Last updated: 29 March 2026 · Version 1.0
Short version: Physimlab collects your email and password when you create an account. It saves your exploration progress locally in your browser. It stores newsletter subscriptions and simulation suggestions. Nothing is shared with third parties or used for advertising.
1. Who is responsible for your data
Physimlab is a non-commercial, educational project operated by an individual developer. No company or legal entity collects or processes your data.
- Contact: physimlab@gmail.com
- Website: physim.io
2. What data we collect and why
2.1 Account registration (optional)
If you create an account you provide:
- Email address — used to identify your account and send newsletters if you opt in
- Password — stored as a salted PBKDF2 hash (we never see your plaintext password)
- Display name — shown in your profile
Legal basis: Contract performance (Art. 6(1)(b) GDPR) — the account only exists to provide the service.
2.2 Newsletter subscription (optional)
If you tick "subscribe to updates" or sign up via the newsletter form, we store your email to send announcements about new simulations. You can unsubscribe at any time using the link in any email.
Legal basis: Consent (Art. 6(1)(a) GDPR).
2.3 Simulation suggestions
If you submit a suggestion via the "Suggest a Sim" button, the text of your suggestion and the page you were on are stored. No personal data is required or stored alongside it unless you are logged in, in which case your user ID is associated with the suggestion.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — improving the service.
2.4 Explorer progress (browser only)
The list of simulations you have opened is saved in your browser's localStorage. This data never leaves your device and is not sent to our servers. It is used purely to show your exploration progress badge.
2.5 Authentication sessions
When you log in, a JSON Web Token (JWT) is stored in localStorage on your device. This token expires after 7 days. It is sent with API requests to authenticate you. It is not a cookie.
3. Storage and cookies
| Storage item | Where stored | Purpose | Expiry |
|---|---|---|---|
| physim_token | Your browser (localStorage) | Authentication JWT | 7 days or until you log out |
| physim_theme | Your browser (localStorage) | Dark/light mode preference | Until cleared |
| explored_sims | Your browser (localStorage) | Simulations you have opened | Until cleared |
| cookie_ok | Your browser (localStorage) | Records that you dismissed the cookie banner | Until cleared |
Physimlab does not use advertising cookies, tracking pixels, or third-party analytics. The only third-party request is loading KaTeX (equation renderer) from cdn.jsdelivr.net — a public CDN that does not track users.
4. Where your data is stored
Account data (emails, hashed passwords, suggestions) is stored in a Cloudflare D1 SQLite database located in Cloudflare's infrastructure (EU/US edge nodes). Session tokens are stored in Cloudflare KV. Both are subject to Cloudflare's data processing terms.
The Physimlab website is served via Cloudflare Pages globally.
5. How long we keep your data
- Account data: Until you request deletion
- Newsletter subscriptions: Until you unsubscribe
- Simulation suggestions: Indefinitely (used for product development)
- Session tokens: 7 days (automatic expiry)
6. Your rights (GDPR)
Under the General Data Protection Regulation you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion of your account and all associated data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — unsubscribe from the newsletter at any time
- Lodge a complaint — with your national data protection authority (e.g. AEPD in Spain, ICO in the UK, CNIL in France)
To exercise any of these rights, email physimlab@gmail.com. We will respond within 30 days.
7. Data security
- Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations — never stored in plaintext
- All connections use TLS 1.3 (enforced via HSTS)
- Authentication uses signed JWTs (HMAC-SHA256)
- Login attempts are rate-limited to 5 per minute per IP
- Admin endpoints require authentication and are not accessible without a valid admin session
8. Third-party services
- Cloudflare — hosting, CDN, DDoS protection. Cloudflare processes requests passing through its network. See Cloudflare Privacy Policy.
- jsDelivr (cdn.jsdelivr.net) — serves KaTeX for equation rendering. No user data is sent. See jsDelivr Privacy Policy.
- MailChannels — used to send newsletter and transactional emails via the Cloudflare Worker. See MailChannels Privacy Policy.
9. Children
Physimlab is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
10. Changes to this policy
If we make significant changes, we will update the date at the top of this page and, where appropriate, notify newsletter subscribers. Continued use of Physimlab after changes constitutes acceptance of the updated policy.
11. Contact
For any privacy-related request or question, email physimlab@gmail.com. We aim to respond within 30 days.