Last updated: March 27, 2026
1. Introduction
This Privacy Policy explains how PlantRxiv, operated by Su Sarlar (ZZP, Netherlands), collects, uses, and protects your personal data when you use our service. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws.
2. Data Controller
The data controller for your personal data is Su Sarlar, operating as a ZZP (zelfstandige zonder personeel) in the Netherlands. For data protection inquiries, please contact us at the email address provided on the platform.
3. Data We Collect
We collect the following personal data:
- Account information: Username, email address, and hashed password (we never store your password in plain text)
- Usage data: Report generation history (search parameters, dates, paper counts)
- Generated content: Review articles, figures, and paper metadata generated through the Service
- Technical data: IP address (for rate limiting and security purposes), session cookies
4. How We Use Your Data
We use your data for the following purposes:
- Service delivery: To create and manage your account, generate reports, and provide the Service
- Communication: To send verification codes, password reset emails, and essential service notifications
- Security: To protect against unauthorized access, abuse, and fraud through rate limiting and session management
- Service improvement: To understand usage patterns and improve the Service
Legal basis for processing: Performance of a contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR).
5. Third-Party Services
The Service uses the following third-party services that may process your data:
- Anthropic (Claude API): Your search parameters and paper abstracts are sent to Anthropic's API to generate review articles and figures. Anthropic's privacy policy applies to this processing.
- EuropePMC: Search queries are sent to the EuropePMC API to retrieve bioRxiv paper metadata. No personal data is included in these queries.
- Render.com: The Service is hosted on Render.com. Server logs may contain IP addresses and request metadata.
- Email provider: Your email address is shared with our email service provider for sending verification and password reset codes.
6. Data Retention
We retain your data as follows:
- Account data: Retained as long as your account is active
- Generated reports: Retained for your convenience as long as your account is active
- Session data: Expires after 24 hours
- Verification codes: Automatically expire after 15 minutes
7. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restriction: Request restriction of processing
- Right to data portability: Request your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at the email address provided on the platform. We will respond within 30 days.
8. Cookies and Session Data
The Service uses essential cookies only:
- Session cookie: Required for authentication and security. HttpOnly, SameSite=Lax, Secure in production. Expires after 24 hours.
- CSRF token: Required for form security. Prevents cross-site request forgery.
We do not use analytics cookies, tracking cookies, or advertising cookies.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Password hashing (bcrypt/scrypt)
- HTTPS encryption in transit
- CSRF protection on all forms
- Rate limiting on authentication endpoints
- Content Security Policy headers
- No-cache headers to prevent session data leakage
10. International Data Transfers
Your data may be processed outside the European Economic Area (EEA) by our third-party service providers (Anthropic, Render.com). Such transfers are subject to appropriate safeguards in accordance with GDPR requirements.
11. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact and Complaints
For privacy-related questions or to exercise your data rights, please contact Su Sarlar at the email address provided on the platform.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.