Who We Are
Pangea Research LLC ("Pangea Research", "we", "us", "our") operates the Pangea Research platform, which includes our marketing website (pangearesearch.io), Lab (lab.pangearesearch.io), Academy (academy.pangearesearch.io), Factory (factory.pangearesearch.io), and mobile applications (collectively, the "Platform").
Pangea Research is the data controller for personal data collected through the Platform. For questions about this policy or your data, contact us at privacy@pangearesearch.io.
Data We Collect
We collect the following categories of personal data:
Account & Registration Data. When you create an account, we collect your email address, display name, and password (or OAuth credentials if you sign in with Google, GitHub, Microsoft, or Apple). You may optionally provide your organization, role, experience level, preferred locale, and timezone.
Learning & Progress Data. As you use the Platform, we collect lesson progress, quiz attempts and scores, notebook entries, scenario interactions, competency assessments, certificates earned, badges, streaks, and other gamification data.
Payment Data. If you purchase courses, scenarios, or subscriptions, payment processing is handled entirely by Stripe. We store your Stripe customer ID, session ID, and payment intent ID, but we never receive or store your full credit card number.
Communications Data. We collect data you submit through contact forms, event registrations, chat conversations, and support requests, including name, email, phone, organization, and message content.
Device & Technical Data. We automatically collect IP address, browser type and version, operating system, screen resolution, and session metadata. IP addresses stored for analytics purposes are truncated to /24 blocks after 30 days and deleted after one year.
Cookies & Consent Choices. We store your cookie and analytics consent preferences. See our Cookie Policy for details.
How We Use Data
We use personal data for the following purposes:
- Service delivery: To provide, maintain, and improve the Platform, including account management, content delivery, progress tracking, and certification.
- Communications: To send transactional emails (password resets, verification, notifications) and, if you opt in, marketing updates about research, events, or services.
- Security & abuse prevention: To detect and prevent fraud, unauthorized access, and other security threats.
- Analytics: With your consent, to understand aggregate usage patterns and improve Platform performance and content.
- Legal compliance: To comply with applicable laws, respond to legal requests, and enforce our Terms of Use.
We do not sell your personal data. We do not use your personal data for automated decision-making that produces legal effects.
Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process personal data only where we have a valid legal basis. The table below identifies the legal basis under Article 6(1) for each processing activity.
| Processing Activity | Legal Basis (Article 6(1)) | Details |
|---|---|---|
| Event registration | (b) Contract performance | Necessary to process your registration |
| Contact form submissions | (f) Legitimate interest | Responding to inquiries |
| Payment processing | (b) Contract performance | Fulfilling paid event registration |
| Website analytics (Cloudflare) | (f) Legitimate interest | Understanding site usage to improve services |
| Email notifications | (b) Contract performance | Transactional emails related to your registration |
| Marketing communications | (a) Consent | Only with explicit opt-in consent |
| Security and fraud prevention | (f) Legitimate interest | Protecting the platform and users |
| Cookie preferences | (a) Consent | Stored based on your cookie choices |
| Error tracking and performance monitoring (Sentry, Cloudflare Analytics) | (f) Legitimate interest | Detecting and resolving application errors to maintain service quality and reliability. Sentry collects anonymous crash data and stack traces; user-identifiable data is attached only with explicit consent. Cloudflare Analytics collects aggregated performance metrics and error rates. Both services process data to ensure service reliability and error resolution. |
Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting us at privacy@pangearesearch.io.
Artificial Intelligence and AI Services
The Platform uses artificial intelligence to power certain features, including content generation (Factory), AI-assisted tutoring, and adaptive learning assessments.
AI Service Providers. We use the following AI services:
- Anthropic (Claude API): Used for scenario generation, lesson authoring assistance, and AI-powered feedback. When you interact with AI features, relevant context from your session (such as your prompt, scenario content, or quiz responses) is sent to Anthropic's API for processing. Anthropic's data practices are governed by their usage policy at anthropic.com/policies.
- Google (Gemini API): Used as an optional secondary AI provider for content generation. Google's AI data practices are governed by their terms at ai.google.dev/terms.
What AI providers receive. AI providers receive the content of your interactions with AI features (prompts, responses, scenario context) but do not receive your account credentials, payment information, or personal profile data.
AI training. We do not use your personal data or content to train our own AI models. Data sent to third-party AI providers is subject to their respective data handling policies. As of this policy's effective date, neither Anthropic nor Google uses API customer data for model training.
Disclosure. When you are interacting with an AI-powered feature (rather than a human), the Platform indicates this in the interface.
Service Providers and Sub-Processors
We share personal data with the following categories of service providers, who process data on our behalf under contractual obligations:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Hosting, CDN, edge security, Workers runtime, R2 storage, bot protection (Turnstile) | IP address, request metadata, uploaded assets |
| Neon | Serverless PostgreSQL database hosting | All account and platform data (encrypted in transit and at rest) |
| Stripe | Payment processing | Email, payment details, purchase history |
| Resend | Transactional email delivery | Email address, name, notification content |
| Anthropic | AI content generation and tutoring | Session context, prompts, scenario content |
| Google | OAuth authentication; optional AI generation | OAuth profile data (email, name); generation prompts |
| GitHub | OAuth authentication; admin access | OAuth profile data (email, username) |
| Microsoft | OAuth authentication | OAuth profile data (email, name) |
| Apple | OAuth authentication (Sign in with Apple) | OAuth profile data (email, name — may be relayed via Apple Private Email Relay) |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | Anonymous crash data, error stack traces, browser metadata, user ID (if consented) |
Fonts (Roboto, Roboto Mono) are self-hosted from our own domain and do not involve third-party requests.
We do not share personal data with advertisers or data brokers.
Data Processing Agreements. We maintain Data Processing Agreements (DPAs) with our sub-processors in compliance with GDPR Article 28. DPA documentation is available from the following providers:
- Cloudflare, Inc. — Hosting, CDN, KV storage, analytics, Workers compute. DPA: cloudflare.com/cloudflare-customer-dpa
- Resend, Inc. — Transactional and notification email delivery. DPA: resend.com/legal/dpa
- Stripe, Inc. — Payment processing for paid events. DPA: stripe.com/legal/dpa
- Neon, Inc. — PostgreSQL database hosting. DPA: neon.tech/dpa
- Anthropic, PBC — AI-assisted content generation (no personal data processed). DPA: anthropic.com/legal/commercial-terms
- Apple Inc. — OAuth authentication (Sign in with Apple). DPA: developer.apple.com/terms/apple-developer-program-license-agreement
- Google LLC (Gemini API) — Optional secondary AI provider for content generation. DPA: cloud.google.com/terms/data-processing-addendum
- Functional Software, Inc. (Sentry) — Error tracking and performance monitoring (US). DPA: sentry.io/legal/dpa
Cookies and Analytics
Our marketing site uses a consent banner for analytics cookies. Analytics tracking is opt-in and disabled by default.
Essential cookies are required for core functionality (authentication, security, form workflows) and cannot be disabled.
Analytics cookies, when you opt in, help us understand aggregate website usage and improve content and performance. The marketing site uses Cloudflare Web Analytics. The Platform uses server-side analytics that respect your analytics consent preference.
Preference cookies store your saved cookie and consent choices.
You can manage your cookie preferences at any time using the "Manage Cookies" control in the footer. See our full Cookie Policy for details.
Data Retention
We retain personal data for as long as your account is active and for a reasonable period afterward, subject to the following specific retention periods:
- Account data: Duration of account plus 30 days after deletion request is processed.
- Authentication sessions and tokens: Expired sessions cleaned nightly; password reset and email verification tokens deleted after 7 days.
- Analytics events: Retained for 365 days. IP addresses truncated to /24 blocks after 30 days.
- Learning interactions and adaptive sessions: 90 days after completion.
- Webhook delivery logs: 90 days (completed or failed entries only).
- xAPI statement logs: 2 years.
- Admin audit logs: 7 years (regulatory and SOC 2 requirement).
- Payment and commerce records: Retained as required by tax and accounting law (typically 7 years).
- Completed or cancelled deletion requests: 90 days for recordkeeping.
- Contact submissions and event registrations: Up to 12 months.
When data reaches the end of its retention period, it is deleted or anonymized through automated nightly cleanup jobs.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
For all users:
- Access: Request a copy of your personal data. You can export your data at any time from your account settings, or by contacting us.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data. Deletion requests have a 30-day grace period during which you can cancel. After processing, your data is anonymized and associated records are cascade-deleted.
- Portability: Export your data in machine-readable format (JSON or CSV) covering 17 data categories.
Additional rights under GDPR (EU/EEA/UK residents):
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with your local data protection authority
Additional rights under US state privacy laws (California, Colorado, Connecticut, Virginia, and others):
- Right to know what personal data is collected and how it is used
- Right to delete personal data
- Right to opt out of sale or sharing of personal data (we do not sell personal data)
- Right to non-discrimination for exercising your privacy rights
To exercise any of these rights, email privacy@pangearesearch.io or use the data export and deletion features in your account settings. We will respond within 30 days (or sooner if required by applicable law).
California Privacy Rights (CCPA/CPRA)
This section provides additional disclosures required under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected.
| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email address, IP address, account ID | Account creation, authentication, communications |
| Commercial information | Purchase history, payment records, subscription details | Processing transactions, maintaining purchase records |
| Internet or electronic network activity | Browser type, pages visited, session metadata | Website analytics, security monitoring, service improvement |
| Professional or employment-related information | Organization, role (optionally provided) | Personalizing the learning experience |
| Education information | Lesson progress, quiz scores, certificates, competency data | Delivering and improving educational content |
Sale and Sharing of Personal Information. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Your California Privacy Rights. As a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
- Right to Delete: You may request the deletion of personal information we have collected from you, subject to certain exceptions required by law.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information, so no opt-out is necessary. If this practice changes, we will provide a clear opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted under the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
How to Exercise Your Rights. To submit a request, email privacy@pangearesearch.io. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
Response Timing. We will acknowledge your request within 10 business days and respond within 45 calendar days. If additional time is needed, we will notify you of the extension and the reason.
Children's Privacy
The Platform is designed for users aged 13 and older. We do not knowingly collect personal data from children under 13 (or under 16 in the EEA/UK).
If you are between 13 and 18, you may use the Platform only with the consent of a parent or legal guardian. Users under 13 may not create an account or use the Platform.
If we learn that we have collected personal data from a child without appropriate consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@pangearesearch.io.
FERPA Notice
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records maintained by educational institutions. Pangea Research is not an educational institution and does not receive or process student education records from schools, colleges, or universities on their behalf.
The Platform is not currently FERPA-compliant and is not designed to serve as a school official or to maintain education records as defined under FERPA. If your institution requires FERPA-compliant tools, please contact us at privacy@pangearesearch.io to discuss your requirements before using the Platform in an institutional setting.
International Data Transfers
The Platform is hosted on Cloudflare's global network, with primary database infrastructure in the United States (AWS US-East-2 via Neon). If you access the Platform from outside the United States, your data may be transferred to and processed in the United States.
We rely on Cloudflare's and our sub-processors' Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure adequate protection for international data transfers in compliance with GDPR and other applicable data protection laws.
Security
We apply technical and organizational safeguards to protect personal data, including:
- Encryption in transit (TLS) and at rest for all database and stored data
- AES-256-GCM encryption for OAuth tokens and sensitive credentials
- Hashed passwords (never stored in plaintext)
- Hashed session tokens with IP and user-agent binding
- Role-based access controls and admin audit logging
- Cloudflare WAF, bot protection (Turnstile), and rate limiting
- Regular key rotation on a tiered schedule
- Incident response procedures with defined severity levels and recovery targets
No system is completely risk-free. If you discover a security vulnerability, please report it responsibly via our security disclosure policy at pangearesearch.io/security.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable law. The most current version will always be posted on this page with an updated effective date. Material changes will be communicated through the Platform or by email to registered users.
Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Email: privacy@pangearesearch.io
Website: pangearesearch.io/contact
Pangea Research LLC
Last Updated: March 25, 2026
© 2026 Pangea Research LLC. https://pangearesearch.io/privacy-policy/