At its core, Sticky by Tobii is about understanding people. To be able to do so, we process information about the response of study participants, some of which may constitute personal data. This white paper outlines how Sticky by Tobii handles personal data, and how we ensure privacy of study participants is always respected. The General Data Protection Regulation EU (2016/679) (the “GDPR”) is the main regulatory framework under which Sticky by Tobii processes personal data. This document will provide you with the insights needed to understand how Sticky by Tobii meets the regulatory framework of the GDPR. When you use the Sticky by Tobii service, you can rest assured that all data processing is safe, ethical and regulatory compliant. We are responsible for any processing of personal data, and we will not transfer any personal data to you. Staying up to date and governing personal data is a continuous work in progress. We will therefore keep this document updated with any recent questions or improvements not yet included in this description.
This guide is intended to help Sticky by Tobii customers better understand the privacy aspects of Sticky by Tobii. We recommend that you consult with a legal expert to obtain guidance on the specific requirements applicable to your organization, as this guide does not constitute legal advice.
About the Sticky Services
Sticky is a leading provider of cloud-based impact testing and measurement of emotional response to creative material, based on eye tracking with a live audience. A study where response to a stimulus is collected based on eye tracking technology is called an “Experiment” in this document. Our services are available both in consultancy form, in which we deliver a complete analysis, and in the form of access to our web-based platform, which enables you to independently design and execute an Experiment.
Experiments are based on one of the following two technologies:
- Webcam eye tracking, based on collection and analysis of video recordings of participants,
- Tobii hardware eye tracking, based on analysis of gaze data as collected by Tobii’s proprietary eye tracking hardware.
Personal data collected, stored and processed by Sticky
Sticky is designed with privacy in mind. Data collection is limited to what is strictly needed for an Experiment. Sticky records and analyzes the following data:
Video (if webcam)
Videos are recorded using the participant’s webcam. The recording uses a virtual guide (a set of .jpg images followed by instructions) assisting the Participant in his or her participation in the Experiment. During this process, the participant is instructed on where and how to sit in relation to the webcam’s recording area. This is to ensure that the video capture is limited to those parts (e.g. face, head) of the participant that are necessary to perform the Experiment. The Participant is instructed to make sure that no other individuals are present for the duration of the Experiment.
Screen recording (if web element)
When a web element is used in an experiment, the participants’ screen will be captured during the time that the web element is displayed on the screen. Participants will be asked to share their desktop screen before the recording starts. The screen recording may in some cases constitute collecting personal data, but we strongly recommend that you design experiments that do not collect personal data.
Hardware based eye tracking (by use of Tobii proprietary eye tracking technology)
Tobii hardware only records gaze data (by which is meant where on the screen a participant is looking). As the technology is based on near-infrared technology, no video of the participant is recorded. The output from this type of data collection does not constitute personal data, as it is not possible to identify an individual based on output data.
Ancillary Data Collected
Survey tool data
A survey tool is included in the Sticky service. It makes it possible to pose ancillary questions to participants as part of an Experiment. If survey questions are poorly designed, the answers to them may constitute personal data; however, that is typically not the case.
Panel specification (only applicable for webcam-based experiments)
Panel specification questions could, like survey questions, potentially contain identifiable data or sensitive data.
Data which is not collected by Sticky
By design, our system does not receive, record or process any of the following: IP address (other than as is strictly necessary for transferring data over the internet), participants’ name (surname, given name), location data (address, postal number or similar), telephone number(s), social security number.
In some instances, panel providers provide a code for each panelist which may be recorded in our systems. If combined with the information held by the panel provider, such code may enable the identification of a panelist. We will however never support any such action. The code is used to re-invite panelists that participated in a previous experiment.
No Transfer of Personal Data from Us to You (Sticky as Controller)
While the Sticky by Tobii service relies on the close study of participants’ attention, we will never transfer any actual personal data to you. Any reports that you receive will be scrubbed of identifying information. This enables you to treat the reports freely, without having to exercise caution to protect the privacy of the participants or to comply with GDPR.
Purpose and legal grounds
Typically, we collect data either on the basis of a legitimate interest, or consent. Sticky is a cutting-edge neuromarketing tool providing you as a client unique insight into the behaviors and preferences of consumer and user groups. The data collected is used to build a view of a population’s (panel’s) gaze or emotional response to a stimulus. We have cautiously limited the amount of data collected, processed and stored, and have taken measures to govern this data and, to the largest extent possible, anonymize it.
Participants are informed of the data collected, its intended use, and how and why it is stored. Participants must consent to these terms before any privacy data is or can be shared with Tobii. Data is only recorded and processed in accordance with the consent.
Retention
Survey questions and panel specifications are anonymized in accordance with our storage policy and subsequently do not constitute personal data. Webcam video recordings and screen recordings are stored for up to 90 days for quality assurance, after which they are deleted.
Data transfer
Sticky data centers are located at AWS in the U.S., East coast. Data is transferred to this location regardless of where the data is collected. Personal data may be transferred to other countries in accordance with the Tobii Group Privacy Policy.
Data Processing Agreements
When using Sticky by Tobii, no personal data will be transferred to you. Thus, it is not necessary for us and you to enter into a Data Processing Agreement.
In the event of a breach
Tobii has established routines, procedures and resources to ensure that a possible breach is reported, evaluated and acted upon in a timely and adequate manner and, if needed, reported to applicable authorities.
Data Protection Officer
The Data Protection Office organizes and is responsible for compliance with GDPR at Tobii. The Data Protection Officer at Tobii can be contacted at dpo@tobii.com for privacy-related questions.
We hope this document answered your questions regarding how we govern data and comply with the GDPR framework. Please let us know in case you still have any unanswered questions; we would be happy to explain any parts further to you!