Privacy Policy
What we collect, why, and your rights.
1. Data we collect
| Category | Examples | Why |
|---|---|---|
| Account | Email, Google profile name, picture URL, Firebase UID | Sign-in and identity (Firebase Auth) |
| Usage | Pages visited, endpoint calls, credits consumed, idempotency keys | Billing, abuse detection, product analytics |
| Research inputs | IP Radar briefs, polymer screening drugs, FTO proposed_product text | Run the analysis you requested. Confidential — per-uid scope only |
| Research outputs | Generated reports, drug briefs, FTO verdicts, polymer compatibility scores | Saved to your job history; downloadable as ZIP; not shared with other users |
| Telemetry | HTTP latency, error codes, Cloud Run revision IDs, request IDs | Reliability monitoring (Cloud Logging, retained 30 days) |
2. Where it's stored
- Firebase Authentication — credentials and session tokens.
- Firestore (research_jobs, credits) — job metadata + audit trail. Region: nam5.
- AlloyDB (ip_radar_brief_templates, fto_verdicts_cache, polymer_lab_jobs) — durable per-user research artifacts. Region: us-central1.
- Cloud Storage (gs://molforge-research-reports) — large research reports (>800 KB), gzipped, Firestore-pointer-referenced.
- Cloud Logging — application logs, 30-day default retention.
3. What we do not do
- We do not sell or share your data with advertising networks.
- We do not use your proposed_product text to train models or share it across users — it stays in the per-uid fto_verdicts_cache.
- We do not retain billing card details — payments are tokenized via Stripe.
- We do not enable third-party trackers other than Google Analytics 4 (anonymized IP, no cross-site advertising).
4. Data shared with third parties
- Google Cloud / Vertex AI / Gemini — for AI inference (claim extraction, FTO scoring, drug brief synthesis). Subject to Google Cloud's data-processing terms; data is not used to train Google's foundation models in the Vertex enterprise tier.
- Google BigQuery — for patent search queries against the public patents-public-data dataset.
- Stripe — for payment processing (when applicable).
- Firebase — authentication, hosting, analytics.
5. Your rights (GDPR / CCPA)
You can:
- Access your data — email [email protected] with your account email.
- Export your research history — every job has a "Download ZIP" action in the recent-jobs panel.
- Delete your account and all associated job data — request via email; we honor within 30 days.
- Object to processing — opt out of analytics in Settings; you can stop using the platform at any time.
- Port your data — JSON export available on request.
6. Cookies
MolForge uses minimal cookies: a session token (Firebase Auth), a theme preference (molforge-theme), and a Google Analytics tracking cookie (_ga) with anonymized IP. No advertising cookies. No cross-site tracking.
7. Children
MolForge is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will delete the account.
8. Security
All traffic is HTTPS-only with HSTS enabled. CSP, X-Frame-Options, and X-Content-Type-Options headers are set. API authentication uses Firebase JWT (>1024-bit RSA signed by Google). Database access is VPC-private (no public IP). Service accounts follow least-privilege.
9. Changes
Material privacy changes will be announced by email and posted on the blog 30 days in advance.
10. Contact
Privacy questions or data requests: [email protected]
Data Protection Officer: Gauthier Bros ([email protected])