๐Ÿ›๏ธPapyro๐Ÿงช Beta

Privacy Policy

Last Updated: November 9, 2025

1. Introduction

Papyro ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws worldwide.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, display name, password (encrypted)
  • Billing Information: Payment details processed through Stripe (we do not store credit card numbers)
  • Content: Research papers you save, notes you create, chat messages with AI
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

  • Usage Data: Papers viewed, features used, time spent on Service
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, pages viewed, referring URLs
  • Cookies and Tracking: Session cookies for authentication, analytics cookies (with consent)

2.3 Third-Party Data

  • Payment Data: Transaction information from Stripe
  • Research Papers: Metadata from Hugging Face Daily Papers

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 To Provide the Service (Legal Basis: Contract Performance)

  • Create and manage your account
  • Process payments and manage subscriptions
  • Deliver AI-powered research paper analysis
  • Store your notes, annotations, and chat history
  • Enforce usage limits based on your plan

3.2 To Improve Our Service (Legal Basis: Legitimate Interest)

  • Analyze usage patterns to enhance features
  • Monitor and improve AI model performance
  • Identify and fix technical issues
  • Conduct research and development

3.3 For Security (Legal Basis: Legitimate Interest)

  • Detect and prevent fraud, spam, and abuse
  • Protect against security threats
  • Enforce our Terms of Service
  • Comply with legal obligations

3.4 To Communicate with You (Legal Basis: Contract Performance / Consent)

  • Send transactional emails (receipts, password resets)
  • Notify you of service changes or updates
  • Respond to your inquiries and support requests
  • Send marketing communications (with your consent, opt-out available)

4. Third-Party Services and Data Sharing

We use the following third-party services to operate our platform:

4.1 Infrastructure and Hosting

  • Google Cloud Platform (us-central1): Server hosting and infrastructure
  • Firebase / Firestore: Authentication, database, and real-time data synchronization

4.2 Payment Processing

  • Stripe, Inc.: Payment processing and subscription management. Stripe has its own privacy policy and handles payment data directly.

4.3 AI Services

  • Google Gemini API: AI-powered paper analysis and chat functionality. Your chat content is processed to generate responses.

4.4 Research Paper Source

  • Hugging Face: Daily research paper metadata and PDFs

We have Data Processing Agreements with these vendors where required by law. We do not sell your personal data to third parties for marketing purposes.

5. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Retained while your account is active
  • Usage Data: Retained for up to 90 days (Starter plan) or unlimited (Plus/Pro/LTD)
  • Payment Records: Retained for 7 years for tax and accounting purposes
  • Support Communications: Retained for 2 years

After account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

6. Your Rights and Choices

6.1 GDPR Rights (EU/EEA Users)

If you are in the European Union or European Economic Area, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

6.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights:

  • Right to Know: Request information about data collection and sharing
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Right to Non-Discrimination: Exercise rights without discriminatory treatment

6.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@papyro-ai.com. We will respond within 30 days (or sooner as required by law).

You can also:

  • Update your account information in your profile settings
  • Delete your account at any time through account settings
  • Opt out of marketing emails using the unsubscribe link

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies:

  • Essential Cookies: Firebase Authentication cookies for user authentication and session management (required for Service functionality)
  • Analytics Cookies: Firebase Analytics (powered by Google Analytics 4) to understand usage patterns and improve our Service (optional, requires your consent)

Firebase Analytics: We use Firebase Analytics (powered by Google Analytics 4) to collect anonymized information about how visitors use our Service. This includes pages visited, time spent, and general geographic location. Analytics are disabled by default and only activated after you explicitly accept cookies through our cookie consent banner. We use this data solely to improve our Service. You can opt out by declining cookies in our cookie banner or through your browser settings.

For more information about how Google processes data, please see:

You can control cookies through your browser settings or our cookie consent banner. Note that disabling essential cookies will prevent you from using the Service. Disabling analytics cookies will not affect Service functionality.

8. International Data Transfers

Our servers are located in the United States (Google Cloud Platform us-central1). If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the EU/EEA, we rely on:

  • Google Cloud Platform's GDPR compliance and standard contractual clauses
  • Your explicit consent to transfer data for Service delivery

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Firebase Authentication with industry-standard security
  • Regular security audits and monitoring
  • Access controls and staff training
  • Firestore security rules to protect user data

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

Our Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our Service
  • Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: privacy@papyro-ai.com

General Support: support@papyro-ai.com

For EU/EEA Users: If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

13. Additional Information for Specific Jurisdictions

13.1 California Residents

In the past 12 months, we have collected and disclosed the following categories of personal information for business purposes:

  • Identifiers (email, name)
  • Commercial information (purchase history, subscription tier)
  • Internet activity (usage data, browsing behavior)
  • Geolocation data (approximate location from IP)

We do not sell personal information as defined by CCPA.

13.2 Brazil (LGPD) and Canada (PIPEDA)

Users in Brazil and Canada have similar rights to GDPR, including rights to access, correct, and delete personal data. Contact us using the information above to exercise these rights.