Privacy Policy
WhyTheyThink.com
Last updated: June 2026
Who We Are
WhyTheyThink.com is based in Ontario, Canada. We built this platform to help parents, adults, and educators better understand neurodivergent thinking profiles. We take the privacy of everyone who uses this platform seriously, especially when it comes to health-related information and data about children.
If you have any questions about this policy, contact us at:
What This Policy Covers
This Privacy Policy explains:
- What personal information we collect and why
- How we use and store that information
- How we protect it
- Your rights under Canadian privacy law (PIPEDA) and, where applicable, Quebec's Law 25 (Act respecting the protection of personal information in the private sector)
- How to reach us with questions or requests
This policy applies to all users of whytheythink.com, including individuals screening themselves, parents screening their children, and educators using the school or educator features.
The Information We Collect
Information You Give Us Directly
Account information: When you create an account, we collect your name and email address. We do not collect your date of birth, phone number, or physical address unless you choose to provide it.
Screening responses: When you complete a screening questionnaire, we store your responses and the computed scores. These are health-related data and are treated accordingly.
Profile information: You may create profiles for yourself, your children, or students. For children and students, we ask only for a first name or initials and an approximate age. We do not require email addresses, dates of birth, or any other identifying information for child or student profiles.
Payment information: When you make a purchase, payment is processed by Stripe. We do not store your credit card number, card details, or banking information on our servers. We store only the transaction reference provided by Stripe.
Affiliate payment information: If you join our affiliate program, we collect a PayPal email address to send commission payments. This is not shared with any third party except as necessary to process payment.
Communications: If you contact us by email or through a contact form, we retain that correspondence.
Information Collected Automatically
Usage data: We collect standard web analytics data including pages visited, time spent on pages, and device type. This is used to improve the platform.
Cookies: We use essential cookies required for the platform to function (session management, authentication). We do not use advertising cookies or third-party tracking cookies. A cookie preference is presented on your first visit.
Referral tracking: If you arrive at our site through an affiliate link, we store a referral cookie for up to 30 days to attribute any purchase to the referring affiliate. This cookie contains only the affiliate identifier -- no personal information.
Information We Do Not Collect
- We do not collect government identification numbers
- We do not collect biometric data
- We do not use your screening data for advertising or sell it to any third party
- We do not collect student email addresses or full names for educator accounts
How We Use Your Information
We use the information we collect to:
- Provide the screening tool and generate your results
- Deliver the reports and PDFs you have purchased
- Deliver deep dive questionnaires and detailed reports you have purchased
- Manage your account and subscription
- Process payments through Stripe
- Send transactional emails (account confirmation, report delivery, subscription receipts)
- Send service-related reminders (re-screening reminders for family and educator plan subscribers)
- Improve the platform through aggregate, anonymised analytics
- Generate anonymised comparison statistics (once sufficient data exists) -- no individual data is ever identified in these statistics
- Respond to your enquiries and provide customer support
- Comply with our legal obligations
We do not use your information for advertising, profiling for marketing purposes, or sale to third parties.
Legal Basis for Processing (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), we collect and use your personal information based on:
Your consent: You consent to the collection and use of your information when you create an account, complete a screening, or make a purchase. You may withdraw consent at any time by contacting us (note that withdrawal may limit your ability to use certain features).
Contractual necessity: We process payment and account information to provide the services you have purchased.
Legitimate interest: We use anonymised, aggregated data to improve the platform. No individual can be identified from this data.
Legal obligation: We may retain certain records to comply with tax or legal requirements.
Quebec Residents -- Law 25
If you are a Quebec resident, you have additional rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25):
- Right to access: You may request a copy of the personal information we hold about you.
- Right to rectification: You may request that inaccurate information be corrected.
- Right to withdrawal of consent: You may withdraw your consent to the collection and use of your personal information at any time.
- Right to de-indexing: Where personal information about you has been made publicly accessible (such as a shared profile link), you may request that we make it inaccessible.
- Right to portability: You may request that we provide your personal information in a structured, commonly-used format.
To exercise any of these rights, contact us at . We will respond within 30 days.
We have appointed a Privacy Officer responsible for compliance with Law 25. Contact:
Health Information
Screening results and responses are health-related information. We treat this data with the highest level of care:
- Screening data is stored in an encrypted database
- Results are visible only to the account holder who created the profile
- We do not share individual screening results with any third party without your explicit consent
- We do not provide screening data to insurance companies, employers, or government agencies
- Aggregate, anonymised statistics may be computed from screening data -- individual responses are never identifiable in these statistics
Important: The WhyTheyThink screening tool is not a diagnostic instrument. Results are not medical records and are not intended to replace professional assessment. We do not store results as medical records and they should not be treated as such.
Children's Privacy
We take special care with information relating to children.
- Child profiles require only a first name or initials and approximate age. No email address or full legal name is required.
- Parents and guardians are responsible for creating and managing child profiles.
- We do not knowingly collect personal information directly from children under the age of 13.
- Educators using the school features may create student profiles with initials only -- no student email addresses or identifying information beyond a first name or initials is required or requested.
- We do not share child profile data with any third party.
- Parents may request deletion of their child's profile and all associated data at any time by contacting .
Sharing Your Information
We do not sell your personal information. We share it only in the following circumstances:
Service providers: We use the following third-party services to operate the platform. Each is bound by their own privacy policy and data processing agreements:
- Supabase (database and authentication hosting) -- data stored in Canadian or US data centres
- Stripe (payment processing) -- PCI-DSS compliant payment infrastructure
- Resend (transactional email delivery)
- Vercel (hosting and delivery infrastructure)
Affiliates: If you are an affiliate, we share your referral statistics with you through your affiliate dashboard. No customer personal information is shared with affiliates. Affiliate partners are bound by our affiliate program terms.
Legal requirements: We may disclose your information if required by law, court order, or government authority. We will notify you of any such request where legally permitted to do so.
Business transfer: In the event of a merger, acquisition, or sale of our business, your information may be transferred. We will notify you in advance and give you the opportunity to delete your account before any such transfer.
International Data Transfers
Some of our service providers may store or process personal information outside Canada, primarily in the United States. These providers include Supabase (database and authentication), Vercel (hosting), and Resend (email delivery).
We have assessed these providers as offering protection comparable to Canadian privacy law, in line with PIPEDA and Law 25 requirements. Where personal information is transferred outside Canada, we rely on contractual safeguards and the providers' security practices to protect your data.
Data Breach Notification
In the event of a data breach that creates a real risk of significant harm to affected individuals, we will notify those individuals and the relevant privacy commissioner(s) without unreasonable delay, as required under PIPEDA and Quebec's Law 25.
Notifications will describe the nature of the breach, the types of information involved, and the steps we are taking to address it. If you believe your account may have been affected by a security incident, contact us immediately at .
Data Retention
We retain your personal information for as long as your account is active or as needed to provide services.
- Account information: Retained until you delete your account
- Screening results: Retained until you delete the profile or your account
- Payment records (including full reports, professional PDFs, assessment guides, and deep dives): Retained for 7 years to comply with tax and legal requirements (Stripe transaction references only, no card data)
- Email communications: Retained for 2 years
- Anonymised analytics: Retained indefinitely (cannot be linked to individuals)
You may request deletion of your account and all associated data at any time. Deletion will be completed within 30 days. Anonymised data that cannot be linked to you cannot be deleted as it does not constitute personal information.
Data Security
We implement the following security measures to protect your information:
- All data is encrypted in transit using TLS
- Database encryption at rest
- Row-level security on all database tables -- users can only access their own data
- Access to production data is restricted to authorised personnel only
- Stripe handles all payment card data in PCI-DSS compliant infrastructure -- we never see or store card numbers
No system is completely secure. If you believe your account has been compromised, contact us immediately at .
Your Rights
Regardless of your province of residence, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that inaccurate or incomplete information be corrected
- Deletion: Request that your personal information be deleted (subject to legal retention requirements)
- Withdrawal of consent: Withdraw consent to the collection and use of your information
- Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca
To exercise any of these rights, email with your name, email address, and the specific request. We will respond within 30 days.
Cookies
We use the following types of cookies:
Essential cookies (always active): Required for authentication, session management, and core platform functionality. Cannot be disabled without preventing the platform from working.
Analytics cookies (optional): Used to understand how users interact with the platform. These cookies are anonymised and do not track you across other websites.
Referral cookies (set only on affiliate link arrival): Store the affiliate identifier for 30 days to attribute a purchase. Contain no personal information.
We do not use advertising cookies, social media tracking cookies, or third-party behavioural tracking of any kind.
You can manage cookie preferences through your browser settings at any time.
Sharing Reports
If you choose to share a profile card or report link publicly, that link becomes accessible to anyone with the URL. We do not index shared profiles in search engines. You can revoke a shared link at any time from your account settings, which will immediately make the link inaccessible.
Changes to This Policy
We may update this policy from time to time. When we make significant changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of the platform after notification constitutes acceptance of the updated policy.
Contact Us
Privacy Officer
WhyTheyThink.com
Email:
For complaints that we are unable to resolve, you may contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
www.priv.gc.ca
Commission d'accès à l'information du Québec (for Quebec residents)
www.cai.gouv.qc.ca