Privacy Policy

Last updated: March 19, 2026

1. Introduction

This Privacy Policy describes how Cora (the "Service") collects, processes, and protects your information when you use our Voluntary Carbon Market (VCM) research platform. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

Minimal Data Collection

We adhere to the principle of data minimization. Since our platform does not require user accounts or logins, we collect almost no personal information.

Usage Data

  • Chat History: Your chat conversations and history are stored locally in your browser. We do not store your chat history on our servers.
  • User Queries: Text queries submitted through the interface are processed to generate responses but are not permanently tied to any personal identifier.
  • Usage Metrics: Pages visited and time spent (aggregated metrics only for service optimization).

Note: We do not collect or store IP addresses, browser fingerprints, or location data.

Telemetry & Diagnostics

We use Sentry, a monitoring provider, to capture anonymized error, tracing, and performance telemetry. PII collection is disabled by default, and only warning/error console logs are forwarded. Metrics we send are aggregated and do not contain user identifiers.

Cookies and Local Storage

We use essential cookies and local storage to provide basic functionality:

  • Terms acceptance status
  • Cookie consent preferences
  • Chat history and session data (stored locally in your browser)

Feedback Data Handling

If you submit message feedback, we store only the minimum content needed for quality improvement. Feedback text fields are automatically scanned and redacted for common personal identifiers before being written to our backend.

3. How We Use Your Information

We process your data for the following purposes:

  • Service Provision: Generate accurate answers to your queries
  • Performance Optimization: Improve response times through caching
  • Service Improvement: Analyze aggregated usage patterns to enhance quality
  • Security: Prevent abuse and ensure system integrity

Sentry telemetry helps us find slow code paths, debug crashes, and keep the service reliable. All data sent to Sentry is limited to what is necessary for diagnostics, excludes personal identifiers, and is governed by a Data Processing Agreement.

4. Data Protection & EU Hosting

All primary data processing occurs within the European Union (EU) to ensure GDPR compliance:

  • Google Cloud Platform (Belgium): AI inference for answer generation
  • Qdrant Cloud (EU): Vector database for document retrieval
  • Supabase (EU): Persistent caching and usage tracking (anonymized)

Security Measures

  • Encryption of data in transit (TLS 1.3) and at rest
  • Anonymization of cached queries and feedback submissions
  • Because chat sessions are stored locally on your device, you have full control over your data

5. Data Sharing & Transfers

We do not sell, rent, or share your personal information with third parties. We do not transfer personal data outside the EU.

We may share anonymized, aggregated information:

  • With service providers who assist in platform operation (under strict confidentiality and GDPR-compliant agreements)
  • When required by law or legal process
  • To protect our rights, property, or safety

6. Your GDPR Rights

Under GDPR, you have the following rights:

  • Right to Access: Request information about the data we hold
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure (Right to be Forgotten): You can clear your chat history directly from your browser at any time
  • Right to Restrict Processing: Request restriction of data processing
  • Right to Data Portability: Request data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interest

7. Data Retention

We retain information only as long as necessary to provide our services:

  • Chat Data: Stored locally on your device and controlled by you.
  • Query Cache: Automatically expires after 24 hours.
  • Feedback Submissions: Marked with a retention expiry target of 30 days.

8. Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.

10. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us at:

Email: privacy@cora-ai.org