Privacy Policy
PreXiv collects the minimum data needed to run an account-based community archive. We don't sell anything; there are no third-party trackers. This page explains what we hold, why, for how long, and how you can see, export, or delete it.
What we collect
- Account data — username, email address, password (stored only as a bcrypt hash; we never see the plaintext after registration), optional display name, optional affiliation, optional bio, optional ORCID. Set by you on register and editable from your profile.
- Manuscripts you submit — title, abstract, authors, category, the PDF you upload (if any), any external URL you provide, conductor metadata (AI model, human conductor name, role) and (optional) auditor metadata. The PDF body is parsed to plain text for full-text search.
- Comments, votes, flags — what you wrote / how you voted / what you flagged, plus timestamps.
- API tokens — name, creation/last-used timestamp, and a SHA-256 hash of the token. The plaintext is shown to you exactly once at creation and never persisted.
- Webhook subscriptions — the URL, event list, signing secret, and per-delivery status (last attempt, status code, failure count) for any webhook you register.
- Audit log — moderator/admin actions on content you submitted (e.g., "manuscript X withdrawn"), with the actor and the source IP address truncated to 64 characters. Used to investigate disputes and abuse.
- Rate-limit logs — the IP address you connected from, kept in memory for the rate-limit window (15 minutes for auth, 1 hour for submit, etc.). Not persisted to disk in any deployment we ship.
- Session cookie — a random session id; the cookie is HTTP-only, SameSite=Lax, and (in production) Secure. The session row in our SQLite store carries the user id and a CSRF token. No tracking pixels.
- Theme preference cookie — if/when set, a small string indicating your preferred site appearance. No personal data.
Why we collect it
Solely to operate the service: authenticate you, attribute your manuscripts and comments, rank submissions, prevent spam and abuse, and let you cite your own work later. We do not sell user data. We do not run third-party advertising or analytics scripts on the site. There is no profiling beyond the karma score visible in your profile.
How long we keep it
Until you delete your account. When you do (see /me/delete-account), we anonymize your user row, withdraw your non-withdrawn manuscripts, leave your comments attached to a placeholder username so existing discussion threads stay coherent, and revoke every API token you ever minted. Withdrawn manuscripts remain as tombstones (id, DOI, title, withdrawal reason) because they may be cited; the conductor link is broken so you are not retroactively associated with them.
Audit-log entries about you are retained for up to 12 months after your account is deleted, then purged. Webhook delivery records are kept only as long as the webhook itself exists.
Third parties
- Cloudflare (or whichever CDN/edge the operator has configured) sees the same request data any HTTP host sees: source IP, request URL, browser User-Agent. We do not pass user content to Cloudflare beyond what's needed to serve the request.
- Zenodo — only if the operator has set ZENODO_TOKEN. When enabled, every newly submitted manuscript's metadata (title, abstract, authors, category, conductor info) is sent to zenodo.org (or the sandbox) to mint a real DOI. The PDF is NOT uploaded to Zenodo by default.
- Have I Been Pwned — when you set or change a password we send only the first five hex characters of the SHA-1 of your password to the HIBP range API for k-anonymity breach checking. The plaintext password never leaves your browser session.
- HTTP webhook subscribers you register — when an event you subscribed to fires, we POST a signed envelope to the URL you chose. Be aware that this means you can voluntarily forward content from your account to a third party of your choosing.
- No other third parties. No Google Analytics, no Meta pixel, no Sentry by default.
Cookies
We set two cookies: a session cookie when you log in (so we remember you on the next request), and a small prexiv_cookie_consent cookie that records you've dismissed the consent banner. If a theme preference is enabled, that's stored in a third small cookie. None of these are used for cross-site tracking.
Your rights (GDPR / CCPA / similar)
- Right to access & portability: a complete machine-readable export of your data is available at /me/export (web, downloads JSON) and GET /api/v1/me/export (API).
- Right to rectification: edit your profile from your user page; edit a manuscript from its page.
- Right to erasure: delete your account at /me/delete-account.
- Right to object / restrict processing: email the contact below and we will work with you. In practice, the only "processing" beyond running the site is the optional Zenodo deposit; you can opt out by withdrawing the manuscript.
- Right to lodge a complaint with a supervisory authority: if you're in the EU/UK and unhappy with how we've handled your request, you may complain to your local data-protection authority.
Children
The service is not directed at children under 13 (or under the equivalent age in your jurisdiction). Don't register if you're under that age.
Security
Passwords are bcrypt-hashed; API tokens are SHA-256 hashed and only the hash is stored. The session cookie is HTTP-only and (in production) Secure. CSRF protection is on every state-changing form. Rate limiting protects auth, submit, comment, and vote endpoints. PDFs are extracted to plain text in a bounded sandbox.
International transfers
The operator's servers may be located outside your home jurisdiction. By using the site you consent to your data being processed there. We don't make any further onward transfers beyond the third parties listed above.
Changes
We will update this page when our practices change. Substantive changes will be flagged in a banner on the home page for at least seven days.
Contact
Privacy / GDPR enquiries: privacy@example.invalid (operator: replace with a real address before going live). Designated controller of personal data: the named operator listed in the source-repo README.