PRIVACY POLICY.
Last updated: 2026-04-28 (rev. 1)
This Privacy Policy describes what data PeptideModel collects, how we use it, and your rights regarding it.
1. Eligibility
You must be at least 13 years old, or the minimum age required for online services in your jurisdiction (whichever is greater), to create an account or otherwise use the platform. We do not knowingly collect data from anyone below the applicable minimum age. If you believe we may hold data from someone below that age, contact us at [email protected] and we will delete it.
2. Data we collect
Account data. When you sign in with Google or GitHub OAuth we receive and store: your display name, email address, OAuth provider ID, and avatar URL. If you link an ORCID profile we store your ORCID handle.
API key data. If you register for an API key we store your email address, the use case you describe, and a SHA-256 hash of your key. We do not store API keys in plaintext after issuance.
Session data. We use an httpOnly session cookie (pep_session) with a 7-day lifetime to keep you signed in. Two short-lived cookies (pep_oauth_state, pep_oauth_cv) are used during the OAuth sign-in flow and cleared once it completes.
Analytics data. We run a self-hosted analytics tool (PostHog) on our own infrastructure at analytics.peptidemodel.com. Analytics events are processed and stored on infrastructure we operate; we do not send analytics data to third-party analytics providers. When you are signed in, events are associated with your account by display name and email. Events tracked include logins, signups, card creations and edits, fork actions, comments, flags, API token issuance, prediction submissions, GitHub linking, and trust-level changes.
Operational data. Server logs may include IP addresses and basic request metadata for security, abuse prevention, and rate limiting. These logs are retained for operational and security purposes and are not joined to your account in our database.
3. Data we do not collect
We do not intentionally request or require health information, medical records, payment or financial data, biometric data, or precise location data. Approximate location may be inferred from IP addresses by operational logs, our CDN/security provider, or analytics where any such inference is enabled. You should not publish personal health information, patient data, or other sensitive personal data on the platform — see the Terms of Service for the full prohibited-use list.
We do not run Google Analytics, advertising trackers, or social-media tracking pixels.
4. How we use your data
- Account data: to identify you on the platform, attribute your contributions, and contact you when needed.
- API key data: to manage API access, enforce rate limits, and reach you about API issues.
- Session and operational data: to keep you signed in and to operate the service.
- Analytics data: to understand how the platform is used and to improve it.
5. Infrastructure and third parties
The platform relies on the following infrastructure providers, which may process data as needed to provide hosting, delivery, security, email, and related services:
- Hetzner for server hosting. Account data, card content, and analytics events are stored on infrastructure we run at Hetzner.
- Cloudflare as our CDN, edge network, and security layer. Requests may pass through Cloudflare, which may process IP addresses, request metadata, routing and security data, and cached content as needed for CDN, security, and edge-network services.
- Postmark for outbound transactional email (account-related notifications, IP/legal correspondence).
- 3Dmol.org CDN for the molecular viewer script loaded on card pages with structural data.
Sign-in itself is handled by Google or GitHub OAuth. Their privacy policies apply to that flow.
We do not use third-party analytics providers, advertising networks, or social-media tracking pixels.
6. Cookies and similar storage
| Cookie / storage | Purpose | Lifetime |
|---|---|---|
| pep_session | Authentication (httpOnly, signed JWT) | 7 days |
| pep_oauth_state, pep_oauth_cv | OAuth sign-in flow | ~10 minutes, cleared after sign-in |
| Self-hosted analytics storage (ph_* cookie + localStorage) | Identify a browser session for our self-hosted analytics | Up to 365 days |
7. Data retention
- Account data is retained while your account is active.
- Card content published under CC-BY-SA 4.0 is licensed irrevocably; published cards and their version history are retained on the platform indefinitely as part of the lineage graph.
- Soft-deleted cards are removed from public view but retained in the database to preserve lineage integrity and existing citations.
- Analytics data is retained on our own infrastructure only for as long as reasonably needed. We periodically review and delete or anonymize it when it is no longer needed.
- Server logs are retained for operational and security purposes, then deleted or truncated.
8. Your rights
You may:
- Request an export of your account data.
- Request deletion of your account.
- Ask us to remove specific personal data we hold about you.
Note: rights granted to others under CC-BY-SA 4.0 for content you have already published cannot be retroactively revoked. If you delete your account, your published cards remain attributed to your handle as required by CC-BY-SA 4.0; you may request that your email and avatar be removed from our systems.
For any of these requests contact us at [email protected]. We process verified requests within a reasonable period, except where retention is required for security, legal compliance, abuse prevention, or lineage and citation integrity.
9. International users
PeptideModel is operated from infrastructure that may be located in multiple jurisdictions. If you are located in the European Union, the United Kingdom, or another jurisdiction with specific data-protection rights, contact us at [email protected] to exercise those rights.
10. Security
We use standard security practices including encryption in transit (HTTPS), httpOnly session cookies, hashed API key storage, and OAuth-based authentication. No service is perfectly secure; report suspected vulnerabilities to [email protected].
11. Changes
We may update this Privacy Policy. Material changes will be announced on the platform.