Privacy Policy
Last Updated: November 3, 2025
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address - Used for account recovery and important service notifications
- Username - Your chosen display name
- Password - Stored securely using one-way cryptographic hashing (we cannot see your password)
- Account tier - Subscription level for access control
1.2 Usage Data
We automatically collect:
- Analysis jobs - Your gematria analysis requests and custom database usage
- Custom databases - Words and phrases you add to your personal databases
- Session data - Login sessions and authentication state
1.3 IP Address Collection
GDPR Notice: IP addresses are considered Personal Data under GDPR Article 4(1).
We collect IP addresses for the following legitimate interests (GDPR Article 6(1)(f)):
- Rate limiting - Prevent abuse and denial-of-service attacks
- Security monitoring - Detect brute-force login attempts and suspicious activity
- Session management - Validate login sessions from consistent locations
- Fraud prevention - Identify and block malicious actors
Retention period:
- Rate limiting data: Expires after the rate limit window (typically 1 minute), entries become inactive
- Security logs: Retained for 90 days for incident investigation
- Server access logs: Retained for 30 days (standard practice)
IP address processing:
- IP addresses are NOT stored with your account or user data
- IP addresses are NOT used for tracking, profiling, or marketing
- IP addresses are NOT shared with third parties
- IP-based rate limiting is anonymous (no link to user accounts)
Legal basis: Legitimate interest in protecting our service and users from security threats (GDPR Article 6(1)(f)).
1.4 What We DON'T Collect
We do NOT use:
- ❌ Google Analytics or tracking cookies
- ❌ Advertising or marketing cookies
- ❌ Social media tracking pixels
- ❌ Third-party data brokers
- ❌ Behavioral tracking or profiling
2. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Account data (email, username, password) | Performance of contract | Article 6(1)(b) |
| Custom databases, analysis jobs | Performance of contract | Article 6(1)(b) |
| IP addresses (rate limiting, security) | Legitimate interest | Article 6(1)(f) |
| Session cookies | Strictly necessary | ePrivacy Directive |
Legitimate Interest Assessment (IP Addresses):
- Purpose: Prevent denial-of-service attacks, brute-force attempts, and abuse
- Necessity: Essential for service availability and security
- Balancing test: Protection of all users outweighs minimal privacy impact of temporary IP storage
- Mitigation: IP addresses are not linked to user accounts, used only for rate limiting
3. How We Use Your Information
We use your data only to:
- Provide the service - Process gematria analysis, store custom databases
- Maintain your account - Authentication, session management, tier-based features
- Ensure security - Rate limiting, abuse prevention, account protection
- Communicate with you - Important service updates (we don't send marketing emails)
- Improve the platform - Aggregate usage statistics (no individual tracking)
4. Cookies & Tracking
4.1 Essential Cookies Only
We use only strictly necessary cookies for the website to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
session |
Authentication & session management | Session (deleted when browser closes) |
No consent required: These cookies are exempt from GDPR consent requirements as they are strictly necessary for the service to function.
5. Data Storage & Security
- Encryption: All connections use industry-standard HTTPS/TLS encryption
- Passwords: Stored using secure one-way cryptographic hashing (passwords cannot be recovered)
- Database security: Secured with access controls and encryption at rest
- Rate limiting: Protection against brute-force attacks and abuse
- Regular updates: Security patches applied promptly
- Access controls: Strict authentication and authorization measures
6. Data Retention
- Account data: Retained until you delete your account
- Analysis jobs: Retained for 30 days, then automatically deleted
- Custom databases: Retained until you delete them or your account
- Rate limiting data: Expires after rate limit window (typically 1 minute)
- Security logs: Retained for 90 days for incident investigation
7. Data Sharing & Third Parties
We do NOT sell, rent, or share your personal data with third parties.
Limited exceptions:
- Legal requirements: If required by law or to protect our rights
- Service providers: Hosting infrastructure (data processors bound by contract)
We do NOT share data with:
- ❌ Advertisers or marketing companies
- ❌ Data brokers or analytics services
- ❌ Social media platforms
- ❌ Any third party for commercial purposes
8. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your account and data
- Portability: Export your custom databases
- Restriction: Limit how we process your data
- Objection: Object to data processing (where applicable)
To exercise these rights, contact us at: support@gematria.codes
9. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
10. International Data Transfers
Your data may be transferred to and stored on servers outside your country. We ensure appropriate safeguards are in place to protect your data according to GDPR standards.
11. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the new policy.
12. Contact Us
Questions about this privacy policy or your data?
- Email: support@gematria.codes
🛡️ Our Commitment
Your privacy matters. We built this platform for truth seekers, not advertisers. We collect only what's necessary, protect it rigorously, and will never sell your data.