Privacy Policy

Privacy Policy for PsyData Labs L.L.C.
Effective Date: 2026-07-02 (July 2, 2026)

§ 1 - Introduction

PsyData Labs L.L.C. (“PsyData Labs”, “PsyData”, “PDL”, “we”, “us”, “our”) provides behavioral analytics, psychological signal processing, and AI-assisted products. This Privacy Policy explains what personal information we collect, why we collect it, how we use it and share it, and the rights available to you. This notice is a standalone document, you do not need other PDL policies to understand our practices.

§ 2 - Information We Collect

§ 2.1 - Identifiers and Account Data

Name, email, account IDs, authentication tokens, billing contact information, and support communications.

§ 2.2 - Behavioral Data (D-BEH)

Interaction telemetry such as session duration, navigation paths, feature usage, and device/browser characteristics when you use our services, subject to your consent and product settings.

§ 2.3 - Psychological Signals (D-PSY)

Where you opt in to enhanced features, we may process self-reported sales, cognitive-load proxies, or sensor-derived signals described at collection time. We do not use D-PSY for clinical diagnosis.

§ 2.4 - Inferences (D-INF)

Our systems may generate scopes, segments, or risk indicators from behavioral and psychological inputs. High-impact inferences are subject to human review where required by law or our AI governance program.

§ 2.5 - Technical and Security data

IP address, logs, cookies, ad similar technologies, and security monitoring data.

§ 3 - How We Use Information

We do not sell personal information as “sale” is defined under the CPRA offering required opt-out mechanisms.

§ 4 - Legal Basis (EEA/UK)

Where GDPR applies, we reply on contract, legitimate interest balanced against your rights, consent for special categories, and legal obligation. You may withdraw consent without affecting lawfulness of prior processing.

§ 5 - Sharing and Processors

We share data with service providers under written agreements required confidentiality, security, and sub-processing controls. Categories include cloud hosting, analytics, customer support, and security monitoring. We require processors to process data only on our instructions.

§ 6 - International Transfers

When we transfer personal data outside your control, we implement appropriate safeguards such as Standard Contractual Clauses and transfer impact assessments when required by GDPR Chapter V and CPRA cross-border rules.

§ 7 - Retention

We retain personal data only as long as necessary for the purposes described, including legal, accounting, and security requirements. Retention schedules vary by data class (S0-S4). When retention ends, we delete or irreversibly de-identify data subject to backup rotation cycles.

§ 8 - Security

We maintain administrative, technical, and physical safeguards aligned with the NY SHIELD Act, NY GBL § 899-aa, SOC 2, and ISO 27001 / 27701 programs, including access controls, monitoring, and vendor diligence.

§ 9 - Your Rights

Depending on location you may have access to delete, correct, port, restrict, or object to processing, and to opt out of sale/share or limit use of sensitive personal information (CPRA §§ 1798.100 - 1798.125). EU/UK data subjects may lodge complaints with supervisory authorities.

§ 9.1 - How to exercise these rights

Please contact our Privacy (privacy@psydata.org) or Legal (legal@psydata.org) teams. You can also use our Data Subject Access Request form.

We respond within 45 days for CPRA requests (45-day extension permitted with notice) and one month for GDPR requests (extendable by two months where complex).

§ 10 - Children

Our services are not directed to children under 13 (or 16 where applicable). We do not knowingly collect children’s data without verifiable parental consent (COPPA / CPRA minor rules).

§ 11 - Automated Decision-Making

Where automated processing procedures legal or similarly significant effects, we provide meaningful information, opportunity to contest, and human review per GDPR Art. 22 and our Human-in-the-Loop program.

§ 12 - Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy. You may manage preferences through in-product controls and browser settings.

§ 13 - Breach Notification

If a breach of security affects your personal data, we will notify you and regulators as required by GDPR Art. 33-34 (without undue delay, within 72 hours to authorities where feasible) and NY SHIELD/CPRA rules.

§ 14 - Changes

We may update this policy with notice via our website, our various platforms, or email for material changes. Continued use after the effective date constitutes acceptance where permitted by law.

§ 15 - California Notice at Collection (CPRA)

At or before collection we disclose categories collected, purposes, retention, and whether we sell or share. California residents may submit verifiable requests via privacy@psydata.org. Authorized agents must provide signed authorization. We do not discriminate against consumers for exercising CPRA rights (§ 1798.125).

§ 16 - Nevada and other US state privacy rights

Residents of states with comprehensive privacy laws may have additional rights to access, delete, correct, and opt out of target advertising or profiling; submit requests to privacy@psydata.org with jurisdiction noted.

§ 17 - EEA/UK representatives

Where required, PsyData appoints an EU/UK representative and documents processing activities (GDPR Art. 30). Cross-border transfer mechanisms are maintained in writing

§ 18 - Sensitive and Special Category Data

Psychological signals and precise behavioral inferences may constitute special category or sensitive personal information. We collect such data only with explicit consent or another valid Art. 9 basis and implement additional access controls (S3/S4).

§ 19 - De-Identified and Aggregated Data

We may use de-identified or aggregated datasets for analytics. We commit to not re-identified data except with technical and contractual safeguards and legal review.

§ 20 - Marketing Communications

You may opt out of marketings emails via unsubscribed links. Product-critical service messages may still be sent.

§ 21 - Third-party Links

Our services may link to third-party sites with separate privacy practices; we are not responsible for their content.

§ 22 - Data Protection Impact Assessments

We conduct DPIAs (GDPR Art. 35) for high-risk processing including certain psychological profiling and AI deployments.

§ 23 - Records of Processing

RoPA entries include purposes, categories, recipients, transfers, retention, and security measures, reviewed annually.

§ 24 - Compliant Process

We investigate privacy complaints within 30 business data where feasible and document remediation.

§ 25 - Contact

Data Protection Lead, PsyData Labs L.L.C., New York.

Email: privacy@psydata.org


Appendix A - Definitions

Personal Information, personal data, sale, share, sensitive information, and profiling are used as defined under CPRA and GDPR where applicable.

Behavioral data means interaction telemetry.
Psychological Signals means opt-in constructs described at collection;
Inferences means automated outputs.

Appendix B - Regional Addenda

Additional disclosures may apply for UK GDPR, Swiss FADP, or Canadian PIPEDA where we offer services - contact our Privacy team (privacy@psydata.org) for jurisdiction-specific supplements.