Privacy Policy
Last updated: April 2026
This Privacy Policy explains how [AquaSoft (Pty) Ltd] ("we," "us," "Psychoanalyzeme") collects, uses, shares, and protects your personal information when you use psychoanalyzeme.co.za ("the Site").
This policy is governed by South Africa's Protection of Personal Information Act, 2013 (POPIA) and, where you visit from the EU/EEA or UK, the General Data Protection Regulation (GDPR).
We've tried to write this in plain language. Where the law requires specific terms, we've used them and explained what they mean.
1. The short version
- We sell access to self-screening psychological tests. You pay per test or buy a bundle.
- We do not keep your test answers. Your responses are scored in memory and deleted from our servers within seconds of you submitting them.
- We keep your account email and a record of what you've paid for, so you don't get charged twice.
- If you purchase the bundle, we keep your final scores (not your individual answers) so the cross-test narrative report can be generated.
- Some test items relate to mental health. Under POPIA, this is "special personal information" requiring stronger protection. We treat it that way.
- Some screens (notably the PHQ-9) include questions about self-harm. If you answer in a way that suggests risk, we interrupt your results page to show crisis resources, regardless of your overall score.
The rest of this policy is the detail.
2. Who we are
The Responsible Party (POPIA) / Data Controller (GDPR) is:
[AquaSoft (Pty) Ltd] [Registered address] Email: info@psychoanalyzeme.co.za
Our Information Officer (registered under POPIA section 55) is [Name], contactable at [info-officer@psychoanalyzeme.co.za].
3. Information we collect
Account information
- Your email address (used as your account identifier and to send you sign-in links).
- An optional display name.
We do not use passwords. Sign-in is via one-time emailed links.
Payment information
- When you buy a test or the bundle, PayFast processes the payment. We do not see or store your card number.
- We receive and store a record of which test or bundle you purchased, the amount, the transaction ID, and the date. This is so you can re-access content you've paid for and so we can produce a tax invoice on request.
Test responses (the part that matters most)
When you take a test, you tap or type answers to a series of questions. Those raw answers are:
- Transmitted over an encrypted (HTTPS) connection to our scoring server.
- Held in computer memory only long enough to calculate your scores — typically under a second.
- Discarded. They are not written to any database, log, or backup.
This means we cannot tell you, three months from now, what you answered to question 7 of the PHQ-9 you took in April. We don't have it.
Test scores
After scoring, the numerical results (subscale scores, severity bands, percentile positions) are:
- If you have a single-test purchase: displayed to you once, and not retained on our servers. You can save or print the page. The next time you log in, the result is gone unless you saved it yourself.
- If you have purchased the bundle (R49): retained on our servers and linked to your account. This is necessary so the cross-test AI narrative report can be generated from your accumulated results, and so you can revisit your dashboard. You can delete any retained score at any time from your account page.
We do this because the bundle's promise — a synthesis across tests — requires us to keep the scores. We've made this an explicit trade-off: take the bundle, and we keep your scores so we can give you the narrative; take individual tests, and we keep nothing.
Critical-item flags
For instruments containing items about self-harm (currently the PHQ-9), a positive response to such an item is detected at scoring time and triggers a redirect to our crisis-resources page before any score is shown. The fact that the item triggered is not separately logged or retained. We do not contact emergency services on your behalf; that is your responsibility or your trusted contacts'.
Technical metadata
When you load the Site, our servers receive:
- Your IP address.
- Your browser and device type.
- The pages you visit and the time you visit them.
This is used for security (detecting attacks and abuse), error diagnosis, and aggregate usage statistics. Server logs are retained for a maximum of 30 days and then deleted automatically.
Cookies
The Site uses a minimal set of cookies:
- Authentication cookie — to keep you signed in.
- Security cookie — to prevent cross-site request forgery.
We do not use advertising cookies, behavioural-tracking cookies, third-party tracking pixels, Google Analytics, or Facebook Pixel.
4. Special personal information
Many of our screens (PHQ-9, GAD-7, ASRS, AQ-50, ECR-R, IRI, SD3, LSRP, and others) collect responses that relate to your mental health, emotional state, and personal beliefs. Under POPIA section 26, this is "special personal information," and under GDPR Article 9, it is a "special category" of data. Both require a stronger lawful basis than ordinary personal information.
Our lawful bases are:
- POPIA section 27(1)(a): your explicit consent, given when you begin a test. We treat clicking through the test-start screen — which explains that you are about to provide health-related information — as explicit consent.
- GDPR Article 9(2)(a): your explicit consent, given the same way.
You can withdraw consent at any time by deleting your account and any retained scores. Withdrawal does not affect the lawfulness of processing already completed.
Because we delete raw responses within seconds, the practical surface of special personal information that we retain is small: only the scores derived from those responses, and only when you've bought the bundle.
5. How we use your information
We use your information only to:
- Authenticate you when you sign in.
- Process your payment and provide the tests you've paid for.
- Calculate and show your scores.
- Generate the cross-test narrative report (bundle users only — see section 8).
- Surface crisis resources when a critical item is triggered.
- Send you transactional emails (sign-in links, receipts, important service notices).
- Detect and respond to fraud, abuse, or security incidents.
- Meet our legal obligations (tax records, regulator requests).
We do not use your information to:
- Sell or share with advertisers.
- Train machine-learning models on your responses or scores.
- Profile you for marketing purposes.
- Publish or share research using your data without an entirely separate, opt-in consent process.
6. How we share information
We share personal information only with the following categories of subprocessors, only to the extent necessary, and only under written processing agreements.
| Recipient | Purpose | Country |
|---|---|---|
| PayFast | Payment processing | South Africa |
| Resend | Transactional and sign-in emails | United States |
| [Hosting provider — e.g. Vercel / Railway] | Application hosting and database | United States / European Union |
| [AI provider for narrative reports — e.g. Anthropic / OpenAI] | Generating the cross-test narrative for bundle users only | United States |
Each subprocessor is contractually bound to process personal information only as instructed and to protect it with appropriate security measures. A current list of subprocessors is available at psychoanalyzeme.co.za/subprocessors (to be created) and we will update it before adding any new subprocessor that processes personal information.
We do not sell personal information. We do not share your data with anyone else for any other purpose.
We may disclose information if required by law (a valid court order, subpoena, or regulator request), or to protect our rights, property, or safety, or that of our users or the public — but only to the minimum extent necessary.
7. International data transfers
Some of our subprocessors are located outside South Africa. When personal information is transferred internationally, we rely on:
- For POPIA: the recipient being subject to a law, binding code, or agreement that provides protection substantially similar to POPIA, or your consent, in line with section 72.
- For GDPR: Standard Contractual Clauses (SCCs) or an adequacy decision where applicable.
By using the Site you acknowledge that your account data and any retained scores may be processed outside South Africa.
8. The AI narrative report (bundle users)
Bundle users who complete at least 10 instruments can generate a written synthesis of their results. To do this:
- Your scores (not your responses) are sent to a third-party large-language-model API ([Anthropic / OpenAI]) along with a prompt template that instructs the model to write a balanced, non-diagnostic synthesis.
- The API call is configured so the AI provider does not retain the data for model training and processes it only to return the requested narrative.
- The generated narrative is shown to you and stored in your account so you can revisit it.
If you would prefer not to use the narrative report feature, simply do not request it. The bundle still gives you full access to all twelve tests; the narrative is optional.
9. How long we keep information
- Account email: for as long as your account is active, plus a reasonable period for tax and dispute-resolution purposes. We are required by the South African Revenue Service to retain financial records for 5 years.
- Payment records: 5 years (SARS requirement).
- Test responses: less than 60 seconds. Discarded after scoring.
- Test scores (single-test purchases): displayed once, not stored.
- Test scores (bundle users): for as long as your account remains active, or until you delete them. You can clear any retained score from your account page.
- AI narrative reports: retained in your account until you delete them.
- Server logs: maximum 30 days.
- Transactional email logs (Resend): typically 30 days.
When you delete your account, we delete all your retained scores and reports within 30 days from active systems and within 90 days from backups. Payment records are retained for the remainder of the SARS 5-year period and then deleted.
10. Your rights
Under POPIA (and GDPR if you're in the EU/UK), you have the right to:
- Access the personal information we hold about you.
- Correct anything that's inaccurate.
- Delete your account and any retained scores or reports.
- Object to processing in certain circumstances.
- Withdraw consent at any time (without affecting processing already done).
- Receive a copy of your data in a machine-readable format.
- Lodge a complaint with the Information Regulator (see section 13).
To exercise any of these rights, email info@psychoanalyzeme.co.za. We respond within 30 days.
Most of these rights you can exercise yourself from your account page (delete account, delete individual scores, export data).
11. Security
We protect your information using industry-standard measures:
- HTTPS/TLS encryption for all data in transit.
- Encryption at rest for our database.
- Magic-link authentication (no passwords stored or transmitted).
- Strict in-memory-only handling of raw test responses.
- Access controls limiting who on our team can view production data.
- Regular security updates to our software dependencies.
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and the Information Regulator (where required by POPIA section 22) without undue delay.
12. Children
You must be at least 16 years old to use the Site and to take any test.
If you are between 16 and 18, please discuss any results that concern you with a parent, guardian, or trusted adult — these tests are designed for personal reflection, and the results can be misinterpreted without context.
If we become aware that we have collected personal information from a child under 16, we will delete it.
13. Information Officer and complaints
Our designated Information Officer (POPIA section 55) is:
[Name] [AquaSoft (Pty) Ltd] [Registered address] Email: [info-officer@psychoanalyzeme.co.za]
If you have a complaint about how we handle personal information that we cannot resolve directly, you have the right to lodge a complaint with:
South Africa — Information Regulator JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001. Email: complaints.IR@justice.gov.za Website: inforegulator.org.za
EU/EEA: Your local Data Protection Authority. A list is available at edpb.europa.eu.
United Kingdom: Information Commissioner's Office, ico.org.uk.
14. Refunds and cancellation
Because the tests are digital products that you consume immediately, the Electronic Communications and Transactions Act (section 44) allows us to exclude the standard 7-day cooling-off period — and we do, by your initiation of the test. This means:
- A test you have started is not refundable.
- A test or bundle you have paid for but not started is refundable on request within 14 days.
- Duplicate charges, technical failures that prevented you from completing what you paid for, or any other system error are refundable in full. Email info@psychoanalyzeme.co.za.
15. Changes to this policy
We may update this Privacy Policy as the Site evolves and as the law changes. When we make material changes, we will notify you via email and via a notice on the Site at least 14 days before the changes take effect. The "Last updated" date at the top of this document indicates the most recent revision. Continued use of the Site after the effective date of a change constitutes acceptance.
16. Contact
For privacy questions, requests, or complaints:
Email: info@psychoanalyzeme.co.za Information Officer: [Name and email] Postal: [AquaSoft (Pty) Ltd, registered address]
For crisis resources, see psychoanalyzeme.co.za/crisis.