Privacy Policy
PreXiv collects the minimum data needed to run an account-based research manuscript archive. We don't sell anything; there are no third-party trackers. This page explains what we hold, why, for how long, and how you can see, export, or delete it.
What we collect
- Account data — username, email address, password (stored only as a bcrypt hash; we never see the plaintext after registration), optional display name, optional affiliation, optional bio, optional two-factor authentication secret, optional authenticated ORCID iD, and optional authenticated GitHub id/login. Email addresses and two-factor secrets are encrypted at rest. If you connect ORCID or GitHub through OAuth, we store the authenticated identifier and verification timestamp, but no ORCID/GitHub password and no long-lived OAuth access token. You set these when you register and can edit them from your profile.
- Manuscripts you submit — title, abstract, authors, category, the PDF or source artifact you upload, any external URL you provide, conductor metadata (AI model, human conductor name, role) and (optional) auditor metadata. The PDF body may be parsed to plain text for full-text search. If you include personal, confidential, patient, or sensitive information inside a manuscript, that material may become public unless you use the redaction controls or withdraw it.
- Comments, votes, flags — what you wrote / how you voted / what you flagged, plus timestamps.
- API tokens — name, creation/last-used timestamp, a short display prefix, and a SHA-256 hash of the token. The plaintext is shown to you exactly once at creation and never persisted.
- Webhook subscriptions — the URL, event list, encrypted signing secret, and per-delivery status (last attempt, status code, failure count) for any webhook you register.
- Audit log — moderator/admin actions on content you submitted (e.g., "manuscript X withdrawn"), with the actor and the source IP address truncated to 64 characters. Used to investigate disputes and abuse.
- Rate-limit state — the IP address you connected from, kept in memory by short-lived token buckets for auth and public-write protection. Not persisted to disk in any deployment we ship.
- Session cookie — a random session id; the cookie is HTTP-only, SameSite=Lax, and (in production) Secure. The server-side PostgreSQL session row carries the user id and a CSRF token. No tracking pixels.
- Theme preference cookie — if/when set, a small string indicating your preferred site appearance. No personal data.
Why we collect it
Solely to operate the service: authenticate you, attribute your manuscripts and comments, rank submissions, prevent spam and abuse, and let you cite your own work later. We do not sell user data. We do not run third-party advertising or analytics scripts on the site. There is no profiling beyond the karma score visible in your profile.
How long we keep it
Until you delete your account. When you do (see /me/delete-account), we anonymize your user row, withdraw your non-withdrawn manuscripts, leave your comments attached to a placeholder username so existing discussion threads stay coherent, and revoke every API token you ever minted. Withdrawn manuscripts remain as tombstones (id, DOI, title, withdrawal reason) because they may be cited; the conductor link is broken so you are not retroactively associated with them.
Audit-log entries about you are retained for up to 12 months after your account is deleted, then purged. Webhook delivery records are kept only as long as the webhook itself exists.
Third parties
- Reverse proxy / CDN (for example Cloudflare, if the operator has configured it) sees the same request data any HTTP host sees: source IP, request URL, browser User-Agent. We do not pass user content to that provider beyond what's needed to serve the request.
- Zenodo — only if the operator has set ZENODO_TOKEN. When enabled, every newly submitted manuscript's metadata (title, abstract, authors, category, conductor info) is sent to zenodo.org (or the sandbox) to mint a real DOI. The PDF is NOT uploaded to Zenodo by default.
- Have I Been Pwned — when you set or change a password we send only the first five hex characters of the SHA-1 of your password to the HIBP range API for k-anonymity breach checking. The plaintext password never leaves your browser session.
- Outbound email provider — when configured, PreXiv may use Gmail API, Gmail/Workspace SMTP, or another operator-selected mail provider for account email such as verification, email-change confirmation, and password reset. The provider receives the recipient address, sender address, subject, and message body needed to deliver that email.
- ORCID — only when you click Connect with ORCID. You are redirected to orcid.org, then ORCID returns an authorization code to PreXiv. PreXiv exchanges it server-side, verifies the signed OpenID token, and stores the authenticated ORCID iD on your account.
- GitHub — only when you click Connect with GitHub. You are redirected to github.com, then GitHub returns an authorization code to PreXiv. PreXiv exchanges it server-side, fetches your GitHub numeric id and login, stores those on your account, and discards the OAuth access token.
- HTTP webhook subscribers you register — when an event you subscribed to fires, we POST a signed envelope to the URL you chose. Be aware that this means you can voluntarily forward content from your account to a third party of your choosing.
- No other third parties. No Google Analytics, no Meta pixel, no Sentry by default.
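The Have I Been Pwned range check described above, as an added example (not PreXiv's own code). It shows what goes out in the request and how the match is made locally; the sample password and the range response body are constructed, and no network call is made.

```python
import hashlib

# Public HIBP Pwned Passwords range endpoint; only the 5-character prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_sha1(password):
    """Return (prefix, suffix): the 5 hex chars that are sent, the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def outbound_request(password):
    """The only password-derived data in the request is the 5-character prefix."""
    prefix, _ = split_sha1(password)
    return RANGE_URL.format(prefix=prefix)

def breach_count(password, range_body):
    """Search a range response ("SUFFIX:COUNT" per line) for the locally held suffix."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: not in the breach corpus

# Constructed sample: a commonly breached password and a made-up response body.
SAMPLE_PASSWORD = "password"
CONSTRUCTED_BODY = "\r\n".join([
    "0" * 35 + ":3",                              # constructed unrelated suffix
    split_sha1(SAMPLE_PASSWORD)[1] + ":1200",     # constructed count for the sample
    "F" * 35 + ":0",                              # count 0, as in optional response padding
])

if __name__ == "__main__":
    print(outbound_request(SAMPLE_PASSWORD))
    print(breach_count(SAMPLE_PASSWORD, CONSTRUCTED_BODY))
```

The range service sees only a prefix shared by many unrelated hashes; the comparison against the full hash happens on the caller's side.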
Cookies
We set two cookies: a session cookie when you log in (so we remember you on the next request), and a small prexiv_cookie_consent cookie that records you've dismissed the consent banner. If a theme preference is enabled, that's stored in a third small cookie. None of these are used for cross-site tracking.
Your rights (GDPR / CCPA / similar)
- Right to access & portability: a complete machine-readable export of your data is available at /me/export (web, downloads JSON) and GET /api/v1/me/export (API).
- Right to rectification: edit your profile from your user page; edit a manuscript from its page.
- Right to erasure: delete your account at /me/delete-account.
- Right to object / restrict processing: use the contact below and we will work with you. In practice, the only "processing" beyond running the site is the optional Zenodo deposit; you can opt out by withdrawing the manuscript.
- Right to lodge a complaint with a supervisory authority: if you're in the EU/UK and unhappy with how we've handled your request, you may complain to your local data-protection authority.
Children
The service is not directed at children under 13 (or under the equivalent age in your jurisdiction). Don't register if you're under that age.
Security
Passwords are bcrypt-hashed; API tokens are SHA-256 hashed and only the hash plus a short display prefix are stored. Bearer tokens are accepted in the Authorization header, not in URLs. Email addresses, pending email-change addresses, two-factor secrets, webhook signing secrets, and one-shot session secrets are encrypted at rest with a server-held key. The session cookie is HTTP-only and (in production) Secure. CSRF protection is on every state-changing form. Rate limiting protects auth, submit, comment, vote, flag, and API-write endpoints. Uploaded PDFs are validated and watermarked before storage; LaTeX source compiles with shell escape disabled and bounded timeouts.
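The API-token handling described above, as an added example (not PreXiv's own code): the store keeps only a SHA-256 hash and a short display prefix, and a token is accepted only from a Bearer Authorization header. The token format, prefix length, and in-memory store are assumptions.

```python
import hashlib
import secrets

PREFIX_LEN = 12  # assumed length of the display prefix

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def mint_token(store, name):
    """Create a token, persist hash + prefix only, return the plaintext once."""
    plaintext = "prexiv_" + secrets.token_urlsafe(32)  # hypothetical token format
    store[_digest(plaintext)] = {"name": name, "prefix": plaintext[:PREFIX_LEN]}
    return plaintext  # shown to the user now; not recoverable from the store

def token_from_header(authorization):
    """Extract a bearer token from an Authorization header value, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def authenticate(store, authorization):
    """Return the token's name if the presented token hashes to a stored row."""
    token = token_from_header(authorization)
    if token is None:
        return None
    # Lookup is by hash, so a leaked store does not reveal usable tokens.
    record = store.get(_digest(token))
    return record["name"] if record else None

if __name__ == "__main__":
    db = {}  # stand-in for the tokens table
    tok = mint_token(db, "ci-bot")
    print(authenticate(db, "Bearer " + tok))   # ci-bot
    print(authenticate(db, "Basic " + tok))    # None
    print(list(db.values()))                   # name and prefix only
```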
International transfers
The operator's servers and service providers may be located outside your home jurisdiction. Your data may be processed where the operator, hosting provider, or listed third parties operate. We do not sell personal data, and we do not make onward transfers beyond operating the site and the third parties listed above.
Changes
We will update this page when our practices change. Substantive changes will be flagged in a banner on the home page for at least seven days.
Contact
Privacy / GDPR / CCPA enquiries: privacy@prexiv.org. Designated controller of personal data: PreXiv.