Privacy Notice — Noah's Ark
Version: 1.0
Effective date: 2026-05-22
Last updated: 2026-05-22
1. Identity and Contact
Data controller:
Hộ Kinh Doanh Võ Thị Huyền Vân – Cố Vấn Độc Lập
(Vietnamese registered household business / hộ kinh doanh, independent-consultant trade)
Principal: Võ Thị Huyền Vân
Business registration number: 046171000354
Registered address: 19 Trương Công Định, Phường Tân Bình, Thành Phố Hồ Chí Minh, Việt Nam
The Household Business is referred to as "we" in this notice. Developer operating under the Household Business: Lê Vũ Minh Phúc.
Contact for privacy matters:
Email: levuminhphuc2007@gmail.com
Phone: 0918425016
Business registration is made under applicable Vietnamese law governing household businesses (hộ kinh doanh). Disclosure of the registration number and registered address in this notice satisfies the commercial-disclosure obligation applicable to hộ kinh doanh.
2. Scope
This notice covers:
- The Noah's Ark Chrome extension (version 1.3, Manifest V3), identified by extension ID mcmdnfalhfjfojifmhihdoophopldefl.
- The server-side Cloud Functions backend (editorAction, proposeEntity, claimUsername, claimLegacyPosts) and associated Firestore database operated on Google Cloud under Firebase project noah-s-ark-4ee2d.
This notice does not cover third-party websites that Noah's Ark operates on. Those sites have their own privacy policies.
For EU users, see also data-protection.md (the GDPR-specific addendum).
For software license terms, see end-user-license-agreement.md.
For the service relationship contract, see terms-of-service.md.
3. What We Collect (and What We Do Not)
3.1 Client-side storage (local to your browser)
The extension stores the following in chrome.storage.local or chrome.storage.session. This data lives in your browser and is not transmitted unless explicitly noted.
| Key | Storage type | Purpose |
|---|---|---|
| creator_uuid | local | Pre-authentication identity anchor that ties anonymous posts to your account via claimLegacyPosts. Source: node.js/discuss.js:825. |
| FAB position ({side, yPercent}) | local | Your preference for the floating-action-button position. Source: node.js/fab.js:305. |
| lastContext (popup) | local | The entity most recently viewed in the popup, for display continuity. Source: node.js/popup.js:356. |
| entityPool, lastContext (background) | local | The aggregated set of financial entities the NLP engine has detected for the active tab. Source: node.js/background.js:1086. |
| discovery_queue | local | Entities the NLP engine flagged as candidates for the entity dictionary; sent in batches to the proposeEntity Cloud Function. Source: node.js/background.js:1173. |
| lastSync | local | Timestamp of the last sync with backend reference data. Source: node.js/background.js:1201. |
| lock_${tabId} | session | Per-tab lock so a high-confidence URL match overrides NLP noise. Source: node.js/background.js:1137. |
| Copilot working state (STORAGE_NAMESPACE) | local | Cached AI evidence and research bundles for re-render after the popup closes. Source: node.js/copilot.js:138,929. |
3.2 Authentication data
When you sign in with Google:
- Firebase ID tokens — issued by Firebase Auth; managed in extension memory by the Firebase JS SDK; rotated automatically. Not persisted directly to chrome.storage.
- Google account email — from the email OAuth2 scope.
- Google display name — from the profile scope.
- Google profile photo URL — from the profile scope.
All three Google fields are optional. You may use Noah's Ark anonymously using a creator_uuid until you choose to sign in.
- Username — optional; user-chosen; unique per platform; validated via the claimUsername Cloud Function.
3.3 Server-side Firestore collections (user-initiated writes)
Your actions in the extension cause writes to these Firestore collections:
| Collection | What it stores | Who initiates |
|---|---|---|
| discussions/{slug}/posts/{postId} | Discussion post text, timestamps, soft-delete flag, derived gravity score. | You (explicit post action) |
| discussions/{slug}/posts/{postId}/votes/{uid} | Your vote (+1 or −1) on a post. | You (explicit vote action) |
| discussions/{slug}/presence/{uid} | Presence heartbeat; auto-expires via 5-minute TTL. | You (implicit on room entry) |
| proposed_tickers/{suggestionId} | NLP-detected entity candidate: suggested ticker, source hostname, NLP confidence, your UID. | Automatic on NLP discovery |
| users/{uid} | Private profile: email, displayName, photoURL, username, tier, settings. | You |
| users/{uid}/copilotRateLimit/global | Rolling token counter for AI evidence rate limiting. | System (incremented on copilot use) |
| users/{uid}/copilotMeter/{dayKey} | Per-day usage meter (Pro tier). | System |
| users/{uid}/copilotDeepenMeter/{monthKey} | Per-month deepen quota. | System |
| user_metadata/{uid} | Server-side rate-limit and hygiene metadata. | System |
| user_quotas/{uid} | Per-user quota state. | System |
| usernames/{username} | Unique username reservation document. | You (on claim) |
3.4 Server-only collections (not written or read by the extension client)
| Collection | Purpose | Retention |
|---|---|---|
| evidence_cache/{cacheKey} | Sub-cache for the copilot pipeline; keyed by SHA-256 of concatenated query strings. | 4 hours (temporally sensitive queries) / 24 hours (stable queries) cache-validity window; hard-purged 7 days after creation by a scheduled worker. |
| ai_telemetry/{requestId} | Per-request telemetry: timing, cost, model used, token counts. No user PII fields. | Retained for up to 90 days, then purged by a scheduled worker. |
| rag_knowledge/{docId} | Server-side knowledge base for retrieval-augmented copilot responses; 768-dimension vector index. | Indefinite (curated reference corpus). |
| tickers, aliases, site_rules | Read-only reference data managed by the Household Business. | Indefinite. |
3.5 What we do not collect
- Additional personally identifiable information. No real-name mandate, no national ID numbers, no postal addresses, no phone numbers beyond those you choose to put in discussion posts.
- Financial information. Hosting discussions about publicly traded stocks and cryptocurrencies does not constitute collection of financial information. We do not collect bank account credentials, brokerage API keys, portfolio holdings, net worth, or transaction history.
- Health information. None.
- Location data. No Geolocation API calls, no IP-to-city lookups, no geographic data stored or transmitted.
- Web browsing history. Content scripts run only on the explicitly enumerated finance and crypto host patterns in node.js/manifest.json. We do not see, store, or transmit pages outside that list. We do not maintain a session log of visited URLs.
- Personal communications. No email scraping, no chat-channel access.
- Payment information. No payment flow exists in the current version. If a Pro billing flow ships, it will route through a third-party payment service provider — not through our systems.
4. Purposes of Collection
| Data category | Primary purpose |
|---|---|
| creator_uuid | Pre-authentication identity continuity; migrates anonymous posts to verified account on sign-in. |
| FAB position | Persisting your UI preference across browser restarts. |
| entityPool, lastContext, lastSync, lock_${tabId} | Powering the NLP entity sensor: detecting and caching the financial entity on the current page. |
| discovery_queue / proposed_tickers | Expanding the entity dictionary when the NLP engine detects a candidate ticker not already in the reference data. |
| Copilot working state | Re-rendering AI evidence and research bundles after popup close without a new server call. |
| Firebase ID tokens + Google email / display name / photo URL | Authentication and account identity for the discussion platform. |
| Username | User-chosen display identity; uniqueness enforced per platform. |
| Discussion posts and votes | Core product function: collaborative discussion and post ranking. |
| Presence heartbeat | Live participant count in discussion rooms. |
| copilotRateLimit, copilotMeter, copilotDeepenMeter, user_quotas | Rate limiting and quota enforcement for the AI evidence pipeline. |
| user_metadata | Server-side anti-abuse and hygiene. |
| evidence_cache | Reducing duplicate AI provider calls; lowering latency for repeated queries. |
| ai_telemetry | Internal measurement of AI pipeline cost, latency, and quality. No user PII. |
5. Legal Bases for Processing
5.1 Vietnam PDPL — Decree 13/2023/NĐ-CP
Vietnam's Personal Data Protection Law (effective 2023-07-01) is our primary governing regime.
| Processing activity | Basis under Decree 13/2023/NĐ-CP |
|---|---|
| Operating the discussion platform; storing posts, votes, presence | Performance of service — processing necessary for contract performance under Decree 13/2023/NĐ-CP |
| Optional Google sign-in; collecting email, displayName, photo | Consent — freely given, specific, informed, unambiguous, under Decree 13/2023/NĐ-CP |
| AI evidence feature (editorAction pipeline) | Consent — user explicitly triggers the feature, under Decree 13/2023/NĐ-CP |
| Rate limiting, anti-abuse (user_metadata, user_quotas, copilotRateLimit) | Legitimate interests of the Household Business — protecting the service from abuse, under Decree 13/2023/NĐ-CP |
| Entity discovery (discovery_queue, proposed_tickers) | Legitimate interests — improving dictionary quality, proportionate to service purpose, under Decree 13/2023/NĐ-CP |
Data subjects have the right to withdraw consent at any time. Withdrawal does not affect lawfulness of processing based on consent before the withdrawal.
5.2 GDPR — for EU/EEA users
GDPR (Regulation (EU) 2016/679) applies to users in the EU/EEA by virtue of the extension being made available to persons in the EU (Art. 3(2) territorial scope).
| Processing activity | Lawful basis (Art. 6(1)) |
|---|---|
| Operating the discussion platform; storing posts, votes, presence | Art. 6(1)(b) — processing necessary for the performance of a service contract |
| Optional Google sign-in; collecting email, displayName, photo URL | Art. 6(1)(a) — consent |
| AI evidence feature | Art. 6(1)(a) — consent (user explicitly triggers) |
| Rate limiting, anti-abuse | Art. 6(1)(f) — legitimate interests (protecting the service from abuse; not overridden by data subjects' interests given the minimal data involved) |
| Entity discovery (proposed_tickers) | Art. 6(1)(f) — legitimate interests (improving entity dictionary; proportionate) |
| Server-only telemetry (ai_telemetry) | Art. 6(1)(f) — legitimate interests (internal quality measurement; no PII fields) |
5.3 CCPA — for California residents
CCPA (California Civil Code §§1798.100 et seq., as amended by CPRA) is a disclosure-only regime for our purposes. We are a "business" as defined in §1798.140.
We do not "sell" personal information as defined in §1798.140(ad). We do not share personal information for cross-context behavioral advertising. We do not use personal data to determine creditworthiness or for lending. The three CWS certification checkboxes confirmed in docs/cws/privacy-disclosure.md apply here.
This notice satisfies the right-to-know notice obligation of §1798.115.
6. Third-Party Processors
6.1 Firebase / Google Cloud
Role: Infrastructure provider — Auth, Firestore, Cloud Functions, Storage.
Relationship: Controller (Household Business) – Processor (Google Cloud EMEA Limited and affiliates) under the Google Cloud Data Processing Addendum, which incorporates Standard Contractual Clauses for international transfers.
What is sent: All Firestore data described in §3.3–§3.4; Firebase Auth tokens; Cloud Functions invocations.
What is NOT sent: Anything not described in §3.
6.2 Perplexity AI
Role: Research data provider in the AI evidence pipeline.
What is sent: Research queries derived from the user-highlighted claim text and discussion context intent. Source: node.js/functions/index.js:1714.
What is NOT sent: The user's Firebase UID, email, display name, or any Firestore document content unrelated to the specific copilot request.
Caching: Responses cached server-side in evidence_cache (4h / 24h TTL) to reduce duplicate calls.
6.3 xAI (Grok)
Role: Research data provider in the AI evidence pipeline.
What is sent: Research queries derived from claim text. Endpoint: https://api.x.ai/v1 (OpenAI-compatible). Source: node.js/functions/index.js:1796.
What is NOT sent: Firebase UID, email, display name, or unrelated Firestore content.
6.4 Google Gemini
Role: Embeddings generation and research in the AI evidence pipeline.
What is sent: Research queries and embedding inputs derived from highlighted claim text. Endpoint: https://generativelanguage.googleapis.com via @google/generative-ai SDK.
What is NOT sent: Firebase UID, email, display name, or unrelated Firestore content.
6.5 Anthropic Claude
Role: Synthesis (Critic and Synthesizer roles) in the AI evidence pipeline.
What is sent: Synthesis prompt with retrieved evidence and the user's question intent. Endpoint: https://api.anthropic.com via @anthropic-ai/sdk.
What is NOT sent: Firebase UID, email, display name, or unrelated Firestore content.
6.6 What is never sent to any AI provider
The user's Firebase UID, email address, and display name are never sent to Perplexity, xAI, Google Gemini, or Anthropic Claude. All AI provider calls are made server-side by the editorAction Cloud Function. The extension client never directly calls any of these providers.
7. International Data Transfers
US-based providers: Perplexity AI, xAI, and Anthropic Claude are US-based. Transfers of EU-resident personal data (in the form of claim text and intent) to these providers occur under Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Art. 46(2)(c), or equivalent appropriate safeguards. We rely on each provider's applicable data processing terms.
Google / Firebase: Operates globally. Google Cloud's Data Processing Addendum includes SCCs covering transfers from the EEA to Google infrastructure outside the EEA (GDPR Art. 46).
Vietnam PDPL: Cross-border transfers of personal data are conducted in accordance with the obligations set out in Decree 13/2023/NĐ-CP.
8. Retention
| Data category | Retention period |
|---|---|
| chrome.storage.local entries | Until extension uninstall or you clear extension storage. |
| chrome.storage.session entries | Until browser session ends. |
| Firestore user data (users/{uid}, usernames/{username}, user_metadata/{uid}, user_quotas/{uid}, copilotRateLimit, copilotMeter, copilotDeepenMeter) | Until account deletion. We delete all user-keyed documents when an account is deleted. |
| Discussion posts (discussions/{slug}/posts/{postId}) | On soft-delete: post text is nulled immediately; only the deleted:true flag and deletedAt timestamp remain. The tombstone record is hard-deleted 30 days after soft-delete by the purgeTombstonedPosts scheduled worker. Source: node.js/functions/purgeTombstonedPosts.js. |
| Votes | Until account deletion. |
| Presence heartbeat | Auto-expires via 5-minute TTL in Firestore. |
| proposed_tickers entries | Retained indefinitely as part of the entity dictionary. Your UID is included in the entry; you may request deletion per §9. |
| evidence_cache | 4 hours (temporally sensitive queries) / 24 hours (stable queries) cache-validity window; hard-purged 7 days after creation by a scheduled worker. |
| ai_telemetry | Retained for up to 90 days, then purged by a scheduled worker. Used for internal product-improvement purposes. |
| rag_knowledge, tickers, aliases, site_rules | Indefinite (curated reference data maintained by the Household Business). |
9. Your Rights
9.1 Rights under Vietnam PDPL — Decree 13/2023/NĐ-CP
- Right to access — obtain confirmation that your data is processed and access a copy, under Decree 13/2023/NĐ-CP.
- Right to correction — request correction of inaccurate data, under Decree 13/2023/NĐ-CP.
- Right to deletion — request deletion of personal data we hold about you, under Decree 13/2023/NĐ-CP.
- Right to restrict processing — object to processing and request restriction in certain circumstances, under Decree 13/2023/NĐ-CP.
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time. Withdrawal does not affect processing already done.
Response deadline under Vietnam PDPL: within the period required by applicable Vietnamese law.
See also terms-of-service.md for the dispute-resolution clause applicable under Vietnamese law.
9.2 Rights under GDPR — for EU/EEA users
- Art. 15 — Right of access: obtain confirmation whether we process your data and receive a copy.
- Art. 16 — Right to rectification: request correction of inaccurate personal data.
- Art. 17 — Right to erasure ("right to be forgotten"): request deletion when data is no longer necessary, consent is withdrawn, or data was processed unlawfully.
- Art. 18 — Right to restriction of processing: pause processing while accuracy or legitimacy is contested.
- Art. 20 — Right to data portability: receive your data in a structured, machine-readable format and transfer it to another controller (applies where processing is consent- or contract-based and automated).
- Art. 21 — Right to object: object at any time to processing based on Art. 6(1)(f) (legitimate interests). We will stop processing unless we demonstrate compelling legitimate grounds.
- Art. 22 — Rights related to automated decision-making: we do not make solely automated decisions that produce legal or similarly significant effects on you. The gravity ranking algorithm ranks community posts, not individuals, and produces no legal effects.
Response deadline under GDPR: 1 month from receipt of request, extendable by 2 further months for complex requests (Art. 12(3)).
EU users may also lodge complaints with their national data-protection authority and bring proceedings in their EU member-state courts (GDPR Art. 79).
For full detail on controller/processor relationships, transfer mechanisms, and EU data-subject rights procedures, see data-protection.md.
9.3 Rights under CCPA — for California residents
- §1798.100 — Right to know what personal information we collect, use, disclose, and the purposes for collection.
- §1798.105 — Right to delete personal information we have collected, subject to statutory exceptions (e.g., legal compliance, security, completing the service).
- §1798.115 — Right to know about disclosures to third parties. We do not sell or share personal information for advertising. AI provider calls send only de-identified claim text; see §6.
- §1798.120 — Right to opt out of the sale or sharing of personal information. We do not sell personal information (§1798.140(ad)). This right is not applicable, but we note it for completeness.
- §1798.121 — Right to limit use of sensitive personal information. We do not process sensitive personal information as defined in §1798.140. This right is not applicable.
- §1798.125 — Right to non-discrimination. We do not deny goods or services, charge different prices, or provide a different quality of service because you exercised a privacy right.
Response deadline under CCPA: 45 days from receipt of a verifiable consumer request, extendable by 45 days with notice (§1798.130).
California users retain the right to file complaints with the California Privacy Protection Agency (CPPA) per CCPA §1798.155 (post-CPRA, eff. 2023-01-01; Stats. 2020 Ch. 30 §16, as amended) and exercise private-right-of-action remedies where applicable per §1798.150.
10. How to Exercise Your Rights
Send a request to: levuminhphuc2007@gmail.com
Identity verification: To process a deletion or access request, we must verify that the request comes from the account owner. Provide your Firebase UID in the request. Your Firebase UID is available in the extension by opening the side panel while signed in — your UID appears in the browser developer console log (look for "User authenticated: [uid]" in the service worker console).
Response timelines:
- Vietnam PDPL: within the period required by applicable Vietnamese law.
- GDPR (Art. 12(3)): 1 month, extendable by 2 months.
- CCPA (§1798.130): 45 days, extendable by 45 days.
11. Children's Privacy
Noah's Ark is not directed at children. The minimum age to use the service is 13 years (COPPA-aligned). In the EU, the minimum age for a child to provide their own consent for information society services is 16 years (GDPR Art. 8); users under 16 in the EU require parental or guardian consent.
We do not knowingly collect personal data from users under 13. If a parent or guardian believes their child under 13 has provided personal data, contact us at levuminhphuc2007@gmail.com and we will delete the data.
12. Security Measures
- Encryption at rest: Firebase and Google Cloud encrypt data at rest by default.
- Encryption in transit: All connections use TLS.
- Content Security Policy: The extension enforces script-src 'self' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; trusted-types dompurify default; — no unsafe-inline, no unsafe-eval, no remote script sources.
- Trusted Types: Every DOM mutation surface enforces the Trusted Types API.
- No remote code execution: No eval, no new Function, no dynamic import() of remote URLs anywhere in the codebase. All JavaScript is bundled at build time via esbuild.
- Firestore security rules: Server-side rules enforce that users may read and write only their own documents. Discussion posts are readable by all authenticated users.
13. Data Breach Notification
In the event of a personal data breach:
- GDPR (Art. 33): We will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- GDPR (Art. 34): Where a breach is likely to result in high risk to affected data subjects, we will notify those individuals without undue delay.
- Vietnam PDPL: We will comply with breach notification obligations under Decree 13/2023/NĐ-CP within the period required by applicable Vietnamese law.
14. Changes to This Policy
This is version 1.0 of the privacy notice, effective 2026-05-22. We will post material changes in the extension popup before the updated policy takes effect. The version number and effective date will be updated at the top of this document. For changes that materially affect how we process your personal data, we will notify you via the extension popup at your next session.
15. Contact for Privacy Matters
Hộ Kinh Doanh Võ Thị Huyền Vân – Cố Vấn Độc Lập
19 Trương Công Định, Phường Tân Bình, Thành Phố Hồ Chí Minh, Việt Nam
Email: levuminhphuc2007@gmail.com
Phone: 0918425016
16. Sources Cited
| Citation | Source reference |
|---|---|
| GDPR (Regulation (EU) 2016/679) — Art. 6(1)(a)(b)(f) | https://gdpr-info.eu/art-6-gdpr/ (mirrors consolidated EUR-Lex text) |
| GDPR Art. 8 — child's consent | https://gdpr-info.eu/art-8-gdpr/ |
| GDPR Art. 12(3) — response timeframe | https://gdpr-info.eu/art-12-gdpr/ |
| GDPR Art. 15 — right of access | https://gdpr-info.eu/art-15-gdpr/ |
| GDPR Art. 17 — erasure | https://gdpr-info.eu/art-17-gdpr/ |
| GDPR Art. 20 — portability | https://gdpr-info.eu/art-20-gdpr/ |
| GDPR Art. 21 — objection | https://gdpr-info.eu/art-21-gdpr/ |
| GDPR Art. 22 — automated decisions | https://gdpr-info.eu/art-22-gdpr/ |
| GDPR Art. 33 — breach notification to authority | https://gdpr-info.eu/art-33-gdpr/ |
| GDPR Art. 34 — breach notification to data subjects | https://gdpr-info.eu/art-34-gdpr/ |
| GDPR Art. 46 — transfers subject to appropriate safeguards (SCCs) | https://gdpr-info.eu/art-46-gdpr/ |
| GDPR Art. 79 — judicial remedy | https://gdpr-info.eu/art-79-gdpr/ |
| CCPA §1798.100 — right to know | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100. |
| CCPA §1798.105 — right to delete | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.105. |
| CCPA §1798.115 — right to know about third-party disclosures | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.115. |
| CCPA §1798.120 — right to opt out of sale | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.120. |
| CCPA §1798.121 — right to limit sensitive PI | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.121. |
| CCPA §1798.125 — non-discrimination | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.125. |
| CCPA §1798.130 — response time (45 days) | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130. |
| CCPA §1798.140(ad) — definition of "sell" | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140. |
| CCPA §1798.150 — private right of action | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150. |
| CCPA §1798.155 — enforcement (California Privacy Protection Agency) | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.155. |