Privacy Policy
QueueSim, a ChiAha™ product · Last updated 2026-05-21
The short version
QueueSim is a free queueing simulator. There's no signup, no account, no payment. We collect the minimum metadata needed to run the service, prevent abuse, and keep the lights on. We do not retain the content of your chat conversations unless you explicitly click the Report button on an AI response. We do not sell, rent, or share your data with advertisers, and we do not use your inputs to train AI models. All telemetry is automatically purged after 90 days.
Contents
1. What we collect
1.1 Operational telemetry (every visitor)
Every HTTP request to queuesim.com generates standard server logs:
- IP address — processed in memory by the rate limiter (20 simulation requests / 60 seconds per IP) and appears in Fly.io's platform HTTP access logs (retained per Fly's standard log window, up to 30-90 days). The IP is not written to any of our durable JSONL files; those store a non-reversible session hash (SHA-256 of IP + user-agent bucket, first 16 hex chars) for same-client correlation within the retention window.
- User-agent string — bucketed into broad categories (
claude.ai,chatgpt,cursor,smithery,browser,(other)) for usage analytics. Only the bucket label is written to durable storage; the full UA string lives only in Fly's transient HTTP access logs. - Timestamp, request path, response status, response time — standard HTTP access logging.
1.2 Simulation inputs you submit at / or /models/{id}
- The numerical parameters you enter or that come from a hero scenario (arrival rate, server count, distribution choice, schedule, simulation days). These are abstract numbers about a hypothetical queue and do not constitute personal data.
- We do not link these inputs to your identity because we do not have one for you.
- For server-restart reconstruction and abuse audits, a single-line record per simulation run is appended to a server-side file (
/data/site-events.jsonl) containing the run timestamp, a non-reversible session hash (SHA-256 of your IP + user-agent bucket, first 16 hex chars), a user-agent bucket (e.g.browser,claude.ai), the referer's origin only (query strings stripped so click-tracking parameters are not captured), and the parameter ranges (min and max across the 24-hour input arrays plus distribution names). Retained for up to 90 days.
1.3 On-page AI chat (the floating Q bubble on queuesim.com)
If you open the chat widget and send a message, the following happens:
- Your message is sent to Anthropic via their Messages API to generate a response from Claude Sonnet 4.6. Anthropic's API does not train its public models on traffic from API calls by default; see Anthropic's data-use policy linked below.
- Your message and the assistant's response are not persisted to our durable storage. We only record per-turn metadata: timestamp, a non-reversible session hash (SHA-256 of your IP + user-agent, first 16 hex chars), the scenario you were on, input/output token counts, and a count of how many proposal cards the AI generated. This metadata feeds the aggregate counters at /api/chat-stats and is automatically purged after 90 days.
- Chat is rate-limited to 20 messages per rolling 24 hours per IP and capped at a monthly inference-spend budget.
- Optional content capture — Report button. Each assistant response has a small Report this response link. If you click it, a modal opens; if you submit it, we persist that specific exchange (your message, the assistant's response, your free-text note, the page-state snapshot at the time of the click, and the same session hash described above) to a separate file (
/data/reports.jsonl) for product debugging. No content is persisted unless you click Submit on that modal. Reports are subject to the same 90-day retention.
1.4 Public MCP API (queuesim.com/mcp/v1) — the Model Context Protocol server
QueueSim publishes a public Model Context Protocol server at queuesim.com/mcp/v1, listable in the OpenAI app directory, the Anthropic MCP registry, Smithery, Glama, and similar catalogs. It exposes nine read-only, pure-compute tools. Every tool takes abstract queueing parameters and returns simulation results — no tool reads from or writes to any persistent user store, and no tool accepts personally-identifying information as input.
| Tool | Required inputs | Optional inputs | Returns |
|---|---|---|---|
simulate_mmc |
arrivalRate (number, > 0, ≤ 200), serviceRate (number, ≥ 0.01, ≤ 10000), servers (integer, 1-50) |
arrivalDistribution (Exponential/Constant), serviceDistribution (Exponential/Constant/Normal/LogNormal), serviceCoV (0-5), simulationDays (1-30) |
Per-hour and overall avg wait time (minutes), peak wait, max wait, queue length, utilization, throughput, plus an artifact link to the interactive chart on queuesim.com |
simulate_scenario |
name (one of single, coffee, grocery, callcenter) |
overrides object with arrivalRate, servers, serviceTimeMinutes, simulationDays (1-30), distributions, and serviceCoV |
Same shape as simulate_mmc |
recommend_staffing |
arrivalRate, serviceRate, targetAvgWaitMinutes |
maxServers (1-50), simulationDays (1-30), distributions, serviceCoV |
Smallest server count whose simulated avg wait does not exceed the target, plus the trial points the search probed |
compare_scenarios |
scenarioA (simulate_mmc-shaped object), scenarioB (same) |
labelA, labelB |
Per-scenario inputs and summary, plus the delta on each metric |
interpret_result |
arrivalRate, serviceRate, servers, avgWaitMinutes |
none | A plain-English queueing-theory explanation of the result; pure text computation, no engine call |
list_scenarios |
none | none | The four preset scenarios with key, title, and description |
describe_scenario |
name (one of single, coffee, grocery, callcenter) |
none | The scenario's full configuration (hourly arrival rates and staffing) plus the list of supported overrides |
explain_queueing_theory |
none | none | Static textbook-level explainer on M/M/c, Little's Law, utilization, variance |
explain_advanced_patterns |
none | none | Static explainer covering six complexity patterns beyond M/M/c |
What we log per tool invocation: tool name, success/failure, duration in milliseconds, a non-reversible session hash (SHA-256 of your IP + user-agent bucket, first 16 hex chars), the user-agent bucket, the calling MCP client name (e.g. claude.ai, chatgpt, cursor, smithery), and the numerical input parameters you supplied (truncated to 1 KB). These rows go to /data/mcp-tool-calls.jsonl on the application server's encrypted volume and are automatically purged after 90 days. The session hash lets us correlate same-client repeat traffic for abuse forensics within the retention window without storing the IP itself. The input parameters are anonymous numbers (arrival rates, server counts) and do not constitute personal data.
There is no authentication, signup, account, or payment surface on the MCP endpoint. The endpoint is rate-limited per IP to prevent abuse.
1.5 Newsletter signup (only if you opt in)
- If you submit your email through the "Join our list" form on the site, we pass it to ActiveCampaign for transactional and product-update emails.
- You can unsubscribe at any time via the link in any email we send.
- The email + a signup timestamp are retained until you unsubscribe.
1.6 Analytics (Google Tag Manager + GA4)
- We use Google Tag Manager (container
GTM-NL7VDMTV) and Google Analytics 4 to count pageviews, traffic sources, and aggregate usage. GA4 collects standard browser/device fingerprints; IP anonymization is enabled where supported by the platform. - Aggregate counters (total simulations run, top tools called, total chat turns) are also exposed at /api/mcp-stats, /api/chat-stats, and /api/abuse-signals. These endpoints expose only aggregate numbers and contain no individually identifiable data.
2. What we do NOT collect
- No account data. There is no signup or login on QueueSim — there is nothing to leak.
- No payment data. The tool is free.
- No content from the on-page chat by default. Your messages and the AI's replies are not persisted unless you click the Report button on a specific exchange.
- No third-party advertising trackers. No retargeting pixels, no ad-network beacons.
- No cross-site tracking beyond what GA4 does for its own pageview attribution.
- No sensitive personal information. We do not request or collect race, religion, sexual orientation, health, financial, biometric, precise geolocation, or other categories defined as sensitive under California's CPRA.
3. How we use what we collect
- Run the simulator, chat, and MCP features.
- Detect and prevent abuse (rate-limit floods, scraping, validation attacks).
- Compute aggregate usage statistics (total simulations, top tools, turns per day) to inform product decisions.
- Investigate reported quality issues when a user explicitly submits a report via the Report button.
- Send you product emails if you opted into the newsletter.
We do not use any of the data we collect for advertising, profiling, or automated decisions that produce legal or similarly significant effects on you.
4. Who we share data with
- Fly.io — hosts the application and stores logs and the encrypted volume that holds the JSONL files described above. fly.io/legal/privacy-policy
- Anthropic — processes your on-page-chat messages, and processes MCP tool invocations when you call the MCP from a Claude/Anthropic client. anthropic.com/legal/privacy
- OpenAI — if you invoke our MCP from ChatGPT, the ChatGPT App Directory, or another OpenAI platform, your inputs pass through OpenAI's pipeline before reaching us; OpenAI's privacy policy governs that leg of the journey. openai.com/policies/privacy-policy
- Other MCP clients — if you invoke our MCP from Cursor, Smithery, Glama, or any other third-party MCP client, that client's privacy policy governs its handling of your inputs before they reach us.
- ActiveCampaign — receives your email for the newsletter (only if you opted in). activecampaign.com/legal/privacy-policy
- Google (Tag Manager + Analytics 4) — receives aggregate site analytics. policies.google.com/privacy
We do not sell, rent, or trade your data to anyone. We do not "share" your personal information for cross-context behavioral advertising as that term is defined under California law.
5. AI model training
- We do not use any of the data we collect to train AI models. The on-page chat, the MCP, the newsletter, and the analytics are not used to train Claude or any other model on our side.
- Anthropic processes on-page chat messages and MCP traffic that reaches them via Claude clients. Per Anthropic's published policy, Anthropic does not train its public models on API traffic by default. See their commercial terms.
- OpenAI processes MCP traffic that reaches them via ChatGPT or other OpenAI clients. OpenAI's data-use policy governs that traffic.
- Other MCP clients have their own data-use policies. If you connect the QueueSim MCP from a third-party client, review that client's terms.
6. Cookies
QueueSim sets only first-party cookies necessary for the analytics integration. We do not set any advertising or cross-site tracking cookies.
| Cookie | Source | Purpose | Lifetime |
|---|---|---|---|
_ga |
Google Analytics 4 (via GTM) | Distinguishes unique visitors for aggregate analytics | ~2 years (Google default) |
_ga_<property-id> |
Google Analytics 4 (via GTM) | Session state for GA4 | ~2 years (Google default) |
cf_chl_*, cf_clearance (occasional) |
Cloudflare Turnstile (anti-bot for the chat endpoint) | Verifies the chat POST originates from a browser rather than a scripted client | Session / short-lived |
Browsers in the EU/UK that have not signaled consent for analytics cookies may still receive standard server-log telemetry (IP, UA) but the GA4 cookies will not be set.
7. Retention
All durable QueueSim-side storage is automatically aged out via a background retention service that runs every 24 hours. The 90-day window is enforced by code, not just promised.
| What | Where | Retention |
|---|---|---|
| HTTP access logs (IP, UA, path, status) | Fly.io platform logs | Up to 90 days (Fly's standard log window) |
| Site-event JSONL (per page hit + simulation run) | /data/site-events.jsonl |
90 days, enforced by retention cron |
| MCP tool-call JSONL (per tool invocation, includes anonymous tool inputs) | /data/mcp-tool-calls.jsonl |
90 days, enforced by retention cron |
| Chat-history JSONL (aggregate metadata only — no message content) | /data/chat-history.jsonl |
90 days, enforced by retention cron |
| Reports (user-submitted chat content via the Report button) | /data/reports.jsonl |
90 days, enforced by retention cron |
| In-memory rate-limit state and counters | Application memory | Resets on every server restart |
| Newsletter subscriber list | ActiveCampaign | Until you unsubscribe, after which the address is suppressed |
| GA4 aggregate analytics | Google Analytics property 433243670 | 14 months (configured GA4 default) |
8. Your rights and how to exercise them
Because we do not link logs to an identity, there is usually nothing to "delete" beyond what ages out automatically within 90 days. If you want to exercise a specific right, email queuesim@chiaha.com and include:
- What action you want. Common options: access (a copy of any data we hold on you), deletion, correction, opt-out of analytics, unsubscribe from the newsletter.
- Any identifier we'd have on file. For newsletter requests, that's your email. For chat or MCP requests, that's the approximate date/time (in UTC if possible) and either the IP you were using or a phrase from a message you remember sending — we can grep the relevant JSONL.
We respond within 5 business days. If you submitted a chat Report via the chat widget and want it withdrawn, include the approximate timestamp and the scenario you were on (e.g. "Coffee Shop, May 15 around 2pm Eastern") — the session hash plus the timestamp lets us find your specific row in /data/reports.jsonl and remove it.
9. International users (GDPR, UK GDPR)
QueueSim is operated from the United States. If you are accessing it from the European Economic Area, the United Kingdom, or another jurisdiction with similar data-protection laws, your data is transferred to and processed in the United States.
Our lawful bases for processing (under GDPR Article 6) are:
- Legitimate interest — for operational telemetry, rate limiting, abuse prevention, and aggregate analytics. The interest is operating the free service securely and improving it; we minimize what we collect to what's needed for those purposes.
- Consent — for newsletter signup (you submit the form) and for chat reports (you click Submit on the modal). You can withdraw consent at any time by emailing us or unsubscribing.
- Contract performance — not applicable; there is no contract because there is no account.
You have the rights of access, rectification, erasure, restriction, portability, and objection. See Section 8 above for how to exercise any of these. If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.
10. California users (CCPA / CPRA)
If you are a California resident:
- Categories of personal information we collect: identifiers (IP address), internet/network activity (user agent, request paths, GA4 cookies), and inferences drawn solely from aggregate usage patterns. We do not collect any sensitive personal information as defined under CPRA.
- Sources: directly from you (newsletter, simulation inputs, chat messages, reports) and from automated server logs (IP, UA, timestamps).
- Purposes: see Section 3 above.
- Sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising.
- Rights: you have the right to know, to delete, to correct, to limit use of sensitive personal information (not applicable since we collect none), and to opt out of sale or sharing (not applicable). To exercise any of these, email queuesim@chiaha.com.
11. Children's privacy
QueueSim is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at queuesim@chiaha.com and we will delete it.
12. Security
Infrastructure runs on Fly.io with TLS terminating at the edge and encrypted persistent volumes. There are no user passwords or accounts to compromise. The MCP and chat endpoints are rate-limited; the chat endpoint is additionally budget-capped. The retention service automatically purges rows older than 90 days from durable storage. We do not make HIPAA or SOC 2 claims because we do not collect the kind of data those frameworks govern.
13. Changes to this policy
If we make material changes, we'll update this page and revise the "Last updated" date above. Because there are no accounts, there is no email list of users to notify; check back occasionally if it matters to you.
14. Contact
Questions, requests, or concerns: queuesim@chiaha.com. We aim to respond within 5 business days. Mailing address available on request.