MyEtAl

Privacy Policy

Last updated: 27 April 2026

Data controller

MyEtAl is operated by James Dimonaco. For any privacy-related questions or requests, contact dimonaco.james@gmail.com.

What we collect

When you create an account we store your email address, display name, and an optional link to your ORCID profile. When you sign in via GitHub or Google we also receive your name and avatar from the provider — we never see your password on those flows.

When you create and publish a share, the collection title, description, and list of paper metadata you curate are stored and displayed publicly.

We record anonymous view events on public shares for view-count analytics. On the web, views are de-duplicated by a hashed IP address that is not stored after dedup. On mobile, a random per-device token (X-View-Token) is sent for the same purpose.

How we use it

  • To authenticate you and manage your sessions.
  • To display your name on public shares you choose to publish.
  • To track anonymous, de-duplicated view counts on public shares.
  • To operate a moderation queue so we can act on abuse reports promptly.

Legal basis

We process your data on the following legal bases under UK GDPR:

  • Contract — processing necessary to provide your account and the sharing service you signed up for.
  • Legitimate interest — anonymous view tracking and moderation, where our interest does not override your rights.

Third parties

We use the following processors to operate MyEtAl:

  • Neon — managed PostgreSQL database hosting.
  • Vercel — web application hosting and edge network.
  • Cloudflare — CDN and DNS.

We query OpenAlex and Crossref to look up paper metadata (titles, authors, DOIs). These are outbound lookups — no user personal data is sent to these services.

Cookies

MyEtAl sets no tracking cookies on public pages. When you sign in, we set two strictly necessary httpOnly cookies (myetal_access and myetal_refresh) to manage your authenticated session. These are exempt from consent requirements under PECR as they are essential for the service to function.

We do not use third-party analytics, trackers, or advertising SDKs.

View tracking

We record one view per share per visitor per 24-hour window. Mobile app installs send a random per-device token for de-duplication; web visitors are de-duplicated by hashed IP. We do not use third-party analytics, trackers, or advertising SDKs.

Data retention

  • View records older than 90 days are aggregated and the raw rows deleted.
  • Tombstoned (deleted) shares are garbage-collected after 30 days.
  • Expired refresh tokens are pruned every 24 hours.

Your rights

Under UK GDPR you have the right to:

  • Access — view your data via the analytics dashboard and your profile page.
  • Deletion — delete your account and all associated data at any time from your profile page. This cascades to shares, views, reports, library entries, and auth tokens.
  • Rectification — update your name, email, and profile details via the profile edit page.

For any data request, email dimonaco.james@gmail.com.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated “Last updated” date.

Contact

Questions or concerns? Email dimonaco.james@gmail.com.