This is the creator privacy notice. To exercise any of the §7 rights below — access, correction, deletion, withdrawal, objection, port, complaint, or appeal a reliability hold — submit a privacy request (acknowledged within 24 hours). Buyers should read the buyer privacy notice. For how public profiles are sourced before any creator opts in, see the notice at collection. For the per-study consent + NDA shape every creator signs, see the sample template (Att. C).

Attachment B — Creator Privacy Notice

This notice tells creators what data Offbrain Research, LLC ("Provider") collects, why, how it is used, who sees it, how long it is kept, and what rights creators have. It is referenced by Attachment A (Creator Participation Terms) and by every Project SOW.

1. Who is responsible, and what this notice covers

Provider is the data controller for creator data collected during recruiting and interviews. Provider's privacy contact is privacy@get.offbrain.ai.

For a given study, the Provider client may also act as a controller for interview content the creator agrees to share (recordings, transcripts). Each study identifies its data uses in the consent screen the creator signs.

Pilot privacy commitment vs. legal privacy rights. This notice combines two things, and they are not the same:

  • Voluntary pilot commitments are promises Provider makes to every creator regardless of whether a specific privacy law applies. They include the rights in §7, the retention table in §5, and the deletion + suppression mechanics in §8. Provider has chosen to grant these rights for trust reasons; they are enforceable as a contract under these terms.
  • Statutory rights are rights creators have under applicable law (e.g., California's CCPA/CPRA, or other state privacy laws). When a creator is covered by such a law, the statutory right always wins where it is more protective than the voluntary pilot commitment.

CCPA/CPRA business status. As of the Effective Date of this notice, Provider is not a "business" under California's CCPA/CPRA based on the §1798.140 thresholds (≥$25M annual revenue, personal information of ≥100,000 California consumers/households, or ≥50% of revenue from selling/sharing personal information). Provider re-assesses this status quarterly and republishes this notice with an updated Effective Date within 30 days of crossing any threshold, at which point the full CCPA/CPRA rights mechanics (sale/share opt-out, sensitive personal information limits, authorized agent process, verifiable consumer request flow) will be added in §7. California creators may exercise the voluntary equivalents of these rights at any time via the §7 process now, regardless of business status.

Notice at collection — sourced profiles. Before Provider stores a public profile snapshot from a licensed data source for recruiting, Provider records the source vendor, license terms, and timestamp. The first contact Provider makes to that creator includes a link to this notice and an opt-out path. A creator who never opts in has their snapshot deleted or refreshed within the §5 retention window for that data class.

2. What data Provider collects

At sourcing (before creator opts in):

  • Public profile data permitted by the source platform's API or license: handle, display name, follower count band, category tags, public bio, profile snapshot.
  • The source vendor and the timestamp of the snapshot.

At opt-in / screener:

  • Email or messaging handle the creator chooses to use.
  • Screener answers.
  • Identity confirmation (e.g., a sample post URL the creator provides).
  • Consent record: study ID, consent version, timestamp, allowed uses, recording flag, retention period.

At interview:

  • Scheduled and actual session times.
  • Recording, transcript, and notes if recording was consented.
  • Payment record: amount, method, payout timestamp, payout reference.

Provider does not collect government ID, tax ID (other than what is legally required for payment processing), social-security-equivalent identifiers, or biometric data.

3. Why Provider collects it, and how AI tools may be used

Provider collects creator data:

  • To determine creator fit for a specific study.
  • To contact creators about that study only.
  • To run the interview and pay the creator.
  • To prevent fraud (fake accounts, duplicate participation).
  • To comply with legal obligations (tax reporting at thresholds; record-keeping).

AI usage rules — three separate categories, each governed differently:

| Use category | Default | How it's enabled |
|---|---|---|
| AI-assisted analysis of recordings, transcripts, or screener answers (summarization, theme coding, report drafting) | Disabled. | Enabled per study only by the SOW §5 "AI-assisted analysis allowed" field and the matching Attachment C §10 disclosure to the creator, which names whether the tool is Provider-hosted, Client-hosted, or a named third-party processor. |
| Vendor retention or model training by any AI tool used in analysis | Prohibited. | Provider only uses AI tools whose contracts forbid retention or training on customer data; this prohibition cannot be lifted on a per-study basis. |
| Training Provider's or Client's own AI models on creator data | Prohibited. | Requires a separate, specific written release from each creator whose data would be included; no implicit consent. |

A creator who reads "AI-assisted analysis allowed" should understand: a Provider operations person or a Client researcher may paste an interview transcript into a contract-bound AI tool to help draft a summary, but the tool must not keep the data after the session and must not train on it. If the study disables AI-assisted analysis, that processing is forbidden entirely.

4. Who sees the data

  • Provider operations staff: all of the above, on a need-to-know basis.
  • Vendor data providers: receive only what is required to validate a profile snapshot under license terms.
  • Payment processors: receive only what is required to pay the creator.
  • Provider clients: receive only what the invitation disclosed and the creator consented to. Default is no contact data, no handle, and no profile URL. Identity disclosure is study-specific and shown to the creator before they accept.
  • Legal authorities: when required by valid legal process.

Provider does not sell creator data. Provider does not provide bulk creator data to clients in any tier.

5. How long Provider keeps it

| Data | Retention |
|---|---|
| Public profile snapshot | up to 12 months from snapshot, then deleted or refreshed under license |
| Screener answers | duration of the study + 12 months for fraud prevention |
| Consent ledger entries | 7 years (legal record) |
| Payment records | 7 years (tax/legal record) |
| Recordings and transcripts | as stated in the per-study consent; default is duration of the study + 12 months unless client license requires shorter |
| Do-not-contact list entries (creator-requested or legal/safety/fraud) | indefinite, minimum data only (hashed identifiers and reason) — Provider must retain these to honor "never contact me" requests permanently |
| Reliability hold entries (attendance-based, see Attachment A §6a) | 12 months from triggering event; auto-expires unless renewed by a new event; record of the hold itself retained for 24 months for appeal/audit |

If a retention period in a per-study consent is shorter than the table above, the shorter period wins for that study's content.

6. Where the data lives

  • Primary storage: Provider's managed Postgres (region: us-east-1), with row-level security and encryption at rest.
  • Recordings: object storage with per-study access scope.
  • Backups: encrypted, 30-day rolling, same region.

Pilot scope: during the pilot phase (see SOW §3 "Pilot territorial scope"), Provider only collects data from US-resident creators. International creator participation is not offered until Provider publishes the international addendum, which will add the full GDPR/UK-GDPR Article 13/14 disclosures, lawful-basis statement, transfer mechanism, and per-jurisdiction tax handling. This section is reserved for that addendum.

7. Creator rights

Every creator may, at any time, by emailing privacy@get.offbrain.ai:

  • Access — receive a copy of the personal data Provider holds.
  • Correct — fix inaccurate data.
  • Delete — remove screener and profile data; recordings already delivered to a client are handled per the per-study consent and the limits in §8.
  • Withdraw — stop future contact.
  • Object — refuse a specific use (e.g., refuse use of a quote in a client report, where the consent permitted opt-out).
  • Port — receive data in a portable format.
  • Complain — to a relevant supervisory authority.

Provider responds within 10 business days and completes most requests within 30 days.

8. Limits on deletion

  • Provider must retain consent ledger and payment records to meet legal obligations. These are retained in minimum form even after a deletion request, with personal identifiers reduced to what the law requires.
  • Recordings already licensed to a client under the creator's signed consent remain under the client's license, but Provider stops further distribution and asks the client to honor any valid deletion request the creator forwards.
  • Suppression list entries persist (in hashed form) so that creators who asked never to be contacted are never re-contacted.

9. Minors and age-restricted topics

  • Provider operates an 18+ minimum. Studies on age-restricted topics (alcohol, cannabis, gambling, tobacco, or any other 21+ topic disclosed in the SOW) are 21+.
  • Age is collected as the first screener question. An applicant under the relevant age threshold is rejected immediately, and Provider retains only a minimal rejection record (timestamp + reason) sufficient to prevent re-application by the same person within 30 days, without retaining further screener answers.
  • If Provider later learns that a participant was under the minimum age at the time of an interview, Provider quarantines the recording and screener data, removes any client access, requests Client deletion of any received content, and seeks legal review before further action.
  • Payment for completed work is not retroactively voided without legal review; underpayment to a creator who performed the work in good faith is hostile and creates additional risk. Where payment must be paused or recovered, Provider notifies the creator in writing with reasons and offers an appeal path.
  • Provider does not knowingly target or process data from children under 13 in any setting; if any such data is collected accidentally, it is deleted and any required FTC/COPPA-style notifications are made.

10. Security

  • Encryption in transit (TLS) and at rest.
  • Row-level security on the operational database.
  • Access logging on identity reveal events and on every record export.
  • Background-checked operations staff with role-scoped access.
  • Annual security review and penetration test before production SaaS launch (pilot phase: see Provider's security review checklist).

11. Breach notice

If Provider experiences a security incident affecting creator personal data, Provider notifies affected creators within 72 hours of confirming the incident, and notifies regulators where required.

12. Changes to this notice

Provider may update this notice. The version recorded in the consent ledger at the time the creator participated is the version that governs that participation. Future changes apply to future studies only.


Version: v1.0.1 · Effective: 2026-05-07 · Recorded in consent ledger as: creator_privacy_notice@v1.0.1