Privacy Policy

This Privacy Policy explains what personal data we collect when you use CiteOrbit, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and equivalent laws.

1. Who we are

[Placeholder — replace with the registered legal entity, address, and any DPO contact.] CiteOrbit is operated by [Legal Entity] with its registered office at [Address]. For questions about this policy or your data, contact us at support@citeorbit.com.

2. What data we collect

2.1 Account & identity data

  • Name and email address you provide at registration;
  • Hashed password;
  • Email-verification status and any login security signals (e.g. failed-attempt rate-limit counters).

2.2 Manuscript content

  • The PDF or DOCX files you upload, plus extracted text and references;
  • Outputs of our processing pipeline: parsed citations, validation results, enriched metadata, and PDF reports.

2.3 Service & technical data

  • IP address and basic request metadata (user agent, timestamp);
  • Job processing logs (e.g. queue id, success/failure, duration);
  • Billing data if you purchase credits (handled by our payment processor).

2.4 Consent records

  • Whether you accepted these Terms and the Privacy Policy at registration, and the timestamp of that acceptance;
  • Your marketing-email preference (opt-in or not), and changes to it over time.

3. Why we use your data and our legal basis

  • To provide the Service. Account creation, manuscript processing, returning results to you. Legal basis: performance of a contract — GDPR Art. 6(1)(b).
  • To secure the Service. Bot mitigation, rate limiting, fraud prevention, abuse handling. Legal basis: legitimate interests — GDPR Art. 6(1)(f).
  • To send transactional emails. Email verification, password reset, billing receipts, security alerts. Legal basis: performance of a contract / legal obligation.
  • To send marketing emails. Only if you have opted in. Legal basis: consent — GDPR Art. 6(1)(a). You can withdraw at any time without affecting the lawfulness of prior processing.
  • To meet legal obligations. Tax, accounting, regulatory requests. Legal basis: legal obligation — GDPR Art. 6(1)(c).

4. How your manuscripts are processed

Your uploaded manuscripts and references are processed solely by deterministic and traditional machine-learning pipelines operated by CiteOrbit (e.g. machine learning extraction, regex/CSL processors). Your content is never transmitted to large-language-model APIs (such as OpenAI, Anthropic, Google Gemini, or similar). This is a contractual commitment under our Terms of Service and would constitute a material change requiring fresh notice and renewed consent.

5. Sub-processors and sharing

We use the following sub-processors to operate the Service. We share only the minimum data necessary for each:

  • [Hosting provider]. Application hosting and database. [Region.]
  • Cloudflare, Inc. CDN, DDoS mitigation, and Turnstile bot challenge. EU/US — SCCs.
  • Crossref. Reference enrichment via public DOI / metadata APIs. UK — adequacy.
  • OpenAlex. Reference enrichment via public scholarly metadata APIs. US.
  • Semantic Scholar. Reference enrichment via public APIs. US.
  • Brevo (formerly Sendinblue). Transactional and (if opted-in) marketing email delivery. EU.
  • [Payment processor]. Subscription and credit billing. [Region.]

We do not sell or share your personal data with advertisers. We do not use your data to train commercial AI models.

6. International transfers

Personal data is primarily processed in the European Economic Area (EEA). Some sub-processors are located outside the EEA. Where this is the case, transfers rely on (a) an adequacy decision under GDPR Art. 45, or (b) appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and any necessary supplementary measures, in line with the Schrems II ruling.

7. How long we keep your data

  • Account data. While your account is active, plus 30 days in backups after deletion.
  • Manuscript content. Retained in your library until you delete it. Backups expire within 30 days of deletion.
  • Billing records. Retained for the period required by tax and accounting law (typically up to 10 years in the EU).
  • Security logs. Up to 12 months.
  • Marketing-consent records. Until you withdraw consent, plus a reasonable period afterwards to evidence the withdrawal itself.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15);
  • Correct inaccurate data (Art. 16);
  • Request deletion (Art. 17);
  • Restrict processing (Art. 18);
  • Data portability — receive your data in a machine-readable format (Art. 20);
  • Object to processing based on legitimate interests (Art. 21);
  • Withdraw any consent you have given, at any time (Art. 7(3));
  • Lodge a complaint with your supervisory authority. [Placeholder — name your lead supervisory authority, e.g. CNIL (France) or BfDI (Germany).]

To exercise any of these rights, email support@citeorbit.com. We will respond within one month, as required by GDPR.

9. Cookies and tracking

We use only strictly-necessary cookies for authentication and security (session cookies and Cloudflare Turnstile challenge cookies). We do not currently use advertising or third-party analytics cookies. If this changes, we will display a cookie banner and obtain your prior consent before any non-essential cookie is set.

10. Automated decision-making

Our pipeline uses automated processing to verify references and produce reports. These outputs are advisory only and do not produce legal effects or similarly significant effects on you within the meaning of GDPR Art. 22. You remain free to act on or disregard any finding.

11. Security

We apply industry-standard technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest where applicable, role-based access control, and regular dependency review. No system is perfectly secure; you should choose a strong, unique password.

12. Children

The Service is intended for an adult and academic-professional audience. We do not knowingly collect personal data from children under 16.

13. Changes to this policy

We may update this policy from time to time. For material changes (such as a new sub-processor, a new processing purpose, or a change in legal basis), we will give prior notice by email and, where required, request renewed consent.

14. Contact and complaints

General privacy questions: support@citeorbit.com. Data Protection Officer (if appointed): [contact details]. You can also lodge a complaint with your local data-protection authority.