Privacy Policy

Effective Date: May 19th, 2026

Entity: The Carpocratian School, Inc. (“School,” “we,” “us,” or “our”)

1. Scope

This Privacy Policy describes how we process personal information when individuals (“you”) access or use our public website, curated search engine, MCP server endpoints, archive interfaces, and related public-facing services (collectively, the “Site”). This Policy does not apply to third-party websites or services linked from the Site, or to third-party destinations you choose to access from search or archive results.

2. Information We Collect

Server/Network Logs. When you access the Site, our servers may automatically record technical data ("Log Data"), which can include IP address, date/time of request, request method, requested path, HTTP status and size, referrer URL (if provided), and User-Agent string (browser/OS/device). We configure logging to minimize routine collection where practical, and some Site services or endpoints may generate reduced logs or no access logs at all.

Search, MCP, and Archive Requests. When you use our curated search engine, MCP server endpoints, or archive interfaces, our systems necessarily receive the contents of your request in order to process it. Depending on the service, this may include search terms, endpoint paths, query parameters, request bodies, tool or prompt inputs, selected options (such as SafeSearch), and related technical metadata needed to process the request, return results, diagnose errors, and protect the service from abuse. Such request contents are not necessarily retained in ordinary web-server access logs and may instead be processed transiently in memory or retained only in limited operational or error contexts.

Analytics. We use a self-hosted analytics platform (Goatcounter) to measure traffic and usage of the Site. This platform collects limited technical information such as page URL, referrer, user agent, language, and IP address (with anonymization), but does not use tracking cookies, persistent identifiers, or cross-site profiling.

3. Sources of Information

We obtain Log Data automatically from your device and browser when the Site is requested. We also obtain request information directly from you when you submit search queries, connect to MCP server endpoints, request archive content, or load pages on which our self-hosted analytics service is enabled. We may also receive limited technical information from our hosting provider, infrastructure vendors, or content delivery/network security services (if used).

4. Purposes of Processing

We process Log Data and service request data to operate, secure, and maintain the Site; process search, archive, and MCP requests; measure availability and performance (e.g., uptime, error rates); detect, investigate, and mitigate fraud, abuse, and security incidents; enforce service limits and policies; and generate aggregated, non-identifiable statistics for capacity planning. We do not use such data for targeted advertising or profile building.

5. Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, we process Log Data based on our legitimate interests (Art. 6(1)(f)) in operating a secure, reliable website and preventing abuse, and where necessary to comply with legal obligations (Art. 6(1)(c)).

6. Retention

We retain raw Log Data for 7 days for operational and security purposes, after which it is deleted or anonymized. Some services or endpoints may use reduced logging or no access logging at all. Search, MCP, and archive request records are retained only as long as reasonably necessary to operate the service, troubleshoot failures, monitor abuse, and maintain security. We may preserve specific logs or request records longer where reasonably necessary to investigate or document a security incident, comply with law, or establish, exercise, or defend legal claims.

7. Disclosures and Recipients

We may disclose personal information to: (a) service providers/processors (e.g., hosting, infrastructure, DDoS protection/CDN, and analytics infrastructure) strictly to provide the Site and subject to contractual confidentiality and security obligations; (b) search and content providers, where necessary to fulfill a search request or retrieve third-party content through our services; (c) legal and safety recipients, where required by law, subpoena, or court order, or to protect rights, safety, or the integrity of the Site; and (d) corporate governance recipients, such as our officers, directors, counsel, and auditors.

We do not sell or "share" personal information for cross-context behavioral advertising.

Where we use Goatcounter analytics hosted on our own infrastructure (or through a service provider acting on our behalf), limited technical information may be processed solely to provide website analytics, subject to confidentiality and security obligations.

Our curated search service is built on SearXNG. When you use that service, your query may be transmitted by our server to selected upstream search providers in order to retrieve results. Those upstream providers may process the query and technical request metadata associated with the server-to-server request under their own terms and privacy practices. In addition, if you click through to a result, the destination site will receive information directly from your browser, subject to that site's own policies.

8. International Transfers

If data is processed outside your jurisdiction, we take appropriate measures under applicable law (e.g., Standard Contractual Clauses for EEA/UK transfers) to protect personal information.

9. Security

We implement reasonable technical and organizational measures appropriate to the risk, including network-level protections, access controls, rate limiting, selective logging minimization, and log review. No system is 100% secure, and we cannot guarantee absolute security.

Our curated search engine is configured to use a strict SafeSearch setting by default where supported by the relevant search source, but filtering depends in part on third-party engines and content sources and cannot guarantee that all results will be suitable for every user or every context.

10. Your Rights

Your rights depend on your location and applicable law. Subject to limitations, you may have rights to request access, correction, deletion, restriction, objection (including to processing based on legitimate interests), and portability.

How to exercise: See Section 14. We will respond as required by law and may request information to verify your identity.

EEA/UK: You may complain to your local supervisory authority. U.S. state privacy laws: If and when such laws apply to us, you may have rights to know, access, delete, correct, or opt out of certain processing. We do not sell or share personal information. Nonprofit exemptions may apply.

11. Children’s Privacy

The Site is not directed to children under 13 (or the relevant age of digital consent). We do not knowingly collect personal information from children. If you believe a child provided personal information, contact us to request deletion.

12. Do Not Track

We use Goatcounter analytics, which does not rely on cookies or persistent identifiers, but does process limited technical information to provide aggregated usage statistics. Because there is no common industry standard for responding to “Do Not Track” signals, we do not respond to such signals.

13. Changes to This Policy

We may update this Policy from time to time. The “Effective Date” reflects the latest version. Material changes will be posted to the Site.

14. Contact

The Carpocratian School, Inc.
Attn: Privacy
82 Wendell Ave.
Pittsfield, MA 01201
Email: privacy@carpocratian.org