PARALLAX — POLICY
Privacy Policy
What we collect, what we don't, and what you can do about it.
Updated May 24, 2026
Privacy Policy
Last updated: 24 May 2026
Parallax Lens (“Parallax,” “we,” “us”) publishes long-form visual explainers at parallaxlens.com. This policy explains what personal data we collect when you read the publication or create a reader account, what we do with it, and the rights you have to control it.
Parallax Lens is a publication based in India, operated by an individual founder. We can be reached at privacy@parallaxlens.com.
This document is written plainly. Where the law requires specific language, you’ll find it in the marked sections. Everywhere else, we’ve chosen to be readable rather than legalistic.
What we collect
We collect three categories of personal data, and only what falls into these three.
1. Account data — only if you sign up.
- Your email address (required for the account; used as your login identifier).
- A display name (you choose this; can be a pseudonym).
- If you sign in with Google, your Google profile name and profile-picture URL are also passed to us by Google. We store your name; we do not store the profile picture.
2. Reading behaviour — only after Phase B engagement features ship.
- Which issues you open, how far you scroll, when you finish, what sources you click through to. These are recorded server-side, tied to your account.
- For visitors without an account, a short-lived anonymous cookie ID links page-view events to a single browsing session so we can compute rough reach numbers. The cookie does not identify you across sessions or across devices.
3. Newsletter & email data.
- The email address you subscribed with, your topic preferences (which of the six topic worlds you want issues for), the cadence you chose (per-issue / weekly digest), and the timestamps of which emails we’ve sent and which you’ve opened.
- “Opened” is recorded by your email client requesting a 1-pixel image in the email; we keep this off by default. If we ever turn open tracking on for a specific campaign, this document will list it explicitly.
Technical data automatically generated by your visit:
- Your IP address, browser type, operating system, and the page you came from. Our hosting provider (Vercel) records these in server logs for security and abuse prevention. We do not link these logs to your account or use them for tracking.
That’s the full list. We do not collect: phone numbers, mailing addresses, dates of birth, government IDs, payment information, biometric data, precise geolocation, or anything else not named above.
What we explicitly do not do
This is the brand promise, made specific. Parallax does not:
- Run advertising of any kind on the site, in the newsletter, or in emails.
- Use Google Analytics, Plausible, Hotjar, Mixpanel, or any other third-party analytics product. Reading-behaviour data, when it exists, lives only on our own database in Supabase.
- Use Facebook Pixel, X Pixel, LinkedIn Insight Tag, or any other ad-tech pixel. None are loaded on any page.
- Sell, rent, or trade your data with anyone, ever.
- Share your email with marketing partners, “trusted third parties,” or data brokers.
- Use your data to train AI models. The AI features we build into the product (explainer tooltips, the Q&A sidebar) run on the issue’s own sources; your reading history is not sent to any external AI provider.
- Set advertising cookies, retargeting cookies, or any third-party cookie. The only cookies we set are first-party session cookies that keep you logged in.
If any of these change in future, this policy will be updated and existing accounts notified by email before the change takes effect.
Why we collect what we collect
We list the purpose for each category, not a generic “to provide our services.”
| Data | Purpose | Lawful basis (GDPR / PDPDP) |
|---|---|---|
| Email + display name | Account identifier; magic-link login | Contract (you’re creating an account) |
| Sending newsletters you opted in to | Consent (you ticked the box) | |
| Sending transactional emails (password-less login codes, account-deletion confirmations) | Contract / legitimate interest | |
| Reading events | Showing you your own reading history; computing aggregate issue stats; recommending next issues based on your topic mix | Legitimate interest, with right to opt out |
| Server logs (IPs etc.) | Security, abuse prevention, debugging | Legitimate interest |
You can withdraw consent for the newsletter at any time via the unsubscribe link in every email. You can opt out of reading-behaviour tracking from your account settings (when Phase B ships).
Who processes your data (named third-party services)
Your personal data is stored and processed by us and by a small number of named third-party services (“processors”) who help us run Parallax. We’ve chosen each one for privacy posture as much as functionality.
Supabase — authentication and database
- Role: Stores your account, saved issues, reading history, reactions, comments.
- Data location: Supabase data centre region (typically Mumbai or US-East — we use the region closest to most readers; see your account’s data dashboard for the current region).
- Privacy: Supabase is SOC 2 compliant and offers a GDPR Data Processing Agreement, which we have signed.
Resend — transactional and newsletter email
- Role: Sends magic-link login emails, account-confirmation emails, newsletter digests, and per-issue alerts.
- Data location: AWS Tokyo region (ap-northeast-1).
- What they see: Your email address and the contents of any email we send you. They cannot see your reading history or your other account data.
Vercel — website hosting
- Role: Hosts parallaxlens.com (static) and app.parallaxlens.com (server-side).
- Data location: US-East (primary edge).
- What they see: Server logs (IPs, user-agent, requested URLs). Vercel does not access database content.
Cloudflare — DNS and CDN
- Role: Routes DNS for parallaxlens.com and acts as a global CDN for static assets.
- Data location: Globally distributed edge network.
- What they see: Network-level traffic metadata. Cloudflare’s CDN proxy is set to “DNS only” — they do not see request contents.
Google (OAuth) — optional login provider
- Role: If you choose “Sign in with Google,” Google authenticates you and passes us your email + name.
- Data location: Google’s global infrastructure.
- What they see: That you logged into Parallax at a specific time from a specific IP. Standard OAuth handshake.
- This service is optional. Magic-link email login is the alternative and uses no third-party login provider.
Anthropic (Claude API) — AI features
- Role: Powers the inline “explain this term” tooltips and the per-issue Q&A sidebar (when Phase D ships).
- Data location: Anthropic’s US infrastructure.
- What they see: The text of your question to the Q&A sidebar plus the issue’s published content. They do not see your account identity, email, reading history, or any other personal data.
- Anthropic’s published policy commits to not training their models on API customer data.
We do not use any other processor for personal data. If we add one later, this policy will be updated and existing accounts notified at least 14 days before the change takes effect.
How long we keep your data
We keep personal data only as long as needed for the purpose stated.
| Category | Retention | Why |
|---|---|---|
| Active account data | While your account is active | Self-evident |
| Inactive account data | Up to 24 months from last login, then deleted | Reasonable dormancy window |
| Saved issues, reactions | Same as account | Tied to account |
| Reading-event records | 18 months rolling, then aggregated and personal data stripped | Long enough for “your year in reading,” short enough to be honest |
| Newsletter subscription | Until you unsubscribe, then 12 months for legal record of consent | Audit trail for opt-in compliance |
| Server logs (Vercel) | 30 days | Vercel’s standard |
| Email send/delivery records (Resend) | 90 days | Resend’s standard |
| Account deletion requests | Hard-deleted within 30 days of request | Our commitment |
When you request account deletion, we delete your account row, all saved issues, all reactions, all comments you’ve authored (or anonymise them if they’re part of public threads — your choice at deletion time), all reading events, and all newsletter subscriptions linked to your email. Some data may persist briefly in encrypted backups, which expire automatically within 30 days.
Your rights
You have rights over the personal data we hold about you. The specific rights you have depend on where you live.
Everyone — the rights we honour for all readers
- Access. Request a copy of the personal data we hold about you. We respond within 30 days.
- Correction. Ask us to fix anything that’s wrong.
- Deletion. Ask us to delete your account and all associated data, per the 30-day commitment above.
- Portability. Receive your data in a machine-readable format (JSON export of your account, saved issues, reading history).
- Withdrawal of consent. Stop receiving newsletters by clicking the unsubscribe link in any email. Withdraw your account at any time.
Send any of these requests to privacy@parallaxlens.com. We respond in 30 days or less.
If you live in India — your PDPDP rights
The Digital Personal Data Protection Act 2023 (DPDP Act) gives you specific rights:
- The right to obtain confirmation of whether we process your personal data, a summary of what we hold, and the identities of any third parties we’ve shared it with.
- The right to correction, completion, updating, and erasure of your personal data.
- The right to nominate another person to exercise these rights on your behalf in case of your death or incapacity.
- The right to grievance redressal — you can write to the Data Protection Officer (currently the founder; contact privacy@parallaxlens.com) and we will respond within 7 days. If unresolved, you may approach the Data Protection Board of India.
Parallax is the Data Fiduciary for personal data of Indian users. The founder is the Designated Officer for DPDP Act purposes.
If you live in the European Economic Area or UK — your GDPR rights
In addition to the universal rights above, you have:
- The right to object to processing based on legitimate interest (such as reading-event analytics).
- The right to restrict processing in certain circumstances.
- The right to lodge a complaint with your local data protection authority. For example, in Ireland this is the Data Protection Commission (dataprotection.ie); your country’s authority is listed at edpb.europa.eu.
Our lawful bases under GDPR Article 6: consent (for newsletter), contract (for account services), and legitimate interest (for reading-event analytics, abuse prevention, and security).
If you live in California — your CCPA / CalOPPA rights
You have the rights to:
- Know what categories of personal information we collect, the purposes, the sources, and which third parties we share it with — this document covers all of that.
- Delete personal information we have collected about you.
- Opt out of “sale” of personal information. We do not sell personal information. We have never sold personal information. We will not sell personal information.
- Non-discrimination — we will not deny you service, charge you a different price, or provide a different level of service for exercising your privacy rights.
To exercise these rights, email privacy@parallaxlens.com. We may ask you to verify your identity (typically by responding from the email address on the account).
Cookies and similar technologies
Parallax uses only the cookies and storage strictly needed to make the site work. No tracking cookies. No third-party advertising cookies.
| Type | Name(s) | Purpose | Duration |
|---|---|---|---|
| Session cookie | sb-<project>-auth-token (set by Supabase) | Keeps you logged in | Browser session + 30-day refresh |
| Anonymous reach cookie | px_anon_id (set after Phase B ships) | Aggregate visit counts without identifying you | 90 days |
| Cookie consent state | px_cookie_ack | Remembers that you’ve seen this policy | 365 days |
We do not use local storage or session storage for any personal data other than what Supabase’s authentication SDK manages on your browser to keep you logged in. You can clear all cookies and local storage at any time via your browser settings.
We do not need a cookie consent banner because we set no third-party cookies and the cookies above are strictly necessary for the service to function (consent is implied by your use of an authenticated feature).
Cross-border data transfers
Your data may be transferred outside your country of residence — for example, Indian readers’ data may pass through Vercel servers in the US, or Resend’s email infrastructure in Tokyo.
We rely on standard safeguards for these transfers:
- For EEA/UK readers: Standard Contractual Clauses approved by the European Commission, signed with each processor named above.
- For Indian readers: PDPDP Act § 16 permits cross-border transfers to countries not specifically restricted by the Government of India. None of the named processors operate from restricted jurisdictions as of the date of this policy.
Children’s privacy
Parallax is intended for adult readers.
- We do not knowingly collect data from anyone under the age of 16.
- For Indian readers, the minimum age is 18 in line with the DPDP Act’s definition of “child.”
- If you are a parent or guardian and believe a child has created an account with us, please contact privacy@parallaxlens.com and we will delete the account and all associated data within 7 days.
How we protect your data
- All data in transit is encrypted via HTTPS / TLS 1.3.
- Supabase database storage is encrypted at rest (AES-256).
- Service-role credentials are never sent to the browser; they live only on server-side environments protected by access controls.
- We follow a principle of least privilege — internal database queries use row-level security policies that limit each query to its authenticated user’s own rows.
- We log security-relevant events (failed logins, password changes, account deletions) and retain those logs for 90 days.
We cannot guarantee absolute security — no system can. If we ever suffer a personal-data breach that creates a real risk to your rights, we will notify you by email and the data protection authority for your region within 72 hours, per GDPR / PDPDP standards.
Links to other websites
Issues on Parallax often link to primary sources elsewhere on the web (news sites, government databases, academic papers). When you click those links, you leave Parallax and enter a site we don’t control. Our policy doesn’t apply once you’re there. We pick sources we trust, but we can’t speak for their privacy practices.
Changes to this policy
We may update this policy from time to time as Parallax evolves and laws change. When we do:
- We update the “Last updated” date at the top.
- For material changes (new processors, new data categories, new uses of existing data), we email registered users at least 14 days before the change takes effect.
- We keep a public change log at the bottom of this page (see below).
- Continuing to use the Service after the effective date means you accept the updated policy. If you don’t agree, you can delete your account.
Contact
For any privacy question, data request, or complaint:
- Email: privacy@parallaxlens.com
- Response time: within 30 days (typically 3–7 days)
- Postal address: Available on request for formal regulatory correspondence — email us first.
For users in India, this email also reaches the Designated Officer under the DPDP Act.
Change log
- 24 May 2026 — Initial version published. Covers GDPR, CCPA, CalOPPA, and India’s DPDP Act 2023. Lists Supabase, Resend, Vercel, Cloudflare, Google OAuth, and Anthropic as processors.