Privacy Policy

ID Verification

In order to provide our Identity Verification Services, some user data beyond the scope of micro-expression analysis. One or more reference images of the expected learner’s face is required so that Emotics’ Identity Verification Service can compare their “true face” with images captured via webcam. These reference images must be stored on a server that is accessible to all launched instances of Emotics’ data aggregation servers. URLs of each reference image must be stored in the database used by instances of the Emotics’ API server.

Depending on service configuration, imagery captured by learner webcams that is determined to not match their reference images may or may not be uploaded to the API server for later review by the compliance management team.

If Emotics’ Identity Verification Services believes that the person in front of the webcam does not match the identity of the expected learner, neither the person being monitored nor the expected learner is immediately notified. Instead, the compliance management team is notified, via the Emotics Console, that there may be a problem. Failed identity verifications are presented within the context of all metadata collected for the session in question.

Depending on service configuration, Identity Verification Services may require that both reference images and webcam imagery be shared with external parties that provide certain analysis services. Emotics protects the information we share by imposing contractual privacy and security safeguards on the recipient of the information and ensuring that none of the imagery is stored by these external parties after analysis is complete.

Data Storage

Several types of information are collected during an e-learning session that is monitored by Emotics Attention:

  1. Session Metadata, including the learner’s IP address, status of cookies related to Emotics’ service, specifications of the learner’s browser and operating system, identifiers for the content being viewed and the username of the person logged into the learning management system.
  2. Webcam Imagery, raw video coming from whatever webcam is connected to or embedded in the learner’s computer. In most cases, this data never leaves the learner’s computer nor is it stored beyond the duration of the e-learning session.
  3. Imagery Analysis, numerical measurements of the positions of facial features, the probability that the learner is experiencing specific emotions, and AI-generated guesses of certain appearance characteristics (e.g. age, gender).
  4. Browser-Based Behavior, including the specific piece of content, within a video, webpage, or SCORM activity, that a learner is looking at during each moment of the e-learning session, along with analytics related to attention (e.g. window focus state, window size, mouse movements).

In addition to the data collected client-side, with Emotics’ SDK, certain pieces of aggregated analysis are generated server-side and stored for later use:

  1. Emotics Score, a simple metric designed to help the compliance management team quickly identify potentially-problematic e-learning sessions, along with trends in large numbers of sessions.
  2. Warning Flags are recorded if session data exceeds certain configurable thresholds (e.g. very short amount of time spent looking at an activity).
  3. Content-Level Aggregation combines analytics from multiple learners according to the specific page, slide, or second of video content that they were looking at, in a given moment.

Analytics data stored to support the compliance management team resides in a database. Depending on the terms of your service agreement with Emotics, this database may be fully-controlled by the customer organization or managed by Emotics. It may be hosted on-premises at a customer site or within a cloud-computing service.

Data Security

Emotics has implemented measures designed to secure all personal information from accidental loss and unauthorized access, use, alteration, and disclosure. Our infrastructure is designed in layered-architecture and the security of each element builds upon those below it, from verifying that any cloud data centers we may use meet physical security and hardware standards, to the security protections of our software to the processes we use to support operational security.

As data moves between learners’ devices, Emotics services, and database, it is protected by security technology like HTTPS and Transport Layer Security. Personal information is stored in an encrypted state, providing security at rest as well as in transit.

Data Privacy

Emotics Attention is designed to only collect data that is necessary to meet specific business requirements and it ensures that both individuals and organizations have the ability to access and control their own personal information according to applicable regulations, like GDPR and CCPA.

Data is collected from learner devices only with learner consent. During each session, learners are presented with options to contact the compliance management team to request access to or deletion of all personal information stored within the Emotics Attention system.

The Emotics Console makes it easy for the compliance management team to respond to GDPR-compliant employee requests in a timely manner.

Data Anonymisation

Data storage policies for Emotics Attention can be configured according to the customer’s regulatory environment and business needs. With appropriate configuration, the system meets regulations defined by GDPR, as well as other data protection regulations, like CCPA. When analytics data have been anonymised, the compliance management team will have access to population-level trends in micro-expression analyses, but session details cannot be tied directly back to individual learner identities.

Consent

No data is collected from learner devices until the learners have agreed to terms of service. The agreement language is configured by the customer, with consultation from their legal team.

Details of the place and time that each learner agreed to these terms is recorded by the Emotics Attention service. Learners have the ability to revoke any permissions they have previously given during any subsequent session.

Opt-in Opt-out

There are several options we can provide to a client:

  1. Mandatory compliance training monitoring – where all individuals with the organisation, or a subset of high risk employees are required to authorise Emotics to verify the correct person is carrying out the training and to assess engagement levels.
  2. Opt-out – where monitoring is in place as standard, but individuals who have strong feelings about their privacy have the option not to be monitored.
  3. Opt-in – where monitoring is available on training, but end users have to “volunteer” to be monitored in order to provide feedback on the quality of content and to help with content optimisation.

Service Deployment Options

Various deployment options may be used, depending on the service agreement between Emotics and the customer organization. On one hand, Emotics Attention may be provided as a cloud-hosted service, where Emotics manages infrastructure-level set-up. Alternatively, the service may be deployed on-premises, where the customer organization has full control of their technical infrastructure and no data leaves the company network.

The software runs on Node.js and can be deployed as a Docker container with dependencies installed via npm. Emotics Attention works best with a PostgreSQL database, though it can be modified to use other options.