Privacy policy
Summary
We use passwordless email authentication to verify users and protect the service from abuse. When you log in, a one-time access code is sent to your provided email address. This address is stored as your unique identity to enable personalized projects, saved settings, and account management.
We maintain limited technical logs (such as IP addresses, timestamps, and request metadata) to ensure security, detect misuse, and improve system reliability. If your email domain is recognized by the Research Organization Registry (ROR) as belonging to an academic institution, an academic license may be granted automatically. Only the domain portion of your email — not the full address — is shared with ROR for this purpose.
We do not use advertising or third-party analytics cookies, and we never sell personal data. You may delete your account at any time through the web interface or by contacting us directly.
This policy describes in detail the types of data we collect, the purposes of processing, applicable retention periods, and your rights under the Swiss Federal Act on Data Protection (FADP) and, where relevant, the EU/UK GDPR.
Who we are (Controller)
- Verdanta
- Unterdorfwaeg 30
- 8117 Fällanden, Switzerland
- Email: [email protected]
This policy is designed for the Swiss Federal Act on Data Protection (FADP, rev. 2023). If you are in the EEA/UK, we also apply the GDPR/UK GDPR where required.
Data we collect
By default, we receive only a unique identifier (sub) and your sign-in email. If an identity provider includes additional fields (e.g., name, avatar) by default, we discard them and do not store them. If you provide them when you contact support or request trusted access, we may store your email address and name to handle your request.
Service usage & logs
- Authentication events (sign-ins, refreshes, failures).
- Server/application logs: IP address, request/response metadata (URL, method, headers, status), user agent, timestamps, and IDs associated with your account.
- Feature access and actions (e.g., endpoints called, items created/edited, rate-limit counters).
Optional/feature-specific (only if you use those features)
- Content you intentionally upload or create in the service.
- Support messages you send us (including any contact details you provide).
Purposes and legal bases
- Under FADP, processing is necessary for purposes evident from the circumstances and in our overriding legitimate interests (Art. 31).
- Under GDPR (if applicable): Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests; and, where we rely on consent (e.g., truly optional features), Art. 6(1)(a).
- Security & abuse prevention (legitimate interests): authenticate users, prevent fraud/scraping, detect anomalies, and protect our infrastructure.
- Provide the service (contract): enable sign-in, operate core features, and maintain sessions.
- Essential service communications (e.g., welcome, issue notices, misuse warnings) are sent under our legitimate interests or contract.
- Diagnostics (legitimate interests): debug, measure performance, and improve reliability.
- Product analytics (high-level) (legitimate interests): understand which features are used, without building individual profiles.
- Legal compliance: comply with legal obligations and enforce our terms.
We do not send marketing emails.
Sign-In
During the sign-up process, you must provide a valid email address where a one-time login code will be sent each time you log in (we use passwordless authentication). This email address will be stored in our database as your unique identity to enable the creation of user-specific projects and settings.
You can delete your registration at any time through the web interface; if this option is unavailable, please contact us and we will remove it manually.
We may use your sign-in email address to send a single welcome message, to contact you if we detect a technical issue with your account, or to warn you if your actions appear inconsistent with our Terms of Use. Your email address is never shared with third parties and is not otherwise used for marketing purposes.
Logs and monitoring
To protect the service and our users, we maintain detailed access and usage logs. This includes IP addresses and requests made from your account. We use automated and manual review to detect abusive behavior (e.g., mass scraping, rate-limit evasion) and to safeguard content. We do not make decisions with legal or similarly significant effects solely by automated processing.
Academic license granting
If your email address is recognized by the Research Organization Registry (ROR) as belonging to an academic institution, an academic license will be granted automatically upon your first login.
If, however, the license is not granted automatically, you have the right to request a review by contacting us. A manual assessment will then be conducted. We do not make decisions with legal or similarly significant effects based solely on automated processing.
Your exact email address is never shared with ROR. Only the (sub)domain derived from it — for example, dept.cs.ethz.ch, cs.ethz.ch, or ethz.ch — is sent as a query parameter.
Cookies and similar technologies
- No advertising cookies: we do not use third-party advertising cookies.
- No third-party analytics: we do not run third-party analytics.
- Cookie-free authentication: the server uses a cookie-free authentication flow.
Sharing and recipients
We share personal data only as needed to run the service:
- Infrastructure providers (e.g., hosting, storage, logging/monitoring) that process data under contract.
- Authentication providers (Google, LinkedIn, GitHub) for sign-in. Infrastructure and monitoring providers act as processors under data processing agreements.
- Professional advisers and authorities, where legally required.
We do not sell personal data.
Storage location and retention
Upon account deletion, we delete or anonymize your account data within 30 days. Security/access logs are retained up to 180 days (longer if needed for investigations). Backups roll off within ~30 days.
Your data protection rights
Depending on where you live (e.g., Switzerland, EEA/UK), you may have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Delete your data (erasure) under certain conditions.
- Object to or restrict processing, particularly for legitimate-interest processing.
- Data portability (structured, commonly used, machine-readable format) where applicable.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your supervisory authority (e.g., the Swiss FDPIC or your local EEA authority).
To exercise your rights, contact us at [email protected]. We may need to verify your identity.
Consequences of not providing data
Without sign-in data, we cannot create or maintain your account or provide access to the curated scientific data. Only public pages, such as documentation, remain available.
Security
We apply technical and organizational measures appropriate to the risk, including least-privilege access, encryption in transit, audit logging, and routine backups. No method of transmission or storage is 100% secure.
International data transfers
For transfers to countries without an adequacy decision, we rely on EU Standard Contractual Clauses (or Swiss equivalents) with supplementary measures where appropriate.
Children
Our service is not directed to children under 16. If you are a parent or guardian and believe your child provided us with personal data, please contact us to request deletion.
Changes to this policy
We may update this policy from time to time. We will post the revised version here and update the “Last updated” date accordingly. For material changes, we will provide additional notice.
Contact
If you have questions about this policy or our data practices, contact [email protected].