Pagegazer

Data Protection

Last updated: May 2026

This page describes how Pagegazer protects participant and client data in commissioned research. It is intended as a starting point for procurement and security reviews. A Data Processing Agreement (DPA) template is available on request and can be signed before any participant data is collected.

1. Roles under the GDPR

For commissioned research, the client is the controller of the participant data and Scicovery GmbH (operating as Pagegazer) is the processor. We process participant data only on the documented instructions of the client, as defined in the engagement DPA and Statement of Work.

2. What we measure — and what stays on the device

Pagegazer studies are run in the participant’s browser. Depending on the study design, we measure:

  • Webcam-derived gaze coordinates (where on the screen the participant looked and for how long).
  • Webcam-derived heart rate (rPPG) and facial-expression classifications.
  • Behavioural data — clicks, scrolls, key presses, navigation paths, reaction times, choices.
  • Survey responses, where the study includes a questionnaire.

Raw camera images and raw video do not leave the participant’s device. Gaze, heart-rate and expression measurements are computed in the browser; only the derived numerical signals are transmitted. Participants are informed of this in the consent flow before any measurement begins.

3. Consent

Every study begins with an explicit, informed consent step that explains what is measured, how it is used, how long it is retained, and how to withdraw. Participants can decline or stop at any time. Where the study includes biometric measurements, consent is obtained under Art. 9 (2)(a) GDPR (explicit consent for special-category data).

4. Data residency and infrastructure

Production data is hosted in EU regions (Hetzner GmbH). Object storage uses Cloudflare R2 (EU region). Database backups are encrypted at rest and stored in the EU. Data in transit is protected with TLS 1.2+. Internal admin access uses role-based access control with audit logging.

5. Anonymisation and pseudonymisation

Where possible, participant records are stored under a pseudonymous identifier; identifying information is held separately and only joined where required for the agreed analysis. The standard practice is to delete all subject data 3 months after engagement close, unless a longer or shorter retention has been agreed in writing.
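The following is an added illustration of the pseudonymisation pattern described above; it is example code written for this page, not Pagegazer's own implementation, and it assumes a per-engagement secret key, an in-memory measurement store and a separately held identity vault (the store names, the sample participants and the purpose-logging helper are all constructed for the example). It also shows why the pseudonym should be a keyed hash rather than a plain hash: a plain hash of an e-mail address is re-identified by anyone who can recompute it from a candidate list, while the keyed form is unlinkable without the key, and deleting the vault and key at the retention point leaves the measurements usable in aggregate but no longer re-linkable.

```python
"""Pseudonymisation with a keyed hash and a separately held identity vault.

Added illustration, not Pagegazer's code. Assumes a per-engagement secret
key and two stores: measurement records under a pseudonym, and an identity
vault (pseudonym -> identifying data) kept separately and deleted at the
agreed retention point.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the example (not real participants).
PARTICIPANTS = [
    {"email": "alice@example.org", "gaze_ms_on_cta": 1240, "clicks": 3},
    {"email": "bob@example.org", "gaze_ms_on_cta": 310, "clicks": 1},
]


def unkeyed_pseudonym(email: str) -> str:
    """Weak: a plain hash of the identifier. Anyone holding a list of
    candidate e-mail addresses can recompute it and re-identify the record."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Stronger: HMAC-SHA256 under an engagement-specific key. Without the
    key a candidate list does not help, and the same person gets unlinkable
    pseudonyms in different engagements."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


class Engagement:
    """Holds the measurement store and the identity vault separately."""

    def __init__(self) -> None:
        self.key: Optional[bytes] = secrets.token_bytes(32)  # lives with the vault, not the data
        self.measurements: dict = {}     # pseudonym -> derived signals only
        self.identity_vault: dict = {}   # pseudonym -> identifying data

    def ingest(self, record: dict) -> str:
        """Split one incoming record into the two stores and return its pseudonym."""
        pid = keyed_pseudonym(record["email"], self.key)
        self.identity_vault[pid] = record["email"]
        self.measurements[pid] = {k: v for k, v in record.items() if k != "email"}
        return pid

    def analysis_view(self) -> list:
        """The view analysts normally work from: no identifying fields."""
        return [dict(pid=pid, **m) for pid, m in self.measurements.items()]

    def join_identity(self, pid: str, purpose: str) -> Optional[dict]:
        """Re-identify one record for a stated purpose (logged here as a stand-in
        for a real audit trail). Returns None once the vault has been deleted."""
        email = self.identity_vault.get(pid)
        if email is None:
            return None
        print(f"audit: joined {pid} for purpose={purpose!r}")
        return {"email": email, **self.measurements[pid]}

    def close_engagement(self) -> None:
        """Retention point: drop the vault and the key. The measurement store
        stays usable in aggregate but can no longer be re-linked to a person."""
        self.identity_vault.clear()
        self.key = None


def dictionary_attack(target: str, candidates: list) -> Optional[str]:
    """Re-identification attempt against an unkeyed pseudonym."""
    for c in candidates:
        if unkeyed_pseudonym(c) == target:
            return c
    return None


if __name__ == "__main__":
    eng = Engagement()
    pids = [eng.ingest(p) for p in PARTICIPANTS]
    print(eng.analysis_view())
    print(eng.join_identity(pids[0], purpose="agreed follow-up survey"))
    emails = [p["email"] for p in PARTICIPANTS]
    # The unkeyed scheme falls to a candidate list; the keyed pseudonym does not.
    print(dictionary_attack(unkeyed_pseudonym("alice@example.org"), emails))
    print([e for e in emails if unkeyed_pseudonym(e) == pids[0]])
    eng.close_engagement()
    print(eng.join_identity(pids[0], purpose="late request"))
```

The key belongs with the vault, not with the measurement store: if both are held in the same place, deleting the vault alone does not make the data unlinkable for anyone who retained the key and a candidate list.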

6. Sub-processors

A current list of sub-processors (cloud provider, object storage, email provider, recruitment panel, etc.) is included in the DPA and updated as it changes. Clients are notified in advance of material changes and may object on reasonable grounds.

7. Security practices

  • Access to production systems is restricted to named engineers.
  • Application secrets are managed via environment variables in the deployment platform, never committed to source control.
  • The codebase undergoes routine dependency-vulnerability scanning.
  • Personal data breaches are reported to the client without undue delay after we become aware of them, in line with the processor’s duty under Art. 33(2) GDPR.

8. International transfers

Where a sub-processor is located outside the EEA, transfers are governed by Standard Contractual Clauses or an adequacy decision. The DPA documents the specific transfer mechanism for each sub-processor.

9. Retention and deletion

Participant data is retained only as long as required to deliver the agreed findings. The default at engagement close is: deliverables retained per the contract; raw participant data deleted; client account data retained while the relationship is active and deleted on written request.

10. Contact

For DPA requests, sub-processor lists, security questionnaires, or any data-protection question, contact [email protected].