Privacy Policy

The data controller for your personal data is:

We are responsible for deciding how we hold and use personal information about you.

When you complete a self-assessment, we collect:

• Email address – To send you your report and for account identification
• Demographics – Age range, sex, and country (for research purposes)
• Purpose – Why you're taking the assessment (diagnosed, being assessed, curious)
• Optional health information – ADHD subtype, co-occurring conditions (if you choose to provide)
• Assessment responses – Your answers to the questionnaire
• Payment confirmation – Transaction ID from Stripe (we never see your card details)

Under GDPR, we process your data based on the following legal grounds:

• Contract Performance (Article 6(1)(b)) – Processing your email, payment, and assessment responses is necessary to provide the service you purchased.
• Legitimate Interest (Article 6(1)(f)) – Using anonymised data to improve our assessment and conduct research. Our legitimate interest is advancing understanding of rejection sensitivity, balanced against your privacy rights.
• Consent (Article 6(1)(a)) – For optional data like ADHD subtype and co-occurring conditions, which you can choose not to provide.
• Legal Obligation (Article 6(1)(c)) – Retaining payment records as required by financial regulations.

• Your Report – To generate and email your personalised results
• Research – Anonymised data contributes to understanding rejection sensitivity better
• Service Improvement – To make our assessments more accurate and helpful
• Communication – To send you your report and respond to enquiries

We do not:

• Send marketing emails (unless you explicitly opt in)
• Share your personal data with advertisers
• Make automated decisions that significantly affect you
• Profile you for purposes other than the assessment

Some information you provide (such as ADHD diagnosis status and mental health conditions) is considered "special category data" under GDPR. We process this data based on:

• Your explicit consent – You choose whether to provide this information
• Scientific research purposes – With appropriate safeguards (anonymisation)

You can complete the assessment without providing this optional information.

Your report is accessible via a secure, unique link for 90 days after completion. After this period, the link expires for security reasons.

We recommend saving or printing your report if you want to keep it longer.

• Report access token – Expires after 90 days
• Assessment data – Kept indefinitely for research (anonymised)
• Email address – Kept until you request deletion
• Payment records – 7 years (legal requirement)

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Payment processing is handled by Stripe (PCI DSS compliant)
• Data is stored in secure EU data centres
• Access is restricted to authorised systems only
• Report links use cryptographically secure tokens

We share data with these trusted service providers:

• Stripe – Payment processing (receives email for receipts)
• Supabase – Database hosting (EU servers)
• Resend – Email delivery (receives email to send your report)
• Vercel – Website hosting

Each provider has appropriate data protection agreements in place. We do not share your data with any other third parties.

Your data is primarily stored in the EU. Some service providers (Stripe, Vercel) may process data in the US under appropriate safeguards:

• EU-US Data Privacy Framework certification
• Standard Contractual Clauses approved by the European Commission

Under GDPR, you have the right to:

• Access – Request a copy of your personal data
• Rectification – Correct any inaccurate information
• Erasure – Request deletion of your data ("right to be forgotten")
• Restrict processing – Limit how we use your data
• Data portability – Receive your data in a machine-readable format
• Object – Object to processing based on legitimate interests
• Withdraw consent – Where processing is based on consent

To exercise any of these rights, email privacy@rsdrs.com. We will respond within 30 days.

Note: Some requests may be limited where we have a legal obligation to retain data (e.g., payment records) or where data has been anonymised for research.

We use only essential cookies required for the website to function:

• Session cookies – To maintain your assessment progress
• Security cookies – To protect against fraud

We do not use analytics cookies, advertising cookies, or social media tracking cookies.

This service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@rsdrs.com and we will delete it.

We may update this Privacy Policy from time to time. If we make significant changes, we will update the "Last updated" date below. We encourage you to review this policy periodically.

If you have concerns about how we handle your data, please contact us first at privacy@rsdrs.com. We will try to resolve your concern.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint

For privacy-related questions or to exercise your rights: