Privacy Policy

Last updated: 2026-05-03

Who we are

Stupidity Test is a novelty digital product operated by AvanVision, an indie maker registered in Australia. Contact details are on the imprint page.

Data we collect

• Email address — provided to you by the payment processor at checkout. Used to deliver your certificate and respond to support.
• Display name (optional) — only what you typed at checkout. Printed on your certificate. Default is “Anonymous” if you skip it.
• Country (ISO-2) — derived from your IP address at checkout time to select the local-currency product. We store the country code only, not your IP.
• Payment data — handled entirely by our payment processor (Polar or Stripe). We never see your card number or full billing address.
• Anonymous analytics — pageviews via Plausible (cookieless, no personal identifiers) and Vercel Analytics. No advertising trackers.

Why we collect it

• Deliver your certificate by email and on the public cert URL.
• Show country-level participation aggregates on the homepage.
• Detect fraud and chargeback patterns (via the processor).
• Respond to support emails.

Sub-processors

• Payment processor (Polar or Stripe) — merchant-of-record / payment processing.
• Resend — transactional email delivery.
• Vercel — web hosting + Vercel Analytics.
• Supabase — database (PostgreSQL) hosting in EU/AU regions.
• Plausible — cookieless analytics (EU-hosted, GDPR-compliant).

Your rights

Under GDPR (EU/EEA), UK GDPR, CCPA (California), and the Australian Privacy Principles, you have the right to:

• Access the data we hold about you.
• Request rectification of inaccurate data.
• Request erasure (see “Erasure model” below).
• Object to certain processing.
• Receive a copy of your data in a portable format.

Submit a request via the data subject access request form. We respond within 30 days.

Erasure model — anonymize, not delete

Your certificate URL stays public forever: the sequence number is part of an immutable public record (it’s your receipt and the basis for our public counter). When you request erasure, we:

• Replace the display name on your certificate with “Anonymous” (within 30 days of confirming your request).
• Delete your email address and email hash from our database.
• Regenerate the PNG and PDF artifacts to reflect the anonymization.

You may request full deletion of all data, including the certificate row itself, via the same form. We’ll comply, but the public counter and aggregate data are unaffected (we only know we lost a row, not whose).

Retention

• Certificate metadata (number, country, currency, score, tier, share token): retained indefinitely. Public.
• Email + email hash: deleted within 30 days of an erasure request.
• Webhook + product event logs: 90 days, then anonymized to monthly aggregates.

Cookies

We use only essential cookies (CSRF protection, session). Plausible is cookieless. We do not use advertising or cross-site trackers. No cookie banner is shown because we don’t set anything that requires consent.

Children

This product is for users 18 years of age or older. We attest this at checkout via a three-step age + waiver flow. If you believe a person under 18 has purchased a certificate, contact us via /contact and we will refund and erase the record.

International transfers

Our hosting is primarily in the EU and Australia. Data may transit through US sub-processors (Vercel, Resend, payment processor). Standard Contractual Clauses (SCCs) apply where required.

Changes

We will update this page when our practices change and update the “Last updated” date above.