Privacy

How SciStreak handles your data — effective May 2026

SciStreak ("we", "us") is a literature-tracking and quiz product operated by [TODO: legal entity name, e.g. SciStreak UG], served at scistreak.com. This page explains what data we collect when you use SciStreak, why, where it is stored, and what rights you have.

1. What we collect

  • Account data, when you sign in with Google: your name, email address, profile picture URL, and Google account identifier. Provided by Google, not asked of you directly.
  • Activity data: which papers you opened, MCQs you answered (and whether correctly), reading sessions, the specialties you selected, milestones you earned.
  • Technical data: a server-issued session cookie (HMAC-signed, no third-party trackers), your IP address recorded briefly in server logs for abuse prevention, and your User-Agent string for device-class analytics.
  • What we do NOT collect: payment data (SciStreak is free during stealth), location data beyond country-level from IP, contact lists, calendar, or any data from other Google services. We don't use third-party advertising or analytics SDKs.

2. Why we use it

  • To authenticate you and keep you signed in.
  • To personalize the paper feed and quiz to your specialty and past answers.
  • To compute the activity stats and confidence radar shown on your own profile page.
  • To detect abuse (rate-limit violations, automated scraping).
  • In aggregate, anonymized form, to evaluate the quality of the MCQ pipeline and the ranking model.

3. Where it lives

All user data is stored in a Postgres database hosted on a Hetzner Cloud server in Germany (EU). Backups are encrypted and stay within the same region. We don't transfer user data outside the EU/EEA except as listed under "Third parties" below.

4. Third parties we send data to

  • Google— only for OAuth sign-in. We receive your identity tokens; we don't send Google any of your activity data.
  • Anthropic— when our pipeline scores or generates an MCQ from a paper, the paper's public abstract and the prompt are sent to Anthropic's Claude API. Your personal data is never included in those requests.
  • OpenAlex, Crossref, arXiv, PubMed, etc.— public scholarly APIs we read FROM. We don't send them user data.

5. How long we keep it

  • Account data: until you delete your account.
  • Activity data: until you delete your account or 36 months of inactivity, whichever comes first.
  • Server logs with IP: 30 days, then deleted.
  • Backups: rotated out within 30 days of the originating data being deleted.

6. Your rights (GDPR / Swiss FADP)

You can at any time request: access to the data we hold on you, correction, deletion, restriction of processing, data portability (machine-readable export), and withdrawal of consent. Email hello@scistreak.com and we will respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.

7. Cookies

One first-party session cookie, set on scistreak.com, HMAC-signed server-side, used only to identify your account. No third-party cookies, no advertising cookies, no cross-site tracking.

8. Children

SciStreak is not directed at children under 16 and we don't knowingly collect data from them. If you believe a child has created an account, contact us and we will delete it.

9. Changes

If this policy changes materially, we will notify you in the app and via email before the new version takes effect.

10. Contact

[TODO: legal entity name, e.g. SciStreak UG]
[TODO: registered address]
hello@scistreak.com

Last updated: May 2026.