How We Protect Your Data

The data controller responsible for your personal data is:

As data controller, we determine the purposes and means of processing your personal data and are responsible for compliance with data protection laws.

For your self-assessment, we store:

• Email address – For sending your report and account identification
• Demographics – Age range, sex, country (for research)
• Purpose – Why you're taking the assessment
• Optional health data – ADHD subtype, co-occurring conditions (if provided)
• Assessment responses – Your answers and calculated scores
• Payment record – Transaction ID, amount, date (Stripe handles card details)
• Report token – A secure, unique link to access your report
• Timestamps – When you completed the assessment

We deliberately don't collect or store:

• Your name – We only need your email
• Your exact date of birth – Just an age range
• Your IP address – Not logged or stored
• Device fingerprints – No browser/device tracking
• Precise location – Only the country you select
• Browsing history – We don't track what you do elsewhere
• Credit card details – Stripe handles payments securely; we never see your card
• Social media data – No social logins or connections
• Third-party tracking cookies – No advertising or analytics trackers

Our philosophy is simple: we only collect what we need to deliver your report and contribute to research.

We implement comprehensive security measures:

• Encryption in transit: All connections use TLS 1.3 (HTTPS)
• Encryption at rest: Data encrypted with AES-256
• Secure payments: Stripe handles all payment processing (PCI DSS Level 1 compliant)
• Access controls: Only authorised systems can access your data
• Report security: Your report link uses a 64-character cryptographically secure token
• Database security: Row-level security policies, encrypted backups
• No shared hosting: Dedicated database instances

• Report access token: Expires after 90 days (for security)
• Assessment data: Retained for research purposes (anonymised after 2 years)
• Email address: Kept until you request deletion
• Payment records: 7 years (UK legal requirement for financial records)

You can request deletion of your data at any time. Note that anonymised research data cannot be deleted as it is no longer linked to you.

You have the following rights under the General Data Protection Regulation:

• Right of Access (Article 15) – Receive a copy of your personal data
• Right to Rectification (Article 16) – Correct inaccurate personal data
• Right to Erasure (Article 17) – Request deletion of your data
• Right to Restrict Processing (Article 18) – Limit how we use your data
• Right to Data Portability (Article 20) – Receive your data in a machine-readable format
• Right to Object (Article 21) – Object to processing based on legitimate interests
• Right to Withdraw Consent (Article 7) – Withdraw consent where processing is based on consent

To exercise any of these rights, email privacy@rsdrs.com

We will respond within 30 days. There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.

We process your data under the following legal bases:

We use trusted service providers who process data on our behalf:

All providers have Data Processing Agreements (DPAs) in place. For US providers, we rely on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).

Your data is primarily stored in the European Union (Supabase EU servers in Frankfurt). Some processing occurs in the United States through our service providers.

For transfers to the US, we ensure adequate protection through:

• EU-US Data Privacy Framework – Providers certified under the DPF
• Standard Contractual Clauses – EU Commission-approved contracts
• Supplementary measures – Additional technical safeguards where needed

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

• We will notify the ICO within 72 hours of becoming aware
• We will notify you directly if there is a high risk to your rights
• We will document all breaches and our response

Your assessment scores are calculated automatically based on your responses using a standardised scoring algorithm. This calculation:

• Is necessary to provide the service you requested
• Does not make decisions that legally or significantly affect you
• Is used for informational purposes only (not diagnosis)

You can request human review of your scores by contacting support@rsdrs.com.

If you have questions about how we handle your data, contact us first:

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's supervisory authority: