Privacy Policy
Last updated: 18 November 2025
This Privacy Policy explains how Attentia ("we", "us", "our") collects, uses and protects personal data when you visit our websites, create an account, participate in ADHD-related tests, or otherwise use our services (together, the "Service").
Attentia is based in Austria and processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Austrian data protection law. If anything in this Policy conflicts with mandatory law, the law prevails.
1. Who we are and how to contact us
The controller responsible for the processing of personal data in connection with the Service is:
Attentia, Laurenzgasse 12/20, 1050 Vienna, Austria
Email: zach@attentia.at
We currently do not have a formally appointed Data Protection Officer (DPO). For all privacy-related questions or to exercise your rights, please contact us via the email address above.
2. Scope of this Privacy Policy
This Policy applies when you:
- browse or use our websites and web applications;
- create and use an Attentia account;
- complete ADHD-related or cognitive tests, including gaze and prosody prototypes;
- receive any reports or feedback generated by the Service;
- communicate with us (for example via email or forms).
It does not apply to:
- websites, apps or services that we do not control, even if we link to them;
- independent healthcare providers, clinics or researchers using their own systems.
3. What data we process
Because Attentia focuses on attention and related traits, some of the data we process may be health-related and can fall into GDPR "special categories of personal data". We treat this data as particularly sensitive.
3.1 Account and contact data
We may process:
- first and last name;
- email address and password (stored only in hashed form);
- age or age range (e.g. 18–24, 25–34);
- country or region and preferred language;
- organisation or clinic (if applicable).
3.2 ADHD test and assessment data
When you participate in tests and prototypes, we may process:
- task responses and scores in attention or cognitive tasks;
- questionnaire responses, ratings, and self-reports;
- gaze-related features (e.g. fixation patterns, saccades, gaze deviations);
- prosody-related features (e.g. pitch, volume, tempo, pauses) in prosody tasks;
- derived metrics or indices computed from the above;
- timings, versions and configurations of each test.
3.3 Video and audio data
For tests that use your webcam and/or microphone, we may process:
- raw video recordings (face, eyes, upper body) during tests;
- raw audio recordings during prosody tasks;
- frames or segments extracted as model input;
- technical metadata (duration, frame rate, resolution, encoding).
These data may be biometric in nature (face, voice) even if we do not use them to uniquely identify you. We apply stricter safeguards to this data.
3.4 Technical and usage data
When you use the Service, we automatically collect certain technical information, such as:
- IP address and approximate location;
- device identifiers and browser type/version;
- operating system and settings;
- date and time of access;
- pages viewed, UI events, error messages and performance metrics.
4. Where we obtain your data
Most data comes directly from you, when you:
- register for an Attentia account;
- complete tests and questionnaires;
- grant access to your camera or microphone;
- use the Service and interact with the interface;
- communicate with us by email or forms.
In some research or clinical collaborations, we may also receive data from partner clinics or researchers who invite you to Attentia or manage participants through their own systems. In these cases, you will receive additional information or consent documents that explain the collaboration.
5. Purposes and legal bases
We process personal data only where we have a legal basis under GDPR. Depending on the situation, this may include:
- Performance of a contract (Art. 6(1)(b) GDPR) – for example, providing access to the Service and running tests you request.
- Consent (Art. 6(1)(a) and, where applicable, Art. 9(2)(a) GDPR) – for example, processing of health-related data, the use of analytics cookies, or participation in specific research projects.
- Legitimate interests (Art. 6(1)(f) GDPR) – for example, ensuring IT security, improving usability, or defending legal claims, provided your interests and fundamental rights do not override ours.
- Legal obligations (Art. 6(1)(c) GDPR) – where we must retain or disclose data under EU or Member State law.
For health-related or otherwise sensitive data, we rely in particular on your explicit consent and on the safeguards described in this Policy and in any study-specific consent forms.
6. Cookies and similar technologies
We use cookies and similar technologies (such as localStorage) for security, session management and analytics. Essential cookies are necessary to provide the Service. Optional analytics cookies are only used with your consent.
When you first visit Attentia, we display a cookie banner that lets you choose between using only essential cookies and accepting all cookies, with a "Customize settings" option for granular control. You can change your choices at any time via the "Cookie settings" link in the footer.
For more details, including examples of cookie types and lifetimes, please see our Cookie Policy.
7. Who we share data with
We do not sell your personal data. We may share data with the following categories of recipients:
- Hosting and infrastructure providers who operate the servers and databases on which the Service runs.
- Supabase, which we use as our primary back-end platform and authentication provider. Supabase processes data such as account information, session tokens and test-related records on our behalf under a data processing agreement.
- Analytics and error monitoring services, where used, to understand usage patterns and improve stability (only with appropriate safeguards and, for analytics, your consent where required).
- Research and clinical partners when you participate in a specific study or clinical collaboration. In such cases, you will receive separate information and/or consent forms that explain the roles and responsibilities.
- Legal advisors and authorities where necessary to comply with legal obligations, defend legal claims, or respond to lawful requests.
8. International data transfers
Depending on the services involved (for example, Supabase or analytics providers), your data may be processed outside the EU/EEA. In such cases, we ensure that an adequate level of protection is in place, for example through adequacy decisions of the European Commission or standard contractual clauses.
You can contact us if you would like more information about international transfers relevant to your use of Attentia.
9. How long we keep data
We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law. In particular:
- account data is kept for as long as your account is active and for a reasonable period afterwards if needed to resolve disputes or enforce our rights;
- test data is kept for the duration of the study or service provision and for a limited period afterwards for quality assurance and documentation;
- logs and security-relevant data are kept for a short period to detect abuse and ensure stability, unless needed longer to investigate an incident.
Where possible, we anonymise or aggregate data so that it can no longer be linked to you personally and may use such data for research and improvement of the Service.
10. Your rights under GDPR
Subject to the conditions set out in GDPR, you have the following rights:
- right of access to your personal data;
- right to rectification of inaccurate or incomplete data;
- right to erasure ("right to be forgotten");
- right to restriction of processing;
- right to data portability;
- right to object to certain processing based on legitimate interests;
- right to withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal.
To exercise these rights, contact us at zach@attentia.at. We may need to verify your identity before responding. We aim to respond without undue delay and within one month, as required by GDPR (with the possibility of a limited extension for complex requests).
If you believe our processing of your data infringes data protection law, you also have the right to lodge a complaint with the competent supervisory authority.
11. Children and minors
Attentia is primarily intended for adults and older adolescents. We do not knowingly offer a self-service product to children under 16. If you are under 16, you should only use Attentia with the consent and supervision of a parent, guardian or authorised healthcare professional, in line with local law.
Where we knowingly process data about minors in clinical or research settings, this will occur under separate agreements and consent processes with the responsible institutions or guardians.
12. Is Attentia a medical device or diagnosis?
Attentia is designed to support understanding of attention and related traits and may be used in research or as a tool to support professional assessment. Unless explicitly stated otherwise:
- Attentia is not a standalone medical diagnosis.
- Information and scores provided by Attentia should not replace consultation with a qualified healthcare professional.
- Any diagnosis or treatment decision should be made by a human professional who considers multiple sources of information.
13. Changes and contact
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the current version. Significant changes will be highlighted within the Service or, where appropriate, notified by email.
If you have questions, concerns or requests related to this Privacy Policy or to our handling of personal data, you can contact:
Attentia, Laurenzgasse 12/20, 1050 Vienna, Austria
Email: zach@attentia.at
