Privacy Policy

1. Controller (Verantwortlicher)

The controller responsible for processing your personal data is:

• Chenio UG (haftungsbeschränkt)
• Bolbergstr. 13, 72131 Ofterdingen, Germany
• Email for privacy enquiries: support@chenio.de

A Data Protection Officer (DPO) has not been appointed because the legal thresholds in § 38 BDSG are not met. If a DPO is appointed in the future, contact details will be added here.

2. Scope

This policy applies to the Acteams website at acteams.chenio.de and the associated web application, including project workspaces (literature, notes, documents, R/Python analyses, LaTeX, discussions/chat) and supporting APIs.

3. Categories of Personal Data

3.1 Account & identity data

• Name (if provided)
• Email address
• Password hash (we never store plaintext passwords)
• Profile image (if uploaded)
• Account state (e.g. email verification status, role)

3.2 User-generated project content

The Service is designed for collaborative research. Depending on how you use it, content you produce may contain personal data (your own or about others).

• Project names, project membership, role assignments
• Discussion / chat messages and reactions
• Notes (including tags and links to literature)
• Literature records (citations, identifiers, metadata, annotations)
• Files you upload — PDFs, images, BibTeX/RIS, .tex / .bib / .sty, datasets
• Documents created or edited via Collabora Online (.odt, .docx, .ods, .xlsx, .odp, .pptx)
• R Markdown analyses, Jupyter-style Python notebooks, LaTeX projects
• Real-time collaborative editing state (Yjs CRDT updates)

3.3 Technical & usage data

• Server log data (timestamps, requested endpoints, status codes, errors)
• Browser / device user-agent string
• IP address (in server access logs and as part of security events)
• Sign-in attempts and other security-relevant events

3.4 Payment data

If you subscribe to a paid plan, payment is processed by Stripe Payments Europe, Limited (Ireland). We do not see or store your full card number. We receive a customer ID, the subscription status, and metadata about your invoices.

3.5 Preferences & local-storage state

• UI preferences (e.g. sidebar width, active LaTeX file) stored in your browser's localStorage
• NextAuth session, CSRF and callback-URL cookies (see Section 9)

4. Purposes and Legal Bases (Art. 6 GDPR)

We process personal data only when we have a valid legal basis. Each purpose below is mapped to the relevant Art. 6 ground.

• Providing the Service — account creation, sign-in, project membership, document collaboration, AI features you invoke: Art. 6(1)(b) — performance of a contract.
• Security & abuse prevention — log retention, rate-limiting, CSRF/session cookies, security event review: Art. 6(1)(f) — legitimate interest (interest in the integrity of our Service); also Art. 32 GDPR — security of processing.
• Operational email — verification mails, password resets, receipt of subscription invoices: Art. 6(1)(b) and Art. 6(1)(c) — legal obligation for invoicing.
• AI-assisted features (citation extraction, full-text URL lookup, drafting / revision, semantic search): Art. 6(1)(b) when invoked as part of the requested feature; we rely on Art. 6(1)(a) — consent for any optional feature where this is explicitly stated.
• Billing & tax records: Art. 6(1)(c) — legal obligation (HGB / AO retention duties).
• Cookies & local storage strictly necessary for the Service: permitted under § 25 (2) Nr. 2 TDDDG without consent. Any non-essential storage would require consent (Art. 6(1)(a) GDPR + § 25 (1) TDDDG); we do not currently use any.

5. AI Features (OpenAI)

Some features send user-provided text to OpenAI, L.L.C. (United States) as a processor on our behalf. These include: literature citation extraction, full-text URL lookup, document drafting/revision, AI assistant questions, retrieval-augmented synthesis over your literature, embedding generation for semantic search, and code generation in analysis notebooks.

• We use OpenAI's API (not the consumer ChatGPT product). Under OpenAI's API terms, content submitted via the API is not used to train OpenAI's models.
• Inputs and outputs may be retained by OpenAI for a limited period for abuse monitoring and service operation, in accordance with their Enterprise / API privacy policy.
• AI outputs can be inaccurate. You are responsible for verifying outputs before relying on them in academic, citation, or compliance contexts.
• Do not submit special-category data (Art. 9 GDPR — health, biometrics, political opinions, etc.) into AI features unless you have a specific legal basis and the necessary permissions.

6. Document Collaboration (Collabora)

Real-time collaborative editing of office documents is provided by an instance of Collabora Online that we host ourselves alongside the rest of the Service. Document content does not leave our infrastructure for the purpose of rendering or editing.

7. Real-Time Collaboration (Yjs)

Live co-editing of notes, analyses and LaTeX documents uses a self-hosted Yjs WebSocket server. Document state and presence (cursor position, selection, user name shown next to your cursor) flow over a short-lived signed token bound to a specific document. No third party is involved.

8. Recipients & Subprocessors

We do not sell personal data. We share personal data only with processors acting on our instructions under data-processing agreements (Art. 28 GDPR):

We may also disclose information when required by law or to protect the rights, safety or security of our users, third parties, or the Service.

9. Cookies & Local Storage

The Service uses only cookies and local-storage entries that are strictly necessary to deliver features you have explicitly requested. Under § 25 (2) Nr. 2 TDDDG no consent is required for these. We currently use:

• authjs.session-token / __Secure-authjs.session-token — authentication session
• authjs.csrf-token — CSRF protection
• authjs.callback-url — sign-in redirect state
• Browser localStorage entries for UI preferences (e.g. sidebar width, active file in the LaTeX editor)

We do not use analytics, advertising or third-party tracking cookies. We do not embed third-party content (Google Fonts, YouTube, Maps, social widgets, etc.) that would set cookies on your device. See our Cookie Policy for details.

10. International Data Transfers

Personal data is primarily processed within the European Union. Where we use OpenAI as a processor, data is transferred to the United States. The transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplemented where applicable by reliance on the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795). We have documented a transfer impact assessment for this transfer and apply organisational safeguards (no submission of special-category data without explicit user action).

11. Data Retention

• Account data: retained while your account is active. On account deletion, account data and content are removed within 30 days, except where longer retention is required by law (see below) or where content is part of a shared project owned by another user.
• Project content: retained while the project exists. Project owners can export and delete content at any time.
• Backups: encrypted backups in S3 are retained for up to 30 days for disaster recovery.
• Server access logs: retained for up to 14 days for security and abuse investigation.
• Billing & invoices: retained for 10 years (§ 147 AO, § 257 HGB).

12. Your Rights (GDPR)

If GDPR applies to you, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate or incomplete personal data (Art. 16)
• Erasure / right to be forgotten (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing based on legitimate interests (Art. 21), including any direct marketing
• Withdraw consent at any time, where processing is based on consent (Art. 7(3))

To exercise any of these rights, contact us at the email above. You also have the right to lodge a complaint with your local data protection authority. For German users, the competent supervisory authority is Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart (baden-wuerttemberg.datenschutz.de).

13. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR), including TLS-encrypted transport, hashed passwords (bcrypt/scrypt), role-based access control, signed short-lived tokens for real-time collaboration, scoped per-project access checks on every API endpoint, encrypted database and S3 backups, and least-privilege credentials. No system is 100% secure; we will notify users and the supervisory authority of any personal data breach as required by Art. 33 / Art. 34 GDPR.

14. Children

The Service is not directed at children under 16. We do not knowingly process personal data of children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

15. Changes to This Policy

We may update this policy from time to time. The current version with the "Last updated" date above is the binding version. Material changes will be communicated by email or in-app notice.

16. Contact

Privacy questions and rights requests: support@chenio.de.