This Data Policy for dembrane's Products (hereinafter also referred to as the "Data Policy") outlines how dembrane handles and protects your (personal) data during and after a participation session. At dembrane, we are committed to safeguarding your data in compliance with the General Data Protection Regulation (GDPR) and other applicable laws.

Please note that this Data Policy may be updated periodically. The most recent version can always be found on our website. We recommend reviewing this Data Policy before participating in a session to stay informed about how we manage your data.

This Data Policy was last updated on: 22 June 2026.

Important notice regarding personal data

This Data Policy applies to all participants, whether they are part of sessions organised directly by dembrane or sessions conducted on behalf of dembrane's clients.

Participants in sessions organised directly by dembrane

If you are participating in a session directly organised by dembrane, dembrane is considered the "data controller" of your personal data under the GDPR. This means that we determine the purpose ("why") and means ("how") of processing your data. For more information on how we handle your personal data, please refer to our Privacy Statement.

Participants in sessions organised by dembrane's clients

If you are participating in a session conducted by dembrane on behalf of a third-party client, that client is the "data controller" for any data processed during the session. In this role, dembrane acts as a "processor" on behalf of the client. When dembrane is engaged by a client, dembrane and the client will establish a data processing agreement to govern the handling of personal data.

While this Data Policy provides general guidance on how we process personal data, the actual processing of your data may vary based on the specific needs and instructions of the client. For detailed information on how your personal data is managed, please refer to the client's privacy statement.

Data roadmap for participating sessions

dembrane's data processing for participation sessions includes four primary steps:

1. Audio recording

During participation sessions, audio is recorded to facilitate transcription. These recordings are securely stored on EU-based servers and are deleted within 30 days after the project is completed.

When you participate in a participation session, dembrane processes your data. This includes personal data such as:

Below is an overview of the purpose and legal basis on which we, or the client who engaged dembrane, process the aforementioned category of personal data of participants:

If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. However, please note that if dembrane cannot record you, you cannot participate in one of our sessions.

2. Transcription

Transcription is the process of converting spoken words from audio recordings into written text. During our sessions, audio recordings are transcribed using a specialised EU-based speech-to-text provider (see "External service providers" below), which enables us to accurately capture and document participant input.

Following transcription, we proceed with de-identification, which involves removing or obscuring information that could directly identify a specific individual, such as names, contact details, or other unique identifiers. This process is designed to reduce the risk of re-identifying any individual and to protect participants' privacy.

3. Analysis

Once transcripts are de-identified, they undergo analysis using our data analysis pipeline, which uses EU-based AI models to identify and extract key contributions from large groups of participants. These models recognize valuable insights, patterns, and themes in the data, allowing us to generate meaningful insights from participant input. This automated analysis helps us identify the most significant contributions without attributing them to specific individuals, helping to protect participant privacy throughout the process. Where a client uses its own AI model, analysis is carried out by that client's chosen provider.

4. Results of the analysis

For now, if participants want to access the results, they have to contact the client.

Later, we hope to implement some automatic feedback process such that the participants can independently learn about the outcomes of the session.

External service providers

Certain processing activities are carried out by trusted EU-based sub-processors, including cloud hosting, speech-to-text transcription, and AI analysis. These providers process data only under data processing agreements and are required to adhere to dembrane's data protection standards and the GDPR. The current list of sub-processors is available on request and in dembrane's compliance documentation.

Security measures

To protect your personal data, dembrane implements appropriate security measures in accordance with applicable data protection laws, whether acting as a data controller or as a data processor on behalf of a client. We also require our service providers and partners to take all necessary steps to ensure the confidentiality and security of your data.

Although no data transmission or storage system can be guaranteed 100% secure, we continuously assess and improve our security protocols based on technological advancements, implementation costs, and the nature of the data to be protected. We apply technical and organisational measures to mitigate risks such as destruction, loss, alteration, unauthorised disclosure, or access to your data.

If you suspect that your data or interactions with dembrane are no longer secure, we urge you to contact us immediately so that we can address and investigate any potential issues.

Participant responsibilities

We remind you that it is your obligation to provide accurate, complete, and up-to-date information during the session to the best of your knowledge. It is essential that participants avoid sharing personal data whenever possible, both about themselves and others. Personal data should only be shared if necessary for the session's purpose.

Participants' data protection rights

You have the right to request access to (including a copy), rectification, and/or deletion of your personal data, as well as to request restriction of processing concerning you, to object to processing, or to request the transfer of the personal data you have provided.

If dembrane is acting as the data controller, you can exercise these rights by contacting us directly. If dembrane is acting as a data processor on behalf of a client, please reach out to the client who engaged dembrane, as they are the primary contact for handling such requests. Our contact information is provided below for further assistance if needed.

We will strive to handle your request promptly and free of charge unless fulfilling it would entail a disproportionate effort. To prevent misuse, we may ask for sufficient identification before processing your request. In some instances, we may not be able to fully comply, for example, due to legal retention obligations. If this applies, we will inform you of the specific reasons. Generally, we aim to respond within one month of receiving your request.

Questions, comments, or complaints

In principle, the client who engages dembrane is your primary point of contact for any questions, comments, or complaints related to this Data Policy. However, if you are participating in a session organised directly by dembrane, or if you prefer to reach out to us directly, please feel free to contact us via email or phone using the information provided below.

Additionally, you have the right to file a complaint with the Dutch Data Protection Authority, or, if you reside or work in another country, with the relevant privacy regulator for that jurisdiction.

Contact

For questions, requests, or further information on this Data Policy or our data practices, please contact us at: