PubSci:Privacy

Version: 0.1 (pre-launch draft). Effective: upon PubSci's public launch. Last updated: 2026-05-26.

PubSci (pubsci.io) is an open academic journal. It is operated as a small project, not a company, by Mark Elliott, MD, who also runs Pharmacopedia (PCP). This page describes what PubSci collects, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.

A note before we start: PubSci is built around a permanent record principle. Content you publish here stays published; it does not disappear because someone disagrees with it or because time passes. That commitment to permanence affects how some privacy rights work, and we explain it honestly in the "Published content and the permanent record" section below.

PubSci and Pharmacopedia (PCP) are operated by the same person, Mark Elliott, MD, as parts of the same project. The named data controller on each privacy page is Mark Elliott, MD.

Your account lives on PCP. PCP is the data controller for that shared layer; rights related to your account are exercised through PCP at About:Privacy on pharmacopedia.wiki. PubSci reads from that layer only to authenticate you and verify basic eligibility (see below). PubSci is itself an independent data controller for all content and activity generated inside PubSci: papers, reviews, annotations, ratings, pen names, and session records.

PubSci does not have its own account or password. You sign in with Pharmacopedia. When you click "Sign in with Pharmacopedia," PCP authenticates you, shows you what PubSci is asking for, and, with your consent, sends you back to PubSci with a short-lived access token. PCP never gives PubSci your password or your second factor.

PubSci requests two scopes:

• pubsci-identity: your PCP user ID (an opaque subject identifier, not your username or real name). Required to create and maintain your pen name and your session.
• pubsci-account-age: the date your PCP account was created. Used only for the reviewer-eligibility check (30-day account minimum); checked at pen-name registration and discarded immediately after. Not stored.

PubSci does not request access to your PCP assessments, your PCP profile text, or any other PCP data. Its only claims are who you are (an opaque ID) and how old your account is.

OAuth grant management and revocation live at PCP (Special:OAuthManageMyGrants on pharmacopedia.wiki). Revoking PubSci's grant there immediately disables PubSci's ability to refresh your session.

Account and pen name:

• Your PCP user ID (the opaque OAuth subject) -- stored as the internal link between your pen name and your identity. Not shown publicly.
• Your pen name (handle) -- public; shown on everything you author, review, annotate, or comment on.
• The date your pen name was created and the date of your most recent sign-in.
• Your Trykl "Support this author" opt-in flag (true or false). No Trykl profile data is stored here.
• Session activity records (login timestamps, OAuth scopes, session durations) -- stored in PubSci's SessionLog table, kept for 2 years, then deleted. A display surface in your account settings is planned for a later version.

Submissions and published papers:

• Papers you submit, in draft form (restricted to you and admins until published) and in published form (public).
• Draft papers are stored until published or until you abandon them. Abandoned drafts with no activity for 12 months are purged (see "How long things are kept").

Reviews and annotations (all public, all attributed to your pen name):

• Whole-paper reviews you write, including any edits (edit history is logged and publicly visible).
• Inline annotations you write on published papers.
• Author votes you cast on reviews of your own papers -- displayed publicly with your pen name and an "Author" badge. These are a distinct, attributed signal separate from the private community vote.
• Comments you post on reviews, including any edits (edit history logged and visible).

Voting (private aggregate):

• Your upvote or downvote on any paper, review, or author profile -- stored privately. Only the net score (upvotes minus downvotes) is displayed publicly. Your individual vote direction is never attributed to you and never shown to anyone, including admins.

Unauthenticated visitors:

• When you visit without signing in, the web server records your IP address and user-agent in its access log, the same way every web server does. Sign-in events also record an IP for up to 24 hours for anti-abuse, then delete it.

These are commitments, not aspirations:

• Real names and contact information are never collected. Identity lives at PCP; PubSci holds only an opaque user ID.
• Your PCP assessments are never requested, stored, or processed.
• No analytics SDK, advertising tracker, or third-party telemetry runs on PubSci.
• Your data is not sold.
• No ads are shown. There are no advertisers.
• Your community vote direction (upvote or downvote on papers, reviews, and profiles) is never publicly attributed to you.
• No account age data is retained after the reviewer-eligibility check.

Every PubSci user who publishes or reviews chooses a pen name: a permanent, public handle (2-40 characters: letters, numbers, spaces, hyphens, underscores, apostrophes, and periods). A few things to understand before you set one:

Your pen name is permanently linked to your work. Every paper you author, every review you write, every annotation you leave, and every comment you post is publicly attributed to your pen name. That attribution does not disappear if you close your account; the work remains attributed to the handle.

Your real identity behind your pen name is protected from the public. The link between your pen name and your PCP account is stored in PubSci's database with access restricted to admin-level queries (Mark). It is not exposed in any public API, public page, or data export.

Reviewer activity is always public; it cannot be hidden. If you write a review or annotation, your pen name is displayed. There are no anonymous reviews on PubSci, by design. Your full review history is publicly visible on your Author profile page.

The one exception: legal compulsion. If Mark (the named controller) receives a valid legal process (subpoena or court order) requiring disclosure of the identity behind a pen name, he will comply. That is the only path by which the link between your pen name and your PCP account would be disclosed to anyone outside PubSci's admin layer. PubSci does not voluntarily disclose pen-name identity.

Institutional handles are transparent by design. Handles such as "Pharmacopedia Editorial" are labeled "Institutional author" wherever they appear. They are not part of the pen-name anonymity model.

Pen names are immutable. Once set, a pen name cannot be changed. Citation records and review histories depend on a stable, permanent handle.

PubSci's core commitment is that content, once published, stays published. This affects how privacy rights apply.

Papers, reviews, and annotations are permanent. They are not removed because a reviewer criticizes the work, because an author regrets having published it, or because it turns out to be incorrect. An author may request a retraction notice, which posts a "Retracted by author" banner on the paper; the paper and all associated reviews remain accessible.

Legal-floor removals are the only exception. Content meeting the US legal removal threshold (CSAM; clear incitement to imminent violence) is removed. Removed content leaves a tombstone at the original URL.

What this means for account deletion. If you close your account and ask us to delete your PubSci data, here is what happens:

• The link between your pen name and your PCP account is deleted. From that point, your pen name is a disconnected handle -- its record exists, but it is no longer traceable to you through PubSci's systems.
• Session activity records (SessionLog) are deleted.
• Any unpublished draft papers are deleted.
• Published papers, reviews, and annotations attributed to your pen name remain published. They are now attributed to a pen name with no surviving identity link -- effectively anonymous. They are not removed.

If the permanent record principle is a concern for you, that is worth knowing before you publish.

A small number of outside services are involved in running PubSci:

• Zenodo (CERN). PubSci's primary DOI registrar. When a paper is published, PubSci sends Zenodo the paper title, author list (pen names or institutional handles only; no real names), abstract, field tags, publication date, PSI ID, and canonical URL to register a DOI. Real names are never sent; only pen names and institutional handles. Zenodo's privacy policy governs its data handling.
• Pharmacopedia (PCP). Holds your account and supplies the OAuth identity layer. Governed by PCP's own privacy policy at About:Privacy.
• "Discuss this paper live" button. If you click the button on a paper page, your browser is redirected to a third-party video service with the paper's public metadata (PSI ID, DOI, title, abstract excerpt, canonical URL). No personal data about you is included in that redirect.
• "Support this author" button. If you click the button on a paper page (visible only when the author has opted in), PubSci generates a short-lived signed token encoding the author's PCP subject and redirects your browser to a third-party platform. No data about you (the reader clicking the button) is included. The token encodes only the author's identity, not yours.
• Hosting. PubSci runs on AWS (its own infrastructure, separate from PCP). The full list of subprocessors will be published before sign-up opens.

PubSci does not run any analytics service, advertising SDK, or third-party tracking.

Sign-in uses an HttpOnly, Secure, SameSite=Strict cookie holding your encrypted OAuth tokens; browser JavaScript cannot read it. A CSRF protection cookie and a session cookie for the active tab are also set. No tracking cookies, no third-party cookies.

• In transit: every connection to PubSci is HTTPS.
• OAuth tokens: stored encrypted at rest in the HttpOnly cookie. Refresh tokens are rotated on every use.
• Pen-name identity mapping: the pen-name to PCP account link is stored in PubSci's database with access restricted to admin-level queries. It is not reachable via the application API or any public interface.

• Server access logs: rotated daily, kept for 14 days, then deleted.
• Sign-in IP addresses: kept for up to 24 hours for anti-abuse, then deleted.
• Account-age data (from OAuth): checked and discarded at pen-name registration; not stored.
• Session activity records (SessionLog): 2 years, then deleted.
• Draft papers with no activity for 12 months: purged; the PSI ID is tombstoned as "draft abandoned."
• OAuth tokens: kept for as long as you stay connected to PCP.
• Published papers, reviews, and annotations: permanent (see "Published content and the permanent record" above).

• See it. Your PubSci settings show what is stored against your account.
• Change it. Your pen name is immutable. Everything else you control -- the Trykl opt-in flag, your author replies -- can be updated from the page where you entered it.
• Export it. Email us and we will return your PubSci account data (pen name, session records, opt-in flags) in a machine-readable form. Published papers and reviews are already publicly accessible and may be saved by any reader.
• Delete it. Email us and we will delete your PubSci account data. What happens: the pen-name identity link is severed and deleted, session records are deleted, unpublished drafts are deleted. Published work attributed to your pen name remains (see above). Live copies are removed promptly. Backups: kept for 7 days on-host, then up to 14 days in active off-site storage. The off-site provider retains deleted files in a recovery layer for up to 180 additional days, after which the encrypted bundle is permanently deleted. Backups are GPG-AES256 encrypted at all times; the off-site provider cannot read them.

For any of the above, email privacy@pubsci.io.

You additionally have the right to know the categories of personal information collected, the right to opt out of sale or sharing (PubSci does not sell or share personal information for cross-context behavioral advertising; there is no sale to opt out of), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. The categories are listed above; retention periods are in "How long things are kept."

The same baseline rights apply: access, rectification, erasure, restriction, portability, and objection. The legal basis for processing is your consent (for the OAuth connection) and legitimate interest in operating the publishing service you signed up for. There is no automated decision-making with legal effects.

A note on the right to erasure. The permanent record principle limits erasure for published content. PubSci will sever the identity link between your pen name and your PCP account, which makes your published work effectively anonymous. The content itself is not removed. If you believe this is incompatible with your rights in your specific situation, contact us at privacy@pubsci.io; we will engage with you directly.

International data transfers from the EU/UK to the United States, where PubSci's servers are located, are made under appropriate safeguards (standard contractual clauses or successor mechanisms).

PubSci is for adults (18+) in this version. Personal information is not knowingly collected from anyone under 13. A separate posture for users between 13 and 17 is being developed; until that is published, no one under 18 should use PubSci. If a child under 13 has provided personal information, contact privacy@pubsci.io and it will be deleted promptly.

Under US law (18 U.S.C. § 2258A), operators of electronic communication services and remote computing services are required to report apparent violations involving child sexual exploitation material to the National Center for Missing and Exploited Children (NCMEC) CyberTipline. If a submission to PubSci appears to involve such material, we report to NCMEC before taking any other action, including removal. This is a legal obligation; the report is made regardless of any other policy consideration. Content meeting this threshold is then removed and the URL is tombstoned.

A few items finalize before PubSci's public launch:

• The final list of hosting subprocessors and their data-processing agreements.
• The detailed posture for users between 13 and 17.
• The final wording of the OAuth consent screen on the PCP side, reconciled with PCP before launch.
• The privacy@pubsci.io address and associated handling process.

Any of these that move the substance of this policy will trigger a versioned update.

When something material changes, it is announced on PubSci and, if you have an active account, sent to you. The "Last updated" date at the top tracks the most recent change. Prior versions are kept on a public archive page.

Privacy questions: privacy@pubsci.io.
PCP-side questions (your account): info@pharmacopedia.wiki.