Privacy Policy
1. Introduction
Welcome to Get Causality ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Fuzzy Cognitive Mapping (FCM) analysis platform.
Who we are (data controller): Get Causality, LLC, a Delaware limited liability company with its registered office at 1209 Orange Street, Wilmington, DE 19801, USA, and principal place of business in Brighton, Massachusetts, USA. For privacy questions, contact [email protected]; our Data Protection Officer can be reached at [email protected].
2. Information we collect
2.1 Information you provide
- Account information: name, email address, password (encrypted)
- Research data: FCM models, survey data, analysis results you upload or create
- Payment information: credit-card details (processed securely by Stripe)
- Profile information: organization name, research interests, preferences
2.2 Automatically-collected information
- Usage data: pages visited, features used, time spent on platform
- Device information: IP address, browser type, operating system
- Performance data: error logs, load times, performance metrics (via Sentry; PII scrubbed before transmission)
3. How we use your information
- Provide services: process FCM analyses, store models, generate visualizations
- Improve platform: analyze usage patterns, identify bugs, enhance features
- Communication: account updates, feature announcements, security alerts
- Support: respond to inquiries, troubleshoot issues
- Security: detect and prevent fraud, abuse, security threats
- Legal compliance: comply with applicable laws and regulations
4. Data security (GDPR Art. 32)
We implement technical and organizational measures appropriate to the risk:
- Encryption at rest: all PII (email, name, IP, user agent) encrypted with AES-256-GCM authenticated encryption before database storage
- Encryption in transit: all data encrypted with TLS 1.2+
- Pseudonymization: survey response identifiers are pseudonymized; email lookups use HMAC-SHA256 hashes
- Password protection: passwords hashed with bcrypt; plaintext never stored
- Access controls: role-based, least-privilege; 2FA (TOTP) and passkey/WebAuthn support
- Session security: JWT tokens with HttpOnly + SameSite=Strict cookies; CSRF protection via HMAC-signed double-submit cookies; automated session cleanup after 90 days idle
- Audit logging: immutable, append-only security event logs with encrypted IP/UA fields; 2-year retention with tamper detection
- Rate limiting: per-endpoint limits (e.g. login: 10 attempts / 5 min)
- Content Security Policy: strict CSP headers, no inline scripts
- Data minimization: client-side PII filtering strips identifiable columns from survey data before any processing
- Regular assessments: periodic security scans and dependency audits
5. Special categories of personal data (GDPR Art. 9)
5.1 What constitutes special-category data
FCM surveys may collect demographic information that qualifies under Art. 9(1):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Health data
- Data concerning sex life or sexual orientation
5.1.1 Cognitive profiling data
When a survey has FCM auto-generation enabled, individual cognitive models are derived from each respondent's answers. These models capture how a respondent perceives causal relationships between concepts — constituting psychological profiling data under Article 9. Surveys that generate individual cognitive profiles require explicit respondent consent before participation. No automated decisions are made from these profiles; they are used solely for aggregated scientific research.
Researchers may configure an FCM data retention period, after which PII (email, IP, etc.) is automatically stripped from responses while preserving the anonymized research data. Once de-identified, cognitive profiles are no longer linked to any individual.
5.2 Lawful basis for processing
Where special-category data is processed, we rely on Art. 9(2)(j): processing necessary for scientific or historical research purposes, with appropriate safeguards under Art. 89(1). Where applicable, we also rely on the explicit consent of data subjects obtained by the researcher (data controller) per Art. 9(2)(a).
5.3 Data controller vs. data processor
Get Causality acts as a data processor for survey response data. The researcher or organization that creates and distributes a survey is the data controller and bears primary responsibility for:
- Obtaining informed consent from survey respondents
- Securing IRB or ethics-board approval where required
- Complying with institutional data-governance policies
- Determining the lawful basis for collecting special-category data
- Ensuring respondents are informed of their rights
5.4 Safeguards for special-category data
- Client-side PII stripping: identifiable columns removed before data leaves the respondent's browser
- Encryption at rest: AES-256-GCM with per-record IVs
- No cross-survey linking: respondent data isolated per survey
- Data minimization: only data necessary for FCM analysis is retained
- Configurable retention: per-survey retention; expired data auto-purged
- Access restriction: response data accessible only to survey creator and authorized collaborators
- Browser-side analysis: for supported analyses, all computation happens in the researcher's browser. Survey data — including special-category demographics — never leaves the device.
5.5 Rights of survey respondents
Survey respondents may exercise their rights under Articles 15–22 via our Data Rights Portal to request a data export or erasure. You may also contact the survey creator directly, or reach Get Causality at [email protected]. We assist data controllers in fulfilling subject requests per Art. 28(3)(e).
6. Your research data
6.1 Data usage
- Your research data is used solely to provide services to you
- We do not share your data with third parties without your explicit consent
- We do not use your research data for our own research
- Aggregated, anonymized data may be used to improve our platform
6.2 Data retention
Our canonical retention schedule is published at our retention schedule reference. Key periods:
- Active account data: retained as long as your account is active
- Deleted account data: 30-day grace period (deletion cancellable via email link), then permanently cascade-deleted
- Backup data: 30 days (one backup-rotation cycle), then permanently overwritten
- Survey responses: retained per the researcher's configured survey retention period; cognitive profiles (extracted_concepts) anonymized at the researcher's configured FCM-retention period
- Audit logs: retained for 2 years (24 months) from the event date for security and regulatory purposes. This retention applies even after account deletion, in accordance with GDPR Art. 6(1)(f) (legitimate interest in security) and Art. 32 (security of processing).
- Payment metadata: retained for 7 years from the last transaction to meet US tax and accounting requirements
- Breach records: retained indefinitely as required by GDPR Art. 33(5) and equivalent regulations
- You can request data export or deletion at any time
6.3 AI / LLM disclosure
Some Get Causality features use a small in-browser language model (Qwen 2.5 0.5B Instruct, served via WebLLM/WebGPU) to assist with FCM construction. We disclose the following:
- Where it runs: entirely in your browser. Your text inputs are not sent to our servers, to OpenAI, to Anthropic, or to any other third-party LLM provider as part of this feature.
- What it produces: suggested concept names and causal-edge candidates. Outputs are advisory — every concept and edge must be reviewed by you before being used in research outputs.
- Limitations: the model is small and has light safety training. Independent red-teaming (NVIDIA Garak, monthly) shows it can be coaxed into off-task or unsafe outputs by adversarial prompts. Treat any unexpected concept names with skepticism. Our threat-model review for this feature is documented at docs/runbooks/LLM_THREAT_MODEL.md in the source repository.
- Optional remote LLM: users may opt to use a local Ollama backend on their own machine for higher-quality extraction. This is also local — no third party — and only used when the user explicitly configures it.
- No automated decisions about you: the LLM features do not make decisions about survey respondents. They only assist the researcher in modelling the structure of their own input text.
7. Third-party services
The current sub-processor list is maintained at /subprocessors. We provide 30 days' advance notice of material changes.
- Vercel: application hosting (frontend CDN + serverless API functions)
- Neon: PostgreSQL database hosting (PII encrypted at the application layer with AES-256-GCM before reaching Neon)
- Cloudflare: edge protection — Web Application Firewall (WAF), DDoS mitigation, bot management (Turnstile), TLS termination. No persistent storage of user data.
- Stripe: payment processing (we never store card details; not active during closed beta)
- Resend: transactional email delivery
- PostHog: two distinct uses — (1) anonymous usage analytics, only loaded with explicit consent; (2) server-side security telemetry under legitimate interest (Art. 6(1)(f)) for fraud and intrusion detection — tagged with category=security, never including email, IP, or response contents.
- Sentry: error monitoring and performance tracking. PII is scrubbed via a beforeSend hook before transmission. Frontend Sentry is consent-gated (loads only with analytics consent and respects Do Not Track); backend Sentry runs for production reliability.
8. Cookies and tracking
We use three categories of cookies, each requiring separate consent:
- Functional (required): auth tokens, CSRF, session, dark mode
- Analytics (optional): PostHog anonymous usage analytics; only loaded after explicit consent
- Marketing (optional): campaign measurement; disabled by default
Manage your cookie preferences at any time. See the Cookie Policy for details.
9. Your rights (GDPR & CCPA / CPRA)
- Access: request a copy of your personal data
- Rectification / Correction: correct inaccurate or incomplete data
- Erasure / Deletion: request deletion of your personal data
- Portability: export your data in a machine-readable format
- Objection: object to processing
- Restriction: restrict how we process your data
- Withdraw consent: where processing is based on consent, you may withdraw at any time (Art. 7(3)).
- Complaint: lodge a complaint with your local data-protection supervisory authority (Art. 77).
- Non-discrimination: we will not retaliate against you for exercising any of these rights.
Exercise these rights at [email protected]. We respond within 14 days for routine requests (regulatory deadlines: 45 days under CCPA / CPRA; one month under GDPR / UK GDPR, extendable as the applicable law permits).
9a. California residents — CCPA / CPRA rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following additional rights:
- Right to know the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the purposes, and the categories of third parties with whom we have shared it.
- Right to delete personal information we have collected from you, subject to exceptions (e.g., to complete a transaction, detect security incidents, comply with legal obligations).
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under Cal. Civ. Code § 1798.140. To confirm our non-sale practices or to direct us never to sell or share your information in the future, use the link below.
- Right to limit the use and disclosure of sensitive personal information. The platform may process "sensitive personal information" under CPRA when survey respondents provide special-category data through researcher-administered surveys. You may direct us to limit the use of such information to that necessary to provide the service. Manage this via the Data Rights Portal or contact [email protected].
- Right to non-discrimination for exercising any of these rights.
Do Not Sell or Share My Personal Information
Authorized agents may submit requests on your behalf with verifiable written permission. Contact [email protected] for the authorized-agent process.
Lawful basis for processing (GDPR Art. 6)
- Account data (name, email): contractual necessity — Art. 6(1)(b).
- Analytics data: consent — Art. 6(1)(a).
- Security data (encrypted IP, audit logs): legitimate interest — Art. 6(1)(f).
- Survey research data (special categories): scientific research — Art. 9(2)(j).
10. Children's privacy
Our platform is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact us immediately.
11. International data transfers
Your data may be processed in the United States and other countries. We rely on the following transfer mechanisms, in order of priority:
- From the EEA to the U.S.: EU-U.S. Data Privacy Framework where the relevant sub-processor is certified; otherwise, Standard Contractual Clauses (Module 2 — controller-to-processor) under Commission Implementing Decision (EU) 2021/914.
- From the UK to the U.S.: UK Extension to the EU-U.S. Data Privacy Framework under the UK Data Protection (Adequacy) (United States of America) Regulations 2024 where applicable; otherwise, the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner.
- From Switzerland to the U.S.: Swiss-U.S. Data Privacy Framework where applicable; otherwise, the SCCs adapted for Switzerland per FDPIC guidance (Switzerland as the Member State; FDPIC as the supervisory authority; Swiss FADP as the applicable law).
A current Transfer Impact Assessment is available on request at [email protected].
12. Changes to this policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or platform notification. Continued use after changes constitutes acceptance.
13. Academic and research use
14. Beta-testing specifics
- We may collect additional feedback and usage data to improve the platform
- Platform features and data handling may change
- We will notify beta testers of significant changes
- Beta testers can request data deletion at any time
15. Contact us
- Email: [email protected]
- Support: [email protected]
- Address: Get Causality, United States
16. Data Protection Officer
For GDPR-related inquiries, contact our DPO at [email protected].