Privacy Policy

SCModeling, a ChiAha™ product · Last updated 2026-05-21

The short version

SCModeling is a public marketing + demo site for the SCModeling supply-chain network design + simulation platform. The real product is a desktop application — by design, real client network data never travels to the cloud. This site collects only the minimum needed to run the public sandbox, process newsletter/access signups, and prevent abuse. We do not sell or share your data with advertisers, and we do not use your inputs to train AI models.

What we collect
What we do NOT collect
How we use what we collect
Who we share data with
AI model training
Cookies
Retention
Your rights and how to exercise them
International users (GDPR, UK GDPR)
California users (CCPA / CPRA)
Children's privacy
Security
Changes to this policy
Contact

1. What we collect

1.1 Operational telemetry (every visitor)

IP address — processed in memory by the rate limiter (sliding window) and appears in Fly.io's platform HTTP access logs (retained per Fly's standard log window, up to 30-90 days). IP is not written to any durable file on our side.
User-agent string — appears in Fly's transient HTTP access logs only; not persisted by us.
Timestamp, request path, response status, response time — standard HTTP access logging.

1.2 Network Sandbox (`/sandbox`)

The sandbox is a structural sketcher + curated-demo runner. It is sample-only by policy. The simulation and design engines (sc-sim, GreenfieldAnalysis) are reserved for the bundled sample models; the “Sketch your network” flow is structural-only and never runs the engines on your data.

Any CSV you paste or upload to the Sketch panel is processed entirely in your browser. It is not sent to our servers and is not stored on disk on our side.
The sandbox can ask POST /api/geocode to resolve place names through OpenStreetMap Nominatim when local + canonical caches don't have a match. The names you submit travel to Nominatim (governed by their Usage Policy); we cache returned coordinates in process for the lifetime of the current server instance. Rate-limited to 8 requests / IP / 60 seconds, max 30 names per request.
The “Ask the model” bar is a rule-based reader operating on the current page's state — it does not send your sketch to any AI service.

1.3 Simulation requests (`/api/simulate`, `/mcp`)

The public sandbox and MCP can invoke the sc-sim engine on a small, whitelisted set of sample models (simple-sc-demo, cookie-making, supply-chain-demo). The inputs are model identifiers, not your network data.
Results are cached server-side in process for performance; the cache is purely model-input keyed, not user-identifiable.

1.4 Public MCP API (`scmodeling.com/mcp`)

SCModeling publishes a public Model Context Protocol server at scmodeling.com/mcp, intended for use from Claude / ChatGPT / Cursor / other MCP clients. It exposes three tools:

Tool	Input	Returns
`run_simulation`	`model_id` (string; one of `simple-sc-demo`, `cookie-making`, `supply-chain-demo`)	Metrics, inventory time-series, orders, shipments, routing, and BOM from a real sc-sim discrete-event run
`list_models`	none	Catalog of the bundled sample models
`get_sc_theory`	none	Static reference guide to supply-chain simulation concepts (ordering policies, BOM, FDD formulas, event-driven simulation)

There is no authentication, signup, account, or payment surface on the MCP endpoint. The endpoint is rate-limited per IP (30 requests / 60 seconds). We do not persist per-tool-call records to disk on the MCP path; the only durable records of MCP traffic are the standard HTTP access logs in Fly's platform window.

1.5 Get-access signup (`/signup`, only if you submit the form)

If you submit the access-request form, we pass your email and any submitted fields to the ChiAha gateway service (apps.chiaha.com/api/service/contact), which forwards into our CRM (ActiveCampaign) for product-update emails. A Slack notification fires to our internal #signups channel.
You can unsubscribe at any time via the link in any email we send.

1.6 Analytics (Google Tag Manager + GA4)

We use Google Tag Manager (container GTM-NL7VDMTV) and Google Analytics 4 to count pageviews, traffic sources, and aggregate usage. GA4 collects standard browser/device fingerprints; IP anonymization is enabled where supported.

2. What we do NOT collect

No client network data. The SCModeling product is a desktop application by design — your supply-chain network, customer locations, demand, BOM, and lane data stay on your machine. The public sandbox never runs the optimization or simulation engines on your data; only on the bundled sample models.
No account data. There is no signup or login on the marketing site itself; the get-access form passes your email to our CRM but no account is provisioned by this site.
No payment data. Pricing and purchase happen offline.
No third-party advertising trackers. No retargeting pixels, no ad-network beacons.
No sensitive personal information. We do not request or collect race, religion, sexual orientation, health, financial, biometric, or precise geolocation data.

3. How we use what we collect

Run the sandbox, simulation, and MCP features against bundled sample models.
Detect and prevent abuse (rate-limit floods, scraping).
Compute aggregate site analytics for product decisions.
Send you product emails if you submitted the access-request form.

We do not use any of the data we collect for advertising, profiling, or automated decisions that produce legal or similarly significant effects on you.

4. Who we share data with

Fly.io — hosts the application and the standard HTTP access logs. fly.io/legal/privacy-policy
OpenStreetMap Nominatim — receives place-name queries when the sandbox's geocode lookup falls through the local cache. Nominatim usage policy
ActiveCampaign — receives your email for the product-update list (only if you submitted the signup form). activecampaign.com/legal/privacy-policy
Anthropic — if and when the AI chat scaffold is enabled (currently dormant pending an API-key handoff), chat messages will be sent to Anthropic via their Messages API. anthropic.com/legal/privacy
OpenAI / other MCP clients — if you invoke our MCP from ChatGPT, Claude.ai, Cursor, Smithery, or another client, your inputs pass through that client before reaching us; that client's privacy policy governs its handling.
Google (Tag Manager + Analytics 4) — receives aggregate site analytics. policies.google.com/privacy

We do not sell, rent, or trade your data to anyone. We do not "share" personal information for cross-context behavioral advertising as that term is defined under California law.

5. AI model training

We do not use any of the data we collect to train AI models. The sandbox, the MCP, the access-signup, and the analytics are not used to train Claude or any other model on our side.
Anthropic processes API traffic. Per Anthropic's published policy, Anthropic does not train its public models on API traffic by default. See their commercial terms.
OpenAI processes MCP traffic that reaches them via ChatGPT or other OpenAI clients. OpenAI's data-use policy governs that traffic.
Other MCP clients have their own data-use policies. If you connect the SCModeling MCP from a third-party client, review that client's terms.

6. Cookies

SCModeling sets only first-party cookies necessary for the analytics integration. We do not set any advertising or cross-site tracking cookies.

Cookie	Source	Purpose	Lifetime
`_ga`	Google Analytics 4 (via GTM)	Distinguishes unique visitors for aggregate analytics	~2 years (Google default)
`_ga_<property-id>`	Google Analytics 4 (via GTM)	Session state for GA4	~2 years (Google default)

The sandbox also uses browser localStorage (not a cookie) to cache user-resolved coordinates for the geocode lookup feature. This data stays in your browser and is never sent to our servers; you can clear it via the "Clear" link in the Sketch panel.

7. Retention

What	Where	Retention
HTTP access logs (IP, UA, path, status)	Fly.io platform logs	Up to 90 days (Fly's standard log window)
In-memory rate-limit state and geocode cache	Application memory	Resets on every server restart / deploy
Simulation result cache	Application memory	Resets on every server restart / deploy
Newsletter / access-request subscriber list	ActiveCampaign	Until you unsubscribe, after which the address is suppressed
GA4 aggregate analytics	Google Analytics property 433243670	14 months (configured GA4 default)

8. Your rights and how to exercise them

If you want to exercise a specific right, email scmodeling@chiaha.com and include:

What action you want. Common options: access (a copy of any data we hold on you), deletion, correction, opt-out of analytics, unsubscribe from emails.
Any identifier we'd have on file. For email-list requests, your email. For sandbox or MCP requests, the approximate date/time and the IP you were using.

We respond within 5 business days.

9. International users (GDPR, UK GDPR)

SCModeling is operated from the United States. If you are accessing it from the European Economic Area, the United Kingdom, or another jurisdiction with similar data-protection laws, your data is transferred to and processed in the United States.

Our lawful bases for processing (under GDPR Article 6):

Legitimate interest — for operational telemetry, rate limiting, abuse prevention, and aggregate analytics.
Consent — for signup form submission. You can withdraw consent at any time by emailing us or unsubscribing.

You have the rights of access, rectification, erasure, restriction, portability, and objection. If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.

10. California users (CCPA / CPRA)

If you are a California resident:

Categories of personal information we collect: identifiers (IP address, email address if you submit the form), internet/network activity (user agent, request paths, GA4 cookies). We do not collect any sensitive personal information as defined under CPRA.
Sources: directly from you (signup form, sandbox inputs) and from automated server logs.
Purposes: see Section 3 above.
Sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising.
Rights: you have the right to know, to delete, to correct, to limit use of sensitive personal information (not applicable since we collect none), and to opt out of sale or sharing (not applicable).

11. Children's privacy

SCModeling is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at scmodeling@chiaha.com and we will delete it.

12. Security

Infrastructure runs on Fly.io with TLS terminating at the edge. There are no user passwords or accounts on the public marketing site. The MCP endpoint is rate-limited; the signup form is HMAC-signed at the gateway. We do not make HIPAA or SOC 2 claims because we do not collect the kind of data those frameworks govern.

13. Changes to this policy

If we make material changes, we'll update this page and revise the "Last updated" date above. Check back occasionally if it matters to you.

14. Contact

Questions, requests, or concerns: scmodeling@chiaha.com. We aim to respond within 5 business days.