EFFECTIVE: JULY 17, 2026
Privacy Policy
This policy explains how SixSentences_ processes personal data on the website sixsentences.com, in the web application at app.sixsentences.com and through the programming interface at api.sixsentences.com (together: the "Service"). It is written to meet Articles 12 to 14 of the EU General Data Protection Regulation (GDPR). Privacy is a design goal of this product: we collect little, we track nothing, and everything you store in your workspace can be deleted by you at any time.
1. Controller
The controller responsible for all processing described here is:
Lukas Buck
Dorfstraße 11
72660 Beuren, Germany
Email: hello@sixsentences.com
A data protection officer has not been appointed because the legal thresholds of Art. 37 GDPR and § 38 BDSG are not met.
2. The short version
- No advertising, no tracking pixels, no analytics scripts.
- No cookies. We use the browser's local storage only for your session token and interface preferences, which is strictly necessary for the Service (§ 25 (2) TDDDG).
- Your research content (questions, protocols, decisions, library) belongs to your workspace, is never used for advertising or for training models by us, and is deleted when you delete it.
- Questions you ask are answered by external AI model providers. You choose the model, and with it the provider that processes your request text.
- You can delete individual chats, whole searches or your entire account yourself, at any time, without asking us.
3. Hosting and infrastructure
The entire Service, the website, the web application, the interface and the database that hold your workspace data, runs on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, in data centers located in Germany, under a data processing agreement pursuant to Art. 28 GDPR. No hosting provider outside the European Union is involved in operating the Service itself.
Server logs
When you access any part of the Service, the web servers process the data that your browser transmits: IP address, date and time, requested resource, referrer, browser and operating system identification. These logs are needed to deliver the Service, to defend against abuse and to diagnose faults (legal basis: Art. 6 (1) (f) GDPR). They are kept short term, typically no longer than 14 days, and are not merged with any other data.
4. The waitlist
If you request access on the landing page we store your email address, the time of the request and your browser identification (to filter automated signups). Purpose: managing access to the closed test phase and sending you one invitation email when it is your turn. Legal basis: Art. 6 (1) (b) GDPR (steps prior to entering into a contract, taken at your request).
We send no newsletter and no promotional email to this address. Waitlist entries are deleted once general registration opens, at the latest twelve months after signup, or immediately upon your request to hello@sixsentences.com.
5. Account and workspace
When an account is created we process your email address, your first name (used to address you in the interface), a password hash (PBKDF2, never the password itself) and the name of your workspace. Legal basis: Art. 6 (1) (b) GDPR. Workspaces are strictly isolated from one another.
Account data is stored until the account is deleted. You can delete your account yourself in the settings; deletion permanently removes the account together with the workspace content described in section 6. Administrators of the Service can also delete accounts upon request.
6. Research content you create
Using the Service creates content inside your workspace: research questions, chat conversations, search protocols, retrieved bibliographic records, screening decisions with their reasons, reports, copies of openly available full texts in your library, and export files. We process this content exclusively to provide the Service to you (Art. 6 (1) (b) GDPR).
- We do not read, evaluate or share workspace content except where technically unavoidable for operation, legally required, or explicitly requested by you (for example in a support case).
- We do not use your content to train models.
- You can delete single chats, single searches, your whole chat history or the entire account at any time; deletion is permanent.
- Please do not enter special categories of personal data (Art. 9 GDPR) or other people's personal data into research questions. The Service searches scholarly literature; questions about publications do not require personal data.
7. AI model providers
Answering questions, writing protocols and screening records is performed by large language models operated by external providers. For each request only the text needed for the task is transmitted: your question or instruction, and the titles, abstracts or passages under review. Account data such as your email address is never part of these requests. Legal basis: Art. 6 (1) (b) GDPR; transfers to third countries rest on the providers' EU standard contractual clauses and, where applicable, on Art. 49 (1) (b) GDPR, because the processing is necessary to perform the very request you submit.
Providers currently in use:
- Hangzhou DeepSeek Artificial Intelligence Co., Ltd., Hangzhou, People's Republic of China ("DeepSeek").
- MiniMax (international service, operated from Singapore) ("MiniMax").
You stay in control: the model menu in the app lets you choose, for every question, which provider processes your text. The providers available at any time are listed in that menu, and this policy is updated when the roster changes. If you do not want a specific provider to see a request, choose a different model for it.
8. External research sources
To run searches the Service queries scholarly indexes and, when you enable it, the open web. Your search strings (not your identity) are transmitted to these sources. The scholarly core is OpenAlex, operated by OurResearch, Vancouver, Canada, with infrastructure in the USA. Full texts are retrieved from the publishers' or repositories' servers wherever they are openly available. If you connect your Zotero account, exports are pushed to Zotero (Corporation for Digital Scholarship, USA) using the API key you provide; this happens only on your explicit action.
9. Cookies, local storage and tracking
The Service sets no cookies and embeds no third party tracking, advertising or analytics. The web application stores in your browser's local storage: your session token (so you stay signed in) and interface preferences such as the sidebar state. This storage is strictly necessary to provide the Service you request (§ 25 (2) No. 2 TDDDG) and therefore requires no consent banner. Signing out removes the session token.
10. Payments
During the current test phase there is no payment processing: plans are assigned manually by the operator, free of charge. When paid subscriptions launch, payments will be handled by a payment service provider, and this policy will be updated beforehand to name the provider and the data involved. We will never store full card numbers ourselves.
11. API and webhooks
Workspaces can create API keys and register webhook endpoints. Events about your own searches are then delivered to the URL you configure. Choosing a trustworthy endpoint is your responsibility; the payloads contain the same search metadata you see in the app, scoped to your workspace.
12. Storage periods
- Account and workspace content: until you delete it or delete the account.
- Waitlist entries: until general registration opens, at most twelve months, or until you ask us to remove you.
- Server logs: short term, typically no longer than 14 days.
- Backups: encrypted, rotated on a short cycle; deleted content falls out of the backup rotation automatically.
- Statutory retention duties (for example for invoices, once billing exists) remain unaffected.
13. Recipients and processors
We share personal data only with the processors and recipients named in this policy: Hetzner (hosting of the website, the app, the API and the database, in Germany), the AI model provider you select per request (DeepSeek or MiniMax), OpenAlex/OurResearch and the open web sources queried during searches, and Zotero if you connect it. A data processing agreement pursuant to Art. 28 GDPR is in place with our hosting processor. We never sell personal data.
14. International transfers
Where processing happens outside the European Economic Area, it rests on an adequacy decision (for example for processors certified under the EU-US Data Privacy Framework), on the EU standard contractual clauses, or, for the model requests you initiate, on the necessity for performing your request (Art. 49 (1) (b) GDPR). The model menu keeps the choice of provider, and with it the destination of your request text, in your hands.
15. Security
All connections are encrypted in transit (TLS). Passwords are stored only as salted PBKDF2 hashes. API tokens are stored only as SHA-256 hashes. Workspaces are isolated at the application layer, administrative functions require an interactive session, and access to production systems follows the least privilege principle.
16. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you (Art. 15),
- rectification of inaccurate data (Art. 16),
- erasure (Art. 17) and restriction of processing (Art. 18),
- data portability for data you provided to us (Art. 20); note that the app's export functions already cover your research content,
- object to processing based on legitimate interests (Art. 21), and
- withdraw any consent at any time with effect for the future (Art. 7 (3)).
To exercise these rights, write to hello@sixsentences.com. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority responsible for us is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany.
17. No automated decision-making
The Service makes no automated decisions with legal or similarly significant effect on you (Art. 22 GDPR). The automated screening the product performs concerns scholarly publications, not people.
18. Children
The Service is aimed at researchers and is not directed at children under 16. We do not knowingly collect data from children.
19. Changes to this policy
We update this policy when the Service changes, for example when new processors are added or billing launches. The effective date at the top always reflects the current version, and material changes are announced in the app before they take effect.