Most scholarly platforms watch what you read and sell the trail.
CiteStamp’s entire product is public records about papers — private records
about you are a liability we refuse to hold. This page lists everything we touch.
It is short because there is not much.
What this site does not do
No analytics. No tracking pixels. No fingerprinting. No ad tech.
No tracking cookies — which is why there is no cookie banner to click away.
No browsing history, reading list, or interest profile, on the site or in the
extension. We never learn what you read — only what you explicitly ask the graph about.
Open your browser’s network tab and count the trackers: the only third-party
request a page makes is to Google Fonts for typeface files. Google sees that request’s
standard metadata (IP address, user agent); no analytics flow back to us from it.
What stays in your browser
item
what it is
cs_theme
localStorage — your dark/light choice
citestamp_token
localStorage — only if you paste an API key on the main page; never set otherwise
cs_staged:<name>
localStorage — claims you stage in the writing picker, keyed by manuscript name. These never reach our servers; export is a file download.
cs_claim
cookie — set only after you sign in with ORCID to claim a paper; HttpOnly, expires in 24 hours
What crosses the wire
Asks. When you query the graph, the identifier you typed is the request.
Anonymous requests are rate-limited by IP address; the IP is held transiently in a
sliding-window counter and is not written to any record.
Picker searches. The writing picker searches OpenAlex directly from your
browser — your manuscript text never touches a CiteStamp server. OpenAlex sees the
search string under its own policy.
ORCID sign-in. Claiming a paper sends you to orcid.org; ORCID returns your
iD and public name to us, nothing else.
The short list of what we store
The public graph. Claims connecting public identifiers — no full text, no
abstracts, no personal data on any node. A claim you sign carries your public researcher
identifier, and it is permanent on an append-only log. That is not a privacy accident;
it is the product. The one thing we keep forever is the thing you asked us to publish.
Citation-alert contacts. If you opt in: your email, ORCID iD, the papers you
watch, and the exact consent text you agreed to. Stored apart from the graph, never on
the public log, never shared. Unsubscribing is one click from any alert and never asks
you to log in; deletion requests by email work too.
Claim accounts. Your ORCID iD and the signing key we custody for you,
encrypted at rest. The iD is a public identifier by design.
The browser extension
The CiteStamp extension reads the page you are on locally to find a paper
identifier (a DOI). When it finds one, it sends only that identifier to
api.citestamp.com to fetch the paper’s public citation record. That is the entire
data flow. It collects no browsing history, runs no analytics, loads no remote code, and
sells nothing — there is nothing to sell. Anything you stage through it stays in your
browser, same as the table above.
Email
You will only ever get two kinds of email from us: replies to mail you sent, and
citation alerts you explicitly opted into. No newsletters you did not ask for, no
“we miss you.”
Changes
This page lives in an open-source repository, so every edit to it is publicly
diffable. We run an append-only log for a living — we are not going to quietly rewrite
a privacy policy.
Contact
Questions, deletion requests, anything:
info@citestamp.com. A human reads it.