Last Updated: October 31, 2025

Privacy Policy

TL;DR: We collect minimal data to provide our service. We never sell your data. You can export or delete your data anytime. We're GDPR compliant.

1. Information We Collect

Account Information

Email address: For account creation and communication
Password: Encrypted and stored securely (we can't see it)
Name: Optional, for personalization

Research Data

Search queries: The research questions you ask
Research summaries: AI-generated summaries you create
Saved sources: Papers you save to your library

Usage Data

IP address: For security and fraud prevention
Browser type: To optimize performance
Device information: For fraud detection (limited to 3 free accounts per device)
Usage statistics: Number of searches, features used (anonymized)

Payment Information

Billing details: Processed and stored by Stripe (PCI compliant)
We never see or store your full credit card number

2. How We Use Your Information

✅ Provide the service: Process your research requests
✅ Improve the product: Analyze usage patterns to make Cookiejar better
✅ Send updates: Product updates, trial reminders (you can unsubscribe)
✅ Prevent fraud: Detect abuse and multiple free accounts
✅ Comply with law: When legally required

We do NOT:

❌ Sell your data to third parties
❌ Use your research for training AI models without permission
❌ Share your data with advertisers
❌ Send spam emails

3. Your GDPR Rights (EU Users)

4. Data Storage & Security

Where We Store Data

Cloud Hosting: Vercel (US-based, GDPR-compliant)
Database: Vercel KV (Redis) with encryption at rest
Authentication: Firebase (Google, GDPR-compliant)
Payments: Stripe (PCI DSS Level 1 compliant)

Security Measures

✅ All data encrypted in transit (HTTPS/TLS)
✅ All data encrypted at rest
✅ API keys hashed with SHA-256
✅ Regular security audits
✅ Rate limiting to prevent abuse
✅ CSRF protection

5. Data Retention

Active accounts: Data stored indefinitely while account is active
Inactive accounts (>2 years): We may delete data after email notice
Deleted accounts: All data permanently deleted within 30 days
Backup copies: Deleted from backups within 90 days

6. Third-Party Services

We use the following third-party services that may process your data:

Firebase (Google): Authentication - Privacy Policy
Stripe: Payment processing - Privacy Policy
Vercel: Hosting and infrastructure - Privacy Policy
Anthropic (Claude AI): Research synthesis - Privacy Policy
Google Analytics: Usage analytics - Privacy Policy

7. Cookies & Tracking

We use the following cookies:

Essential Cookies (Required)

Authentication cookies: Keep you logged in
Security cookies: CSRF protection

Analytics Cookies (Optional)

Google Analytics: Track usage patterns
Vercel Analytics: Performance monitoring

You can disable analytics cookies in your browser settings or use our app without them.

8. Children's Privacy

Cookiejar is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, please contact us immediately.

9. International Users

EU Users: We comply with GDPR. Data may be transferred to the US but is protected by EU-US Privacy Framework.

California Users: We comply with CCPA. You have the right to know, delete, and opt-out of data sales (we don't sell data).

10. Changes to This Policy

We may update this policy occasionally. We'll notify you of major changes via:

Email to your registered address
Notification on the website
Updated "Last Modified" date at the top

11. Contact Us

For privacy questions, GDPR requests, or data concerns:

Contact Form: Submit a privacy request

Response Time: We respond to all privacy requests within 30 days

Questions about how we handle your data?
Contact us