Privacy Policy
Last updated: June 2026
MorningRead (“we”, “us”) delivers one personalized research paper each morning with optional AI summaries. This policy explains what personal data we process, why, the legal basis, who we share it with, and the rights you have under the EU/UK General Data Protection Regulation (GDPR).
1. Data controller
MorningRead is the data controller for the personal data described here. For any privacy request, contact privacy@morningread.ai.
2. Data we collect
- Account: email, name, and (if you sign in with ORCID, Google, or Apple) the identifier and profile fields those providers return. Email/password accounts store a salted bcrypt hash, never the password itself.
- Research profile: your interests/keywords, followed and excluded journals, affiliation, and reading preferences (summary length, expertise level, model, delivery time, timezone).
- Usage: which papers were recommended, viewed, saved, or marked read; AI summaries generated for you; questions you ask in Q&A.
- Device: push notification token and delivery settings (if you enable notifications); basic security logs (IP address, timestamp) for login attempts.
3. Why we use it & legal basis
- Provide the service (recommendations, summaries, Q&A, notifications) — performance of a contract.
- Account security (login-attempt logging, lockout) — legitimate interests.
- Analytics & advertising (only if you accept the cookie banner) — consent, which you may withdraw at any time.
4. Who we share data with (processors)
- OpenRouter — to generate summaries and answer Q&A, we send the article text and your question/expertise level. We do not send your name or email. (If you provide your own AI key, requests use your key.)
- OAuth providers (ORCID, Google, Apple) — only when you choose to sign in with them.
- Apple Push Notification service / Web Push — to deliver the daily reminder, if enabled.
- Google Analytics & Google AdSense — only after you consent via the cookie banner.
- PubMed, Europe PMC, OpenAlex, Unpaywall — for article metadata. We send search terms, not personal identifiers.
5. International transfers
Some processors are located outside the EEA. Where that is the case, transfers rely on the provider’s Standard Contractual Clauses or an adequacy decision.
6. Retention
We keep your account and profile data while your account is active. Security logs are kept only as long as needed to protect the service. When you delete your account, your personal data is erased (see below); shared, non-personal article metadata caches may be retained.
7. Your rights
- Access & portability — export all your data as JSON from Profile → “Export my data”, or request it from us.
- Rectification — edit your profile and preferences in the app at any time.
- Erasure — delete your account (Profile → Account → Delete account); this permanently removes your personal data.
- Withdraw consent — change analytics/ads consent anytime via “Cookie settings” in the footer.
- Complaint — you may lodge a complaint with your local data protection authority.
8. Children
MorningRead is not directed to children under 16, and we do not knowingly collect their data.
9. Changes
We’ll post any changes here and update the date above. Material changes will be highlighted in-app.
See also our Terms of Service and Cookie Policy.