Last Updated: March 14, 2026
1. Introduction
Welcome to Get Causality ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Fuzzy Cognitive Mapping (FCM) analysis platform.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (stored only as a bcrypt hash, never in plaintext; see Section 4)
- Research Data: FCM models, survey data, analysis results you upload or create
- Payment Information: Credit card details, which are entered on and processed by Stripe; we never store card numbers on our own systems
- Profile Information: Organization name, research interests, preferences
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on platform
- Device Information: IP address, browser type, operating system
- Performance Data: Error logs, load times, system performance metrics (collected via Sentry error tracking; PII is scrubbed before transmission to Sentry servers)
3. How We Use Your Information
We use your information for the following purposes:
- Provide Services: Process your FCM analyses, store your models, generate visualizations
- Improve Platform: Analyze usage patterns, identify bugs, enhance features
- Communication: Send account updates, feature announcements, security alerts
- Support: Respond to inquiries, troubleshoot issues, provide assistance
- Security: Detect and prevent fraud, abuse, and security threats
- Legal Compliance: Comply with applicable laws and regulations
4. Data Security (GDPR Article 32)
We implement technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:
- Encryption at Rest: All personally identifiable information (email addresses, names, IP addresses, user agents) is encrypted using AES-256-GCM authenticated encryption before database storage
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+
- Pseudonymization: Survey response identifiers are pseudonymized; email lookups use HMAC-SHA256 hashes rather than plaintext queries
- Password Protection: Passwords are hashed using bcrypt with appropriate cost factors; plaintext passwords are never stored
- Access Controls: Role-based access with least-privilege principles; two-factor authentication (TOTP) and passkey/WebAuthn support
- Session Security: JWT tokens with HttpOnly, SameSite=Strict cookies; CSRF protection via HMAC-signed double-submit cookies with timing-safe comparison; automated session cleanup after 90 days of inactivity
- Audit Logging: Immutable, append-only security event logs with encrypted IP/user agent fields; 2-year retention with tamper detection
- Rate Limiting: Per-endpoint rate limits to prevent brute-force and abuse (e.g., login: 10 attempts per 5 minutes)
- Content Security Policy: Strict CSP headers that disallow inline scripts and restrict script sources, limiting the impact of any cross-site scripting flaw
- Data Minimization: Client-side PII filtering strips personally identifiable columns (IP addresses, GPS coordinates, email, names) from survey data before any processing occurs
- Regular Assessments: Periodic security scans and dependency audits
5. Special Categories of Personal Data (GDPR Article 9)
5.1 What Constitutes Special Category Data
FCM surveys may collect demographic information from respondents that qualifies as "special category" data under GDPR Article 9(1), including but not limited to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Health data
- Data concerning sex life or sexual orientation
5.1.1 Cognitive Profiling Data
When a survey has FCM (Fuzzy Cognitive Mapping) auto-generation enabled, individual cognitive models are derived from each respondent's answers. These models capture how a respondent perceives causal relationships between concepts — constituting psychological profiling data under Article 9. Surveys that generate individual cognitive profiles require explicit respondent consent before participation. No automated decisions are made from these profiles; they are used solely for aggregated scientific research.
Researchers may configure an FCM data retention period, after which personally identifiable information (email, IP address, etc.) is automatically stripped from responses while the anonymized research data is preserved. Once de-identified, cognitive profiles are no longer linked to any individual.
5.2 Lawful Basis for Processing
Where special category data is processed, we rely on GDPR Article 9(2)(j): processing necessary for scientific or historical research purposes, subject to appropriate safeguards as required by Article 89(1). Additionally, where applicable, we rely on the explicit consent of data subjects obtained by the researcher (data controller) per Article 9(2)(a).
5.3 Data Controller vs. Data Processor
Get Causality acts as a data processor for survey response data. The researcher or organization that creates and distributes a survey is the data controller and bears primary responsibility for:
- Obtaining informed consent from survey respondents
- Securing Institutional Review Board (IRB) or ethics board approval where required
- Complying with institutional data governance policies
- Determining the lawful basis for collecting special category data
- Ensuring survey respondents are informed of their rights
5.4 Safeguards for Special Category Data
We implement the following safeguards in accordance with Article 89(1):
- Client-side PII Stripping: Personally identifiable columns are automatically detected and removed from survey data before it leaves the respondent's browser
- Encryption at Rest: All PII fields are encrypted using AES-256-GCM authenticated encryption with per-record initialization vectors
- No Cross-Survey Linking: Respondent data is isolated per survey; we do not link or combine respondent data across different surveys
- Data Minimization: Only the data necessary for FCM analysis is retained; raw PII is stripped before processing
- Configurable Retention: Survey creators can set per-survey data retention periods; expired data is automatically purged
- Access Restriction: Survey response data is accessible only to the survey creator and authorized collaborators
- Browser-Side Analysis: For supported analysis types, all computation is performed entirely within the researcher's browser. Survey data — including any special category demographic data — is never transmitted to our servers for these analyses. This client-side processing architecture is a strong technical safeguard under Article 32: data that never leaves the researcher's device cannot be intercepted in transit or exposed by a breach of our infrastructure, although it remains subject to the security of that device.
5.5 Rights of Survey Respondents
Survey respondents whose data has been collected may exercise their rights under GDPR Articles 15-22 by visiting our Data Rights Portal to request a data export or erasure. You may also contact the survey creator (data controller) directly, or reach Get Causality at [email protected]. We will assist data controllers in fulfilling data subject requests in accordance with Article 28(3)(e).
6. Your Research Data
6.1 Data Usage
- Your research data is used solely to provide services to you
- We do not share your data with third parties without your explicit consent
- We do not use your research data for our own research purposes
- Aggregated, anonymized data may be used to improve our platform
6.2 Data Retention
- Active account data is retained as long as your account is active
- When you delete your account, the data is held for a 30-day grace period during which you can cancel the deletion, then permanently removed by cascade deletion of all associated records
- Backups are retained for 90 days for disaster recovery, so deleted data may persist in backups for up to 90 days after it is removed from the live database
- You can request data export or deletion at any time
7. Third-Party Services
We use the following third-party services:
- Vercel: Website hosting and serverless API functions
- Neon: PostgreSQL database hosting (PII fields are encrypted by our application with AES-256-GCM before they are written to the database, as described in Section 4)
- Stripe: Payment processing (we never store card details)
- Google Cloud: Python API backend hosting for FCM analyses
- Resend: Transactional email delivery (account notifications, verification emails)
- PostHog: Anonymous usage analytics (only loaded with explicit analytics consent; no PII collected)
- Sentry: Error tracking and performance monitoring (PII is scrubbed before transmission)
8. Cookies and Tracking
We use three categories of cookies; the two optional categories each require their own separate consent:
- Functional Cookies (Required): Authentication tokens, CSRF protection, session management, and dark mode preferences. These cannot be disabled as they are essential for the platform to function.
- Analytics Cookies (Optional): PostHog anonymous usage analytics to understand how visitors interact with our platform. Only loaded after you grant explicit analytics consent. No personally identifiable information is collected.
- Marketing Cookies (Optional): Used to measure campaign effectiveness and deliver relevant information about our services. Disabled by default.
You can manage your cookie preferences at any time using the "Manage Cookie Preferences" button below, or via the cookie banner shown on your first visit. Each consent type is individually recorded and synced to our servers for GDPR audit compliance. You can also disable cookies in your browser, but this may limit platform functionality.
9. Your Rights (GDPR & CCPA)
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data
- Portability: Export your data in a machine-readable format
- Objection: Object to processing of your personal data
- Restriction: Restrict how we process your data
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time (GDPR Article 7(3)). Withdrawal is as easy as giving consent — use the "Manage Cookie Preferences" button on this page or your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Complaint: Lodge a complaint with your local data protection supervisory authority if you believe your personal data has been processed unlawfully (GDPR Article 77).
To exercise these rights, contact us at [email protected].
Lawful Basis for Processing (GDPR Article 6)
- Account data (name, email): contractual necessity — required to provide our services (Article 6(1)(b)).
- Analytics data (usage patterns, page views): consent — only collected when you opt in via the cookie preferences panel (Article 6(1)(a)).
- Security data (encrypted IP, audit logs): legitimate interest — necessary to protect against fraud, abuse, and security threats (Article 6(1)(f)).
- Survey research data (special categories): scientific research purposes with appropriate safeguards (Article 9(2)(j)), as detailed in Section 5.2 above.
10. Children's Privacy
Our platform is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us immediately.
11. International Data Transfers
Your data may be processed in the United States and other countries. For transfers from the European Economic Area (EEA) to the United States, we rely on the EU-U.S. Data Privacy Framework where applicable, and Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46(2)(c)) as appropriate safeguards. Our infrastructure providers (Vercel, Neon) maintain their own adequacy mechanisms. You may request a copy of the applicable transfer safeguards by contacting [email protected].
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.
13. Academic and Research Use
14. Beta Testing Specifics
During beta testing:
- We may collect additional feedback and usage data to improve the platform
- Platform features and data handling may change
- We will notify beta testers of any significant changes
- Beta testers can request data deletion at any time
15. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us:
- Email: [email protected]
- Support: [email protected]
- Address: Get Causality, United States
16. Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer at [email protected].