This is the most common question from procurement, legal and IT teams. The answer matters — both for GDPR compliance and for understanding what the technology actually does.
Facial recognition identifies individuals by comparing their facial geometry against a database of known faces. It produces an identity match. It requires storing biometric templates and comparing them to identify specific people. Under GDPR, processing biometric data for the purpose of uniquely identifying a natural person is a Special Category activity under Article 9, requiring explicit consent or a specific legal basis. The EU AI Act classifies real-time remote biometric identification systems as high-risk or prohibited AI.
EchoDepth Events does not identify anyone. It analyses facial muscle movements — not facial geometry. The Facial Action Coding System (FACS) is a taxonomy of 44 discrete muscle group movements (Action Units) that combine to form all human facial expressions. AU4 is the brow lowerer. AU12 is the lip corner puller. These are movements, not identity markers — every person produces the same AU4 pattern when they furrow their brow, regardless of who they are.
EchoDepth's engine extracts AU activation values from video frames and immediately discards the frame. What is retained is a set of numbers representing muscle activation intensities — not an image, not a biometric template, not anything that could identify the person who generated them.
Because EchoDepth Events does not process biometric data for identification purposes, the Article 9 GDPR special category requirement does not apply. You do not need explicit consent from every visitor. Standard venue privacy notices, updated to reference the analytics system, are sufficient in most contexts.
EchoDepth Events is designed to GDPR Article 25 (Privacy by Design) standards. A Legitimate Interests Assessment is available to clients on request.
No. The system produces population-level aggregate scores for named zones. It cannot identify, track or profile individuals. No biometric template is created and no comparison against any database of individuals takes place.
Aggregated zone engagement scores are not personal data — they cannot be linked to any individual. Dashboard access logs (IP address and timestamp) are personal data, retained for 12 months. A SAR would cover dashboard access logs only.
No. The EU AI Act classifies real-time remote biometric identification systems as prohibited or high-risk. EchoDepth Events is not a biometric identification system. It analyses muscle movements to produce aggregate emotional signal data and does not fall within the high-risk or prohibited categories.
We recommend adding a brief reference to the analytics system in your venue or event privacy notice, noting that anonymised emotional engagement analytics are used in defined zones. Cavefish provides template privacy notice language as part of the deployment package.