Legal

Attentia Privacy Policy

Last updated: 7 February 2026

This Privacy Policy explains how Attentia GesbR ("Attentia", "we", "us", "our") collects, uses, and protects personal data when you visit our websites, create an account, participate in ADHD-related tests or research prototypes, or otherwise use our services (together, the "Service").

We take data protection seriously and strive to comply with the EU General Data Protection Regulation ("GDPR")and applicable Austrian and EU data protection laws.

This Policy is written to be understandable for both laypeople and professionals. If anything is unclear, please contact us.

1. Definitions

This Privacy Policy uses GDPR terminology. In particular:

Personal data means any information relating to an identified or identifiable person.
Processing means any operation performed on personal data (collection, storage, use, deletion, etc.).
Data subject means the person whose personal data is processed.
Controller means the entity that determines the purposes and means of processing.

2. Who we are and how to contact us

The controller responsible for processing personal data in connection with the Service is:

Attentia GesbR Laurenzgasse 12/20 1050 Vienna Austria

For all privacy-related questions or to exercise your rights, please contact our Data Protection Officer (DPO): dpo@attentia.at

3. Scope of this Privacy Policy

This Policy applies when you:

browse or use our websites and web applications,
create an Attentia account,
participate in ADHD-related tests, tasks, or research prototypes hosted by Attentia, or
interact with us in other ways (e.g., email, feedback forms).

It does not apply to processing performed independently by third parties outside our control.

4. What data we process

Because Attentia focuses on attention and related traits, some processed data may be health-related and may fall under GDPR special categories of personal data (Art. 9 GDPR). We treat such data as particularly sensitive.

4.1 Account and contact data

name,
email address,
password (stored only in hashed form),
age or age range,
country/region and preferred language,
organisation or clinic affiliation (if applicable).

4.2 ADHD test and assessment data

task responses and scores,
questionnaire answers and self-reports,
timestamps and reaction times,
task version and difficulty context,
derived cognitive metrics.

Depending on the prototype, additional signals such as gaze metrics, voice recordings, or movement data may be collected with clear notice and explicit consent where required.

4.3 Video and audio data

Some tests or prototypes may use your webcam and/or microphone to enable real-time interaction.

live video frames (e.g. face/eye region),
live audio signals,
technical metadata needed for the task (e.g. device settings).

We do not store or retain raw video or audio recordings.

We do not perform biometric identification or authentication, and we do not build biometric templates from video or audio data.

4.4 Technical and usage data

IP address,
browser and device information,
operating system and language settings,
log data (pages viewed, clicks, error messages),
diagnostic data necessary for stability and security.

5. Where we obtain your data

We obtain personal data primarily from you when you:

register or log in,
complete tasks or questionnaires,
communicate with us,
adjust settings or consent preferences.

In some collaborations, data may also be received indirectly from partner clinics/researchers or authorized external systems.

6. Purposes and legal bases

Contract (Art. 6(1)(b))

To provide access to the Service and run tests you request.

Consent (Art. 6(1)(a), Art. 9(2)(a))

For sensitive data, research participation, video/audio features, or optional analytics.

Legitimate interests (Art. 6(1)(f))

For IT security, service improvement, fraud prevention, and legal defence.

Legal obligations (Art. 6(1)(c))

Where required under tax, commercial, or regulatory rules.

7. Cookies and similar technologies

manage sessions and logins,
store preferences and consent choices,
support security features,
optionally improve usability and measure usage (only with consent where required).

More detail is provided in our Cookie Policy.

8. Who we share data with

We do not sell personal data.

hosting and infrastructure providers,
Supabase (authentication, database, storage),
analytics and monitoring services (where used, with safeguards and consent),
research and clinical partners (in specific collaborations),
legal advisors and authorities where legally required.

All service providers act under GDPR-compliant data processing agreements.

9. International transfers

Where processing occurs outside the EU/EEA, we use safeguards such as adequacy decisions, SCCs, additional technical protections, and explicit consent where required.

10. Data retention

account data: lifetime of account plus limited period after deletion,
test and health-sensitive data: longer where needed for research, compliance, or QA,
anonymised or aggregated statistics may be retained indefinitely.

Where possible, data is deleted or irreversibly anonymised.

12. Children and minors

Attentia is primarily intended for adults and older adolescents. We do not knowingly offer a self-service product to children under 16 without parental or professional supervision.

If unlawful child data is discovered, it is deleted promptly.

13. Medical disclaimer

Attentia is not a certified medical device unless explicitly stated otherwise,
Attentia does not provide a diagnosis,
decisions must always be made by qualified healthcare professionals.

14. Security

encrypted transmission via HTTPS/SSL,
access controls,
minimisation of sensitive recordings,
secure storage and monitoring.

However, no internet transmission is ever completely risk-free.

15. Updates

We may update this Privacy Policy from time to time. The “Last updated” date indicates the current version.

For questions or concerns, contact:

Attentia GesbR Laurenzgasse 12/20 1050 Vienna, Austria

Email: info@attentia.at