Privacy
How we handle personal and special-category data, who can access it, and how long we keep it.
What we do
OpenScouter handles special-category data including biometric indicators, health-adjacent information, and neurodivergent profiles. We process this data under explicit consent with strict purpose limitation: accessibility research only, nothing else.
Lawful basis and consent
- GDPR Article 9(2)(a) explicit consent — We process special-category data (biometric emotion scores, ND profiles) on the basis of explicit consent only. We do not rely on legitimate interests for the most sensitive data.
- Multi-layer consent — Testers see a summary layer in plain English, plus a detailed expandable layer that names each AI provider (Anthropic, OpenAI, Google) and discloses the legal basis. Consent version is stored with every consent record for audit. Current version: v1.1.
- Purpose limitation enforced — Data is used exclusively for accessibility research. Not used for marketing, profiling, credit scoring, insurance underwriting, employment decisions, or any non-accessibility purpose. This constraint is enforced in consent text, AI system prompts, and platform design.
What data we collect
Three data streams are collected during active test sessions only:
- Browser interaction events — Clicks, scrolls, navigation, and keyboard events. No form values or passwords are captured.
- Facial emotion scores — Not raw video. The DeepFace microservice processes frames locally and discards the video immediately. Only derived scores are transmitted and stored.
- Voice transcripts — Text only, not audio recordings. Transcription runs via the browser's Web Speech API; no audio is retained.
When no session is active, the OpenScouter extension is completely dormant and collects no data. Tester names, emails, and database IDs are never sent to AI providers.
Right to erasure
- Deletion cascade across 9 tables — Consent revocation triggers deletion of all related data across session_events, facial_snapshots, voice_segments, session_notes, session_tokens, report_insights, reports, payouts, and sessions, in foreign-key traversal order to avoid constraint failures.
- Post-deletion verification — A programmatic count query confirms no orphaned records remain after deletion. If any data persists, the system flags it for manual intervention. ND categories are cleared on consent revocation.
- Self-service erasure — Testers can revoke consent and request data deletion from their Settings page at any time, without penalty and without contacting support. See our data deletion page for details.
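The cascade-and-verify pattern described above, as an added example in Python with SQLite (not OpenScouter's code): the nine table names come from this page, while the schema, column names and a testers table holding ND categories are assumptions.

```python
import sqlite3

# Added example, not OpenScouter's code. The nine table names come from the page;
# the schema, column names and the testers table are assumptions for this example.
SESSION_CHILDREN = ["session_events", "facial_snapshots", "voice_segments",
                    "session_notes", "session_tokens", "payouts"]  # keyed by session_id
SCHEMA = (
    "CREATE TABLE testers(id INTEGER PRIMARY KEY, nd_categories TEXT);"
    "CREATE TABLE sessions(id INTEGER PRIMARY KEY, tester_id REFERENCES testers(id));"
    "CREATE TABLE reports(id INTEGER PRIMARY KEY, session_id REFERENCES sessions(id));"
    "CREATE TABLE report_insights(id INTEGER PRIMARY KEY, report_id REFERENCES reports(id));"
    + "".join(f"CREATE TABLE {t}(id INTEGER PRIMARY KEY, session_id REFERENCES sessions(id));"
              for t in SESSION_CHILDREN))
SAMPLE = (  # constructed data: tester 1 is erased, tester 2 must be left untouched
    "INSERT INTO testers VALUES (1,'adhd'),(2,NULL);"
    "INSERT INTO sessions VALUES (10,1),(11,1),(20,2);"
    "INSERT INTO session_events VALUES (1,10),(2,11),(3,20);"
    "INSERT INTO facial_snapshots VALUES (1,10); INSERT INTO voice_segments VALUES (1,11);"
    "INSERT INTO reports VALUES (100,10),(200,20); INSERT INTO payouts VALUES (1,10);"
    "INSERT INTO report_insights VALUES (1,100),(2,200);")

def _in(ids):
    # Placeholders for an IN clause; "IN (NULL)" matches nothing when ids is empty.
    return ",".join("?" * len(ids)) or "NULL"

def erase_tester(conn, tester_id):
    """Delete one tester's rows children-first, clear ND categories, verify nothing remains."""
    cur = conn.cursor()
    cur.execute("PRAGMA foreign_keys = ON")  # a wrong order now fails loudly instead of orphaning rows
    sessions = [r[0] for r in cur.execute("SELECT id FROM sessions WHERE tester_id=?", (tester_id,))]
    reports = [r[0] for r in cur.execute(
        f"SELECT id FROM reports WHERE session_id IN ({_in(sessions)})", sessions)]
    with conn:  # one transaction: the whole cascade commits, or none of it does
        for table in SESSION_CHILDREN:  # table names come from a constant, never from input
            cur.execute(f"DELETE FROM {table} WHERE session_id IN ({_in(sessions)})", sessions)
        cur.execute(f"DELETE FROM report_insights WHERE report_id IN ({_in(reports)})", reports)
        cur.execute(f"DELETE FROM reports WHERE id IN ({_in(reports)})", reports)
        cur.execute(f"DELETE FROM sessions WHERE id IN ({_in(sessions)})", sessions)
        cur.execute("UPDATE testers SET nd_categories=NULL WHERE id=?", (tester_id,))
    # Post-deletion verification against the ids captured before the cascade.
    checks = {t: ("session_id", sessions) for t in SESSION_CHILDREN}
    checks.update(report_insights=("report_id", reports), reports=("id", reports), sessions=("id", sessions))
    leftover = {table: cur.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} IN ({_in(ids)})", ids).fetchone()[0]
                for table, (col, ids) in checks.items()}
    return {table: n for table, n in leftover.items() if n}  # non-empty -> flag for manual intervention

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn, erase_tester(conn, 1)
```

A non-empty return value is the "flag for manual intervention" case; the caller should record it rather than report the erasure as complete.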
Data access controls
- ND profile silo with audit log — Neurodivergent category data is treated as health data under UK GDPR. Every access to ND profiles is logged to a dedicated audit table recording the system component, the session or study, the action taken, and the timestamp.
- Five tracked components — Analyst agent, report writer, synthesizer, scoring pipeline, and admin dashboard. All access is logged and auditable.
- No tester identity shared with clients — Study reports use aggregate findings and anonymous tester labels. No client receives individual tester names, emails, or ND profiles.
Data protection assessment
- DPIA completed — A Data Protection Impact Assessment has been completed following the ICO's recommended template, covering all processing activities: facial emotion analysis, voice transcription, ND profiling, and AI processing. It covers 5 risk categories, each with a residual risk assessment.
- International transfers via SCCs — Data transferred to Anthropic, OpenAI, and Google for AI processing uses Standard Contractual Clauses (SCCs) as the transfer mechanism. All three providers commit to not retaining customer data for model training under their API terms.
- Honest note on DPIA status — The DPIA is complete but pending formal DPO and data controller sign-off. A formal Data Processing Agreement review with the AI providers, specifically covering Article 9 data, is outstanding and is a priority before any enterprise pilot.
For the full privacy policy including data retention periods and your rights, see our Privacy Policy.
Talk to a privacy expert
If you are a DPO, legal counsel, or procurement lead who needs to review our privacy architecture before approving a pilot, we can provide documentation and answer questions directly.