Privacy Policy

Last updated 1 June 2026

Zoteus, operated by Oscar Devos (“Zoteus”), is an open-source connector between your Zotero library and AI assistants. This policy covers the website, the self-hosted connector, and the optional hosted tier. The short version: if you self-host, we never see your data; if you use the hosted tier, we store the minimum needed to run it for you, encrypted, and you can delete it at any time.

Self-hosting: we collect nothing

The open-source connector runs on your own machine or server. Your Zotero credentials and library data flow only between your device, your Zotero account, and the AI client you choose. We have no access to any of it, and the connector phones home to nobody.

The hosted tier: what we store

If you subscribe to the hosted connector, we store only what’s required to operate it:

  • Your Zotero API key / login, used solely to access your library on your behalf. It is encrypted at rest (AES-256-GCM) and transmitted over TLS.
  • Your account email and subscription status, to provision and maintain access (managed via Polar — see Payments).
  • Operational logs with secrets redacted, kept for reliability and abuse prevention and deleted within 30 days.

We act as a data processor for your library data — you remain in control of it. We do not read, mine, sell, or use your library or PDFs to train anything. Reads stay scoped to your own library.

We process your account email, subscription status, and encrypted Zotero key because they are necessary to provide the subscription you signed up for (Article 6(1)(b) GDPR — performance of our contract with you). We keep short-term operational logs on the basis of our legitimate interest in keeping the service reliable and preventing abuse (Article 6(1)(f) GDPR).

Payments

Checkout and billing are handled by Polar as the merchant of record. We never see your card details. Polar processes your payment data under its own privacy policy.

Sub-processors

  • Polar — checkout, subscriptions, and licensing.
  • Google Cloud (Google LLC) — hosts the hosted connector instance; see International transfers below.
  • Your own Zotero account — the source of the library data you ask us to access.

International transfers

The hosted connector currently runs on Google Cloud infrastructure located in the United States (region us-central1). This means that if you use the hosted tier, your encrypted Zotero API key and account email are transferred to and stored in the US. We rely on Google Cloud’s Standard Contractual Clauses (and, where applicable, the EU–US Data Privacy Framework) as the safeguard for this transfer under Articles 44–46 GDPR. We are evaluating moving hosting to a Google Cloud EU region to keep this data inside the EEA; if you self-host, no transfer takes place at all.

Retention & deletion

We keep your encrypted key only while your subscription is active. Revoke the key in Zotero at any time to cut off access immediately, cancel to stop renewal, or email us to delete your stored data outright. On cancellation we delete stored credentials within 30 days.

Your rights

Where the GDPR applies, you can request access, correction, deletion, portability, or restriction of your data, and object to processing based on our legitimate interest. Contact privacy@zoteus.com and we’ll respond promptly. You also have the right to lodge a complaint with your data protection authority — in Belgium, the Gegevensbeschermingsautoriteit / Autorité de protection des données.

Security

Credentials are encrypted at rest, traffic is served over HTTPS, and access is scoped to your own library. No system is perfectly secure, but we keep the stored surface area deliberately small.

Contact

The data controller for the hosted tier is Oscar Devos, operating Zoteus from Belgium. You can reach the controller at privacy@zoteus.com for any privacy question or data request. Zoteus is not affiliated with or endorsed by the Corporation for Digital Scholarship / Zotero.