top of page
Last Updated: [07/05/2026]

1.1 Introduction

M/s. Panoramix Market Research Services ("Company", "we", "us" or "our"), a Partnership Firm having its registered office at Flat No.4/6, Shanthi Apartments, 9/6, Avenue Road, Nungambakkam, Chennai – 600 034, operates the website [www.panoramix.com] (the "Website") and provides market-research services that involve eye-tracking, gaze analytics, attention measurement and related neuro-marketing studies (collectively, the "Services").

This Privacy Policy describes how we collect, use, store, disclose, retain, transfer and otherwise process Personal Data of visitors to our Website, research participants, clients and other Data Principals, in accordance with:

  • The Digital Personal Data Protection Act, 2023 ("DPDP Act") and rules and notifications issued thereunder;

  • The Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");

  • The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules"); and

  • Other applicable Indian laws.

By accessing the Website, registering as a research participant or availing our Services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Website or our Services.


1.2 Definitions

Capitalised terms not otherwise defined have the meaning given in the DPDP Act. For ease of reference:

  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

  • "Sensitive Personal Data or Information" ("SPDI") means information specified under Rule 3 of the SPDI Rules, including biometric information, physical/physiological/mental-health condition and financial information.

  • "Data Principal" means the natural person to whom Personal Data relates, and includes a child's parent or lawful guardian and a person with disability's lawful guardian.

  • "Data Fiduciary" means M/s. Panoramix Market Research Services, which determines the purpose and means of processing Personal Data.

  • "Eye-Tracking Data" means data captured through eye-tracking hardware, webcam-based gaze estimation, software or other instruments, including but not limited to gaze coordinates, fixations, saccades, pupil dilation, blink patterns, dwell time, heat-maps, scan-paths and any inferences derived therefrom.


1.3 Categories of Data We Collect

(a) Information you provide directly: name, age, gender, postal address, email, telephone number, occupation, demographic information, ID-proof (where required), payment/incentive bank details, and any responses to surveys, questionnaires or interviews.

(b) Eye-Tracking and Biometric Data (Sensitive Personal Data): raw and processed gaze data, pupillometry, fixation maps, attention metrics, facial-region detection data and any visual/behavioural metrics generated by our eye-tracking equipment or software during a study. This category is collected only with your explicit, free, specific, informed and unambiguous consent recorded prior to the study.

(c) Health-related disclosures (if voluntarily provided): vision correction, color-blindness, neurological conditions and similar information relevant to study design.

(d) Technical and usage data: IP address, device identifiers, browser type, operating system, referring URLs, pages visited, time spent and cookies/SDK data.

(e) Audio/video recordings: where a study session is recorded for analysis (with separate consent).

We do not knowingly collect Personal Data of children below 18 years without verifiable parental/guardian consent in accordance with Section 9 of the DPDP Act.


1.4 Purposes of Processing

We process Personal Data only for the lawful purposes for which consent has been obtained, including:

  • Recruiting, screening and onboarding research participants;

  • Conducting eye-tracking and related market-research studies for our clients;

  • Generating aggregated, de-identified analytics, reports and insights for clients;

  • Paying participation incentives and complying with tax/withholding obligations;

  • Responding to enquiries and providing customer support;

  • Operating, maintaining and improving the Website and Services;

  • Complying with legal obligations, court orders and lawful requests by government authorities;

  • Preventing fraud, securing systems and enforcing our terms.

Purpose limitation: We will not use Eye-Tracking Data for any purpose beyond the specific study for which consent was obtained, unless fresh consent is taken.


1.5 Legal Basis — Consent and Notice

We rely primarily on the consent of the Data Principal as the legal basis for processing under Section 6 of the DPDP Act. Before collecting Personal Data, we will provide a clear notice setting out:

  • The Personal Data being collected and the purposes;

  • The manner in which the Data Principal may exercise their rights;

  • The manner of making a complaint to the Data Protection Board of India.

For Eye-Tracking and other biometric data, an additional, study-specific written consent form is signed by the participant, with the right to withdraw consent at any time without penalty. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.

Where applicable, we may also process certain limited Personal Data for "legitimate uses" specified in Section 7 of the DPDP Act (e.g., compliance with law, employment-related processing).


1.6 Disclosure and Sharing

We may disclose Personal Data to:

  • Clients (research sponsors) — only de-identified, aggregated reports are shared by default. Identifiable Personal Data is shared only where the participant has given separate consent.

  • Data Processors / vendors — cloud-hosting providers, analytics platforms, eye-tracking software vendors, payment processors and panel-management providers, all of whom are bound by written contracts containing confidentiality, security and DPDP-compliance obligations.

  • Group companies and affiliates — for internal administration and to deliver Services.

  • Government and regulatory authorities — pursuant to a lawful order, summons, or as otherwise required under Indian law.

  • In connection with corporate transactions — such as a merger, acquisition or restructuring, subject to confidentiality undertakings.

We do not sell Personal Data.


1.7 Cross-Border Transfer of Personal Data

We may transfer Personal Data to, and store it in, jurisdictions outside India where our service providers, affiliates or clients operate. Such transfers will be carried out only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act, and subject to appropriate contractual safeguards.


1.8 Data Retention

Personal Data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law.

  • Eye-Tracking raw data: retained for 10 months after study completion, then permanently deleted or irreversibly de-identified.

  • De-identified, aggregated research outputs: retained indefinitely.

  • Participant contact details: retained for 5 years for incentive payment, audit and tax compliance.

After the retention period, we will erase Personal Data and require our processors to do the same, unless retention is mandated by law.


1.9 Security Safeguards

In accordance with Section 8(5) of the DPDP Act and Rule 8 of the SPDI Rules, we implement reasonable security practices, including:

  • ISO/IEC 27001-aligned information-security controls;

  • AES-256 encryption at rest and TLS 1.2+ in transit;

  • Role-based access control, multi-factor authentication and audit logging;

  • Pseudonymisation of participant identifiers in eye-tracking datasets;

  • Physical security at our research labs;

  • Periodic vulnerability assessments and penetration testing;

  • Staff training on data protection and confidentiality undertakings.

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in the manner and within the timelines prescribed under the DPDP Act and rules.


1.10 Rights of Data Principals

Subject to the conditions of the DPDP Act, every Data Principal has the right to:

  • Access — obtain a summary of Personal Data processed and processing activities;

  • Correction, completion, updating and erasure of Personal Data;

  • Grievance redressal — readily available means of grievance redressal by the Data Fiduciary;

  • Nominate another individual to exercise rights in case of death or incapacity;

  • Withdraw consent at any time, with the same ease as it was given;

  • Right to object to certain processing, where applicable.

Requests may be made to our Data Protection Officer / Grievance Officer at the contact details in Section 1.13. We will respond within the timelines prescribed under applicable rules (and in any event no later than the period prescribed by the Data Protection Board).


1.11 Cookies and Similar Technologies

The Website uses cookies, pixels and similar technologies. Please refer to our Cookie Policy in Section 3 below.


1.12 Children's Data

We do not process Personal Data of any individual below 18 years of age except with verifiable parental/guardian consent. We will not undertake processing that is likely to cause any detrimental effect on a child, nor will we engage in tracking, behavioural monitoring or targeted advertising directed at children, in compliance with Section 9 of the DPDP Act.


1.13 Grievance Officer / Data Protection Officer

In compliance with Section 8(9) of the DPDP Act, Rule 5(9) of the SPDI Rules and Rule 3(2) of the Intermediary Rules, the following officer is designated:

  • Name: Vinita Choudari

  • Designation: Founding Partner

  • Address: Flat No.4/6, Shanthi Apartments, 9/6, Avenue Road, Nungambakkam, Chennai – 600 034

  • Email: process@panoramix.co.in

  • Hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)

Acknowledgement of complaint within 24 hours and resolution within 15 days from receipt, as required under Indian law. If you are dissatisfied with the resolution, you may approach the Data Protection Board of India in accordance with the DPDP Act.


1.14 Changes to this Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised "Last Updated" date. Material changes affecting Eye-Tracking Data processing will be communicated to active research participants by email.


Privacy Policy

bottom of page