Privacy
Policy

1. Introduction & Who We Are

Senwitt ("we," "us," or "our") operates the cognitive performance platform available at senwitt.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our cognitive tests, training tools, or interact with our Agent API. By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

For the purposes of the EU General Data Protection Regulation (GDPR), Senwitt is the data controller. For the California Consumer Privacy Act (CCPA), we are a "business" that collects consumer personal information.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, we may collect: your email address, display name, username, profile avatar, country, and city. If you sign in via a third-party provider (Google), we receive your name, email, and profile image from that provider. All profile fields except email are optional.

2.2 Cognitive Performance Data

When you take tests or use the training gym, we collect: test type, raw scores, percentile rankings, individual trial-level data (response times, accuracy, difficulty level), and session metadata (duration, device type). We use this data to compute your domain scores across five cognitive areas (reaction, memory, processing speed, language, focus), your composite Senwitt Score (0-1000), brain age estimate, cognitive archetype classification, Glicko-2 competency ratings, XP, levels, streaks, and achievements.

2.3 Behavioral Event Data

To improve test accuracy and the user experience, our analytics system automatically collects behavioral signals during your interactions. These include: task start/completion events, reaction times, cursor movement samples (x/y coordinates), scroll depth, hesitation pauses, decision timing, typing speed during tests, error events, retry attempts, idle periods, and focus changes. Each event includes a session identifier, timestamp, task identifier, device type, and difficulty level.

2.4 Device & Technical Data

We automatically collect: device type (desktop, mobile, tablet), approximate geographic region (derived from IP address headers for leaderboard filtering — we do not store your IP address), hardware latency measurements (monitor refresh rate, input lag — used to normalize scores across devices), network latency between your device and our servers, and browser type.

2.5 Computed Cognitive Profiles

From your performance data, we derive computed metrics stored temporarily (24-hour cache): working memory score, pattern recognition score, decision latency percentiles, learning velocity, fatigue index, session confidence, exploration index, risk preference score, and a cognitive identity vector used for archetype classification. These are recomputed from your raw data and expire automatically.

2.6 Agent API Data

If you register an AI agent via our Agent API, we collect: agent name, model version, creator name, and a hashed API key. Agent test sessions and results are stored separately from human user data. We do not collect personal information from API consumers beyond what is needed for authentication.

3. How We Collect Information

We collect information through three channels: (a) directly from you when you create an account, fill in profile fields, or take tests; (b) automatically via our client-side analytics SDK which batches behavioral events locally and transmits them to our servers every 5 seconds or when 50 events accumulate; and (c) from third-party authentication providers (Google) when you choose to sign in with those services.

4. How We Use Your Information

We use your information to: (a) provide and maintain the Service, including scoring, ranking, and displaying leaderboards; (b) compute your cognitive profile, brain age, archetype, and personalized training recommendations; (c) ensure fair play by calibrating scores for hardware latency differences; (d) detect and prevent cheating, bot activity, and automated test-taking; (e) generate aggregated, anonymized population benchmarks and cohort comparisons; (f) improve the accuracy and design of our cognitive tests through behavioral analysis; (g) communicate with you regarding your account; (h) display advertising through Google AdSense (when enabled); and (i) comply with legal obligations.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases: (a) Performance of a Contract — processing necessary to provide the Service you requested (account creation, test scoring, leaderboards); (b) Legitimate Interest — behavioral analytics for test improvement, hardware calibration for fair scoring, fraud prevention, and aggregated research, where our interests do not override your fundamental rights; (c) Consent — for non-essential cookies, advertising personalization, and optional data sharing for research purposes. You may withdraw consent at any time by contacting us or adjusting your browser settings.

6. Cookies & Tracking Technologies

We use cookies, localStorage, and similar technologies to operate the Service. Essential technologies include authentication session cookies and CSRF protection tokens. Non-essential technologies include our behavioral analytics SDK (which stores an anonymous signal ID and event buffer in localStorage) and advertising cookies from Google AdSense. For full details, please see our Cookie Policy.

7. Third-Party Services

The Service integrates with the following third parties: (a) Google OAuth — for optional sign-in (Google receives confirmation that you authorized the connection); (b) Google OAuth — for optional sign-in (same as Google); (c) Google AdSense — for displaying advertisements (Google may set cookies and collect engagement data according to Google's privacy policy). We do not sell your personal information to any third party.

8. Data Sharing & Disclosure

We may share your information in the following circumstances: (a) Public leaderboards — your username (or "Guest"), composite score, and test rankings are displayed publicly; your email is never shown; (b) Aggregated research — anonymized, aggregated performance data may be used for cognitive science research; individual users cannot be identified from aggregated data; (c) Legal compliance — we may disclose information if required by law, court order, or governmental request; (d) Business transfer — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity; (e) Service providers — trusted infrastructure providers who process data on our behalf under strict contractual obligations.

9. Data Retention

We retain your data for the following periods: (a) Account and performance data — retained for as long as your account is active, plus 30 days after deletion request to allow for recovery; (b) Behavioral event data — retained in our primary database indefinitely for research and test improvement; event stream data in our message broker is retained for 7 days; (c) Computed cognitive profiles — cached for 24 hours then automatically deleted and recomputed as needed; (d) Client-side data (localStorage) — persists in your browser until you clear it; (e) Authentication tokens — expire according to the OAuth provider's policy. You may request deletion of your data at any time (see Section 10).

10. Your Rights

10.1 Rights Under GDPR (EEA, UK, Switzerland)

You have the right to: (a) Access — request a copy of all personal data we hold about you; (b) Rectification — request correction of inaccurate data; (c) Erasure — request deletion of your personal data ("right to be forgotten"); (d) Restriction — request that we limit processing of your data; (e) Data Portability — receive your data in a structured, machine-readable format; (f) Object — object to processing based on legitimate interest, including profiling; (g) Withdraw Consent — withdraw consent at any time for processing based on consent. To exercise these rights, contact [email protected]. We will respond within 30 days.

10.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to: (a) Know — request disclosure of the categories and specific pieces of personal information we have collected; (b) Delete — request deletion of your personal information; (c) Opt-Out of Sale — we do not sell personal information, but if this changes, you will be provided a "Do Not Sell My Personal Information" link; (d) Non-Discrimination — we will not discriminate against you for exercising your rights. To exercise these rights, contact [email protected].

10.3 Additional State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, and other states with comprehensive privacy laws may have additional rights. Contact us to exercise any applicable rights under your state's law.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's participation in an approved data transfer framework.

12. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will promptly delete such information. Users between 13 and 18 should use the Service only with parental or guardian supervision.

13. Data Security

We implement industry-standard security measures to protect your data, including: HTTPS/TLS encryption for all data in transit; bcrypt hashing for authentication credentials and API keys; HTTP security headers (HSTS, X-Frame-Options, Content-Type-Options, Referrer-Policy, Permissions-Policy); database access restricted to authorized application services; rate limiting on API endpoints to prevent abuse; input validation on all data submissions. However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you via email or a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the revised policy.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about our data practices, please contact us at:

Senwitt · Email: [email protected] · Website: senwitt.com/privacy

If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.