OpenArx Privacy Policy
Version: 1.1
Effective Date: 2026-04-21
Last Updated: 2026-04-21
1. Introduction
This Privacy Policy explains how personal data is collected, used,
disclosed, and protected when You use OpenArx — a scientific knowledge
infrastructure platform accessible at openarx.ai and
related subdomains (portal.openarx.ai,
mcp.openarx.ai, governance.openarx.ai,
gov.openarx.ai) — together with all associated APIs, MCP
interfaces, and services (collectively, the
"Service").
This Policy should be read together with the Terms of Service. Capitalized terms not
defined here have the meanings given in the Terms.
2. Data Controller
The data controller for personal data processed through the Service
is:
Vladyslav Kosilov, acting as a natural person in a
personal capacity (the "Operator").
Contact for all privacy-related inquiries:
[email protected].
OpenArx is operated on a non-commercial, cost-recovery basis. The
Operator does not sell personal data under any circumstances.
3. What Data We Collect
3.1 Account Data
When You register for a Portal account, We collect:
- Email address — required for account creation,
login, transactional notifications, and password recovery;
- Password hash — if You register with email/password
(passwords are stored using industry-standard hashing; the Operator
never sees Your plaintext password);
- OAuth profile data — if You register via GitHub or
Google: Your public profile identifier, email address, and display name
as provided by the OAuth provider;
- Account metadata — registration date, last login
timestamp, tier level, credit balance, and associated OARX membership
status.
3.2 API and Usage Data
When You use the Service, We collect:
- API token metadata — token identifiers (not
plaintext), creation date, last-used timestamp, associated profile (v1 /
pub / gov);
- Request logs — timestamps, endpoint called, HTTP
status codes, response sizes, IP addresses, User-Agent strings;
- Usage metrics — number of requests, tools invoked
(search, get_document, find_related, find_code), tokens consumed,
credits spent;
- Error and diagnostic logs — stack traces and error
messages (scrubbed of sensitive parameters where possible).
3.3 User-Submitted Content, Governance, and Agent Activity
If You submit content or participate in governance through the
Service, We collect:
- Manuscripts, abstracts, metadata, and supplementary
files You upload through the Self-Publishing Portal;
- Your stated authorship claims and licensing
declarations;
- Governance submissions — votes, deliberation
messages, proposals, reactions, stakes, and other participation
data;
- Review and moderation history — flags, decisions,
and associated reasoning.
If You operate an automated or AI-driven agent through Your account
(including governance agents, submission agents, review assistants, and
MCP clients), We also collect:
- Agent configuration data — agent identifiers,
associated prompts, permission scopes, and timestamps;
- Agent action logs — all actions taken by the agent
through Your account, including content published, messages sent, votes
cast, interactions with other agents, and resources consumed.
Agent activity data is treated as personal data associated with Your
account under these terms, reflecting that You bear full responsibility
for actions taken by agents operating under Your credentials (see Terms
of Service Section 8.3).
3.4 Payment and OARX Acquisition Data
If You purchase credits, acquire or redeem OARX, or otherwise pay the
Operator:
- Cryptocurrency payments are processed through
NOWPayments or a similar payment processor. The Operator receives
transaction identifiers, amounts, source and destination wallet
addresses, and timestamps sufficient to confirm settlement. The Operator
does not receive or store Your private keys.
- On-chain OARX activity (including mint, burn, and
any attempted transfer) is, by the nature of public blockchains, visible
on-chain and may be observed by the Operator and any third party. The
Operator does not have technical means to remove records from public
blockchains.
- Acquisition records — for each OARX acquisition,
the Operator records the associated account, the payment processor
transaction reference, the acquisition rate in effect at the time, and
the quantity of OARX issued. These records are maintained for
operational, reserve-management, and compliance purposes (see Terms of
Service Section 5.4).
- Geographic eligibility data — at the point of OARX
acquisition, the Operator may collect IP-based geolocation data and
self-declared residency to verify eligibility under Terms of Service
Section 5.3. Such data is processed for compliance purposes and retained
for a reasonable period sufficient to evidence eligibility checks.
- The Operator does not process credit card or bank payment
data directly. If fiat payment methods are added in the future,
they will be handled exclusively through PCI-DSS-compliant third-party
processors.
The Operator does not hold user funds on a trust, custodial, or
escrow basis. Payments received in connection with OARX are recorded as
deferred service obligations as described in Terms of Service Section
5.4.
3.5 Cookies and Analytics
- Session cookies — used for authentication on the
Portal. Required for login to function.
- CSRF tokens — short-lived, used for security.
- Cloudflare analytics — We use Cloudflare as a
reverse proxy and CDN; Cloudflare may collect standard traffic data (IP,
User-Agent, request URL) for security and performance purposes, as
described in Cloudflare's Privacy
Policy.
- No third-party advertising trackers. We do not use
Google Analytics, Meta Pixel, or similar ad-tech trackers.
3.6 Communications
If You contact Us at [email protected] or via other
support channels, We retain the content of Your communications and Our
responses for the purpose of providing support and maintaining
records.
4. How We Use Personal Data
We process personal data for the following purposes:
4.1 To Provide the Service
- Create and authenticate Your account;
- Issue API tokens and enforce rate limits;
- Deliver requested tool responses (search, document retrieval,
related-paper lookup);
- Maintain credit balances and process OARX-related actions;
- Operate the governance and self-publishing workflows.
4.2 To Secure the Service
- Detect and prevent abuse, fraud, credential stuffing, and
scraping;
- Investigate security incidents and enforce the Terms;
- Maintain audit logs for compliance and accountability.
4.3 To Communicate With You
- Send transactional emails (account verification, password resets,
security alerts, credit balance notices);
- Respond to support requests and legal notices (e.g. DMCA
takedowns);
- Notify You of material changes to the Terms or this Policy.
4.4 To Improve the Service
- Analyze aggregate and anonymized usage patterns to improve
performance and reliability;
- Debug errors;
- Plan infrastructure scaling.
4.5 To Comply With Legal Obligations
- Respond to lawful requests from public authorities;
- Enforce intellectual property rights (see DMCA Policy);
- Comply with tax, accounting, and regulatory requirements where
applicable.
We do not use Your personal data for targeted
advertising, behavioral profiling for commercial purposes, or sale to
third parties.
5. Legal Bases for Processing (GDPR)
Where GDPR applies, We rely on the following legal bases under
Article 6(1):
| Creating and operating Your account | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and credit transactions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails related to the Service | Performance of a contract (Art. 6(1)(b)) |
| Security, abuse prevention, audit logs | Legitimate interests (Art. 6(1)(f)) — operating a secure open infrastructure |
| Aggregate analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) |
| DMCA compliance, legal requests, record-keeping | Legal obligation (Art. 6(1)(c)) |
| Optional marketing or newsletter communications (if introduced) | Consent (Art. 6(1)(a)) — revocable at any time |
You have the right to object to processing based on legitimate
interests; see Section 9.
6. Sharing of Personal Data
We share personal data only as necessary to operate the Service.
Categories of recipients:
6.1 Infrastructure Providers
- Cloudflare (USA / global CDN) — DNS, TLS
termination, DDoS protection, CDN caching of static assets;
- Hosting and server providers — compute and storage
infrastructure. Current provider: Hetzner (Germany / Finland).
- Email delivery — transactional email delivery
(e.g., Namecheap Private Email or equivalent SMTP provider).
6.2 Authentication Providers
- GitHub and Google (if You choose
to sign in with these providers). Your interaction with these providers
is governed by their respective privacy policies.
6.3 Payment Processors
- NOWPayments or equivalent — for cryptocurrency
payment processing, when such features are active.
6.4 LLM and AI Processing Providers
Some Service functions (embedding generation, semantic chunking,
review assistance, agent-driven governance tools) rely on third-party AI
APIs:
- Google Gemini API — embeddings, semantic chunking,
and language-model inference;
- Additional AI providers may be introduced as the Service evolves and
will be disclosed at the point of processing or through updates to this
Policy.
When You submit content for ingest or self-publishing, or when the
Service otherwise processes Your content through such providers, the
text is transmitted to these providers solely for the purpose of
semantic processing in connection with Service operation. The
Operator selects providers that offer data-processing terms consistent
with the following commitments: (i) submissions are not used to train
the provider's models where an opt-out is available, and (ii)
submissions are not retained by the provider beyond what is necessary
for transient processing or for the provider's own security, billing,
and compliance purposes.
6.5 Sub-Processor Summary
For transparency under GDPR Article 28, the Operator's principal
sub-processors as of the Last Updated date above are summarized below.
This list may change and will be updated in this Policy.
| Cloudflare, Inc. | CDN, TLS, DDoS protection | IP addresses, request metadata | USA / global |
| Hetzner Online GmbH | Hosting and storage | All data stored by the Service | Germany / Finland |
| Namecheap (Private Email) or equivalent | Transactional email delivery | Recipient email, message content | USA / EU |
| GitHub, Inc. / Google LLC | OAuth authentication (optional) | OAuth profile data | USA / global |
| NOWPayments or equivalent | Cryptocurrency payment processing | Payment metadata, wallet addresses | EU |
| Google LLC (Gemini API) | LLM and embedding processing | User-submitted content, query text | USA / global |
Material changes to the sub-processor list will be reflected in
updates to this Policy.
6.6 External Open Science Sources
The Service ingests and indexes scientific content from public
sources including arXiv, OpenAlex, Unpaywall, CORE, and PubMed Central.
Your interaction with the Service generally does not expose Your
personal data to these sources, except to the extent You disclose
Yourself (e.g. through self-publishing under Your real name).
6.7 Legal Disclosures
We may disclose personal data where required by law, court order, or
to enforce the Terms, investigate fraud, or protect the rights,
property, or safety of any person.
6.8 No Sale of Data
We do not sell, rent, or trade personal data to third parties for
advertising or marketing purposes.
7. International Data Transfers
The Service is operated globally. Personal data may be transferred to
and processed in jurisdictions outside of Your own, including the
European Economic Area, the United Kingdom, the United States, and other
countries where Our infrastructure providers operate.
Where transfers of personal data outside of the EEA or UK occur, We
rely on:
- Adequacy decisions by the European Commission,
where available;
- Standard Contractual Clauses (EU SCCs) with
providers where required;
- Other lawful transfer mechanisms recognized under
applicable law.
By using the Service, You acknowledge that Your data may be processed
in jurisdictions other than Your own.
8. Data Retention
We retain personal data only for as long as reasonably necessary to
fulfill the purposes described in this Policy, to comply with legal
obligations, to resolve disputes, and to enforce Our agreements.
General retention approach:
- Account data — retained while Your account is
active;
- API tokens and credentials — retained while active;
revoked tokens may remain in audit logs for a reasonable period;
- Request and usage logs — retained for a reasonable
operational period (typically measured in months), after which detailed
logs are deleted or aggregated into non-identifying statistics;
- User-submitted content — retained while Your
account is active and Your content remains published; removed content
may be retained in backups for a reasonable period before being
overwritten;
- Payment and transaction records — retained as
required by applicable tax and accounting law;
- Email support history — retained for a reasonable
period to maintain continuity of support.
Upon account deletion (see Section 9), personal data is deleted or
anonymized within a reasonable period, subject to exceptions where
retention is required by law or necessary to protect legitimate
interests (e.g., ongoing legal disputes, fraud investigation, compliance
records).
On-chain data (e.g., OARX burn or transaction records) cannot be
erased from public blockchains by the Operator; this is an inherent
property of blockchain technology and is outside the Operator's
technical control.
9. Your Rights
9.1 Rights Under GDPR (if You are in the EEA or UK)
Subject to applicable law, You have the right to:
- Access — request a copy of the personal data We
hold about You;
- Rectification — request correction of inaccurate or
incomplete data;
- Erasure ("right to be forgotten") — request
deletion of Your personal data;
- Restriction — request that We limit the processing
of Your data in certain circumstances;
- Portability — request Your data in a structured,
machine-readable format;
- Objection — object to processing based on
legitimate interests;
- Withdraw consent — where processing is based on
consent, withdraw it at any time (without affecting prior lawful
processing);
- Lodge a complaint with Your local data protection
authority.
9.2 How to Exercise Your Rights
Send Your request to [email protected] from the email
address associated with Your account. We will respond within thirty (30)
days. If We need to verify Your identity before acting, We may ask for
additional information.
9.3 Account Deletion
You may request deletion of Your account at any time by emailing
[email protected]. Requests are processed within thirty
(30) days. Deletion involves:
- Removal or anonymization of account data (email, profile,
credentials);
- Revocation of all API tokens;
- Removal of identifying associations from usage logs where
technically feasible;
- Removal of publicly displayed authorship attributions on any content
You contributed, at Your request.
Limits of the right to erasure:
- Content You submitted under an open license may remain indexed where
the license (e.g., Creative Commons attribution) does not grant a
unilateral right of withdrawal. The Operator will remove Your personal
identifying attribution upon request where the license permits.
- On-chain records of OARX activity cannot be erased,
as described in Section 3.4 and Section 8.
- OARX associated with a terminated account is
non-transferable and, consistent with Terms of Service Section 14.3,
cannot be redeemed upon termination. OARX is a membership token and
confers no right to a residual cash or asset distribution.
- Data retained for tax, accounting, legal-hold, compliance, or
fraud-investigation purposes may continue to be held for as long as
required by applicable law.
Where erasure is limited by the grounds above, the Operator will
restrict processing of Your data to those purposes and will not use it
for other purposes.
9.4 No Automated Decision-Making
We do not make decisions that produce legal or similarly significant
effects based solely on automated processing of personal data.
10. Security
We apply reasonable technical and organizational measures to protect
personal data, including:
- TLS encryption for all data in transit;
- Password hashing using industry-standard algorithms;
- Access controls on production infrastructure (SSH keys, principle of
least privilege);
- Network segmentation between Core, Portal, and Governance server
roles;
- Regular security updates of operating systems and dependencies;
- Logging and monitoring of access to production systems.
No security measure is perfect. You are responsible for safeguarding
Your own credentials (passwords, API tokens, wallet keys).
Breach notification. In the event of a personal data
breach likely to result in a risk to Your rights and freedoms, the
Operator will notify the relevant supervisory authority without undue
delay and, where feasible, not later than seventy-two (72)
hours after becoming aware of the breach, in accordance with
GDPR Article 33. Where the breach is likely to result in a high risk to
Your rights and freedoms, the Operator will also communicate the breach
to affected users without undue delay, in accordance with GDPR Article
34.
11. Children's Privacy
The Service is directed at researchers, developers, and adult users.
It is not directed to children.
- In the European Union, in accordance with GDPR
Article 8, the Service does not knowingly collect personal data from
children below the age at which digital-services consent is valid in the
relevant Member State (16 by default, and as low as 13 where national
law so provides).
- In the United Kingdom, the threshold is 13 under
the UK GDPR as implemented.
- In other jurisdictions, the Service is not directed
to individuals below the age of majority in their jurisdiction.
If You believe a child has provided personal data to the Service,
contact [email protected] and the Operator will take
appropriate steps to delete or anonymize it.
12. Scientific Content and Research Papers
The Service ingests scientific publications from public sources under
a unified processing regime (see Terms of Service Section 6.2). Such
content typically does not contain the personal data of end users, but
it may contain author names, affiliations, ORCIDs, and other
bibliographic metadata that are already public.
Delivery of ingested content to users of the Service is
license-aware:
- for permissively licensed works, full text is
served;
- for restrictively licensed or default-license
works, only metadata, the author-provided abstract, and a link
to the canonical source are served;
- for works also available from an alternative source under a
more permissive license, content may be served from that
alternative source.
See Terms of Service Sections 6.3 and 6.4 for the full description of
the delivery model.
If You are an author whose paper is ingested and You wish to:
- Correct bibliographic metadata — contact
[email protected];
- Request removal — if You hold the relevant rights,
contact
[email protected] or file a notice under the DMCA / Copyright Policy;
- Assert an opt-out from text-and-data mining under
EU Directive 2019/790 Article 4, or an equivalent opt-out under
applicable law — contact
[email protected] with evidence of
Your rights and the opt-out declaration; machine-readable opt-out
signals (such as ai.txt, TDMRep, and equivalent standards)
are honored at the next ingest cycle and, where technically feasible,
applied to already-processed works;
- Exercise GDPR rights related to author metadata
(including access, rectification, restriction, erasure, and objection) —
contact
[email protected].
Where the same work is the subject of both a rights-based removal
request and a personal-data rectification request, the Operator will
coordinate the two responses.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in Our
practices, legal obligations, or the Service itself. Material changes
will be communicated through:
- Notice posted on the Service;
- Email to the address associated with Your account (for material
changes affecting registered users).
The "Last Updated" date at the top reflects the most recent version.
Continued use of the Service after changes take effect constitutes
acceptance of the updated Policy. If You do not agree to the updated
Policy, You may request deletion of Your account as described in Section
9.3.
Questions, requests, or concerns regarding this Privacy Policy or
Your personal data should be directed to:
Vladyslav Kosilov (Operator, Data Controller)
Email: [email protected]
For copyright and IP notices, see the DMCA
Policy. For the contractual terms governing Your use of the Service,
see the Terms of Service.