Privacy Policy
papyro is designed for data minimisation. We store the least amount of personal data necessary to operate the service and we never access your document content.
1. What data we collect and why
- Name and email address — collected from your GitHub or GitLab account at sign-in to identify your account.
- OAuth provider and provider user ID — stored to match future logins to your existing account.
- Personal Access Token (PAT) — provided by you, encrypted at rest, used solely to clone and list your repositories on your behalf. Never transmitted to third parties.
- LLM API key — if provided, encrypted at rest, used solely to make AI requests on your behalf.
- Last login timestamp — used to delete inactive accounts after 12 months (see Section 6).
- IP address at login — stored in the audit log for security purposes, retained for 180 days then automatically deleted.
2. What we do NOT collect
- We do not store your OAuth access token — it is revoked immediately after sign-in.
- We do not retain the content of your documents for our own purposes, and we never use it to train AI models. (When you use the AI assistant, see Section 5 for how your content is handled.)
- We do not use tracking cookies or analytics scripts.
- We do not sell your personal data, and we do not share it with third parties for their own purposes. We use one infrastructure sub-processor (Section 5).
3. Repository access
With your consent (by providing a PAT), papyro will:
- Scan your repositories read-only to identify papyro-enabled ones (those containing a deliverable_register.json file).
- Clone only the repository you explicitly connect to a workspace.
- Push commits to that repository only when you explicitly trigger a save or sync action.
You can revoke access at any time by deleting your PAT from Settings or from your GitHub/GitLab account settings.
4. Encryption and security
- All secrets (PATs, LLM keys) are encrypted at rest using AES-128 (Fernet) with per-user derived keys.
- Session cookies are httponly, samesite=lax, and secured over HTTPS.
- Sessions are invalidated on logout and cannot be reused.
- Login endpoints are rate-limited to prevent brute-force attacks.
- All authentication events are recorded in an audit log.
5. Data location, sub-processors & the AI assistant
All data is stored exclusively on servers located in Nuremberg, Germany, operated by our sole infrastructure sub-processor, Hetzner Online GmbH (hosting, database, and encrypted backups). No personal data is transferred outside the European Economic Area.
papyro's AI assistant works on a bring-your-own-key basis: when you use it, the relevant text from your document is sent to the LLM provider you choose (e.g. Anthropic, OpenAI, Mistral, Google) using your own API key, under your own agreement with that provider. papyro does not route this through an account of its own and does not retain the content; that provider acts as your processor, not ours.
A full sub-processor list and a GDPR Article 28 Data Processing Agreement are available on request at carlostapiaman@gmail.com.
6. Data retention
- Account data is retained for as long as your account is active.
- Accounts that have not logged in for 12 months are automatically deleted.
- Security audit log entries (including login IP addresses) are retained for 180 days, then automatically purged.
- You may request immediate deletion at any time (see Section 7).
7. Your rights (GDPR)
Under the GDPR you have the right to:
- Access — download a copy of all personal data we hold about you at any time via Settings → Export my data, or request it from us.
- Rectification — request correction of inaccurate data.
- Erasure — delete your account and all associated data immediately via Settings → Delete account, or by contacting us.
- Portability — export your account data as machine-readable JSON at any time from Settings → Export my data; your documents additionally live in your own Git repository, always under your control.
- Objection — object to processing at any time by deleting your account.
To exercise any right, contact carlostapiaman@gmail.com. We will respond within 30 days.
8. Legal basis
Most processing is based on the performance of a contract (Art. 6(1)(b) GDPR) — your account data is necessary to provide the service you signed up for. Security logging (including the login IP address) relies on our legitimate interest in protecting the service against abuse (Art. 6(1)(f) GDPR).
9. Changes to this policy
Material changes will be communicated by email to registered users. The effective date at the top of this page indicates the last revision.