Human8 Privacy Statement

Last update April 2025

Introduction and purpose of this Privacy Statement

You are reading this Privacy Statement to understand how Human8 Europe NV, with registered office at Evergemsesteenweg 195, 9032 Wondelgem with company number 0708.926.379, representing its affiliates and subsidiaries (hereinafter referred to as “Human8”, “Human8 Group”, “We” or “Us”) handles (processes) your personal data/personal identifiable information (hereinafter referred to as “Personal Data”, “Data” or “PII”).

Although this document focuses on the General Data Protection Regulation (GDPR) because our headquarters are in the European Union, we are committed to following all privacy regulations in regions where we conduct market research. This includes, but isn’t limited to, the United States, Asia-Pacific (APAC), and South Africa. Where local laws differ from the GDPR, we ensure compliance by, e.g., offering specific opt-in choices or using approved data transfer methods.

This Privacy Statement (“Statement”) explains how Human8 processes your Data according to data protection laws, especially the GDPR. It describes how we use this Data, our security measures, and your rights as a data subject (research participants, website users, clients, suppliers, and business contacts).

It applies to Personal Data collected through:  

  • Market Research Activities (MRA) (e.g., (online) surveys, communities, panels, interviews and focus groups) 
  • Business Activities/Operations (BA) (e.g., own marketing, website interactions, contractual relationships, job applications) 
  • Social media presences (on LinkedIn, Instagram, X, Xing) 

This Statement distinguishes between data processing for Market Research Activities (mainly for participants) and our Business Activities/Operations.

“Participant” means anyone involved (engaged or interested) in Market Research Activities (e.g., survey respondents, panel members, focus group participants).

Other terms in this statement align with the definitions in the General Data Protection Regulation (GDPR): 

  • ‘Process’ and/or ‘processing’ means any operation or set of operations performed on personal data/PII, such as collection, recording, storage, use, sharing, pseudonymization, anonymization, erasure, alteration, or destruction, as defined in Article 4(2) of the GDPR. 
  • ‘Personal Data/PII’ means any information that relates to you and could—directly or indirectly—identify you. This includes: 
      • Basic details (e.g., name, email, address, phone number);
      • Digital identifiers (e.g., IP address, cookies, device ID);
      • Sensitive data (e.g., health information, race, religious beliefs – where applicable);
      • Other details like your opinions, location data, or even work history if linked to you.

We do not consider truly anonymous data (where no one can trace it back to you) as personal data. 

Where to Find/Table of Contents

Introduction and purpose of this Privacy Statement

  1. Who we are
  2. Our “Role” (Position) under Data Protection Laws
    2.1 (For Participants:) Our Role(s) in Market Research Activities (MRA):
    2.2 For Client/Business partner/Applicants/others: Our Role in Business Activities/Operations
  3. Who to contact if you have privacy questions?
    3.1 For all privacy concerns:
    3.2 When we act as a Data Processor:
  4. Processing of your Personal Data
    Overall
    4.1 Market Research Activities (MRA) Data Processing: What Participants Need to Know
    4.2 Business Operations: Data Processing for Clients, Partners, and Applicants (Non-MRA)
  5. Use of Artificial Intelligence (AI)
  6. How We Keep Your Data Safe.
  7. Sharing and Transfers of Personal Data
    7.1. Who We Share Data With
    7.2 No Unauthorized Data Sharing
    7.3. Transfer of Data inside and outside the European Economic Area (EEA)
  8. Your Rights under Data Protection Law(s)
  9. Updates to this Statement
  10. Cookies on our Website
  11. How to contact us
    11.1 Human8 Data Protection Officer (DPO) and GDPR Representative
  12. Lead Supervisory Authority
  13. Translations of this Statement (alternative languages)

ANNEX A

1. Who we are

Human8 is a global market research group. We conduct consumer insights research for our clients. More details about our roles in data processing are below [cf. 2. Roles].

Human8 is committed to following all applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (Regulation 2016/679). All of our entities follow the stringent GDPR requirements and other applicable privacy regulations to protect your personal data.

As members of the European Society for Opinion and Marketing Research (ESOMAR), we follow its ethical research standards, ensuring high-quality and trustworthy market research.

For U.S. business partners, interested individuals, or participants, please also refer to our Region-Specific Privacy Notice with additional information: https://www.wearehuman8.com/content/uploads/2024/05/US-Entity-privacy-policy.pdf

For users who are Chinese citizens, please refer to: https://info.human8-square.io/privacy-policy/china-chinese/

If you need this Statement in another language or a translation, an overview of AI-based translations is available at the end of this document.

2. Our “Role” (Position) under Data Protection Laws

General:

Human8’s ‘Role’: Unless otherwise communicated, we may process your personal data as a data controller, data processor, or joint controller, depending on the specific circumstances.

  • Data Controller: We decide how and why (purpose and means) your personal data is processed. Equivalent terms include ‘controller’, ‘responsible party’, ‘controlling organization’, ‘business’ (CCPA/CPRA), and ‘business operator.’
  • Data Processor: We process personal data on behalf of a client, following their instructions. Equivalent terms in other privacy laws include ‘service provider’, ‘operator’ and ‘entrusted business operator.’
  • Joint Controller: We jointly decide how and why your personal data is processed with another party (e.g., our clients).

These distinctions define our responsibilities toward you and other parties involved, such as our clients. They also determine how this Privacy Statement applies to our processing activities, as explained below.

2.1 (For Participants:) Our Role(s) in Market Research Activities (MRA):

In general, we conduct market research for our clients or on behalf of our clients, and our role may vary. We often act as a Data Processor, while our client is the Data Controller. This is common when we get your personal data directly from the client.

However, in some cases, we may act as an independent data controller, depending on the nature of the study and our contractual agreements.

2.1.1 When we act as a Data Processor:

We process your Personal Data only according to our clients’ instructions. Our clients are the Data Controllers. We have a contract with our clients, including a Data Processing Agreement as required by law, like Article 28 GDPR.

Our market research projects are usually conducted on behalf of companies/our clients with a legitimate interest in the results. To avoid affecting the study’s objectivity, we may not reveal the client’s name before the study. Instead, we’ll tell you about the client’s industry. You can ask for the client’s name after the study, unless the client has a legitimate reason to keep it private (for example, to protect a new product launch).

Our clients are responsible for informing you how they will use your personal data. As a data processor, Human8 is not responsible if this information is incomplete. Our clients are solely responsible for explaining the processing and use of your personal data. If their activities go beyond the market research purposes in this Statement, they will provide more details separately.

2.1.2 When we act as a Joint Controller:

If we and our clients jointly determine the purpose and essential means of processing your personal data, we act as joint controllers under data protection laws.

In such cases, we and our clients enter into a Joint Controller Agreement (JCA) in accordance with Article 26 GDPR. This agreement clearly defines each party’s responsibilities for compliance with applicable privacy regulation, transparency (informing you of the necessary privacy information), and data protection.

Information about the processing of personal data, in accordance with applicable laws—particularly Articles 13 and 14 of the GDPR—is provided jointly by both controllers. This information is made available to data subjects through privacy policies published on their official websites and, specifically, in this Statement.

2.1.3 When we act as an (independent) Data Controller:

In certain cases, we act as an independent Data Controller when processing your personal data for Market Research Activities (MRAs). This applies, for example, when we approach, recruit, and invite you to participate in an MRA, such as using our own participant member databases, or through our own Market Research Community (e.g., “Collective,” formerly FutureTalker or Consumer Village) or other non-client databases. In these cases, we independently decide how and why your personal data is processed.

We also act as an independent Data Controller in managing and maintaining our own participant member database, which individuals can register for or to whom we may send invitations to participate in Market Research Activities.

Information about the processing of Personal Data, as required by law, especially Articles 13 and 14 GDPR, is provided in our privacy policy on our websites and in this Statement.

For more detailed information about how your personal data is handled in MRA, please refer to Section 4: Description of the Processing of Your Personal Data (Categories of Data, Purpose, General Legal Base, and Retention Period 4.1 and 4.2) of this privacy statement.

2.2 For Client/Business partner/Applicants/others: Our Role in Business Activities/Operations

(Information for visitors of our website, newsletter subscribers, clients, business contacts, suppliers, applicants and other individuals who contact us outside of MRA)

When we carry out our business activities/operations and collect your personal data—whether as a visitor to our websites, an applicant, a subscriber to our newsletter, a client, a supplier, a business contact, or any other individual who reaches out to us—we process your personal data on behalf of Human8. The entity within Human8 to whom you initially provide your personal data acts as the primary data controller.

Most of our administrative, technical, financial, commercial, and legal processing activities and services are centralized within our parent company, Human8 Europe NV (based in Belgium). In these cases, Human8 and its subsidiaries or affiliates may act as joint controllers and/or data processors in relation to your personal data. An Intra-Group Agreement is in place within the Human8 Group, which defines our roles and responsibilities and ensures necessary data protection arrangements.

Information about the processing of your personal data, in accordance with applicable laws—particularly Articles 13 and 14 of the GDPR—is provided both in this Statement and in our company’s Privacy Policy available on our website.

Additionally, it is possible for one entity of Human8 to receive services directly or indirectly from another entity within the group. For example, when a local entity conducts market research activities on behalf of a client and requires assistance from another entity within Human8, the assisting entity acts as a sub-processor for the personal data. In such cases, an Intra-Group Agreement is in place, including a Data Processing Agreement to ensure compliance with applicable laws, especially Article 28 of the GDPR.

For more detailed information about how your personal data is handled in our BA, please refer to Section 4: BA-Description of the Processing of Your Personal Data of this privacy statement.

3. Who to contact if you have privacy questions?

3.1 For all privacy concerns:

Please contact our Data Protection Officer (DPO):
Email: dpo@wearehuman8.com or use the contact details provided below. (cf Point 11 contact)

3.2 When we act as a Data Processor:

We will forward your request (e.g., access, deletion) to the relevant client (Data Controller) without undue delay. The Data Controller/client is legally obligated to respond to your request.

Please note: Client Identity in research:
You will usually receive the Data Controller’s contact details at the start of the research.
In rare cases (e.g., to preserve research integrity and prevent bias), we may disclose the client after the research concludes upon request.
If you withdraw consent post-disclosure, we will delete your Personal Data immediately.

Our commitment:

  • We aim to address all inquiries, regardless of our role (Controller/Processor), within 4 weeks.
  • Complaints will be escalated to the Controller and our DPO for resolution.
  • For unresolved issues, you may lodge a complaint with your local data protection authority (e.g., Belgian GBA for EU-based inquiries).

If you have any questions or concerns about this statement or the processing of your personal data, please contact the Human8 Data Protection Officer (DPO) using the contact information provided below under “11 Human8 DPO and Representative”.

4. Processing of your Personal Data

Overall

Data protection laws require us to have a valid reason (legal base) for using your personal data. Depending on where you are and what we’re doing with your data, these reasons may include:

  • Your Permission/explicit consent: You’ve given us clear permission to use your data for specific purposes. This is important under laws like GDPR in Europe, CCPA in the USA, and similar laws in South Africa, Brazil, India, Canada, Japan, and Australia.
  • To Fulfil a Contract (Contractual Necessity): We need your data to fulfil the obligations outlined in our contract with you, which includes the Terms and Conditions you agree to when you participate. For example, if you’re a panel member, we need your contact details to send you surveys or research requests as part of the agreement defined in the Terms and Conditions.
  • It’s Required by Law (Legal Obligations): We might be required to use your data to follow legal obligations, like tax reporting or compliance with other local laws (e.g., GDPR, CCPA, POPIA, PIPEDA, and others).
  • We Have a Legitimate Reason (Legitimate Interests): We can use your data if we have a genuine and fair reason, as long as it doesn’t interfere too much with your privacy. For example, we believe market research is a legitimate interest. We carefully balance our needs with your privacy rights and only use your data in fair and reasonable ways. Examples of Legitimate Interests: Improving our services, understanding customer trends, and developing new products to better meet your needs.

4.1 Market Research Activities (MRA) Data Processing: What Participants Need to Know

4.1.0 What We Use Your Data For (Purpose) in General

We use and process your personal data for market research purposes, which includes all research-related steps:

  1. Sending you invitations, organizing and conducting research activities, and communicating with you about research opportunities. This may involve selecting participants based on criteria such as age, location, or interests.
  2. Providing and maintaining the online research platform.
  3. Hosting the data; storing the research data securely.
  4. Handling data, such as transcribing interviews, summarizing responses, or translating answers.
  5. Analyzing data and creating research reports for our clients.
  6. Profiling may be used to group participants for research purposes, but this will not have any legal or significant effects on you (it is only for research quality and targeting, never for automated decision-making that affects your rights.)
  7. Use of anonymized research results: We always share research results with the client who commissioned the study. These results may include pseudonymized and/or anonymized quotes or participant responses, but never any personal data that could directly identify you.

In some cases, anonymized research findings may also be used in marketing materials, trade publications, conferences, or other public communications. Any information used in this way is fully anonymized and carefully reviewed to ensure it cannot be linked back to any individual. For example, quotes will never include your name or any other identifying details without your explicit consent. A typical quote might appear as follows:

“I like this product because it’s easy to use.” (quote: woman, user, age 20–29)

4.1.1 Data Sources & The Types of Personal Data We Use:

Sources: We may collect your personal data from these sources:

  • Directly from you: e.g., when you become a member of our panel and directly enter your information; answer surveys, whether for recruitment or during a research project; participate in interviews or focus groups; use our research platforms or communities (e.g., “Collective”); or contact us with inquiries or requests related to our research activities.
  • From our clients: If our client provides us with your information for research purposes.
  • Public sources: Such as public social media profiles or public directories.
  • Third parties: Like panel partners or list providers, but only when this is allowed by law.

If your data is collected from non-direct sources, we will inform you at the time of first contact and disclose the source. Specifically, we will:

  • Notify you during the initial contact (e.g., when inviting you to participate)
  • Inform you about the source of your data and the specific purposes for processing
  • Make it clear if your data came from a public source.
  • Use your data solely for the purposes described

If you ask us to remove your personal data from our records, we will do so as soon as possible. If we have shared your personal data with others, we will also tell them to delete it.

Types of Personal Data We Collect in General

The types of personal data we collect depend on the research project. This may include:

  • Contact Information: Your name, address, email, and phone number.
  • Demographic Information: e.g., your age, gender, location, education, income, and employment details.
  • Behavioral Data: e.g., your opinions, preferences, product usage, and purchasing behavior.
  • Technical Data: e.g., your device’s IP address, browser type, and cookies.
  • Sensitive Data: Sometimes, we may ask about things like your health or political views. We will only collect this kind of information if you give us clear permission (explicit consent) and if the law allows it.

We take extra precautions to protect sensitive data, including encrypting it and restricting access to only those who need it.

4.1.2 Our legal basis for using your Data in General

Unless otherwise stated and supported by a valid legal basis, Human8 will only use your personal data for conducting market research. We only process your personal data when we have a valid legal reason to do so. We will never use your data for advertising or any other purposes unless you have given clear consent. If we ever plan to use your data in a new way, we’ll inform you in advance.

These legal bases may include:

| Legal Basis (MRA) | Description |
| --- | --- |
| Consent (and additional, explicit consent where required by law) | We ensure that when we rely on your consent for processing of your data, we or our clients have obtained your informed, explicit, and unambiguous consent. Explicit consent is required for collecting sensitive data, using images where you are identifiable, or for cross-border transfers. You can withdraw your consent anytime with effect for the future – see the “Your Rights” section for details. |
| Contractual Necessity (by accepting the Terms and Conditions provided before participating) | To participate in our research activities, we need to collect and use certain personal data — such as your contact details (e.g., name, email) and some basic demographic information (e.g., age, gender, location, or target group). This helps us manage your participation, ensure the quality and fairness of the research, and provide any incentives we’ve promised (such as prize draws or vouchers). By accepting the Terms and Conditions and joining our research, you agree to the processing of only the data that is strictly necessary for these specific purposes. |
| Legitimate Interest (only where permitted by local legislation) | We may process your personal data when we have a legitimate interest to do so — but only if that interest is not overridden by your rights and freedoms. These interests may include: improving our services and research methodologies; keeping our systems secure and preventing fraud; anonymizing or pseudonymizing your data, performing data analytics and generating insights; providing customer support or responding to your inquiries; conducting limited direct marketing (only where legally permitted and with opt-out options). Before relying on this legal basis, we carefully assess the potential impact on your privacy. Where needed, we apply safeguards — like data minimization, access controls, and pseudonymisation — to protect your personal data. You always have the right to object to this type of processing. See the “Your Rights” section for details. |
| Legal obligations | We may use your data if it’s required by law, for example to comply with reporting requirements or respond to official requests from authorities. |

4.1.3 Data Protection Measures:

We use the following measures to protect your personal data:

  • Pseudonymization: We minimize the use of directly identifiable information wherever possible.
  • Data Minimization: We only collect the personal data that we need for research.
  • Secure Deletion/Anonymization: We make sure your data is securely deleted or anonymized when we no longer need it.

For more information on how we protect your data, please see section “6 How We Keep Your Data Safe.”

4.1.4 How Long We Keep Your Data / Retention Periods in General

We keep your personal data only as long as necessary for the purposes for which it was collected, or until you ask us to delete it. This also depends on whether you withdraw your consent or object to us processing your data.

  • Panel Data: If you are a panel member, we keep your data as long as you are a member. When you leave the panel, we will delete your data.
  • General Retention: We will keep your personal data for no more than 2 years after the research project ends, or for the period required by law (for example, 8 years for financial data). We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes.
  • Data Processed for Clients: If we are processing your data for a client, they determine how long we keep the data. We can only keep the data as long as our agreement with the client lasts. After that, we must return or delete the data, according to the client’s instructions.

After the retention period ends, we will securely delete or anonymize your data.

4.1.5 Overview: What data we collect and why for MRA

This table outlines the types of personal data we may process, why we do so, the legal basis that allows it, and how long we keep your data. We always process your data responsibly and in compliance with applicable data protection laws, including those that apply to children’s data.

| Categories of Personal Data (MRA) | Purpose (MRA) (see Section 4.1.0 for details) | Possible Legal Basis (MRA) | Retention Period (MRA) (as outlined in Section 4.1.5) |
| --- | --- | --- | --- |
| Electronic Identification/Metadata (e.g., IP address, user ID, device identifiers, browser details, geolocation, cookies) | Includes: a) Managing research; b) Providing and maintaining the research platform; c) Hosting data; d) Data handling; e) Analysis and creation of research reports. This data helps recognize and authenticate users in digital environments, and provides context about other data without containing the content itself. | Legitimate Interest (security, fraud prevention, system admin); Consent (non-essential cookies, tracking) | As outlined in Section 4.1.5 — generally not longer than 2 years after the research ends |
| Contact Information (e.g., name, email address, phone number) | Manage your participation; communicate with you and provide support; deliver rewards or incentives | Contractual Necessity; Consent; Legitimate Interest (customer support, communication) | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| Demographic Data (e.g., age, date of birth, gender, nationality) | Organize and analyse research; create research reports; segment target audiences | Contractual Necessity; Consent | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| Educational Qualifications (e.g., degree, educational institution, professional skills) | Research segmentation; analytical profiling; audience targeting | Contractual Necessity; Consent | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| Personal Interests & Lifestyle (e.g., lifestyle and preferences, hobbies and personal interests, interests and activities, community involvement) | Understand behavioral patterns; build research profiles; create aggregate insights | Contractual Necessity; Consent | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| Financial Details (e.g., bank account number, IBAN, payment details) | Process incentive payments or prize rewards | Contractual Necessity; Consent; Legal Obligation (where applicable) | Up to 7 years where legally required, otherwise based on agreement |
| Contact History (e.g., support requests, participation records) | Customer service; operational management; resolve disputes or inquiries | Legitimate Interest (customer service, operational purposes); Consent (marketing-related communications) | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| Unique IDs (e.g., survey identifiers, panel participant IDs) | Security measures: anonymizing or pseudonymizing data for research; ensure data quality; maintain platform functionality | Contractual Necessity; Consent; Legitimate Interest | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| In some circumstances: Public Information (e.g., publicly available social media data or records) | For research and statistical goals (desk research, social media analysis), draw up collective profiles, profiling, processing your answers to surveys and provide results to the client. | Legitimate Interest (research and analysis) | Max. 18 months, or earlier if an objection is submitted. |
| Photos, Images, or Sound Recordings (Audiovisuals) (e.g., audio-visual content that is either created during research activities or uploaded/posted by the participant) | See Section 4.1.0 for details. Used during specific research activities or uploaded by you; may be part of interviews or diary studies | Contractual Necessity (if stated as essential part of the research); Explicit Consent (all identifiable recordings) | Generally not longer than 2 years after the research ends. We may keep it longer if needed for analysis, legal reasons, or other legitimate purposes. |
| In special cases, we comply with applicable local laws regarding children’s personal data. Children’s Personal Data: We allow children under the age of 16 to participate and process personal data in accordance with applicable local laws. We collect personal data from users under the age of 16 or the lower age limit only to the extent permitted and in compliance with legal requirements. | See Section 4.1.0 for details. Manage participation of minors where permitted; ensure compliance with legal obligations | Explicit consent from both the child (if applicable) and their legal guardian | Same retention rules apply: not longer than 2 years after research ends |

Additional Notes

  • Unless we inform you otherwise and have a valid legal basis, Human8 only uses your data for the purposes described above.
  • If we plan to use your personal data for new or additional purposes, we will notify you in advance and seek your explicit consent if required. For example: we will not use Your Personal Data for advertising purposes unless You have freely given Your explicit and prior consent.

4.2 Business Operations: Data Processing for Clients, Partners, and Applicants (Non-MRA)

This section explains how we handle your Personal Data for general business purposes, outside of specific market research activities (MRA).

4.2.0 What We Use Your Data For (Purpose) in General

These purposes include

  • Communicating with clients and suppliers.
  • Managing our contractual relationships.
  • Marketing our services (where permitted by law).
  • Running our internal operations efficiently.
  • Managing applications (e.g., job applications).
  • Ensuring security and preventing fraud.

If we intend to use your Personal Data for purposes not originally communicated, we will inform you in advance.
For example, we may use your data for direct marketing where permitted by law and based on our legitimate interest, but you will always have the right to opt out at any time.
Where required, we will ask for your explicit consent before sending marketing communications.

4.2.1 Data Sources

We collect personal data from a few different places:

  • Directly from you: When you contact us, fill out forms, or otherwise provide us with your information.
  • Publicly available sources: We may use sources like LinkedIn, Xing, or Indeed to find information relevant to our business activities/operations.
  • Third parties: We may receive your data from other companies or organizations, but only when legally permitted.

Important: If we get your data from a source other than directly from you, we will let you know where we got it when we first contact you. If you want us to remove your data from our systems, we will do so promptly.

4.2.2 Our legal basis for using your Data

Data protection laws require us to have a valid legal reason for processing your personal data.

Here’s what we rely on:

| Legal Basis | Description |
| --- | --- |
| Consent (where required by law) | If we rely on your consent to process your data (e.g., for sending you newsletters), we will always ask for your explicit and informed consent. You can withdraw your consent at any time. See the “Your Rights” section below for details on how to do this. We will only use your data if you have given us clear consent to do so for a specific purpose (e.g., newsletter subscriptions: you must opt in and can unsubscribe easily). |
| Contractual Necessity | We need to process your data to fulfill our obligations under a contract we have with you (e.g., managing our business relationship with you). |
| Legitimate Interest | We may process your data based on our legitimate business interests, as long as those interests don’t override your rights and freedoms. We always consider the impact on your privacy (e.g., improving our services, enhancing security, and some direct marketing). We believe we have legitimate interests in: improving our services; making our systems more secure and preventing fraud; conducting direct marketing (where legally allowed and with opt-out options); providing excellent customer service and responding to your inquiries. Your Right to Object: You have the right to object to our processing of your data based on legitimate interests. Please contact us to exercise this right. |
| Legal obligations | If the processing is necessary to fulfill legal obligations. |

4.2.3 Data Protection Measures:

We implement various safeguards to protect your data:

  • Pseudonymization: Minimizing the use of identifiable data.
  • Data Minimization: Collecting only essential data for research purposes.
  • Secure Deletion/Anonymization: Securely deleting or anonymizing data once it is no longer needed.

(Refer to “6. How We Keep Your Data Safe” for further details)

4.2.4 Retention Periods:

Personal data is retained according to legal standards and business needs, with secure deletion or anonymization after the retention period.

If necessary, data may be retained for up to three additional years, in compliance with legal warranty obligations.

Please note: Applicant data will be deleted after the completion of the recruitment process in accordance with legal requirements.

4.2.5 Overview: What data we collect and why

Below is an overview of the categories of data we may process, their purposes, legal grounds, and retention periods.
In special cases, we comply with applicable local laws.

| Categories of Personal Data | Purpose (Cf. 4.2.2. Purpose) | Legal bases | Retention Period BA (Cf. 4.2.5 Retention Periods) |
| --- | --- | --- | --- |
| Contact information (e.g., name, e-mail address, phone number or any other relevant contact details) | To contact you, provide information, direct marketing, advertising, CRM, website logins. | Contract, Consent, Legitimate Interest | Data is kept while our agreement is active, or until you withdraw consent/object, plus up to three years where legally required |
| Demographic data or basic personal information (e.g., age, date of birth, place of birth, gender, civil status, nationality) | Job applications, statistics, CRM | Contract, Legitimate Interest (Customer relationship) | Data is kept while our agreement is active, or until you withdraw consent/object, plus up to three years where legally required |
| Contact history (e.g., mails, phone call logs, purchase history) | To manage business, client, and supplier relationships, and to support marketing efforts. | Contract, Consent, Legitimate Interest | Data is kept while our agreement is active, or until you withdraw consent/object, plus up to three years where legally required |
| Educational and professional background information (e.g., CV, education, degree, certificates, professional skills and activities) | For job applications, research, and statistical goals. | Contract, Consent, Legitimate Interest | Data is kept while our agreement is active, or until you withdraw consent/object, plus up to three years where legally required |
| Public information (e.g., publicly available information, information on social networks) | Assessing qualifications for recruitment, verifying professional information. | Legitimate Interest | 18 months as of any objection has been filled. |
| Financial details (e.g., bank details (branch identifiers, sort code, IBAN, BIC, account number)) | Accounting, invoicing, CRM. | Contract | In accordance with legal retention periods by national law (up to 10 years). |
| Special categories of Personal Data (e.g., information on race and origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sexual life or sexual orientation) | Complying with legal requirements, managing relationships, providing services. We minimize processing this type of data. | Explicit Consent, Data made public by yourself. | Data is kept while our agreement is active, or until you withdraw consent/object, plus up to three years where legally required |
| Unique IDs (e.g., information that we collect in questionnaires or panels, participant’s unique identification number) | Statistical purposes, for anonymizing or pseudonymizing data. | Contract, Consent, Legitimate Interest | We keep your data until our agreement ends, you withdraw consent, or object. After that, we delete or anonymize it, unless the law requires us to keep it longer (up to three years). |
| Electronic (online) identification & Meta data | Verifying user identity, managing systems, ensuring security, operational efficiency. | Contract, Consent, Legitimate Interest | We keep your data until our agreement ends, you withdraw consent, or object. After that, we delete or anonymize it, unless the law requires us to keep it longer (up to three years). |

Important note: In specific cases, we adhere to applicable local laws, which may require different handling of your data.

5. Use of Artificial Intelligence (AI)

We use AI technologies to improve our research quality, efficiency, and accuracy, while strictly protecting your data.

What We Mean by AI

  • AI Tools: Technologies that assist with research tasks (e.g., summarizing, translation).
  • AI Solutions: Hosted platforms or integrated systems using AI.

How We Use AI

AI is used for:

  • Summarizing documents, transcribing audio, and translating languages
  • Creating fictional personas or research images
  • Anonymizing data to protect identities
  • Searching databases and optimizing workflows
  • AI-Conducted Interviews: If we use AI (such as AI-Moderators/chatbots) to conduct interviews, you will be clearly informed and your explicit consent will be required. Human oversight is always provided.

Consent and Data Handling

By participating in our market research activities (MRA), you are asked to agree to our Terms and Conditions for Participants.

As outlined in those terms, by taking part in any research provided, organized, or conducted by us, you acknowledge and consent to the use of AI tools for processing your input and responses — including any personal data — strictly for research purposes.

Data Sharing and Security

  • Internal AI: We use Microsoft Azure OpenAI, processing data in regional data centers to comply with local laws.
  • External AI: Some tasks may use external AI (e.g., transcription, translation). These providers are contractually required to:
    • Follow privacy laws
    • Keep your data confidential and secure
    • Delete your data after processing
    • Never use your data for their own purposes

For more information, see our Link: Sub-processors for research and consultancy activities – Human8

Compliance and Data deletion

  • All AI partners meet strict security and privacy standards.
  • We do not use your personal data to train AI models without your explicit consent.
  • All data processed by AI tools can be fully deleted after use.
  • We comply with GDPR and all relevant privacy laws and follow ethical AI principles.

6. How We Keep Your Data Safe

How we protect your Personal Data

At Human8, we take the security of your Personal Data seriously. We have implemented appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse. These safeguards are designed based on the sensitivity, format, location, and storage of the data and include:

  • Encryption and Data Masking: We protect your data when it is sent over the internet (for example, with SSL encryption) and when it is stored.
  • Access Controls: Only authorized staff and trusted third parties who need your data for their work can access it.
  • Firewalls & Security Protocols – Using industry-standard security measures to prevent unauthorized access.
  • Data Loss Prevention (DLP) – We use AI-assisted tools to detect and prevent data leaks, such as scanning emails and attachments for sensitive information. Any suspicious activity is checked by our team.
  • ISO 27001 Certification: Human8 Europe (Belgium, UK, Romania, US entity) is certified under ISO 27001 for information security management and follows its strict standards. Based on this, every Human8 entity is required to adhere to these data security measures.

Any processing of Personal Data in relation to security measures is carried out under the following legal bases:

  • Legitimate interest (Art. 6(1)(f) GDPR) – Ensuring data security.
  • Legal obligations – Compliance with applicable data protection laws and/or cybersecurity laws.
  • Contractual obligations – Implementing security measures where required to protect confidential data.

All Human8 employees, contractors, and third parties handling your Personal Data are bound by strict confidentiality agreements and must follow our security policies. Access to data is limited to those who require it for legitimate business purposes.

7. Sharing and Transfers of Personal Data

We only share your Personal Data when necessary and legally permitted to fulfil the purposes outlined in this Statement.

When we share your data, we implement contractual safeguards and security measures to ensure compliance with data protection, confidentiality, and security standards. All third parties must meet our strict confidentiality and security requirements.

7.1. Who We Share Data With

  • Within the Human8 Group: To enable efficient internal operations and business continuity. All entities adhere to the same high standards of data protection and confidentiality.
  • Our Clients (as Data Controller and Sponsor of the MRA): We conduct Market Research Activities on behalf of clients, who are considered the “Data Owners.” Sharing your data with them is necessary to deliver our services. If you participate in a survey, poll, or community discussion, your screen name and posts may be visible to us, other participants, and the client. Any posts you make to a survey, poll or discussion in the community will in principle only be associated with your screen name. If you post any personally identifiable information yourself, we may at our discretion remove this for your own security. We recommend that you choose a screen name which does not resemble your real name. Also in this context it is possible that we share photos, image recordings, sound recordings or full datasets (e.g. answers to survey questions to help inform them about specific elements of their offer) we hold of you.  Your contributions (e.g. survey responses, photos, recordings) may be shared as pseudonymized or anonymized data, and sometimes in full form if required by the research.

Important: Our Client may combine data collected from the Market Research Activity carried out by Us on behalf of our clients with other data that they may hold about you. This Statement does not describe our client’s specific uses of your personal data; that information will be provided to you separately if it deviates from the Market Research Purposes set out above. If you are not happy with your responses being used in this way, you should notify us before agreeing to participate in a Market Research Activity for which you are invited and for which you need to accept this Statement and any relevant terms and conditions of use. We can then determine with the client whether the use of your data can be limited and, in that case, whether it is possible to take part in the specific Market Research Activity.

  • Research Partners/Service Providers (Supplier/Sub-Processor): We work with trusted external partners (e.g., moderators, interpreters, data processors) who help us run and support research. All partners are contractually bound to confidentiality, follow our strict data security requirements, and act only on our instructions.
  • Law Enforcement or Regulatory Authorities: We may disclose Personal Data when required to comply with legal obligations or protect our legal rights.

7.1.1 Overview of Sharing Scenarios, Legal Bases, and Safeguards

| Scenario | Purpose | Legal Basis | Safeguards |
| --- | --- | --- | --- |
| 1. Internal – within Human8 (Corporate Group) (See the Annex A for our subsidiaries and affiliates) | To enable efficient business operations and support Market Research and Business Activities/Operations. | Legitimate interest in efficient business operations. | Intra-Company Agreement ensuring compliance with data protection standards. All entities adhere to the same data protection and security requirements. |
| 2. With Our Clients (as Data Controllers and Sponsors of the MRA) | To conduct Market Research Activities (MRA) on their behalf. Clients receive insights based on research findings, including pseudonymized and/or anonymized data. May include voluntary contributions (e.g., photos, recordings, survey responses). | – Necessary for contract performance. – Legitimate interest in delivering services. – Explicit consent when required. | Data Processing Agreement (DPA) or Joint Controller Agreement (JCA). EU Standard Contractual Clauses (SCC) for international transfers. |
| 3. With Our Service Providers (Please find a list of our standard sub-processors via this link: Sub-processors for research and consultancy activities – Human8) | To facilitate essential services including IT, hosting, cloud storage, data analysis, moderation, translation, and technical support. | Necessary for service provision. – Service providers act as data processors under our instructions. | Data Protection or Data Processing Agreements (DPA). EU SCCs for cross-border transfers. Onboarding process and supplier risk assessment in place. |
| 4. With Law Enforcement or Regulatory Authorities | To comply with legal obligations, respond to lawful requests, or protect legal rights | – Legal obligation. – Legitimate interest in legal defence. | Disclosure limited to what is legally required. Confidentiality safeguards where applicable. |

7.2 No Unauthorized Data Sharing

  • We do not sell, rent, or lease your data to third parties as defined under the California Consumer Privacy Act (CCPA).
  • We do not share Personal Data collected for one client with another. We maintain clear boundaries between client engagements to avoid cross-contamination of data.

7.3 Transfer of Data inside and outside the European Economic Area (EEA)

Cross-border Data transfer:

As a global network, your Personal Data may be transferred outside the country where it was originally collected.

We may transfer Personal Data to clients or third-party service providers located outside your country to facilitate Market Research and Business Activities/Operations.

Your Personal Data may be processed in jurisdictions with different data protection standards.
However, we comply with the high standards of the GDPR and other applicable privacy regulations and implement appropriate safeguards to protect your data, regardless of location.

  • When transferring data outside the EEA, we ensure that Personal Data is handled securely and lawfully.
  • Where required, we rely on legal safeguards, such as:
    • Standard Contractual Clauses (SCCs) approved by the European Commission (cf. https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en)
    • Adequacy decisions where the European Commission (or other countries) has determined a country provides an adequate level of data protection.
    • Explicit consent, when legally required.

We carefully assess each transfer on a case-by-case basis and ensure that all necessary agreements and security measures are in place so that your data remains protected. Additionally, we maintain internal data protection agreements across our organization to uphold GDPR compliance and security standards.

Where required by applicable privacy laws (e.g., GDPR Article 49, POPIA Chapter 9, or China’s PIPL), we will obtain your explicit consent before transferring your data outside the jurisdiction where it was collected. This applies to transfers for Market Research Activities (MRA) or to utilize our regional IT infrastructure (storage locations: EU, Australia, US, China).

8. Your Rights under Data Protection Law(s)

Under various data protection laws, including but not limited to the GDPR, you have certain rights regarding your Personal Data. Some of these rights may be limited or subject to exceptions, depending on local laws.

Right: Description and possible limitations/exceptions
Right to Access: You can ask us what personal data we have about you and get a copy of it. We may deny access if it affects the rights and freedoms of others or if the request is clearly unreasonable.
Right to Rectification: You can ask us to correct any information about you that is wrong or incomplete. None
Right to Erasure (‘Right to be Forgotten’): You can ask us to delete your personal data in certain situations. We do not have to delete your data if we need it to comply with a legal obligation, for public interest reasons, or for legal claims. If we delete your data, we will inform third parties processing your data about the request.
Right to Restrict Processing: You can ask us to limit how we use your personal data in specific situations. We can continue processing your data if it is needed for legal claims or to protect the rights of others.
Right to Data Portability: You can ask for your data in a format that you can easily use and transfer to another organization, where technically feasible. This only applies to data you gave us and that we process based on your consent or a contract.
Right to Object: You can object to us using your data for legitimate interests, including direct marketing. If you object to direct marketing, we will stop. We can continue processing if we have compelling legitimate grounds that override your interests.
Right to Withdraw Consent: If we use your data based on your consent, you can withdraw it at any time. Withdrawing your consent doesn’t affect what we did with your data before you withdrew it. Withdrawal does not apply where processing is required by law.
Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affects you, unless the processing is necessary for a contract, authorized by law, or based on explicit consent. Does not apply if processing is necessary for a contract, authorized by law, or based on explicit consent.

 

Important notes:

  • No “Automated Decision-Making”: We do not use automated decision-making or profiling (as defined by data protection laws) when processing your Personal Data for market research activities. All processing involves human oversight.
  • Exercising Your Rights: It is generally free to exercise your rights. However, if a request is clearly unfounded or excessive, we may charge a reasonable fee or decline the request.
  • Response Time: We will respond to your request within 4 weeks/one month (for simple requests) or three months (for complex or multiple requests).
  • Exceptions: Certain exceptions may apply when exercising these rights, meaning you may not be able to fully exercise them in all situations, and this may be further limited by national/local laws.
  • Right to lodge a complaint: If you are unsatisfied with how we process your data, you have the right to file a complaint with the relevant data protection authority (Contact information see section 11).
    However, we encourage you to contact us first, so we can address your concerns directly.

9. Updates to this Statement

Human8 may modify and update this Statement at any time. The latest update date is displayed at the top of this Statement, and the most recent version will always be accessible on our websites. We encourage you to check our websites regularly to stay informed about our latest Statement and practices.

10. Cookies on our Website

We use cookies and other online identification technologies, such as web beacons or pixels, to provide users with an improved user experience. See: https://www.wearehuman8.com/cookiepolicy/

11. How to contact us

To exercise your rights or for more information, please contact us using the provided contact details. We will review your request and respond in accordance with applicable laws.

11.1 Human8 Data Protection Officer (DPO) and GDPR Representative

11.1.1 Human8 Data Protection Officer (DPO) and “Representative”:

We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws, including the GDPR. The DPO is supported by a data protection team responsible for implementing data protection measures across the organization. We also engage external legal advisors for additional support.

For privacy-related questions, data subject requests, or complaints, please contact the Human8 DPO via:

  • Email: dpo@wearehuman8.com
  • Phone: +32 (0)9 269 1500
  • Postal Mail: Attn. Human8 DPO, Evergemsesteenweg 195, 9032 Wondelgem, Belgium

11.1.2 Roles and Responsibilities

  • Processor/Joint Controller Scenarios: The DPO acts on behalf of Human8. When Human8 processes data for clients (e.g., Market Research Activities), the DPO serves as a primary contact but may redirect specific data subject requests to the client (controller) as needed. The DPO ensures requests are addressed within GDPR timeframes.
  • Non-EEA Entities: Human8 Europe (Belgium address above) is the designated GDPR representative under Article 27 for all non-EEA entities, acting as the liaison for data subjects and supervisory authorities.

11.1.3 Subsidiary Contacts for localized inquiries

The DPO/data protection team remains the main contact but can facilitate communication with regional entities.

The four main regional hubs/entities are as follows:

  • EMEA: Belgium (headquarters) – Human8 Europe, Evergemsesteenweg 195 – 9032 Wondelgem; Belgium
  • APAC: Hong Kong – Human8 APAC, 31-32/F, Hysan Place, 500 Hennessy Road, Causeway Bay, Hong Kong
  • Americas: Michigan, USA – Gongos LLC, 150 W. 2nd Street, Suite 300 Royal Oak, Michigan 48067 USA
  • Africa: Johannesburg, South Africa – Columinate Pty Ltd, Glasgow House, Building G – 54 Peter Place, Office Park, Sandton 2060
  • China/Shanghai – 亚碧恩商务 咨询(上海)有限公司, Shanghai, 200041, People’s Republic of China

Please refer to our China privacy policy available here

Subsidiary contact details are available in [Annex A].

12. Lead Supervisory Authority

In accordance with Article 56 of the GDPR, we have designated the Belgian Data Protection Authority as our Lead Supervisory Authority, as Human8’s main establishment is located in Belgium. The Lead Supervisory Authority is primarily responsible for overseeing our cross-border data processing activities. We encourage you to direct any complaints regarding Human8’s processing of your Personal Data to this authority.

Contact Details for the Belgian Data Protection Authority:

You also have the right to lodge a complaint with your local data protection authority.

For contact details of other local data protection authorities, please refer to the following link: EDPB Members

Other Non-EU Authorities

United Kingdom

Information Commissioner’s Office

 

  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: +0303 123 1113 (or +44 1625 545745 if calling from overseas)
  • Fax: 01625 524510
  • Email: [Not provided]
  • Website: www.ico.org.uk

(You can find further details on non-EU data protection authorities here: https://iapp.org/resources/global-privacy-directory/)

13. Translations of this Statement (alternative languages)

The primary language of this Privacy Statement is English.

For your convenience, AI-generated translations into other languages are available below. Please note that these translations are provided as a courtesy and may not fully capture the nuances of the original text. In the event of any discrepancies between the translations and the English version, the English version shall prevail. We strive to ensure the accuracy of these translations, but we recommend consulting the English version for legal purposes.

Privacy Policy – Human8

ANNEX A

| Contact to local entities | Operation address | Country |
| --- | --- | --- |
| EEA | | |
| Eyeka SA | 79 Rue la Boetie Paris, 75008 France | France |
| Happy Thinking People France SAS | 20 Rue Des Capucines, 75002 Paris | France |
| InSites DE GmbH | Factory Campus, Erkrather Strasse 401, 40231 Düsseldorf | Germany |
| Happy Thinking People GmbH | Blumenstraße 28, 80331 München | Germany |
| InSites Consulting BV | Watermanweg 30-42; 3067 GG Rotterdam | The Netherlands |
| ISC Research SRL | Strada Dr. Liviu Gabor, 2 Timisoara, Timis, 300004 Romania | Romania |
| Non EEA – (EMEA) | | |
| InSites Consultants Limited | The Ministry; 79-81 Borough Rd, London, SE1 1DN | United Kingdom |
| Join the Dots Holdings Limited | Sevendale House; 7 Dale Street, Manchester; M1 1JA | United Kingdom |
| Space Doctors Limited | 16 Wilbury Grove, Hove, East Sussex, BN3 3JQ | United Kingdom |
| Columinate Pty Limited | Glasgow House, Building G – 54 Peter Place, Office Park, Sandton 2060 | South Africa |
| Non EEA – APAC | | |
| Direction First Pty. Ltd. | Level 9, 227 Elizabeth Street, Sydney 2000 – Australia | Australia |
| Human8 APAC Limited Taiwan Branch | RM 97, 17F, Songren Road, Xinyi Dist., Taipei, Taiwan 110050 | Taiwan |
| P.T. ABN Impact Indonesia | SCBD, Revenue Tower, 27th Floor, Jl. Jendral Sudirman No. 52-53, Senayan, Kebayoran Baru, Jakarta Selatan 12190, Indonesia | Indonesia |
| ABN Impact (Philippines) Inc. | 9/F, WeWork, Uptown Bonifacio Tower Three – 36th St. Corner 11th Ave, 1634 BGC, Taguig City | Philippines |
| ABN Impact Pte. Ltd. | 71 Robinson Road, #14-01, Singapore 068895 | Singapore |
| Asia Business Network (Thailand) Ltd. | 2 Silom Edge Building, 12th Floor, Room No. S12030, Silom Road, Suriyawong, Bangrak, Bangkok 10500, Thailand | Thailand |
| Non EEA – CHINA | | |
| InSites Consulting (China) Limited | Room 05-128, No. 819 West Nanjing Road, | China/Shanghai |
| 亚碧恩商务 咨询(上海)有限公司 | Shanghai, 200041, People’s Republic of China | China privacy statement link |