Sign inOpen Palimpsa

Legal · Privacy

Privacy.

We collect the minimum we need, explain it plainly, and let you delete it. UK and EU data subject rights are honoured.

What we collect

  • Account — your BeyondTheBox identity (email, display name). Palimpsa doesn't run its own auth; identity is handled by auth.beyond-the-box.uk and Palimpsa receives the user id.
  • Documents — title, excerpt, and the binary CRDT state (the document itself), stored in Firestore. Encrypted at rest and in transit on Google Cloud, region europe-west2 (London).
  • Research queries — the search terms you type into the research panel are sent to the third-party sources (arXiv, OpenAlex, CrossRef). We don't log them.
  • Cookies — only essentials by default. See the cookie notice or the cookies page.

What we don't do

  • We don't train AI on your documents. Ever.
  • We don't use AI for typing assistance. There is no autocomplete, no "rewrite this paragraph", no generative writing of any kind.
  • We don't sell data to advertisers or brokers.
  • We don't keep an analytics profile linked to your identity unless you explicitly opt in.

AI critique buttons

Some buttons in Palimpsa — "Spot flaws", "Check research", "Check citations", "Run submission audit" and similar — explicitly send the relevant excerpt of your document to external analysis systems for processing. Each button click is its own consent event.

The submitted text is processed in-flight and not retained, logged, or used to train any model by us or by the analysis provider — we contract specifically for zero-retention processing and won't ship a feature without it.

You can disable AI features entirely in Settings → AI; with AI disabled, every "check" button is hidden and the editor, research panel, exports and the rest of Palimpsa continue to work.

Subprocessors

  • Google Cloud / Firebase — Auth (via BeyondTheBox project), Firestore, Cloud Run, Storage, Hosting. EU/UK regions.
  • Stripe — payments, when you have a paid plan.
  • arXiv, OpenAlex, CrossRef — research panel search queries are forwarded to these public APIs. We don't include any of your draft text in the request.
  • External analysis providers — used for the AI critique buttons only, under contracts that prohibit retention or training on submitted content.

Your rights

Email privacy@beyond-the-box.uk to access, correct, or delete your data. We respond within one calendar month per UK GDPR.

You can also export every document you own as PDF, DOCX, Markdown, HTML, or plain text from the document menu — regardless of plan.

Retention

Active documents are kept while your account is active. If you delete your account, all documents are hard-deleted after a 30-day grace period.