Sapience Privacy Policy

Last updated: October 2025

Introduction

Sapience (ICENSE BV, “we,” “our,” “us”) is committed to protecting the personal data of participants, clients, partners, and other individuals who interact with us. This Privacy Policy explains how we collect, use, share, and protect personal data across our research, business, and online activities.

Sapience carries out behavioural, media, and market research projects, sometimes involving eye-tracking, physiological measures, or observational studies. Our outputs are provided to clients in anonymised and aggregated form.

Depending on the project, Sapience may act as:

• a data processor (when we carry out research on behalf of a client), or
• a joint controller (when we jointly determine research methods and purposes with a client).

These roles are clarified in agreements with our clients, in line with GDPR requirements.

Principles of data protection

We process personal data in accordance with the GDPR’s core principles:

• Lawfulness, fairness, transparency – we only process data when there is a valid legal basis and we provide clear information.
• Purpose limitation – data is collected only for specified purposes and never reused for incompatible ones.
• Data minimisation – we collect the least amount of data necessary.
• Accuracy – we take reasonable steps to keep personal data up to date.
• Storage limitation – we retain personal data only as long as necessary for the stated purpose, then delete or anonymise it.
• Integrity and confidentiality – data is secured through technical and organisational measures.

We apply Privacy by Design and Default where appropriate and continue to expand its systematic application across our research practices.

Categories of data we process

Depending on the nature of our projects, we may process:

• Research participant data
• Demographic details (e.g., age group, gender)
• Survey and interview responses
• Eye-tracking or attention data
• Physiological or biometric data (e.g., heart rate, skin response)
• Video/audio recordings (used only for analysis, deleted promptly)
• Incidental third-party data
• Incidental content (e.g., people appearing in public spaces, content from social media feeds such as posts, names, or photos) may be captured during research. This content is never analysed, is blurred or masked before processing, and is deleted immediately after use and in any case within 90 days.
• Client data
• Contact details, contracts, and communication history.
• Website visitor data
• Usage data such as IP address, browser type, and analytics cookies.
• Employee, contractor, and partner data
• Information required for HR, collaboration, and compliance.

Legal grounds for processing

We rely on the following GDPR legal bases:

• Consent (Art. 6(1)(a), Art. 9(2)(a) GDPR) – for example, when participants agree to take part in a study and allow us to process their personal data. This may include demographic or survey data, recordings, or in some cases biometric or physiological data (such as eye-tracking or heart rate measures). Where special categories of personal data are involved, we rely on the participant’s explicit consent.
• Legitimate Interests (Art. 6(1)(f) GDPR) – for the limited and incidental processing of third-party data that may appear during research activities (e.g., bystanders in video recordings, voices in audio recordings, or content from participants’ social media feeds). Such processing is restricted to what is strictly necessary, is never analysed, and is subject to a balancing test to ensure that fundamental rights and freedoms are not overridden. When relying on legitimate interest, we carry out and document a balancing test to ensure rights and freedoms are not overridden.
• Contractual Necessity (Art. 6(1)(b) GDPR) – when processing is required to perform a contract with the data subject or to take steps prior to entering into a contract. For example, this applies when we process:
• Client and business partner contact details to manage projects, deliver research outputs, and handle invoicing.
• Supplier information to manage agreements with panel providers, subcontractors, or service vendors.
• Participant details when fulfilling incentive payments or reimbursements linked to study participation.
• Legal Obligations (Art. 6(1)(c) GDPR) – when processing is required to comply with laws or regulations to which Sapience is subject.
• Statistical Research (Art. 89 GDPR) – Much of Sapience’s processing is carried out solely for statistical purposes. Outputs of our research are always anonymised and presented in aggregate form, never linked to identifiable individuals. Where incidental personal data of third parties is captured, it is processed only to the extent necessary to achieve the statistical purpose, is never analysed, and is promptly anonymised or deleted.

Data retention

• Recordings from studies are deleted promptly after analysis and in any case no later than 90 days after the end of the project.
• Anonymised research data may be stored for up to 5 years for validation and reporting before secure deletion.
• Contact data (e.g., participants who sign up, client contacts) are retained as long as necessary for communication and then securely deleted, usually within 3 years of inactivity.
• Business records (contracts, invoices) are retained as required by law.

Sharing of personal data

We do not sell personal data. We only share it with:

• Service providers who support our research or operations, bound by confidentiality and data processing agreements.
• Clients – We normally share only anonymised and aggregated insights. In very rare cases, and only with the participant’s explicit prior consent as recorded in the consent form, we may share recordings (e.g., video or audio) for research purposes. Where appropriate, we apply safeguards such as blurring or masking to minimise identifiability and protect privacy.
• Authorities, if required by law.

Where we act as a processor, we only process data under the client’s instructions.

International transfers

If personal data is transferred outside the European Economic Area (EEA), Sapience ensures appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs), or
• Transfers to countries recognised as providing adequate protection.

Rights of data subjects

Individuals whose data we process may exercise the following GDPR rights:

• Access, rectification, erasure
• Restriction of processing
• Data portability
• Objection to processing (including for legitimate interest)
• Withdrawal of consent (without affecting prior lawful processing)

Requests can be made at any time via the contact details below.

Research participation and transparency

• Participation in research is voluntary and always based on informed consent.
• Participants receive detailed consent forms explaining the study purpose, data collected, and rights.
• For third parties whose data may appear incidentally (e.g., social media contacts), direct notification is not feasible. In these cases, Sapience relies on the GDPR’s statistical research provisions (Art. 89) and applies strong safeguards, including anonymisation, masking, and short retention.

Security measures

We apply appropriate technical and organisational measures, including encryption, restricted access, and secure storage. Our partners and subcontractors are carefully selected and contractually bound to ensure GDPR compliance.

Contact us

Questions regarding privacy and data protection can be directed to: info@wearesapience.com

You also have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données / Gegevensbeschermingsautoriteit

Rue de la Presse 35, 1000 Brussels

Website: https://www.gegevensbeschermingsautoriteit.be

Email: contact@apd-gba.be