Privacy Policy
Effective June 2026
1. Who we are
Athena is built and operated by Xavier Rojas. For questions about your data, contact [email protected].
2. What we collect
| Data | Purpose | Storage |
|---|---|---|
| Email & password | Authentication | Shared auth database. Password is bcrypt-hashed. |
| Uploaded PDFs | Paper processing & library | Your isolated user directory on our server. |
| Library metadata | Search, browse, enrichment | Your isolated per-user SQLite database. |
| Extracted text | Search & analysis | Text pulled from your PDFs (GROBID). Your isolated per-user database. |
| Embeddings | Semantic search | Numeric vectors derived from your papers, used only for your own library's search. Per-user database. |
| Usage analytics | Improve the product | Shared analytics database. Page views, clicks, navigation, and search queries. No paper content or passwords. |
3. Data isolation
Each user has their own SQLite database and file directory. Your library data is not shared with, visible to, or accessible by other users. There are no cross-user queries or shared data stores for library content.
4. AI processing
- Paper text is sent to our local AI pipeline for metadata extraction, tagging, and embedding generation.
- Paper text is not sent to third-party AI providers for training.
- Enrichment queries (DOI, title lookups) are sent to academic APIs: OpenAlex, CrossRef, Semantic Scholar, and arXiv.
5. Analytics & cookies
- Athena uses a first-party analytics tracker (no Google Analytics, no third-party trackers).
- The tracker records page views, clicks, and navigation patterns to improve the product.
- It does not record passwords, paper content, or personal information.
- You can opt out of analytics tracking via the consent banner. Your preference is stored locally in your browser.
- Athena uses a session cookie for authentication. This is essential for the service to work.
6. Third-party services
- Resend — transactional email (verification codes, password resets). Only your email address is shared.
- OpenAlex, CrossRef, Semantic Scholar, arXiv — academic metadata APIs. DOIs and titles are sent for enrichment lookups.
- Cloudflare — network security and tunnel. Cloudflare processes requests but does not access your library data.
7. Your rights
You stay in control of your data — you can:
- Access & export — export your entire library as BibTeX from the Export page, and download any uploaded PDF from its detail page.
- Correct — edit any paper's metadata directly.
- Delete — remove individual papers, or your whole account (see below).
- Opt out of analytics — at any time via the consent banner.
To make a privacy request or ask what we hold about you, email [email protected].
8. Account deletion
You can delete your account from the Settings page. When you delete your account:
- Your account is immediately deactivated (you cannot log in).
- Your data is retained for 90 days in case you change your mind.
- During this period, contact [email protected] to restore your account.
- After 90 days, all data is permanently deleted: user record, library database, uploaded files, and analytics.
Export your data first if you want to keep it.
9. Data retention
Your data is kept as long as your account is active. Expired sessions are cleaned up automatically. Deleted accounts are retained for 90 days before permanent removal.
10. Changes
This policy may be updated as features are added. Significant changes will be communicated to registered users.