Privacy Policy
Last updated: March 2026
Who We Are
The Neurotype Assessment ("the Service") is operated by the Neurotype Project, an independent research initiative. For privacy inquiries, contact us at [email protected].
What We Collect
If you take the assessment without an account
Your quiz scores are computed in your browser and stored only in localStorage and the URL. We do not transmit quiz scores to our servers unless you create an account.
If you create an account
When you sign in (via email magic link or Google OAuth), we collect and store:
- Email address — for authentication and communication
- Display name — from Google OAuth or derived from your email
- Quiz scores and dimensional binary — your assessment results
- Per-question responses and response timing — which answer you chose for each question and how long (in milliseconds) each question took
- Purchase history — if you buy the Full Report
Validation questions (demographic and health data)
After the 30 core assessment questions, we ask 6 optional validation questions covering:
- Neurodivergent self-identification
- Formal diagnoses — neurological, psychiatric, and somatic conditions
- Suspected (undiagnosed) conditions
- Sex assigned at birth
- Pronouns
- Age range
Every validation question includes a "Prefer not to say" or equivalent opt-out. Diagnosis data constitutes health-related information. By answering these questions, you explicitly consent to the collection and use of this data as described in this policy. This data is stored alongside your quiz results and used for research purposes (see "Research Use" below).
Automatically collected data
- UTM parameters — campaign source, medium, and campaign name from the URL that brought you to the site. Stored in your browser's localStorage and synced to our email provider on account creation.
- Browser storage — we use localStorage (persistent, cross-tab) and sessionStorage (tab-scoped, cleared on tab close) to store quiz progress, pending results, cookie consent preferences, and authentication state. This data stays in your browser unless you create an account.
How We Use Your Data
Legal basis for processing
We process your data under the following legal bases (GDPR Article 6):
- Contract performance: Account creation, storing quiz results, processing purchases, providing the service you signed up for
- Explicit consent: Validation/health data collection, email communications, cookie-based analytics
- Legitimate interest: Fraud prevention, service security, anonymized aggregate analytics to improve the assessment
Specific uses
- Authentication: Magic link emails and Google OAuth sign-in
- Results: Stored in our database so you can access, retake, and compare
- Email: Post-quiz email sequence (you can unsubscribe anytime), comparison invite notifications
- Analytics: Google Analytics 4 with consent mode v2. If you decline cookies, GA4 sends cookieless pings with no user-level data, and no analytics cookies are set.
- Ad attribution: Meta Conversions API (server-side). Your email is hashed (SHA-256) before transmission. Your IP address and browser user agent are also sent to Meta for event matching.
- Research: See "Research Use" below
Research Use
Validation question responses (diagnoses, demographics) are collected to test and improve the scientific validity of the assessment. This data may be used to:
- Perform known-groups validity testing (comparing quiz profiles against diagnostic groups)
- Analyze demographic patterns and potential biases in the assessment
- Publish anonymized, aggregated statistical findings (e.g., blog posts, research papers)
- Share fully anonymized datasets with other researchers
No individual-level data is ever published or shared. All published findings use aggregate statistics. Shared datasets are stripped of all identifying information (email, user ID, account data) before release. Only anonymized quiz scores, dimensional results, and validation responses are included.
Third-Party Services
We share data with the following services, each acting as a data processor:
- Supabase (database, authentication) — stores your account, quiz results, and validation data. Infrastructure hosted in the United States.
- Stripe (payment processing) — processes purchases. We do not store credit card numbers. Stripe handles all payment data under its own privacy policy.
- Brevo (email delivery) — your email address, neurotype result, and UTM acquisition data are synced to Brevo for email communication. Infrastructure in the EU.
- Google Analytics 4 (analytics) — consent-gated. Quiz events, page views, and conversion events. No user-level data without cookie consent.
- Meta Conversions API (ad attribution) — server-side event tracking. Receives hashed email, IP address, and browser user agent for ad measurement.
International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. These transfers are necessary to provide the service. Where data is transferred outside the EEA, we rely on the service providers' standard contractual clauses and data processing agreements.
Cookies
We ask for cookie consent on your first visit.
- If you accept: Google Analytics 4 sets analytics cookies to measure site usage and track conversions.
- If you decline: GA4 runs in consent mode (cookieless pings, no user-level data). No analytics cookies are set.
Essential storage: We use browser localStorage and sessionStorage for functional purposes (quiz progress, authentication state, cookie preference). These are not cookies and are not affected by your cookie consent choice.
You can change your cookie preference at any time via the "Manage cookies" link in the footer.
Data Retention
- Account data: Retained as long as your account exists
- Quiz results and validation data: Retained until you delete them or delete your account
- Anonymized research data: Aggregated and anonymized datasets derived from validation responses may be retained indefinitely, as they contain no identifying information
- Email marketing: Your Brevo contact is deleted when you delete your account or unsubscribe
Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: View all your data in your dashboard
- Portability: Export your data as JSON from your dashboard
- Erasure: Delete your account from your dashboard. This permanently removes all data: results, validation responses, comparisons, purchases, authentication data, and your email marketing contact
- Rectification: Contact us to correct inaccurate data
- Restrict processing: Contact us to request that we limit how your data is used
- Object: You may object to processing based on legitimate interest by contacting us
- Withdraw consent: Change cookie preferences via the footer link. Unsubscribe from emails via the link in any email. For validation data, you may delete your account to remove all stored responses.
To exercise any of these rights, use the self-service tools in your dashboard or email [email protected].
Data Security
All data is transmitted over HTTPS. Authentication tokens are managed by Supabase with industry-standard encryption. Row-level security policies restrict database access to authorized users. Premium content is served through authenticated edge functions. Payment data is handled entirely by Stripe and never touches our servers.
Children
This service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it.
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top indicates the most recent revision.
Contact
For privacy questions, data requests, or concerns: [email protected]