1. Introduction
Who we are and what this policy covers
Welcome to Traki ("we," "our," or "us"). Traki is a mobile application designed for researchers, academics, and students to discover, track, and summarize academic papers from sources like arXiv, Crossref, and PubMed.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our iOS and Android applications (the "App"), our associated web services, and any related features. Please read this policy carefully. By using Traki, you agree to the practices described herein.
2. Data We Collect
Categories and types of information gathered
We collect information in the following categories:
2.1 Account & Identity Data
| Data Type | Source | Purpose | Status |
|---|---|---|---|
| Email address | Apple / Google Sign-In | Account identification, recovery | Required |
| Display name | Apple / Google Sign-In | Personalization | Automatic |
| Unique user ID (Firebase UID) | Generated by Firebase | Internal data linking | Automatic |
| Sign-in provider token | Apple / Google | Authentication | Required |
2.2 Research Preferences & Usage Data
- Selected research goals — chosen during onboarding (Screen 1)
- Topic tracks — up to 3 topics for free users, unlimited for PRO subscribers, including preset chip selections and custom free-text inputs
- Alert settings — notification preferences per track
- Saved papers & collections — papers you bookmark, up to 50 for free users, unlimited for PRO
- "Mark as Read" history — records of papers you have read
- AI summary requests — count and content of requested summaries (capped at 3/week for free users)
- Search queries — terms entered in the in-app search bar
- Filter & sort preferences — applied feed configurations
2.3 Device & Technical Data
- Device model, operating system version, and app version
- Unique device identifiers (for crash reporting and analytics, anonymized where possible)
- IP address (collected at the server level for security, not stored persistently)
- Purchase receipts and subscription status via RevenueCat
2.4 Data You Do Not Provide Directly
Paper metadata (titles, abstracts, authors, DOIs) is fetched from public academic APIs (arXiv, Crossref, PubMed) and is not considered your personal data. This information is cached temporarily for performance and is subject to the respective API providers' terms of service.
3. How We Use Your Data
Purposes and legal bases for processing
We process your data for the following purposes:
- Provide core services: Authenticate your account, maintain your research tracks, display paper feeds, and enable saving/reading functionality.
- Deliver AI summaries: Send paper text to our AI provider (OpenAI or Google Gemini) to generate short plain-language summaries as requested. Paper content is not stored by the AI provider beyond the request lifecycle.
- Send notifications: Deliver alerts about new papers matching your tracks, based on your alert settings. Notifications are processed via Firebase Cloud Messaging.
- Manage subscriptions: Process in-app purchases, verify PRO status via RevenueCat, and enforce free-tier limits (3 tracks, 50 saves, 3 AI summaries/week).
- Improve the app: Analyze anonymized usage patterns to fix bugs, optimize performance, and guide feature development.
- Security & fraud prevention: Detect unauthorized access, abuse, and ensure platform integrity.
- Legal compliance: Fulfill legal obligations under applicable data protection laws.
4. Third-Party Services
External services integrated into Traki
Traki relies on the following third-party services. Each operates under its own privacy policy:
| Service | Role | Data Shared |
|---|---|---|
| Firebase (Google) | Authentication, Firestore database, Cloud Messaging, Cloud Functions, Hosting | User ID, email, device token, preferences, saved papers |
| Apple Sign-In | Authentication provider | User ID, name, email (per Apple's privacy rules; email may be hidden) |
| Google Sign-In | Authentication provider | User ID, name, email, profile picture |
| arXiv API | Paper metadata source | Search queries (no personal data) |
| Crossref API | Paper metadata source | Search queries (no personal data) |
| PubMed API | Paper metadata source | Search queries (no personal data) |
| OpenAI / Gemini | AI summary generation | Paper abstract/text (sent per request, not stored by provider) |
| RevenueCat | Subscription management & receipt validation | Anonymous app user ID, purchase receipts, subscription status |
5. AI & Data Processing
How artificial intelligence handles your data
Traki uses large language model APIs to generate short summaries of academic papers. Here is how it works:
5.1 What Is Sent to AI
When you request an AI summary, the paper's title and abstract (and, where applicable, key methodology excerpts) are sent to our AI provider. No personal data (your name, email, account details, or reading history) is included in these requests.
5.2 AI Provider Data Policy
We use API endpoints configured to not use your input data for model training. Paper text is processed in real-time and discarded after the response is returned. We do not store full paper text in our AI request logs.
5.3 Summary Types (PRO)
PRO subscribers have access to extended AI insights per paper:
- Plain-language summary — a 2-3 line non-technical overview
- Beginner explanation — context for those new to the field
- Why it matters — significance and real-world implications
- Methods breakdown — simplified methodology overview
- Weekly What Changed — per-track summary of new papers, generated by scheduled Firebase Cloud Functions
6. Data Storage & Security
Where and how your data is protected
6.1 Storage Location
Your personal data is stored in Google Cloud Platform (GCP) via Firebase Firestore, located in the European Union (EU region). This ensures compliance with GDPR data residency requirements.
6.2 Security Measures
We implement industry-standard security practices including:
- Encryption in transit: All data is transmitted over TLS 1.2+ / HTTPS
- Encryption at rest: Firestore data is encrypted by default on GCP
- Firebase Security Rules: Server-side rules ensure users can only access their own data
- Authentication: All API endpoints require valid Firebase Auth tokens
- No raw credentials stored: We do not store passwords; authentication is delegated to Apple and Google
- Image caching: Paper thumbnail images are cached locally on-device using standard Flutter image caching; no sensitive data is cached insecurely
6.3 Limitations
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any reported vulnerabilities.
7. Data Sharing
Who receives your data and under what circumstances
We do not sell, rent, or trade your personal data.
We may share limited data only in these scenarios:
- Service providers: With the third-party services listed in Section 4, solely for the purposes described therein and under contractual data processing agreements.
- Legal requirements: If required by law, court order, governmental regulation, or legal process. We will notify you where legally permitted.
- Safety: To prevent fraud, protect the rights or safety of Traki, our users, or the public.
- Business transfer: In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify affected users via in-app notice and/or email.
8. Subscriptions & Payments
How payment data is handled
Traki offers an optional PRO subscription with the following plans:
- Monthly: €6.99/month with a 30-day free trial
- Yearly: €59.99/year with a 30-day free trial
8.1 Payment Processing
All payments are processed through the Apple App Store or Google Play Store. Traki does not receive, store, or have access to your credit card number, bank account details, or full payment instrument information. Payment security is entirely managed by Apple and Google.
8.2 RevenueCat
We use RevenueCat to validate purchase receipts, manage subscription lifecycle (trial, renewal, cancellation, expiration), and sync PRO status across devices. RevenueCat receives an anonymous app user ID and purchase receipts — not your personal identity data.
8.3 Free Trial
The 30-day free trial begins at subscription confirmation. You will not be charged until the trial ends. You may cancel at any time during the trial via your device's subscription settings. If you cancel, PRO features remain active until the trial period expires.
8.4 Subscription Management
All subscription management (cancellation, refund requests, plan changes) is handled through:
- iOS: Settings → Your Name → Subscriptions → Traki
- Android: Google Play Store → Profile → Payments & Subscriptions → Traki
The "Restore Purchases" button in the app re-verifies your subscription with RevenueCat if you reinstall or switch devices.
9. Children's Privacy
Protection for users under the age of consent
Traki is a research tool primarily designed for university students, academics, and professionals. While we do not explicitly target minors, we recognize that students of various ages may use the app.
We do not knowingly collect personal data from children under 16 years of age (or under 13 in jurisdictions where that is the applicable threshold, such as under COPPA in the United States). If we discover that we have inadvertently collected data from a child below the applicable age, we will take immediate steps to delete that data from our servers.
If you believe a child has provided us with personal data, please contact us at privacy@traki.app.
10. Your Rights
Data subject rights and how to exercise them
Depending on your location, you may have the following rights under GDPR, CCPA, or other applicable laws:
| Right | Description |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure ("Right to be Forgotten") | Request deletion of your personal data, subject to legal exceptions |
| Portability | Receive your data in a structured, machine-readable format (JSON/CSV) |
| Restriction | Request that we limit how we process your data |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw any consent-based processing at any time |
| Opt-Out of Sale (CCPA) | We do not sell personal data, but you may formally request this confirmation |
You may exercise these rights by emailing privacy@traki.app with the email address associated with your Traki account. We will respond within 30 days (or sooner where required by local law). You may also request a data export through in-app settings or revoke notification permissions through your device settings.
11. Cookies & Tracking
Online tracking technologies used
Traki is primarily a native mobile application and does not use traditional web cookies. However, the following tracking and identification mechanisms are used:
- Firebase Installation ID: A unique identifier assigned to each app installation, used for push notifications, analytics, and crash reporting. This is not a cross-app tracking identifier.
- Firebase Analytics: Collects anonymized event data (e.g., screen views, feature usage) to improve the app. We do not link analytics data to individual user accounts.
- Crashlytics: Collects crash logs including device model and OS version when the app encounters an error. Logs may contain fragmentary user data; we minimize this risk.
- Device advertising identifiers: Traki does not access or use device advertising identifiers (IDFA/GAID) for any purpose.
12. International Data Transfers
Cross-border data movement
Your primary data is stored in the EU (GCP EU region). However, some third-party services listed in Section 4 may process data outside the European Economic Area (EEA), including in the United States.
We ensure adequate protection for such transfers through:
- Standard Contractual Clauses (SCCs): Where applicable, as adopted by the European Commission
- Data Processing Agreements (DPAs): With all sub-processors, incorporating appropriate safeguards
- EU-US Data Privacy Framework: For providers certified under this framework (e.g., Google Cloud)
- Supplementary measures: Technical and organizational measures where required by guidance from European data protection authorities
13. Data Retention
How long we keep your data
| Data Category | Retention Period |
|---|---|
| Account data (email, name, UID) | Until account deletion |
| Research tracks & preferences | Until account deletion or manual removal |
| Saved papers & collections | Until account deletion or manual removal |
| Reading history ("Mark as Read") | Until account deletion |
| AI summary request logs | 30 days (then auto-purged) |
| Purchase/subscription records | Required by law (typically 7 years for tax compliance in the EU) |
| Analytics & crash data | 90 days (anonymized), up to 26 months in aggregate |
| Push notification tokens | Until revoked or account deletion |
| Deleted account data | Removed within 30 days of deletion request |
14. How to Delete Your Account
Step-by-step guide with Google re-authentication
You can permanently delete your Traki account and all associated data directly from the app. Deletion is irreversible — all research tracks, saved papers, reading history, collections, and AI summary history will be permanently erased.
[Figure: Profile screen — "Delete Account" sits inside the Account section alongside Privacy & Security and Help & Support]
- Open your Profile: Launch Traki and tap the Profile tab in the bottom navigation bar. This opens your account screen showing your name, email, preferences, and account options.
- Tap "Delete Account" in the Account section: Scroll down to the ACCOUNT section — the grouped list that contains Privacy & Security and Help & Support. Tap "Delete Account" at the bottom of that group. This opens the first confirmation dialog. Nothing is deleted yet.
- Read the caution warning carefully: A warning dialog appears listing everything that will be permanently erased: your research tracks, saved papers, reading history, AI digests, and PRO benefits. A banner clearly states "This action is permanent and cannot be undone." Take a moment to review what you will lose. There is no undo.
- Tap "Continue" to proceed: If you still wish to delete your account, tap the red "Continue" button. This advances to the final confirmation step. Tapping "Cancel" at any point safely dismisses the flow without making any changes.
- Type DELETE to confirm: A second dialog asks you to type the word DELETE (in capitals) into the text field. The red "Delete" button remains disabled and faded until the word is typed exactly, preventing accidental deletion. This is a deliberate friction step — you must consciously type the confirmation word before proceeding.
- Complete Google re-authentication — your account is permanently deleted: After tapping "Delete," your device will show the Google account picker. Select your account to re-authenticate. This proves you are the account owner and satisfies Firebase's security requirement for account deletion. Once confirmed, all your data is immediately queued for permanent removal from our servers within 30 days. You will be signed out and returned to the sign-in screen. The action is irreversible. Since Traki uses Google Sign-In exclusively, re-authenticating through Google replaces a traditional password entry.
[Figure: Final confirmation dialog — the Delete button activates only when "DELETE" is typed exactly]
What Gets Deleted
- Your Firebase Auth account record
- All research tracks and topic configurations
- All saved papers and custom collections
- Complete "Mark as Read" history
- AI digest and summary history
- Alert and notification preferences
- Push notification token stored on our servers
What Is NOT Deleted
- Subscription billing: You must cancel separately via the App Store or Google Play. Deletion does not stop billing.
- Anonymized analytics: Aggregated usage data that cannot identify you is retained per our analytics retention policy (Section 13).
- Purchase records: RevenueCat receipt records are retained for legal/tax compliance for up to 7 years, but are anonymized and cannot be linked to your account.
- Paper metadata cache: Cached arXiv/Crossref/PubMed data on our servers contains no personal data and will be naturally refreshed.
15. Changes to This Policy
How and when we update this document
We may update this Privacy Policy from time to time to reflect changes in our practices, new features, legal requirements, or third-party provider policies. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes (those that affect what data we collect, how we use it, or with whom we share it), we will notify you via:
  - An in-app notification/banner at least 14 days before the change takes effect
  - An email to the address associated with your account (if applicable)
- Continued use of Traki after the effective date constitutes acceptance of the updated policy.
We encourage you to review this page periodically. A version history is maintained internally and can be provided upon request.