Privacy Policy for PsyData Labs L.L.C.
Effective Date: 2026-07-02 (July 2, 2026)
PsyData Labs L.L.C. (“PsyData Labs”, “PsyData”, “PDL”, “we”, “us”, “our”) provides behavioral analytics, psychological signal processing, and AI-assisted products. This Privacy Policy explains what personal information we collect, why we collect it, how we use it and share it, and the rights available to you. This notice is a standalone document, you do not need other PDL policies to understand our practices.
Name, email, account IDs, authentication tokens, billing contact information, and support communications.
Interaction telemetry such as session duration, navigation paths, feature usage, and device/browser characteristics when you use our services, subject to your consent and product settings.
Where you opt in to enhanced features, we may process self-reported sales, cognitive-load proxies, or sensor-derived signals described at collection time. We do not use D-PSY for clinical diagnosis.
Our systems may generate scopes, segments, or risk indicators from behavioral and psychological inputs. High-impact inferences are subject to human review where required by law or our AI governance program.
IP address, logs, cookies, ad similar technologies, and security monitoring data.
We do not sell personal information as “sale” is defined under the CPRA offering required opt-out mechanisms.
Where GDPR applies, we reply on contract, legitimate interest balanced against your rights, consent for special categories, and legal obligation. You may withdraw consent without affecting lawfulness of prior processing.
We share data with service providers under written agreements required confidentiality, security, and sub-processing controls. Categories include cloud hosting, analytics, customer support, and security monitoring. We require processors to process data only on our instructions.
When we transfer personal data outside your control, we implement appropriate safeguards such as Standard Contractual Clauses and transfer impact assessments when required by GDPR Chapter V and CPRA cross-border rules.
We retain personal data only as long as necessary for the purposes described, including legal, accounting, and security requirements. Retention schedules vary by data class (S0-S4). When retention ends, we delete or irreversibly de-identify data subject to backup rotation cycles.
We maintain administrative, technical, and physical safeguards aligned with the NY SHIELD Act, NY GBL § 899-aa, SOC 2, and ISO 27001 / 27701 programs, including access controls, monitoring, and vendor diligence.
Depending on location you may have access to delete, correct, port, restrict, or object to processing, and to opt out of sale/share or limit use of sensitive personal information (CPRA §§ 1798.100 - 1798.125). EU/UK data subjects may lodge complaints with supervisory authorities.
Please contact our Privacy (privacy@psydata.org) or Legal (legal@psydata.org) teams. You can also use our Data Subject Access Request form.
We respond within 45 days for CPRA requests (45-day extension permitted with notice) and one month for GDPR requests (extendable by two months where complex).
Our services are not directed to children under 13 (or 16 where applicable). We do not knowingly collect children’s data without verifiable parental consent (COPPA / CPRA minor rules).
Where automated processing procedures legal or similarly significant effects, we provide meaningful information, opportunity to contest, and human review per GDPR Art. 22 and our Human-in-the-Loop program.
We use cookies and similar technologies as described in our Cookie Policy. You may manage preferences through in-product controls and browser settings.
If a breach of security affects your personal data, we will notify you and regulators as required by GDPR Art. 33-34 (without undue delay, within 72 hours to authorities where feasible) and NY SHIELD/CPRA rules.
We may update this policy with notice via our website, our various platforms, or email for material changes. Continued use after the effective date constitutes acceptance where permitted by law.
At or before collection we disclose categories collected, purposes, retention, and whether we sell or share. California residents may submit verifiable requests via privacy@psydata.org. Authorized agents must provide signed authorization. We do not discriminate against consumers for exercising CPRA rights (§ 1798.125).
Residents of states with comprehensive privacy laws may have additional rights to access, delete, correct, and opt out of target advertising or profiling; submit requests to privacy@psydata.org with jurisdiction noted.
Where required, PsyData appoints an EU/UK representative and documents processing activities (GDPR Art. 30). Cross-border transfer mechanisms are maintained in writing
Psychological signals and precise behavioral inferences may constitute special category or sensitive personal information. We collect such data only with explicit consent or another valid Art. 9 basis and implement additional access controls (S3/S4).
We may use de-identified or aggregated datasets for analytics. We commit to not re-identified data except with technical and contractual safeguards and legal review.
You may opt out of marketings emails via unsubscribed links. Product-critical service messages may still be sent.
Our services may link to third-party sites with separate privacy practices; we are not responsible for their content.
We conduct DPIAs (GDPR Art. 35) for high-risk processing including certain psychological profiling and AI deployments.
RoPA entries include purposes, categories, recipients, transfers, retention, and security measures, reviewed annually.
We investigate privacy complaints within 30 business data where feasible and document remediation.
Data Protection Lead, PsyData Labs L.L.C., New York.
Email: privacy@psydata.org
Personal Information, personal data, sale, share, sensitive information, and profiling are used as defined under CPRA and GDPR where applicable.
Behavioral data means interaction telemetry.
Psychological Signals means opt-in constructs described at collection;
Inferences means automated outputs.
Additional disclosures may apply for UK GDPR, Swiss FADP, or Canadian PIPEDA where we offer services - contact our Privacy team (privacy@psydata.org) for jurisdiction-specific supplements.