Privacy Policy
Data Donation Research Study
This Privacy Policy explains how the research team based at the University of Chicago collects, uses, stores, and protects your personal information when you participate in our data donation research study investigating social media and AI platform usage.
Contact: normal-lab@uchicago.edu
1. Eligibility
- Age requirement: This study is limited to participants aged 18 and older. We do not knowingly collect data from minors. If we discover that someone under 18 has created an account, the account will be immediately deactivated and its data deleted within 7 days.
- Location: This study is open to U.S. residents only at this time. We cannot guarantee compliance with other countries' data protection laws (e.g., GDPR). Data will be processed in the United States.
2. Information We Collect
2.1 Information You Provide Directly
Account Information
- Email address (required for authentication and communication)
- Platform selection (which platforms you use: ChatGPT, Facebook, Instagram, Spotify, TikTok, YouTube)
Survey Responses
- Demographics (age, gender, location at county level or higher)
- Platform usage patterns and perceptions
- Political views and participation (for Social Media Survey only)
- Educational information (for LLM Survey - student status, field of study)
Uploaded Data Exports
De-identified platform usage data (after you process it through our redaction tool):
- ChatGPT: Conversation logs (PII removed)
- Facebook: Activity metadata (likes, comments, groups, search history)
- Instagram: Post metadata (captions, timestamps)
- Spotify: Streaming history
- TikTok: Video watch history, browsing history
- YouTube: Watch history
2.2 Information Collected Automatically
- Browser type and version
- Device type (desktop/mobile)
- Upload timestamps
- File sizes
- Magic link tokens (expire after 1 hour)
- Session tokens (expire after 1 hour, with automatic refresh)
2.3 Information We Do NOT Collect
- Passwords (we use passwordless magic link authentication)
- Social Security Numbers
- Financial information (credit cards, bank accounts)
- Precise geolocation (GPS coordinates)
- Health information
- Children's data (participants must be 18+)
- IP addresses (automatically redacted upon upload)
3. How We Use Your Information
3.1 Research Purposes
Your de-identified data will be used to analyze broad patterns in social media and AI platform usage, and impacts on cultural trends and student learning attitudes.
3.2 Operational Purposes
Your email address is used for:
- Authentication: Sending magic links to verify your identity (no password storage)
- Communication: Reminder emails about pending data uploads, notifications about reward delivery status, and important study updates (rare)
- Reward Delivery: Sending compensation via the Tremendous API
3.3 What We Will NOT Do
We will never:
- Sell your email address or data to third parties
- Use your data for commercial purposes or to train artificial intelligence models
- Send marketing emails unrelated to the study
- Share identifiable data in publications or public datasets
- Contact you after study completion (except to respond to data deletion requests)
4. How We Protect Your Information
4.1 Technical Safeguards
- Encryption: All data is encrypted in transit using TLS 1.3 (HTTPS) and at rest using AES-256. Database connections use SSL encryption.
- Access Controls: Database access is restricted to 3 research team members who must use multi-factor authentication. Service role API keys are stored in a secure credential manager, not in code.
- Infrastructure: Our CRM database (Supabase) is SOC 2 Type II certified. Our data storage (Google Cloud Platform) is ISO 27001 certified.
- Data Redaction: Before you upload platform data, it passes through our redaction tool that automatically removes personally identifiable information. For all social media and streaming platforms, this processing happens on your device before any data leaves your computer. For ChatGPT, data is redacted securely on our server before storage.
4.2 Organizational Safeguards
- Data Separation: Your email address is stored separately from research data. These are linked only by an anonymous UUID, and all analysis is performed on de-identified data only.
- Personnel: All research team members have completed human subjects protection training (CITI) and signed non-disclosure agreements.
- Auditing: All database queries are logged and we conduct quarterly security reviews.
4.3 Data Minimization
We collect only the minimum data necessary for research purposes. Platform data is limited to non-private activity (no direct messages), demographics are collected at aggregate level, and our redaction tool removes PII before upload.
5. Third-Party Services
We use the following trusted services to operate the study:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, authentication | Email addresses, UUIDs, upload tracking |
| Google Cloud Platform | Research database, secure file storage | De-identified platform data (no emails) |
| Resend | Email delivery (magic links) | Email addresses only (not stored) |
| Tremendous | Digital reward fulfillment | Email address, reward amount |
| Qualtrics | Survey hosting | Survey responses only (no emails) |
| Presidio | PII redaction | Runs locally on your device (processed on server for ChatGPT only) |
We have executed data processing agreements with all parties ensuring they use data only for providing services to us, do not sell or share data, and maintain appropriate security measures.
Location: All data is stored in the United States.
6. Data Retention and Deletion
6.1 How Long We Keep Your Data
Email Addresses:
- Retained for 7 years after study completion (federal research record retention requirement)
- Or until you request deletion (whichever comes first)
Research Data:
- De-identified platform data and survey responses retained indefinitely to enable replication of published findings, secondary research analyses, and long-term trend studies
6.2 How to Request Data Deletion
You have the right to request deletion of your data at any time:
- Email normal-lab@uchicago.edu with subject "Data Deletion Request"
- Include the email address associated with your account
- We will confirm your identity via magic link
What Gets Deleted:
- Your email address (removed from CRM immediately)
- Link between your email and research data (UUID dissociated)
- Your study access credentials
- If you request deletion BEFORE we publish findings, your submitted data files are also deleted
Note: We cannot delete de-identified research data already incorporated into published analyses (but it is no longer linkable to you).
Timeline: We will process deletion requests within 30 business days.
7. Your Rights and Choices
7.1 Access to Your Data
You have the right to:
- Access: Request a copy of your data
- Correct: Fix errors in your profile or survey responses
- Delete: Request data deletion (see Section 6)
- Withdraw: Stop participating at any time without penalty
To exercise rights: Email normal-lab@uchicago.edu
7.2 Withdrawing from the Study
You may withdraw at any time by emailing us. Effect of withdrawal:
- No future contact from research team
- No penalty or loss of benefits you've already earned
- Compensation already received is yours to keep
8. Data Sharing and Publication
8.1 Who Has Access to Identifiable Data
Internal Access (email addresses): Leonardo Bursztyn (Principal Investigator), Ada Gianassi (Research Team), Jan Fasnacht (Research Team)
No External Access to email addresses
8.2 Research Collaborators
De-identified and aggregated research data (no emails) may be shared with collaborators at Bocconi University, Stanford University, University of Zurich, and University of Cologne.
Collaborators receive only de-identified data (no emails, no UUIDs they can link) and are bound by similar data protection agreements.
8.3 Publications
- In Research Papers: Only aggregate statistics will be published. No individual-level data that could identify participants will appear.
- Public Data Repositories: Only after additional review to ensure no re-identification risk. Direct identifiers (email) never included.
9. Security Incident Response
We will notify you if:
- Unauthorized persons access your email address
- Your email address is disclosed publicly
- Research data is re-identified to your identity
If a breach occurs: The University of Chicago IRB will be notified within 24 hours, you will be notified within 72 hours via email, and an incident report will be posted on the study website.
10. Changes to This Privacy Policy
We may update this policy to reflect changes in data practices, comply with new regulations, and improve clarity.
How we notify you:
- Email notification of material changes
- "Last Updated" date at top of policy
- Option to withdraw if you disagree with changes
11. Complaints and Questions
Institutional Oversight
University of Chicago IRB Office
Email: sbs-irb@uchicago.edu
Website: sbsirb.uchicago.edu
IRB Approval: This study has been reviewed and approved by the University of Chicago Social & Behavioral Sciences Institutional Review Board (IRB25-1521).