Privacy Policy

Last updated: May 16, 2026

1. Introduction

Palidocs ("we", "our", "us") is a collaborative academic writing platform. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable German data protection law.

2. Data Controller

The data controller responsible for this website is listed on our Impressum page.

3. Data We Collect

3.1 Account Data

When you register, we collect your name, email address, and a hashed password. If you sign in via GitHub or Google OAuth, we receive your name, email, and profile picture from the respective provider.

3.2 Document Data

Documents you create and edit are stored on our servers. Real-time collaboration state is persisted as binary data (Yjs CRDT). Document content is not analyzed or shared with third parties.

3.3 Zotero Integration

If you connect your Zotero account, we store an API token to access your Zotero library on your behalf. We do not store your Zotero library data beyond what is needed for citation insertion.

3.4 Local Storage

We use IndexedDB in your browser for offline persistence of document state. This data stays on your device and is not transmitted to our servers beyond the normal sync process.

3.5 File Uploads

Images and files you upload to documents are stored in our object storage (S3-compatible). Files are associated with your documents and are not publicly accessible.

3.6 AI Provider API Keys

If you connect an AI provider (Anthropic, Google, or OpenAI), we store your API key encrypted at rest using AES-256-GCM authenticated encryption. The key is decrypted only in memory at the moment we make a request on your behalf, and is never logged. You can remove a connected key at any time from the settings page.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our service to you.
  • Consent (Art. 6(1)(a) GDPR): For optional features like OAuth sign-in, Zotero integration, and AI assistance.
  • Legitimate interest (Art. 6(1)(f) GDPR): For security measures and service improvement.

5. AI Features

Palidocs offers optional AI assistance for writing tasks (rewrite, continue, explain, chat, generate, and manuscript review). These features are opt-in and require you to connect an API key from a supported AI provider: Anthropic, Google, or OpenAI. You are billed directly by the provider under your own agreement; Palidocs does not charge for AI usage.

When you invoke an AI action, we transmit the following to your selected provider on your behalf:

  • The text you have selected (or the cursor context for generation)
  • Optionally, surrounding paragraphs for context (up to 4,000 characters before and 4,000 characters after the selection)
  • Optionally, citation metadata for cited works (up to 8,000 characters)
  • Your instruction or question

The full document is never transmitted unless you select it explicitly. AI requests are proxied through our backend but are not stored, cached, or logged beyond what is needed to stream the response back to your browser.

Your AI provider processes this data under its own privacy policy and terms, which we have no control over. Please review your provider's policy regarding data retention and model training:

6. Data Sharing

We do not sell your personal data. We share data only with the following categories of recipients:

  • OAuth providers (GitHub, Google): Only during the authentication flow.
  • AI providers (Anthropic, Google, OpenAI): If you opt in to AI features, document excerpts submitted through AI actions are transmitted to your chosen provider. See "AI Features" above for details.
  • Hosting providers: Our infrastructure providers process data on our behalf under data processing agreements.
  • Document collaborators: Other users you invite to your documents can see document content and your name/email as a collaborator.

7. Data Retention

We retain your account data and documents for as long as your account is active. You may delete your account and associated data at any time through the settings page.

8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Request erasure of your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)

To exercise these rights, contact us at the address listed on our Impressum page.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking or advertising cookies.

10. Security

We protect your data with encryption in transit (TLS), hashed passwords (bcrypt), and access controls. Collaboration connections are authenticated via signed JWT tokens.

11. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email.