Privacy Policy

How we process personal data when you use the First Author reference manager.

Controller

Dr. Philipp Münch - AI Software & SaaS
c/o COCENTER
Koppoldstr. 1
86551 Aichach
Germany

This policy applies to our website, the First Author Reader (a reference manager and reading app for scientific papers), account creation and sign-in, the waitlist and contact forms, and the AI features in the product.

Categories of Data

  • Account and contact data: name, email address, account settings, support requests, waitlist submissions, and messages you send us.
  • Sign-in with Google: if you choose "Continue with Google", we receive from Google your email address, your name, your Google account identifier, and whether your email is verified (OpenID Connect scope openid email profile). We use this only to create and authenticate your account.
  • Library data: the references and citations you save, PDFs you attach or we fetch for you, tags, groups/collections, highlights and "Explain" annotations, read/unread and reading state, and AI-generated summaries.
  • Technical and security data: IP address, browser and device metadata, request logs, error events, abuse-prevention signals (including hashed IP and user-agent values used for rate limiting), and browser-side storage used by the product.
  • AI feature inputs: reference text and metadata, extracted PDF text, the questions and prompts you enter, conversation history, and the minimal context needed to provide summaries, "Explain", the "Ask" reference chat, the enhanced reading view, and semantic search.
  • Billing data (only if you purchase a paid plan): selected plan, subscription status, invoice metadata, and customer identifiers from Stripe. The Reader is currently free; if you ever pay, we do not store full payment card numbers ourselves.

Purposes and Legal Bases

  • Art. 6(1)(b) GDPR for account creation, sign-in (including Google sign-in), operating your library, support, any paid plan, and AI features you actively request.
  • Art. 6(1)(a) GDPR for optional marketing or waitlist communications, and for optional Google Ads conversion tracking where you give consent.
  • Art. 6(1)(c) GDPR where processing is necessary to comply with legal obligations, especially tax, accounting, and compliance duties.
  • Art. 6(1)(f) GDPR for security, abuse prevention, fraud detection, debugging, service reliability, and aggregate product analytics.
  • Art. 6(1)(a) GDPR together with Section 25 TDDDG for non-essential advertising or conversion tracking and comparable access to information stored on your device.

Recipients and Processors

  • Vercel for hosting, delivery, logs, web analytics, the Postgres database, and file (PDF) storage.
  • Google as an identity provider when you choose to sign in with Google, and — only if you consent in the cookie banner — for Google Ads conversion measurement.
  • Resend for transactional emails such as confirmations, invitations, and notifications.
  • Stripe for checkout, subscription management, and invoices — only if you purchase a paid plan.
  • Pushover to send us an operational heads-up when a public live-demo session starts, including an approximate region derived from the IP address and the referring page.
  • AI providers used by the Reader's AI features: OpenRouter (the "Ask" reference chat, summaries, and "Explain", routed to various underlying models), Anthropic (direct calls for some features), OpenAI (text embeddings that power semantic search), and Mistral (OCR that turns a PDF into the enhanced reading view).
  • Public scholarly APIs that receive a DOI, title, or search query when you import, search, or fetch an open-access PDF — including Crossref, OpenAlex, Unpaywall, Semantic Scholar, DataCite, arXiv, PubMed/NCBI, and Europe PMC.

Additional technical details about AI-related processing and subprocessors are available on our Data Processing Agreement page.

International Transfers

Some providers process data outside the EU or EEA, especially in the United States. Where required, transfers are based on adequacy decisions such as the EU-U.S. Data Privacy Framework and/or on Standard Contractual Clauses with supplementary measures.

Cookies and Similar Technologies

We use necessary cookies and browser storage so the service works. Depending on the feature you use, this can include, for example:

  • fa_session for authenticated sessions
  • fa_demo to mark the public live-demo session
  • fa_share_session for opening a shared link, where sharing is used
  • fa_cookie_notice_v2 in local storage to remember your tracking choice

If you accept optional tracking in the cookie banner, we enable Google Ads conversion measurement. We also use Vercel Web Analytics for aggregate website metrics.

Local Storage in Your Browser

The Reader caches some library content and your settings in browser technologies such as IndexedDB or local storage to load faster and support offline reading. This data stays on your device; your saved library is synced to your account so you can reach it from any device.

AI Features

When you use an AI feature, we send only the content needed for that feature — for example the text of the open paper, an extracted passage, your question, and minimal context. The exact data depends on the feature you invoke (a summary, "Explain", the "Ask" chat, building the enhanced reading view from a PDF, or semantic search).

We do not intentionally opt your content into provider model training, and we rely on the providers' API controls and terms. Technical details and current processor information are on the Data Processing Agreement page.

Live Demo

The public live demo creates a temporary, throwaway account seeded with a few sample papers so you can try the Reader without signing up. These demo sessions are rate-limited per visitor and reset automatically; they are not linked to a real account.

Automated Decisions and Age

The Reader's AI features support your reading; we do not use them to make automated decisions that produce legal or similarly significant effects about you within the meaning of Art. 22 GDPR. The service is intended for users aged 18 and over and is not directed to children.

Data Retention

  • We retain account and library data for as long as needed to provide the service.
  • We retain waitlist or contact data until the purpose ends or you withdraw consent, unless legal retention applies.
  • We retain security and operational logs for as long as reasonably necessary for security and reliability.
  • We retain any billing and tax-relevant records as long as required by applicable law.
  • If you request deletion, we will delete data unless we must retain parts of it for legal reasons or to establish, exercise, or defend legal claims.

Your Rights

You may have the right to:

  • access your personal data
  • rectify inaccurate data
  • request erasure
  • request restriction of processing
  • receive data portability where applicable
  • object to processing based on legitimate interests
  • withdraw consent at any time with effect for the future
  • lodge a complaint with a supervisory authority

The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA). You may also lodge a complaint with the authority in your country of residence or place of work.

Contact

If you have privacy questions or would like to exercise your rights, contact us at hello@firstauthor.ai or via our contact page.

Summary (DE)

The controller is Dr. Philipp Münch - AI Software & SaaS, c/o COCENTER, Koppoldstr. 1, 86551 Aichach, Germany. First Author is a reference management and reading tool for scientific papers. We process data to operate the website and product, in particular for accounts and sign-in (including "Sign in with Google"), your library (references, PDFs, tags, highlights), support, and AI features (summaries, "Explain", the "Ask" chat, the enhanced reading view, and semantic search). Depending on the feature, we work with service providers such as Vercel, Google, Resend, OpenRouter, Anthropic, OpenAI, Mistral and, only for paid plans, Stripe, as well as with public scholarly APIs (e.g. Crossref, OpenAlex, Unpaywall, Semantic Scholar, arXiv, PubMed). We enable optional conversion measurement via Google Ads only after you have given consent. In particular, you have the rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of any consent you have given.

Last updated: June 6, 2026