Privacy Policy

Last updated: March 17, 2026

lightpaper.org ("lightpaper", "we", "us") is an API-first publishing platform. This policy explains what data we collect, why, and how we protect it.

What We Collect

• Account data: Email address, display name, and handle when you create an account.
• Published content: Documents, metadata, and tags you publish through our API.
• Verification data: Domain ownership records, LinkedIn profile ID (if you verify via OAuth), and ORCID iD (if you link it).
• Technical data: IP addresses for rate limiting and abuse prevention. We do not use tracking cookies or analytics scripts.

How We Use It

• To publish, host, and serve your documents at permanent URLs.
• To authenticate your identity and compute your author gravity level.
• To enforce rate limits and prevent abuse.
• To generate search indexes so published content is discoverable.

What We Don't Do

• We do not sell your data to third parties.
• We do not serve ads or use ad trackers.
• We do not profile you or build behavioral models.
• We do not share your email with anyone.

Third-Party Services

• Google Cloud Platform: Hosts our infrastructure (Cloud Run, Cloud SQL, Cloud Storage). Subject to Google Cloud Privacy Notice.
• Resend: Delivers authentication emails (OTP codes). Subject to Resend Privacy Policy.
• Stripe: Processes payments for premium features. Subject to Stripe Privacy Policy. We do not store card numbers.
• Anthropic: Powers the Writing IDE AI assistant. Content you write in the IDE is sent to Anthropic's API for processing. Subject to Anthropic Privacy Policy.
• LinkedIn: Used only if you choose to verify your identity via LinkedIn OAuth. We store only your LinkedIn profile ID, not your connections or activity.
• ORCID: Used only if you choose to link your ORCID iD. We query the public ORCID API to validate your iD.

Data Retention

Published documents are retained permanently — that's the point. Account data is retained while your account is active. If you delete your account, all your data (account, documents, keys, verifications) is permanently and irreversibly deleted.

Your Rights

• Access: View your account and documents via the API at any time.
• Deletion: Delete your account via DELETE /v1/account. This is a hard delete — all data is removed.
• Export: Retrieve all your documents via GET /v1/account/documents.

Security

API keys are stored as bcrypt hashes. All traffic is encrypted via TLS. We follow OWASP security practices including input sanitization, parameterized queries, and content security policies.

Contact

Questions about this policy? Email privacy@lightpaper.org.

← lightpaper.org