Privacy Policy

Privacy Policy for BibSafe

1. Data Protection at a Glance

Who is responsible for data processing?
The responsible party (controller) for data processing on this website is Tjark Nielsen (Sole Proprietor). The controller is the individual who determines the purposes and means of processing personal data.

How do we collect your data?
Your data is collected when you provide it to us – for example, by creating an account, entering reference queries, sending a message via the contact form, or subscribing to our newsletter. Other data (mainly technical data such as IP address, browser type, device information, and time of access) are collected automatically by our IT systems when you visit the site. This automatic collection occurs only after any required consent (e.g. for cookies) is obtained.

What do we use your data for?
We use personal data to provide and secure our services (e.g. verifying academic references, protecting the site from bots, handling user accounts and inquiries) and to improve user experience. With your consent, we also use certain data for analytics of user behavior and for personalized advertising/marketing purposes. If you enter into a contract with us (e.g. by creating an account or using paid features), we process your data to perform that contract. We do not use your data for any purposes beyond what is described in this policy.

Third-Party tools and analytics: When visiting this website, your browsing behavior may be statistically evaluated via analytics and tracking tools (with your consent). We also integrate several third-party services to deliver our core functionality (such as retrieving reference information and enabling certain features). Details on third-party tools, services, and processors used – including Google Analytics, Google Ads, Google Tag Manager, Cloudflare Turnstile, Supabase, Northflank, Cookiebot, OpenAI, and others – are provided in this Privacy Policy. We ensure that all third-party providers process data under GDPR-compliant agreements, and where applicable, we implement appropriate safeguards for international data transfers (e.g. Standard Contractual Clauses or reliance on adequacy decisions like the EU-U.S. Data Privacy Framework).

What rights do you have?
You have the right to obtain information about your stored personal data, its origin, its recipients, and the purpose of processing, at no charge, at any time. You have the right to request correction of inaccurate data and, in many cases, the deletion of your data. If you have given consent to data processing, you can revoke that consent at any time with future effect. Under certain conditions, you also have the right to request restriction of processing or to object to the processing of your data (see Section 3 below for details on your rights under GDPR, including Art. 21 rights to object). Additionally, you have the right to lodge a complaint with a supervisory authority. You can contact us at any time regarding any data protection issues.

2. Hosting and Infrastructure

External Hosting (Northflank): Our website is hosted on external servers provided by Northflank Ltd (Company no. 11918540), 20-22 Wenlock Road, London N1 7GU, UK. The servers for our website are in the European Region. All personal data collected on our website (such as IP addresses, contact form submissions, meta and communication data, usage data, etc.) are stored on Northflank’s servers. Northflank acts under our instructions and will process your data only to the extent necessary to fulfill its hosting services and to maintain security. Hosting the website externally is done in order to fulfill our contract with users for an efficient and reliable website (Art. 6(1)(b) GDPR) and based on our legitimate interest in secure and efficient provision of our online offering (Art. 6(1)(f) GDPR).

Supabase (Backend Database and Authentication): We use Supabase (Supabase Inc.) as our backend database and authentication service. All user account data and application data are stored in a Supabase database hosted on EU servers (to ensure data residency within the EU). Supabase handles personal data such as your email address, hashed password, and any information you store in your BibSafe account on our behalf. We have entered into a Data Processing Agreement with Supabase, ensuring that your data is processed only according to our instructions and in compliance with GDPR. Using Supabase is necessary for performance of our services and thus is based on Art. 6(1)(b) GDPR (contract fulfillment) and our legitimate interest in a secure, reliable data storage solution (Art. 6(1)(f) GDPR). For more details, you can refer to Supabase’s own privacy policy. No data is transferred outside the EU by Supabase and Supabase is SOC2 certified and GDPR-compliant in its services.

3. General Notes and Mandatory Information

Data Protection Commitment: We take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with the applicable data protection laws (GDPR, and, where applicable, national laws like the German Telemedia Data Protection Act – TTDSG) and this Privacy Policy. We have implemented technical and organizational security measures to protect your data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. However, please note that data transmission over the internet (e.g. via email) can still have security vulnerabilities, so absolute protection cannot be guaranteed.

Legal Bases for Processing: We process personal data only when allowed by law. The specific legal bases under the GDPR for our processing activities are as follows:

• Consent (Art. 6(1)(a) GDPR): We rely on your consent for certain processing activities, for example, when setting non-essential cookies (analytics/marketing cookies) or sending our newsletter. When consent is our legal basis, you have the right to withdraw your consent at any time, which will stop the future processing of your data for that purpose. If we ever process special categories of data (which is not typical in our service), we would obtain explicit consent under Art. 9(2)(a) GDPR. If you explicitly consent to a potential transfer of personal data to a third country (outside the EU/EEA) despite the absence of an adequacy decision or other safeguards, such transfer would be based on Art. 49(1)(a) GDPR (explicit informed consent to transfer).
• Contract (Art. 6(1)(b) GDPR): Where data processing is necessary for the performance of a contract with you (e.g. our Terms of Service) or in order to take pre-contractual steps at your request, we rely on this legal basis. This covers most data you provide when registering an account, using our service to verify references, receiving customer support, or making a purchase.
• Legal Obligation (Art. 6(1)(c) GDPR): If we are subject to a legal obligation that requires processing of your data – for example, retaining transaction records for tax law or providing information to authorities – we will process personal data on this basis.
• Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data based on our legitimate interests, balanced against your interests and fundamental rights. Our legitimate interests include ensuring the security of our website (e.g. using anti-bot protection), preventing fraud and misuse, analyzing and improving our services, hosting our website reliably, and conducting direct marketing to our users (including via advertising networks, where permitted). Where we rely on legitimate interests, we have carefully considered and, where required, documented that our interests are not overridden by your privacy rights. Important: You have the right to object to processing based on legitimate interests at any time on grounds relating to your particular situation (see “Right to Object” below and Art. 21 GDPR).

We will indicate within this Privacy Policy the specific legal basis applicable to each processing activity or service.

Recipients of Personal Data: In the course of our business, we may share personal data with external recipients (third parties, processors, etc.). We only share data when permitted by law and only as needed for the purposes described. Typical recipients include IT service providers (e.g. hosting, email, analytics tools), companies involved in fulfilling your requests (e.g. payment processors if applicable, or external data providers for reference information), or advisors and authorities if legally required. Whenever we engage data processors (external service providers processing data on our behalf), we do so under a valid Data Processing Agreement (DPA) as required by Art. 28 GDPR, ensuring they only process data per our instructions and with adequate security measures. For certain processing involving other controllers (e.g. when using Google or Meta for advertising, which might be a controller-to-controller context), we ensure an appropriate legal arrangement (such as joint-controllership agreements or independent controller assurances) is in place if required by law. Details of key processors and partners are provided in this policy.

International Data Transfers: Some of our external service providers or partners are located outside the European Union/European Economic Area. Whenever we transfer personal data to countries outside the EU/EEA that do not have an EU Commission adequacy decision (for example, the United States for some services), we will ensure appropriate safeguards as required by GDPR Chapter V are in place. These typically include Standard Contractual Clauses (SCCs) signed with the recipient, and additional technical measures as needed. In some cases, providers may also rely on certifications like the EU-U.S. Data Privacy Framework (DPF) to legitimize transfers. We will inform you if a specific transfer relies on your explicit consent under Art. 49(1)(a) GDPR (though our aim is to avoid that by using SCCs/DPF where possible). You can contact us for more information on international data transfer safeguards (e.g. to obtain a copy of the standard clauses).

Your Rights under GDPR:

• Right to withdraw consent (Art. 7(3) GDPR): If you have given us consent for certain processing, you can revoke it at any time with effect for the future. Just contact us or use provided opt-out mechanisms (such as the “unsubscribe” link in emails or toggling off cookies via Cookiebot). Withdrawal of consent does not affect the lawfulness of processing done before the withdrawal.
• Right to object (Art. 21 GDPR): (1) If processing is based on Art. 6(1)(e) (task in public interest) or Art. 6(1)(f) (legitimate interest), you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. If you object and we cannot demonstrate compelling legitimate grounds that override your interests, we will stop that processing. (2) Where your personal data are processed for direct marketing purposes (including any related profiling), you have the right to object at any time, and if you do, we will cease processing your data for direct marketing. This is an absolute right. (How to object: You can contact us by email to object to specific processing. For cookie-based tracking, you can also adjust preferences via the Cookiebot tool to disable analytics/marketing cookies, which is effectively an objection.)
• Right to lodge a complaint (Art. 77 GDPR): If you believe we are violating data protection laws, you have the right to file a complaint with a supervisory authority, especially in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. This can be done without prejudice to other administrative or judicial remedies. For example, in Germany you may contact the Datenschutzbehörde of your state.
• Right to access (Art. 15 GDPR): You have the right to request confirmation whether we process personal data about you. If so, you can request a copy of the data and additional information on how we process it.
• Right to rectification (Art. 16 GDPR): You can demand correction of inaccurate personal data concerning you, and have incomplete data completed.
• Right to erasure (“right to be forgotten”, Art. 17 GDPR): You can request deletion of your personal data in certain circumstances – for example, if it’s no longer necessary for the purposes collected, or if you withdraw consent and no other legal ground applies, or if you object to processing and we have no overriding grounds, or if processing was unlawful, etc. We will honor valid deletion requests provided we are not legally required or permitted to retain the data (e.g. certain records under tax law).
• Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict processing of your data (so we only store it and not use it) in certain cases: e.g. if you contest the data’s accuracy (for a period enabling verification), or if processing is unlawful and you oppose deletion, or if we no longer need the data but you need it for legal claims, or if you have objected (pending verification of overriding grounds).
• Right to data portability (Art. 20 GDPR): For data you provided to us and which we process by automated means based on your consent or a contract, you have the right to receive it in a structured, commonly used, machine-readable format, and to have us transmit it to another controller where technically feasible.

To exercise any of your rights, please contact us at the contact details provided (email is fine). We may need to verify your identity before fulfilling certain requests. We will respond within the statutory time limits (generally one month, extendable by two further months if necessary with notice). There is no cost for you to exercise these rights, except in cases of excessive or unfounded requests where we might charge a reasonable fee or refuse the request (as permitted by Art. 12 GDPR).

Right to Information about Automated Decision-Making: We do not use any personal data for automated decision-making, including profiling, that produces legal effects or similarly significant effects on you (Art. 22 GDPR). While we use algorithms (including AI) to provide certain services (like reference checking or AI-generated suggestions), these do not make decisions about you as an individual – they operate on content you submit (such as analyzing a citation) and provide outputs to assist you.

Data Security: This website uses SSL/TLS encryption to secure data transmitted between your browser and our servers (you can see the padlock icon in your browser address bar and the “https://” in the URL). We also enforce encryption in transit for communications with our third-party providers. Internally, access to personal data is restricted to those who need it to perform their duties and is protected by authentication and confidentiality obligations. We regularly review our security measures and align with industry best practices to guard your data.

Storage Period: We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws. Unless otherwise specified in this policy, your personal data will be deleted or anonymized once it is no longer needed for the purpose it was processed for. For example, account data is stored as long as your account is active; if you delete your account or request erasure, we will delete the data provided no other legal retention requirements apply. We adhere to statutory retention periods (for instance, commercial and financial records may be kept for 6-10 years under German law) where applicable, but during such retention we will restrict processing of that data for compliance only. Logs and analytics data are generally anonymized or deleted when no longer needed. Specific retention details may be provided in context below. If you have any questions about our data retention, feel free to contact us.

4. Data Collection on This Website

Cookies and Consent Management

Our website uses cookies and similar technologies to ensure core functionality and to improve your user experience. Cookies are small text files that your browser stores on your device. They serve various purposes:

• Necessary cookies: These are required for the technical operation of the site. Without them, the website would not function properly (for example, session cookies for log-in or to remember your cookie preferences). Such cookies are stored based on our legitimate interest in providing a functional site (Art. 6(1)(f) GDPR), or if they facilitate a service you explicitly requested (they may not require consent under ePrivacy laws).
• Preference cookies: These remember your choices (e.g. language settings) to provide a personalized experience. We typically use these only with your consent, unless strictly necessary.
• Analytics cookies: These cookies (from tools like Google Analytics) collect information about how visitors use our site (pages visited, time on site, etc.) to help us understand and improve user experience. They are not essential and will only be set with your consent.
• Advertising/Marketing cookies: These are used to track browsing habits and show you relevant advertisements, possibly on other platforms. We use such cookies (e.g. for Google Ads remarketing) only if you give consent via our cookie consent tool.

When you first visit our site, you will see a cookie consent banner provided by our Consent Management Platform Cookiebot (by Usercentrics). This tool allows you to choose which categories of cookies you consent to. Cookiebot itself will set a cookie to remember your preferences. Cookiebot CMP by Usercentrics: We use Cookiebot to manage user consents for cookies. The provider is Usercentrics A/S (Havnegade 39, 1058 Copenhagen, Denmark). Cookiebot records your consent choices and tracks the state of your consent. It processes meta/communication data like your IP address, browser information, and consent timestamp to comply with our legal obligation to obtain and document consent. The legal basis for this processing is Art. 6(1)(c) GDPR (compliance with EU data protection laws requiring consent management). You can access the Cookiebot privacy policy at the link provided in the cookie banner or on Cookiebot’s website.

Managing Cookies: You can adjust your cookie preferences at any time by clicking the cookie consent widget (toggle) in the bottom-left corner of the website. This will re-open the Cookiebot preferences, allowing you to enable or disable categories of cookies. Additionally, most web browsers allow you to control cookies through their settings (e.g. to refuse all third-party cookies, or to delete cookies when closing the browser). Note that if you disable cookies entirely, some features of our site may not function properly.

Consent for Cookies: If you consent to certain cookies, the processing of data through those cookies is based on Art. 6(1)(a) GDPR and §25(1) TTDSG (the German Telemedia privacy law) as applicable. You can withdraw consent at any time by adjusting your preferences; the withdrawal will prevent further data collection by those cookies after you opt out. Any cookies or similar tracking technology that are essential for the service or security (as explained above) are used based on Art. 6(1)(f) GDPR – our legitimate interest in a functional, secure, and optimised service. We do not use non-essential cookies unless you have opted in.

For detailed information on exactly which cookies are used and their purposes, you can refer to our cookie declaration (accessible via the Cookiebot interface) or contact us.

Server Log Files

The server (and our hosting provider) automatically collects and stores certain information in server log files that your browser transmits to us by default. This includes:

• IP address of the accessing device
• Date and time of the request
• Pages/URLs accessed (request details)
• Referrer URL (the page from which you came, if any)
• Browser type and version
• Operating system used
• Hostname of the accessing computer (device name or network name)

These log files are not combined with other data, and we do not attempt to identify individuals through these logs. We collect log data primarily for troubleshooting, security (e.g. defense against attacks, fraud monitoring), and usage analytics.

Legal basis: The collection of server log data is based on our legitimate interest in the technically error-free operation and security of the website (Art. 6(1)(f) GDPR). Without collecting server logs, we could not ensure the performance and integrity of our service. Log data is typically retained for a short period (generally 30 days or less, unless investigating an incident) and then automatically deleted or anonymized. In case of security incidents, relevant log data may be kept until the incident is resolved and any legal obligations are fulfilled.

Contact Form and Customer Inquiries

If you contact us via the contact form on our website (or by email, telephone, or other means), we will collect and process the personal data you provide in order to handle your inquiry. This typically includes your name, email address, and the content of your message (and any other information you voluntarily provide, such as a phone number or attachments). We use this data solely to respond to your question or request and to carry out the requested actions. We will not share the contents of your inquiry or your contact details with third parties outside our organization, except if necessary to fulfill your request (for example, if your inquiry requires input from a specific partner or processor) or if you explicitly consent.

Legal bases: If your inquiry is related to a contract or pre-contractual obligation (e.g. questions about our service prior to signing up, or support for a service you’re using), we process your data under Art. 6(1)(b) GDPR (performance of a contract or steps prior to contract). In other cases, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in efficiently responding to communications addressed to us. If you choose to provide sensitive information or if we ever ask for consent explicitly in the contact process, we would process that data based on your consent (Art. 6(1)(a) GDPR), but this is typically not the case for basic inquiries. You are not obligated to provide any personal data via the contact form, but if you do not provide at least a way to reach you (e.g. email), we will not be able to respond.

Data retention for inquiries: We will retain the data from contact form submissions or other inquiries only as long as necessary to respond and handle your request. Once your inquiry is resolved, your data will be deleted or archived (unless it leads to further interaction such as a contract, or we are required to keep it for legal reasons). For example, business correspondence may be kept for applicable retention periods (usually up to 6 years under German commercial law). In all cases, we restrict the use of your inquiry data to the original purposes. If you request deletion of your inquiry data and we have no legal need to keep it, we will delete it earlier.

(Note: Our site is protected by anti-spam and security measures, including Cloudflare Turnstile as described below, which also applies to contact form submissions to prevent spam.)

Cloudflare Turnstile (Bot Protection)

To protect our website and especially our forms (such as sign-up and contact forms) from spam, bots, and abuse, we use Cloudflare Turnstile – a privacy-friendly CAPTCHA alternative by Cloudflare, Inc. Cloudflare Turnstile analyzes certain visitor behaviors and device attributes to determine whether an action is being performed by a human and not an automated bot. This may involve processing of your IP address, mouse movements or touches, timing of actions, browser and device information, and similar data that help distinguish bots from legitimate users. The process is usually seamless and won’t require solving puzzles – Turnstile runs in the background when you perform certain actions (like logging in or submitting a form).

By using our site, you acknowledge that “This site is protected by Cloudflare Turnstile, and the Cloudflare Privacy Policy and Terms of Use apply.” In other words, when Turnstile is triggered, the data mentioned above is transmitted to Cloudflare. Cloudflare may store some of this technical data for a short period to improve its service and for audit purposes. Cloudflare, Inc. is based in the USA (101 Townsend St., San Francisco, CA). We have a Data Processing Addendum with Cloudflare and rely on the European Cloudflare entity (Cloudflare SAS, in the EU) as appropriate. However, some data will be checked against Cloudflare’s global network (which may involve U.S. infrastructure), so we ensure that Standard Contractual Clauses are in place for any EU-U.S. data transfer, and Cloudflare is certified under the EU-U.S. Data Privacy Framework as well.

Legal basis: The use of Cloudflare Turnstile is based on our legitimate interest (Art. 6(1)(f) GDPR) in protecting our website from malicious attacks, spam submissions, and other fraudulent or automated abuse. This protection is essential for the security and availability of our service and benefits all users (by keeping the platform safe). We assessed that using Turnstile (which is designed to be privacy-preserving compared to traditional CAPTCHAs) has minimal impact on user privacy while effectively serving this security interest.

For more information on Cloudflare’s privacy practices, you can refer to Cloudflare’s Privacy Policy (see the link in the Turnstile widget or at cloudflare.com). Cloudflare’s Turnstile Privacy Addendum further details the data it processes for this service. If you have any concerns about this processing, you have the right to object (as detailed in Section 3 above), but please note that without an anti-bot solution, we may not be able to securely offer certain functionalities.

Analytics and Tracking Tools

With your consent, we use the following analytics and tracking tools to better understand how our website is used and to improve our services. These tools may also be used for advertising/marketing purposes as described. No analytics or tracking cookies are deployed unless you have opted-in via the Cookiebot consent banner. You can opt out or adjust your preferences any time (see “Cookies” above).

Google Tag Manager: We utilize Google Tag Manager (GTM) to manage and deploy various website tags (scripts/snippets) from a single interface. GTM is a tool provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect personally identifiable information or set cookies for analytics; it simply triggers other tags that we have configured. It is essentially a container that helps load other services (such as Google Analytics or advertising tags) more efficiently. However, when GTM is loaded, your IP address may be transmitted to Google to retrieve the container script (this is technically necessary). GTM may also record basic tag firing data (e.g. how often tags are triggered). We have configured GTM such that it respects your cookie consent choices – i.e. analytics/marketing tags managed via GTM will only fire if you have given consent for their respective categories. Legal Basis: The use of Google Tag Manager is based on consent (Art. 6(1)(a) GDPR) insofar as it triggers any non-essential tags, since it’s part of our analytics/marketing stack. In cases where GTM is used purely to facilitate essential functionality, we base it on legitimate interest (Art. 6(1)(f)). We have a Data Processing Agreement with Google covering Tag Manager (Google acts as our processor for this service). Any data transfers to Google’s servers follow Google’s EU-approved data transfer mechanisms (including SCCs and adherence to the EU-U.S. Data Privacy Framework). For clarity: Google Tag Manager itself does not create user profiles or perform analysis – it’s covered here for transparency because it loads other tools.

Google Analytics: Our site uses Google Analytics (GA) provided by Google Ireland Ltd. to collect data about how visitors use our website. We use this information to analyze site traffic and usage patterns (e.g. which pages are popular, how users navigate the site, what content is effective) and thereby improve our services. The following applies to Google Analytics on our site:

• Data Collected: Google Analytics uses cookies and similar identifiers to recognize your browser or device. It collects information such as pages you view, the time and duration of your visit, interactions with our site, approximate location (country/region, based on IP), device and browser information, and referrer URL. Importantly, we have configured Google Analytics not to store full IP addresses – IP anonymization is enabled, meaning Google truncates your IP address within the EU/EEA before processing (so it is not stored in full). Google Analytics does not collect your name, email, or other direct identifiers (unless you explicitly provide them somewhere on our site, which we do not send to GA).
• Pseudonymous Identifiers: Google Analytics may assign a random unique user ID to aggregate your actions under a pseudonymous profile. However, this ID cannot directly identify you by name. We do not merge Google Analytics data with any personally identifiable information on our end.
• Purpose of Processing: The information provided by Google Analytics helps us understand user behavior in an aggregated way – for example, which search terms led to our site, which features are most used, and where users drop off. This insight is used to optimize our content and design. We also use certain GA features that assist with marketing: for instance, Google Analytics Audiences/Remarketing data may be used to create remarketing lists (groups of users who performed certain actions) so we can show relevant ads to them via Google Ads. Additionally, if you consent, we enable Google Signals, which allows GA to gather information on users who are signed into Google and have consented to ads personalization – this provides aggregated insights like cross-device usage, demographics and interest data. These enhanced features help us tailor our offerings and advertising better, but they are completely dependent on user consent (if you decline marketing cookies, these features remain off).
• Legal Basis: We only run Google Analytics with your consent (Art. 6(1)(a) GDPR). Through the Cookiebot CMP, you can choose to allow or disable it. If you do not consent, Google Analytics will not load, no analytics cookies will be set, and no data will be transmitted to Google. You can also revoke consent later by toggling off the “Analytics” category in Cookiebot (or using Google’s own opt-out mechanisms).
• Data Sharing and Retention: The Google Analytics data may be processed on Google servers in the United States or other countries. We have activated the standard data protection addendum with Google, and Google Analytics data transfers are safeguarded by Standard Contractual Clauses and Google’s compliance with the Data Privacy Framework. Within Google Analytics, we have set data retention controls such that user-level and event data are retained for no longer than 14 months (after which they are deleted or anonymized). We do not enable “Google Analytics data sharing” with other Google products for advertising unless you have consented to marketing cookies, and even then, that primarily occurs through linked Google Ads accounts under our control.
• Impact on Individuals: We do not use GA to track or profile individual users by name – all reports we see are aggregate. We do not use GA to make decisions about individuals. However, Google may use the data for improving their services, benchmarking, etc., as per their privacy policy. You can read more in Google’s Privacy Policy and specifically the section on Google Analytics.
• Opt-Out: Aside from withdrawing consent via our site, you can opt-out of Google Analytics tracking across all websites by installing the official Google Analytics Opt-out Browser Add-on.

For more details on Google’s data practices in Analytics, see Google’s help pages and privacy documentation.

Google Ads (Advertising and Remarketing): We participate in Google’s advertising network to promote BibSafe and to reach users who may be interested in our services. Through Google Ads (formerly AdWords), we engage in conversion tracking and remarketing/retargeting:

• Conversion Tracking: When you arrive at our site via a Google advertisement (e.g. a sponsored search result or display ad) and take certain actions (such as signing up or performing a key action on the site), Google Ads uses cookies or similar technologies to record that conversion. This allows us to measure the effectiveness of our ads – for example, to know which ad campaigns led to sign-ups. The information we receive from Google’s conversion tracking is statistical and anonymous; we cannot identify which specific user clicked an ad and then signed up. We only see aggregated data like “X people clicked this ad and Y% of them converted.” Google may temporarily process identifiers to link the ad click to your action, but does not give us personal info.
• Remarketing: Our website uses Google Ads Remarketing tags, which place a Google advertising cookie if you consent to marketing cookies. This cookie ID allows Google to add you to a pseudonymous remarketing list of users who visited our site. We can then create targeted ads that you may see later on Google search results, YouTube, or other sites in the Google Display Network, specifically aimed at visitors who showed interest in our site. For example, if you visited our “Pricing” page, we might later show you a BibSafe ad with a promotion. Remarketing is done via pseudonymous data; Google does not reveal your identity to us. It simply enables linking your browser to a certain interest category based on your visit to our site.
• Ads Personalization: The remarketing lists might also be combined with Google’s broader data if you have a Google account and have consented to Ads Personalization with Google. For instance, Google might use your site visits along with other information (like YouTube views) to tailor ads. This is governed by Google’s privacy settings on your account. From our side, we just define audience criteria (e.g. “show this ad to previous visitors from Europe interested in academic research”).
• Enhanced Conversions: In some cases, we may use Google’s “enhanced conversions” feature for more accurate conversion tracking. If you convert (for example, sign up) after clicking one of our Google ads, and you provided information like your email during signup, our site might (with your consent) send a hashed version of that email to Google. Google can then match that hash against its user database to see if you are a Google account user who clicked an ad. This helps attribute conversions across devices or browsers. Importantly, the data is hashed and not used by Google for any purpose other than matching conversions. We do not send raw personal data, and Google only reports back aggregated conversion data to us. Use of enhanced conversions is also consent-based (Art. 6(1)(a) GDPR) – we would only implement it if you’ve agreed to marketing tracking.
• Legal Basis: All Google Ads features involving personal data (remarketing cookies, conversion cookies, enhanced conversions) are used only with your consent (Art. 6(1)(a) GDPR). During your first visit, if you decline marketing cookies, none of these will be active. You can later consent via the cookie settings if you want. In certain limited cases, we might rely on legitimate interest (Art. 6(1)(f)) for basic ad fraud prevention and aggregated analytics tied to ads, but any tracking that identifies your browser over time for ad purposes is consent-based. We also abide by the ePrivacy Directive as implemented in EU member states, which means marketing cookies are off unless opted-in.
• Data Sharing and International Transfer: Google Ireland Ltd. is our service provider, and for EU users, Google uses EU-based servers where possible. However, data may be transferred to Google LLC in the USA for processing. We have accepted Google’s Ads Data Processing Terms, which incorporate the EU Standard Contractual Clauses to ensure adequate protection. Google LLC is certified under the EU-U.S. Data Privacy Framework as well. Any data transferred is protected under these frameworks and clauses.
• Data Retention: Remarketing lists created in Google Ads expire after a set period (typically 30 to 540 days, depending on our configuration). Conversion cookies also have a limited lifespan (usually 30 days). We do not receive personal data from Google Ads – only aggregated reports – and thus we do not store personal data about ad clicks beyond those anonymous reports.
• Your Choices: You can avoid participation in Google Ads tracking by not giving consent to marketing cookies on our site. If you initially consented but change your mind, update your cookie settings to disable marketing cookies; this will remove/disable Google Ads cookies for your browser.

For more information, see Google’s Privacy Policy and specifically Google Ads’ policies on user data. We want to emphasize that we do not receive any personal data like names, only ad performance metrics. Google acts as an independent data controller for the user-level data in remarketing and targeted advertising, but we ensure such processing only happens per your consent. We also respect any “Do Not Track” signals or global privacy controls to the extent Google’s system supports them.

External Services and APIs for Reference Data

BibSafe’s core functionality – verifying academic references and providing bibliographic data – relies on integrating several external data sources and services. When you use our tool to check or fetch details for a reference (like a DOI, arXiv ID, ISBN, etc.), our backend will query third-party databases and APIs to retrieve the relevant information, e.g. Crossref API. We ensure that only the minimal data necessary for the query is sent, but please be aware that in making these requests, any information pasted as input for the reference verification process may be processed by these external providers.

Legal Basis: Using these APIs is necessary to perform the service you requested (reference verification), so it is based on Art. 6(1)(b) GDPR (contract-like performance of service). It’s also in our legitimate interest to provide accurate reference data (Art. 6(1)(f) GDPR). The third party’s use of the query data is subject to their terms; as an open infrastructure, they may keep request logs for a short time for abuse monitoring. There is no regular data “storage” of your personal data by any of these APIs. Nonetheless, they may route data to servers in the US.

Important: For all these APIs, we do not store any personal data. The bibliographic data we get (titles, authors, etc.) is about published works, not about our users. It’s possible that author names (which are personal data of those authors) are processed, but that information is publicly available bibliographic info which we handle under our legitimate interest in facilitating academic reference checking. If we ever cache some reference data for performance, it is purely data about publications, not about you as a user. Additionally, our use of these APIs is read-only – we fetch data; we do not send your user data to these services except the content you paste for verification.

By using BibSafe and requesting reference verifications, you agree that we will query these external sources on your behalf. If you prefer that we do not send any data to a particular external source, you should refrain from using features that rely on that source. (For example, if for some reason you did not want us to contact Crossref, you would not be able to use our reference verification tool.)

If you have questions about a particular integration or believe a certain reference query might involve personal data, please contact us and we will clarify or accommodate your concerns.

OpenAI API (Artificial Intelligence Processing)

What we use OpenAI for: BibSafe integrates advanced AI capabilities through OpenAI’s API. Specifically, we may use OpenAI’s GPT models to assist with tasks like summarizing sources, interpreting citations, checking consistency, or providing intelligent suggestions related to reference verification. For example, if our service offers an “AI analysis” of a bibliography or a natural language answer about a reference, your input query and relevant context might be sent securely to OpenAI’s API, and the AI’s response returned to you via our platform.

OpenAI’s services are provided by OpenAI, L.L.C. (USA) and its EU subsidiary OpenAI Ireland Ltd. We have a contractual relationship with OpenAI to use their API in compliance with data protection requirements. Importantly, OpenAI has made commitments to comply with GDPR and data privacy rules for API customers. OpenAI is GDPR-compliant and offers a Data Processing Addendum (DPA) to its clients. They have also implemented security measures (including SOC 2 compliance) and privacy practices which you can review on their Trust Portal (https://openai.com/trust).

Data sent to OpenAI: When you interact with the reference verification tool or any other AI-driven feature on BibSafe, we send the necessary data to OpenAI’s API servers. This typically includes the text of your input. We minimize the data shared to the textual query and any context required for the AI to produce a useful answer. We do not send personally identifying information about users to OpenAI. However, if you include personal data in a prompt or your input (for example, asking a question that includes a person’s name or other personal info), that would be transmitted to OpenAI. We advise against including unnecessary personal data in any content you ask the AI to process. Necessary personal data like author names (which are personal data of those authors) are processed, but that information is publicly available bibliographic info which we handle under our legitimate interest in facilitating academic reference checking.

OpenAI’s processing of data: According to OpenAI’s policies, content you provide via the API is used only to provide you the service and to monitor for abuse/misuse. OpenAI will not use data submitted via the API to train or improve their models, unless you explicitly opt-in to share data for that purpose. We have not opted in to such data sharing. This means any prompts or data we send are not fed into OpenAI’s future model training. They are temporarily stored by OpenAI for processing and may be retained for a short period for abuse detection, after which it is deleted. During that retention, OpenAI maintains it securely and only uses it if needed to investigate a possible misuse of the service (e.g., content violating their terms).

We ensure that our integration with OpenAI uses the latest settings that prioritize privacy. Furthermore, OpenAI’s API is accessed over encrypted channels (HTTPS) to protect data in transit.

Legal Basis: The use of OpenAI’s API is based on our legitimate interest (Art. 6(1)(f) GDPR) in enhancing our service with AI capabilities. We believe this provides a significant benefit to users (making reference checks smarter and more efficient). We have assessed that using the OpenAI API in this controlled manner does not override your data protection rights – especially given that the data you input is typically not highly sensitive personal data but academic content, and OpenAI does not further use it beyond providing the service. In some cases, the processing is necessary for performing the service you request (Art. 6(1)(b) GDPR) – for example for AI-driven web search of a hard-to find reference. If you have any objections to this processing, you have the right to object (per Art. 21; see Section 3). Note that objecting might mean you cannot use the AI features.

Data transfers to OpenAI (USA): Whenever we send data to OpenAI, it may be processed on servers in the United States. We have taken steps to ensure this is lawful under GDPR. OpenAI has executed Standard Contractual Clauses and provides a Data Processing Addendum which extend GDPR obligations to their handling of API data. OpenAI, L.L.C. is also certified under the EU-U.S. Data Privacy Framework (see their certification on the Data Privacy Framework list) which attests to their compliance with EU data protection principles. These measures provide appropriate safeguards for the transfer. Additionally, because the content is not used outside of providing our requested service, the risk is reduced. By using the AI features, you acknowledge that your query may be processed by OpenAI’s servers in the US under these safeguards.

OpenAI’s Trust and Security: You can read more about OpenAI’s privacy and security commitments at their Trust Portal. In summary, OpenAI states that they support compliance with privacy laws including GDPR, and have been audited for security (SOC 2 Type II). We will update our integration if OpenAI’s policies change, to ensure your data remains protected (for example, if they allow specifying shorter retention, etc., we will implement that).

We do not allow public use of our integration that would violate OpenAI’s policies (e.g. generating disallowed content), and we do not knowingly send special category personal data to the API.

5. Newsletter and Communications

Newsletter Subscription and Emails

If you subscribe to our newsletter, we will collect your email address and potentially your name (if provided) to send you periodic emails with product updates, academic integrity tips, or marketing information about BibSafe. We use a double opt-in process for newsletter subscriptions to ensure consent: this means after you sign up on our website or via a checkbox, we will send you a confirmation email. You must click the confirmation link in that email to activate your subscription. This double opt-in procedure verifies that you own the email address and that you intended to subscribe. We log the time and date of subscriptions and confirmations, and the IP address used, as proof of consent (as required by law).

Mailtrap (Email Service Provider): We use a third-party service called Mailtrap (provided by Railsware Products Studio LLC) to send out our transactional emails (like verification emails, password resets) and newsletter campaigns. Mailtrap serves as our email delivery platform and infrastructure. When you subscribe to the newsletter or we need to send you any email, your email address and the content of the email is transmitted to Mailtrap’s systems, which then handle the sending to your mailbox. Mailtrap is GDPR-compliant and has appropriate security measures in place. Railsware (Mailtrap) is a U.S.-based company but is certified under the EU-U.S. Data Privacy Framework and also offers Standard Contractual Clauses for EU data transfers. Mailtrap does not use your email for any purpose other than to send our communications and to improve delivery (e.g. tracking deliverability, preventing spam). It is an ISO 27001 certified service and stores data in secure cloud servers. By subscribing, you acknowledge that your email information will be stored in Mailtrap’s system.

Content and Frequency: Our newsletters, if any, will contain information we believe is useful to our community (e.g. new features, relevant blog posts, or promotions). We do not spam – typically newsletters might be at most weekly or monthly. Every email we send via the newsletter will include an unsubscribe link at the bottom. You can click that link to immediately opt-out of future newsletters.

Legal Basis: Sending the newsletter is based on your consent (Art. 6(1)(a) GDPR). By signing up and confirming, you agreed to receive it. You can withdraw that consent at any time. Additionally, if you are an existing customer, we might send occasional product updates under the soft opt-in rule (Art. 6(1)(f) GDPR in conjunction with §7(3) UWG under German law) if relevant, but we will always provide an opt-out in such cases as well. For clarity, marketing emails require consent unless they meet narrow criteria for existing customers, and we adhere to that.

We also may send transactional or relationship emails (not marketing) such as account notifications, password reset emails, important service announcements. Those are sent because they are necessary for the use of the service (legal basis Art. 6(1)(b) GDPR – contract performance, or Art. 6(1)(f) – our legitimate interest to keep you informed of critical info). You generally cannot opt out of receiving essential service emails, but we minimize those communications.

Tracking: Our newsletter emails might contain small tracking pixels or unique links that tell us if you opened the email or clicked on a link. This is common to gauge engagement and refine our content. We may use this to see which topics are of interest. However, if you do not want to be tracked in this way, you can configure your email client to not load images (as the pixel is an image) or simply unsubscribe. The tracking is tied to your email address, so as long as you remain subscribed and load images, we will see if you opened that particular mail. We treat this data confidentially and primarily in aggregate.

Opting Out: You have the right to revoke your consent to use your email for newsletter at any time. The easiest way is to click the “unsubscribe” link in any newsletter email. Once you opt out, we will stop sending newsletters to you. We may retain your email on a “suppression list” (or “blacklist”) to ensure we respect your opt-out and do not accidentally send you emails in the future. This suppression list data is used only to block mail and not for any other purpose, and it is kept indefinitely (as the point is to remember not to send you anything) unless you request otherwise.

Email Communication and Support

If you are a registered user, we may send you direct emails related to your use of BibSafe. For example, if you use our service in a certain way, we might send tips or if you have an ongoing support ticket with us, we’ll communicate via email. All such communications are considered part of our service to you. We use the same Mailtrap service to send these emails, or sometimes we might directly email from our company account.

Legal Basis: These communications are typically Art. 6(1)(b) GDPR (if about your account/service) or Art. 6(1)(f) GDPR (if general user notices, where our legitimate interest is to inform you of relevant information regarding the service). If any email would constitute marketing beyond what you signed up for, we will only send it with consent.

Response to inquiries: If you email us or contact support, we will of course use your contact info to respond (see Contact Form section above). We might also later follow up to ensure your issue was resolved.

We do not sell or share our users’ email addresses with third-party marketers. We hate spam as much as you do.

6. Data Subject Rights and Additional Information

(Note: We have covered most of the rights in Section 3. This section reiterates some key points to ensure completeness.)

• Access & Portability: You may request a copy of the personal data we hold about you at any time. We will provide this in a structured, commonly used format. If technically feasible, you can also request that we transmit it directly to another service provider (this usually applies to data like your account information).
• Correction: If any personal data we have is incorrect or outdated, please let us know and we will correct it promptly.
• Deletion: You can delete many pieces of information via your account settings (if applicable). You may also request us to delete your account entirely. We will then erase all personal data that isn’t required to retain. Note certain data cannot be completely deleted if it’s necessary for ongoing service (for example, if you still want to use the service, we must keep your login email; deletion in that case is equivalent to account cancellation).
• Restriction: In situations outlined in Art. 18 GDPR (see Section 3 above), you can ask us to restrict processing. For example, if you contest the accuracy of your data, we will mark it restricted until resolved.
• Objection: As described, you can object to any processing based on legitimate interests or public interest. If you do so, we will stop unless we have compelling grounds or a legal need. Specifically, you can object to any direct marketing at any time and we will cease immediately.
• Supervisory Authority: You have the right to lodge a complaint with a data protection regulator. In Germany, that could be the Baden-Württemberg Commissioner for Data Protection (for our location in Mannheim), or you may contact your local authority. We would, however, appreciate the chance to address your concerns directly first.
• No discrimination: Exercising your data rights will not affect the service we provide to you (except in ways that those rights logically impact, e.g. if you ask us to delete all your data, we cannot provide your account service).

To exercise rights or for any privacy-related inquiry, please contact: Tjark Nielsen – hello@bibsafe.com. We may ask you to verify identity (especially for sensitive requests like access or deletion of account data) to ensure we don’t disclose or remove data to the wrong person.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or processing practices. The latest version will always be available on this webpage and the “Last Updated” date will be modified accordingly. If we make material changes (for example, if we start processing data for new purposes that would require consent, or change any third-party involvement significantly), we will notify users either by an email notice or a prominent announcement on the site. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

Last Updated: February 16, 2026

8. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Tjark Nielsen (Sole Proprietor)
Address: Windeckstr. 46, 68163 Mannheim
Email: hello@bibsafe.com

We will be happy to assist you and aim to respond to all inquiries promptly.

This Privacy Policy aims to provide comprehensive information in compliance with the GDPR and other relevant laws. It covers all required disclosures about our data processing activities and your rights. If anything is unclear or if you need further information, do not hesitate to reach out.

Thank you for using BibSafe – we are committed to protecting your data and your privacy rights.