similar Technologies
We use essential cookies for core functions and minimal analytics to understand site/app performance and security. We do not use advertising or cross‑context behavioral advertising tags. Where consent is required (e.g., EEA/UK), you can manage preferences via our Cookie Settings link.
9. Data Retention & De‑identification
We retain Personal Information only as long as necessary for the purposes above or to comply with law, then securely delete or de‑identify it. De‑identified data is maintained without re‑identification, except as permitted by law.
10. Security
We employ administrative, technical, and physical safeguards aligned to industry standards (e.g., encryption in transit/at rest, MFA/least‑privilege access, logging/monitoring, vulnerability/patch management, backups/DR, secure SDLC, staff training). No method of transmission or storage is 100% secure.
11. Your Rights & How to Exercise Them
- GDPR/UK GDPR: You may request access, rectification, erasure, restriction, portability, objection, and withdraw consent without affecting prior processing. You may lodge a complaint with your supervisory authority.
- CCPA/CPRA & US States: Rights include know/access, correct, delete, portability, opt‑out of sale/share, limit SPI (CA), and non‑discrimination; some states include an appeal right.
- Global Privacy Control (GPC): We honor applicable browser signals (GPC) where required by law.
- When we act as Processor: For participant data processed on a client's behalf, please contact the client(controller/business). We will assist them in fulfilling your request.
- Verification: We verify requests (e.g., via account login or email). Authorized agents must provide proof of authority.
Contact: Requests may be submitted to privacy@enumerate.ai or via our privacy request portal: enumerate.ai/privacy-request
12. EU & UK Privacy Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the United Kingdom (UK) and European Union (EU).
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website:
https://app.prighter.com/portal/11913438326
13. Dispute Resolution
This Privacy Policy and any disputes related thereto shall be governed by and construed in accordance with the laws of the State of Delaware, USA.