Privacy Policy

Paperbreak is operated by Scidonia Limited ("we", "us", "our"). We take your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Irish and EU data protection law.

By using Paperbreak you agree to this policy. If you do not agree, please do not use the service.

1. Who we are

Data controller: Scidonia Limited, Drombeg, Glandore, Co. Cork, P81DY66, Ireland.
Contact: [email protected]

If you have any questions about this policy or how we handle your data, please contact us at the address above. We will respond within 30 days.

2. What data we collect

Account information

• Your name and email address (provided when you sign up via Auth0)
• Your Google account email address (if you connect Google Drive)
• Subscription status and billing history (processed by Stripe — we do not store card details)

Content you provide

• Messages you send in the chat interface
• Documents, notes, and other content you share with the AI assistant
• Workspace names and configuration settings

Google Drive data

When you connect Google Drive, we request access only to files and folders created by Paperbreak (drive.file scope). We do not access, read, or store any pre-existing files in your Google Drive. We store OAuth tokens to maintain the connection between sessions; these are encrypted at rest.

Usage data

• Token usage counts (to enforce free trial limits and billing)
• Conversation history (stored so the AI can maintain context across sessions)
• Server logs including IP addresses and request timestamps (retained for up to 30 days for security purposes)

3. How we use your data

We process your personal data for the following purposes and legal bases:

We do not use your data for advertising, we do not sell your data to third parties, and we do not use your content to train AI models.

4. Third-party processors

We share data with the following sub-processors, solely to provide the service:

Where processors are located outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Chapter V.

We do not disclose your personal data to any other third parties, and we never sell your data.

5. Data retention

• Account data and conversation history — retained for as long as your account is active, plus 30 days after deletion to allow recovery from accidental deletion.
• Google OAuth tokens — deleted immediately when you disconnect Google Drive or delete your account.
• Billing records — retained for 7 years as required by Irish tax law.
• Server logs — retained for 30 days, then automatically deleted.

6. Your rights under GDPR

As a data subject in the EU/EEA/UK, you have the following rights:

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can ask us to correct inaccurate or incomplete data.
• Right to erasure — you can ask us to delete all your personal data within 30 days. Billing records may be retained as required by law.
• Right to restriction of processing — you can ask us to pause processing your data in certain circumstances.
• Right to data portability — you can request your data in a structured, machine-readable format.
• Right to object — you can object to processing based on our legitimate interests.
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission or the supervisory authority in your country of residence.

7. Deleting your account and data

You can request full deletion of your account and all associated personal data at any time by emailing [email protected] with the subject line "Delete my account".

Upon receiving your request we will:

1. Delete your account, workspaces, conversation history, and all personal data from our systems within 30 days
2. Revoke your Google OAuth tokens so Paperbreak can no longer access your Drive
3. Confirm deletion by email once complete

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• All data in transit is encrypted using TLS 1.2 or higher
• Databases are hosted on servers in the EU (Hetzner, Germany) with encrypted storage
• OAuth tokens are stored encrypted at rest
• Access to production systems is restricted to authorised personnel only
• We request only the minimum Google Drive permissions necessary (drive.file — app-created files only)

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay as required by GDPR Article 33–34.

9. Cookies

We use a single session cookie to maintain your login state. This cookie is strictly necessary for the service to function and does not require consent under the ePrivacy Directive. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

10. Children's privacy

Paperbreak is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.