Privacy Policy
Effective 2026-05-02 · Tessera (https://tessera.study)
This Policy explains what personal data Tessera collects, why we collect it, and what choices you have about it. Plain-English summaries lead each section; the details follow.
1. What we collect
Account data. When you register, we collect your email address, a chosen display name, and a password (which we never store in plaintext — we store a bcrypt hash).
Profile data. Optional fields you fill in: bio, avatar URL, and (if you link Bluesky) your AT Protocol DID and handle.
Research content. Notes, annotations, citations, knowledge-graph nodes and edges, reading lists, and any documents you choose to sync. This is "Your Content" under the Terms of Service.
Device data. When the desktop app syncs, we record a per-device identifier, hostname, OS, app version, and the last sync timestamp so you can manage your active devices and so we can resolve sync conflicts.
Logs. Standard server logs (timestamps, IP addresses, user-agent strings, request paths, status codes) for security, abuse prevention, and debugging. We do not use these for behavioral advertising.
Communications. Email addresses to and from which we send transactional email (verification, password reset, share notifications, account-deletion confirmations). We do not currently send marketing email.
2. How your data is protected
Encryption at rest. Personally identifying fields in our database — email, display name, bio, Bluesky handle, and DID — are encrypted with AES-256-GCM before they are written. The encryption key is held only on our servers and is not stored in the database.
Blind indexes. So that we can still look you up by email or Bluesky handle, we store a separate keyed HMAC ("blind index") of those fields. The blind index lets us compare for equality without ever decrypting; an attacker with read access to the database alone cannot recover the original value from the blind index.
Two independent keys. The encryption key and the blind-index key are independent, so a compromise of one does not enable both enumeration AND decryption of your data.
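The field-encryption and blind-index scheme described above, sketched as an added example (not Tessera's own code). The key handling, function names, row layout, HMAC-SHA-256 as the keyed hash, the normalization step and the use of the field name as associated data are all assumptions made for illustration.

```javascript
// Added example: AES-256-GCM field encryption plus a keyed blind index.
// Names, keys and row layout are assumptions, not Tessera's implementation.
const crypto = require('node:crypto');

// Two independent 256-bit keys (constructed here; in practice they would be
// loaded from a secret store that is not the database).
const ENC_KEY = crypto.randomBytes(32);
const INDEX_KEY = crypto.randomBytes(32);

// Canonicalize before indexing so " A@x.org" and "a@x.org" map to one index.
function normalize(value) {
  return value.normalize('NFKC').trim().toLowerCase();
}

// Blind index: deterministic keyed HMAC, usable for equality checks only.
// The field name is mixed in so equal values in different columns differ.
function blindIndex(value, field) {
  return crypto.createHmac('sha256', INDEX_KEY)
    .update(field + '\0' + normalize(value)).digest('hex');
}

// AES-256-GCM with a fresh 96-bit nonce per write. The field name is bound as
// associated data, so a ciphertext moved to another column fails to decrypt.
function encryptField(plaintext, field) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', ENC_KEY, nonce);
  c.setAAD(Buffer.from(field));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]).toString('base64');
}

function decryptField(stored, field) {
  const raw = Buffer.from(stored, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  d.setAAD(Buffer.from(field));
  d.setAuthTag(raw.subarray(12, 28)); // 16-byte GCM tag follows the nonce
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// What a stored row holds: ciphertext and index, never the plaintext.
function makeRow(email) {
  return { email_enc: encryptField(email, 'email'), email_idx: blindIndex(email, 'email') };
}

// Stands in for an equality query on the index column: recompute, compare.
function findByEmail(rows, email) {
  const want = blindIndex(email, 'email');
  return rows.find((r) => r.email_idx === want);
}
```

Because the index is deterministic, anyone holding the index key can test guesses against it, which is why it is kept separate from the encryption key and out of the database.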
Passwords. Never stored in plaintext. We hash with bcrypt at cost 12. Reset and verification tokens are stored as SHA-256 hashes; the plaintext is shown to you exactly once via email.
Transport. All connections to https://tessera.study are TLS-encrypted. The desktop sync client connects over the same TLS channel.
3. Where your data is stored
Our production database (PostgreSQL) and application servers are operated on Railway, hosted in the United States. Backups and large binary assets (release installers, screenshot uploads) are stored in S3-compatible object storage. Email is delivered through Resend. By using the Service, you consent to your data being processed in the United States, even if you reside elsewhere.
4. Third-party services
To make academic search work, we query the following metadata APIs on your behalf when you initiate a search or import: Semantic Scholar, OpenAlex, arXiv, PubMed, Crossref, and similar public scholarly metadata providers. The query terms you enter are transmitted to those services. We do not share your account identity with those providers.
If you link a Bluesky / AT Protocol account, the relevant tokens are exchanged with your Personal Data Server (PDS) per the AT Protocol specification.
5. Cookies and similar technologies
We use a single session cookie (tessera_session) to keep you signed in to the web shell, plus a short-lived tessera_flash cookie that carries success and error banners across redirects. We do not use third-party analytics, advertising, or behavioral tracking cookies.
6. Sharing your data
We do not sell your personal data, and we do not share it with advertisers. We share data only:
- With service providers (Railway, Resend, S3 storage) strictly to operate the Service.
- With other users when you choose to publish a graph or share content with them — only the data you explicitly chose to share.
- For legal compliance when required by valid legal process. We will, where allowed, notify you before responding to such requests.
- In a business transfer (merger, acquisition, asset sale), in which case the recipient must continue to honor this Policy or you'll be given an opportunity to delete your data first.
7. Your rights
You can:
- Access and correct your account data from your profile.
- Change your email via a verification flow that requires confirming the new address.
- Export your content from the desktop app at any time — your library is yours.
- Delete your account from your profile. Deletion runs after a 24-hour grace period (during which you can cancel from the email we send), then wipes your data from production. Backups containing pre-deletion data may persist for up to 30 days before they roll off.
- Object, restrict, or port your data, or lodge a complaint with a data protection authority where applicable (e.g., GDPR, UK GDPR, CCPA).
To exercise any right not directly available in the product, email support@tessera.study from the address on your account.
8. Data retention
We retain your account data for as long as your account is active. After deletion: production data is wiped within 24 hours of the scheduled deletion time; backups roll off within 30 days. Logs are retained for up to 90 days. Aggregate, de-identified usage statistics may be retained indefinitely.
9. Children
The Service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe we have, contact us at support@tessera.study and we will delete the account.
10. Security disclosures
If you believe you have found a security vulnerability in the Service, please report it to support@tessera.study. We will acknowledge within 72 hours, and we appreciate good-faith research.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-product notice before they take effect.
12. Contact
Questions about this Policy or the data we hold? Email support@tessera.study.
See also our Terms of Service.