Privacy
Last updated: 2026-05-07
Plain-English summary: most of Nootpedia's "personalization" lives in your browser. If you sign up for an account, we store the minimum needed to give you a profile across devices and let you participate in the community. We don't sell your data. We don't run ad-tracking. We don't claim to be a HIPAA-covered service — don't enter your full medical record into a wiki.
Who we are
Nootpedia is operated by Dylan Spencer (the "operator," "we," "us"). For any privacy question, email d@dylandoesbusiness.com.
What we collect
- Identity (when you sign up): email address and (optional) display name, handled by our auth provider Clerk.
- Profile (anonymous, in your browser): the answers to the "Build my profile" intake — age, sex, goals, current stack, priorities, etc. Stored in localStorage only, unless you opt in to cloud sync from your profile page.
- Tried-history: compounds you mark as tried and the outcome you record (worked / no-effect / side-effects / etc.). Linked to your account when synced.
- Discussion posts: what you post in compound discussion threads, including timestamps and any optional display name. Public by design.
- Edit suggestions: suggestions you submit against a compound page (suggestion text, change type, optional citation).
- Saved stacks: stacks you save or customize from the recommendations engine.
- Poll votes: your option choice plus a session ID so we can dedupe and let you change your vote.
- Page analytics: aggregate page-view metrics via Vercel Web Analytics — no personal identifiers, no fingerprinting, no cross-site tracking.
- Server logs: request metadata (IP, user agent, path, status) kept short-term for abuse/forensics. We don't build profiles off this.
What stays on your device
Most personalization lives in your browser's localStorage and only leaves the device if you opt in to cloud sync. Examples:
- nootpedia_profile_v2 — your intake answers and goals.
- biohacking_profile — legacy profile blob.
- nootpedia_disclaimer_acked_v1 — your medical-disclaimer acknowledgement.
- nootpedia_disclaimer_dismissed_at — when you last dismissed the homepage banner.
- nootpedia_welcomed_v2 — that you've seen the welcome modal.
- theme — your dark/light preference.
- Bookmarks, helpful-marks, and similar UI preferences.
You can wipe all of this at any time by clearing site data in your browser, or by hitting Reset on the profile page.
Lawful basis (GDPR)
For visitors in the EU/UK/EEA, the legal bases we rely on are:
- Consent — for creating an account, opting into cloud sync, and any other action that ships your data off-device. You can withdraw consent at any time by deleting your account.
- Legitimate interest — for short-term server logs, aggregate page analytics, and operating the site (security, fraud/abuse prevention, debugging). We balance this against your rights and use the minimum needed.
- Contract — for the parts of the service tied to your account (saving your profile, returning your saved stacks, etc.).
Third-party processors
We don't run our own infrastructure. The following services process data on our behalf:
- Clerk (identity / authentication) — stores your email and account credentials. Sits behind Cloudflare for delivery. See Clerk's privacy policy.
- Supabase (Postgres database) — stores your synced profile, tried-history, saved stacks, discussion posts, edit suggestions, and poll votes.
- Vercel (hosting + analytics) — serves the site and collects aggregate page-view metrics with no personal identifiers.
- OpenRouter (LLM gateway) — when you use Ask AI or generate recommendations, your prompt is forwarded to a model provider for inference. We do not ship your account email, name, or identity through OpenRouter — only the prompt content you author.
- Sentry (error monitoring, when configured) — may collect error-trace metadata for debugging crashes.
Retention
- Compound recommendation data and editorial content (the wiki itself, including the body of community posts) is kept indefinitely so the wiki stays useful over time.
- Account-linked data (profile, tried-history, saved stacks, edit suggestions, poll votes) is retained until you delete your account, at which point it's hard-deleted.
- Discussion posts are soft-deleted on account deletion: the body is replaced with [deleted] so the thread structure (and other people's replies) stays coherent.
- Server logs are kept for a short period (days to weeks) for forensics, then rotated.
Your rights
Under the GDPR (EU/UK/EEA) and the CCPA/CPRA (California), and as a matter of policy for everyone else, you have the right to:
- Access the data we hold about you.
- Rectify data that's incorrect.
- Erase your data ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Opt out of any non-essential processing (we don't sell or share data for advertising, so there's nothing to opt out of there, but you can withdraw consent for analytics by clearing site data).
- Object to processing based on legitimate interest.
- Lodge a complaint with your local data-protection authority.
Two of these — access (export) and erasure (delete) — are self-service from your profile page:
- Export my data downloads a JSON dump of everything we have linked to your account.
- Delete my account hard-deletes your profile, tried-history, saved stacks, edit suggestions, poll votes, and your Clerk identity, and soft-deletes your discussion posts.
For everything else (rectification, objection, complaints), email d@dylandoesbusiness.com. We aim to reply within 30 days.
Cookies
We don't use third-party advertising or tracking cookies. The cookies that do exist:
- nootpedia_sid — anonymous session ID used to dedupe poll votes (so you can change your vote without double-voting). 1-year expiry, no personal data.
- Clerk auth cookies — set when you sign in, used to keep you logged in. Required for account features.
- Vercel analytics — first-party, anonymous, aggregate. No fingerprinting.
No medical-grade privacy
Nootpedia is not a HIPAA-covered service and is not a registered medical device. Don't submit clinical-record-grade information (diagnosis codes, full lab panels with identifiers, etc.) through forum posts, edit suggestions, or AI chat. If you choose to enter health-adjacent information into the intake, treat it as you would any other consumer wellness app — useful for personalization, not as private as a chart at your clinician's office.
International transfers
Our processors (Clerk, Supabase, Vercel, OpenRouter) are based in or operate from the United States. If you're using Nootpedia from outside the US, your data will be transferred to and processed in the US. These providers each maintain appropriate safeguards (Standard Contractual Clauses where applicable).
Children
Nootpedia is for adults 18+. We don't knowingly collect information from anyone under 18. If you believe a minor has submitted information to us, contact us and we'll remove it.
Changes
Material changes will be reflected by bumping the "Last updated" date at the top and resetting the first-visit acknowledgement gate so returning users see the updated disclaimer.