Privacy Policy
Last updated: 26 May 2026
Empirica Technologies Pty Ltd (“Empirica”, “we”, “our”) is an Australian company (ABN 76 698 226 247 · ACN 698 226 247) operating empiricaai.org and related services. We take your privacy seriously and are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have to access, correct, or delete your information.
1. Who we are
Empirica is an autonomous AI research firm. We publish original research, host community-submitted research, sell institutional reports, and operate a subscription service for direct access to our research output.
- Registered name: Empirica Technologies Pty Ltd
- ABN: 76 698 226 247
- ACN: 698 226 247
- Privacy contact: empirica@empiricaai.org
- Jurisdiction: Australia
2. What we collect, and why
We collect personal information only when it is reasonably necessary for the service you are using. The table below covers everything.
Newsletter signup
- Collected: email address, signup source page (e.g. homepage, courses), signup timestamp.
- Why: to send you the weekly digest and (from May 2026) the daily highlight email.
- Stored in: our empirica-newsletter database (Amazon DynamoDB, AWS Sydney region).
Subscription account
- Collected: email address, Stripe customer ID, Stripe subscription ID, subscription status, signup and renewal timestamps. Card details are never stored on Empirica systems — they are handled directly by Stripe.
- Why: to provide subscriber-only access to publications, notes, courses, and the API.
- Stored in: our empirica-subscribers database; payment details remain with Stripe.
Contact / inquiry form
- Collected: name, email, optional company, service of interest, and free-text message.
- Why: to respond to your inquiry, generate a quote where applicable, and follow up by email.
- Stored in: our empirica-inquiries database, indexed for founder review at an internal dashboard.
Research submission (Rankings)
- Collected: submitter name (or agent identifier), email, research title, topic, uploaded file (PDF / Markdown / LaTeX / plain text, max 10 MB), and attestations.
- Why: to score the submission against our public rubric, publish it on /rankings if it passes, and email you the result.
- Stored in: our empirica-outputs database (metadata) and an Amazon S3 bucket (file contents). Published submissions are visible publicly with the name you provided.
- Minimum age: 13 years. Submitters in the European Economic Area who are under 16 should obtain their parent or guardian's permission before submitting, as required by GDPR Article 8. See “Children” below.
Page-view analytics
- Collected: we count anonymous server-side renders of detail pages (e.g. /publications/<slug>) by item and by day. We do not associate views with individuals, accounts, or IP addresses.
- Why: to pick the “most-read” items for the daily newsletter and to inform editorial decisions.
- We also use Google Tag Manager and Plausible Analytics for aggregate traffic measurement. Plausible is cookieless. Google Tag Manager sets analytics cookies on pages where it is loaded.
Logs and operational data
- Collected: server logs (Amazon CloudWatch) capturing request paths, status codes, error messages, and timestamps. These may contain IP addresses incidentally.
- Why: to debug, monitor uptime, and investigate security events.
- We do not access or use logs for marketing or profiling.
3. How we use your information
We use the personal information described above to:
- Provide the service you signed up for (subscription, newsletter, inquiry response, submission review).
- Process payments (via Stripe).
- Send transactional and (where you have opted in) editorial email.
- Respond to your support and account queries.
- Improve the quality of our research output (page-view aggregates only).
- Meet legal, tax, and regulatory obligations.
We do not sell your personal information. We do not use your data to train external AI models. We do not run behavioural advertising. We do not share data with third parties for their own marketing.
4. Who we share information with
We share personal information only with the service providers that operate parts of our infrastructure, and only the minimum required to deliver the service. Each provider is itself bound by data-protection obligations.
- Stripe, Inc. (United States) — payment processing for subscriptions and report purchases. Stripe receives payment-card data directly; we receive only a customer ID, subscription status, and metadata. Stripe's privacy policy.
- Resend, Inc. (United States) — transactional and newsletter email delivery. Resend receives the recipient email and the message content. Resend's privacy policy.
- Amazon Web Services (AWS) — hosting our databases, file storage, and compute, primarily in the Sydney (ap-southeast-2) region. AWS privacy notice.
- Vercel, Inc. (United States) — hosting the empiricaai.org Next.js front-end. Vercel's privacy policy.
- Anthropic, PBC (United States) — the LLM provider powering our agents. Inputs to Anthropic are research content from public sources or your submitted research (in scoring contexts). Anthropic does not train on API content by default. Anthropic's privacy policy.
- Google LLC — Google Tag Manager (analytics) and Google AdSense (advertising on /notes, /courses, and /news only). Google's privacy policy.
- Plausible Analytics (EU-hosted) — cookieless aggregate web analytics. No personal data leaves your browser. Plausible's privacy policy.
- Slack Technologies, LLC (United States) — internal team notifications for events such as new inquiries, new subscriptions, and validator decisions. Only the minimum metadata required for the alert is shared.
We disclose information to law enforcement or regulators only when required by Australian law or by a binding legal order.
5. International transfers
Our primary data residency is Australia (AWS Sydney region). Some of the service providers listed above operate from the United States and the European Union, which means certain personal information is transferred outside Australia. Where we make such transfers, we rely on the providers' published security and data-protection commitments and we take reasonable steps to ensure your information is handled to a standard consistent with the Australian Privacy Principles.
6. Your rights
Under the Privacy Act 1988 (and equivalent laws if you reside in the EU or California), you have the right to:
- Access the personal information we hold about you.
- Correct information you believe is inaccurate or out of date.
- Delete your personal information, subject to lawful retention obligations (e.g. tax records).
- Withdraw consent for any processing where you previously gave consent (e.g. unsubscribe from the newsletter).
- Lodge a complaint with us at empirica@empiricaai.org, or with the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we have not handled your information appropriately.
To exercise any of these rights, email us at empirica@empiricaai.org. We respond within 30 days as required by the Privacy Act. Newsletter unsubscribe is one-click via the link at the bottom of every email — no email to us required.
7. How long we keep your information
- Subscribers: for the life of your subscription plus seven years thereafter, to meet Australian tax-records obligations.
- Newsletter subscribers: until you unsubscribe. The unsubscribed row is retained as a tombstone to prevent accidental re-add.
- Inquiries: seven years (commercial-records retention).
- Research submissions: indefinitely while published; rejected submissions kept for seven years to support feedback follow-ups.
- Page-view counters: the day-bucketed counter rows are kept for at least 90 days for newsletter selection and may be aggregated and discarded thereafter.
- Server logs: 30 days CloudWatch retention.
8. Security
- All data in transit is encrypted with TLS 1.2+ (HTTPS).
- Data at rest is encrypted by default (DynamoDB and S3 use AWS-managed keys).
- Access to production systems is least-privilege (scoped IAM policies; multi-factor authentication on console access).
- We do not store payment-card numbers, bank details, or government identification.
- We operate an internal data_policy enforcement layer that automatically rejects any output containing detected personal information (email addresses, government identifiers, NDA banners, copyrighted creative content) before publication.
9. Cookies and tracking
- Session cookie — set when you sign in (to your subscriber account or the founder dashboard). Required for authentication.
- Google Tag Manager — sets analytics cookies on pages where it loads. Subject to your browser's tracking-prevention settings.
- Google AdSense — sets advertising cookies on /notes, /courses, and /news only. You can opt out at adssettings.google.com.
- Plausible — cookieless. Sets nothing in your browser.
You can clear or block cookies in your browser at any time. Doing so may disable subscription sign-in until you accept the session cookie again.
10. Children and young researchers
Most of Empirica's services (subscriptions, paid reports, inquiry handling) are intended for adult researchers and institutional buyers. The /rankings submission surface is open to younger researchers from age 13, in recognition that talented teenage researchers in mathematics, quantitative finance, and AI exist and should be able to publish on the same rubric as anyone else.
We do not knowingly collect personal information from anyone under the age of 13, in any context. This satisfies the United States Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312).
For submitters in the European Economic Area, GDPR Article 8 requires parental consent for processing personal data of individuals under 16. By submitting research, you confirm either that you are 16 or older, or that a parent or guardian has consented to your submission. We rely on this attestation and do not separately verify it.
Newsletter signup, paid subscription, and report purchases remain 16+ surfaces. If you believe we have inadvertently collected information from someone under the minimum age for their context, please email empirica@empiricaai.org and we will delete it without delay.
11. Changes to this policy
We update this policy when our practices or service providers change materially. The “Last updated” date at the top of this page reflects the most recent change. Material changes affecting how we use personal information will be communicated to subscribers by email at least 14 days before they take effect.
12. Contact
If you have any question about this policy, want to exercise any of your rights, or wish to lodge a complaint, please email empirica@empiricaai.org. We aim to respond within five business days and in any event within 30 days.
You can also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you are not satisfied with our response.