Skip to main content

Privacy Policy

Privacy policy of the Aphantasia Platform. Information about the processing of your data in accordance with GDPR.

Last updated: June 2026

Introduction

The protection of your personal data is important to us. This privacy policy informs you in accordance with Art. 13 and 14 GDPR about the processing of your data on our platform.

Controller (Art. 4 para. 7 GDPR)

HEADON Kreativagentur Onur Cirakoglu Am Vogelsberg 8 97922 Lauda-Königshofen Germany Email: hallo@headon.pro

Legal Basis for Processing

We process your data based on the following legal grounds:

  • Art. 6 para. 1 lit. a GDPR and Art. 9 para. 2 lit. a GDPR: Consent (e.g. research data)
  • Art. 6 para. 1 lit. b GDPR: Performance of contract (e.g., user account, forum)
  • Art. 6 para. 1 lit. f GDPR: Legitimate interest (e.g., security, website operation)

User Account and Registration

When registering, we process the following data. Registration requires you to confirm that you are at least 16 years old and that you have read the privacy policy.

  • Email address (for authentication and communication)
  • Username (publicly visible in the forum)
  • Password (stored encrypted)
  • Profile information (optional: display name, biography, avatar)

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract). Optional: consent to research contact (allow_research_contact) and email notifications – each opt-in, default: off.

Retention period: Until deletion of your account

Forum and Community

When using our forum and community, we process:

  • Your posts, comments, and threads
  • Upvotes, bookmarks, and helpful markings
  • Direct messages to other users
  • Group memberships and posts
  • Experience stories (optionally anonymous)
  • Trust level (automatically determined based on activity and moderation history), badges and in-app notifications
  • Machine translation of posts via LibreTranslate – operated on our own server, no third-party transfer; translations are stored

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract)

Retention period: Until deletion of the post or account

The trust-level system classifies users automatically based on their activity and moderation history. It affects community rights only (e.g. editing permissions) and does not constitute a legally significant automated decision within the meaning of Art. 22 GDPR.

Moderation: To enforce our community guidelines and protect users we process moderation data – content reports (reported content, reason, time), warnings (reason, severity), mutes and bans (reason, duration) and a moderation log of actions taken. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a safe, rule-compliant community). You may object to this processing under Art. 21 GDPR.

Aphantasia Tests

Anonymous Use

Our tests (VVIQ, PSIQ, Binocular Rivalry) can be used completely anonymously. Individual responses exist only in working memory during the test session. Results are saved to the browser's LocalStorage only after your active consent choice. Analytics events contain only test type, duration and language – no scores and no categories.

Use with Account

When logged in, test results can optionally be linked to your account to save your test history.

Research Consent (optional – Art. 9 GDPR)

Test results allow inferences about mental imagery ability and therefore qualify as health data under Art. 9 GDPR (special category). Storage on our servers occurs only with your explicit consent under Art. 9 para. 2 lit. a GDPR. Data stored: score, interpretation and individual responses. No IP address, no user agent. Users who are not signed in receive a random pseudonymous identifier (aphantasie-anonymous-id) stored in LocalStorage; this links sessions on the same device but not across devices. Signed-in users are identified via their user ID. Without this consent, no data is stored on our servers.

I explicitly consent to my test results (including score, interpretation and individual responses) being stored pseudonymously for scientific research purposes. I understand that these data may allow inferences about my mental imagery ability (Art. 9 para. 2 lit. a GDPR).

Participation is voluntary. You may withdraw consent at any time via the “My Test Data” section on the test pages; this deletes your local data and all anonymous test sessions linked to your identifier from the database.

Pseudonymous research data is fully anonymised automatically after 36 months (identifier removed). After that, no link to your device is possible.

Legal basis: Art. 9 para. 2 lit. a GDPR in conjunction with Art. 6 para. 1 lit. a GDPR (explicit consent)

Research contact list (email opt-in)

After a test you can voluntarily leave your email address to be informed about future aphantasia studies. The address is only used after email confirmation (double opt-in) and is stored separately from your test results — no linking takes place.

Legal basis: Art. 6(1)(a) GDPR (consent). You can unsubscribe at any time via the link in every email; the address will then no longer be contacted. It is never shared with third parties; researchers only reach you through us.

Research Cooperations / Research Export

Registered and verified researchers may obtain access upon request to pseudonymised test datasets (test type, date, score, interpretation, individual responses – without user or device identifier). Each data retrieval is logged with the IP address and browser identifier of the accessing person for audit purposes. Researcher application data (name, email, institution, research purpose) are stored. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in promoting scientific research) and Art. 9 para. 2 lit. j GDPR (research interest with appropriate safeguards).

Technical Data Collection

Cookies

We use only technically necessary authentication cookies (Supabase session cookies). Language selection is handled via the URL; theme preference is stored under the localStorage key theme – not via cookies.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

Local Storage

We use your browser's LocalStorage with the following entries: aphantasie-test-store (test result and consent choice – created only after your active consent decision, retained until manual deletion or browser data clearing), aphantasie-anonymous-id (pseudonymous identifier – created only with research consent, revocable via “My Test Data”), theme (theme preference – no personal data). This data does not leave your device.

Server Log Files

With each access, the following is automatically collected: IP address, browser type, operating system, referrer URL, access time.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in security and operation)

Retention period: 7 days (subsequently deleted automatically)

Data Processors

We use the following service providers who process data on our behalf. All data remains within the EU:

Supabase (EU – Frankfurt)

For database, authentication and file storage we use Supabase (provider: Supabase Inc.). Hosting is in the EU (Frankfurt region). We have concluded a data processing agreement (DPA) under Art. 28 GDPR. Sub-processor: Resend Inc. (USA) is used for sending authentication emails (confirmation, password reset); the transfer is safeguarded via Standard Contractual Clauses (SCC). Further access from third countries by the provider or additional sub-processors cannot be fully excluded; any such transfer is covered by SCC or the EU-US Data Privacy Framework.

https://supabase.com/privacy

Hetzner Online GmbH (Germany)

Our website is hosted on our own server at Hetzner Online GmbH, located in Nuremberg (Germany). Hetzner is a German hosting provider with data centers in Germany and Finland. We have concluded a Data Processing Agreement (DPA). No data transfer to third countries occurs.

https://www.hetzner.com/legal/privacy-policy

Fonts

We use self-hosted fonts. There is no connection to external services like Google Fonts.

Web Analytics (Umami – Self-Hosted)

We use Umami, a privacy-friendly open-source analytics tool that we self-host on our servers in Germany. Umami is fully cookieless – no cookies are set and no consent is required. IP addresses are not stored. No data is transferred to third parties or third countries. Umami respects the Global Privacy Control (GPC) signal of the browser. Analytics events contain no test results, scores or categories – only anonymous usage data. Raw data is deleted after 12 months.

Data collected (aggregated and anonymous):

  • Page views and time on page
  • Referrer URL (where you came from)
  • Device type and browser (anonymized)
  • Approximate location (country only, no IP storage)

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in improving our service). Since no personal data is processed and no cookies are set, no consent under TTDSG/ePrivacy is required.

Retention Periods

We only store your data for as long as necessary for the respective purposes:

  • Account data: Until account deletion
  • Forum posts: Until deletion by you or moderation
  • Moderation data: logs and deactivated warnings 365 days, technical rate-limit data 30 days; active bans until lifted
  • Server logs: 7 days
  • Research data (pseudonymous): automatically fully anonymised after 36 months (identifier removed); data stored without identifier indefinitely (no personal reference). Withdrawal deletes pseudonymous data immediately.

Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You can request information about your stored data.
  • Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) – you can delete your account yourself at any time in account settings; your personal data is removed and free-text references to you in moderation logs are anonymized
  • Right to restriction (Art. 18 GDPR): You can request restriction of processing.
  • Right to data portability (Art. 20 GDPR): You can receive your data in a common format.
  • Right to object (Art. 21 GDPR): You can object to processing.
  • Right to withdraw consent (Art. 7 para. 3 GDPR): You can withdraw any given consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg Lautenschlagerstraße 20 70173 Stuttgart, Germany Phone: +49 711/615541-0 Email: poststelle@lfdi.bwl.de Website: https://www.baden-wuerttemberg.datenschutz.de

Data Security

We implement technical and organizational measures to protect your data:

  • HTTPS encryption for all data transfers
  • Encrypted password storage
  • Row Level Security (RLS) in the database
  • Regular security updates

Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to comply with changed legal requirements or changes to our services. The current version can always be found on this page.

Special Categories of Data (Art. 9 GDPR) — Premium Report

The test results used to generate the Premium Report may reveal information about visual imagery ability and thereby constitute health-related characteristics falling under Art. 9 GDPR (special categories of personal data).

Data category: Information on imagery ability (visual and multisensory imagination); potential health data under Art. 9(1) GDPR

Legal basis: Explicit consent pursuant to Art. 9(2)(a) GDPR, given prior to purchase

Purpose: Generation of the personal Premium Report (analysis, percentile comparison, everyday strategies)

Payment and contract processing: The payment and contract processing itself is carried out on the basis of Art. 6(1)(b) GDPR (contract performance) by Paddle Payments Limited as Merchant of Record

Consent is voluntary and may be withdrawn at any time with effect for the future (hallo@headon.pro). Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Payment processing (Premium Report)

Paddle Payments Limited

For the purchase of digital products we use Paddle Payments Limited as Merchant of Record and payment processor. Paddle processes your payment data, issues invoices and handles tax compliance.

Data recipient: Paddle Payments Limited · Purpose: Purchase processing · Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) · Paddle privacy policy: paddle.com/legal/privacy

paddle.com/legal/privacy

Resend (Transactional emails)

For delivering the download link after purchase we use the service Resend (Resend Inc., USA). Resend processes your email address solely to send the purchase confirmation and report link.

Storage of order data

Order data (including the test result payload used for the report) is deleted 90 days after the report is delivered. Report files are stored in Supabase Storage and become inaccessible after the download link expires.

Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) and statutory retention obligations.

Privacy Contact

For questions about data protection, contact us at: hallo@headon.pro