Privacy Policy
Last updated: April 4, 2026
1. Data Controller
The data controller responsible for the processing of your personal data on PaperCompass ("the Service") is:
For full contact details see our Legal Notice (Impressum).
2. Overview of Data Processing
We take the protection of your personal data seriously. This Privacy Policy explains what data we collect, why we collect it, who we share it with, and what rights you have. We process personal data only in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
3. Data We Collect
3.1 Account Data
When you register, we collect your name, email address, and a hashed password. If you sign up via GitHub or Google OAuth, we receive your name, email, and provider user ID from the respective provider. This data is stored in Appwrite (our backend platform) and is necessary to provide you with an account (Art. 6(1)(b) GDPR — contractual necessity).
3.2 Uploaded Paper Content
When you submit a paper for analysis, the extracted text content (up to 500,000 characters) is sent to our server and forwarded to Google Gemini for AI analysis. The paper text is processed solely to generate the analysis result and is not stored separately beyond what is needed to deliver the Service. Analysis results (title, authors, ratings, commentary) are stored in our Appwrite database so you can access them later. Legal basis: Art. 6(1)(b) GDPR (contractual necessity). Users should not upload personal data or confidential information unless they have a legal basis to do so.
3.3 Credit & Payment Data
Your credit balance is stored as a user preference in Appwrite. When you purchase credits, the payment is processed by Stripe. We receive a confirmation of the transaction (amount, currency, Stripe session ID) but do not receive or store your payment card details. Stripe processes your payment data as an independent data controller under its own Privacy Policy. Legal basis: Art. 6(1)(b) GDPR (contractual necessity).
3.4 Usage & Analytics Data
We use PostHog (EU instance, hosted at eu.i.posthog.com) for product analytics. PostHog collects:
- Events such as sign-ups, sign-ins, analyses started / completed / failed, credit purchases, project creation, and paper deletions
- Associated metadata (e.g., analysis mode, text length, credit cost, methodology type)
- Standard web analytics data (page views, device type, browser, approximate location)
- JavaScript exceptions for error monitoring
Consent-based: Analytics tracking is opted out by default. Data is only collected after you accept cookies via our consent banner. If you reject cookies, PostHog operates in cookieless mode with in-memory persistence only. You can change your preference at any time by clearing your browser's local storage and refreshing the page. Legal basis: Art. 6(1)(a) GDPR (consent).
3.5 Session & Cookie Data
We use the following cookies and local storage items:
| Name | Type | Purpose | Basis |
|---|---|---|---|
| research-checker-session | HTTP-only cookie | Authenticates your session with Appwrite | Art. 6(1)(b) — necessary |
| cookie_consent | Local storage | Stores your cookie consent preference (accepted/rejected) | Art. 6(1)(f) — legitimate interest |
| PostHog cookies | Cookie + local storage | Analytics tracking (only if consent is given). Consent is stored locally in your browser and can be withdrawn at any time. | Art. 6(1)(a) — consent |
3.6 Server Logs
Our hosting infrastructure automatically collects server access logs including your IP address, browser user agent, referral URL, and timestamp. This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest in ensuring security and stability of the Service) and is retained for a limited period.
4. Third-Party Service Providers
We share your data with the following third-party providers, each acting as a data processor (Art. 28 GDPR) unless noted otherwise:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Appwrite (Cloud) | Authentication, database, user preferences, hosting & deployment | Account data, analysis results, credit balances, server logs, IP addresses (to ensure the operation and security of the Service) | EU (Frankfurt) |
| Google (Gemini API) | AI-powered paper analysis | Paper text content, analysis prompts (Google processes this data as a data processor on our behalf where applicable. We have entered into appropriate data processing agreements. According to Google’s terms, submitted content is not used to train their models outside your specific request.) | USA / Global |
| Stripe | Payment processing (independent controller) | Payment details, email, user ID (via metadata) | USA / EU |
| PostHog | Product analytics | Usage events, device info, user ID | EU |
| GitHub (OAuth) | Optional social login (independent controller) | Name, email, GitHub user ID | USA |
| Google (OAuth) | Optional social login (independent controller) | Name, email, Google user ID | USA / Global |
We have concluded data processing agreements (DPAs) with all processors where required under Art. 28 GDPR.
For transfers to the USA, we rely on the providers' participation in the EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), or equivalent safeguards under Art. 46 GDPR.
5. Purposes & Legal Bases Summary
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Service (account, analysis, results storage) | Art. 6(1)(b) — performance of contract |
| Processing credit purchases via Stripe | Art. 6(1)(b) — performance of contract |
| Product analytics (PostHog) | Art. 6(1)(a) — consent |
| Session management (authentication cookie) | Art. 6(1)(b) — necessary for the Service |
| Server security & stability (access logs) | Art. 6(1)(f) — legitimate interest |
| Storing cookie consent preference | Art. 6(1)(f) — legitimate interest |
| Legal obligations (tax records, fraud prevention) | Art. 6(1)(c) — legal obligation |
6. Data Retention
- Account data: Retained as long as your account exists. Deleted upon account deletion, subject to legal retention obligations.
- Analysis results: Stored as long as your account is active. You may delete individual analyses at any time.
- Payment records: Retained for the period required by German tax law (typically 10 years pursuant to § 147 AO).
- Analytics data (PostHog): Retained according to PostHog's data retention settings; anonymized or deleted when no longer needed.
- Server logs: Automatically deleted after a limited retention period (typically 30 days).
7. Your Rights Under GDPR
Under the GDPR you have the following rights with respect to your personal data:
- Right of access (Art. 15) — obtain confirmation of whether we process your data and request a copy
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — restrict the processing of your data in certain circumstances
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — withdraw consent for analytics at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at the email address listed in our Legal Notice. We will respond within 30 days.
8. Right to Lodge a Complaint
If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. In Germany, the competent authority is the data protection commissioner of the federal state in which we are based, or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
9. International Data Transfers
Some of our third-party providers (Google, Stripe, GitHub, Vercel) are based in or transfer data to the United States. We ensure adequate protection through:
- EU-U.S. Data Privacy Framework (DPF) certification where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical and organizational measures (encryption in transit, access controls)
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit
- HTTP-only, secure session cookies to prevent XSS-based session theft
- Server-side session management — no client-side auth state
- Password hashing managed by Appwrite (never stored in plaintext)
- Stripe handles all payment card data — PCI DSS compliant
- Role-separated Appwrite clients (session-scoped vs. admin-scoped) to enforce least privilege
11. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the most recent revision was made. We encourage you to review this policy periodically. If we make material changes that affect how we process your personal data, we will notify you via the Service or by email.
13. Contact
For questions or concerns about this Privacy Policy or our data processing practices, please contact us using the details provided in our Legal Notice (Impressum).