Privacy Policy
A plain-language summary of what we collect, what we never collect, how long we keep it, and the rights you have under GDPR.
1. Who we are
Attention Snapshot is operated by Maksymilian Wójcik, an individual sole proprietor based in Poland. For the purposes of the EU General Data Protection Regulation (GDPR), Maksymilian Wójcik is the data controller responsible for the personal data processed through this site.
Attention Snapshot is a five-minute, anonymous self-assessment for ADHD-style attention patterns. The site is designed to be privacy-first by default: there are no user accounts, no email collection, no third-party analytics, and no advertising or tracking cookies at the time of writing.
For any privacy-related question, contact privacy@attentionsnapshot.com. A postal address is available on request via that email — we do not publish a residential address here.
2. Data we collect
When you take the snapshot we process the following:
- Your answers to the assessment items (ordinal scores from 0 to 4 per question).
- The scores, severity bands and pattern type computed from those answers, including the confidence score and the time you spent completing the assessment.
- A non-personal application version identifier (so we can match a report to the version of the scoring engine that produced it).
- A randomly generated UUID that identifies your report. This UUID is the only handle we have on a specific report and the only way we can locate it on request.
- Your IP address, transiently: it is held only in memory, used only for rate-limit bucketing, and never written to persistent storage.
- If you choose to pay for the full report: a Stripe Checkout session ID linked to your report UUID. Card numbers and other payment details are handled entirely by Stripe and never reach our servers.
3. Data we do NOT collect
- No name, email address or phone number — there are no user accounts.
- No tracking cookies. No advertising cookies. No third-party analytics (Google Analytics, Mixpanel, etc.) at the time of writing.
- No card numbers, expiry dates or CVCs — those go directly to Stripe and are never visible to us.
- No browser fingerprinting and no cross-site tracking.
- No location data beyond what your IP address transiently reveals for rate-limit bucketing (which is never persisted).
4. How we use this data
The only purpose of processing your data is to compute and serve your assessment report. We do not sell, rent or share your data with third parties for marketing or any other purpose. We do not use your answers to train machine-learning models.
Legal basis under GDPR Article 6: for paid reports, processing is based on the performance of a contract with you (Art. 6(1)(b)). For the assessment computation itself before payment, processing is based on our legitimate interest (Art. 6(1)(f)) in providing the service you have actively requested by submitting the questionnaire.
5. How long we keep it
Reports are deleted automatically. We do not need to keep them and we do not want to.
- Unpaid reports are automatically deleted 24 hours after creation.
- Paid reports are automatically deleted 90 days after payment. After that window the report and every per-question answer linked to it are removed from the database.
- Per-question answers are stored in a child table (public_report_answers) and are cascade-deleted with the parent report.
- Stripe retains transaction records under its own retention policy and applicable financial regulations; that is outside our control.
6. Third parties (data processors)
We rely on the following processors. Each is bound by an appropriate Data Processing Agreement.
- Vercel (USA, EU edge): hosts the static site assets. GDPR-compliant DPA available; EU traffic is served from European data centres.
- Railway (USA): hosts the Ktor backend and the Postgres database. GDPR-compliant DPA available.
- Stripe Payments Europe (Ireland): processes the $9 payment. PCI-DSS and GDPR-compliant. We see only the Stripe session ID; Stripe sees the card data.
- Google (USA): Search Console for SEO indexing data. No user data is shared with Google by us. Google AdSense may be added in the future and will set cookies — we will update this policy and add a cookie banner before that happens.
- Microsoft Bing (USA): Webmaster Tools for SEO indexing data. No user data is shared with Microsoft by us.
7. Cookies
At the time of writing we do not use any tracking, analytics or advertising cookies. The site uses one first-party technical localStorage entry to remember your locale preference (English / Polish) — this is a functional preference, not a tracker, and it never leaves your browser.
If we add Google AdSense in the future to fund the free portion of the assessment, AdSense will set cookies for ad personalisation and measurement. Before that happens, we will update this policy and add a clear consent mechanism in line with the EU ePrivacy Directive.
8. Your rights under GDPR
Because the service is anonymous (we have no email or account linked to your report), the practical way to exercise any of the rights below is to email privacy@attentionsnapshot.com from any address and include your report URL or UUID, so that we can identify the specific data set you are asking about.
Right of access (Art. 15)
You can ask for a copy of all data we hold linked to your report UUID. We will respond within 30 days.
Right to rectification (Art. 16)
Limited applicability — we hold no identifying information to correct. If you believe a stored answer is wrong, the simplest remedy is to retake the assessment.
Right to erasure (Art. 17)
You can request deletion of a specific report at any time by emailing the report URL or UUID. We will action the deletion within 7 days. Note that automatic deletion already happens at 24 hours (unpaid) or 90 days (paid).
Right to restriction of processing (Art. 18)
You can ask us to restrict processing while a dispute about your data is being resolved.
Right to data portability (Art. 20)
On request, we will provide your report data as a JSON export — answers, scores, bands, pattern type — in a structured, machine-readable format.
Right to object (Art. 21)
Where processing is based on legitimate interest, you can object at any time and we will stop processing unless we have compelling legitimate grounds that override your interests.
Right to lodge a complaint (Art. 77)
If you believe our processing of your data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO — Urząd Ochrony Danych Osobowych): ul. Stawki 2, 00-193 Warsaw, Poland.
9. Children's data
The site offers a "child track" of the assessment. This track is intended for parents or legal guardians completing the questionnaire about a child — it is not a track for children to use directly. In accordance with GDPR Article 8, the service is not directed at and should not be used directly by individuals under the age of 16. If you are under 16, please ask a parent or guardian to use the site on your behalf.
10. International data transfers
Some of our processors (Vercel, Railway, Google, Microsoft) are headquartered in the United States. Where personal data is transferred outside the European Economic Area, those transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and equivalent safeguards. EU traffic on Vercel is served from European data centres where available.
11. Security
We use HTTPS site-wide, rotated database credentials, and least-privilege access for the small number of administrators. Because we hold no email addresses, names or payment details, the blast radius of any hypothetical data incident is structurally limited — the worst case is the leak of an anonymous answer set linked to a randomly generated UUID.
12. Changes to this policy
We will update this policy when material changes happen — for example, if we add Google AdSense, change a processor, or change retention windows. The "last updated" date at the top of this page reflects the most recent revision. For non-trivial changes we will surface a notice on the site.
13. Contact
For privacy questions, data subject requests, or anything else covered by this policy, email privacy@attentionsnapshot.com. A postal address for the data controller is available on request via that email.