1. Who we are and scope

This Privacy Policy explains how Clarity Health Technologies, Inc. (251 Little Falls Drive, Wilmington, DE 19808, USA) and Clarity Technologies SASU (9 rue des Colonnes, 75002 Paris, France) (together, “Clarity,” “we,” “us”) collect, use, disclose, and protect Personal Data when you use our websites, mobile apps, and when you participate in our research/clinical activities (the “Services”).

Unless stated otherwise, Clarity Inc. (US) and Clarity SASU (EU) act as data controllers. In some collaborations (e.g., for clinics), we may act as a processor or a HIPAA Business Associate under a Business Associate Agreement (BAA).

2. What we collect & sources

We collect data from:

• You: contact details, account/profile info, communications, preferences; optional demographic and health details you choose to provide.

• Automatically: device identifiers, OS/browser, IP, app/feature usage, crash logs, performance, and limited geolocation/approximate location.

• Clinical/research: study enrollment details, assessments, biosignals (e.g., EEG, eye tracking), responses and outcomes, per protocol/consent.

• From third parties: service providers (e.g., hosting, analytics), clinical partners, and, with your permission, wearables or EHR integrations.

We may create aggregated and de-identified data that no longer identifies you.

Research Contact List (No Health Data)

What we collect. If you join our research contact list, we collect only basic contact details (e.g., name, email, phone, country/region) and your outreach preferences. Please do not submit medical or health information.
Purpose. To recontact you about potential participation opportunities and company updates related to research recruitment.
Legal basis (GDPR/UK GDPR). Your consent (Art. 6(1)(a)); where appropriate, our legitimate interests in managing a contact list (Art. 6(1)(f)). We do not collect or process special-category data (Art. 9).
CPRA/US state privacy. We use your contact details only to communicate about research opportunities; we do not sell or share this data for targeted advertising.
Retention. We keep your contact details for up to 24 months of inactivity or until you withdraw consent, whichever is earlier, then delete or de-identify.
Sharing. We share with service providers (email/CRM/hosting) under contract. We do not share contact-list data with advertisers.
Transfers. Where data is transferred internationally, we use appropriate safeguards (e.g., SCCs/UK Addendum or other lawful mechanisms).
Your choices. You can withdraw consent or unsubscribe at any time via the link in our emails or by contacting us.
Minors. If required by law in your location, we will obtain parent/guardian consent before adding a minor to the list.
Important note. Do not include any medical or health details in free-text fields or attachments. If you voluntarily send health information, we will delete or redact it.

3. Purposes & lawful bases

3.1 Product & operations

• Provide, maintain, secure, debug, and improve the Services; authenticate; prevent abuse; support; communicate service updates.
  Legal bases: contract (Art.6(1)(b)), legitimate interests (Art.6(1)(f)), legal obligation (Art.6(1)(c)).

3.2 Research & clinical activities

• Conduct research/clinical studies; analyze de-identified data; publish results; comply with ethics/IRB and regulatory requirements.
  Legal bases: explicit consent (Art.6(1)(a), Art.9(2)(a)); scientific research with safeguards (Art.9(2)(j)); public interest in public health where applicable (Art.9(2)(i)); legal obligations.

3.3 Marketing & analytics

• With consent, send updates; measure campaign performance; run website/app analytics; personalize non-sensitive content.
  Legal bases: consent (Art.6(1)(a)); legitimate interests (Art.6(1)(f)) for limited first-party analytics where allowed. You can opt out anytime.

We do not use research/clinical data for advertising.

4. Cookies & similar technologies

We use cookies/SDKs for essential operations, analytics, and (if you consent) advertising/retargeting. You can manage preferences at “Cookie Settings” and we honor Global Privacy Control (GPC) signals where applicable. See our Cookie Notice for categories, vendors, and lifetimes.

5. Sharing your data

We share Personal Data with:

• Service providers/processors: hosting, storage, analytics, email/SMS, customer support, error monitoring, payments (when applicable), research logistics—bound by contract.

• Clinical/research partners: as described in consent/protocols.

• Affiliates: Clarity Inc./Clarity SASU for unified operations.

• Legal/compliance: to respond to lawful requests or protect rights/safety.

• Corporate transactions: mergers, acquisitions, financing, or asset transfers.
  

  We may share de-identified/aggregated data for research, statistics, and product improvement.

6. International transfers

We operate globally and transfer data to the United States, EU/EEA, UK, and other countries. We use appropriate safeguards, including EU Standard Contractual Clauses (SCCs) (and UK IDTA/Addendum) and supplementary measures. If we participate in the EU-U.S. Data Privacy Framework, we may rely on it for eligible transfers. We apply contractual onward-transfer and security obligations.

7. Retention

We retain Personal Data only as long as necessary for the purposes above, including research/regulatory obligations, dispute resolution, and tax/accounting. We define retention by category (e.g., account data, support tickets, device logs, research data). When no longer needed, we delete or de-identify it.

8. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit/at rest, access controls, logging/monitoring, least-privilege, secure development, and vendor risk assessments. If we detect a security incident affecting your data, we will notify you and/or authorities as required by law.

9. Children & minors

Our Services can involve minors only with verified parental/guardian consent where the law requires (e.g., COPPA; EU digital age of consent). Research involving minors follows ethics approvals and consent/assent procedures. (This updates legacy statements that our Services are “not intended for children.”)

10. Your rights

GDPR/EU/UK

You may have rights to access, rectify, erase, restrict, object, portability, and to withdraw consent at any time (without affecting prior processing). We respond within one month (extendable in complex cases). You can lodge a complaint with your local authority (e.g., CNIL in France).

U.S. state privacy (CA/CO/CT/VA/UT/OR/TX, etc.)

You may have rights to know/access, correct, delete, data portability, opt-out of sale/share, opt-out of targeted advertising and some profiling, and to limit the use of Sensitive PI. We respond within 45 days (extendable). If we deny your request, you can appeal and contact your state AG if needed.

How to exercise rights: use our web form (preferred) or email contact@clarity-technologies.com. We will verify your identity and respond within the applicable timeframe. You may use an authorized agent (CPRA). We do not discriminate for exercising rights.

11. “Sale/Share” and targeted advertising

We do not sell Personal Data in the traditional sense. If our use of online identifiers/advertising cookies is deemed a “sale” or “share” or “targeted advertising,” you may opt out at “Do Not Sell or Share My Personal Information” and via GPC.

12. Automated decision-making

We do not make decisions producing legal or similarly significant effects solely by automated means. If that changes, we’ll provide required notices and human-review options.

13. HIPAA

Clarity is not generally a HIPAA Covered Entity. Where we act as a Business Associate to a Covered Entity, we enter a BAA and handle PHI per HIPAA. Outside HIPAA contexts, health data is handled under this Policy and applicable privacy laws.

14. Subprocessors & disclosures

A current list of our primary processors (purpose, location, and legal mechanism) is available on request or via our website. We contractually require confidentiality, security, and data-protection obligations.

15. Changes to this Policy

We will post updates here and, for material changes, provide reasonable prior notice (e.g., in-app/email). Changes apply prospectively from the effective date; they are not retroactive. Your continued use after the effective date signifies acceptance. (This replaces the “immediate effect” language.)

16. Contact & EU representative / DPO

• EU: Clarity Technologies SASU, 9 rue des Colonnes, 75002 Paris, France

• US: Clarity Health Technologies, Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA

• Email: contact@clarity-technologies.com

• Data Protection Officer (DPO): Raphael Certain

• EU Supervisory Authority: You may contact your local authority (e.g., CNIL) at any time.