Privacy Policy & Data Protection

How we handle your data — GDPR compliant

Last updated: March 2026

1. Data Controller

This service is operated by Omitsis. For any privacy-related inquiries, contact us at kontakt@psychotherapie-barcelona.com.

2. What Data We Collect

We collect the minimum data necessary to provide the screening service:

  • Screening responses: Your answers to the 246 questionnaire items (numerical values 0-4). These are stored in your browser session and, if you purchase a report, in our database.
  • Email address: Only collected if you choose to save your results or purchase a report. Used exclusively for result retrieval and verification.
  • Verification codes: Temporary 6-character codes sent to your email, valid for 15 minutes, used for identity verification.
  • Session data: A session cookie (connect.sid) that expires when you close your browser. Contains no personal information — only a random session identifier.

3. What We Do NOT Collect
  • No user accounts or passwords (the service is anonymous)
  • No IP addresses are stored in our database
  • No browsing history or tracking cookies
  • No third-party analytics (no Google Analytics, no Facebook Pixel, no tracking scripts)
  • No geolocation data
  • No device fingerprinting

4. Purpose and Legal Basis (GDPR Art. 6)
  • Screening responses: Processed under legitimate interest (Art. 6(1)(f)) to provide the screening service you requested. Health-related data processing under Art. 9(2)(a) — explicit consent given by voluntarily completing the screening.
  • Email address: Processed under contract performance (Art. 6(1)(b)) when you purchase a report, or consent (Art. 6(1)(a)) when you save results.
  • Report generation: Your anonymised numerical scores (not your email or any other personal data) are sent to a third-party AI service for analysis. That provider acts as a data processor on our behalf under Art. 28 GDPR.

5. Third-Party Data Processors

We use the following third-party services:

  • AI service provider: Receives anonymised numerical scores only (no email, no personal identifiers) to generate clinical screening reports. The AI provider does not store or train on this data. Data is processed in the US under the EU-US Data Privacy Framework.
  • SMTP provider: Used to send verification code emails. Receives only your email address and a 6-character code. No screening data is included in emails.

6. Data Retention
  • Session data: Deleted when you close your browser or click Logout.
  • Screening responses and reports: Stored for 10 days from creation, then permanently and automatically deleted by our cleanup process.
  • Email addresses: Deleted together with the associated screening data after 10 days.
  • Verification codes: Expire and are deleted after 15 minutes.
  • No backups of screening data are retained beyond the 10-day period.

7. Your Rights (GDPR Art. 12-23)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): You can retrieve your stored data at any time during the 10-day retention period using the "Retrieve Test" function with your email address.
  • Right to erasure (Art. 17): Your data is automatically deleted after 10 days. To request immediate deletion, contact kontakt@psychotherapie-barcelona.com with the email address you used.
  • Right to data portability (Art. 20): You can export your screening report as a PDF at any time during the 10-day retention period.
  • Right to object (Art. 21): You may object to data processing by not using the service. No data is collected until you voluntarily begin the screening.
  • Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.

8. Security Measures
  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Session cookies are set with the HttpOnly, Secure and SameSite=Strict attributes
  • Verification codes generated with cryptographic randomness
  • Admin access protected by bcrypt-hashed passwords and rate limiting
  • No personal data stored in application logs
  • Database access restricted to the application layer only
9. Cookies

We use a single essential cookie (connect.sid) required for the service to function. This cookie contains a random session identifier, expires when you close your browser, and cannot be used to identify you. We do not use any tracking, analytics, or advertising cookies. Under GDPR and the ePrivacy Directive, essential cookies do not require consent.

10. Children

This screening tool is designed for adults (18+). We do not knowingly collect data from minors. If you are under 18, please do not use this service.

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

For any questions about this privacy policy or to exercise your data protection rights, contact: kontakt@psychotherapie-barcelona.com