← PaperBreak Grants

Privacy Policy

Last updated: 26 February 2026

PaperBreak Grants is operated by Scidonia Limited ("we", "us", "our"). We take your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Irish and EU data protection law.

By using PaperBreak Grants you agree to this policy. If you do not agree, please do not use the service.

1. Who we are

Data controller: Scidonia Limited, Drombeg, Glandore, Co. Cork, P81DY66, Ireland.
Contact: [email protected]

If you have any questions about this policy or how we handle your data, please contact us at the address above. We will respond within 30 days.

2. What data we collect

Account information

  • Your name and email address (provided when you sign up via Auth0)
  • Your Google account email address (if you connect Google Drive)
  • Subscription status and billing history (processed by Stripe — we do not store card details)

Content you provide

  • Messages you send in the chat interface
  • Grant proposal content, project descriptions, and other text you share with the AI assistant
  • Workspace names and configuration settings

Google Drive data

When you connect Google Drive, we request access only to files and folders created by PaperBreak Grants (drive.file scope). We do not access, read, or store any pre-existing files in your Google Drive. We store OAuth tokens to maintain the connection between sessions; these are encrypted at rest.

Usage data

  • Token usage counts (to enforce free trial limits and billing)
  • Conversation history (stored so the AI can maintain context across sessions)
  • Server logs including IP addresses and request timestamps (retained for up to 30 days for security purposes)

3. How we use your data

We process your personal data for the following purposes and legal bases:

Purpose Legal basis (GDPR Art. 6)
Providing the service (AI assistant, Drive integration, workspaces) Performance of contract (Art. 6(1)(b))
Account authentication and session management Performance of contract (Art. 6(1)(b))
Billing and subscription management Performance of contract (Art. 6(1)(b))
Security, fraud prevention, and abuse detection Legitimate interests (Art. 6(1)(f))
Complying with legal obligations Legal obligation (Art. 6(1)(c))

We do not use your data for advertising, we do not sell your data to third parties, and we do not use your grant proposal content to train AI models.

4. Third-party processors

We share data with the following sub-processors, solely to provide the service:

Processor Purpose Location
Anthropic AI language model (Claude) — processes messages you send to the assistant USA (SCCs apply)
Auth0 (Okta) User authentication EU / USA (SCCs apply)
Google LLC Google Drive and Docs integration (only app-created files) EU / USA (SCCs apply)
Stripe Payment processing and subscription management EU / USA (SCCs apply)
Cloudflare CDN, DDoS protection, and TLS termination EU / USA (SCCs apply)
Hetzner Server hosting and database Germany (EU)

Where processors are located outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Chapter V.

We do not disclose your personal data to any other third parties, and we never sell your data.

5. Data retention

  • Account data and conversation history — retained for as long as your account is active, plus 30 days after deletion to allow recovery from accidental deletion.
  • Google OAuth tokens — deleted immediately when you disconnect Google Drive or delete your account.
  • Billing records — retained for 7 years as required by Irish tax law.
  • Server logs — retained for 30 days, then automatically deleted.

Files you created in Google Drive via PaperBreak remain in your Google Drive under your control. We do not store copies of your Drive files on our servers.

6. Your rights under GDPR

As a data subject in the EU/EEA/UK, you have the following rights:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — you can ask us to delete all your personal data. We will fulfil this within 30 days. Note that billing records may be retained as required by law.
  • Right to restriction of processing — you can ask us to pause processing your data in certain circumstances.
  • Right to data portability — you can request your data in a structured, machine-readable format.
  • Right to object — you can object to processing based on our legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission or the supervisory authority in your country of residence.

7. Deleting your account and data

You can request full deletion of your account and all associated personal data at any time by emailing [email protected] with the subject line "Delete my account".

Upon receiving your request we will:

  1. Delete your account, workspaces, conversation history, and all personal data from our systems within 30 days
  2. Revoke your Google OAuth tokens so PaperBreak can no longer access your Drive
  3. Confirm deletion by email once complete

Files in your Google Drive that were created by PaperBreak will remain in your Drive under your full control — we do not delete files from your Drive on your behalf.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Databases are hosted on servers in the EU (Hetzner, Germany) with encrypted storage
  • OAuth tokens are stored encrypted at rest
  • Access to production systems is restricted to authorised personnel only
  • We request only the minimum Google Drive permissions necessary (drive.file — app-created files only)

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay as required by GDPR Article 33–34.

9. Cookies

We use a single session cookie to maintain your login state. This cookie is strictly necessary for the service to function and does not require consent under the ePrivacy Directive. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

10. Children's privacy

PaperBreak Grants is intended for use by researchers, academics, and professionals. It is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.

Contact us

For any privacy-related questions, requests, or complaints:
Scidonia Limited
Drombeg, Glandore, Co. Cork, P81DY66, Ireland
[email protected]

Home Pricing App