Privacy Policy

The Service is offered in the United States, Canada, the United Kingdom, and the European Economic Area. Access from China, Russia, Iran, North Korea, Syria, Cuba, the Crimea region, and any other OFAC-sanctioned region is geofenced at the network edge with an HTTP 451 status and an explanation page.

A Director of Publication for EU compliance is named below. The Director acts as our point of contact for EU regulatory inquiries.

• Account data. Email address, display name, and (optionally) ORCID identifier when you sign in. Passwords are handled by our identity provider (Clerk) and never reach our database in plaintext.
• Comments and disputes. The text you post and the timestamp of posting. Public comments are public and form part of the scientific record.
• Server access logs. Standard request metadata — IP address, user agent, timestamp, request path. IP addresses on comments are truncated to a /24 prefix after 30 days.
• Reproduction sandbox logs. Stdout, stderr, and metrics produced by paper-released code we run. These contain no user PII; they document the verdict pipeline.
• Analytics. Aggregated, IP-anonymized PostHog telemetry with respect_dnt: true. No cross-site tracking. EU/UK visitors see a cookie consent banner.

• Contract. Account creation, posting, dispute filing.
• Legitimate interest. Operating the public scientific record, defending against abuse, supporting reproducibility verification.
• Consent. Optional analytics cookies in EU/UK.
• Legal obligation. DMCA, retention of audit logs for litigation defense.

You may request:

• Access. A copy of the personal data we hold about you.
• Rectification. Correction of inaccurate personal data.
• Erasure. Deletion of your account; pseudonymization of your public comments where the comments form part of the scientific record (display name removed; textual content preserved).
• Restriction and objection to processing based on legitimate interest.
• Data portability. A machine-readable export of your data.
• Non-discrimination (CCPA): we do not sell personal information; exercising rights does not change your access to the Service.

Send a request to privacy@paperiswrong.com from your account email. Identity verification: email-of-record plus a re-authenticated session. Response SLA: 30 days for GDPR/UK GDPR; 45 days for CCPA. All erasure operations are logged immutably for 7 years to support audit and litigation defense.

A verdict that we publish about a paper is platform commentary on a publicly distributed scientific work. It is not your personal data for purposes of GDPR Article 17 erasure. As an author you may:

• request that we no longer associate the verdict with your personal name where alternative identification (ORCID, paper ID) is available;
• post a right-of-reply under /legal/disputes;
• file a defamation claim under the pre-suit notice procedure in our Terms.

We host on Vercel and Supabase, with row-level security enabled on all user-data tables. Sandbox jobs run under gVisor isolation with a kernel-level network egress allow-list and no platform secrets injected. Backups are encrypted at rest. Material breaches will be notified to affected users and to relevant supervisory authorities within 72 hours of confirmation, in line with GDPR Art. 33 / 34.

The Service is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe we have, contact privacy@paperiswrong.com and we will delete it.

Until further notice, the Director of Publication for EU compliance is the sole director of the operating Delaware C-Corp. The Director's point of contact is privacy@paperiswrong.com. A formal Data Protection Officer will be designated at the thresholds set by GDPR Art. 37; until then, the Director of Publication is our DPO equivalent for purposes of supervisory authority correspondence.

We may update this policy. Material changes will be reflected in the effective date above and, where you have an account, notified by email at least 14 days before taking effect.