Chiasm Logo
Use casesHow it worksPlatformPricingTeamFAQDocs
Log inRequest demo
Chiasm Logo
Use casesHow it worksPlatformPricingTeamFAQDocs
Request demoLog in

Legal

Privacy Statement

Last updated: 19-06-2026

Chiasm B.V.

Chiasm B.V. (“Chiasm”, “we”, “us”, “our”) provides a cloud-based eye-tracking service that enables researchers and organisations to collect gaze data via participants’ webcams.

This Privacy Statement explains how we process personal data when:

  • You visit our website
  • You use our cloud-based services as a customer or user
  • You participate in a study using the Chiasm service

We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Introduction

This Privacy Statement applies to our website, our cloud-based services, and studies conducted using the Chiasm service.

2. Identity of the Data Controller

For the purposes of this Privacy Statement:

Chiasm B.V.

Amsterdam, The Netherlands

Registered with the Dutch Chamber of Commerce (KvK) under number 99335719

Email: privacy@chiasm.eu

Depending on the context, Chiasm acts either as a data controller or as a data processor, as further explained below.

3. Processing Roles: Controller vs Processor

3.1 When Chiasm acts as data processor

When you participate in a research study or test conducted by a university, research institute, or organisation using the Chiasm service:

  • That organisation acts as the data controller
  • Chiasm acts as a data processor

In that case:

  • The controller determines the purpose and legal basis
  • The controller is responsible for informing you and obtaining consent
  • Chiasm processes data only on documented instructions of the controller under a Data Processing Agreement

If you have questions about a specific study, you should contact the organisation conducting the study.

3.2 When Chiasm acts as data controller

Chiasm acts as data controller for:

  • Website visitors
  • Users of our platform (account holders)
  • Participants who explicitly consent to storage and reuse of webcam images for Chiasm’s own research and product development

4. Categories of Personal Data

Depending on the context, we may process the following categories of data:

4.1 Website visitors

  • IP address
  • Browser and device information
  • Usage data (pages visited, timestamps, interactions such as sections viewed and links clicked)
  • Analytics cookies and similar technologies via Google Analytics 4, only if you accept analytics cookies in our cookie banner
  • Your analytics consent choice, stored locally in your browser (local storage)

We use Google Analytics 4 to understand how visitors use our website. Google may process data on servers outside the EEA; see Section 8. You can change or withdraw analytics consent at any time via the cookie settings link in our website footer; previously collected data may remain in aggregated form. For more information, see Google's Privacy Policy.

4.2 Platform users (researchers / customers)

  • Name
  • Email address
  • Login credentials
  • Account and project information
  • Organisation, subscription, plan, trial, usage, and entitlement information
  • Billing contact details, billing address, VAT or tax ID, invoice, receipt, and payment status information
  • Communication data

Payment card numbers and other raw payment method details are processed by our payment provider, Stripe. Chiasm does not receive or store full card numbers.

4.3 Research participants (as processor)

Depending on configuration and consent:

  • Webcam images (calibration / validation phase only)
  • Pseudonymous calibration models and training data
  • Technical metadata (timestamps, session IDs, browser information)

Gaze coordinates provided to researchers are processed in a pseudonymised or anonymised manner and do not directly identify individuals when no longer reasonably linkable to an identifiable person.

5. Purposes of Processing

We process personal data for the following purposes:

5.1 Website and communication

  • Operating and securing our website
  • Responding to inquiries
  • Marketing and information about our services, where permitted under applicable law and, where required, based on consent

5.2 Service provision

  • Providing access to the Chiasm platform
  • Operating, maintaining, and securing the service
  • Supporting integration and onboarding

5.3 Billing and account administration

  • Creating and managing customer accounts, subscriptions, trials, and entitlements
  • Processing checkout, payment, invoices, receipts, and billing portal sessions through Stripe
  • Calculating metered usage, overage fees, taxes, VAT, and billing status
  • Preventing billing abuse, handling failed payments, and resolving billing disputes

5.4 Research and product development (only with explicit consent)

  • Improving gaze estimation algorithms
  • Validating and developing new features
  • Internal research and quality control

6. Legal Bases

We rely on the following legal bases:

6.1 Contract (Art. 6(1)(b) GDPR)

  • For user accounts
  • For service provision to customers
  • For subscription management, checkout, payment handling, and billing support

6.2 Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)

Where Chiasm acts as data controller:

  • For storage and reuse of webcam images for Chiasm’s own research and product development, based on separate explicit consent
  • For website analytics cookies (Google Analytics 4), based on your choice in our cookie banner

Where Chiasm acts as data processor:

  • The legal basis for participation in studies is determined by the respective controller

6.3 Legitimate interests (Art. 6(1)(f) GDPR)

  • Website security
  • Improvement of anonymised or aggregated services
  • Fraud prevention, billing abuse prevention, and dispute handling

6.4 Legal obligations (Art. 6(1)(c) GDPR)

  • For tax, accounting, invoicing, and statutory record-keeping obligations

7. Webcam Images and Gaze Processing (Important)

7.1 Real-time processing

During participation in a study:

  • Webcam images are processed in working memory to calculate gaze positions
  • No permanent storage of images takes place during the experimental phase

7.2 Calibration and validation

During calibration and validation:

  • Short sequences of webcam frames may be stored
  • Storage takes place only with explicit consent
  • Only for internal research and product development

8. Processors, Recipients, and Transfers

Infrastructure. Personal data are primarily processed and stored within the European Economic Area on servers located in the Google Cloud Platform (Europe region). Google Cloud Platform provides cloud hosting and storage as a sub-processor on our behalf. It does not access personal data except as necessary to provide those infrastructure services and does not use it for its own purposes.

Other service providers. Where necessary to provide, secure, and bill for the Service, we also use processors who process personal data on our instructions, including:

  • Stripe, for hosted checkout, payment processing, subscription management, billing address and tax ID management, invoices, receipts, payment status, and billing portal sessions
  • Professional advisers, authorities, or counterparties where required for legal, tax, accounting, or dispute-resolution purposes

We do not sell personal data to third parties. We also do not receive or store full payment card numbers processed by Stripe.

Website analytics may be processed by Google LLC (Google Analytics 4) as a processor on our behalf when you accept analytics cookies.

Where processing outside the EEA is required, transfers take place only:

  • To recipients certified under the EU-US Data Privacy Framework, or
  • On the basis of Standard Contractual Clauses (Art. 46 GDPR)

9. Retention Periods

We retain personal data only as long as necessary:

  • Gaze positions: Up to 90 days, then anonymised or deleted
  • Webcam images (if consented): Up to 1 year
  • Calibration models: Until end of session
  • Logging: Up to 6 months
  • User accounts: For the duration of the account; following account termination, account data may remain available for export for up to 60 days, then deleted in accordance with the DPA and these retention periods unless retention is required by law
  • Subscription, billing, and entitlement records: For the duration of the account and as long as needed for billing, dispute handling, tax, accounting, and legal obligations
  • Invoices and tax records: For the statutory retention period required under applicable law

Payment method details stored in Stripe are retained by Stripe according to Stripe's services and your billing portal settings.

10. Security Measures

We implement appropriate technical and organisational measures, including, where applicable:

  • Encryption in transit and at rest using industry-standard methods
  • Role-based access control
  • Segregated environments
  • Logging and monitoring
  • Hosted payment collection through Stripe so raw card data is not handled by Chiasm systems

11. Your Rights

Where Chiasm acts as data controller, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data
  • Restrict processing
  • Object to processing
  • Data portability

Where Chiasm acts as processor, you should contact the organisation conducting the study, which will handle your request as data controller. Chiasm will provide assistance where required.

12. Withdrawal of Consent

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

This applies where Chiasm acts as data controller.

13. Complaints

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence or the Netherlands (Autoriteit Persoonsgegevens).

14. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. The latest version will always be published on our website.

15. Contact

For questions about this Privacy Statement or our processing activities:

Chiasm B.V.

Email: privacy@chiasm.eu

Chiasm Logo

Browser-native eye tracking for modern research teams.

Product

How it worksPlatformPricingFAQ

Company

Chiasm B.V.

Amsterdam, The Netherlands

KvK Number: 99335719

Legal

Privacy policyTerms of serviceData Processing Agreement

Connect

contact@chiasm.eu

Request demo

© 2026 Chiasm. Built for the future of behavioral science. ·