Privacy Policy

We (operator: ggrxiv, hereafter "we", "us", "our") provide a service (the "App / Service") that allows users to create accounts, save academic papers ("papers"), and receive personalized daily paper recommendations via automated agent-driven processing and e-mail. This Privacy Policy describes how we collect, store, process, use and — where applicable — share personal data in connection with the use of our Service.

If you are located in the European Economic Area (EEA) or the UK, this policy also constitutes our privacy notice under the General Data Protection Regulation (GDPR).

Depending on how you use the Service, we may collect and process the following categories of personal data:

• Account & contact data: e.g. your e-mail address, login credentials (password hash), optionally name or other profile information.
• User-generated data: papers you add / save, user preferences, metadata associated with saved papers (e.g. titles, authors, tags), any profile settings.
• Usage & system data: metadata about your interactions (e.g. when you logged in, when you triggered a recommendation, which papers you saved), and technical data necessary for operation (e.g. hosting- or request-related metadata).
• E-mail delivery / communication data: when and whether we send you recommendation-emails; email address required for this; data relevant for delivery (e.g. mailing-service logs, status).

We do not request special sensitive data (e.g. health data, political beliefs, etc.).

We process your personal data for the following main purposes:

• To provide the Service: account creation, login, storage of papers and preferences, personalized recommendations, email delivery of recommendations.
• To operate, maintain and secure the Service and its infrastructure.
• To manage communications: sending recommendation-emails, service notifications, account-related messages.

Legal basis under GDPR (for EEA/UK users): processing is necessary to perform the contract (account provision, recommendation service), and — where appropriate — our legitimate interest in operating and improving the Service in a secure and functional manner.

To operate the Service, we rely on external providers. These may process or store personal data on our behalf as "processors". These include:

• Hosting / database provider (e.g. your database backend, cloud-host) for storing user accounts, saved papers and metadata.
• Embedding-storage / vector store (e.g. a cloud-based vector store) used by the recommendation engine.
• AI/ML service providers (via external APIs) used to curate recommendations from stored papers.
• E-mail delivery service for sending recommendation-emails to users.

We ensure that all such third-party providers are bound by data processing agreements (DPA / "Auftragsverarbeitungsvertrag") and required to implement appropriate technical and organisational measures to protect your data (e.g. encryption, access controls).

If any of these providers are located outside the EEA / UK, we apply appropriate safeguards (e.g. standard contractual clauses), or rely on an adequacy decision where available.

We retain personal data as long as needed to provide the Service (i.e. as long as your account exists or you remain subscribed), or for as long as legally required. When data is no longer necessary, or upon deletion request from you, we delete or anonymize the data.

Under GDPR you have the following rights regarding your personal data:

• Right of access (to know which data we hold)
• Right to rectification (correct inaccurate data)
• Right to erasure ("right to be forgotten") if data is no longer needed / legal basis does not apply.
• Right to restriction of processing.
• Right to data portability (receive data in machine-readable format).
• Right to object to certain processing (e.g. marketing, profiling) where relevant.

You can exercise these rights by contacting us at hi@ggrxiv.com.

We implement reasonable technical and organisational measures to protect your personal data against loss, unauthorized access, alteration or disclosure. This includes encryption, secure hosting, access controls, and regular security reviews.

Because we may rely on service providers outside the EEA/UK, personal data might be transferred internationally. In such cases, we ensure that appropriate safeguards are in place (e.g. standard contractual clauses), or only transfer to jurisdictions with an adequacy decision, or obtain your explicit consent as required.

We may update this Privacy Policy at any time. We will indicate the date of last update at the top of this document. Changes will take effect once published, and — if required by law — we will notify you in advance.