PRIVACY POLICY | OPTOVERA by sobereye

Effective Date: January 1, 2026

1. Introduction and Scope

This Privacy Policy describes how SOBEREYE INC. (“SOBEREYE,” “we,” “us”) processes personal data in connection with the OPTOVERA workforce readiness and safety platform, including associated hardware, mobile applications, cloud services, analytics dashboards, and related services (collectively, the “Services”).

This Policy is intended to apply globally, including in jurisdictions governed by:

the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679),
the Brazilian General Data Protection Law (LGPD) (Law No. 13,709/2018),
applicable United States privacy laws (including state-level frameworks),
and other Latin American data-protection regimes.

Where local law imposes additional requirements, those requirements apply in conjunction with this Policy.

The Services are provided exclusively in a business-to-business (B2B) context. OPTOVERA is not a consumer service, is not intended for personal use, and is deployed by organizations for occupational safety and operational readiness purposes.

OPTOVERA is designed to support organizational safety programs, not to replace employer judgment or regulatory obligations.”

2. Overview of the OPTOVERA Platform

OPTOVERA is a workforce readiness and safety platform designed to help organizations identify conditions associated with reduced alertness and fatigue-related risk in operational environments.

The platform:

does not diagnose medical conditions,
does not determine impairment,
does not identify the cause of reduced readiness,
and does not function as a medical device.

Instead, OPTOVERA provides objective, time-of-assessment indicators that may be consistent with fatigue, reduced vigilance, or altered alertness, regardless of origin, to support proactive safety decisions.

One component of the platform, OPTOVERA Scan, analyzes characteristics of the Pupillary Light Reflex (PLR) — an involuntary physiological response in which the pupil changes size in reaction to light stimuli. Quantitative analysis of this response (“pupillary analysis”) is well established in scientific, human-factors, and safety-critical research contexts.

OPTOVERA applies this physiological signal in a non-diagnostic, operational safety context, as one of several inputs used to assess readiness.

3. Roles and Responsibilities (Controller / Processor)

For purposes of applicable data-protection laws:

Customers (employers or contracting organizations) act as Data Controllers (GDPR Art. 4(7); LGPD Art. 5, VI).
SOBEREYE acts as a Data Processor / Operator (GDPR Art. 4(8); LGPD Art. 5, VII), processing data solely on documented instructions from the Customer.

These roles are contractually defined in SOBEREYE’s Data Processing Agreement (DPA).

4. Categories of Personal Data Processed

Depending on customer configuration and deployment, the Services may process the following categories of data:

4.1 Pseudonymous User and Operational Data

Internal user identifiers or codes assigned by the Customer
Readiness and fatigue-related indicators
Operational assessment results
Safety workflow and event records

4.2 Technical and System Data

Device and application logs
Access records and audit logs
Security and performance telemetry

SOBEREYE does not require or process direct personal identifiers such as names, government IDs, personal contact details, or payroll information.

5. Biometric Data and Physiological Signal Processing

5.1 Nature of Biometric Processing

The OPTOVERA platform processes biometric data, including iris recognition, exclusively for the purpose of associating a readiness measurement with a previously registered user within the Customer’s environment.

This biometric processing:

is limited to one-to-one (1:1) association,
does not involve civil or public identification,
does not involve surveillance, tracking, or profiling,
does not involve biometric searches across groups or databases,
does not involve law enforcement or governmental identification use cases.

In addition, OPTOVERA processes biometric-derived physiological features (such as pupil response metrics) as part of readiness assessment workflows. These features are used solely within the Customer’s operational safety context.

5.2 Legal Classification

Biometric data is treated as sensitive personal data under applicable laws, including:

GDPR Art. 9 (special categories of personal data),
LGPD Art. 5, II (dados pessoais sensíveis).

Accordingly, enhanced safeguards and governance controls apply.

6. Purposes of Processing

Personal data is processed only for explicit, legitimate, and limited purposes, including:

workplace safety and risk prevention,
operational readiness and fatigue-risk assessment,
execution of contractual services,
platform security, auditing, and service integrity.

Data is not processed for marketing, advertising, or unrelated analytics.

OPTOVERA does not make automated decisions producing legal or similarly significant effects.

7. Legal Bases for Processing

Processing is carried out in accordance with applicable legal bases, including:

GDPR Art. 6(1)(b) / LGPD Art. 7(V) – performance of a contract,
GDPR Art. 6(1)(c) / LGPD Art. 7(II) – compliance with legal or regulatory obligations,
GDPR Art. 9(2)(b), (h) / LGPD Art. 11(II) – processing of sensitive data in the context of occupational health, safety, and risk prevention, subject to appropriate safeguards.

8. Data Minimization and Privacy by Design

OPTOVERA is designed according to privacy-by-design and privacy-by-default principles (GDPR Art. 25; LGPD Art. 6), including:

minimization of personal data,
pseudonymous user management controlled by the Customer,
separation of identity management from analytical processing,
purpose-bound biometric use.

SOBEREYE does not maintain independent identity registries of workers.

9. Security Measures

SOBEREYE maintains a comprehensive Information Security Management System (ISMS) covering people, processes, and technology, aligned with ISO/IEC 27001 and certified under that standard.

Security measures include:

encryption in transit and at rest,
role-based access controls (RBAC),
environment segregation,
audit logging and monitoring,
internal security policies and training.

10. Data Retention and Deletion

Personal data is retained only for the duration defined by the Customer, contractual requirements, or applicable law.

Upon expiration of the retention period or Customer instruction, data is securely deleted or anonymized using industry-standard procedures.

Retention periods are defined by the Customer in accordance with their legal and operational requirements.

11. Data Subject Rights

Data subjects may exercise their rights under applicable law, including access, correction, deletion, restriction, or objection, as provided under:

GDPR Arts. 12–22,
LGPD Arts. 18–20.

Requests should be directed to the Customer (Controller). SOBEREYE supports Customers in fulfilling these requests in its role as Processor.

12. International Data Transfers

Where data is transferred across borders, SOBEREYE implements appropriate safeguards in accordance with applicable law, including contractual and organizational measures.

13. Data Processing Agreement

All processing activities are governed by SOBEREYE’s Data Processing Agreement, which defines responsibilities, safeguards, and processing limitations:

https://www.sobereye.com/data-processing-agreement

14. Updates to This Policy

This Privacy Policy may be updated periodically. The most current version will always be available on SOBEREYE’s website.

15. Contact and Data Protection Officer

For privacy-related questions or requests, please contact SOBEREYE through the official channels listed on our website. SOBEREYE has designated a Data Protection Officer responsible for oversight of privacy compliance.

16. Contact

For privacy-related inquiries: info@sobereye.com