Privacy Policy
Last updated: February 27, 2026
Data Controller
Scotoma - Eenmanszaak of Patryk Jarmakowicz
KvK (Chamber of Commerce): 84338512
Rotterdam, Netherlands
Contact: support@scotoma.app
We take your privacy seriously. This policy explains what data we collect, why we collect it, and what we do with it. The short version: we collect only what is necessary to provide the service, we never sell your data, and we give you full control over your information.
1. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver assessment results and team services you have requested or purchased.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, for example when signing in via Google OAuth or opting in to marketing communications. You may withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): For service improvement, security, fraud prevention, and anonymised academic research. We balance our interests against your rights and only proceed where the impact on your privacy is minimal.
2. Data We Collect
2.1 Free Individual Assessments
When you take the assessment without creating an account, we collect:
- Assessment responses: Your answers to the assessment questions
- Results data: Your calculated mindset type and related insights
- Basic technical data: IP address, browser type, device type (for security purposes)
No account required. We generate a unique result ID so you can access your results later. No email, no name, no signup.
2.2 Registered Accounts
When you create an account or sign in via Google OAuth, we additionally collect:
- Email address: From your account registration or Google profile
- Google OAuth profile data: Name, email, and profile picture as provided by Google (if you sign in with Google)
2.3 Team Assessments
When you set up or purchase a team diagnostic pilot, we additionally collect:
- Team organiser email: To send access links and results
- Team name: To identify your team assessment
- Team member information: Names and roles (optional)
- Payment information: Processed by invoice or an agreed payment provider where applicable. We do not store full card details.
3. How We Use Your Data
We use the information we collect to:
- Generate assessment results: Calculate orientation signals and provide reflection prompts
- Provide team dashboards: Show aggregated team results and patterns
- Process payments: Handle team diagnostic pilot and workshop payments where applicable
- Improve the assessment: Refine questions and enhance the methodology
- Send transactional emails: Assessment links, results, and purchase confirmations
- Conduct research: Academic analysis using aggregated, anonymised data
- Prevent fraud and abuse: Detect unusual patterns and ensure security
We never sell, rent, or trade your personal information to third parties.
4. Third-Party Processors
We share your data only with the following processors, each under a data processing agreement:
Supabase (Database and Authentication)
Stores assessment data and handles user authentication including Google OAuth. Data hosted in the EU. GDPR-compliant.
Payment Providers
Used only where card payments are agreed. Team diagnostic pilots may also be handled by invoice. We do not store full card details.
Vercel (Hosting)
Hosts the application. Provides automatic SSL/TLS encryption. Processes requests in EU and US data centres.
Cloudflare (DNS and CDN)
Provides DNS resolution, content delivery, and DDoS protection. Processes limited technical data (IP addresses, request metadata).
Umami (Analytics)
Privacy-focused, cookie-free analytics. Collects only anonymised page-view statistics. Does not use cookies or track individual users. GDPR-compliant by design.
We carefully vet all processors to ensure they meet our privacy and security standards. We do not share personal data with any other third parties.
5. Cookies
Scotoma uses only essential session cookies to maintain your login state and assessment progress. These cookies are strictly necessary for the service to function and do not require consent under GDPR.
Our analytics tool (Umami) is completely cookie-free and does not track individual users.
We do not use: third-party advertising cookies, social media pixels, or cross-site tracking of any kind.
6. Data Retention
- Assessment results: Retained for 12 months from the date of assessment, then automatically deleted. You may request earlier deletion at any time.
- Account data: Retained for as long as your account is active. After account deletion, personal data is removed within 30 days.
- Team assessment data: Retained for the duration of your service period plus 24 months for compliance and support purposes.
- Payment records: Retained for 7 years as required by Dutch tax law (Belastingdienst).
- Anonymised research data: May be retained indefinitely as it cannot be traced back to individuals.
7. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your personal data
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to restriction (Art. 18): Limit how we process your data in certain circumstances
- Right to object (Art. 21): Object to processing based on legitimate interest, including for research purposes
- Right to withdraw consent: Where consent is the legal basis, withdraw it at any time without affecting the lawfulness of prior processing
How to Exercise Your Rights
Email us at support@scotoma.app with your request. We will verify your identity and respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Exercising your rights is free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests.
Right to Lodge a Complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl.
8. International Data Transfers
Some of our processors (for example Vercel, Cloudflare, and any agreed payment provider) may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection standards
- Processor-specific certifications and compliance frameworks
Our primary database (Supabase) is hosted in the EU. Data is encrypted in transit (TLS) and at rest.
9. Children
Scotoma is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.
If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will delete that data as quickly as possible. If you believe we may hold data from a child under 16, please contact us immediately at support@scotoma.app.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security reviews
- Secure payment handling through agreed payment providers or invoice workflows
No system is 100% secure. We commit to notifying affected users and the relevant supervisory authority within 72 hours if a data breach occurs that poses a risk to your rights and freedoms, as required by GDPR Art. 33-34.
11. Research and Anonymised Data
Scotoma is designed to advance academic research on expertise and AI adoption. Assessment data may be used for research purposes under the legitimate interest basis (Art. 6(1)(f)).
All research data is aggregated and anonymised before analysis or sharing with academic partners. No individual results or personally identifiable information are ever published or shared.
You may object to research processing under Art. 21 GDPR by contacting us at support@scotoma.app. Note that once data has been fully anonymised, it can no longer be traced back to you and is no longer considered personal data under GDPR.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification (for registered users and team assessment customers)
- Prominent notice on our website
- Updated "Last updated" date at the top of this policy
We encourage you to review this policy periodically. Continued use of Scotoma after changes become effective constitutes acceptance of the revised policy.
13. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Scotoma
Patryk Jarmakowicz - Eenmanszaak
KvK: 84338512
Rotterdam, Netherlands
Email: support@scotoma.app
We aim to respond to all privacy inquiries within 30 days.
This Privacy Policy is effective as of February 27, 2026. It applies to all data collected through the Scotoma service, website, and related applications. For our Terms of Service, please see that page.