Privacy Policy
How Antigravity S.L. collects, uses, and protects your personal data — written in plain English and compliant with the EU's General Data Protection Regulation (GDPR) and Spain's LOPDGDD.
1. The data controller
The data controller for your personal data is Antigravity S.L., tax identification number B16867947, registered offices at Calle Tarongers 3, 46680 Algemesí, Valencia, Spain. For any privacy-related matter — rights requests, complaints, questions — write to privacy@antigravity.com. You can also contact our Data Protection Officer at dpo@antigravity.com.
2. What data we collect
2.1 Data you give us directly
- Account data — email address, display name, (optional) affiliation, hashed password, two-factor authenticator secret.
- Author profile (optional) — handle, biography, ORCID, institutional page, links.
- Preprint submissions — the PDF, metadata (title, authors, abstract, category), and the public license you choose.
- AI interactions — the text of your prompts (Q&A, literature-review queries, chat-with-PDF messages) and the returned completions.
- Payment data — when you buy a subscription or credit pack. Card details are processed by Stripe and we never see or store the PAN; we receive a tokenised customer id, last-4 digits, brand, expiry, and billing address. For crypto top-ups we store the transaction hash, sender wallet address, chain, asset, and USD-equivalent amount at confirmation.
2.2 Data collected automatically
- Technical logs — IP address, user-agent, referrer, timestamps, request path. Retained for up to 90 days for abuse prevention and debugging, then deleted or anonymised.
- Session cookies — a strictly necessary cookie that keeps you signed in. No advertising cookies, no third-party tracking pixels on paid pages. Analytics, when enabled, is aggregate and anonymised (Vercel Analytics, privacy-first).
- Email deliverability metadata — open and click-tracking for transactional emails we send (sign-in codes, receipts, editorial decisions), to detect delivery failures.
2.3 Data from third parties
- Stripe — payment status, subscription lifecycle events, risk signals.
- Supabase — the identity provider that stores your credentials and MFA factors on our behalf.
- Public chains — when you pay in crypto, the transaction is public by design and we read it from public RPC endpoints. We do not link your wallet address to any other personally-identifying information beyond what you link yourself.
3. Why we process your data (legal bases)
We rely on the following GDPR lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the services you signed up for, bill for paid tiers, issue invoices, and keep your account running.
- Legitimate interests (Art. 6(1)(f)) — to prevent fraud and abuse, secure the platform, defend legal claims, and improve the product from aggregated usage signals. We balance these against your rights; you can object at any time (§ 5).
- Legal obligation (Art. 6(1)(c)) — to retain invoice and tax records under Spanish tax law, and to respond to lawful orders from EU authorities.
- Consent (Art. 6(1)(a)) — for optional things like marketing emails. You can withdraw consent at any time through the unsubscribe link.
4. Who we share data with
We do not sell your personal data. We share the minimum necessary with the following processors, each under a written data-processing agreement:
- Supabase (hosting, authentication, database) — EU/US regions. Subject to the EU-US Data Privacy Framework.
- Vercel (web hosting, edge CDN) — transfers to the US, covered by Standard Contractual Clauses.
- Stripe Payments Europe, Ltd. (payments) — based in Ireland.
- Anthropic, OpenAI (AI model inference) — US. Prompts and completions are processed to return your result. According to their current policies, model providers do not train on the content of API calls.
- Resend (transactional email delivery).
- CoinGecko, public RPC providers (price data and blockchain reads) — only receive the asset pair / transaction hash, no personal identifiers.
We may disclose data to competent authorities when compelled by a valid legal order. In such cases, and where legally permitted, we notify you.
5. Your rights under GDPR
As a data subject, you have the rights to access, rectification, erasure ("right to be forgotten"), portability, restriction of processing, objection, and to not be subject to decisions based solely on automated processing. To exercise any of them, email privacy@antigravity.com. We respond within thirty (30) days; complex cases may extend to ninety (90) days with notice.
If you believe our handling of your data violates GDPR, you may complain to the Spanish Data Protection Agency (Agencia Española de Protección de Datos — aepd.es).
6. Retention
- Account data — kept for as long as your account is active, then deleted within 30 days of account closure (except where law requires longer retention).
- Invoices and payment records — retained for six (6) years in accordance with the Spanish Commercial Code.
- AI prompts and completions — retained for ninety (90) days for debugging and abuse prevention, then anonymised.
- Published preprints — kept indefinitely as part of the public scientific record, under the license you chose at submission. Withdrawal of a preprint does not remove it from third-party mirrors or citations.
- Server logs — up to 90 days.
7. International transfers
Some of our processors are located outside the European Economic Area (notably Vercel, OpenAI, Anthropic). For every such transfer we rely on an adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses — whichever applies. A copy of the relevant safeguard is available on request.
8. Security
We encrypt data in transit (TLS 1.2+) and at rest. Credentials are hashed with industry-standard algorithms. Two-factor authentication is available free on every account and strongly recommended. We apply the principle of least privilege internally, log administrative access, and run regular backups.
Despite these measures, no system is perfectly secure. In the event of a personal-data breach likely to result in risk to your rights, we will notify the Spanish DPA within 72 hours and notify you without undue delay.
9. Children
Antigravity is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact privacy@antigravity.com and we will delete it.
10. Changes
We may update this Policy. Material changes will be announced by email and by a banner on the site at least fifteen (15) days in advance. Continued use of the services after the effective date constitutes acceptance.