SuperSenses Privacy Policy

I. Introduction

Welcome to SuperSenses Inc., a corporation organized under the laws of the State of California, United States of America (“SuperSenses,” “we,” “us,” or “our”). We are committed to advancing sensory health through innovative products, including but not limited to at-home sensory test kits, mobile applications, and related services. Our services are primarily targeted at individuals aged 40 and older, but may be used by anyone who affirms they are at least 18 years old (or have obtained verifiable parental or guardian consent if under 18). By using our Services, you acknowledge that you meet this age requirement and agree to the practices described herein.

This Privacy Policy (“Policy”) describes how we collect, use, share, and protect information about you when you access and use our website at https://super-senses.com/ (“Website”), mobile application (“App”), at-home sensory test kits, and any other services we may provide (collectively, the “Services”).

We understand the importance of your privacy and are committed to maintaining the confidentiality, integrity, and security of any personal information. SuperSenses is based in the United States and complies with applicable U.S. federal and state privacy regulations, including the California Consumer Privacy Act (as amended by the CPRA, “CCPA”), Oregon Consumer Privacy Act, and other state laws, as well as international standards like the UK Data Protection Act 2018, UK GDPR, and EU GDPR where applicable.

By using our Services, you consent to the collection and use of your information as outlined in this Policy. If you do not agree, please do not use the Services.

II. Scope of the Policy

This Policy applies to all personal information collected by SuperSenses through:

  • Our Website and App

  • Activation and use of sensory test kits

  • Any other interactive features, applications, or communications linked to this Policy

  • Offline interactions where you voluntarily provide information to us

  • Data we receive from authorized partners or service providers

We generally act as an independent controller of personal information collected through our Services. For certain enterprise arrangements, we may act as a processor under a separate data processing agreement, in which case that agreement governs.

This Policy does not apply to data collected by third parties, including linked websites, unaffiliated applications, or advertisers. We encourage you to review the privacy policies of any third-party sites or services.

III. Data Collection

We collect information in the following ways:

A. Information You Provide

  • Contact details (name, email, phone, postal address, date of birth)

  • Account credentials for Service access

  • Payment details for purchases

  • User content (e.g., feedback, reviews, or any submissions via our Services)

  • Order information including your name, billing address, shipping address, payment confirmation, email address, phone number

  • Shopping information including the items you view, put in your cart or add to your wishlist

  • Customer support information including the information you choose to include in communications with us, for example, when sending a message through the Services

B. Information Collected Automatically

  • Device and connection data (IP address, browser type, device IDs, OS)

  • Usage data (pages visited, features used, interaction history)

  • Cookies and similar technologies (see Section VII)

  • Internet or other similar network activity, such as Usage Data

C. Kit-Driven Data Collection

Sensory measurement data (e.g., results from smell, taste, hearing, vision, and touch tests) is collected only when you use a registered sensory test kit or an authorized digital equivalent. We do not collect sensory results during in-person classes or demonstrations unless the kit is activated and linked to your account or a designated study. Where applicable, we obtain your explicit consent for collecting and processing sensitive data, such as health-related sensory information, in accordance with laws like GDPR.

We practice data minimization by collecting only what is necessary for the purposes described herein.

IV. Use of Personal Information

We use information to:

  • Provide, operate, and improve the Services

  • Process transactions and deliver customer support

  • Conduct research, testing, and product development

  • Personalize user experience and communications

  • Ensure security and compliance with laws

  • Communicate with you about updates, security alerts, administrative messages, and promotional materials (with opt-out options)

Data Commercialization (De-identified Data)

We may create, use, license, and sell de-identified and/or aggregated datasets and derived analytics for research, product development, and other commercial purposes, including to research institutions and other third parties. De-identified data is processed to remove identifiers and is not reasonably capable of being associated with or linked to you, in compliance with standards under CCPA, HIPAA (where applicable), GDPR, and other laws. We will ask for your consent before using information for purposes other than those set out here.

V. Sharing of Information

We may share personal information with:

  • Service providers under contractual confidentiality obligations

  • Affiliates and business partners in compliance with this Policy

  • Law enforcement or regulators when legally required

  • Successor entities in the event of a merger, acquisition, or sale of assets (commitments in this Policy remain in force, and successors may continue using data as described herein)

  • Vendors or other third parties who perform services on our behalf (e.g., IT management, payment processing, data analytics, customer support, cloud storage, fulfillment and shipping)

  • Business and marketing partners, including Shopify, to provide services and advertise to you. Our business and marketing partners will use your information in accordance with their own privacy notices

We may license or sell de-identified, aggregated datasets to third parties globally, such as research institutions, consistent with applicable privacy laws, including CCPA, Oregon Consumer Privacy Act, other US state laws, UK Data Protection Act 2018, UK GDPR, and EU GDPR. This does not constitute a "sale" of personal information under CCPA or similar laws.

No Re-Identification; Downstream Restrictions

Any third party receiving de-identified or aggregated datasets must: (a) not attempt to re-identify individuals; (b) implement safeguards commensurate with the data’s sensitivity; (c) flow these restrictions down to any sub-recipients; and (d) permit audit or attestations demonstrating compliance. Material breach permits termination and deletion of received data. We reserve the right to audit compliance periodically.

VI. Data Security and Retention

We maintain administrative, technical, and physical safeguards to protect personal data, including:

  • Data networks protected by industry-standard firewall and password protection systems

  • SSL encryption for sensitive data transmitted online

  • Encryption in transit and at rest

  • Least-privilege access, logging, and monitoring

  • Restricted access to employees and service providers who need it for job functions

While no method is 100% secure, we maintain an information security program designed to protect against unauthorized access, use, or disclosure.

We retain personal information only as long as necessary for operational, legal, and research purposes, considering the context and legal obligations. Where feasible, we minimize storage, separate identifiers from test results, and convert data to de-identified or aggregated form for longer-term retention. De-identified data may be retained indefinitely for research/statistical purposes.

In the event of a data breach, we have procedures to respond swiftly and will notify affected users and appropriate authorities within 72 hours of becoming aware, in accordance with applicable laws (e.g., GDPR timelines; US laws may vary).

You play a role in security—never share credentials with unverified parties. If you suspect compromise, contact us immediately.

VII. Cookies and Tracking

We and our third-party partners use cookies, pixels, web beacons, and similar technologies for functionality, analytics, and personalization.

  • Essential Cookies: Necessary for Services access and secure areas.

  • Performance and Functionality Cookies: Enhance performance but non-essential; disabling may limit features.

  • Analytics and Customization Cookies: Collect aggregate data on usage to improve Services and customize content.

You may adjust browser settings to block, delete, or alert on cookies, though this may restrict functionality. We honor browser-based opt-out signals like Global Privacy Control.

For specific information about the Cookies that we use related to powering our store with Shopify, see https://www.shopify.com/legal/cookies.

VIII. International Data Transfers

We operate globally. Personal data may be transferred to, stored in, and processed in the United States or other jurisdictions where privacy laws may differ. We use Standard Contractual Clauses, adequacy decisions, data transfer agreements, Binding Corporate Rules (where applicable), and other safeguards to protect transfers.

For users in the UK and EU, our legal bases include performance of a contract, legitimate interests, and explicit consent for special category data (e.g., health/sensory). Countries receiving data may not offer equivalent protection; by using Services, you consent to such transfers.

IX. Your Rights

Depending on your jurisdiction (e.g., under CCPA, Oregon law, GDPR), you may have rights to:

  • Access, correct, or delete personal information

  • Object to or restrict certain processing

  • Request data portability

  • Withdraw consent where applicable

  • Lodge complaints with a data protection authority

No “Sale” or “Sharing” of Personal Information; Global Privacy Control

We do not “sell” or “share” personal information as defined by CCPA or similar laws. This does not restrict our use, licensing, or sale of de-identified or aggregated data. We honor opt-out signals and will not discriminate against you for exercising rights (e.g., no denial of services, price changes, or quality differences).

To exercise rights, contact our Data Protection Officer (DPO) via details in Section XIII. We may verify your identity and respond within required timeframes (e.g., 45 days under CCPA). You may designate an authorized agent with proof.

X. Children’s Privacy

Our Services are not directed to children under 13 (or under 16 where required by law, e.g., CCPA for sales). We do not knowingly collect personal information from such children without verifiable parental consent. If we learn of unauthorized collection, we will delete it promptly. Users must affirm they are 18+ or have consent; we comply with COPPA and similar laws.

XI. HIPAA Status

We are not generally a HIPAA covered entity. For certain customers, we may act as a business associate under a Business Associate Agreement, governing protected health information.

XII. Changes to This Policy

We may update this Policy; the “Last Updated” date reflects changes. We will notify you of material changes via email or Website notice. Continued use constitutes acceptance. If you disagree, stop using Services and request account deletion.

XIII. Contact Information

For questions, concerns, or to exercise rights:

Email: hello@super-senses.com

Online: https://super-senses.com/connect

Mail: SuperSenses Inc., 1315 NW Davenport Ave, Bend, OR 97703, USA

Our DPO can be reached at the above.

XIV. Governing Law and Jurisdiction

This Policy is governed by the laws of the State of California, without regard to conflict of laws principles. You consent to the exclusive jurisdiction of state and federal courts in Bend, Oregon, for disputes arising from this Policy. Non-US users should note that data may be processed in the US; we strive to respect global privacy rights.