
Privacy Policy & Data Protection

How we handle your data, GDPR compliant

Last updated: April 2026

1. Data Controller

This service is operated by Omitsis. For any privacy-related inquiries, contact us at kontakt@psychotherapie-barcelona.com.

2. What Data We Collect

We collect the minimum data necessary to provide the screening service:

  • Screening responses: Your answers to the questionnaire items (118 items for the ADS/ADHD test or 128 items for the Autism test, numerical values 0-4). These are saved to our database during the test as you complete each section, so you can resume if your browser closes.
  • Email address: Only collected if you choose to save your test, view detailed results, or purchase a report. Used exclusively to give you access to your results and to notify you before your data is deleted.
  • Payment data: If you purchase a report, we store the transaction reference, amount paid, and coupon code (if used). Your card details are processed entirely by Stripe and never reach our servers.
  • Verification codes: Temporary 6-character codes sent to your email, valid for 15 minutes, used for identity verification.
  • Session data: A session cookie (connect.sid) that expires when you close your browser. Contains no personal information, only a random session identifier.

3. What We Do NOT Collect

  • No user accounts or passwords (the service is anonymous)
  • No IP addresses are stored in our database
  • No browsing history or device fingerprinting
  • No geolocation data
  • No personal data is included when generating your report via AI (only anonymous numerical scores are sent)

4. Purpose and Legal Basis (GDPR Art. 6)

  • Screening responses: Processed under legitimate interest (Art. 6(1)(f)) to provide the screening service you requested. Health-related data is processed under Art. 9(2)(a), with explicit consent given by voluntarily completing the screening.
  • Email address: Processed under contract performance (Art. 6(1)(b)) when you purchase a report, or consent (Art. 6(1)(a)) when you save results. By providing your email, you consent to receiving service-related communications (result access and deletion notification).
  • Report generation: Your anonymised numerical scores (not your email or personal data) are sent to a third-party AI service for analysis. This constitutes a data processing activity under Art. 28 GDPR.
  • Payment processing: Processed under contract performance (Art. 6(1)(b)) to fulfil your purchase.

5. Third-Party Data Processors

We use the following third-party services:

  • AI service provider (Anthropic): Receives anonymised numerical scores only (no email, no personal identifiers) to generate screening reports. The provider does not store or train on this data. Data processed in the US under the EU-US Data Privacy Framework.
  • Payment processor (Stripe): Processes credit card payments. Receives your email address and payment amount. Card details are handled entirely by Stripe and never touch our servers. Stripe's privacy policy applies to payment data.
  • SMTP provider: Used to send emails (verification codes, report links, data deletion notifications). Receives your email address and message content. No screening data is included in emails.
  • Analytics (Umami): Cookieless, privacy-first analytics. Collects anonymous page view statistics only. No personal data, no tracking cookies, no cross-site tracking. Hosted on our own infrastructure.
  • Google Ads: Conversion tracking to measure advertising effectiveness. Only activated if you accept cookies via the consent banner. Uses Google's gtag.js with consent mode; analytics and ad storage are denied by default until you opt in.

6. Data Retention

  • Anonymous tests (no email): If less than 5% of the test is completed, data is automatically deleted after 1 hour. Otherwise, data is deleted after 10 days.
  • Tests with email (unpaid): Screening responses, email address, and any generated reports are permanently deleted after 10 days. All sensitive fields are overwritten with null values before deletion.
  • Paid transactions (Stripe): Screening responses and report content are deleted after 10 days. However, the payment record (email, amount, payment method, date) is retained for the minimum period required by European tax and accounting regulations.
  • Session data: Deleted when you close your browser. The server-side session record is automatically purged after 15 minutes of inactivity.
  • Verification codes: Expire and are deleted after 15 minutes.
  • No backups of screening data are retained beyond the 10-day period.

7. Emails We Send

If you provide your email address, you may receive the following communications:

  • Verification codes to access your saved results.
  • A link to continue a saved test.
  • A link to view your generated report.
  • A single notification before your data is deleted (approximately 2 days before the 10-day expiry). We will not send any further messages after this.

8. Your Rights (GDPR Art. 12-23)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): You can retrieve your stored data at any time using the "Retrieve Test" function with your email address.
  • Right to erasure (Art. 17): Your data is automatically deleted after 10 days. To request immediate deletion, contact kontakt@psychotherapie-barcelona.com with the email address you used.
  • Right to data portability (Art. 20): You can export your screening report as a PDF at any time during the 10-day retention period.
  • Right to object (Art. 21): You may object to data processing by not using the service. No data is collected until you voluntarily begin the screening.
  • Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.

9. Security Measures

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Session cookies are HttpOnly, Secure, and SameSite=Lax
  • Verification codes generated with cryptographic randomness
  • Admin access protected by bcrypt-hashed passwords and rate limiting
  • No personal data stored in application logs
  • Database access restricted to the application layer only
  • Sensitive data fields are overwritten before deletion (defence in depth)
10. Cookies

We use the following cookies: (1) An essential session cookie (connect.sid), required for the service to function; it contains only a random session identifier, expires when you close your browser, and cannot be used to identify you. (2) A language preference cookie to remember your chosen language. These essential cookies do not require consent under GDPR and the ePrivacy Directive. Additionally, if you accept cookies via our consent banner, Google Ads conversion tracking cookies may be set to measure advertising effectiveness. These are only activated with your explicit consent.

11. Children

This screening tool is designed for adults (18+). We do not knowingly collect data from minors. If you are under 18, please do not use this service.

12. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates the most recent revision.

13. Contact

For any questions about this privacy policy or to exercise your data protection rights, contact: kontakt@psychotherapie-barcelona.com