Who we are
Nausika is operated by Andrea di Cagno (Italy). Where this policy refers to "we", the data controller is the same natural person — there is no company entity. For any privacy matter, the contact is privacy@nausika.app.
What we store
When you connect Nausika via OAuth, we keep:
- Account record — your email address, OAuth provider (GitHub or Google), and a hashed session token. Used to authenticate you on subsequent calls.
- Contributed data — boat profile, favorites, ratings, saved routes, and place proposals you submit through the AI assistant. These are tied to your account.
- API request logs — every MCP call your AI assistant makes is logged with tool name, parameters, response payload, your user ID, timestamp, and latency. This includes free-text fields you send (rating comments, favorite notes, place proposal descriptions). Used solely for debugging, abuse prevention, and performance analysis.
Coordinates you submit to your boat profile (your home port) and the latitude/longitude pairs that make up the saved routes you create are personal data once they are tied to your account. They live in the same encrypted PostgreSQL database as the rest of your account record and are never transmitted to third-party services in identifiable form: tool calls that need coordinates (forecast, tides, geocoding) issue plain coordinate queries from the Nausika server, with no account identity attached.
Retention
- Account record & contributed data — retained until you ask us to delete it (see Your rights). Place proposals that have been approved and merged into the shared atlas remain in the dataset under ODbL 1.0 after account deletion, separated from your identity.
- API request logs — automatically deleted after 90 days by a scheduled background job. No manual purge required.
- Operational logs (server-side errors and traces) — automatically deleted after 30 days.
Where the data lives
All personal data is stored in a managed PostgreSQL database hosted by Railway in the European Union region (Amsterdam). Data is encrypted at rest by the platform. Access is limited to the maintainer for incident response.
Subprocessors
The following providers process personal data on Nausika's behalf. They do not receive your data for advertising and they do not profile you across services.
| Provider | Purpose | Data seen | Region |
|---|---|---|---|
| Railway | Application hosting, PostgreSQL database, object storage | All stored data (account, contributed data, request logs) | EU (Amsterdam) |
| GitHub | OAuth sign-in (when you choose Sign in with GitHub) | OAuth handshake, your GitHub email | US (governed by GitHub's policy) |
| Google | OAuth sign-in (when you choose Sign in with Google) | OAuth handshake, your Google email | US (governed by Google's policy) |
| Cloudflare | R2 object storage for place images uploaded via proposals; DNS | Image bytes (no account-identifying metadata in the stored object) | EU + global edge |
External data sources used by Nausika tools (OpenStreetMap, Open-Meteo, NOAA) receive only coordinate queries from the Nausika server — not your IP or account identity. They are documented under licensing terms on Credits.
Cookies & local storage
The marketing site at nausika.app sets no cookies. The MCP server at mcp.nausika.app sets a single OAuth session cookie when you sign in for admin review purposes; it is HTTP-only, Secure, and SameSite=Lax. There is no third-party analytics, no advertising tracker, no fingerprinting.
Your rights
Under the GDPR you have the right to access, rectify, erase, port, and object to the processing of your personal data. To exercise any of these:
- Email privacy@nausika.app from the address tied to your Nausika account, stating which right you wish to exercise.
- We respond within 30 days. Erasure removes your account record, contributed data tied to your identity, and request logs containing your user ID. ODbL-licensed atlas contributions remain in the dataset, dissociated from your identity.
- You may also lodge a complaint with your national data protection authority (in Italy: Garante per la protezione dei dati personali).
Children
Nausika is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has registered, email privacy@nausika.app and we will delete the account.
Changes
Material changes to this policy will be reflected in the last updated date at the top of the page. The current version is binding from that date.
Contact
Email privacy@nausika.app. For data-license take-down notices (ODbL / CC BY) the dedicated address is takedown@nausika.app; see Credits for the data sources at issue.