Privacy Policy

This Privacy Policy describes how Cora (the "Service") collects, processes, and protects your information when you use our Voluntary Carbon Market (VCM) research platform. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Minimal Data Collection

We adhere to the principle of data minimization. Since our platform does not require user accounts or logins, we collect almost zero personal information.

Usage Data

• Chat History: Your chat conversations and history are stored locally in your browser. We do not store your chat history on our servers.
• User Queries: Text queries submitted through the interface are processed to generate responses but are not permanently tied to any personal identifier.

Note: We do not collect or store IP addresses, browser fingerprints, or location data.

Cookies and Local Storage

We use essential cookies and local storage to provide basic functionality:

• Terms acceptance status
• Chat history and session data (stored locally in your browser)

Analytics Data (Consent-Based Only)

If you explicitly consent to analytics cookies via our cookie banner, we collect the following anonymous usage data through PostHog:

• Pages visited and navigation paths
• Session duration and approximate device type

This data is used solely for product improvement. It is not used for advertising, profiling, or sold to third parties.

Feedback Data Handling

If you submit message feedback, we store only the minimum content needed for quality improvement. Feedback text fields are automatically scanned and redacted for common personal identifiers before being written to our backend.

We process your data for the following purposes:

• Service Provision: Generate accurate answers to your queries
• Performance Optimization: Improve response times through caching
• Service Improvement: Analyze aggregated usage patterns to enhance quality (only with your analytics consent)
• Security: Prevent abuse and ensure system integrity

All primary data processing occurs within the European Union (EU) to ensure GDPR compliance:

• Google Cloud Platform (Belgium): AI inference for answer generation
• Qdrant Cloud (EU): Vector database for document retrieval
• Supabase (EU): Persistent caching and usage tracking (anonymized)
• PostHog (EU): Product analytics hosted in the EU (eu.i.posthog.com)

Security Measures

• Encryption of data in transit (TLS 1.3) and at rest
• Anonymization of cached queries and feedback submissions
• Because chat sessions are stored locally on your device, you have full control over your data

We do not sell, rent, or share your personal information with third parties for advertising or profiling.

We share data only with the following processors under GDPR-compliant agreements:

• PostHog: Product analytics (anonymous usage data only, and only if you consent). Data remains in the EU.
• Google Cloud Platform: Cloud infrastructure and AI inference hosting
• Supabase: Database and caching services

We may also share anonymized, aggregated information:

• When required by law or legal process
• To protect our rights, property, or safety

Under GDPR, you have the following rights:

• Right to Access: Request information about the data we hold
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure (Right to be Forgotten): You can clear your chat history directly from your browser at any time. For analytics data held by PostHog, contact us and we will request deletion on your behalf.
• Right to Restrict Processing: Request restriction of data processing
• Right to Data Portability: Request data in a machine-readable format
• Right to Object: Object to processing based on legitimate interest or withdraw analytics consent at any time

We retain information only as long as necessary to provide our services:

• Chat Data: Stored locally on your device and controlled by you.
• Query Cache: Automatically expires after 24 hours.
• Feedback Submissions: Marked with a retention expiry target of 30 days.
• Analytics Data (PostHog): Retained for up to 1 year, after which it is automatically deleted or aggregated beyond identification.

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.

If you have questions about this Privacy Policy or how we handle your data, please contact us at:

Email: privacy@cora-ai.org