Privacy Policy

Privacy Policy

This Privacy Policy describes how ChiAha, Inc. (a Tennessee corporation with its principal place of business at 11826 Kingston Pike, Suite 230, Farragut, Tennessee 37934 — "ChiAha", "we", "us") collects, uses, and shares information about you when you visit our websites or use the contact / signup forms on them.

It is distinct from the ChiAha Software License, which governs the desktop applications we sell (ReliaSim, QSimHealth, SCModeling, ReliaStats, DiscreteRate, and others). The two documents cover two different relationships: this one covers the visitor → website relationship, the Software License covers the customer → application relationship.

If you have any questions about this Privacy Policy, email info@chiaha.com with the subject "Privacy request."


Sites Covered

Information We Collect

Information you give us directly when you fill out a contact, signup, or "join our list" form:

  • Name (first and/or last)
  • Work email address
  • Company / organization (when supplied)
  • Job title (when supplied)
  • Any free-text message or note you choose to add
  • Which product page you submitted from

Information automatically collected as you browse:

  • Standard server logs: IP address, browser user-agent, referrer, the pages you visited, and the time of each visit. Operational logs needed to keep the sites running and to investigate security or abuse incidents.
  • Analytics events from Google Tag Manager (container GTM-NL7VDMTV) and Google Analytics 4 (property 433243670). Aggregate page-view, event, and conversion data; may set cookies in your browser.
  • Visitor-behavior tracking via the ActiveCampaign site-tracking pixel (account 478631777), which records page visits against an email if you have previously identified yourself by submitting a form.
  • LinkedIn Insight Tag (partner ID 6488196) for measuring effectiveness of any paid advertising we may run on LinkedIn.

Information specific to product trials and authenticated use:

  • For products that use Microsoft Entra ID or Google OAuth (currently QSimHealth, ReliaStats, GreenfieldAnalysis): the email address and basic profile information returned by the identity provider when you sign in. We do not see your password.
  • A session cookie issued by our authentication system to keep you signed in. Typical lifetime: 14 days.
  • Records of when you logged in and accessed the product, retained so we can support you and improve the product.

We do not collect:

  • Payment card numbers. When a paid product is purchased, FastSpring handles the payment and sends us a webhook with the transaction summary; we never see your card.
  • The contents of supply-chain network data, simulation models, or other business data you use inside our desktop products. Those products are local-first and your model data stays on your machine.

How We Use Information

We use the information we collect to:

  • Respond to you. When you fill out a contact or signup form we send an internal notification (Slack channel #signups) so the right person at ChiAha can follow up. Your contact information may also be added to our customer-relationship system (ActiveCampaign).
  • Provide the products and services you have requested or purchased — sign you in, deliver license keys, send transactional emails (purchase confirmation, license renewal reminders, password reset links), and provide customer support.
  • Operate and improve the sites — diagnose problems, measure aggregate traffic patterns, A/B-test page changes, prioritize content.
  • Send marketing communications — newsletters, product announcements, sales follow-up — but only if you have opted in by submitting a contact / signup / mailing-list form. Every marketing email includes an unsubscribe link.
  • Comply with legal obligations — respond to subpoenas, court orders, and other lawful requests; investigate suspected fraud or abuse.

We do not sell your personal information. We do not share it with third parties for their own independent advertising or commercial use.


Service Providers

To operate the sites and serve you, we share information as needed with the following processors. Each is contractually bound (by their standard data-processing terms, which we have accepted) to use the information only on our behalf.

Processor Purpose What they see
ActiveCampaign (account 478631777) Email marketing, customer relationship management, visitor behavior tracking Form submissions, email opens / clicks, page-visit history when tied to an identified email
Google (Tag Manager + Analytics 4 + Workspace) Web analytics, internal email, document collaboration Page-view and event data (aggregate); the internal team's own email + documents
Fly.io Web hosting (sites, gateway, MCP services) Server logs (IP, paths) for sites hosted on Fly
Azure (Microsoft) Hosting for GreenfieldAnalysis and supporting services; Entra ID for SSO; geocoding cache Server logs; for Entra-authenticated apps, basic profile (email, name)
FastSpring Payment processing for paid products Card and billing information you submit directly to FastSpring (we never see your card)
LinkedIn Advertising effectiveness measurement A pseudonymous Insight Tag matching ad clicks to page visits
OpenStreetMap / Nominatim Address geocoding for network-model demos Place names you enter into geocode lookups (no personal info)
Anthropic The "Ask the model" agent on supply-chain demos uses Anthropic's Claude API The text of your questions and the loaded sample model context
Bitwarden Internal credential management Our own internal credentials; not used to store anything about you
GitHub Code hosting, CI, deploy pipelines Source code and deploy logs; not used to store anything about you

If we add a processor that materially changes how your information is handled, we will update this list and the effective date.


Cookies

We and our service providers use cookies and similar technologies for:

  • Strictly necessary — keeping you signed in (session cookie), remembering form state, basic security.
  • Analytics — Google Analytics measurement cookies, set via Google Tag Manager.
  • Visitor tracking — ActiveCampaign cookies that match a browser to an identified email after you submit a form.
  • Advertising effectiveness — LinkedIn Insight Tag cookie for measuring ad performance.

Where required by applicable law (notably for visitors from the European Economic Area / United Kingdom / California), we provide a cookie consent banner before non-strictly-necessary cookies are set. If we have not added a consent banner yet on a particular site, only strictly necessary cookies should be relied upon to be set; analytics and tracking cookies are conditional on your future consent action.

You can clear cookies any time from your browser settings, and most browsers offer a "do not track" or "global privacy control" signal that we honor where technically feasible.


Data Retention

  • Form submissions are retained in ActiveCampaign for as long as you remain a contact in our system, typically until you unsubscribe and we delete the record. Unsubscribed contacts are deleted on a rolling 24-month basis.
  • Server logs are retained for up to 90 days for operational and security purposes, then deleted.
  • Analytics data is retained per Google Analytics 4 default settings (26 months for event data) unless we change them.
  • Authenticated-product session cookies expire after 14 days of inactivity (or when you log out).
  • Backups of these stores may persist for an additional 30-60 days in encrypted storage before being overwritten.

Your Rights

Depending on where you live, you may have the following rights:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to fix inaccuracies.
  • Deletion — ask us to delete your information, subject to legal retention obligations.
  • Portability — receive your information in a machine-readable format.
  • Opt-out of marketing — unsubscribe link in every marketing email; or email info@chiaha.com.
  • Opt-out of sale/share for advertising — we do not sell or share for cross-context behavioral advertising; this right does not currently produce any change, but it remains exercisable.
  • California specific (CCPA/CPRA) — the rights above, plus the right to non-discrimination for exercising them.
  • EEA/UK specific (GDPR) — the rights above, plus the right to object to processing and the right to lodge a complaint with your local supervisory authority.

To exercise any of these, email info@chiaha.com with the subject line "Privacy request." We will respond within the legally required timeframe (typically 30 days, sometimes longer for complex requests).


International Transfers

ChiAha is based in the United States. Information you submit is processed and stored in the United States. If you are visiting from outside the US, you understand that your information will be transferred to and processed in the US, which may have different data-protection laws than your home jurisdiction. Where required, our service providers operate Standard Contractual Clauses or equivalent transfer mechanisms.


Children's Privacy

The ChiAha products and websites are not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please email info@chiaha.com and we will delete it.


Changes to this Policy

We may revise this Privacy Policy from time to time. Material changes will be announced at the top of this document and (where we have your email) by email notification. The "Last reviewed" date reflects the most recent edit; the "Effective" date is when the current version became binding.


Contact

For privacy questions, requests, or complaints:

  • Email: info@chiaha.com (subject line: "Privacy request")
  • Mail: ChiAha, Inc. — Attn: Privacy — 11826 Kingston Pike, Suite 230, Farragut, TN 37934, United States