Privacy

Privacy Policy

Effective date: 2026-05 · Last updated: 2026-05 · Version: Draft v2 (free-mode)

Plain-language draft. AlgoViz is a free educational resource. This policy describes the small amount of data we handle to operate the site. It's structured to GDPR (EU/UK), DPDP (India), and CCPA (California) standards. We recommend legal-counsel review before relying on this for any commercial purpose.

1. Who we are

"AlgoViz", "we", "us", or "our" refers to the team operating algoviz.io. We are an independent education-technology project producing original DSA (Data Structures & Algorithms) learning content. The site is free to use; we do not sell anything and there are no paid plans.

For any privacy-related question, write to privacy@algoviz.io. Indian users can also reach our Grievance Officer at grievance@algoviz.io (see §13).

2. What data we collect

2.1 What stays on your device

Most of what you do on AlgoViz never reaches our servers:

Reading progress, bookmarks, theme, text size, settings — stored in your browser's localStorage only.
An anonymous device identifier (a UUID generated once per browser) — also localStorage only; used to embed an invisible per-device watermark in rendered lessons so leaked copies can be traced back to their source.
A short-lived session cookie (av_sess, 1-hour expiry) — set by our Cloudflare middleware to gate the lesson data against scraping; not used for analytics.
Anti-abuse signals computed in your browser — bot-detection heuristics (e.g., headless-browser flags, mouse-cadence) used to flag scraping. Today these are local-only.

2.2 What we receive on our servers

The only personal data that reaches us is when you voluntarily submit it:

Email address — only if you submit the "Get update emails" form in the app. Used solely to email you when there's new content (new lessons, fixes, or material updates).
Submission metadata attached to that email row: country code (read from Cloudflare's cf-ipcountry header), browser user-agent, the page you came from (referer), submission timestamp.
Aggregate visit counts via Cloudflare Web Analytics — cookieless, no cross-site tracking, no individual identifiers.

We do not collect phone number, address, name, payment information, browsing history outside AlgoViz, or any data from third-party services. We do not run third-party ad pixels or tracking SDKs.

2.3 Watermarking

To deter content theft and identify the source of leaked copies, AlgoViz applies watermarks at three layers:

Invisible watermark — zero-width Unicode characters (U+200B / U+200C / U+200D) encoding your anonymous device ID, injected into rendered headings and paragraphs. Invisible on screen; survives copy-paste; lets us match a leaked snippet back to the originating device.
Visible watermark — a faint diagonal overlay reading "session <device-id> · <date>", almost invisible during normal reading but legible in screenshots.
Print / "Save as PDF" suppression — when you try to print or save a lesson, the lesson content is removed from the printed output entirely. Instead the output shows the AlgoViz brand name and a note pointing back to the live site, plus a small "© AlgoViz · session <id> · date" footer for traceability if the printed page itself is photographed or screenshot.
Developer-tools-triggered watermark boost — if our heuristics detect that browser DevTools is open during a session, the visible diagonal watermark becomes more opaque and denser. This catches DevTools-assisted screenshot leaks. It is purely cosmetic — no functionality changes and no signal is sent to our servers.

The device ID is an anonymous UUID. It does not identify you by name or email. We use watermarks only to investigate suspected bulk redistribution of our original content; we do not use them for advertising, analytics, or third-party sharing.

2.4 Client-side abuse signals (telemetry only — stay in your browser)

To inform our abuse defences, the AlgoViz PWA runs a handful of lightweight client-side checks and stashes the results on the page. None of these are sent to our servers today; they stay in your browser session.

window.__BOT__ — composite score from public browser fingerprint signals (navigator flags, headless-Chrome user-agent strings, WebGL renderer name) that distinguishes a real browser from automation tools.
window.__DEVTOOLS__ — a flag set when our two heuristics (window outer/inner size delta, console-getter trap) indicate browser DevTools is open. Triggers the watermark boost described above.
window.__EXT__ — a flag listing detected content-scraping browser extensions (Webscraper.io, Octoparse, ScrapeStorm, Data Miner, etc.) by their DOM signatures. We do not detect or interfere with password managers, screen readers, accessibility tools, ad blockers, translation tools, or any other legitimate extension; only ones whose advertised purpose is bulk content extraction.
window.__BEHAV__ — aggregate mouse-movement statistics and deck-open cadence. Used to distinguish human reading from scripted high-rate fetches.

What this is NOT: we don't capture keystrokes, clipboard contents, audio/video, or any specific user input. We don't track you across sites. We don't ship these signals to our servers today. If we ever do, it will be in the context of an abuse investigation, never associated with your reading history or used for advertising.

3. Why we collect it

Data	Lawful basis (GDPR Art. 6)	Purpose
Email for update list	Consent (Art. 6(1)(a))	You voluntarily provide it to receive update emails
Country, UA, referer with that email	Legitimate interest (Art. 6(1)(f)) — fraud/abuse prevention	Spam detection on the signup endpoint; sender geography
Watermarks & client-side abuse signals	Legitimate interest (Art. 6(1)(f)) — protection of original content	Trace bulk redistribution
Aggregate visit counts	Legitimate interest (Art. 6(1)(f))	Understand which lessons get read

Under the DPDP Act §7 (India), processing is grounded in consent and "legitimate uses" (content protection, security).

4. Where it's stored

Email addresses and their associated metadata are stored in Cloudflare Workers KV. Cloudflare regions assign KV namespaces to the geography closest to the requester. Encryption in transit (TLS 1.2+) and at rest. Anonymous server logs (IP, UA, request path) are retained briefly by Cloudflare's edge nodes.

5. Cookies & localStorage

We avoid third-party tracking cookies entirely. We use:

localStorage (browser storage, not a cookie) for reading progress, theme, device ID, etc. You can clear it via your browser settings or the in-app Settings → Privacy & Data → Reset local progress.
One first-party session cookie — av_sess, 1-hour expiry, used only to gate the content blob against direct-fetch scrapers. No analytics use.
Cookieless analytics — page-view counts aggregated at the Cloudflare edge. No identifiers; no cross-site tracking.

We do not use Google Analytics, Facebook Pixel, advertising tracking pixels, or any third-party SDK that fingerprints you across sites.

6. Sub-processors

Provider	Service	Data accessed
Cloudflare Inc.	Hosting, CDN, KV store, edge functions, bot mitigation, cookieless analytics	HTTP requests, IP, user-agent, country, the update-list email row
Resend (when we send batch emails)	Transactional email delivery	Email address, message content

That's the complete list. No payment processor, no auth provider, no third-party analytics — none are needed for a free site.

7. Retention

Data	Retention
Update-list email (and its submission metadata)	Until you unsubscribe, then deleted within 30 days
Anonymous server logs (IP, UA, request path) at Cloudflare edge	~30 days, then aggregated
localStorage on your device	Until you clear browser data or use the in-app reset

8. Your rights

Under GDPR (EU/UK), DPDP (India), CCPA (California), and similar laws, you have rights including:

Access — get a copy of the data we hold for your email (just the email row in KV).
Rectification — correct your email if needed.
Erasure — delete your email row entirely.
Portability — receive your email row in JSON.
Object to processing — including direct marketing (one-click unsubscribe).
Withdraw consent — unsubscribe at any time.
Lodge a complaint — with your local Data Protection Authority.

Email privacy@algoviz.io to exercise any of these. We respond within 30 days.

9. Children's data

AlgoViz is intended for users 13 years of age or older. We do not knowingly collect personal data from younger children. Under GDPR Art. 8 the digital-consent age varies by EU member state (13–16); we apply 16 as the safe default. Under DPDP §9 (India), processing under-18 personal data requires verifiable parental consent — we do not knowingly do so.

10. Security

TLS 1.2+ on all connections.
AES-256 encryption at rest for the email list in Cloudflare KV.
Strict Content-Security-Policy, X-Frame-Options DENY, HSTS preload.
Server-side rate limiting on the email signup endpoint.
No service-level credentials stored client-side.

11. Breach notification

If we suffer a breach likely to result in risk to your rights, we will notify you and the appropriate Data Protection Authority within 72 hours of becoming aware (GDPR Art. 33 / DPDP §8(6)).

12. Update emails & unsubscribe

If you submit your email, we use it only to send you update emails about AlgoViz — new lessons, fixes, or material changes. We do not share, sell, or rent your email. We do not send promotional emails for third parties. Every email has a one-click unsubscribe link; we honor unsubscribes within 24 hours.

13. India (DPDP) rights & Grievance Officer

Under the Digital Personal Data Protection Act, 2023, Data Principals in India have rights including access (§11), correction and erasure (§12), and grievance redressal (§13). Our Grievance Officer is reachable at grievance@algoviz.io. We respond within 15 days. If unsatisfied you may approach the Data Protection Board of India under DPDP §27.

14. Changes to this policy

If we update this policy materially, we'll email subscribers and post a notice in the app. The "Last updated" date at the top reflects the most recent revision.

15. Contact

Privacy questions: privacy@algoviz.io
India Grievance Officer: grievance@algoviz.io
General contact: /contact