Privacy Policy
Effective Date: March 1, 2026 · Last Updated: March 2026
Table of Contents
- Introduction
- What Data We Collect
- How We Use Your Data
- Third-Party Services
- Data Retention
- Account Deletion
- Data Security
- Children's Privacy
- International Data Transfers
- Your Rights Under GDPR (EU Users)
- Your Rights Under CCPA (California Users)
- Cookies and Tracking
- Changes to This Policy
- Contact Us
1. Introduction
PsyStat Nexus ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, web application, and related services (collectively, the "Service").
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service. This Privacy Policy should be read in conjunction with our Terms of Service.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — used for authentication, account recovery, and essential communications.
- Password — stored as a cryptographic hash; we never store plaintext passwords.
- ORCID identifier (optional) — if you choose to link your ORCID for researcher identification.
- Institutional affiliation (optional) — university or organization name you may provide.
- Display name (optional) — a name or alias used within the application.
Account data is stored in our Supabase database with row-level security policies ensuring that users can only access their own records.
2.2 Analysis Data
When you use the statistical analysis features, we store:
- Statistical inputs — datasets, variable configurations, test parameters, and analysis settings you provide.
- Results — computed statistical outputs, effect sizes, confidence intervals, p-values, and generated tables/figures.
- Notes and annotations — any notes, labels, or interpretations you attach to your analyses.
- Saved projects — collections of analyses organized into research projects.
Analysis data is stored in Supabase and is accessible only to you. We do not access, review, or use your analysis data for any purpose other than providing the Service, unless required by law.
2.3 Usage Data
We collect anonymized and aggregated usage information, including:
- Module usage — which modules you open and how frequently (e.g., Stats Studio, Psychometrics, Bayesian Lab).
- Analysis counts — the number and types of analyses performed.
- Feature interactions — which features you use most, navigation patterns, and session duration.
- Error and crash reports — technical data to help us diagnose and fix problems.
Some usage data may be stored locally on your device via AsyncStorage and periodically synced to Supabase for backup and cross-device continuity.
2.4 AI Conversation Data
When you use the AI Assistant feature:
- Messages you send are transmitted to the Anthropic Claude API for processing.
- AI responses are generated by Anthropic's servers and returned to you.
- Conversation history is stored in your Supabase account so you can review past interactions.
We may include contextual information about your current analysis (such as variable names, test types, and summary statistics) in AI prompts to provide relevant assistance. Raw datasets are not sent to the AI by default unless you explicitly include them in your message.
Please refer to Anthropic's Privacy Policy for information on how they handle data sent to the Claude API.
2.5 Device Information
We may collect basic device information, including:
- Device type and model (e.g., iPhone 15, Samsung Galaxy S24).
- Operating system and version.
- App version number.
- Screen resolution and locale/language settings.
- Unique device identifiers (for analytics and crash reporting only).
2.6 Summary of Data Collection
| Data Category | Examples | Storage Location | Required? |
|---|---|---|---|
| Account Data | Email, ORCID, institution | Supabase | Email required; others optional |
| Analysis Data | Inputs, results, notes | Supabase | Created through use |
| Usage Data | Module opens, analysis counts | AsyncStorage / Supabase | Automatic |
| AI Conversations | Messages, AI responses | Supabase / Anthropic | Created through use |
| Device Info | Device type, OS, app version | Analytics service | Automatic |
3. How We Use Your Data
We use the information we collect for the following purposes:
3.1 Providing the Service
- To authenticate your identity and maintain your account.
- To process and store your statistical analyses and results.
- To sync your data across devices.
- To provide AI-powered interpretations and recommendations.
3.2 Personalizing Your Experience
- To customize the AI Assistant's responses based on your research context and usage history.
- To suggest relevant modules, methods, or features based on your usage patterns.
- To remember your preferences, settings, and recently used analyses.
3.3 Improving the Service
- To analyze aggregated, anonymized usage data to understand how the Service is used and identify areas for improvement.
- To diagnose and fix bugs, crashes, and performance issues.
- To develop new features and improve existing statistical methods.
3.4 Advertising (Free Tier Only)
If you are on the Free tier, we display ads through Google AdMob (mobile) and Google AdSense (web). These advertising services may use:
- Device identifiers and general location data (not precise GPS) to serve relevant ads.
- Ad interaction data (impressions, clicks) to measure ad performance.
- Interest-based targeting using data collected by Google's advertising network according to their policies.
We do not share your analysis data, AI conversations, or research content with advertisers. Paid subscribers (Researcher and Scholar tiers) do not see ads and their data is not used for advertising purposes.
You can opt out of personalized ads through your device settings (iOS: Settings > Privacy > Apple Advertising; Android: Settings > Google > Ads).
3.5 Communications
- To send essential service notifications (security alerts, billing confirmations, Terms updates).
- To send optional product updates and feature announcements (you can unsubscribe at any time).
4. Third-Party Services
We use the following third-party services to operate PsyStat Nexus. Each has its own privacy policy governing how they handle data:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage, real-time sync | Account data, analysis data, AI conversation history | supabase.com/privacy |
| Anthropic (Claude API) | AI-powered statistical interpretation and assistance | AI conversation messages, contextual analysis metadata | anthropic.com/privacy |
| Google AdMob / AdSense | Advertising for Free tier users | Device identifiers, ad interaction data | policies.google.com/privacy |
| RevenueCat | Subscription and payment management | Purchase history, subscription status, anonymous user ID | revenuecat.com/privacy |
| Vercel | Web application hosting | IP address, request metadata (standard web server logs) | vercel.com/legal/privacy-policy |
| Railway | Backend API and computation hosting | Analysis requests, statistical computation data (processed server-side) | railway.app/legal/privacy |
We carefully select third-party providers that maintain high standards of data protection. However, we are not responsible for the privacy practices of third-party services, and we encourage you to review their privacy policies.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service to you. Specifically:
- Account data — retained until you delete your account.
- Analysis data — retained until you delete individual analyses or your entire account.
- AI conversation history — retained until you clear your conversation history or delete your account.
- Usage data — aggregated and anonymized usage data may be retained indefinitely for analytics purposes, even after account deletion, as it cannot be linked back to you.
- Billing records — retained for a minimum of 7 years as required by tax and accounting regulations.
When you request account deletion, all personally identifiable data is permanently removed from our active systems within 30 days. Backup systems may retain encrypted copies for up to 90 days before automatic purging.
6. Account Deletion
You can delete your account and all associated data at any time through the following methods:
- In-App: Navigate to Settings > Account > Delete Account. You will be asked to confirm your decision. This action is irreversible.
- By Email: Send a request to moonlit-social-labs@proton.me from the email address associated with your account.
Upon account deletion, the following data is permanently removed:
- Your account profile and credentials.
- All saved analyses, results, datasets, and notes.
- All AI conversation history.
- All usage data linked to your account.
- All subscription information (active subscriptions will be canceled).
We will process deletion requests within 30 days and send a confirmation email upon completion.
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest — data stored in Supabase is encrypted at rest using AES-256.
- Authentication security — passwords are hashed using bcrypt. We support and encourage the use of strong passwords.
- Row-level security — Supabase row-level security policies ensure that users can only access their own data.
- Secure token storage — authentication tokens are stored using Expo SecureStore (mobile) or secure HTTP-only cookies (web).
- Regular security reviews — we periodically review our security practices and update them as needed.
While we strive to use commercially acceptable means to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Children's Privacy
PsyStat Nexus is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and you believe your child under 13 has provided us with personal information, please contact us at moonlit-social-labs@proton.me.
If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to remove that information from our servers within 30 days.
Users between the ages of 13 and 18 may use the Service with the consent and supervision of a parent or legal guardian, in accordance with our Terms of Service.
9. International Data Transfers
PsyStat Nexus operates globally, and your data may be processed and stored in countries other than your own, including the United States. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.
We take appropriate safeguards to ensure that your data is treated securely and in accordance with this Privacy Policy, regardless of where it is processed. These safeguards include:
- Using service providers that comply with recognized data protection frameworks.
- Implementing Standard Contractual Clauses (SCCs) where required for transfers from the European Economic Area (EEA).
- Ensuring all third-party processors maintain adequate security measures.
10. Your Rights Under GDPR (EU Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access — you have the right to request a copy of the personal data we hold about you.
- Right to Rectification — you have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure — you have the right to request deletion of your personal data (see Account Deletion).
- Right to Restriction of Processing — you have the right to request that we limit how we use your data.
- Right to Data Portability — you have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object — you have the right to object to our processing of your personal data, including for direct marketing purposes.
- Right to Withdraw Consent — where processing is based on consent, you have the right to withdraw consent at any time.
- Right to Lodge a Complaint — you have the right to lodge a complaint with a supervisory authority in your EU member state.
Our legal bases for processing personal data under GDPR include:
- Contract performance — processing necessary to provide the Service you requested.
- Legitimate interests — processing for service improvement and security, where our interests do not override your rights.
- Consent — processing based on your explicit consent (e.g., marketing communications, personalized ads).
- Legal obligation — processing required to comply with applicable laws.
To exercise any of these rights, please contact us at moonlit-social-labs@proton.me. We will respond within 30 days.
11. Your Rights Under CCPA (California Users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — you have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share your data.
- Right to Delete — you have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale — you have the right to opt out of the "sale" of your personal information. We do not sell your personal information.
- Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
- Right to Correct — you have the right to request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information — you have the right to limit the use and disclosure of sensitive personal information.
Categories of personal information we collect: identifiers (email, ORCID), internet or other electronic network activity information (usage data), and professional or employment-related information (institutional affiliation).
We do not sell personal information as defined under the CCPA/CPRA. For Free tier users, advertising data shared with Google AdMob/AdSense may constitute "sharing" under the CPRA; you can opt out via your device's ad settings.
To exercise your CCPA rights, contact us at moonlit-social-labs@proton.me or use the in-app account deletion feature. We will verify your identity before processing requests and respond within 45 days.
12. Cookies and Tracking
The PsyStat Nexus web application may use the following tracking technologies:
- Essential cookies — required for authentication and session management. These cannot be disabled.
- Analytics cookies — used to understand how the Service is used. These are anonymized and can be disabled in your browser settings.
- Advertising cookies (Free tier only) — used by Google AdSense to serve relevant ads. These can be managed through your browser's cookie settings or Google's ad settings.
The mobile application uses AsyncStorage for local data persistence and does not use cookies. Advertising identifiers on mobile are managed through your device's operating system settings.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via email and/or an in-app notification at least 30 days before the changes take effect.
- Provide a summary of the material changes.
Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically for the latest information on our privacy practices.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
PsyStat Nexus — Privacy Team
Email: moonlit-social-labs@proton.me
General Support: moonlit-social-labs@proton.me
For GDPR-related inquiries, you may also contact our Data Protection Officer at the email address above with the subject line "DPO Request."
We will make reasonable efforts to respond to all privacy-related inquiries within 30 days.