Legal

Data Protection & Privacy Policy

Last updated: 28 March 2026

Chisquare is built for organisations that handle sensitive survey data — including data collected from vulnerable populations. We take data protection seriously and are committed to GDPR compliance.

Contents

  1. 1. Who we are
  2. 2. What data we collect
  3. 3. How we use your data
  4. 4. Data storage and security
  5. 5. Your survey data — special protections
  6. 6. Third-party processors
  7. 7. Data retention
  8. 8. Your rights (GDPR)
  9. 9. Cookies
  10. 10. Changes to this policy
  11. 11. Contact us

1. Who we are

Chisquare ("the Platform", "we", "us") is an AI-powered survey data analysis platform operated for NGOs, research firms, academic institutions, and policy units.

For the purposes of the UK and EU General Data Protection Regulation (GDPR), we act as a data controller for account and usage data, and as a data processor for survey datasets you upload.

Contact: privacy@chisquare.app

2. What data we collect

2.1 Account data (controller)

  • Email address and encrypted password (via Supabase Auth)
  • Organisation name
  • Date and time of account creation
  • Last login timestamp

2.2 Project metadata (controller)

  • Project names, descriptions, and research questions you enter
  • Configuration options (template, sampling method, geographic scope)
  • Timestamps of project creation and updates

2.3 Survey data (processor)

  • CSV/Excel files you upload ("datasets")
  • Questionnaire files (Word, PDF, XLSForm) you upload ("instruments")
  • Derived data: column statistics, quality scores, analysis results
  • Generated reports and exported files
Important: We are a data processor for your survey data. You remain the data controller for any personal data about survey respondents. Ensure you have a lawful basis for sharing that data with us.

2.4 Technical data (controller)

  • IP address (logged by Supabase for security purposes)
  • Browser type and version (for technical support)
  • Error logs (anonymised stack traces, no personal data)

3. How we use your data

PurposeLegal basis (GDPR Art. 6)
Providing the analysis serviceContract performance (6(1)(b))
User authentication and account managementContract performance (6(1)(b))
Sending email confirmation and password resetContract performance (6(1)(b))
AI-assisted analysis (Gemini API)Contract performance (6(1)(b)) — see §6
Security monitoring and fraud preventionLegitimate interest (6(1)(f))
Service improvement and bug fixingLegitimate interest (6(1)(f))
Legal compliance and responding to lawful requestsLegal obligation (6(1)(c))

We do not sell, rent, or share your data with third parties for marketing purposes.

4. Data storage and security

All data is stored in Supabase, a PostgreSQL-based platform with the following protections:

  • Row-Level Security (RLS): Each user can only access their own projects. Organisation-based access control prevents cross-user data leakage.
  • Encryption at rest: All database data and file storage is encrypted using AES-256.
  • Encryption in transit: All communication uses TLS 1.2+.
  • Private file storage: Uploaded datasets and questionnaires are stored in private S3-compatible buckets. Access requires a signed URL valid for 7 days.
  • Authentication: Passwords are hashed using bcrypt. Email confirmation is required for new accounts.

We conduct periodic security reviews and apply security patches promptly.

5. Your survey data — special protections

Survey datasets may contain personal data about respondents (names, locations, demographic characteristics). As the uploader, you are the data controller for this data. We act as your processor under a Data Processing Agreement (DPA).

Your responsibilities as data controller:

  • Ensure respondents were informed how their data would be used
  • Obtain necessary consents or have another lawful basis for processing
  • Anonymise or pseudonymise personal data before uploading where possible
  • Do not upload special category data (health, ethnicity, religion) without appropriate safeguards

We process your survey data only to provide the analysis service you requested. We do not use your survey data to train AI models or for any other purpose.

6. Third-party processors

ProcessorPurposeData transferredLocation
Supabase Inc.Database, authentication, file storageAll platform dataUS/EU (selectable)
Google LLC (Gemini API)AI analysis planning, interpretation, report draftingColumn names, aggregated statistics, project context — NOT raw respondent dataUS
Vercel Inc. (optional)Frontend hostingRequest logs, IP addressesUS/EU (Edge)
AI data minimisation: When sending data to the Gemini API for analysis, we send only column names, statistical summaries (means, counts, distributions), and project metadata. We never send raw respondent-level rows to the AI.

7. Data retention

Data typeRetention period
Account dataFor the life of the account + 30 days after deletion request
Survey datasets (uploaded files)Until project is deleted by the user, or account closure + 30 days
Analysis results and reportsSame as survey datasets
Security logs (IP, timestamps)90 days
Error logs30 days

You can delete individual projects (and their associated data) at any time from the dashboard. Account deletion requests are processed within 30 days.

8. Your rights (GDPR)

Under the UK and EU GDPR, you have the following rights regarding your personal data:

Right of access

Request a copy of all personal data we hold about you

Right to rectification

Correct inaccurate or incomplete personal data

Right to erasure

Request deletion of your account and associated data

Right to data portability

Receive your data in a machine-readable format (JSON/CSV)

Right to object

Object to processing based on legitimate interests

Right to restrict processing

Pause processing while a dispute is resolved

Right to withdraw consent

Where processing is based on consent, withdraw it at any time

Right to lodge a complaint

Contact your national data protection authority (e.g. ICO in the UK)

To exercise any of these rights, email privacy@chisquare.app. We will respond within 30 days.

9. Cookies

We use the following cookies:

CookiePurposeDuration
sb-auth-tokenSupabase authentication sessionSession / 1 week
sb-refresh-tokenSupabase session refresh1 week

We do not use tracking, analytics, or advertising cookies. No third-party cookies are set without your consent.

10. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. When we do:

  • We will update the "Last updated" date at the top of this page
  • For material changes, we will notify registered users by email at least 14 days before the change takes effect
  • Continued use of the platform after the effective date constitutes acceptance of the updated policy

11. Contact us

For any questions, concerns, or data subject requests related to this policy:

Email: privacy@chisquare.app

We respond to all data protection queries within 5 business days, and to formal GDPR requests within 30 calendar days.

If you are unsatisfied with our response, you have the right to lodge a complaint with your national supervisory authority. In the UK: Information Commissioner's Office (ICO).

© 2026 Chisquare · Home · Setup Guide