PapersFlow

Privacy Policy

Welcome to PapersFlow. We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable French data protection laws.

Last updated: March 19, 2026

1. Introduction

Welcome to PapersFlow. We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable French data protection laws.

This privacy policy explains how we collect, use, store, and protect your personal data when you use our research platform, and informs you of your privacy rights under EU law.

2. Data Controller

PAPERSFLOW SAS is the data controller responsible for your personal data. For any questions about this privacy policy or our data practices, you can contact us at:

3. Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Name, username, profile information you provide during registration.
  • Contact Data: Email address used for account access and communications.
  • Technical Data: IP address, browser type and version, time zone, operating system, device information, and platform type.
  • Usage Data: Information about how you use our platform, including features accessed, navigation patterns, and interaction with content.
  • Content Data: Research papers you upload, notes, annotations, and projects you create within the platform.
  • Payment Data: Billing information processed securely through our payment providers (we do not store full payment card details).

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with our services as outlined in our Terms of Service.
  • Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests, such as fraud prevention, platform security, service reliability, support, and defending legal claims, where these interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for optional product analytics, separate advertising or remarketing consent, and marketing communications. You may withdraw consent at any time.
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with legal requirements.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our research platform services
  • To process your account registration and manage your subscription
  • To enable features such as paper analysis, summarization, and writing assistance
  • To communicate with you about your account, updates, and support requests
  • To understand product usage and improve our services when you have opted in to product analytics
  • To activate future advertising measurement or remarketing features only if you separately opt in to advertising consent
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations

6. AI and Machine Learning

PapersFlow uses third-party AI services to provide features such as paper analysis, summarization, and writing assistance.

  • Processing of Content: When you use AI features, relevant content may be transmitted to third-party AI providers for processing.
  • Provider Policies and Controls: Where available, we configure provider settings and choose services intended to limit the use of customer content for model training or unrelated product improvement. However, provider practices may vary, and some providers may retain limited data for abuse prevention, logging, security, or legal compliance.
  • Temporary and Incidental Retention: We aim to use providers that process content only as needed to deliver the requested feature, but limited temporary retention by providers may occur depending on their technical and legal requirements.
  • AI Content Disclaimer: AI-generated content may contain inaccuracies. You are responsible for reviewing and verifying any AI-generated output before use.

7. Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies to operate our platform:

  • Essential Cookies and Storage: Required for authentication, security, fraud prevention, payment flows, and basic platform functionality. These cannot be disabled because the service would not work properly without them.
  • Preference Storage: Used to remember settings such as theme, language, and your privacy choices.
  • Optional Product Analytics: Only if you accept product analytics in our consent banner or later enable it in Settings do we activate Google Analytics for Firebase (GA4 / Firebase Analytics) to measure product usage, navigation patterns, feature adoption, and basic performance signals.
  • Separate Advertising Consent: Advertising-related storage, measurement, or remarketing features remain off unless you separately opt in. If we activate advertising integrations in the future, that consent will be handled separately from product analytics.

If you do not consent to product analytics, we do not enable optional analytics collection in the app. If you do not consent to advertising, we do not activate advertising-related storage, ad user data sharing, or ad personalization through our consent layer.

What we do NOT use as advertising or analytics content: The substance of your uploaded papers, research notes, chat messages, or private writing.

You can change your choices at any time through the consent banner when shown, or later in Settings > General > Product analytics and Settings > General > Advertising consent.

8. Third-Party Services (Sub-Processors)

We share your data with trusted third-party service providers who process data on our behalf.

Infrastructure & Database

  • Convex (USA): Backend database and server infrastructure.
  • Cloudflare R2 (EU): PDF and file storage in European data centers.
  • Cloudflare (USA): Security services including Turnstile bot protection and CDN.

Authentication, Identity, and Analytics

  • Firebase / Google (USA): Authentication, push notifications, and Google Analytics for Firebase if you consent to optional product analytics.
  • Google OAuth, Apple OAuth, LinkedIn OAuth: Social sign-in providers used only when you choose those login methods.

AI & Content Processing

  • OpenRouter (USA): AI routing gateway for paper analysis, summarization, and writing assistance.
  • Google Gemini (USA): Primary AI model provider for AI-powered features, accessed via OpenRouter.
  • Jina AI (Germany): PDF-to-text conversion and document processing.

Payments & Email

  • Polar (USA): Subscription billing and payment processing.
  • Resend (USA): Transactional email delivery for authentication and notifications.

Academic Data & Integrations

  • OpenAlex (USA): Academic paper metadata and citation data.
  • Unpaywall (USA): Open access paper discovery.
  • Zotero (USA): Bibliography management integration (user-initiated).
  • Notion (USA): Workspace integration (user-initiated).

Collaboration & UI

  • Y-Sweet (USA): Real-time collaborative document editing.
  • Syncfusion (India): PDF viewer component.

Where required, we put in place contractual, technical, and organizational safeguards with our service providers to protect personal data and support compliance with applicable data protection laws.

9. International Data Transfers

As some of our service providers are located in the United States, your personal data may be transferred outside the European Economic Area (EEA). We use appropriate safeguards for these transfers, which may include Standard Contractual Clauses (SCCs), reliance on adequacy mechanisms where available, and additional technical and organizational security measures.

10. Data Retention

We retain your personal data only for as long as necessary:

  • Account Data: Retained while your account is active and for a reasonable period afterward to handle disputes, security matters, or legal requirements.
  • Content Data: Your papers, notes, and projects are retained until you delete them or close your account, subject to limited backup and legal retention periods.
  • Analytics Data: If you enable optional product analytics, event-level analytics data is retained according to our configured Google Analytics retention settings, and we may keep aggregated, non-identifying reports for longer to understand product performance.
  • Payment Records: Retained as required by tax and accounting regulations (typically 7-10 years).

Upon account deletion, we will delete or anonymize your personal data within a reasonable period, except where retention is required by law.

11. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data and information about how it is processed.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") under certain circumstances.
  • Right to Restriction (Art. 18): Request limitation of processing of your personal data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

To exercise any of these rights, please contact us at developer@papersflow.ai. We will respond without undue delay and, in any event, within one month of receipt of your request. Where permitted by law, that period may be extended by up to two further months if your request is particularly complex or numerous, and if we do so we will inform you within the initial one-month period.

12. Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. For France, this is:

  • CNIL (Commission Nationale de l'Informatique et des Libertés)
  • 3 Place de Fontenoy, TSA 80715
  • 75334 Paris Cedex 07, France
  • Website: https://www.cnil.fr

13. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest where appropriate, access controls, regular security assessments, and employee training on data protection.

14. Children's Privacy

PapersFlow is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our platform and updating the "Last updated" date. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions about this privacy policy, your personal data, or wish to exercise your rights, please contact us at developer@papersflow.ai.