GDPR Privacy Notice
Last updated: February 14, 2026
This GDPR Privacy Notice for Terac Inc. (doing business as Terac) ("we," "us," or "our") supplements our Privacy Policy and provides additional disclosures required under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and the Swiss Federal Act on Data Protection ("Swiss FADP"). It applies to individuals located in the European Economic Area ("EEA"), United Kingdom ("UK"), and Switzerland.
If you have questions about this notice or wish to exercise your rights, contact us at privacy@terac.com.
Table of Contents
- Data Controller
- Personal Data We Process
- Legal Bases for Processing
- Special Categories of Personal Data
- Automated Decision-Making and Profiling
- Data Recipients and Third-Party Sharing
- International Data Transfers
- Data Retention
- Your Rights Under GDPR
- Right to Lodge a Complaint
- Children's Data
- Cookie and Tracking Technologies
- Data Protection Officer
- Changes to This Notice
- Contact Us
1. Data Controller
Terac Inc. is the data controller responsible for your personal data under this notice.
Terac Inc., 149 New Montgomery St, San Francisco, CA 94105, United States
Email: privacy@terac.com
Where we process personal data on behalf of our organizational clients (for example, research organizations using Terac to conduct studies), we act as a data processor. In those cases, the research organization is the data controller, and their privacy policy governs the processing. This notice covers only the processing for which Terac is the controller.
2. Personal Data We Process
We collect and process the following categories of personal data, depending on how you interact with our platform:
For Panelists (Research Participants)
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, username, date of birth, profile photo | Account creation, identity verification, participant matching |
| Contact Data | Email address, phone number, mailing address | Communication, notifications, two-factor authentication |
| Profile Data | Job title, employer, industry, education, skills, professional background | Matching participants to relevant research opportunities |
| Demographic Data | Age, gender, location, ethnicity, household income (where voluntarily provided) | Audience targeting for research studies |
| Financial Data | Payment method details, payout history, bank account information | Processing compensation and payouts |
| Interview Data | Voice recordings, video recordings, transcripts, screen share content | Conducting and recording research interviews |
| Behavioral Data | Platform usage, session data, feature interactions | Service improvement and personalization |
| Device and Technical Data | IP address, browser type, operating system, device identifiers | Security, fraud prevention, platform functionality |
| Referral Data | Referral links, referred contacts, commission history | Operating the referral program |
For Researchers (Organizational Users)
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, job title, organization name | Account management, authorization |
| Contact Data | Email address, phone number | Communication, notifications |
| Billing Data | Payment method, billing address, transaction history | Processing payments and invoicing |
| Usage Data | Studies created, interviews reviewed, platform interactions | Service delivery and improvement |
| Device and Technical Data | IP address, browser type, operating system | Security and platform functionality |
For Website Visitors
| Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, referring URL, pages visited | Analytics, security, service improvement |
| Cookie Data | Session identifiers, preference cookies, analytics cookies | Platform functionality and analytics |
3. Legal Bases for Processing
Under the GDPR, we must have a valid legal basis for each processing activity. The table below outlines the legal bases we rely on:
| Processing Activity | Legal Basis | Justification |
|---|---|---|
| Account registration and management | Performance of contract | Necessary to provide you access to our platform and services |
| Conducting research interviews | Performance of contract | Necessary to deliver the research services you signed up for |
| Processing payouts and compensation | Performance of contract | Necessary to fulfill our payment obligations to panelists |
| Identity verification and fraud prevention | Legitimate interest | Ensuring the integrity of our research platform and protecting against fraudulent activity |
| Matching participants to studies | Legitimate interest | Connecting panelists with relevant research opportunities based on their profiles |
| Platform analytics and improvement | Legitimate interest | Understanding how our platform is used and improving the user experience |
| Customer support and communication | Legitimate interest | Responding to inquiries and providing assistance |
| Marketing communications | Consent | Sending promotional content, newsletters, and product updates (opt-in only) |
| Processing sensitive personal data | Explicit consent | Collecting demographic or special category data for research matching |
| Cookie and tracking technologies | Consent / Legitimate interest | Essential cookies rely on legitimate interest; analytics and marketing cookies require consent |
| Compliance with legal obligations | Legal obligation | Tax reporting, regulatory compliance, responding to lawful requests |
| Protecting vital interests | Vital interest | Emergency situations where processing is necessary to protect someone's life |
Legitimate interest assessments. Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
4. Special Categories of Personal Data
In the context of research studies, we may process special categories of personal data (also known as sensitive personal data), including:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Health data
- Data concerning sex life or sexual orientation
We only process special category data with your explicit consent, which you provide when you voluntarily disclose this information in your panelist profile or during research interviews. You may withdraw this consent at any time.
Where our organizational clients request collection of special category data in their research studies, they are responsible for ensuring an appropriate legal basis exists, and participants are clearly informed before any such data is collected.
5. Automated Decision-Making and Profiling
We use automated systems in the following ways:
- Participant matching. We use algorithmic matching to connect panelists with relevant research opportunities based on profile data, demographics, and study requirements. This matching does not produce legal effects or similarly significant effects on you. You always have the choice to accept or decline any opportunity.
- AI-moderated interviews. Our AI voice agent conducts research interviews. The AI agent records responses and generates transcripts. Human review is available for all interview outcomes, and no decisions with legal effects are made solely by automated means.
- Fraud detection. We use automated systems to detect potentially fraudulent accounts or behavior. Flagged accounts are reviewed by a human before any adverse action is taken.
You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects concerning you. If you believe an automated decision has affected you in this way, contact us to request human review.
6. Data Recipients and Third-Party Sharing
We share personal data with the following categories of recipients:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Research organizations | Delivering interview transcripts, insights, and research results to our clients | Data processing agreements; data minimization |
| Cloud infrastructure providers | Hosting, storage, and computing (AWS, Vercel, Neon) | Standard Contractual Clauses; encryption |
| Payment processors | Processing payouts and billing (Stripe) | PCI-DSS compliance; data processing agreements |
| Communication providers | Email, SMS, and voice services (Resend, Twilio, ElevenLabs) | Data processing agreements |
| Analytics providers | Platform usage analytics (PostHog) | Data processing agreements; data minimization |
| AI service providers | Interview processing and analysis (Google Vertex AI, LiveKit) | Data processing agreements; encryption in transit |
| Authentication providers | Identity verification and login (Google, GitHub, Apple for social login) | Standard OAuth protocols; minimal data exchange |
| Professional advisors | Legal, accounting, and audit services | Professional confidentiality obligations |
| Law enforcement or regulators | When required by law or legal process | Only in response to valid legal requests |
We do not sell your personal data. We do not share your personal data for third-party advertising purposes.
7. International Data Transfers
Terac is based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States and potentially other countries outside your jurisdiction.
We protect these transfers using the following safeguards:
- European Commission adequacy decisions where available
- Standard Contractual Clauses (SCCs) approved by the European Commission (Module 1: Controller to Controller; Module 2: Controller to Processor), supplemented by transfer impact assessments where required
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for UK transfers
- Swiss-U.S. Data Privacy Framework where applicable
- Technical safeguards including encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls, and audit logging
You may request a copy of the Standard Contractual Clauses or other transfer safeguards by contacting us at privacy@terac.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Service provision; account recovery |
| Interview recordings and transcripts | Duration of client contract + 12 months | Contractual obligations to research clients; dispute resolution |
| Payment and transaction data | 7 years from transaction date | Tax and financial regulatory requirements |
| Marketing consent records | Duration of consent + 3 years after withdrawal | Demonstrating lawful consent |
| Platform usage logs | 24 months | Security, fraud detection, service improvement |
| Cookie data | Varies by cookie type (see Cookie Policy) | See our Cookie Policy |
| Support communications | 3 years from last interaction | Service quality and dispute resolution |
When personal data is no longer required, we securely delete or anonymize it. Anonymized data (which cannot be re-identified) may be retained indefinitely for statistical and analytical purposes.
9. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data, and if so, to access that data along with information about the purposes, categories, recipients, retention periods, and safeguards for international transfers.
Right to Rectification (Article 16)
You have the right to correct inaccurate personal data and to have incomplete personal data completed.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
We may retain data where necessary for compliance with legal obligations, establishment or defense of legal claims, or reasons of public interest.
Right to Restriction of Processing (Article 18)
You have the right to restrict processing when:
- You contest the accuracy of your data (during verification)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing (pending verification of our grounds)
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
You have an unconditional right to object to processing for direct marketing purposes at any time.
Right to Withdraw Consent (Article 7)
Where we rely on your consent to process personal data, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right Regarding Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, except where the decision is necessary for a contract, authorized by law, or based on your explicit consent.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@terac.com
- Data subject access request: Email us with the subject line "DSAR Request"
We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any extension within one month of receiving your request.
We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
10. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
- EEA: Contact your national Data Protection Authority
- UK: Contact the Information Commissioner's Office (ICO)
- Switzerland: Contact the Federal Data Protection and Information Commissioner (FDPIC)
We encourage you to contact us first at privacy@terac.com so that we can try to resolve your concern before you file a formal complaint.
11. Children's Data
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data promptly.
If you believe we may have collected data from a child, please contact us immediately at privacy@terac.com.
12. Cookie and Tracking Technologies
We use cookies and similar tracking technologies on our platform. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
Under the GDPR and ePrivacy Directive, we:
- Use strictly necessary cookies without consent (required for platform functionality)
- Obtain prior consent before placing analytics, marketing, or other non-essential cookies
- Provide a cookie consent mechanism that allows you to accept or reject non-essential cookies
- Honor your cookie preferences across sessions
13. Data Protection Officer
We have not appointed a formal Data Protection Officer (DPO) under Article 37 of the GDPR, as we do not meet the mandatory threshold for DPO appointment. However, we take data protection seriously and have designated a privacy point of contact to handle all data protection matters:
Privacy Contact Email: privacy@terac.com
We will appoint a DPO if our processing activities require it under applicable law.
14. Changes to This Notice
We may update this GDPR Privacy Notice from time to time to reflect changes in our processing activities, legal requirements, or business practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify affected individuals by email or prominent notice on our platform
- Where required by law, seek renewed consent for any new processing activities
We encourage you to review this notice periodically.
15. Contact Us
If you have questions about this GDPR Privacy Notice, wish to exercise your rights, or have concerns about our data processing practices, please contact us:
Terac Inc., 149 New Montgomery St, San Francisco, CA 94105, United States
Email: privacy@terac.com
For data subject access requests: Send an email to privacy@terac.com with the subject line "DSAR Request" and include sufficient information for us to verify your identity and process your request.