Privacy Policy

Last updated: 18 November 2025

This Privacy Policy explains how Attentia ("we", "us", "our") collects, uses and protects personal data when you visit our websites, create an account, participate in ADHD-related tests, or otherwise use our services (together, the "Service").

We take data protection seriously and strive to comply with the EU General Data Protection Regulation ("GDPR") and applicable national laws.

This document is written to be understandable for both laypeople and professionals. If anything is unclear, please let us know – we are happy to improve it.

1. Who we are and how to contact us

The controller responsible for the processing of personal data in connection with the Service is:

Attentia, Laurenzgasse 12/20, 1050 Vienna, Austria

Email: zach@attentia.at

We currently do not have a formally appointed Data Protection Officer (DPO). For all privacy-related questions or to exercise your rights, please contact us via the email address above.

2. Scope of this Privacy Policy

This Policy applies when you:

  • browse or use our websites and web applications;
  • create an Attentia account;
  • participate in ADHD-related tests, tasks, or research prototypes hosted by Attentia; or
  • interact with us in other ways, for example by email or through feedback forms integrated into the Service.

It does not apply to the processing of your data by third parties outside our control, such as independent clinics or researchers that use their own tools or systems.

3. What data we process

Because Attentia focuses on attention and related traits, some of the data we process may be health-related and can fall into GDPR "special categories of personal data". We treat this data as particularly sensitive.

3.1 Account and contact data

We may process:

  • first and last name;
  • email address and password (stored only in hashed form);
  • age or age range (e.g. 18–24, 25–34);
  • country or region and preferred language;
  • organisation or clinic (if applicable).

3.2 ADHD test and assessment data

When you participate in tests and prototypes, we may process:

  • task responses and scores in attention or cognitive tasks;
  • questionnaire responses, ratings, and self-reports;
  • timestamps and derived metrics (e.g. reaction times);
  • context information such as difficulty level, instructions or version of the task;
  • depending on the prototype, additional signals such as gaze metrics, voice recordings or movement data (always with clear notice and, where required, your explicit consent).

3.3 Video and audio data

For tests that use your webcam and/or microphone, we may process:

  • raw video recordings (face, eyes, upper body) during tests;
  • raw audio recordings during prosody tasks;
  • frames or segments extracted as model input;
  • technical metadata (duration, frame rate, resolution, encoding).

These data may be biometric in nature (face, voice) even if we do not use them to uniquely identify you. We apply stricter safeguards to this data.

3.4 Technical and usage data

When you use the Service, we may automatically collect technical data such as:

  • IP address and approximate location (city/region level);
  • device and browser information (e.g. operating system, version, screen size, language settings);
  • log data such as pages viewed, buttons clicked, time spent on tasks and error messages;
  • diagnostic data needed to ensure security and stability of the Service.

4. Where we obtain your data

We primarily obtain personal data directly from you when you:

  • create an account or log in;
  • complete questionnaires or tasks;
  • communicate with us by email or through feedback forms; or
  • adjust your settings or consent preferences.

In some research or clinical collaborations, we may receive data indirectly, for example:

  • from partner clinics or researchers who invite you to Attentia or manage participants through their own systems; or
  • from external systems that you authorise to connect to Attentia (only with appropriate safeguards and information).

In such cases, you will receive additional information or consent documents that explain the collaboration.

6. Cookies and similar technologies

We use cookies and similar technologies (such as localStorage and sessionStorage) to:

  • keep you logged in and manage sessions;
  • store your preferences and consent choices;
  • support security features such as rate limiting and fraud prevention;
  • optionally, measure usage and improve usability (only with your consent where required).

For more detail, please see our Cookie Policy.

7. Who we share data with

We do not sell your personal data. We may share data with the following categories of recipients, always on a need-to-know basis and with appropriate safeguards:

  • Hosting and infrastructure providers who operate the servers and databases on which the Service runs.
  • Supabase, which provides authentication, database and storage infrastructure for the Service.
  • Analytics and error monitoring services, where used, to understand usage patterns and improve stability (only with appropriate safeguards and, for analytics, your consent where required).
  • Research and clinical partners when you participate in a specific study or clinical collaboration. In such cases, you will receive separate information and/or consent forms that explain the roles and responsibilities.
  • Legal advisors and authorities where necessary to comply with legal obligations, defend legal claims, or respond to lawful requests.

8. International data transfers

Depending on the services involved (for example, Supabase or analytics providers), your data may be processed outside the EU/EEA. In such cases, we ensure that an adequate level of protection is in place, for example by:

  • relying on an adequacy decision of the European Commission (where available);
  • using Standard Contractual Clauses and additional safeguards; or
  • obtaining your explicit consent, where appropriate.

9. How long we keep data

We keep personal data only for as long as necessary to fulfil the purposes described in this Policy or to comply with legal obligations.

  • Account and profile data are kept for the lifetime of your account and for a limited period afterwards, for example to handle queries or legal obligations.
  • ADHD test data and related health-sensitive data may be kept for longer where needed for research, quality assurance or compliance with medical and research regulations.

Where possible, we delete or irreversibly anonymise data once it is no longer needed. We may retain aggregated statistics and trained models that no longer allow identification of individuals.

10. Your rights under GDPR

You have a number of rights in relation to your personal data, including (subject to conditions and limitations under the law):

  • the right of access to your data;
  • the right to rectification of inaccurate data;
  • the right to erasure ("right to be forgotten");
  • the right to restriction of processing;
  • the right to data portability (to receive your data in a structured, commonly used and machine-readable format);
  • the right to object to certain processing, including where we rely on legitimate interests; and
  • where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise these rights, please contact us at zach@attentia.at. We may need to verify your identity before responding. We aim to respond without undue delay and within one month, as required by GDPR (with the possibility of a limited extension for complex requests).

If you believe our processing of your data infringes data protection law, you also have the right to lodge a complaint with the competent supervisory authority.

11. Children and minors

Attentia is primarily intended for adults and older adolescents. We do not knowingly offer a self-service product to children under 16. If you are under 16, you should only use Attentia with the consent and supervision of a parent, guardian or authorised healthcare professional, in line with local law.

If we learn that we have collected personal data from a child in a way that is not permitted by law, we will take steps to delete it as soon as reasonably possible.

12. Is Attentia a medical device or diagnosis?

Attentia is designed to support understanding of attention and related traits and may be used in research or as a tool to support professional assessment. Unless explicitly stated otherwise:

  • Attentia is not a certified medical device.
  • Attentia does not itself provide a diagnosis or treatment decision.
  • Any medical or therapeutic decisions must be made by qualified professionals who can interpret results in context.

13. Changes and contact

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the current version. Significant changes will be highlighted within the Service or, where appropriate, by email.

If you have any questions, concerns or suggestions about this Privacy Policy, please contact:

Attentia, Laurenzgasse 12/20, 1050 Vienna, Austria

Email: zach@attentia.at