Privacy

Marketing-site analytics events. When you visit the marketing site (this site, contrastscreen.com), PostHog records page views, clicks on "Take the test" buttons, FAQ expansions, and similar navigation signals. The events do not include your name, email, or any input you typed.

Marketing-site session recordings. Microsoft Clarity records cursor movement, clicks, and scrolling, with IP addresses masked. Text input on form fields is automatically scrubbed by Clarity. Recordings are used to understand which parts of the page confuse people, not to identify visitors.

Test-app analytics events (only after consent). On the test app at test.contrastscreen.com (currently also reachable at vcs-test-eight.vercel.app), we show a consent banner the first time you load the page. If you click "Yes," PostHog receives events such as test started, calibration complete, staircase complete, and test complete, with the resulting numbers (threshold contrast, log-CS, area under the curve). If you click "No," nothing is sent. If your browser has Do Not Track enabled, the banner does not appear and analytics stays off by default.

Email addresses (only if you give us one). If you sign up for newsletter updates or request a result by email (a feature that is not yet live), we store your email address to send you what you asked for. We do not subscribe you to anything else.

Account information (only if you create an account). If we launch a paid tier and you decide to use it, Clerk stores your email and password (Clerk handles password storage — we never see your password). Stripe stores your payment information directly; we receive only an indicator that the payment succeeded.

Standard server logs. Our hosting provider (Vercel) records request URLs, IP addresses, and user agents in short-term access logs for security, debugging, and uptime. We do not use these logs to identify individual visitors or to build advertising profiles.

We do not use third-party advertising or cross-site tracking cookies. PostHog drops a single first-party cookie to give each visitor a stable, anonymous ID across page loads — this is what lets a "test started" event and a "test complete" event come from the same browser show up as a single funnel entry rather than two unrelated visits. The cookie carries no personal information.

We also store small bits of state in your browser’s localStorage (which is local to your device — we never read it from a server). The kinds of things stored:

• Your analytics consent decision, so we don't re-prompt you on every visit.
• First-touch and last-touch UTM parameters (where you came from), so we can tell if a particular blog post or ad is helping people find us.
• Your test history — calibration values, completed thresholds, and result curves — so the results page can show you your previous runs.
• Whether you've dismissed the privacy assurance banner.
• If you choose to share a result, the share link metadata so you can find it again.

You can clear all of this by clearing your browser’s site data for our domains.

Opt out of analytics. On the marketing site, you can opt out from the privacy modal in the footer; on the test app, use the "Manage analytics" link in the footer. Either action stops further capture immediately. We also honor your browser’s Do Not Track header without you having to do anything.

Delete locally stored data. Clear your browser site data for the marketing-site domain and for the test-app domain. That removes every value we described in the section above. There is no server-side copy to chase.

Request deletion of account data (when accounts exist). Once the paid tier launches and you have an account, you can request deletion through the account-settings page or by emailing us. We will remove the account and its associated history within 30 days, except where retention is required for a Stripe-related financial record.

For EEA / UK visitors (GDPR-style rights). You have rights of access, rectification, erasure, restriction, portability, and objection regarding your personal data, where applicable. Our lawful basis for processing analytics is your consent (opt-in on the test app; opt-out plus DNT honored on the marketing site); for account data, it is the contract you enter when you create an account. You can withdraw consent at any time. Email the contact below to exercise any of these rights.

For California visitors (CCPA / CPRA-style rights). You have the right to know what personal information we collect, to request its deletion, and to opt out of any "sale" or "sharing." We do not sell or share personal information for cross-context behavioral advertising. You can still ask us, in writing, to confirm and delete any data tied to your account.

VCS-Test is a self-tracking and screening tool, not a medical device. It does not diagnose, treat, or cure any condition. Anything you do here is informational. Talk to a clinician about what your results might mean.

We are not a HIPAA-covered entity. Your test results are not part of a medical record we maintain; they live in your browser, under your control. If you choose to share a result with a clinician (for example, by emailing a PDF in a future version), that copy is governed by whatever privacy practices your clinician uses — not ours.

Questions about this policy, or a request to exercise the rights described above, can go to privacy@contrastscreen.com.