Policy for handling, use, and processing of biometric personal data by QQA Robotica AI S.A.S

Update: July 16th, 2024

POLICY FOR HANDLING, USE, AND PROCESSING OF BIOMETRIC PERSONAL DATA BY QQA Robotica AI S.A.S

QQA Robotica AI S.A.S,values your privacy and cares about the way in which your personal information is treated. This online privacy statement (“Privacy Statement”) describes QQA Robotica AI S.A.S privacy practices in relation to how we may collect information from you in the course of our business and the QQA Robotica AI S.A.S platform and websites available at Www.QQA.ai. QQA.AI (the QQA Robotica AI S.A.S homepage), www.QQA.ai. QQA.AI (the subscriber login page to access and use QQA Robotica AI S.A.S platform) and Www.QQA.ai. QQA.AI (a platform for delivery of certain QQA Robotica AI S.A.S in-product applications), or such other websites as we may operate from time to time. The QQA Robotica AI S.A.S homepage provides information about QQA Robotica AI S.A.S online legal risk management products and services (referred to in this Privacy Policy as the “QQA Robotica AI S.A.S platform”), and the subscriber login pages provide the means by which authorized subscribers access and use the Robotica AI S.A.S platform. In addition to our Privacy Policy, your use of the QQA Robotica AI S.A.S platform and websites is subject to the terms and conditions of the Legal Notices.

The present document shall apply to all personal, biometric, sensitive data, among others, and any other type of information that is used or stored in the databases and files of QQA Robotica AI S.A.S. It respects the criteria for the acquisition, collection, use, processing, exchange, transfer, and transmission of personal data and sets forth the obligations and guidelines of QQA Robotica AI S.A.S for the management and processing of personal data stored in its databases and files. This Policy is applicable to QQA Robotica AI S.A.S's processes when they must handle the processing of data (public data, semi-private data, private data, biometric data) as both the Data Controller and Data Processor.

At QQA Robotica AI S.A.S, we value your ability to understand, access, correct, be informed about the treatment and handling, transfer, restrict processing, and delete your personal data. When you are asked for consent for the processing of your personal data by QQA Robotica AI S.A.S, and you provide your authorization, you will have the right to withdraw your consent at any time, exercising your data and privacy rights. To help safeguard the security of your personal data, you must log in to your account and your identity will be verified, before your personal data is deleted.

1. THE PURPOSE

This Policy on the Processing of Biometric Data by the QQA Robotica AI S.A.S ("hereinafter"“the Policy”) is to ensure that the processing of biometric data by the QQA Robotica AI S.A.S takes place in accordance with the principle of “do no harm”, the QQA Robotica AI S.A.S protection mandate and the Rules on Personal Data Protection (“the Rules”) It also seeks to ensure that those Rules are applied in a manner that takes into account the specific features of biometric data and the opportunities and risks associated with their processing.

2. DEFINITIONS

2.1. Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing or use of personal data.

2.2. Personal Data: Any information linked or that can be associated with one or more specific or determinable individuals. These data are classified as public, semi-private, private, and sensitive:

2.2.1. Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information regarding the civil status of individuals, their profession or occupation, and their status as a merchant or public servant. By nature, public data may be contained, among others, in public records, public documents, gazettes, official bulletins, and court judgments that are duly enforceable and not subject to confidentiality.

2.2.2. Semi-Private Data: Data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Data Subject but also to a certain sector or group of people or to society in general. Examples include databases containing financial, credit, commercial, service-related information, and information from third countries.

2.2.3. Private Data: Personal data that, due to its intimate or reserved nature, is of interest only to its Data Subject, and its processing requires prior, informed, and express authorization. Examples include databases containing personal phone numbers and email addresses; employment data; data on administrative or criminal offenses, managed by tax administrations, financial entities, and entities managing social security common services; databases on asset or credit solvency, databases with sufficient information to evaluate the personality of the Data Subject, and databases of operators responsible for providing electronic communication services.

2.2.4. Sensitive Data: Sensitive data are those that affect the privacy of the Data Subject or whose misuse may lead to discrimination.

2.2.5. Biometric Data: This policy requires enhanced protection of personal data whose disclosure could cause harm to individuals. Includes biometric data. these are the data that will make it possible to determine the user's preferences, based on his or her ocular analysis.The personal data to be processed and handled in this policy are biometric data, because for neuromarketing analysis our devices capture the following information:

1. Facial recognition

2. Neural activity information

3. Voice (eventually)

4. Eye Pupillometrics

2.3. Data Processor: Natural or legal person, , who, either alone or in association with others, carries out the processing of personal data on behalf of the Data Controller.

2.4. Data Controller: Natural or legal person, who, either alone or in association with others, decides on the database and/or the processing of data.

2.5. Database Administrator: Collaborator responsible for controlling and coordinating the proper application of data processing policies once stored in a specific database, as well as implementing the guidelines dictated by the Data Controller and the Data Protection Officer.

2.6. Data Protection Officer: The natural person who assumes the role of coordinating the implementation of the legal framework for the protection of personal data, processing requests from Data Subjects for the exercise of rights

2.7.Data Subject: Natural person whose personal data is subject to processing. 2.9. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

3. PRINCIPLES

Be transparent about its use of biometric data, and ensure the rights of Data Subjects are upheld whenever such data are processed. The Policy also commits QQA Robotica AI S.A.S to regularly review its implementation to ensure that the processing of biometric data does not inadvertently jeopardise the rights or safety of Data Subjects. It also aims to ensure that any new privacy enhancing technologies that may be developed over time can be adopted, enabling increased security of biometrics use cases.

4. DATA IDENTIFICATION

In the field of preference identification and biometric data collection, an advanced system has been developed that allows for detailed information gathering on user interaction with visual content, such as videos. This system is not based on the creation of traditional biometric data templates, but rather on the collection of specific data related to ocular behavior.

The system collects information such as gaze direction, the amount of time users fixate on certain directions, changes in pupil size, and the frequency of blinks while users watch a video. This data is automatically processed, allowing the machine to analyze it efficiently and effectively.

This method of storage and analysis enables individualization of each user, facilitating the execution of automatic actions and the creation of profiles based on observed preferences and behaviors. For example, based on the analysis of ocular data, the system can infer which parts of the video capture the user's attention the most, which generate more interest, and which are less appealing.

In terms of identification and authentication, it is essential that the biometric data collected from different individuals be clearly distinguishable. These data act as unique identifiers for each person, similar to how an ID number identifies a person in an administrative context. Although these biometric data cannot reconstruct the original brain activity, their ability to uniquely identify each individual within the framework of automated processing is sufficient for the purposes of the system.

Unlike an ID number, biometric data is not arbitrarily assigned to a person. Instead, it is generated directly from the observation of unique and unalterable physical characteristics of the individual, without the need to resort to third-party documents or databases. This approach ensures a high level of accuracy and security in preference and behavior identification, providing valuable information that can be used to enhance content personalization and user experience.

5. DATA COLLECTION

5.1. PRIVATE PERSONAL DATA

Participant Registration:

When a participant registers in our system to participate with your biometric data to link analysis of your preferences based on ocular and neural activity., they will be asked to provide certain basic information, including their name, email, and identification number (ID or ID card).

This information will not be stored in our databases and will only be used to contact the participant and verify his/her identity.

Invitation to Video Call:

Once the participant has completed registration, they will be sent an invitation to join an online video call via Zoom. This invitation will provide details about the date and time of the video call, as well as a link to join.

Identity Verification:

During the video call, a representative from our team will be present to verify the participant's identity. The participant should have their identification document (ID or ID card) handy during the call.

The representative of our team will be in charge of the verification and therefore will be responsible for data management, however in this video call will only verify the identity will not be storage, use, or collection of personal data, or biometric data.

Verification Process:

During the video call, the participant will be required to show their identification document in front of the webcam so that the team representative can verify that the name and photograph on the document match the participant's appearance in real-time. Additionally, the participant will be asked to perform certain actions to confirm their identity, such as smiling, moving their head, or blinking, to ensure that the person in the video call is indeed the same as the one on the identification document.

Verification Outcome:

Once the verification is completed, the participant will be informed whether they have been approved or not. If approved, they will be allowed to proceed with the registration process and participate in the corresponding event or activity. In case any issues arise during verification, additional instructions will be provided to the participant on how to proceed to resolve the situation.

This process ensures efficient and accurate verification of participants' identities, thereby contributing to maintaining the security and integrity of our events or activities. Upon completion of the verification process, a verification code will be issued to the participant. QQA Robotica AI S.A.S will not store, use or collect data from the video call, and if a participant restricts the use of the data, all deleted data will be completely removed from the system and a confirmation receipt will be sent to the participant.

5.1. BIOMETRIC DATA IDENTIFICATION PROCESS

Data Collection:

Once the user has been verified and registered on the platform, they are invited to participate in the identification of biometric data. The user provides their explicit consent for the collection and processing of their biometric data.

Specific biometric data related to ocular behavior while the user interacts with visual content, such as videos, is collected. This data may include gaze direction, the amount of time the user fixes their gaze on certain directions, changes in pupil size, and the frequency of blinks.

Processing and Analysis:

The collected biometric data is processed using advanced technology to analyze user behavior. Facial recognition algorithms and behavioral analysis techniques are used to identify patterns and user preferences.

The results of the biometric data analysis are used to understand user preferences, which are used for NeuroMarketing purposes. After the process is completed on the platform, it generates the results. QQA Robotica AI S.A.S does not store the biometric data that led to the result. Therefore, the data projected through codes is deleted from our system, platform, device, and only the result of the user's preferences remains.

This process ensures precise and secure identification of the individual, as well as privacy protection by eliminating sensitive data after verification and obtaining the results.

6. TYPE OF DATA

In our company, we handle two main types of data: biometric data and personal private data. These types of data are essential for carrying out our operations and providing our services effectively and securely.

Biometric Data

Biometric data pertains to the unique physical and behavioral characteristics of an individual. It includes information such as gaze direction, pupil size, blink frequency, and other patterns of ocular behavior. These data are used to identify and authenticate users, as well as to conduct behavior and preference analysis for NeuroMarketing purposes. Our company collects and processes biometric data securely and in compliance with relevant privacy regulations.

Personal Private Data (ID Number)

Personal private data is information that identifies or can be used to identify a specific individual. It includes data such as identification numbers (IDs), names, addresses, email addresses, and other sensitive personal information. In our case, the ID number is considered personal private data, as it can uniquely identify an individual.

These data are primarily used for identity verification and user registration on our platform. Our company implements robust security measures to protect the privacy and confidentiality of this data, including the deletion of data once it is no longer needed for the intended purposes.

In summary, our company manages and responsibly uses biometric data and personal private data, ensuring the security and protection of our users' privacy at all times.

7. AUTHORIZATION OF OWNER

For the processing and handling of personal data, the authorization of the Owner is required, except in cases expressly indicated. In advance and/or at the time of collecting personal data, QQA Robotica AI S.A.S will request authorization from the Data Owner to collect and process their data using automated technical means, written or oral, that allow proof of authorization and/or conduct to be retained. The personal data collected will have the purposes described in this policy.

Authorization from the Owner will not be necessary in the following cases:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or health emergencies.
Processing of information authorized by law for historical, statistical, or scientific purposes.

7.1 REQUEST FOR AUTHORIZATION FROM THE DATA SUBJECT

Authorization for the use, handling, and/or processing of data will be managed by QQA Robotica AI S.A.S through mechanisms that guarantee its subsequent consultation and the expression of the Owner's will through the following means:

In writing.
Orally.
Through automated channels.
Through unequivocal actions of the data subject that allow it to be reasonably concluded that authorization was granted.

QQA Robotica AI S.A.S, in advance and/or at the time of collecting personal data, will clearly and expressly inform the Data Owner of the following:

The processing and use to which their personal data will be subjected and the purpose thereof.
The rights they have as Data Owner;
The identification, physical or electronic address, and telephone number of QQA Robotica AI S.A.S

8. DATA OBTAINED

The data obtained includes personal and biometric information collected during the registration process on our platform. To ensure the security and privacy of our users, we request prior authorization to collect and process personal data such as names, email addresses, and identification numbers. Additionally, through advanced biometric analysis techniques, we gather data related to users' eye behavior while interacting with visual content, such as videos. These biometric data include gaze direction, blink frequency, and other visual patterns, and are used to uniquely identify users and analyze their preferences for NeuroMarketing purposes.

9. DATA PROCESSING AND HANDLING

The processing and management of data carried out by our company is a fundamental part of our strategy to offer personalized and relevant services to our customers. In our process, we gather personal data that enables us to understand users' preferences after they have watched a video on our platform. This data includes information such as viewing duration, interactions during the video, specific sections that capture their attention the most, and any post-viewing actions. By utilizing advanced data analysis techniques and information processing, we can extract patterns and behavioral trends that help us better comprehend the individual needs and preferences of consumers.

Once we have obtained these valuable insights, we generate a result that summarizes the observed preferences and behaviors of each user. This result becomes a valuable resource that can be used for targeted and personalized marketing campaigns. Our company has the capability to market these results to third-party companies interested in reaching specific audiences with their products or services. By sharing this data responsibly and ethically, we contribute to creating more relevant and satisfying experiences for both users and companies seeking to connect with consumers.

It is important to emphasize that we maintain high standards of privacy and security at all times. We comply with all data protection regulations and laws to ensure that our users' information is handled securely and their privacy is respected. Additionally, we offer users the option to control how their data is used and provide transparency about our data handling practices. We firmly believe in the importance of user trust and strive to maintain that trust through our policies and actions regarding data privacy and security.

10. PURPOSES OF DATA COLLECTION AND HANDLING

Data Collection in Our Company: Objectives and Benefits

The primary objective of data collection in our company is neuromarketing and the commercialization of the results to third parties. Below is a detailed explanation of how these objectives are achieved and the benefits they offer.

Digital NeuroMarketing

Deep Understanding of the User

Data collection allows us to gain a deep understanding of user preferences and behaviors while watching videos. This includes data such as:

Viewing Duration: The amount of time a user spends watching a video.
Interactions: Specific actions the user takes during the viewing, such as blinking.
Areas of Interest: Parts of the content that capture the user's attention the most through ocular analysis.

With the collected information, companies can personalize video content shown to each user. This level of personalization results in greater relevance and appeal for the user, increasing the likelihood of positive interaction with the content.

Strategy Optimization.

The collected data also enables continuous optimization of marketing strategies. By analyzing behavior patterns, campaigns can be adjusted to be more effective, focusing efforts on what truly resonates with and appeals to the consumer.

Results to Third Parties

The data derived from ocular analyses contain valuable information that, in conjunction with brain activity analysis, will help determine consumer preferences, interests, and behaviors.

Sale of Analytical Information Results

The analytical information derived from our data becomes a valuable resource for third parties. Companies in various sectors hire our services to host their videos on our platform, allowing consumers to view their content and ultimately understand consumer behavior and the emotions experienced while watching the video. These companies can use these insights to design and adjust their own marketing strategies, products, and services.

It is important for consumers and users to understand that their data is not sold to third parties. Instead, a company (third party) hires us to provide a report based on neuromarketing that details the preferences and emotions experienced by users while watching the video. The data received by the company (the third party) will not include personal or biometric data, as we only deliver a final report highlighting the moments when the user experienced emotions such as disgust or enthusiasm due to ocular and neural activity.

QQA Robotica AI S.A.S explicitly states that the data obtained will only reflect emotions presented by the consumer while watching the video and will not include any identification data. As a result, we deliver a final report that answers all marketing-related questions without storing or providing any consumer data.

Understanding Consumer Intentions

The results we commercialize provide companies with a clear understanding of consumer intentions. This includes:

Presented Emotions: Emotions displayed while watching the video.
Preferences: Specific likes and dislikes.

The feedback obtained through the commercialization of our data also helps companies improve their videos through which they market products and services.

Transparency and Trust

We ensure high standards of privacy and security at all times. We clearly inform users about how their data will be used and provide options for controlling the use of their information. This approach fosters user trust and ensures that our data collection and commercialization practices are conducted ethically and responsibly.

In summary, data collection in our company not only allows us to improve digital marketing strategies but also provides valuable insights to third parties, helping them better understand consumer intentions and optimize their own operations and marketing campaigns.

11. CYBERSECURITY SYSTEM FOR THE PROTECTION OF BIOMETRIC AND PERSONAL DATA

To ensure the security of biometric and personal data, QQA Robotica AI S.A.S implements a robust cybersecurity system involving two key roles: the Data Custodian and the Data Controller. This system is based on the principles of data protection by design and by default, ensuring that all aspects of data processing comply with the highest standards of security and privacy.

Responsibilities Data Custodian

Secure Storage

Implement advanced security measures to protect data at rest and in transit, including data encryption.
Ensure that databases are segregated, with biometric data stored separately from personal data, which will only include the ID.
Store personal ID data in encrypted digital database tables. The encryption key will be stored in a key vault in our platform, inaccessible to hackers.

Controlled Access:

Manage data access permissions, ensuring that only authorized personnel have access to sensitive information.
Utilize multi-factor authentication (MFA) and role-based access control (RBAC) to enhance security.

Monitoring and Auditing:

Establish detailed audit logs for all activities related to access and processing of biometric data.
Continuously monitor the system to detect and respond to any suspicious or unauthorized activity.

Infrastructure Maintenance:

Ensure that the technological infrastructure is up-to-date with the latest security patches and updates.
Conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security risks.

Responsibilities Data Controller

Data Governance:

Define and maintain privacy and data protection policies that comply with applicable regulations.
Ensure that all data collection, processing, and deletion processes comply with these policies.

Transparency and Consent:

Clearly inform users about how their data is used and obtain their explicit consent before collecting and processing their biometric and personal data.
Provide mechanisms for users to access, correct, and delete their data, ensuring their rights over their information.

Data Minimization:

Implement the principle of data minimization, collecting only the information necessary to fulfill the specified purposes.
Apply pseudonymization techniques to protect personal data associated with biometric data.

Impact and Risk Assessment:

Conduct data protection impact assessments (DPIAs) to identify and mitigate risks before implementing new systems or processes.
Document and manage privacy and security risks, ensuring appropriate measures are taken to mitigate them.

Specific Security Measures

Advanced Encryption:

Biometric data is protected by state-of-the-art data security measures, including encryption of data at rest and in transit to minimize the risk of unauthorized access.
Data will be stored in encrypted digital database tables with an encryption key, which is stored in a key vault on our platform, inaccessible to hackers.

Prevention of Unauthorized Disclosure:

Systems are designed to prevent the unauthorized disclosure of biometric data through technical means, including 'one-way encoding' of biometric images and the use of proven algorithms for biometric template conversion and matching.

Database Segregation:

Despite the need to maintain a link between these data sets, database instances are segregated, with biometric data records stored separately from the personal data with which they are associated.

Audit Logs:

Audit logs are established for the use of all biometric data processed by QQA Robotica AI S.A.S, ensuring comprehensive tracking and accountability in data handling.

User-Centered Approach:

A beneficiary-centered (or user-centered) approach to data ownership is incorporated into the system architecture and associated policies, ensuring that the Data Subject is informed about the processing, can access their data, understand how it has been used, and make decisions about its continued processing.

Data Minimization and Pseudonymization:

The principle of data minimization is effectively implemented with regard to the processing of personal data linked to a biometric profile, strictly limited to the information necessary to meet the specified purpose.
Pseudonymization techniques are applied to the processing of personal data associated with biometric data.

The implementation of a robust cybersecurity system, with clearly defined roles for the Data Custodian and Data Controller, ensures that QQA Robotica AI S.A.S handles biometric and personal data securely and responsibly. This comprehensive approach guarantees the privacy and security of our users while complying with regulations and providing high-quality services.

12. CONSENT OF THE OWNER

Consent of the Owner refers to the explicit, informed, and voluntary agreement given by an individual (the data subject) to allow the collection, processing, and use of their personal data, including biometric information, by QQA Robotica AI S.A.S. This consent must be obtained before any data is collected or processed and must be based on a clear understanding of how the data will be used, stored, and shared.

Explicit Agreement: Consent must be clear and unequivocal, provided through an affirmative action such as checking a box on a form, signing a document, or clicking an "I agree" button.
Informed Consent: The data subject must be fully informed about the nature of the data being collected, the purpose of its collection, how it will be used, who it will be shared with, and the risks involved. This information should be presented in a clear, concise, and easily understandable manner.
Voluntary Consent: Consent must be given freely, without any form of coercion or undue influence.
Revocable: The data subject must have the right to withdraw their consent at any time. The process for withdrawing consent should be straightforward and clearly communicated.
Specific: Consent must be specific to the outlined data processing activities.

Implementation in Practice

Transparent Communication: Provide clear, detailed information to data subjects about what data will be collected and why.
Clear Options: Offer clear options for providing consent, such as checkboxes or electronic signatures.
Documentation: Maintain records of all consents obtained. This includes recording the date and time of consent and the information provided to the data subject.
Continuous Updates: Inform data subjects about any changes in data processing practices that might affect their consent. Obtain renewed consent if the purposes for data processing change significantly.
User Control: Provide tools and interfaces that allow data subjects to manage their consent preferences easily. This includes accessing their data, updating their consent preferences, and withdrawing consent.

12.1 IMPORTANCE OF CONSENT OF THE OWNER

Legal Compliance: Ensures compliance with data protection laws and regulations, which require explicit consent for processing personal and biometric data.

Trust and Transparency: Builds trust with users by demonstrating a commitment to transparency and respect for their privacy.

Ethical Data Use: Promotes ethical data practices by ensuring that data subjects have control over their personal information and how it is used.

In conclusion, Consent of the Owner is a fundamental principle in data protection, ensuring that individuals maintain control over their personal and biometric data. It requires explicit, informed, and voluntary agreement from the data subject, with mechanisms in place for easy withdrawal of consent and ongoing transparency. This approach not only ensures legal compliance but also fosters trust and ethical data management.

13. USE AND NON-STORAGE

Use and Non-Storage refers to the practice of processing personal data, including biometric information, in such a way that these data are used for a specific purpose and then not permanently stored in any database. This approach ensures that sensitive data is used only when absolutely necessary and is deleted immediately after fulfilling its purpose, minimizing the risks associated with prolonged data storage.Personal and biometric data are only processed for clearly defined and legitimate purposes. Once the purpose has been fulfilled, the data is not stored or retained.

After the data has been used for its specific purpose, it is securely and completely deleted from all systems and records, ensuring it is not stored long-term. By not permanently storing personal and biometric data, the risk of data breaches, unauthorized access, and other security issues is significantly reduced.

This practice helps comply with data protection regulations that emphasize minimizing data storage and protecting individual privacy. Data is used in real-time or for a very short period for the specific purpose for which it was collected. Once this purpose is fulfilled, the data is immediately deleted. While the data is being used, robust security measures are implemented to protect the information from any unauthorized access or misuse.

Records of all data processing activities are maintained to ensure transparency and accountability in the use and deletion of the data.Training all employees and stakeholders on the importance of use and non-storage of data and on the proper procedures for handling and deleting personal and biometric data.

Ensures that individuals’ privacy is protected by minimizing the amount of time personal and biometric data is at risk.Decreases the risk of data breaches and unauthorized access, as data is not stored beyond what is necessary.Helps comply with data protection laws and regulations that require the minimization of data storage.

Builds user trust by demonstrating a commitment to protecting their privacy and minimizing risks associated with data storage. In conclusion, the concept of Use and Non-Storage is fundamental to data protection, ensuring that personal and biometric information is used only when necessary and deleted immediately afterward. This approach minimizes risks, protects individuals' privacy, and complies with data protection regulations, thereby strengthening trust and ethical data management.

14. DATA PROTECTION AND SECURITY

To ensure the safe and responsible handling of biometric data, QQA Robotica AI S.A.S implements strict data protection measures. The integrity and confidentiality of our users' information is a top priority, and we adopt a rigorous approach to comply with privacy and security regulations. Below, we describe the specific measures we take to protect biometric data and how we design our systems to guarantee maximum security and transparency for our users:

Biometric data is protected by state-of-the-art data security measures, including the encryption of data at rest and in transit to minimize the risk of unauthorized access.

Systems are designed to prevent the unauthorized disclosure of biometric data through technical means, including the ‘one-way encoding’ of biometric images and the use of proven algorithms for biometric template conversion and matching;
Notwithstanding the need to maintain a link between these datasets, database instances are segregated, with biometric data records stored separately from the personal data with which they are associated.
Audit trails are established for the use of all biometric data processed by QQA Robotica AI S.A.S.

When designing biometric systems and having regard to the functional needs of the biometric system, QQA Robotica AI S.A.S must ensure that:

A beneficiary-centric (or user-centric) approach to the ownership of the data is built into the system architecture and associated policies, ensuring that the Data Subject is informed about the processing, can access their data, understand how it has been used, and make decisions about its continued processing.
The principle of data minimization is effectively implemented with regard to the processing of personal data linked to a biometric profile, which is strictly limited to information that is necessary to meet the specified purpose.
Pseudonymization techniques are applied to the processing of the personal data associated with the biometric data.

15. BIOETHICAL STANDARDS FOR THE POLICY OF PROTECTION OF BIOMETRIC AND PERSONAL DATA

15.1 Principle of Autonomy:

The principle of autonomy focuses on respecting individuals' capacity to make informed decisions about their own biometric and personal data. To uphold this:

Explicit and informed consent will be obtained from individuals before collecting, processing, or transferring their data. Clear and understandable information will be provided about the purpose of data collection, how it will be used, who will have access to it, and the potential risks involved.
Ensure individuals have access to all relevant information about the processing of their data, enabling them to make informed decisions. This includes providing easy access to privacy policies and data practices.
Allow individuals to withdraw their consent at any time, ensuring their data is securely deleted upon withdrawal of consent.

15.2 Principle of Beneficence:

The principle of beneficence refers to the obligation to maximize benefits and minimize risks for individuals whose data is being processed. To achieve this:

Only collect and use the data necessary to fulfill specific and legitimate purposes, avoiding excessive or unnecessary data collection.
Conduct data protection impact assessments (DPIAs) to identify and mitigate potential risks before implementing new systems or processes for biometric data.
Implement robust security measures to protect personal and biometric data against unauthorized access, loss, alteration, or disclosure. This includes the use of encryption, multifactor authentication, and role-based access control.

15.3 Principle of Non-Maleficence:

The principle of non-maleficence focuses on the obligation not to cause harm to individuals whose data is being processed. To uphold this:

Adopt measures to prevent the misuse or abuse of biometric and personal data, including the implementation of strict policies against discrimination and unauthorized data usage.
Establish clear and effective procedures to respond to data breaches and other security incidents, including timely notification to affected individuals and the implementation of corrective measures.
Ensure that all data processing practices align with ethical and legal principles, respecting the dignity and rights of individuals.

15.4 Principle of Justice:

The principle of justice refers to the obligation to treat all individuals fairly and equitably in the processing of their data. To achieve this:

Ensure that the processing of biometric and personal data does not result in discrimination or unfair treatment based on characteristics such as race, gender, sexual orientation, religion, or health status.
Provide equal access to all individuals to their personal and biometric data, as well as mechanisms to correct and delete their data.
Maintain transparency in all data processing practices, providing clear and accessible information on how data is handled and allowing for independent monitoring and auditing.

15.5 Principle of Responsibility:

The principle of responsibility refers to the obligation of organizations to be accountable for the processing of personal and biometric data. To uphold this:

Establish monitoring mechanisms to ensure ongoing compliance with data protection standards and bioethical principles.
Maintain detailed records of all data processing activities, including obtained consent, conducted impact assessments, and implemented security measures.
Provide training to all employees, collaborators, and stakeholders on data protection policies and bioethical principles, ensuring they understand and respect these principles in their daily work.

15.6 Principle of Transparency:

The principle of transparency refers to the obligation of organizations to be open and clear about their data processing practices. To achieve this:

Provide clear and detailed information on how biometric and personal data is collected, used, stored, and shared, using accessible language and avoiding technical jargon.
Allow individuals easy access to their personal and biometric data, as well as information on how it is being used.
Regularly update and review data protection policies to reflect changes in laws and best practices, and effectively communicate these changes to all stakeholders.

The bioethical standards for the policy of protection of biometric and personal data are essential to ensure that data is handled responsibly, ethically, and legally.

These principles not only protect the rights and privacy of individuals but also strengthen trust and transparency in the organization's data handling practices. By adhering to these principles, QQA Robotica AI S.A.S will ensure ethical and secure management of personal and biometric data.

16. HOW LONG WE KEEP YOUR PERSONAL INFORMATION

In our policy for managing biometric and personal data, we adopt a limited retention approach that ensures maximum privacy and security for our users. In this context, we commit to not retaining or storing the personal data provided beyond what is strictly necessary to fulfill our objectives and obligations.

Principles

1.1. Limited Retention: We commit to retaining and storing only the ID associated with each individual in our records. This ID serves as a unique reference to identify users in our systems, without revealing their actual identity.

1.2. Deletion of Biometric and Personal Data: Once the report is obtained or the task for which biometric or personal data was provided is completed, we proceed to permanently delete all this information from our records. This includes any biometric data, as well as other personal data that may have been provided.

1.3. Data Security: We implement robust security measures to protect both the ID and any other data stored for the necessary time. This includes data encryption, restricted access, and other security controls to prevent unauthorized access or any misuse.

1.4. Transparency and Accountability: We maintain a policy of full transparency regarding our data management. We inform our users about our limited retention procedures and ensure them that their data will be treated with the utmost care and responsibility.

17. BENEFITS FOR USERS

17.1. Enhanced Privacy: By deleting biometric and personal data after its use, we ensure the privacy and confidentiality of our users, avoiding any risk of exposure or misuse of the information.

17.2. Increased Trust: Our limited retention approach inspires trust among our users, demonstrating our commitment to protecting their privacy and data security.

17.3. Regulatory Compliance: By complying with the principles of limited retention, we ensure compliance with applicable data protection regulations and laws, thus guaranteeing an ethical and legal management of personal information.

In conclusion, our policy for managing biometric and personal data with limited retention reflects our commitment to privacy, security, and transparency in the treatment of user information. By deleting personal data after its use, we protect the rights and privacy of our users while complying with the highest ethical and legal standards in data management.

18. NEURO-RIGHTS

QQA Robotica AI S.A.S is committed to respecting the privacy, identity, and brain activity of each user across all our services and products. We recognize the importance of safeguarding personal information and ensure that any data collected is handled with the utmost care and confidentiality.

In this regard, we implement strict measures to limit access to user data. We only access specific data, such as eye detection and recognition, which is combined with the recorded brain activity during the study. This data provides valuable insights into the user's emotions while watching the video, helping us better understand their responses and experiences.

It's essential to emphasize that this information is solely used to enhance our services and products. We never share or sell personal data to third parties without the explicit consent of the user. Additionally, we commit to securely storing this data and permanently deleting it once it's no longer needed for our specific purposes. In summary, at QQA Robotica AI S.A.S, we strive to ensure the privacy and security of our users at all times. We carefully limit access to data and pledge to use it responsibly and ethically to continually enhance the user experience.

In addition to our commitment to data privacy and security, QQA Robotica AI S.A.S also values and respects the neuro-rights of every individual. We acknowledge that brain activity is an intimate and personal aspect of the human experience, and we are dedicated to protecting the integrity and dignity of each user in processing their brain data.

Neuro-rights are fundamental rights related to autonomy and cognitive freedom. At QQA Robotica AI S.A.S, we ensure that our methods and practices uphold these rights at all times. This entails ensuring that users have control over their brain information and that their consent is transparently and voluntarily obtained.

Furthermore, we pledge to use brain information ethically and responsibly, avoiding any form of manipulation or exploitation. We strive to utilize this data in ways that benefit users and enhance their experience without compromising their autonomy or freedom of thought.

In summary, at QQA Robotica AI S.A.S, we not only commit to protecting the privacy and security of our users' data but also strive to respect and safeguard their fundamental brain rights. This comprehensive approach reflects our dedication to ethics and respect in all our practices and services.

19. RESPONSIBILITIES AS DATA PROCESSOR

QQA Neurosft, as Data Processor, shall fulfill the following responsibilities, without prejudice to other provisions established in this law and in others governing its activity:

a) Ensure the Data Subject, at all times, the full and effective exercise of the right to habeas data.

b) Preserve the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

c) Promptly carry out the updating, rectification, or deletion of data in the terms of this law.

d) Update the information reported by the Data Controllers within five (5) business days from its receipt.

e) Process the inquiries and complaints made by the Data Subjects.

f) Adopt an internal manual of policies and procedures to ensure the proper compliance with this law and, especially, for the handling of inquiries and complaints by Data Subjects.

g) Record in the database the legend "claim in process" as regulated in this law.

h) Insert into the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.

i) Allow access to the information only to individuals who are authorized to access it.

20. DATA PROCESSOR

The data processor for the databases covered by this policy is QQA Robotica AI S.A.S, with the following contact information:

Email Address: Legal@Robotica AI S.A.Sai.com
Phone: +1-888-909-3676

21. DATA CONTROLLER

The individual responsible for data management and processing will be our Data team, who act in subordination and therefore on behalf of our company, QQA Robotica AI S.A.S.

Email Address: Legal@Robotica AI S.A.Sai.com
Phone: +1-888-909-3676

22. COMPLAINT AND CLAIM RIGHTS

The data subject can exercise their rights to file a complaint regarding their data by sending a written request to QQA Robotica AI S.A.S, either via email to Legal@Robotica AI S.A.Sai.com , indicating in the subject line "Exercise of the right of access or inquiry," or by postal mail sent to Legal@Robotica AI S.A.Sai.com. The request must contain the following information:

Name and surname of the data subject.
Copy of the ID card of the data subject and, if applicable, of the person representing them, as well as the document proving such representation.
Description of the facts and request specifying the request for correction, deletion, revocation, or rectification.
Address for notifications, date, and signature of the applicant.
Supporting documents for the request made, when applicable.

If the complaint is incomplete, the interested party will be required to correct the deficiencies within five (5) days following the receipt of the complaint. If twenty (20) days have passed since the date of the requirement without the applicant providing the requested information, it will be understood that they have withdrawn the complaint.

Once the complete complaint is received, a legend stating "complaint in process" and the reason for it will be included in the database within a maximum term of one (1) business days. This legend must be maintained until the complaint is decided.

QQA Robotica AI S.A.S will resolve the complaint request within a maximum period of fifteen (15) business days counted from the date of receipt. If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date when their complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.

Once the complaint process is exhausted, the data subject or heir may [finish the sentence].

23. AUTHORIZED RECEIVERS OF INFORMATION

QQA Robotica AI S.A.S will provide information of the data subjects from its databases to the following authorized persons or entities:

To the data subjects, their heirs, or their legal representatives;
To public or administrative entities exercising their legal functions or by court order;
To third parties authorized by the data subject or by law.

24. REQUEST FOR DELETION OF PERSONAL DATA

The data subject shall have the right to object to, and request the deletion of their personal data for any reasons related to their particular situation, at any time during the processing of personal data of which they are the owner. To do so, they must submit a request for deletion, correction, and/or updating of personal data. QQA Robotica AI S.A.S, as the controller, will no longer process the personal data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

In the event that personal data is processed for direct marketing purposes, the data subject shall have the right to object and request deletion at any time during the processing of personal data concerning them for such marketing. When the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. However, they will not be able to participate again in our projects through which the analysis of their ocular biometric data and brain activity detection is carried out

25. VERIFICATION OF AUTHORITY TO REQUEST OR RECEIVE INFORMATION

For the management of the consultation or complaint request, the applicant must provide the following documents to prove their ownership or authority to receive the required information, according to the following cases:

Data subject: Copy of the identification document.
Heir: Identification document, death certificate of the data subject, document proving the capacity in which they act, and the data subject's identification document number.
Legal representative and/or attorney: Valid identification document, document proving the capacity in which they act (Power of Attorney), and the data subject's identification document number.

26. VERIFY PROCESS

The process by which the participant verifies their identity is as follows:

26.1. Participant Registration:

When a participant registers in our system, they will be asked to provide certain basic information, including their name, email, and identification number (ID or ID card).

26.2. Invitation to Video Call:

26.3. Identity Verification:

26.4. Verification Process:

26.5. Verification Outcome:

27. REVIEW AND UPDATES TO THIS POLICY

In order for QQA Robotica AI S.A.S to remain responsive to social, technological, and legal changes in this field, this policy will be reviewed by the QQA Robotica AI S.A.S Directorate at least once a year.
The periodic review will be facilitated by an annual report from the Data Protection Officer (DPO) to the QQA Robotica AI S.A.S Assembly, providing an overview of QQA Robotica AI S.A.S's biometric data processing operations involving an assessment of their ongoing necessity and proportionality.
The report will also provide an evaluation of the challenges experienced in the implementation of this policy, legal and technological developments, and changing attitudes and approaches to the use of biometric data by States, humanitarian actors, and other relevant non-state actors to QQA Robotica AI S.A.S operations.
The periodic review will also take into account any new use cases and processing modalities regarding biometric data.
Following the periodic review, QQA Robotica AI S.A.S will update this Policy accordingly.

Promulgates,

QQA Robotica AI S.A.S

Legal Representative