Privacy Policy

Important: this page summarizes current service terms and data practices for StateOfArt. It is provided for transparency and does not replace independent legal advice for your specific jurisdiction.

Controller / operator: PublishPilot (StateOfArt), contact: support@publishpilotapp.com

What we collect

Account data (email, authentication identifiers, profile fields you provide).
Project data (titles, research questions, keywords, notes, rankings, comparisons).
Uploaded PDFs and extracted text when you upload files legally.
Paper metadata from public academic indexes and your library selections.
AI-generated summaries, drafts, and copilot messages derived from your inputs.
Billing metadata via Stripe (subscription status, customer id — not full card numbers).
Usage and security logs (requests, rate limits, error diagnostics).
Cookies / local storage required for session and preferences.
Ad delivery metadata for free plan placements (when ads are enabled).
Encrypted BYOK AI credentials when you choose to store your own API key.

Purposes

Providing the service, authentication, billing, AI-assisted features, security, support, and legal compliance.

Legal bases (GDPR)

Performance of a contract (Art. 6(1)(b)).
Legitimate interests such as fraud prevention and service improvement (Art. 6(1)(f)).
Consent where required, e.g. non-essential cookies or certain marketing (Art. 6(1)(a)).
Legal obligation where applicable (Art. 6(1)(c)).

Processors

Supabase (database, auth, storage), Vercel (hosting), Stripe (payments), AI providers you configure (e.g. OpenAI or OpenRouter), ad providers (when enabled), and future email providers if enabled.

Ads and subscriptions

The free plan may display sponsored placements. Paid plans remove ads. Ad delivery is feature-flagged and may be gradually enabled.

BYOK AI keys

If you add your own AI key in account settings, it is encrypted server-side before storage. We do not show the raw key back in the UI. You can remove it at any time from account settings.

International transfers

Providers may process data in the EU, UK, US, or other regions. Use their DPAs / SCCs as appropriate and document your transfer mechanism.

Retention

Data is retained while your account is active and as needed for legal, tax, fraud-prevention, and dispute-resolution obligations. You may request account deletion; some records may be kept when legally required.

Your rights

Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable. You may lodge a complaint with a supervisory authority (e.g. CNIL in France).

Exports and deletion

Request a copy or deletion via support@publishpilotapp.com. Requests are handled after identity verification and subject to legal retention duties.

Your PDFs

You are responsible for having the rights to upload and process documents you provide.

AI disclaimer

AI outputs can be inaccurate. You must verify results before academic or legal reliance.

Security

We apply industry-standard measures including TLS, access control, row-level security, and rate limiting. No method is 100% secure.

Version française