Privacy Policy
This Privacy Policy explains how Cure ADHD Ltd ("AxonCPT", "we", "us") collects, uses, and protects personal data when you use the AxonCPT platform at axoncpt.com, app.axoncpt.com, and test.axoncpt.com (the "Service").
1. Who we are
AxonCPT is operated by Cure ADHD Ltd, a company registered in England and Wales. Contact us at support@axoncpt.com for any privacy-related questions or to exercise your data rights.
2. The data we collect
From clinicians (account holders):
- Email address, password hash, and authentication metadata (managed by AWS Cognito)
- Title (Dr/Mr/Ms/etc.), first name, last name, clinic or organisation name, country
- Subscription status and Stripe customer reference (we never see card numbers)
- Account activity (logins, assessments sent, billing events)
- Anonymous usage analytics via Plausible (no cookies, no IP storage)
About patients (entered by their clinician):
- Patient name and email address
- Date of birth and gender (used for age- and sex-stratified scoring)
- Clinician-supplied notes
- Continuous performance test (CPT) responses: stimulus type, response, latency per trial
- Computed clinical metrics (reaction time, variability, omission and commission errors, percentiles, z-scores)
Patients do not hold accounts on AxonCPT. The clinician who refers a patient is responsible for obtaining the patient's informed consent before sending an assessment.
3. How we use the data
- To deliver the Service: account access, sending assessment links, scoring results, longitudinal tracking
- To process payments via Stripe
- To send transactional emails (welcome, assessment links, results-ready notifications, support replies)
- To improve and secure the Service (aggregate analytics, error monitoring)
- To comply with legal obligations
We do not sell personal data and we do not use it for advertising.
4. Legal basis (UK GDPR / EU GDPR)
For clinician account data, we rely on contract (providing the Service you signed up for) and legitimate interest (securing and improving the Service). For patient data entered by clinicians, we act as a data processor on behalf of the clinician, who is the data controller; the clinician is responsible for the legal basis under which they collect and share patient information.
5. Who we share data with
- Amazon Web Services (AWS) — cloud infrastructure (us-east-1, USA). Data is processed under AWS's standard contractual clauses and, where applicable, AWS's HIPAA Business Associate Agreement.
- Stripe — payment processing (UK / Ireland / USA).
- Plausible Analytics — privacy-focused, cookieless web analytics (Germany / EU).
- Google Ads — advertising attribution (USA). When a clinician completes their profile, we pass a hashed version of their email address to Google Ads so we can measure which advertising channels brought them to AxonCPT. Patient data is never shared with Google.
- Email delivery — Amazon SES (USA) for outbound transactional emails.
We do not sell, rent, or share personal data with any third party for marketing purposes.
6. International data transfers
Most data is stored in AWS's us-east-1 region (USA). Where data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or the UK-US Data Bridge as applicable.
7. How long we keep data
- Clinician accounts and patient records: retained for as long as the clinician's account is active. After account closure, data is deleted within 30 days, except where we are required to retain billing records (typically 6 years for tax purposes).
- Logs and audit data: 30 days.
- Anonymous analytics: retained indefinitely in aggregate form.
8. Your rights
If you are in the UK or EEA, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a machine-readable format (data portability)
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email support@axoncpt.com. Patients should direct requests to their clinician in the first instance.
9. Security
We use industry-standard measures to protect personal data: HTTPS for all traffic, encryption at rest in AWS, multi-factor authentication for clinician accounts (where enabled), audit logging, and the principle of least privilege for internal access. No system is perfectly secure; we cannot guarantee absolute protection, but we work hard to keep your data safe.
10. Cookies and tracking
We use a small number of strictly necessary session cookies for authentication (set by AWS Cognito). We do not use advertising or tracking cookies. Our analytics provider (Plausible) does not set cookies and does not collect personally identifiable information. No consent banner is required.
11. Children's data
AxonCPT is intended for use by licensed healthcare professionals to assess patients aged 14 and older. The clinician is responsible for obtaining appropriate parental or guardian consent where the patient is a minor.
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and via the Service before they take effect. The version and effective date appear at the top of this page.
13. Contact
Questions, requests, or complaints: support@axoncpt.com.