GDPR Data Protection Addendum
Document: docs/legal/data-protection.md
Version: v1.0
Effective date: 2026-05-22
Applies to: EU/EEA users
1. Purpose of This Document
This document is a GDPR-specific addendum to the Privacy Policy. It supplements that policy with the operational detail that a Data Protection Authority (DPA) or EU/EEA user would expect under Regulation (EU) 2016/679 ("GDPR"). Where the Privacy Policy provides the general data-handling baseline, this addendum covers controller/processor relationships, sub-processors, international transfers, data-subject rights enumeration, breach-notification commitments, and DPO designation status.
EU/EEA users should read both documents together. In the event of conflict between this addendum and the Privacy Policy on a GDPR-specific matter, this addendum takes precedence for EU/EEA users.
2. Definitions
The following terms have the meaning given in GDPR Article 4 (Regulation (EU) 2016/679). The summaries below are operational paraphrases of the statutory definitions; the authoritative text is the consolidated GDPR as published by EUR-Lex.
| Term | GDPR Art. | Operational paraphrase |
|---|---|---|
| Personal data | Art. 4(1) | Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. |
| Processing | Art. 4(2) | Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Controller | Art. 4(7) | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Processor | Art. 4(8) | A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. |
| Data subject | Art. 4(1) | An identified or identifiable natural person whose personal data is processed (see "Personal data" above). |
| Consent | Art. 4(11) | Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. |
| Personal data breach | Art. 4(12) | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
| Cross-border processing | Art. 4(23) | Either (a) processing of personal data in the context of activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data in the context of activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. |
3. Controller Identity
For the purposes of GDPR Article 4(7), the data controller for personal data processed via the Noah's Ark Chrome extension is:
| Field | Value |
|---|---|
| Controller name | Hộ Kinh Doanh Võ Thị Huyền Vân – Cố Vấn Độc Lập |
| Entity type | Vietnamese household business (hộ kinh doanh, independent-consultant trade) |
| Principal | Võ Thị Huyền Vân |
| Business registration number | 046171000354 |
| Registered address | 19 Trương Công Định, Phường Tân Bình, Thành Phố Hồ Chí Minh, Việt Nam |
| Contact email | levuminhphuc2007@gmail.com |
The Household Business determines the purposes and means of processing personal data through Noah's Ark. All references to "we," "us," or "our" in this addendum refer to Hộ Kinh Doanh Võ Thị Huyền Vân – Cố Vấn Độc Lập.
The operating developer is Lê Vũ Minh Phúc, who acts under and on behalf of the Household Business.
4. Processor Identities and Roles
The Household Business engages the following processors. Each processes personal data on behalf of the Household Business under the data flows described below. All processor relationships are governed by the respective processor's published Data Processing Addendum or equivalent contractual terms.
4.1 Google LLC / Google Cloud (Infrastructure Processor)
| Field | Detail |
|---|---|
| Role | Infrastructure processor for Firebase Auth, Firestore, Cloud Functions, and Cloud Storage — the backend platform on which Noah's Ark runs |
| Data received | Firebase authentication tokens; Firestore document writes including user profile fields (email, display name, photo URL, username), discussion posts, votes, presence heartbeats, rate-limit counters, and usage-meter documents |
| Retention by processor | Subject to Google Cloud's Data Processing Addendum (DPA) and applicable Service Specific Terms; Google processes data to provide the contracted service and deletes or returns it upon contract termination per the DPA |
| DPA / transfer mechanism | Google Cloud Data Processing Addendum (Customers), which incorporates Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) for transfers outside the EEA |
| Privacy policy URL | https://policies.google.com/privacy |
| DPA URL | https://cloud.google.com/terms/cloud-data-processing-addendum |
4.2 Perplexity AI (AI Research Processor)
| Field | Detail |
|---|---|
| Role | AI research processor; receives research queries generated server-side from the user's highlighted claim text and intent |
| Data received | Research query strings derived from highlighted claim text and discussion context. No Firebase UID, email, or display name is sent. |
| Retention by processor | Perplexity AI processes user queries pursuant to its publicly available privacy policy. |
| Transfer mechanism | Perplexity AI is US-based; transfers are governed by the terms set out in Perplexity AI's publicly available privacy policy. |
| Privacy policy URL | (see provider website) |
4.3 xAI (Grok) (AI Research Processor)
| Field | Detail |
|---|---|
| Role | AI research processor; receives research queries generated server-side from the user's highlighted claim text |
| Data received | Research query strings derived from highlighted claim text and discussion context. No Firebase UID, email, or display name is sent. |
| Retention by processor | xAI processes user queries pursuant to its publicly available privacy policy. |
| Transfer mechanism | xAI is US-based; transfers are governed by the terms set out in xAI's publicly available privacy policy. |
| Privacy policy URL | (see provider website) |
4.4 Google Gemini (AI Research and Embeddings Processor)
| Field | Detail |
|---|---|
| Role | AI research and embeddings processor (distinct from Google Cloud's infrastructure role above); the @google/generative-ai SDK is called server-side for embeddings and research generation |
| Data received | Research query strings and embedding inputs derived from highlighted claim text and discussion context. No Firebase UID, email, or display name is sent. |
| Retention by processor | For Paid Services: prompts and responses logged for a limited period solely for detecting and preventing violations; Grounding results retained up to 30 days (per Gemini API Additional Terms of Service, effective 2026-03-23). |
| Transfer mechanism | Google Gemini API Additional Terms of Service reference the "Data Processing Addendum for Products Where Google is a Data Processor," which incorporates SCCs under GDPR Art. 46(2)(c). VERIFIED via Gemini API Additional Terms of Service (effective 2026-03-23). |
| Privacy policy URL | https://policies.google.com/privacy |
| DPA / Terms URL | https://ai.google.dev/gemini-api/terms |
4.5 Anthropic (AI Synthesis Processor)
| Field | Detail |
|---|---|
| Role | AI synthesis processor; receives synthesis prompts (retrieved evidence + user intent) for the Critic and Synthesizer roles in the copilot pipeline |
| Data received | Synthesis prompt containing retrieved research evidence and the user's question intent. No Firebase UID, email, or display name is sent. |
| Retention by processor | Users can delete individual conversations, which are removed immediately from conversation history and automatically deleted from Anthropic's backend within 30 days (per Anthropic Privacy Policy, effective 2026-01-12). |
| Transfer mechanism | Anthropic is US-based. SCCs adopted under GDPR Art. 46(2)(c) — Anthropic's Privacy Policy (effective 2026-01-12) states: "The European Commission has approved contractual clauses under Article 46 GDPR that allows companies in the EEA to transfer data outside the EEA." VERIFIED via Anthropic Privacy Policy (https://www.anthropic.com/legal/privacy). |
| Privacy policy URL | https://www.anthropic.com/legal/privacy |
5. Lawful Bases per Processing Activity
Per GDPR Article 6(1), each processing activity requires a lawful basis. The table below maps our processing activities to their lawful basis.
| Processing activity | Data involved | Lawful basis | GDPR Art. |
|---|---|---|---|
| User account creation and authentication | Email, display name, photo URL, Firebase tokens, username | Performance of contract — the user explicitly signs in to access the discussion platform | Art. 6(1)(b) |
| Discussion posting and voting | Post text, votes, presence heartbeats, timestamps | Performance of contract — posting and voting are the core contractual service | Art. 6(1)(b) |
| AI evidence requests (copilot) | Highlighted claim text, user intent, derived research queries | Performance of contract — the user explicitly invokes the copilot feature; supplemental Art. 6(1)(a) consent applies for any AI processing flagged in-app | Art. 6(1)(b); Art. 6(1)(a) (supplemental) |
| Anti-abuse and rate limiting | Rate-limit counters (copilotRateLimit, copilotMeter, user_metadata) | Legitimate interests — operating a non-abusive service and protecting AI pipeline resources | Art. 6(1)(f) |
| Entity-discovery proposals (proposed_tickers) | Detected ticker, source hostname, NLP confidence score, UID | Performance of contract — entity detection is the core NLP sensor feature | Art. 6(1)(b) |
| Server-side telemetry (ai_telemetry) | Request ID, timing, cost, model used, token counts (no user PII) | Legitimate interests — internal product quality measurement | Art. 6(1)(f) |
The ai_telemetry collection is retained for up to 90 days for operational integrity (product-quality measurement and abuse detection), then purged by a scheduled worker.
6. Special Categories of Personal Data (GDPR Art. 9)
We do not process special-category personal data as defined in GDPR Article 9(1). Specifically, we do not collect or process data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation
Noah's Ark is a financial-discussion platform. Users discuss stocks, cryptocurrencies, and companies. No aspect of the service requires or solicits any of the above special categories.
7. Data Subject Rights
EU/EEA users have the following rights under GDPR Chapter III. For the operational procedure to exercise any of these rights (response timelines, identity verification, contact channel), see Privacy Policy §11.
| Right | GDPR Article | What it means in practice |
|---|---|---|
| Right of access | Art. 15 | You may request a copy of your personal data we hold and information about how we process it. |
| Right to rectification | Art. 16 | You may request correction of inaccurate personal data. For example, if your stored username or email is wrong, you can request it be corrected. |
| Right to erasure ("right to be forgotten") | Art. 17 | You may request deletion of your personal data where processing is no longer necessary, consent is withdrawn, you object under Art. 21, or processing was unlawful. Note: data deleted at your request is hard-deleted; it cannot be user-restored. Posts removed by moderators are subject to a separate moderation policy. |
| Right to restriction of processing | Art. 18 | You may request that we restrict processing of your data (e.g., while a rectification request is pending or while an objection is assessed). |
| Notification obligation | Art. 19 | Where we carry out rectification, erasure, or restriction under Arts. 16–18, we notify each recipient to whom your data was disclosed, unless impossible or disproportionate. We will inform you of those recipients upon request. |
| Right to data portability | Art. 20 | Where processing is based on consent or contract and is carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller. |
| Right to object | Art. 21 | You may object at any time to processing based on legitimate interests (Art. 6(1)(f)), including profiling. We stop processing unless we demonstrate compelling legitimate grounds overriding your interests. Note: we do not conduct direct marketing; the absolute right to object to direct marketing processing under Art. 21(2) is therefore not triggered. |
| Right not to be subject to automated decision-making | Art. 22 | You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. This right is not triggered by Noah's Ark: the AI copilot is advisory only (it suggests evidence; the user decides what to post), and the gravity ranking algorithm is non-individualized (it scores posts, not persons, using public signals). |
To exercise any of these rights, contact us at levuminhphuc2007@gmail.com. See Privacy Policy §11 for operational procedure and response timelines.
8. International Data Transfers
Most processors we engage are based in the United States, which is not designated as a country with an adequate level of data protection under GDPR Article 45. Transfers to these processors are therefore governed by GDPR Chapter V.
Applicable transfer mechanisms:
- Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) — the European Commission-approved clauses that provide appropriate safeguards for transfers to third countries. These are the primary transfer mechanism we rely on for US-based processors.
| Processor | Transfer mechanism | Verification status |
|---|---|---|
| Google Cloud (Firebase / Firestore / Functions) | SCCs incorporated in Google Cloud DPA (Appendix 3) | VERIFIED — Google Cloud DPA (https://cloud.google.com/terms/cloud-data-processing-addendum) |
| Google Gemini | SCCs via Google Data Processing Addendum for Products (reference in Gemini API Terms) | VERIFIED — Gemini API Terms (https://ai.google.dev/gemini-api/terms, effective 2026-03-23) |
| Anthropic | SCCs under GDPR Art. 46 — confirmed in Anthropic Privacy Policy (effective 2026-01-12) | Anthropic Privacy Policy (https://www.anthropic.com/legal/privacy) |
| Perplexity AI | Pursuant to Perplexity AI's publicly available privacy policy | (see provider website) |
| xAI (Grok) | Pursuant to xAI's publicly available privacy policy | (see provider website) |
General principle: All transfers occur under GDPR Art. 44, which requires that the level of protection guaranteed by GDPR is not undermined by transfers to third countries. The SCC mechanism, where in place, satisfies this requirement.
9. Sub-processor List
The following sub-processors process personal data on our behalf. We commit to notifying users of material sub-processor changes. Per GDPR Art. 28(2), engaging a new sub-processor or replacing an existing one requires our prior specific or general written authorisation; where general authorisation is used, we give notice of sub-processor changes so users have the opportunity to object.
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC (Firebase Auth, Firestore, Cloud Functions, Cloud Storage) | Infrastructure | USA / global | Google Cloud DPA with SCCs |
| Perplexity AI | AI research | USA | Pursuant to provider's publicly available privacy policy |
| xAI (Grok) | AI research | USA | Pursuant to provider's publicly available privacy policy |
| Google LLC (Gemini API) | AI research / embeddings | USA / global | Google DPA for Products with SCCs |
| Anthropic | AI synthesis | USA | SCCs (Anthropic Privacy Policy) |
We do not engage sub-processors for purposes unrelated to operating the Noah's Ark service. The current list is accurate as of the effective date of this addendum (2026-05-22). We will update this section and notify users at least 30 days before any material change to the sub-processor list.
10. Data Retention
For the canonical retention schedule, see Privacy Policy §9. The following is a summary for EU-user convenience.
| Data | Retention period |
|---|---|
| User profile (Firestore users/{uid}) | Retained while the account is active; deleted upon verified erasure request |
| Discussion posts (discussions/{slug}/posts/{postId}) | Retained while the discussion room exists; subject to soft-delete on user request (hard-delete available on erasure request) |
| Votes | Retained while the associated post exists |
| Presence heartbeats | Auto-expire via 5-minute TTL in Firestore |
| AI evidence cache (evidence_cache) | 4 hours (temporally sensitive) / 24 hours (stable) cache-validity window; hard-purged 7 days after creation by a scheduled worker |
| Server-side telemetry (ai_telemetry) | Retained for up to 90 days, then purged by a scheduled worker |
| Rate-limit / quota counters | Rolling window (per-day, per-month keys) |
| proposed_tickers suggestions | Retained for the operational lifetime of the entity-discovery sensor; subject to periodic review |
| Firebase Auth tokens | Rotated automatically by Firebase; not stored in Firestore |
11. Data Breach Notification
GDPR Art. 33 — Notification to supervisory authority: Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification will include, to the extent then known: nature of the breach; categories and approximate number of data subjects and records affected; likely consequences; measures taken or proposed to address the breach.
GDPR Art. 34 — Notification to affected data subjects: Where the breach is likely to result in a HIGH risk to the rights and freedoms of natural persons, we will notify affected data subjects without undue delay, directly and in plain language.
Operational commitments:
- Incident triage within 24 hours of becoming aware of a potential breach.
- User-facing notification via in-extension banner and email on file where Art. 34 notification is required.
- Supervisory authority notification within the 72-hour GDPR Art. 33 window where notification is required.
12. Data Protection Officer (DPO)
Under GDPR Article 37, designation of a DPO is mandatory only when:
- (a) processing is carried out by a public authority or body (except courts acting in their judicial capacity);
- (b) the controller's or processor's core activities consist of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- (c) the controller's or processor's core activities consist of processing on a large scale of special-category data (Art. 9) or data relating to criminal convictions (Art. 10).
The Household Business does not meet any of these criteria:
- We are a private household business, not a public authority.
- Our core activity is operating a financial-discussion forum; this does not involve large-scale systematic monitoring of natural persons.
- We do not process special-category or criminal-conviction data.
We have therefore NOT designated a DPO. All data-protection inquiries route to levuminhphuc2007@gmail.com.
13. Supervisory Authority
EU/EEA users have the right to lodge a complaint with the competent national data protection authority in their EU member state, per GDPR Article 77. A full list of national DPAs (EDPB member authorities) is published at:
European Data Protection Board (EDPB) member authorities: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
You may also bring judicial proceedings in your member-state courts per GDPR Art. 79.
Cross-jurisdictional note: For inquiries that also engage Vietnamese data-protection law (Decree 13/2023/ND-CP), the relevant authority is the Ministry of Public Security of Vietnam (Bộ Công an). This is not the primary path for EU users but is disclosed for completeness.
14. Records of Processing Activities
Per GDPR Article 30, we maintain internal records of processing activities. These records include: controller and contact details, processing purposes, categories of data subjects and personal data, categories of recipients, third-country transfers and their mechanisms, and, where possible, retention periods. The records are not published for general user access but are available to supervisory authorities on request.
15. Changes to This Addendum
This addendum is versioned. The current version is v1.0, effective 2026-05-22.
Where a change materially affects the processing of your personal data in a way not previously disclosed, we will notify EU/EEA users as required by GDPR Article 13(3) (where data was collected from you) or Article 14(4) (where data was obtained from other sources). Notification will be via in-extension notice or email on file, with reasonable advance notice before the change takes effect.
16. Contact
For privacy inquiries, data-subject rights requests, or questions about this addendum:
- Email: levuminhphuc2007@gmail.com
- Phone: 0918425016
- Postal address: 19 Trương Công Định, Phường Tân Bình, Thành Phố Hồ Chí Minh, Việt Nam
We aim to respond to all data-subject rights requests within 30 days of receipt (extendable by a further two months for complex requests, per GDPR Art. 12(3), with notice).
17. Sources Cited
| Source | URL |
|---|---|
| GDPR (Regulation (EU) 2016/679) — EUR-Lex OJ | https://eur-lex.europa.eu/eli/reg/2016/679/oj |
| GDPR consolidated text (EUR-Lex CELEX:32016R0679) | https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679 |
| Google Cloud Data Processing Addendum (Customers) | https://cloud.google.com/terms/cloud-data-processing-addendum |
| Google Gemini API Additional Terms of Service | https://ai.google.dev/gemini-api/terms |
| Anthropic Privacy Policy (effective 2026-01-12) | https://www.anthropic.com/legal/privacy |
| EDPB member authorities | https://www.edpb.europa.eu/about-edpb/about-edpb/members_en |
| Google Privacy Policy | https://policies.google.com/privacy |