Privacy Policy
Last updated: April 29, 2026
This Privacy Notice for HDI.Vision (operated by Tomislav Krištof, Radauševa 4, Zagreb, Croatia) describes how and why we might collect, store, use, and/or share your information when you use our services, including when you visit hdi.vision, use the HDI test platform at test.hdi.vision, or contact us.
Questions or concerns? Reading this notice will help you understand your privacy rights and choices. If you disagree with our policies, please do not use our services. For questions, contact us at info@hdi.vision.
1. What Information Do We Collect?
Information you provide voluntarily
We collect personal information you provide when you register an account, take the HDI assessment, or contact us. This includes:
- Name, email address, username, and password
- Year of birth, country, occupation, and education status
- Organization code and organization membership, if you join HDI through an organization
- Responses to HDI assessment questions (including information about your digital behaviour)
- Assessment attempts, timestamps, module scores, facet scores, subfacet scores, grades, improvement reports, and privacy sharing preferences
- Messages sent via the contact form
Sensitive information
The HDI assessment may collect data relating to your self-reported digital behaviour patterns, wellbeing indicators, and psychological traits (such as self-reported anxiety, mood, or behavioural tendencies). Under GDPR Article 9, this may constitute sensitive personal data.
We collect this data only with your explicit consent, provided at the point of assessment. You may withdraw this consent at any time by contacting us at info@hdi.vision, though withdrawal will prevent further use of the assessment. This data is used solely for:
- Generating your personal HDI report and improvement recommendations
- Anonymised and aggregated academic research (PhD research at Algebra Bernays University, Zagreb)
Important: HDI assessment data is not shared with healthcare providers, insurers, employers, or any third party without your explicit separate consent. It is never used for profiling, advertising targeting, or automated decision-making with legal effects.
Information collected automatically
When you visit our site, we automatically collect:
- IP address, browser type and version, device characteristics
- Operating system, language preferences
- Pages visited, time spent, referring URLs
2. How Do We Use Your Information?
We process your information to:
- Create and authenticate your account on test.hdi.vision
- Deliver your HDI assessment report and personalised recommendations
- Provide private-by-default individual results and optional user-controlled sharing with an organization administrator
- Provide organization-level dashboards, group statistics, longitudinal comparisons, and retake administration
- Provide data export, anonymization request workflows, and privacy/audit controls
- Process payments via Stripe for the comprehensive assessment
- Respond to your enquiries and contact form submissions
- Improve and develop our services and assessment methodology
- Conduct anonymised academic research (PhD research at Algebra Bernays University)
- Comply with legal obligations under Croatian and EU law
3. Legal Bases for Processing (GDPR)
We only process your personal information when we have a valid legal basis to do so under applicable law:
- Consent - where you have given us explicit consent (e.g. for sensitive assessment data or marketing communications)
- Contract performance - to deliver the services you have purchased or requested
- Legal obligation - where processing is required by law
- Legitimate interests - for security, fraud prevention, and service improvement, where these are not overridden by your rights
4. Do We Share Your Information?
We do not sell your personal information. We may share information with:
- Stripe - for payment processing (comprehensive test purchase)
- Google Analytics - for anonymised website usage analytics
- OpenAI / Anthropic - where AI-powered improvement reports are generated. We minimize the data sent for this purpose: name, email, organization name, and account identifiers are not sent to the AI provider. Assessment data sent to these providers is processed in accordance with their data processing agreements. Data is used solely for generating your report and is not used to train AI models.
- Resend - for transactional email delivery (account verification, invoice delivery)
- Law enforcement or regulatory authorities where required by law
We do not collect any personal information from third parties, and we do not share your individual assessment data with any third party without your explicit consent.
Organization access and privacy by default
If you register with an organization code, your organization may access group-level statistics and dashboards for that organization. Your individual scores, subfacet results, and private improvement reports are private by default. An organization administrator can access your individual results only if you enable sharing in your profile or My Results area. You may turn this sharing off again.
Super admin access to individual user data is restricted to platform administration, support, security, legal compliance, and troubleshooting purposes. Access to individual results and privacy actions is logged in the audit trail.
Organizations as controllers
Where an organization provides access to HDI for employees, students, members, or other participants, the organization may be the controller for the organizational assessment program and HDI may act as processor or independent controller depending on the arrangement. Organizations are responsible for providing appropriate notices, establishing a lawful basis, managing internal access, and using results lawfully and fairly. Where required, organizations should ensure a data processing agreement or equivalent contractual arrangement is in place.
5. Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking technologies to operate our website and improve user experience. These include:
- Essential cookies - necessary for the site and assessment platform to function
- Analytics cookies - Google Analytics, used to understand how visitors use the site (with IP anonymisation enabled)
You can control cookie settings through your browser preferences. Opting out of analytics cookies will not affect your ability to use the site.
6. How Long Do We Keep Your Data?
We retain your personal information for as long as necessary to fulfil the purposes outlined in this notice, or as required by law. Specifically:
- Account data - for the duration of your account plus 2 years after a deletion request
- Assessment data - for the duration of your account, unless anonymized or deleted according to applicable law and platform retention procedures
- Anonymous or aggregated statistics - may be retained for research, benchmarking, service improvement, and longitudinal analysis, provided they do not identify individual users
- Payment records - 7 years (Croatian tax law requirement)
- Audit logs and privacy request records - as needed for security, legal compliance, dispute resolution, and accountability
- Contact enquiries - 2 years from last communication
When an anonymization request is completed, HDI deletes or neutralizes individual answers, individual statistics, and private improvement reports, and removes or replaces direct identifiers where feasible. Purchase records, invoices, audit logs, and other records may be retained where required for legal, tax, accounting, security, or dispute-resolution reasons. Aggregate snapshots do not contain user IDs and are created only for groups with sufficient sample size to reduce re-identification risk.
7. Your Privacy Rights
As a resident of the EEA (including Croatia), you have the following rights under GDPR:
- Right of access - to receive a copy of your personal data
- Right to rectification - to correct inaccurate data
- Right to erasure - to request deletion of your data ("right to be forgotten")
- Right to restrict processing - to limit how we use your data
- Right to data portability - to receive your data in a structured, machine-readable format
- Right to object - to object to processing based on legitimate interests
- Right to withdraw consent - at any time, without affecting the lawfulness of prior processing
Registered users can use the in-app data export and anonymization request tools in their profile. You may also contact us at info@hdi.vision. We will respond within 30 days unless applicable law permits an extension. You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) at azop.hr.
8. Data Security
We implement appropriate technical and organisational security measures to protect your personal information, including authenticated access, role-based access, email verification, privacy-by-default settings, audit logging, administrative privacy request visibility, and data minimization for AI reports. However, no electronic transmission or storage system is 100% secure. We encourage you to use a strong, unique password for your account and to contact us immediately if you suspect unauthorised access.
9. International Data Transfers
HDI.Vision is based in Croatia (EU). Where we use third-party service providers outside the EEA (such as Stripe, OpenAI, or Anthropic), we ensure appropriate safeguards are in place - specifically, Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). By using the Services, you acknowledge that your data may be transferred to and processed in countries outside the EEA as described above.
10. Children's Privacy
Our services are not directed at children under 16. We do not knowingly collect personal information from children under 16 without verified parental consent. If you believe a child has provided us with personal data, please contact us immediately.
11. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of our services after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, data subject access requests, or to exercise your rights:
- Email: info@hdi.vision
- Phone: +385 98 417 311
- Post: Tomislav Krištof, HDI.Vision, Radauševa 4, 10000 Zagreb, Croatia