Privacy Policy

1. Person Responsible for the Protection of Personal Information

In accordance with Québec's Act respecting the protection of personal information in the private sector (Law 25), the person responsible for the protection of personal information at Enlightn is:

Adrien Vermeirsch - Founder & CEO - privacy@enlightn.io

You may contact this person for any question, request, or complaint related to the handling of your personal information.

2. Information We Collect

A. Client Information

When you create an account or use our platform as a research buyer, we collect:

• Email address

• Name and company information

• IP address

• Account credentials

• Usage data related to the platform (pages visited, features used)

• Communication records (emails, support requests)

B. Respondent Information

When individuals complete our profiling questionnaire (currently hosted through Fillout), we collect the following categories of information. This data is used to build participant profiles for matching to market research studies.

• Demographic information: gender, year of birth, ZIP code, and highest education level.

• Household information: free-text or voice description of household composition, living situation, and home ownership status.

• Employment information: free-text or voice description of job title, industry, company size, and daily responsibilities.

• Financial information: annual household income bracket (selected from predefined ranges).

• Vehicle information: vehicle ownership status (own, lease, or none), and free-text or voice description of vehicles owned or leased.

• Purchase behavior: categories of purchase decisions for their household (selected from a predefined list), free-text or voice description of major recent purchases, and free-text or voice description of planned future purchases.

• Technology and media: devices owned or used weekly (selected from a predefined list).

• Lifestyle information: free-text or voice description of hobbies and free-time activities.

• Voice recordings: several profiling questions offer voice mode as an alternative to typing. When a respondent uses voice mode, the audio recording is collected and processed. Respondents may always choose to type instead.

• Survey metadata: survey experience rating and the source through which the respondent accessed the survey.

• Behavioral and device data: during the profiling questionnaire, we collect behavioral signals related to how the questionnaire is completed (such as response patterns and interaction behavior) as well as device-level information through a third-party fraud detection provider (see Section 5). This data is used exclusively for quality assurance and fraud prevention.

What We Do Not Collect From Respondents

We do not collect respondent names, email addresses, phone numbers, or IP addresses. We do not knowingly collect information from individuals under the age of 18 — our profiling questionnaire includes an age verification step that rejects respondents under 18.

We do collect ZIP code, year of birth, and gender, which are quasi-identifiers. While none of these is a direct identifier on its own, we recognize that in combination they could in some cases allow re-identification. We apply technical and organizational safeguards to mitigate this risk (see Section 7).

3. How We Use Information

Client data is used to:

• Provide access to the platform and deliver our services

• Communicate about projects, deliverables, and account activity

• Improve our product and develop new features

• Ensure system security and prevent unauthorized access

• Comply with legal and contractual obligations

Respondent data is used to:

• Structure and analyze profiles: Open-ended text and voice responses are processed by artificial intelligence (see Section 4) to extract structured profiling attributes (e.g., job industry, household composition, vehicle type).

• Match respondents to studies: Structured profiles are compared against targeting requirements provided by research buyers. Only respondents with a strong match are invited to participate in a given study.

• Activate respondents: Matched respondents are invited to studies through permissioned supplier systems. We do not share the full respondent profile with buyers — buyers receive aggregate match data and activation outcomes.

• Improve matching quality: Activation outcomes (completion rates, disqualification rates, quality scores) are logged to improve future matching accuracy.

• Refresh stale profiles: Profiling data on technology, purchases, hobbies, and media use is flagged for refresh after 12 months. Demographic data (gender, education) is considered stable and is not subject to periodic refresh.

Respondent data is not used for advertising, marketing, or any purpose unrelated to research recruitment.

How Consent Is Obtained and Withdrawn

Clients consent to data collection through account creation and acceptance of our Terms of Service. You may withdraw consent by contacting privacy@enlightn.io or deleting your account, though withdrawal may affect our ability to provide services.

Respondents consent to data collection and use by accepting the terms and conditions checkbox presented at the start of the profiling questionnaire. By accepting, you consent to the following as a whole: the collection of profiling data described in Section 2B (including voice recordings if you choose voice mode, and behavioral and device data for fraud prevention), the processing of your responses by artificial intelligence for profile structuring (Section 4), the use of your structured profile for matching to market research studies, and the transfer of your data to service providers located in the United States (Section 6). Choosing voice mode is always optional — you may type your answers instead with no impact on your profile or matching eligibility. Respondents may withdraw consent at any time by contacting privacy@enlightn.io. Withdrawal will result in your profile being deactivated and excluded from future matching. Because respondent data does not contain direct identifiers, we may need context (approximate date of completion, source panel) to locate your record.

4. Artificial Intelligence and Automated Processing

We use artificial intelligence to process respondent data. This section explains what AI does in our system and how it may affect you.

How AI is used: Open-ended text responses and voice recordings from the profiling questionnaire are sent to an AI service provider (see Section 5) for structuring — converting free-text answers into standardized profile attributes. AI is also used to compare respondent profiles against study targeting requirements and assess match suitability.

How this affects respondents: AI-assisted matching influences which respondents receive study invitations. A respondent who is not matched to a given study will not be invited to that study. This means automated processing may affect access to paid survey opportunities.

Human oversight: Match recommendations are reviewed by a person before activation. The system is not fully autonomous.

Your rights regarding automated processing: Under Québec's Law 25, you have the right to be informed when a decision affecting you is made exclusively by automated processing. You also have the right to have such decisions reviewed by a person. If you believe an automated decision has affected you and you would like a human review, contact us at privacy@enlightn.io.

5. Sharing of Information

We share personal information only with the following categories of recipients, and only to the extent necessary to provide our services. We require all processors to commit to confidentiality, purpose limitation, breach notification, and data deletion obligations through data processing agreements.

Hosting provider — Amazon Web Services (AWS): Client and respondent data is stored on AWS infrastructure in the United States. AWS acts as a data processor under our instructions.

Data collection platform — Fillout: Respondent profiling questionnaire responses are collected through Fillout's platform. Fillout acts as a data processor.

AI provider — OpenAI: Open-ended text and voice responses are sent to OpenAI's API for structuring and analysis. OpenAI processes this data according to their API data usage policy, which states that API inputs and outputs are not used to train their models. OpenAI acts as a data processor.

Fraud detection provider — DeviceForensIQ: Device-level information (browser fingerprint, device metadata) is shared with DeviceForensIQ for quality assurance and fraud prevention during the profiling questionnaire. DeviceForensIQ does not receive profiling answers or respondent profile data. DeviceForensIQ acts as a data processor.

Research buyers (our clients): Buyers receive aggregate match data and activation outcomes for the studies they commission. They do not receive individual respondent profiles, names, or contact information. Buyers see that a respondent matched their criteria and whether the respondent completed the study — not the respondent's full profile.

Suppliers: When respondents are activated for a study, the activation is routed through the supplier (panel company) that originally hosts the respondent. The supplier already has a pre-existing relationship with the respondent. We do not share new personal information with suppliers beyond what is necessary to route the invitation.

We do not sell, rent, or trade personal information. We do not share data with advertising networks or data brokers.

6. Cross-Border Transfers

Enlightn is incorporated in Québec, Canada. However, personal information is transferred to and processed in the United States through our service providers (AWS, Fillout, OpenAI, DeviceForensIQ).

In accordance with Québec's Law 25, we have conducted a privacy impact assessment covering these cross-border transfers. The assessment evaluated the legal framework of the receiving jurisdiction, the sensitivity of the information transferred, the contractual safeguards in place with each provider, and the technical measures applied to protect the data during and after transfer.

The United States does not have a federal comprehensive privacy law equivalent to Law 25. To ensure an equivalent level of protection, we rely on a combination of contractual safeguards (data processing agreements with each provider specifying purpose limitation, confidentiality, breach notification, and data deletion obligations), technical measures (encryption in transit and at rest, API-based transfers with no persistent storage by AI providers), and organizational controls (access restrictions, respondent data stored without direct identifiers).

7. Data Security

We implement technical and organizational measures to protect personal information against unauthorized access, loss, alteration, or disclosure. These include:

• Encryption of data in transit (TLS) and at rest

• Access controls limiting who within the organization can access personal information, based on role and necessity

• Secure authentication for client accounts

• Regular review of access permissions

• Use of managed infrastructure (AWS) with built-in security controls

For respondent data specifically, we apply additional safeguards given the quasi-identifier risk (ZIP code + year of birth + gender):

• Respondent records are stored without names, email addresses, IP addresses, or other direct identifiers

• Access to respondent-level data is restricted to essential operations (profiling structuring, matching)

• Buyers do not receive respondent-level quasi-identifiers — they receive match outcomes, not raw profiles

No system is perfectly secure. If you believe your information has been compromised, contact us immediately at privacy@enlightn.io.

8. Data Retention

Client data: Retained for the duration of the client relationship and for 3 years following the last account activity, after which it is deleted unless retention is required by law.

Respondent profiling data: Retained as long as the profile remains active and useful for matching. Profiles are flagged as partially stale after 12 months for fields that change over time (technology, purchases, hobbies, media use). Stale profiles remain in the system and may be used for matching at reduced confidence until refreshed. Profiles that have not been refreshed or successfully matched within 24 months may be deleted. Because respondent data does not contain direct identifiers, we apply a principled retention approach rather than a fixed individual-level deletion schedule.

Voice recordings: Retained for as long as the associated profile is active. Voice recordings are used solely for AI-based structuring of responses (converting speech to structured text attributes) and are not played back or listened to by humans in the normal course of operations. Voice recordings are not used for speaker identification, voice authentication, or any biometric purpose.

Activation logs: Study-level activation data (match outcomes, completion rates, quality scores) is retained for 5 years for product improvement and client reporting purposes.

9. Your Rights

For Clients (applicable under PIPEDA and Law 25)

You have the right to:

• Access the personal information we hold about you

• Correct inaccurate or incomplete information

• Withdraw consent to certain uses of your data (though withdrawal may affect our ability to provide services)

• Request deletion of your account and associated data

• Receive your data in a structured, commonly used, machine-readable format (data portability)

• File a complaint if you believe your information is being handled improperly (see Section 12)

For Respondents

Because respondent data is collected without direct identifiers (no names, emails, or IP addresses), we may not be able to locate a specific individual's record in our system. If you completed a profiling questionnaire and wish to exercise your rights, contact us at privacy@enlightn.io with enough context (approximate date, source panel) for us to attempt to identify your record.

Where we can identify your record, you have the right to access your information (provided in JSON format within 30 days), correct inaccurate information, request deletion of your profile, or request that your profile be deactivated (excluded from future matching without deletion). You also have the right to data portability — receiving your data in a structured, machine-readable format.

For California Residents

Although Enlightn may not currently meet the revenue or volume thresholds that trigger full CCPA/CPRA obligations, we respect the privacy rights of California residents. If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used

• Delete personal information we hold about you (subject to the identification limitations described above for respondents)

• Opt out of the sale of personal information — we do not sell personal information

• Non-discrimination — we will not treat you differently for exercising your rights

We do not sell or share (as defined under the CCPA) personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes beyond what is necessary to provide our services.

To exercise any of these rights, contact us at privacy@enlightn.io.

10. Cookies and Analytics

We use limited analytics tools on our websites. We do not use advertising trackers, retargeting pixels, or third-party marketing cookies.

Framer Analytics (enlightn.io): Tracks page visits and basic interactions on our marketing website.

Microsoft Clarity (enlightn.io): Captures anonymized usage patterns such as click and scroll behavior. Clarity operates without setting tracking cookies. It does not collect personal identifiers.

Under Québec's Law 25, we provide a consent mechanism for analytics technologies on our websites. You may decline analytics tracking without affecting your ability to use our services.

11. Confidentiality Incidents

In the event of a confidentiality incident (unauthorized access, use, disclosure, or loss of personal information) that presents a risk of serious injury, we will:

• Take immediate steps to contain the incident and reduce harm

• Notify the Commission d'accès à l'information du Québec (CAI)

• Notify affected individuals without undue delay, describing the nature of the incident, the information concerned, and measures taken

• Maintain a register of all confidentiality incidents, whether or not they present a risk of serious injury

12. Complaints

If you believe your personal information is not being handled in accordance with applicable laws, you may:

1. Contact our person responsible for the protection of personal information at privacy@enlightn.io

2. If unsatisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca

3. For matters under federal jurisdiction (PIPEDA), you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date at the top of this page. For significant changes affecting how we process respondent data, we will take reasonable steps to provide notice.

14. Contact

For any question, access request, or privacy concern:

Adrien Vermeirsch Founder & CEO, Person responsible for the protection of personal information Email: privacy@enlightn.io