Privacy Policy

Last updated: July 2026

Who we are

Papyrium is an independent software project, operated from Lithuania by Alex Bush, who is the data controller for the purposes of this policy. It covers both the website papyriumlib.com and the Papyrium desktop app, and the data collected through them. For any privacy-related questions, or to exercise your data rights, contact us at privacy@papyriumlib.com.

What we collect

Analytics (optional)

If you accept cookies, we use Google Analytics (GA4) to understand how visitors use this site. This includes pages visited, time on site, device type, and approximate location (country/region level). Your IP address is anonymized. This data is processed by Google LLC and subject to Google's Privacy Policy. You can decline analytics cookies at any time using the banner or by clearing your browser's local storage.

Newsletter (if you subscribe)

If you submit your email address, it is stored and used only to send you updates about Papyrium — new versions, announcements, and founding discount information. Your email is never sold or shared with third parties for their own marketing; it is processed only by the service providers that run our newsletter and site (see below). You can unsubscribe at any time via the link in any email we send.

Feedback and support emails

If you email us feedback or a support request, we process your email address and the contents of your message so we can respond, troubleshoot issues, and improve Papyrium.

Cookies

We only set analytics cookies if you accept analytics. Until you accept, the Google Analytics script is not loaded at all — no analytics cookies are written and nothing is sent to Google. When you accept, Google Analytics loads and sets cookies (_ga, _ga_*) that persist for up to 2 years. If you decline, the script stays unloaded and no Google Analytics cookies are set. Your preference is saved in your browser's local storage.

Third-party services

  • Netlify — hosts this website and processes newsletter form submissions. Like most websites, our hosting provider may process basic request data such as IP address, browser/user agent, requested URL, and timestamps for hosting, security, abuse prevention, and reliability. Netlify Privacy Policy
  • Google Analytics — site analytics (only if you accept cookies). Your IP address is anonymized. If you decline, Google Analytics is not loaded and no cookies are set. Google Privacy Policy
  • GitHub — download buttons fetch the latest release information from GitHub's public API and may redirect your browser to GitHub Releases to download the app. The desktop app also contacts GitHub to check for and download updates. GitHub Privacy Statement
  • PostHog — pseudonymous product analytics inside the Papyrium desktop app, processed in the EU region. Only active if you enable analytics (off by default); see "The Papyrium app" below. PostHog Privacy Policy

Legal bases for processing

  • Analytics (website and in-app) — your consent. You can withdraw it at any time.
  • Newsletter — your consent. You can withdraw it at any time by unsubscribing.
  • Feedback and support emails — our legitimate interest in responding to you and improving Papyrium.
  • Hosting and security logs — our legitimate interest in operating the site securely and reliably and preventing abuse.

Data retention

Website analytics (Google Analytics) data is retained for 14 months. In-app product-analytics events (PostHog) are retained for up to 12 months. Email addresses are retained until you unsubscribe or request deletion, and support and feedback emails are kept only as long as needed to handle your request and for a reasonable period afterward.

Your rights

Under GDPR and similar laws, you have the right to access, correct, or delete your personal data; to object to or restrict its processing; to data portability where applicable; and to withdraw consent at any time (without affecting processing already carried out before withdrawal). To exercise any of these rights, contact us at privacy@papyriumlib.com. We will respond within one month.

You also have the right to lodge a complaint with a data protection authority — in Lithuania, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI).

The Papyrium app

Papyrium is local-first: your books, notes, annotations, and library contents are stored on your device, and the app does not send them to our servers. Some optional features may copy or sync your data to a destination you control (such as your own cloud storage) or exchange limited data with a service you turn on — see "Optional features that send data" below.

How the app processes your books

To show covers, display metadata, and power search (and, in future, optional AI features), Papyrium processes the books you add directly on your device. Derived data — extracted text, cover images, metadata, and search indexes — is stored locally alongside your library and is not sent anywhere unless you enable an optional feature that sends data.

Usage analytics (optional, off by default)

The app includes optional, pseudonymous usage analytics that are turned off by default. You are asked during first-run setup, and you can turn analytics on or off at any time in Settings → General. When enabled, the app uses PostHog (EU region) to record product-usage events such as app launches and onboarding steps, together with basic device information: operating system and version, device type, time zone, and a randomly generated device identifier. This identifier is not linked to your name or any account, but because it is persistent it is treated as personal data under the GDPR. Approximate location (country/region level) may be derived from your IP address by PostHog.

What analytics never include

Analytics never include your book files, book content, notes, highlights, tags, file names, file paths, or any other library contents. No account is required, and the data is not linked to your identity or your library content.

Connected AI clients — MCP (optional, off by default)

Papyrium can run a local MCP (Model Context Protocol) server so that AI applications you choose to connect — for example, Claude or other MCP-compatible clients — can work with your library. The server runs on your device and is off by default. Connected clients can read library metadata, file paths, annotations, highlights, notes, and bookmarks — not the full text of your books — and write access is a separate opt-in. Papyrium itself does not send this data anywhere: a connected client decides what it reads and may send it to its own AI provider under that provider's terms, so review the privacy terms of any client you connect.

Update checks

The app periodically contacts GitHub to check for new releases and to download updates. Like any network request, this includes your IP address and standard technical information (app version, platform) — never any library content.

Optional features that send data

Some features are off until you enable them and may send data outside your device. For example, syncing your library to your own cloud storage keeps it under your control through that provider, and a future AI assistant would send relevant excerpts of a book, plus your question — but never your book files or your library wholesale — to an AI provider to answer it. Any feature that sends your data to us or to a third party is opt-in, indicated in the app, and documented in this policy before it processes your data.

Changes to this policy

We may update this policy as the product evolves. The date at the top of this page reflects the most recent revision.