Privacy Policy
Last updated: 2026-06-13Jump to:
1. Data Controller
Noosaga is currently run by Axel Pond ("we", "us"). For privacy questions or requests, contact axel@noosaga.com. We do not sell personal data.
2. Data We Process
This table describes the main categories. A single request can involve more than one category.
| Category | Examples | Purpose | Legal basis | Retention criteria |
|---|---|---|---|---|
| Account, authentication, and sessions | Email address, sign-in provider identifiers, session cookies, admin flag, and basic authentication events. | Create sessions, keep accounts secure, authorize logged-in features, and prevent abuse. | Contract; legitimate interests for security. | Session tokens expire after about 7 days. Account identifiers are kept until deletion or until no longer needed for an active account. |
| Profile and username | Chosen username, account email linked to that username, profile timestamps. | Display your profile and attribute public Atlas Review posts without exposing your email. | Contract; legitimate interests for public attribution and abuse prevention. | Kept until you change or delete it. Public posts may be anonymized rather than deleted where needed to preserve discussion integrity. |
| Pathfinder questions and saved roadmaps | Question or study goal, level/emphasis/depth choices, generated route, saved roadmap steps, progress status, warnings, model metadata. | Create maps, save roadmaps, let you resume study plans, and improve reliability. | Contract; legitimate interests for service quality and safety. | Saved roadmaps are kept until you delete them or use the account data deletion control. |
| Learning progress and quiz data | Subfield progress, concept completions, quiz counts, points, timestamps, completed frameworks. | Track learning progress, mastery state, and profile statistics. | Contract. | Kept until you delete your account-linked data. |
| Scores and ratings | Scholar's Quest player name/email when supplied, score, article thumbs-up/down ratings, timestamps. | Show scores, record article usefulness feedback, and improve atlas quality. | Contract for account-linked scores; legitimate interests for content quality feedback. | Account-linked scores and ratings are deleted through the profile control. Non-account public score displays may remain without email. |
| Feedback and source suggestions | Feedback type, message, optional email, current page URL, source suggestion URL/title, contextual metadata. | Respond to reports, improve missing or weak atlas areas, and audit source suggestions. | Legitimate interests; consent where you voluntarily provide optional contact details. | Reviewed for deletion or anonymization after resolution. Contact details can be deleted on request. |
| Public Atlas Review/forum replies | Public thread/reply content, display name or username, reports, source-suggestion context, and moderation/approval records. | Let users contribute to public content review, moderate abuse, and preserve review history. | Contract; legitimate interests for public discussion integrity, moderation, and abuse prevention. | Public posts may remain visible until removed or anonymized. Account deletion anonymizes directly linked author names where technically identifiable. |
| Prompts, questions, and AI feature inputs | Pathfinder questions, Literature Survey questions/focus terms, Draft Review text, Paper Guide pasted or uploaded text, Document Classifier text, selected options, generated outputs. | Run the requested AI-assisted feature and return an educational map, guide, survey, classifier result, or critique. | Contract; legitimate interests for safety, abuse prevention, and reliability. | Some generated outputs are saved only when the feature is designed to save them, such as roadmaps. Beta document/draft/survey inputs are not saved as Noosaga application records unless explicitly stated. |
| Scholarly metadata and external-source queries | Literature search terms, metadata/abstract results, Wikipedia/source lookups, atlas source leads. | Find sources, route content, validate labels, and provide source-aware maps. | Contract; legitimate interests for source grounding and content quality. | Search results may appear inside generated outputs. External providers may process query terms under their own logs and policies. |
| LLM/provider telemetry | Model identifiers, request timing, provider errors, token counts, structured diagnostics, and limited safety/reliability metadata. | Operate AI features, debug failures, monitor cost, and investigate abuse or security incidents. | Contract; legitimate interests for security, reliability, and cost control. | Kept only as needed for operations, debugging, billing reconciliation, security, and legal obligations. Provider-side retention is governed by the provider terms. |
| Optional analytics and activation events | Consent state, privacy-safe product events, page/action metadata, coarse activation funnel data. | Understand feature usage and improve product reliability. | Consent. | Internal activation analytics are retained for up to 30 days. |
| Web vitals and performance telemetry | Core web vitals, page path, user agent-derived performance context, timing values. | Find performance regressions and keep the service usable. | Consent when tied to optional analytics; legitimate interests for strictly necessary operational logs. | Internal web vitals telemetry is retained for up to 7 days. |
| Security and operational logs | IP-derived request metadata, timestamps, route, status code, auth signature checks, rate-limit events, errors. | Detect abuse, debug outages, secure the service, and comply with legal obligations. | Legitimate interests; legal obligation where applicable. | Kept for the shortest operational period available in the deployed logging systems, normally no longer than 90 days unless needed for security investigation or legal claims. |
3. AI Processing and Ephemeral Inputs
Noosaga uses AI-assisted systems for atlas drafting, routing, Pathfinder, saved roadmaps, Paper Guide, Literature Survey, Document Classifier, Genealogy, Draft Review, and Atlas Review maintenance. When you use these features, your prompt, question, pasted or uploaded text, selected options, generated output, and relevant atlas context may be sent to OpenRouter and configured model providers so the feature can run.
"Ephemeral" means the submitted text and generated result are not saved as a Noosaga application record in our database for that beta flow. It does not mean there is no processing, no network transit, no security logging, or no provider-side temporary handling. Do not submit sensitive personal data, confidential third-party data, or documents you are not authorized to process. See AI Transparency for a product-level explanation.
4. Purposes and Legal Bases
- Providing core product features, accounts, saved roadmaps, progress, and requested AI tools: GDPR Art. 6(1)(b) contract.
- Security, abuse prevention, debugging, service reliability, public review integrity, and content quality operations: GDPR Art. 6(1)(f) legitimate interests.
- Optional analytics and activation telemetry: GDPR Art. 6(1)(a) consent.
- Legal compliance, regulator requests, and legal claims where applicable: GDPR Art. 6(1)(c) legal obligation or Art. 6(1)(f) legitimate interests.
6. Recipients and Processors
We share personal data only as needed to operate Noosaga, provide requested features, secure the service, or comply with law.
| Recipient or category | Data involved |
|---|---|
| Hosting, database, Redis/cache, queue, and infrastructure providers | Application data, logs, roadmaps, progress records, and operational telemetry needed to run Noosaga. |
| Google authentication | Sign-in data needed to authenticate your account. Google also processes data under its own account and authentication terms. |
| OpenRouter and configured model providers | AI feature requests, relevant atlas context, selected options, and generated outputs needed to provide AI-assisted features. |
| Vercel Analytics, Speed Insights, and Google analytics/ads tags, when enabled | Google consent-mode tag signals before consent, and optional analytics, ads conversion, and performance telemetry after consent. |
| Scholarly and reference providers | Search terms or source lookups sent to providers such as Semantic Scholar, OpenAlex, Crossref, arXiv, Europe PMC, Wikipedia, and related metadata services. |
| Email, support, and security tooling | Messages you send us, optional contact details, operational logs, and abuse/security evidence. |
7. International Transfers
Some providers may process data outside the EEA/UK, including in the United States or other countries where model, hosting, analytics, or metadata providers operate. Where required, we rely on adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, and transfer-risk review. You can contact us for information about the safeguards used for a specific provider. Public source lookups and AI-provider requests can involve international routing even when Noosaga does not store the submitted text as an application record.
8. Retention
| Data | Retention period or criteria |
|---|---|
| Authentication sessions | About 7 days, with refresh while active. |
| Analytics consent cookie | Up to 180 days, or until you change your choice. |
| Saved roadmaps | Until you delete the roadmap or delete account-linked data. |
| Progress, completions, ratings, and account-linked scores | Until you delete account-linked data. |
| Profile username | Until changed, deleted, or anonymized through account deletion. |
| Feedback and support emails/messages | Reviewed after resolution; contact details can be removed on request unless needed for legal, security, or abuse-prevention records. |
| Public forum/review posts | Remain as public discussion or review history unless removed or anonymized. |
| Paper Guide, Draft Review, Literature Survey, and Document Classifier inputs | Not saved as application records for the current beta flows unless explicitly saved by a feature. |
| Noosaga-side LLM/provider telemetry | Normally no longer than 90 days unless needed for debugging, billing reconciliation, abuse/security investigation, legal claims, or provider-controlled retention. |
| Internal web vitals | Up to 7 days. |
| Internal activation analytics | Up to 30 days. |
| Security and operational logs | Normally no longer than 90 days, unless needed for incident response, legal claims, or provider-controlled retention. |
| Backups | Rotated on the hosting/database provider's operational backup schedule; deletion is applied to live systems first and then ages out of backups. |
9. Your GDPR Rights
If GDPR applies to you, you may have the right to access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and rights related to automated decision-making. You can also lodge a complaint with your local supervisory authority.
The profile page lets you export account-linked data as JSON and delete directly linked account data. Deletion removes or unlinks saved roadmaps, progress, completions, ratings, account-linked scores, username profile, feedback contact details, source-suggestion submitter links, and directly identifiable public-review metadata where technically identifiable. Public forum/review content may be anonymized rather than removed when retention is needed for discussion integrity, abuse prevention, legal claims, or freedom of expression. Email us if you need a broader access, correction, objection, restriction, or deletion request.
10. Automated Decision-Making
Noosaga does not use automated decision-making that produces legal effects or similarly significant effects under GDPR Art. 22. AI routing, critique, classification, recommendation, and roadmap generation are educational outputs. They must not be used as the basis for high-impact decisions about a person.
11. Children and Sensitive Data
Noosaga is not directed to children under 16. Do not submit special-category data such as health, biometric, political, religious, union-membership, sex-life, sexual-orientation, racial or ethnic-origin data, or confidential data about another person unless you have a lawful basis and authority to do so.
12. Contact
For privacy questions or requests:
axel@noosaga.com