Privacy Policy
Effective Date: April 15, 2026
Last Updated: April 15, 2026
Statory ("Service," "Platform," "we," "us," or "our") is an AI-powered statistical analysis platform operated by Yongchan Shim ("Operator"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website at statory.org and related domains (collectively, the "Website").
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
| Data Type | When Collected | Purpose |
|---|---|---|
| Email address | Account registration | Authentication, communication, account recovery |
| Display name | Account setup (optional) | Personalization |
| Profile photo | Google OAuth (automatic) | Display in UI |
| Uploaded data files | When you initiate analysis | Statistical computation |
| Analysis preferences | When you select options | Providing analysis results |
1.2 Information Collected Automatically
| Data Type | Method | Purpose |
|---|---|---|
| Usage logs | Server logs | Analysis type, frequency, success/failure tracking |
| AI interaction logs | API logging | Service improvement, AI quality monitoring |
| Device information | HTTP headers | Browser type, operating system (for compatibility) |
| IP address | Server connection | Locale detection, abuse prevention |
| Cookies | Browser cookies | Authentication session management |
1.3 Information We Do NOT Collect
- We do not collect payment card numbers (handled entirely by Paddle)
- We do not collect government-issued IDs
- We do not collect biometric data
- We do not use tracking pixels from advertising networks
- We do not participate in cross-site behavioral advertising
2. How We Use Your Information
We use collected information for the following purposes:
2.1 Service Delivery
- Processing your uploaded data to perform statistical analyses
- Generating AI-powered interpretations of your results
- Exporting results in your chosen format (PDF, Excel, clipboard)
- Maintaining your analysis history (if you opt in)
2.2 Service Improvement
- Monitoring analysis engine performance and error rates
- Identifying common usage patterns to prioritize features
- Improving AI interpretation quality based on aggregated, anonymized usage data
2.3 Communication
- Responding to support requests or feedback
- Sending service announcements (e.g., maintenance, new features)
- Sending transactional emails (e.g., password reset, subscription confirmation)
2.4 Security and Legal
- Preventing fraud, abuse, and unauthorized access
- Complying with applicable legal obligations
- Enforcing our Terms of Service
3. How We Handle Your Uploaded Data
This section is critical because Statory processes user-uploaded datasets.
3.1 Data Transmission
Your data is transmitted to our servers over encrypted connections (HTTPS/TLS 1.2+) when you initiate an analysis.
3.2 Data Processing
Statistical computations are performed on our backend servers. Data is held in server memory during the analysis session.
3.3 Data Storage
- Default behavior: Uploaded data files are not permanently stored on our servers. They are processed in memory and discarded after the analysis session ends.
- Browser storage: During the alpha period, data may be cached in your browser's localStorage for session continuity. This data stays on your device.
- Saved results: If you choose to save analysis results to your account, the results (tables, charts, interpretations) are stored in our database. The original uploaded data file is not stored.
3.4 AI Interpretation Data Flow
When you request AI interpretation:
- A summary of statistical results (e.g., test statistics, p-values, effect sizes) is sent to a third-party AI provider (Anthropic Claude API).
- Your raw data is NOT sent to the AI provider.
- The AI provider generates a natural language interpretation based on the summary.
- AI providers may retain interaction data per their own privacy policies. We encourage you to review Anthropic's Privacy Policy.
3.5 Data Deletion
- You may clear locally stored data by clearing your browser's localStorage.
- You may delete saved results from your account's history page.
- You may delete your entire account from the Settings page.
- Upon account deletion, all associated data is removed within 30 days.
4. Cookies and Tracking
4.1 Essential Cookies
We use essential cookies for:
- Authentication: Maintaining your login session (Supabase auth cookies)
- Locale preference: Remembering your language choice (statory-locale)
These cookies are strictly necessary for the Service to function and cannot be disabled while using the Service.
4.2 Analytics (When Enabled)
We may use Google Analytics 4 (GA4) to collect anonymized usage statistics:
- Pages visited, features used, session duration
- Geographic region (country level, not precise location)
- Device category (desktop, mobile, tablet)
Google Analytics data is anonymized (IP anonymization enabled) and is used solely for understanding aggregate usage patterns.
4.3 No Advertising Cookies
We do not use advertising cookies, retargeting pixels, or third-party tracking for ad purposes. We do not sell or share data with advertising networks.
4.4 Cookie Management
You can manage cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.
5. Data Sharing and Disclosure
5.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information or uploaded data to any third party.
5.2 Service Providers
We share limited data with the following service providers, solely for the purpose of operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | AI interpretation | Statistical result summaries (no raw data, no PII) |
| Supabase | Authentication, database | Email, profile, saved results |
| Vercel | Frontend hosting | Standard web server logs |
| Render | Backend hosting | Standard server logs, analysis processing |
| Paddle | Payment processing (when enabled) | Email, country, payment details (handled by Paddle directly) |
| Google Analytics (when enabled) | Usage analytics | Anonymized usage data |
| Sentry (when enabled) | Error monitoring | Error stack traces, browser info (no user data) |
5.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to:
- Comply with a legal obligation
- Protect our rights, property, or safety
- Prevent fraud or address security issues
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users before their data becomes subject to a different privacy policy.
6. Data Security
6.1 Technical Measures
- All data transmission uses HTTPS/TLS encryption
- Database access is restricted by authentication and role-based permissions
- Server infrastructure is hosted on managed platforms (Vercel, Render) with security certifications
- Passwords are hashed using industry-standard algorithms (via Supabase Auth)
6.2 Organizational Measures
- Access to user data is limited to the Operator
- We do not share database credentials with third parties
- We conduct periodic reviews of access permissions
6.3 Limitations
No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use the Service at your own risk.
7. Your Rights
7.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Export: Download your saved analysis results
- Withdraw consent: Stop using the Service at any time
To exercise these rights, contact us at support@statory.org.
7.2 European Economic Area (EEA) - GDPR
If you are in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
Legal Bases for Processing:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Statistical analysis of uploaded data | Contract performance |
| AI interpretation generation | Legitimate interest (service delivery) |
| Usage analytics | Legitimate interest (service improvement) |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
Additional GDPR Rights:
- Right to restriction: Request that we limit processing of your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to lodge a complaint: File a complaint with your local data protection authority
Data Transfers: Your data may be processed on servers located outside the EEA (currently United States). We rely on standard contractual clauses and the data processing agreements of our service providers to ensure adequate protection.
Data Protection Officer: For GDPR inquiries, contact support@statory.org with the subject line "GDPR Request."
7.3 California Residents - CCPA
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we collect, the sources, the business purpose, and third parties with whom we share it.
- Right to delete: You may request deletion of personal information we collected.
- Right to opt-out of sale: We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Categories of Personal Information Collected (past 12 months):
| Category | Examples | Sold? | Shared for Business Purpose? |
|---|---|---|---|
| Identifiers | Email, name, IP address | No | Yes (service providers only) |
| Internet activity | Pages visited, features used | No | Yes (analytics only) |
| Professional info | Institutional affiliation (if provided) | No | No |
To exercise your CCPA rights, email support@statory.org with the subject line "CCPA Request."
7.4 South Korea - PIPA
If you are in South Korea, your data is protected under the Personal Information Protection Act (PIPA, 개인정보 보호법):
- You have the right to access, correct, delete, and suspend processing of your personal information.
- We process personal information based on your consent (provided by using the Service).
- In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by law.
For PIPA inquiries, contact support@statory.org.
8. Sensitive Data - Special Restrictions
8.1 Health Data (HIPAA)
Statory is NOT a HIPAA-compliant service. We do not enter into Business Associate Agreements (BAAs). Do not upload Protected Health Information (PHI). If you work with health data, you must de-identify it in accordance with HIPAA Safe Harbor or Expert Determination methods before uploading.
8.2 Education Data (FERPA)
Statory is NOT a FERPA-compliant service. Do not upload education records containing personally identifiable student information. De-identify all student data before uploading.
8.3 Children's Data (COPPA)
Statory is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such data, we will delete it promptly.
8.4 Your Responsibility
You are solely responsible for ensuring that data you upload does not contain sensitive information prohibited by applicable regulations, or that you have obtained all necessary consents and authorizations.
9. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account information | Until account deletion | Settings → Delete Account |
| Uploaded data files | Session only (not stored) | Automatic after session |
| Browser localStorage | Until manually cleared | Browser settings |
| Saved analysis results | Until you delete them | History → Delete |
| AI interaction logs | Up to 12 months | Automatic purge |
| Usage analytics | Up to 24 months (aggregated) | Automatic purge |
| Server logs | Up to 90 days | Automatic rotation |
Upon account deletion, all personal data is removed within 30 days. Aggregated, anonymized data that cannot identify you may be retained indefinitely for statistical analysis of service usage patterns.
10. Third-Party Links
The Service may contain links to third-party websites or services (e.g., documentation references, YouTube tutorials). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party service you visit.
11. International Data Transfers
Our servers are currently located in the United States (Vercel, Render). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
For EEA users, we rely on:
- Standard Contractual Clauses (SCCs) incorporated into our service provider agreements
- Adequacy decisions where applicable
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will:
- Post the revised Privacy Policy on this page
- Update the "Last Updated" date
- Notify users of material changes via email or a prominent notice on the Website
Continued use of the Service after changes constitutes acceptance of the revised Privacy Policy.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Statory
Email: support@statory.org
Website: https://statory.org
For region-specific requests, use the following subject lines:
- GDPR: "GDPR Request"
- CCPA: "CCPA Request"
- PIPA: "PIPA Request"
- General: "Privacy Inquiry"
We will respond to all requests within 30 days (or sooner as required by applicable law).
See also: Terms of Service.
This Privacy Policy is effective as of the date first written above.