Privacy Policy
Effective date: 2026-05-03 Version: 1
Legal disclaimer about this template. This document is a working draft prepared for review. It is not legal advice. Before you process personal data of paying customers — particularly in jurisdictions with stricter regimes such as the EU (GDPR), Brazil (LGPD), or Peru (Ley N° 29733) — you must have a qualified attorney in your jurisdiction review and adapt this text.
This Privacy Policy explains what personal data MathSimulation ("we", "us", "our") collects, why we collect it, how we use it, who we share it with, and what rights you have over it.
1. Data we collect
1.1 Information you provide directly
- Account details: name, email address, profile picture (avatar), and password hash (we never see or store the plaintext password).
- Project content: STEP geometry, sketches, meshes, boundary conditions, materials, simulation results, post-process objects, pictures, animations, reports, and any metadata you create within the Service.
- Payment information: when you subscribe or buy credits, our payment processor (Stripe) collects your card data directly. We store only the customer ID and subscription state — never the card number.
- Support communications: any messages you send to us through the Help / Support form or email.
1.2 Information collected automatically
- Usage logs: which features you use, when, how long simulations run, how much storage your projects consume. Stored in our usagelogs collection and used for billing, capacity planning, and abuse detection.
- Authentication metadata: IP address and user agent at login, failed login attempts, session timestamps. Used for security and brute-force protection.
- Email delivery events: when an email we send to you is delivered, opened, clicked, or bounced, our email provider (Resend) reports the event back to us. Stored in the emaillogs collection.
1.3 Information from third parties
- Google OAuth (if you sign in with Google): Google sends us your name, email, and profile picture. We do not request access to your Gmail, contacts, calendar, or any other Google data.
2. How we use your data
- Provide the Service: authenticate you, store your projects, run your simulations, deliver results.
- Operate and improve: detect bugs, performance regressions, and abuse; plan capacity.
- Communicate with you: transactional emails (sim done / failed / invitations / receipts) and product announcements you have not opted out of.
- Bill you and prevent fraud: for paid features.
- Comply with the law: when we receive valid legal process or must defend against legal claims.
We do not use your project content (geometry, simulations, results) to train machine learning models, sell advertising, or share with third parties for marketing purposes.
3. Who we share data with
We share data only with the following categories of recipients, strictly as needed to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Vercel (USA) | Hosts the web application | Account data, project metadata, served files |
| MongoDB Atlas (AWS, region São Paulo) | Stores account and project metadata | Everything in the mathsimulation database |
| AWS S3 (region us-west-2) | Stores file content (STEP, meshes, results) | Project files |
| Railway (USA) | Hosts the simulation workers | Job payloads while solving |
| Resend (USA) | Delivers email | Recipient address, subject, message body |
| Google (USA) | OAuth sign-in (only if you choose Google) | Sign-in flow |
| Stripe (USA) | Payment processing (when activated) | Email, customer ID, charge amount |
These providers are bound by their own contracts and certifications (SOC 2, ISO 27001, GDPR DPA where applicable). We do not sell data to anyone.
4. Where your data lives
The Service is operated globally; specifically:
- Database (MongoDB Atlas): AWS São Paulo (sa-east-1).
- File storage (S3): AWS Oregon (us-west-2).
- Worker compute: Railway (US-based).
- Web frontend: Vercel (global edge, USA primary).
- Email delivery: Resend (USA).
If you are located in a region with cross-border data transfer restrictions (EU, Brazil), you consent to your data being transferred to and processed in the locations above by accepting these terms.
5. Cookies and similar technologies
We use cookies for essential functionality only:
- Session cookie: keeps you signed in (__Secure-next-auth.session-token).
- CSRF / OAuth state: protects sign-in flows from cross-site request forgery.
We do not use third-party analytics, advertising, or social media tracking cookies.
See our Cookie Policy for the full list.
6. Data retention
- Account data: kept for as long as your account is active.
- Project content: kept for as long as your account is active. Up to 30 days after deletion, recoverable from backups.
- Backups: cloud snapshots retained per the schedule documented internally (typically 30 days for primary backups).
- Usage logs: retained 12 months for billing and capacity analysis, then aggregated or deleted.
- Email logs: retained 12 months for deliverability analysis.
- Authentication logs (failed login attempts, session metadata): retained 90 days for security investigation.
When you delete your account, your data is permanently removed within 30 days, except where we are legally required to retain it (invoicing records, fraud-prevention obligations, etc.).
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or outdated data;
- Delete your account and associated personal data ("right to be forgotten");
- Export your data in a portable format (project content can be downloaded as STEP and standard simulation file formats);
- Object to certain processing activities;
- Withdraw consent for activities you previously consented to;
- Lodge a complaint with the data protection authority in your country (e.g., Autoridad Nacional de Protección de Datos Personales — ANPDP — in Peru).
To exercise these rights, contact us at the email address in section 11. We will respond within thirty (30) days.
8. Security
We implement industry-standard security measures, including:
- Encrypted connections (HTTPS / TLS) for all traffic;
- Encrypted-at-rest storage (AWS S3 SSE-S3, MongoDB Atlas encryption);
- Bucket-private storage with no public access; signed URLs for individual file downloads;
- Bcrypt password hashing (when you use password authentication);
- Per-user rate limits on sensitive endpoints;
- Brute-force protection on login attempts;
- Continuous monitoring of authentication patterns;
- Regular rotation of secrets and API keys.
No system is perfectly secure. If we ever discover a breach involving your personal data, we will notify you and the relevant authority within the time required by applicable law.
9. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect data from anyone under 18. If we learn we have collected data from a child, we will delete it.
10. Changes to this policy
We may update this Policy from time to time. When we do, we will publish the updated version at mathsimulation.com/privacy with a new Effective date and Version. For material changes (new recipients, expanded use of data, longer retention, etc.) we will notify you by email and may require you to re-confirm your acceptance.
11. Contact
For privacy questions or to exercise your rights:
- Email: noreply@mathsimulation.com (replace with the privacy contact once a dedicated mailbox is configured)
- Postal address: (to be added before going live with paid customers in regulated jurisdictions)
If you are located in the EU, the UK, Brazil, or other jurisdictions that require a designated representative, please contact us first and we will respond with the appropriate point of contact.