Privacy Policy

Last updated: 2026-06-13

1. Data Controller

Noosaga is currently run by Axel Pond ("we", "us"). For privacy questions or requests, contact axel@noosaga.com. We do not sell personal data.

2. Data We Process

This table describes the main categories. A single request can involve more than one category.

CategoryExamplesPurposeLegal basisRetention criteria
Account, authentication, and sessionsEmail address, sign-in provider identifiers, session cookies, admin flag, and basic authentication events.Create sessions, keep accounts secure, authorize logged-in features, and prevent abuse.Contract; legitimate interests for security.Session tokens expire after about 7 days. Account identifiers are kept until deletion or until no longer needed for an active account.
Profile and usernameChosen username, account email linked to that username, profile timestamps.Display your profile and attribute public Atlas Review posts without exposing your email.Contract; legitimate interests for public attribution and abuse prevention.Kept until you change or delete it. Public posts may be anonymized rather than deleted where needed to preserve discussion integrity.
Pathfinder questions and saved roadmapsQuestion or study goal, level/emphasis/depth choices, generated route, saved roadmap steps, progress status, warnings, model metadata.Create maps, save roadmaps, let you resume study plans, and improve reliability.Contract; legitimate interests for service quality and safety.Saved roadmaps are kept until you delete them or use the account data deletion control.
Learning progress and quiz dataSubfield progress, concept completions, quiz counts, points, timestamps, completed frameworks.Track learning progress, mastery state, and profile statistics.Contract.Kept until you delete your account-linked data.
Scores and ratingsScholar's Quest player name/email when supplied, score, article thumbs-up/down ratings, timestamps.Show scores, record article usefulness feedback, and improve atlas quality.Contract for account-linked scores; legitimate interests for content quality feedback.Account-linked scores and ratings are deleted through the profile control. Non-account public score displays may remain without email.
Feedback and source suggestionsFeedback type, message, optional email, current page URL, source suggestion URL/title, contextual metadata.Respond to reports, improve missing or weak atlas areas, and audit source suggestions.Legitimate interests; consent where you voluntarily provide optional contact details.Reviewed for deletion or anonymization after resolution. Contact details can be deleted on request.
Public Atlas Review/forum repliesPublic thread/reply content, display name or username, reports, source-suggestion context, and moderation/approval records.Let users contribute to public content review, moderate abuse, and preserve review history.Contract; legitimate interests for public discussion integrity, moderation, and abuse prevention.Public posts may remain visible until removed or anonymized. Account deletion anonymizes directly linked author names where technically identifiable.
Prompts, questions, and AI feature inputsPathfinder questions, Literature Survey questions/focus terms, Draft Review text, Paper Guide pasted or uploaded text, Document Classifier text, selected options, generated outputs.Run the requested AI-assisted feature and return an educational map, guide, survey, classifier result, or critique.Contract; legitimate interests for safety, abuse prevention, and reliability.Some generated outputs are saved only when the feature is designed to save them, such as roadmaps. Beta document/draft/survey inputs are not saved as Noosaga application records unless explicitly stated.
Scholarly metadata and external-source queriesLiterature search terms, metadata/abstract results, Wikipedia/source lookups, atlas source leads.Find sources, route content, validate labels, and provide source-aware maps.Contract; legitimate interests for source grounding and content quality.Search results may appear inside generated outputs. External providers may process query terms under their own logs and policies.
LLM/provider telemetryModel identifiers, request timing, provider errors, token counts, structured diagnostics, and limited safety/reliability metadata.Operate AI features, debug failures, monitor cost, and investigate abuse or security incidents.Contract; legitimate interests for security, reliability, and cost control.Kept only as needed for operations, debugging, billing reconciliation, security, and legal obligations. Provider-side retention is governed by the provider terms.
Optional analytics and activation eventsConsent state, privacy-safe product events, page/action metadata, coarse activation funnel data.Understand feature usage and improve product reliability.Consent.Internal activation analytics are retained for up to 30 days.
Web vitals and performance telemetryCore web vitals, page path, user agent-derived performance context, timing values.Find performance regressions and keep the service usable.Consent when tied to optional analytics; legitimate interests for strictly necessary operational logs.Internal web vitals telemetry is retained for up to 7 days.
Security and operational logsIP-derived request metadata, timestamps, route, status code, auth signature checks, rate-limit events, errors.Detect abuse, debug outages, secure the service, and comply with legal obligations.Legitimate interests; legal obligation where applicable.Kept for the shortest operational period available in the deployed logging systems, normally no longer than 90 days unless needed for security investigation or legal claims.

3. AI Processing and Ephemeral Inputs

Noosaga uses AI-assisted systems for atlas drafting, routing, Pathfinder, saved roadmaps, Paper Guide, Literature Survey, Document Classifier, Genealogy, Draft Review, and Atlas Review maintenance. When you use these features, your prompt, question, pasted or uploaded text, selected options, generated output, and relevant atlas context may be sent to OpenRouter and configured model providers so the feature can run.

"Ephemeral" means the submitted text and generated result are not saved as a Noosaga application record in our database for that beta flow. It does not mean there is no processing, no network transit, no security logging, or no provider-side temporary handling. Do not submit sensitive personal data, confidential third-party data, or documents you are not authorized to process. See AI Transparency for a product-level explanation.

6. Recipients and Processors

We share personal data only as needed to operate Noosaga, provide requested features, secure the service, or comply with law.

Recipient or categoryData involved
Hosting, database, Redis/cache, queue, and infrastructure providersApplication data, logs, roadmaps, progress records, and operational telemetry needed to run Noosaga.
Google authenticationSign-in data needed to authenticate your account. Google also processes data under its own account and authentication terms.
OpenRouter and configured model providersAI feature requests, relevant atlas context, selected options, and generated outputs needed to provide AI-assisted features.
Vercel Analytics, Speed Insights, and Google analytics/ads tags, when enabledGoogle consent-mode tag signals before consent, and optional analytics, ads conversion, and performance telemetry after consent.
Scholarly and reference providersSearch terms or source lookups sent to providers such as Semantic Scholar, OpenAlex, Crossref, arXiv, Europe PMC, Wikipedia, and related metadata services.
Email, support, and security toolingMessages you send us, optional contact details, operational logs, and abuse/security evidence.

7. International Transfers

Some providers may process data outside the EEA/UK, including in the United States or other countries where model, hosting, analytics, or metadata providers operate. Where required, we rely on adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, and transfer-risk review. You can contact us for information about the safeguards used for a specific provider. Public source lookups and AI-provider requests can involve international routing even when Noosaga does not store the submitted text as an application record.

8. Retention

DataRetention period or criteria
Authentication sessionsAbout 7 days, with refresh while active.
Analytics consent cookieUp to 180 days, or until you change your choice.
Saved roadmapsUntil you delete the roadmap or delete account-linked data.
Progress, completions, ratings, and account-linked scoresUntil you delete account-linked data.
Profile usernameUntil changed, deleted, or anonymized through account deletion.
Feedback and support emails/messagesReviewed after resolution; contact details can be removed on request unless needed for legal, security, or abuse-prevention records.
Public forum/review postsRemain as public discussion or review history unless removed or anonymized.
Paper Guide, Draft Review, Literature Survey, and Document Classifier inputsNot saved as application records for the current beta flows unless explicitly saved by a feature.
Noosaga-side LLM/provider telemetryNormally no longer than 90 days unless needed for debugging, billing reconciliation, abuse/security investigation, legal claims, or provider-controlled retention.
Internal web vitalsUp to 7 days.
Internal activation analyticsUp to 30 days.
Security and operational logsNormally no longer than 90 days, unless needed for incident response, legal claims, or provider-controlled retention.
BackupsRotated on the hosting/database provider's operational backup schedule; deletion is applied to live systems first and then ages out of backups.

9. Your GDPR Rights

If GDPR applies to you, you may have the right to access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and rights related to automated decision-making. You can also lodge a complaint with your local supervisory authority.

The profile page lets you export account-linked data as JSON and delete directly linked account data. Deletion removes or unlinks saved roadmaps, progress, completions, ratings, account-linked scores, username profile, feedback contact details, source-suggestion submitter links, and directly identifiable public-review metadata where technically identifiable. Public forum/review content may be anonymized rather than removed when retention is needed for discussion integrity, abuse prevention, legal claims, or freedom of expression. Email us if you need a broader access, correction, objection, restriction, or deletion request.

10. Automated Decision-Making

Noosaga does not use automated decision-making that produces legal effects or similarly significant effects under GDPR Art. 22. AI routing, critique, classification, recommendation, and roadmap generation are educational outputs. They must not be used as the basis for high-impact decisions about a person.

11. Children and Sensitive Data

Noosaga is not directed to children under 16. Do not submit special-category data such as health, biometric, political, religious, union-membership, sex-life, sexual-orientation, racial or ethnic-origin data, or confidential data about another person unless you have a lawful basis and authority to do so.

12. Contact

For privacy questions or requests:

axel@noosaga.com