As a data processor, Ethica complies with the GDPR, and multiple European institutions currently have Data Controller/Data Processor agreements in place with Ethica.

Below we explain how our privacy policy and overall system architecture are designed to comply with GDPR requirements.

1. GDPR does apply to Ethica, as a data processor.

2. Participant unambiguous consent

Our software requires each study to have a consent form. As explained in Section 6.2 of our Privacy Policy, the consent form is required to "... specify, among other things, (1) what is the purpose of the study (2) what are the potential risks or benefits to you as the Participant (3) what type of data is being collected (each referred to as a Data Source) (4) how the data will be handled and who will have access to the data (5) how you can contact the Researcher (6) what is the withdrawal process."

This consent form is presented to participants before they join a study, and they must agree to it before they can participate. The consent form remains available to the participant throughout their participation in the study.

3. Further processing outside of what is mentioned in the consent form

Ethica does not perform any processing on the data collected for a given study.

4. Participants' right to access their data

Ethica provides each participant with an online account. The credentials of that account are the same as the ones used to sign up in the Ethica app. Participants can log in to their online account on Ethica's website at any time to access their data.

5. Participant's right to delete their data

Ethica allows participants to delete all or part of their data directly through their online account (as described in Section 10.6 of the Privacy Policy). If the participant does not have enough technical skills to use this option, she can contact our support for assistance.

6. Data Portability

Participants in any Ethica study can contact Ethica's Support team and ask for a copy of their data. We will provide them with a machine-readable file containing all data collected from them.

7. Data Storage and flow

Ethica stores all data on servers physically located in Canada. All Ethica employees and support staff are also located in Canada; therefore, the data does not flow to any country other than Canada. Canada is considered by the EU Data Protection Commission as a country that provides adequate data protection.

You can find more information in Ethica’s Privacy Policy and Terms of Use. For example, Section 6.5, "Data Sources We May Collect From the Participant, While Enrolled in a Study", describes the different data sources, the anonymization methods that can be used for each, and the potential concerns for each. Section 6.6, "Data Encryption, Upload, Storage, and Anonymization", describes how Ethica encrypts, uploads, and stores the data.

If you have any questions regarding this topic, please feel free to email us.