PRIVACY POLICY

Your data,
handled with care.

Last Updated: 21 April 2026 · Effective immediately

This policy applies to all users of AUBAIB.SPACE and all associated subdomains and APIs. The Data Controller is the AUBAIB team (aubaib.mail@gmail.com).

1. Data We Collect

We collect the minimum data necessary to operate the platform, grouped into four categories:

Account data

  • Username, email address, hashed password, date of account creation, email verification status.

Profile data

  • University, country (optional, for discovery filter), avatar configuration (character type, skin, outfit), scholar level, XP, AUBCoin balance, streak count.

Activity data

  • Articles read and bookmarked, quiz submissions and answers, dome sessions entered, leaderboard positions, badges earned, co-study session participation, reading shelf contents, KnowledgeSpark Q&A posts and upvotes, circle membership and notes.

Technical data

  • IP address (for rate limiting and abuse prevention), browser user-agent, session tokens, push notification subscription tokens (if opted in), WebSocket connection identifiers (for real-time presence and chat), server-side request logs.

We do not collect payment card data directly. We do not collect audio or video from users (voice chat was removed from the platform in April 2026). We do not sell your data to any third party.

2. Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR) and Thailand's Personal Data Protection Act B.E. 2562 (PDPA), we process your data on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR / PDPA §24(3))

Account management, authentication tokens, learning progress, certificate generation, and delivering the service you signed up for.

Consent (Art. 6(1)(a) GDPR / PDPA §19)

Analytics cookies, error-monitoring opt-in (Sentry), and push notification subscriptions. You can withdraw consent at any time via the cookie preferences banner or your browser's notification settings.

Legitimate interests (Art. 6(1)(f) GDPR / PDPA §24(5))

Security monitoring, spam and abuse prevention, rate limiting, and platform integrity checks — where our interests do not override your fundamental rights.

3. Authentication Tokens & Sessions

When you log in, we issue a secure API token stored in your browser cookies (aubaib_token / aubaib_user, SameSite=Lax, Secure flag, HttpOnly where applicable). Tokens authenticate all requests to our API. You can invalidate your token at any time by logging out.

Token expiry: tokens are rotated on re-authentication. Sessions that are inactive for 30 days are automatically invalidated server-side.

4. Cookies & Local Storage

Essential (always active)

  • aubaib_token / aubaib_user — authentication
  • aubaib_cookie_consent — consent preference record
  • aubaib_seated_dome — current dome seat indicator (localStorage)
  • Theme, UI preferences (localStorage)

Push Notifications (opt-in)

  • Web Push subscription object stored server-side against your account.
  • Contains: endpoint URL, encryption keys (p256dh, auth).
  • Used only to deliver AUBAIB notifications (e.g. XP milestones, circle activity).
  • Revocable at any time via your browser's site notification settings or Profile → Notifications.

Analytics (opt-in)

  • Vercel Analytics — anonymous page-view counts. No personal identifiers shared.
  • Google Tag Manager (GTM-M8C2X2RM) — tag container. Active only after analytics consent.
  • Sentry — error monitoring with stack traces. Requires analytics consent. Personal data in error payloads is scrubbed before submission.

5. Real-Time Features & WebSocket Data

AUBAIB.SPACE uses persistent WebSocket connections (Django Channels, path /ws/social/chat/…) for:

  • Real-time chat messages in Dome channels and direct messages.
  • Live presence indicators — which users are currently in which Dome.
  • Co-study session coordination.

Chat messages are stored in our database against your account. Presence data (current room, avatar skin) is updated at most every 2 minutes and is stored ephemerally in the database; it is overwritten, not accumulated as a historical log. Chat messages can be deleted by you from the interface; deletion removes the content but may retain a record that a message existed for abuse-investigation purposes for up to 30 days.

6. Sub-processors & Third-Party Services

The following third parties process data on our behalf:

Service | Purpose | Data location | Transfer basis
Render.com | Backend API hosting | Singapore | SCCs
Neon (PostgreSQL) | Primary database | US East | SCCs
Cloudinary | Media hosting (images, avatars) | US / CDN global | SCCs
Resend | Transactional email | US | SCCs
Supabase | Supplementary storage / real-time features | US East | SCCs
Vercel | Frontend hosting + anonymous analytics | Global edge | SCCs
Sentry | Error monitoring (consent-gated) | US | SCCs
Google (GTM/GA) | Tag management + analytics (consent-gated) | US | Adequacy / SCCs

"SCCs" = EU Standard Contractual Clauses (Commission Implementing Decision 2021/914). All sub-processors are contractually bound to process data only on our documented instructions.

7. Data Retention

  • Account and profile data — retained while your account is active.
  • Personal data after account deletion — removed within 30 days.
  • Chat messages — deleted on request; otherwise retained for the life of the conversation.
  • Push notification subscription tokens — deleted when you revoke permission or delete your account.
  • Server request logs — retained for a maximum of 90 days.
  • Anonymised aggregate statistics (e.g. topic heat scores, dome activity counts) — may be retained indefinitely; they cannot be linked back to any individual.
  • Sentry error reports — retained for 90 days per Sentry's default.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required under GDPR Article 33 and PDPA Section 37(1). Affected users will be notified without undue delay where the breach is likely to result in high risk. Notification will be sent to the email address registered on your account.

9. Your Rights

Depending on your jurisdiction, you have the following rights:

  • Access: Request a copy of data we hold about you. Available via Profile → Privacy → Download My Data, or by emailing us.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated data. Available via Profile → Privacy → Delete Account. Processing completes within 30 days.
  • Portability: Receive your data in JSON format via Profile → Privacy → Download My Data.
  • Restriction: Request that we restrict processing while a correction or objection is being resolved.
  • Objection: Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
  • Withdraw consent: Opt out of analytics cookies at any time via the cookie banner. Revoke push notification permission via browser settings.

To exercise any right, email aubaib.mail@gmail.com with the subject "Data Rights Request". We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with your national data protection authority (for EU users) or the Personal Data Protection Committee (PDPC) for users in Thailand.

10. Thailand PDPA Notice

For users in Thailand: your personal data is processed in accordance with the Personal Data Protection Act B.E. 2562 (PDPA). You have the rights set out in Section 9 above and may lodge a complaint with the Office of the Personal Data Protection Committee (PDPC) if you are not satisfied with our response. The main legal bases for processing are contract performance (§24(3)) and consent (§19), as set out in Section 2.

11. Children's Privacy

AUBAIB.SPACE is intended for users aged 13 and older (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has registered an account, please contact us at aubaib.mail@gmail.com and we will delete the account and associated data promptly. Users aged 13–17 should obtain parental or guardian consent before registering.

12. Changes to This Policy

We may update this Privacy Policy. Material changes — defined as changes to the categories of data collected, legal bases, or user rights — will be announced on the platform and via email to registered users at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

13. Contact & Data Controller

Controller: AUBAIB.SPACE (AUBAIB team)

Email: aubaib.mail@gmail.com

Subject line for data requests: "Data Rights Request"

Response time: within 30 days

For general questions, see our Contact page.


© 2026 AUBAIB.SPACE — All rights reserved.

Built in Thailand · Free for students everywhere