Account data: name, email address, locale preference, password hash (when email/password sign-up is used), authentication provider identifier (e.g. Google, Apple, GitHub), subscription tier, referral code, security events such as sign-in time, IP address, browser, operating system, and approximate geographic region derived from the IP.

Workspace data: chat messages and prompts, uploaded files (PDF, image, Excel, plain text), molecule sketches, drawn structures (SMILES/InChI), saved report drafts, study sessions, flashcards, quiz attempts, mistake history, references retrieved from open scholarly APIs, and exports you choose to generate.

Files and embeddings: when you upload a file, the binary is stored in our private object bucket and parsed into text and image chunks. We compute vector embeddings (1024-dim, BGE-M3, generated on our own server in Germany) so the file becomes searchable for your future questions. Chemistry images may also be processed by an on-premise DECIMER model to extract SMILES.

Usage and telemetry: credits consumed per model, queue latency, model identifiers, error codes, feature interactions, page views, web-vitals, and abuse-prevention signals. Some telemetry is collected via Vercel Analytics, Firebase Analytics, and a self-hosted error monitor where enabled.

Payment metadata: subscription status, plan, invoices, tax region, the customer identifier issued by Stripe, and limited card metadata such as brand and last four digits passed back by Stripe. We never store full card numbers, CVCs, or banking credentials.

Communications: support tickets and replies, opt-in marketing preferences, language preference for transactional email.

Performance of contract (Art. 6(1)(b)) — to operate the workspace, run prompts, generate reports, store your projects, process payments, and deliver paid features.

Legitimate interests (Art. 6(1)(f)) — to monitor service reliability, prevent abuse, secure the infrastructure, derive aggregate usage statistics, and improve the product in ways that do not override your rights.

Consent (Art. 6(1)(a)) — for non-essential cookies, marketing email, and optional analytics where local law requires consent. You can withdraw consent at any time.

Legal obligation (Art. 6(1)(c)) — tax records, regulatory enquiries, valid law-enforcement requests.

Under KVKK, the equivalent grounds are Art. 5(2)(c) (necessary for contract), Art. 5(2)(f) (legitimate interest), Art. 5(1) (explicit consent), and Art. 5(2)(a) (legal obligation).

Service delivery: store and resume projects, render molecule structures with RDKit, run the multi-agent orchestrator, retrieve papers from open scholarly APIs, generate reports, deliver them via the web app, and maintain Moll’s awareness of the current workspace.

Subscription operation: meter usage against your weekly credit allowance, display the meter, issue invoices, process renewals and cancellations through Stripe, apply educational discounts where eligible, prevent fraudulent payment behaviour.

Security and abuse prevention: detect credential stuffing, rate-limit aggressive clients, refuse prompts that violate the acceptable-use policy, investigate suspicious account activity, comply with valid legal process.

Product improvement: debug crashes, reduce latency, monitor failed jobs, prioritise fixes, and analyse aggregated, non-identifying usage patterns.

Communications: respond to support, send transactional email about billing and security, and — only with your opt-in — share product news.

We do not sell user prompts, uploaded files, saved projects, molecule sketches, reports, embeddings, or any derived datasets to advertisers, brokers, data marketplaces, or scrapers.

By default, your workspace content is used only to provide and improve your own Cheemly experience. We do not publish customer prompts or molecules in public datasets.

When third-party model providers handle your prompts (see Sub-processors), we configure provider settings to opt out of training on customer API inputs where the provider offers that control (Google AI Studio API: training is disabled for paid API traffic; Anthropic API: training is disabled by default; OpenAI API: training is disabled by default). Enterprise customers can request a written confirmation in the order form.

Hetzner Online GmbH (Falkenstein, Germany) — primary infrastructure: virtual machines hosting the database (PostgreSQL with pgvector), object storage bucket (Supabase Storage running on our own VM), embeddings model (BGE-M3, TEI), chemistry OCSR (DECIMER), API service, and reverse proxy. All workspace content lives here.

Vercel Inc. (Delaware, USA; data centers in multiple regions) — hosting and global CDN for the marketing site and Next.js application; Vercel Analytics if enabled.

Cloudflare, Inc. (San Francisco, USA) — authoritative DNS, DDoS protection, edge TLS, bot management, and proxy for api.cheemly.com / auth.cheemly.com. Cloudflare may briefly process request metadata (IP, headers, user-agent) to deliver these services.

OpenRouter, Inc. (USA) — LLM gateway routing prompts to selected underlying providers. The underlying providers currently used include Google (Gemini family), Anthropic (Claude family), OpenAI, and Meta (Llama, via free tiers). The list may change as we add or remove models; the most current model list is reflected in the in-product model selector.

Stripe, Inc. (USA) and Stripe Payments Europe Ltd. (Ireland, for EU/UK customers) — payment processing, subscription billing, invoice issuance, fraud-detection signals. Stripe is PCI-DSS Level 1 certified.

Resend, Inc. (USA) — transactional email delivery (sign-up verification, password reset, billing receipts).

Google LLC (Firebase Analytics, Google Sign-In) — analytics events and Google OAuth authentication where the user chooses it.

PostHog Inc. (EU region) — product analytics (event-level) where enabled; you can opt out from your account settings.

Sentry — error monitoring where enabled.

Open scholarly APIs we query on your behalf, only with public bibliographic queries (no personal data sent): Semantic Scholar (Allen Institute for AI), OpenAlex (OurResearch), Crossref, Europe PMC, arXiv, Unpaywall, PubChem (NIH/NLM), ChEMBL.

Apple Inc. is contacted only when the user explicitly chooses Sign in with Apple.

Notice of new or replacement sub-processors will be reflected on this page; material changes are pushed via the in-product notice or email. Enterprise customers may opt for prior written notice in the order form.

Workspace data (account, chats, files, embeddings, references, reports, billing metadata, activity log) is hosted in Germany on Hetzner Online GmbH infrastructure (Falkenstein/Helsinki regions), which sits within the European Economic Area (EEA). The primary database is PostgreSQL 16 with pgvector.

Web traffic is served via Vercel’s global CDN; static and edge regions are distributed worldwide for performance. Cloudflare proxies API and auth requests through its global edge.

LLM inference is performed at the underlying provider’s data centres, which today include locations in the United States and the European Union depending on the model. We do not control the precise data-centre routing of upstream providers.

Where transfers leave the EEA (e.g. Stripe, OpenRouter, Resend, Vercel, Cloudflare, Sentry, the underlying LLM providers), they rely on the European Commission’s Standard Contractual Clauses (Implementing Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework adequacy decision. We perform a basic transfer impact assessment and additional safeguards (encryption in transit, restricted scopes) are applied.

Account records: retained while the account is active. After account closure we delete the account, projects, files, embeddings, references, and saved reports within 30 days, except where law requires longer retention (e.g. tax invoices kept for ten years where required).

Operational logs: error, access, and security logs are retained for up to 90 days for debugging and abuse prevention, then deleted or aggregated.

Authentication events (sign-in IP, user-agent, timestamp): retained for up to 180 days for security review.

Billing and invoices: retained for the period required by applicable tax law (typically 5–10 years).

Encrypted backups: retained on a 30-day rotation. Deleted user content may persist in a backup until the rotation removes it; we do not restore deleted content into production except where required for security or law.

Marketing email opt-in records: retained while the opt-in is active and for 12 months after withdrawal as proof of consent.

Strictly necessary cookies and local storage: session token, authentication state (Supabase SSR cookie), language preference (NEXT_LOCALE), theme preference, CSRF protection. These cannot be turned off without breaking the site.

Functional storage: workspace draft (zustand local state), pinned references, study session progress — stored in your browser’s local/session storage to keep the workspace responsive between page loads.

Analytics: Vercel Analytics and Firebase Analytics may set first-party cookies for aggregate page-view measurement. PostHog event analytics is enabled only with consent where local law requires it.

Third-party cookies are only set when you use Sign in with Google or Apple, and are scoped to the provider’s authentication flow.

You can control cookies in your browser. Disabling required cookies will break sign-in.

Under GDPR / UK GDPR (Arts. 15–22) you have the right to access, rectification, erasure (right to be forgotten), restriction of processing, data portability (machine-readable export of your account and workspace), objection to processing based on legitimate interests, and the right not to be subject to a solely automated decision producing legal or similarly significant effects. Cheemly does not make solely automated decisions in that meaning.

Under KVKK (Türkiye, Art. 11) you may request information about whether your data is processed, the purposes, recipients, the source, correction, deletion, anonymisation, and you may object to results that arise exclusively from automated analysis.

Under CCPA/CPRA (California) you have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (we do not sell or share personal data in the CCPA sense), and the right to limit use of sensitive personal information.

To exercise any right, email privacy@cheemly.com from the account email. We will verify your identity, respond within 30 days, and notify you if we need an extension. There is no charge for the first request in any 12-month period. You also have the right to lodge a complaint with your supervisory authority — for example, the Kişisel Verileri Koruma Kurumu (KVKK Kurumu) in Türkiye, or the data protection authority in your EU member state.

Cheemly is not directed at children under the age of 13 (or under the age of 16 in the EEA where local implementation of GDPR Article 8 applies). Users under that age must use Cheemly only with the verifiable consent of a parent, guardian, or educational institution acting under appropriate authority.

Educators using Cheemly in a classroom should avoid uploading student personal data unless they have lawful authority and a clear pedagogical need. Cheemly does not assume the role of a school official under FERPA without a written addendum.

If we learn that a child has provided personal data without proper consent, we will delete the account and associated content.

If we become aware of a personal data breach likely to result in a risk to the rights and freedoms of users, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and, where the risk is high, notify affected users without undue delay (GDPR Art. 34).

KVKK Art. 12(5) similarly requires notification to the Kurum and the data subject as soon as possible — we treat the same 72-hour window as a hard target.

Notices will include what happened, what data was involved, what we have done, what users should do, and how to contact us.

Privacy / data protection requests: privacy@cheemly.com

Legal notices, including notices of intellectual-property infringement: legal@cheemly.com

Security disclosures: security@cheemly.com (see also /.well-known/security.txt)

General support: support@cheemly.com