Privacy Policy

Altevia (the "Operator"), located in Yokohama, Japan, sets forth this Privacy Policy regarding the handling of user information in "OpenPharos" (the "Service").

For inquiries regarding this Policy or personal data, please contact:
Altevia — [email protected]

1. Basic Policy

The Operator strives to comply with applicable data protection laws, including the Act on the Protection of Personal Information (Japan), the General Data Protection Regulation (EU), and other relevant legislation, and endeavors to handle personal information appropriately in AI-powered services.

2. Eligibility

The Service is intended for users aged 16 or older. The Operator does not knowingly collect personal information from individuals under the age of 16. If we become aware that personal information has been collected from a person under 16 without parental consent, we will promptly delete such information.

3. Information We Collect

• Account information: Email address
• Preference settings: Search keywords, alert settings, research interests
• Usage history: Alert delivery history, onboarding settings
• Payment information: Plan type and payment status (card details are managed by Stripe; the Operator does not store them)
• Log information: Access logs (IP address, device information, timestamps, etc.)

4. Purpose of Use

• Providing and improving the Service (delivering paper alerts, generating translations and summaries)
• Sending authentication emails via magic links
• Responding to inquiries
• Preventing unauthorized use
• Operating the referral program, including recording referral relationships, calculating rewards, and detecting fraud (including payment-card fingerprint comparison to prevent self-referral)
• Statistical analysis of usage (in a non-personally-identifiable form)

5. Use of Cookies

The Service uses cookies for session management. These cookies are necessary for maintaining login status and temporarily storing onboarding settings, and are essential to the basic functionality of the Service.

The Service does not use tracking cookies or third-party advertising cookies.

You may disable cookies through your browser settings; however, some features of the Service may not function properly.

6. Data Sent to AI Services

The Service sends paper titles, abstracts, author names, journal names, DOIs, and other bibliographic metadata to AI services (such as OpenAI and Anthropic) for translation and summary generation. Personal information (such as email addresses) is not sent to AI services.

Data sent through commercial AI APIs is not used for model training by default unless the Operator explicitly opts in or the provider's terms change. External AI service providers may retain data for a limited period for purposes such as abuse monitoring.

7. Disclosure to Third Parties and Outsourcing

The Operator does not sell or provide personal information to third parties except as required by law.

To the extent necessary for providing the Service, the Operator outsources the handling of personal information to the following categories of external service providers:

• Cloud infrastructure provider (Amazon Web Services — Japan)
• Payment processor (Stripe — US)
• Email delivery service (Resend — US)
• AI service providers (OpenAI, Anthropic — US)

This outsourcing constitutes data processing on behalf of the Operator, not third-party disclosure. The Operator exercises appropriate oversight of such outsourced parties, including through contractual measures.

7.1 Referral Program Disclosures

Under the referral program, the Operator shares aggregate statistics only — such as total number of registrations, card registrations, and paid conversions — with the holder of a referral code.

The Operator does not share any information that could identify a referred user, including names, email addresses, specific registration or billing dates, or individual usage patterns. Referral code holders cannot infer the identity of any particular referred user from the statistics shown to them.

8. International Data Transfers

The Service's cloud infrastructure is hosted in Japan (Amazon Web Services — Tokyo region). Certain service providers — including Stripe (payment), Resend (email delivery), OpenAI and Anthropic (AI processing) — are located in the United States. Japan has been granted an adequacy decision by the European Commission, meaning that transfers of personal data from the EU/EEA to Japan are permitted without additional safeguards. For transfers to the United States, the Operator selects service providers with appropriate security measures and, where applicable, ensures that appropriate safeguards — such as standard contractual clauses — are in place.

9. Rights of EU/EEA Users — GDPR

Users residing in the EU/EEA have the following rights under the GDPR:

• Right of access: Request disclosure of personal data held
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure ("right to be forgotten"): Request deletion of personal data
• Right to restriction of processing: Request restriction of processing of personal data
• Right to data portability: Request provision of data in a machine-readable format
• Right to object: Object to the processing of personal data
• Right to lodge a complaint: File a complaint with a supervisory authority in the EU/EEA Member State of your residence or place of work

The Service does not engage in automated decision-making or profiling that produces legal or similarly significant effects on users.

The legal basis for our processing under GDPR Article 6(1) is as follows: account operation, alert delivery, and billing are based on performance of a contract (Article 6(1)(b)); security, abuse prevention, and basic service analytics are based on legitimate interests (Article 6(1)(f)), specifically the Operator's interest in maintaining the security and integrity of the Service and understanding aggregate usage patterns.

To exercise any of these rights, please contact [email protected]. The Operator will respond within one month of receiving a verified request.

The Operator will assess whether appointment of an EU representative is required under GDPR Article 27.

10. Rights of California Residents — CCPA/CPRA

To the extent applicable under the CCPA/CPRA, California residents may have the following rights: the right to know what personal information is collected, the right to request deletion of their personal information, and the right to opt out of the sale or sharing of personal information. The Operator does not sell or share personal information as defined under the CCPA/CPRA. To exercise your rights, please contact [email protected].

11. Data Retention

The Operator retains personal data for the following periods:

• Account information and preference settings: For the duration of the account's existence, and deleted upon account deletion.
• Usage history (alert delivery logs, onboarding data): Retained for 2 years after account deletion.
• Log information (access logs): Retained for 1 year from the date of collection.
• Payment-related records: Retained for the period required by applicable tax and commercial laws (typically 7 years under Japanese law).
• Inquiry records: Retained for 2 years after resolution.

These periods do not apply where a longer retention period is required by law.

12. User Rights (Japan)

Users may request disclosure, correction, suspension of use, or deletion of their personal information. For inquiries regarding personal information, please contact [email protected].

13. Security Measures

The Operator implements the following security measures to prevent leakage, loss, and damage of personal information: encryption of data in transit (TLS), access control through authentication mechanisms, regular security reviews, and secure deletion of data upon expiration of the retention period.

14. Data Breach Notification

In the event of a data breach that is likely to result in a risk to the rights and freedoms of users, the Operator will notify affected users without undue delay via email. Where required under the GDPR, the Operator will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

15. Changes to This Policy

This Policy may be revised as necessary. Changes take effect upon publication on this website. However, for material changes — including but not limited to the introduction of new data sharing with third parties, changes to the purposes of use, or significant modifications to data retention periods — users will be notified in advance via in-service notification or email, and changes take effect after such notification.