Privacy Policy
Last updated: April 4, 2026
1. Data Controller
UnveilIQ
Data protection contact: unveiliq.com/contact
The Controller operates the websites unveiliq.com and cogitoscore.com (hereinafter collectively: the "Service").
2. Scope of Processing
This policy covers the processing of personal data and technical data of Service users in connection with:
• taking a cognitive abilities test and computing the result,
• test session handling,
• recording analytics events (user interface interactions),
• processing payments for premium reports (if applicable),
• ensuring security and preventing abuse,
• improving test quality (psychometric norms, item difficulty).
The Service does not require account registration, name, email address, or any other direct personal identifiers to take the test.
3. Categories of Data Processed
A. Test session data (server-side):
• session identifier (session_id) — auto-generated, pseudonymous,
• age group (age_group),
• interface language (locale),
• service brand (brand),
• test start and completion timestamps,
• copy of answers in JSON format (answers_json) — for psychometric analysis.
B. Test answer data:
• question identifier (question_id),
• selected answer option (selected_option),
• correctness (is_correct),
• response time in milliseconds (time_spent).
C. Test result (computed server-side):
• raw score (raw_score),
• IQ score (iq_score),
• percentile (percentile),
• classification (classification),
• cognitive subscale scores (fluid, crystallized, working_memory, spatial, processing_speed),
• certificate identifier (certificate_id).
D. Anti-fraud data:
• browser tab switches (tab_switches),
• copy/paste attempts (copy_attempts, paste_attempts),
• average time per question, total test time,
• suspicious activity flags (flag_type, flag_details).
E. Demographic data (optional, consent-only):
• age range, country, gender, education level.
F. Technical data:
• IP address — processed exclusively in server memory for rate-limiting; not stored in the database,
• country detected from server headers (geo_country) — stored in browser cookie (24h).
G. Analytics events:
• event type (e.g., page_view, test_start, result_view, share_click, paywall_view),
• session identifier (session_id),
• contextual event data (JSON format).
H. Payment data (if user makes a purchase):
• Stripe session identifier (stripe_session_id),
• Stripe customer identifier (stripe_customer_id),
• amount, currency, payment status.
Payments are handled by Stripe, Inc. The Controller does not process card numbers or payment credentials — these are processed exclusively by Stripe.
I. User feedback (optional):
• NPS score (0-10), text comment.
J. Admin panel data (does not apply to test-takers):
• email address, name (optional), password (hashed), role (ADMIN).
This data is processed exclusively for authenticating access to the admin panel and does not apply to persons taking the test.
4. Processing Modes
The Service processes data in two modes:
1. Client-side processing (user's browser):
During the test, answers are temporarily stored in browser memory (sessionStorage). This data does not leave the user's device until the form is submitted. After closing the browser tab, this data is automatically deleted.
This includes:
• result preview — category, cognitive archetype, hint,
• session identifier (in sessionStorage),
• selected country (for pricing).
2. Server-side processing (persistent):
After submission, data is stored in the server database. This includes:
• test session and associated answers,
• computed test result (IQ, percentile, subscales),
• anti-fraud flags,
• analytics events,
• payment data (if applicable),
• demographic data (if consent was given).
Server-side data is subject to retention periods specified in Section 9.
5. Pseudonymization
The Service applies pseudonymization as a key data protection measure:
• session_id — an automatically generated identifier (CUID format) assigned to each test session. It does not contain any personal information and cannot be linked to a natural person without access to the server database.
• certificate_id — a unique identifier assigned to each test result, used in public share URLs (/r/[certificateId]). This identifier:
– does not encode the IQ score, percentile, or any cognitive data,
– cannot be reversed to obtain test answers or scores,
– reveals only the cognitive archetype (a categorical label, e.g. "The Analyst") when accessed via the public share page.
The risk of indirect identification through these identifiers is minimal but theoretically possible if a user voluntarily shares their session_id or certificate_id with third parties. The Service does not link these identifiers to any directly identifying information (name, email, phone number).
Under Art. 11(2) GDPR, if the Controller cannot identify a data subject without additional information, the rights under Art. 15–20 may not apply unless the data subject provides information enabling their identification (e.g., their session_id or certificate_id).
6. Purposes of Processing
Data is processed exclusively for the following purposes:
1. Test execution — processing answers, computing IQ score, determining cognitive archetype, generating certificate.
2. Session handling — maintaining test session continuity across HTTP requests.
3. Abuse prevention — detecting suspicious patterns (rapid answers, tab switching, copying), IP-based rate-limiting.
4. Test improvement — computing psychometric norms (mean, standard deviation), reliability (Cronbach's alpha), item difficulty, on aggregated data.
5. Product analytics — tracking conversion (result views → payments), identifying UX issues, monitoring test volume.
6. Payment processing — handling premium report transactions via Stripe, verifying payment status, unlocking full results.
7. Result sharing — generating a public link to the cognitive archetype (/r/[certificateId]), generating Open Graph image. Only shared: archetype name, emoji, and description — never the IQ score.
7. Legal Basis for Processing
Art. 6(1)(b) GDPR — performance of a contract / pre-contractual measures at the data subject's request:
• session identifier (session_id),
• test answers (answers),
• test result (IQ, percentile, subscales, certificate),
• test session handling,
• payment processing (Stripe).
Basis: the user initiates the test, which constitutes a request for service performance — computing a result based on provided answers.
Art. 6(1)(f) GDPR — legitimate interest of the Controller:
• IP-based rate-limiting (in-memory processing, no storage) — purpose: security, abuse prevention,
• anti-fraud flags — purpose: ensuring result integrity,
• analytics events (page_view, share_click, paywall_view, etc.) — purpose: UX improvement and conversion monitoring,
• normative data (aggregated question statistics) — purpose: test quality improvement.
The Controller's legitimate interest consists in ensuring service security, preventing abuse, and improving the quality of the psychometric test.
Art. 6(1)(a) GDPR — consent:
• demographic data (age range, country, gender, education) — collected only after explicit consent before starting the test.
Consent is voluntary and may be withdrawn at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. Profiling
The Service records user interface interaction events (e.g., share_click, paywall_view, exit_intent_shown) and stores them server-side linked to the session identifier.
These events are processed for conversion analysis and interface optimization. This processing does NOT constitute profiling within the meaning of Art. 4(4) GDPR, because:
• data is linked to a one-time, pseudonymous session (session_id), not to a personal identifier,
• no cross-session data linking occurs,
• no behavioral profile is created for content personalization or advertising,
• analysis is performed on aggregated data, not individual records.
If cross-session user tracking, behavioral profiling, or content personalization based on interaction history is implemented in the future, the Controller will update this policy and implement a consent mechanism (Art. 6(1)(a) GDPR) before commencing such processing.
9. Data Retention
Data is retained for the following periods:
• Test sessions and results — indefinitely, for psychometric norm continuity and report availability. Data does not contain direct personal identifiers.
• Test answers — indefinitely, for item difficulty and reliability analysis.
• Analytics events — 365 days from creation, then automatically deleted by a scheduled cleanup process.
• Demographic data — indefinitely (with consent), for normative analyses per age group.
• Anti-fraud flags — indefinitely, linked to session.
• Payment data — per applicable accounting regulations (5 years from end of fiscal year).
• Technical cookies — locale: 24 hours (automatic) or 365 days (manual language selection); geo_country: 24 hours.
• Browser sessionStorage data — automatically deleted when the browser tab is closed.
You may request deletion of your data at any time by providing the session identifier (session_id) or certificate identifier (certificate_id). Due to the pseudonymous nature of the data, identification without these identifiers may not be possible.
10. Data Recipients
Data may be shared only with the following categories of recipients:
• Hosting provider — Vercel, Inc. (San Francisco, USA). Application servers and databases located in the EU region (eu-central-1). Transfer to USA covered by Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework certification.
• Database provider — Neon, Inc. PostgreSQL database in the EU region (eu-central-1).
• Payment provider — Stripe, Inc. Processing of payment data (cards, transactions). Stripe is an independent data controller for payment data. Stripe's privacy policy: https://stripe.com/privacy
The Controller does not share personal data with other third parties, advertising agencies, data brokers, or external analytics providers (e.g., Google Analytics, Meta Pixel).
Through the result sharing feature, only the following is publicly available: cognitive archetype name, emoji, and description — never the IQ score, percentile, or subscale scores.
11. User Rights
Under the GDPR, you have the following rights:
• Right of access (Art. 15) — obtain information about processed data.
• Right to rectification (Art. 16) — correct inaccurate data.
• Right to erasure (Art. 17) — request data deletion ("right to be forgotten").
• Right to restriction of processing (Art. 18) — limit the scope of processing.
• Right to data portability (Art. 20) — receive data in a structured format.
• Right to object (Art. 21) — object to processing based on legitimate interest (Art. 6(1)(f)).
• Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise these rights, contact the Controller via the contact form: unveiliq.com/contact.
When making a request regarding a specific test session, provide the session identifier (session_id) or certificate identifier (certificate_id). Due to the pseudonymous nature of the data, fulfilling a request without these identifiers may be impossible or significantly impeded (Art. 11(2) GDPR).
You have the right to lodge a complaint with a supervisory authority — the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl).
12. Automated Decision-Making
The test result (IQ score, percentile, classification, cognitive archetype) is computed in a fully automated manner based on provided answers.
This automated computation does NOT constitute automated decision-making within the meaning of Art. 22(1) GDPR, because:
• the result does not produce legal effects concerning the user,
• the result does not similarly significantly affect the user,
• the result is informational and educational in nature,
• the Service explicitly states that the test does not constitute a clinical diagnosis.
Anti-fraud flags (e.g., FAST_ANSWERS, TAB_SWITCHES) may result in score limitation (soft penalty — IQ capped at 100, low confidence marker). This is a test integrity measure, not a decision producing legal effects.
15. Consent Conditions
User consent is NOT required for:
• test execution and result computation (basis: Art. 6(1)(b) — service performance at user's request),
• test session handling and technical cookies (basis: Art. 6(1)(b)),
• server logs, rate-limiting, and anti-fraud protection (basis: Art. 6(1)(f) — legitimate interest),
• recording analytics events within a single session (basis: Art. 6(1)(f)).
User consent IS required for:
• collecting demographic data (age range, country, gender, education) — consent given by checking a checkbox before starting the test.
User consent WILL BE required if the following are implemented in the future:
• cross-session user tracking,
• storing behavioral data for creating user profiles,
• behavioral analysis extending beyond a single test session,
• content personalization based on interaction history,
• integration with external analytics or advertising tools.
Until such features are implemented, their legal handling does not apply.
16. Future Changes and System Evolution
The Service may evolve over time. The Controller commits to the following principles regarding future changes:
1. If user accounts (email, name) are introduced: this policy will be updated to reflect the new data categories, legal basis, and retention periods BEFORE the feature is launched.
2. If cross-session tracking or behavioral profiling is implemented: the Controller will implement a consent mechanism (Art. 6(1)(a) GDPR) and update this policy BEFORE activation.
3. If third-party analytics tools (e.g., Google Analytics, Meta Pixel) are integrated: this policy will be updated to list each tool, its purpose, data transferred, and legal basis. Where required, prior consent will be obtained.
4. If data is transferred to new recipients or jurisdictions: the appropriate safeguards (SCC, adequacy decisions, or BCR) will be documented in this policy.
5. Material changes to this policy will be communicated to users via a notice on the Service homepage. The date of last update is displayed at the top of this policy.
The Controller will not retroactively apply new processing purposes to data collected under the current version of this policy without obtaining additional consent where required.
17. Contact
For data protection inquiries, please use our contact form:
Data Controller: UnveilIQ / CogitoScore
Contact: /contact
We respond to data processing inquiries within 30 days of receiving the request.