Privacy policy
Last updated: 2026-05-17. This is the plain-language version; the legal text in the eventual ToS is the source of truth.
What we collect
- Account data — your DID, ORCID (if used), Google sub (if used), display name, optional avatar URL and bio. Collected when you sign in.
- Content — papers, posts, summaries, AI-disclosures, pre-registrations, reviews, follow relationships. Public by design.
- Session — an http-only JWT cookie scoped to the OpenXiv domain. Used only for auth; not shared with third parties.
- Logs — request ids, IPs, user-agents, latencies for 14 days. Used for debugging and rate-limiting.
What we don't collect
- No selling, no enrichment, no "data partners".
- No analytics that fingerprint visitors. First-party event counters are anonymous and opt-in.
Tracking & analytics
We use one third-party marketing pixel: Twitter (X) Universal Web Tag, pixel id rch4y. It loads from static.ads-twitter.com/uwt.js and reports two events back to the X Ads dashboard:
- Signup — fires once when a new account picks a handle on /auth/welcome. We attach a conversion_id (random UUID for dedupe) and, only if you have explicitly opted into marketing, a SHA-256 hash of your email address. The raw email is never sent.
- PaperSubmitted — fires once when a submission completes on /submit. The only attached field is the conversion_id.
- PageView — fires when the pixel boots, per X Ads' default configuration.
The pixel does not load and no event fires unless you have granted marketing consent via the cookie banner. Do Not Track (browser DNT, Global Privacy Control) is honoured: the banner does not render, the pixel script is not emitted, and any helper call no-ops.
You can revoke consent at any time — reloads the page with the pixel disabled. The openxiv_notrack=1 cookie still works as a permanent opt-out for both first-party events and the Twitter pixel.
Your rights (GDPR / CCPA shorthand)
- Access — download all your records via the API at /profiles/{your-did} and the AT-proto records in your PDS.
- Erasure — request deletion of your account at /dmca (same intake). Public content (papers, posts) is tombstoned with a withdrawal notice rather than fully erased so citation graphs don't break.
- Portability — your AT-proto PDS already speaks the migration protocol. Take your records to any other AT-proto App View.
Cookies
- Session — one http-only JWT for sign-in. Always present after you authenticate.
- openxiv_consent — your cookie-banner choice. Lives 1 year. SameSite=Lax, Secure. Not http-only by design — the client reads it to gate the marketing pixel.
- Third-party — only if you opted into marketing, Twitter's uwt.js sets its own first-party-to-Twitter cookies on x.com. We don't read those.
Contact
Privacy questions: davidich.alfyorov@gmail.com.