Privacy Policy
Last updated: 29 March 2026
Star Wars Data Explorer (swdata.ai) is operated by Patrick Magee as a personal, non-commercial fan project. This policy explains what data is collected, how it is used, and your rights under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
1. Data controller
The data controller is Patrick Magee, an individual based in the United Kingdom. Contact: magaoidh.pro or via the GitHub repository.
2. What data is collected
Anonymous visitors (not signed in)
IP address — used for rate limiting only, held in server memory, not persisted to any database.
Google Analytics — only if you click “Accept All” on the cookie banner. See section 5.
Signed-in users
In addition to the above, the following is collected when you create an account and use authenticated features:
User ID — a unique identifier (UUID) from Keycloak, used to associate your data. Your name and email are stored in Keycloak, not in this site's database.
Chat history — your Ask AI conversations (questions, AI responses, tool calls, visualisations) are stored in MongoDB so you can resume them.
OpenAI API key (BYOK) — if you choose to provide one, it is encrypted at rest using ASP.NET Core Data Protection and only decrypted at the moment of an API call.
3. Legal basis for processing
| Data | Legal basis |
|---|---|
| Authentication cookies | Legitimate interest — necessary to provide the service |
| Chat history & settings | Consent — you choose to sign in and use these features |
| BYOK API key | Consent — you explicitly provide it |
| IP address (rate limiting) | Legitimate interest — preventing abuse |
| Google Analytics | Consent — only loaded after you accept the cookie banner |
4. Third-party services
Your data may be processed by the following third parties when you use certain features:
| Service | Data shared | Purpose |
|---|---|---|
| OpenAI | Your Ask AI messages | AI-powered question answering |
| Keycloak (self-hosted) | Email, username, social login profile | Authentication |
| Google Analytics | Page views, device info, approximate location | Usage analytics (consent required) |
| Google Fonts | IP address (font request) | Typography |
| Cloudflare | Traffic metadata | CDN / tunnel proxy |
5. Cookies and local storage
| Name / type | Category | Purpose |
|---|---|---|
| ASP.NET auth cookie | Essential | Maintains your login session |
| Antiforgery cookie | Essential | CSRF protection |
| sw_cookie_consent (localStorage) | Essential | Remembers your cookie preference |
| _ga, _ga_* | Analytics (consent required) | Google Analytics tracking |
6. Data retention
Chat sessions — retained until you delete them individually or use “Delete All My Data” in your Profile.
BYOK API key — retained until you remove it or delete all data.
Rate-limit data — held in server memory for 30 minutes, then automatically discarded.
Keycloak account — managed separately at auth.magaoidh.pro.
7. Your rights
Under UK GDPR and EU GDPR, you have the right to:
Access & portability — use “Export My Data” on your Profile page to download all your data as a JSON file.
Erasure — use “Delete All My Data” on your Profile page to permanently delete all stored data.
Withdraw consent — change your cookie preference at any time by clearing localStorage or using your browser settings.
Complain — you may lodge a complaint with the UK Information Commissioner's Office (ICO).
8. Data security
The site is served over HTTPS via Cloudflare. API keys are encrypted at rest. Authentication uses OpenID Connect with PKCE. The API service validates JWT tokens server-side. However, as a personal project, no formal security audit has been conducted and absolute security cannot be guaranteed.
9. Children
This site is not directed at children under 13. If you are under 13, please do not create an account or provide personal data.
10. Changes to this policy
This policy may be updated at any time. The “last updated” date at the top will be revised accordingly.