Privacy Policy
Last updated: 12 June 2026
1. Introduction
SiestaStudio ("the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal information when you use our Service, in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Spanish Organic Law 3/2018 on the Protection of Personal Data (LOPDGDD).
SiestaStudio is currently provided as a free, non-commercial academic beta — see the Terms of Service for details on permitted use.
2. Data Controller
Arsalan Akhtar
Individual researcher operating SiestaStudio as a free, non-commercial academic beta.
Barcelona, Spain
Email: sr.arsalan.akhtar@gmail.com
Full postal address available on written request to the email above.
No Data Protection Officer (DPO) is appointed: SiestaStudio does not meet the thresholds in Art. 37(1) GDPR (no large-scale systematic monitoring, no large-scale special-category data). For all data-protection enquiries, contact the email above.
3. Information We Collect
3.1 Information you provide directly
- Name and email address (registration form)
- Password (stored only as a bcrypt hash, never in plaintext)
- Optional profile fields: organization / institution, position / role, country, research field
- Content you create or upload: saved calculations, input files (.fdf), workflow definitions, presets, project notes, comments, support tickets, ideas
- Uploaded SIESTA output files for analysis (SCF, DOS, bands, PDOS, tbtrans, vibra, fat/mprop, macroave)
- HPC connection credentials — if you optionally configure a connection to an external HPC cluster: hostname, username, port, working directory, and either an SSH password or an SSH private key (with optional passphrase). Credentials are encrypted before storage; see §7
- Marketing consent preferences (recorded with date of consent)
3.2 Information we receive from OAuth providers
When you choose to sign in with Google or GitHub, we receive from that provider:
- Name and email address
- Profile image (if you have one set with that provider)
- Provider account identifier (used internally to link your sign-ins)
We do not receive your password, social-graph, or any other data beyond the public profile fields above. ORCID sign-in is temporarily disabled.
Provider-switch protection: if you originally registered using email/password (or one OAuth provider) and later attempt to sign in with a different OAuth provider that returns the same email address, we will refuse the sign-in and log a login_provider_conflict audit entry rather than silently taking over your account. This prevents account takeover via OAuth-email collision. To change the sign-in method for an existing account, contact us at the email in §17.
3.3 Operational data
- Login timestamps, login count, and last-active time
- Storage usage statistics and calculation count
- Audit-log entries: action performed, resource, your IP address and user-agent string (purged automatically after 90 days; see §12)
- Rate-limit and bot-protection signals (Cloudflare Turnstile token; signup IP)
3.4 Assistant queries
When you use the in-app documentation assistant, the questions you submit and the answers and sources returned are saved to your account so you can revisit them across your devices, and to help us improve the assistant. Our legal basis is our legitimate interest in providing and improving the service (Article 6(1)(f) GDPR). Entries are automatically deleted 12 months after they are created, and you can delete any entry — or your entire history — at any time from the assistant. This data is included in your data export and is permanently erased when you delete your account. The assistant runs on your device; we store these queries and answers but do not share them with third parties. Because this processing relies on our legitimate interest, you have the right to object to it at any time under Article 21 GDPR — you can stop it by emailing us at sr.arsalan.akhtar@gmail.com, turning off saving in the assistant, and deleting your stored history yourself at any time. If you turn on the optional AI answers, the small language model that produces them is downloaded once to your browser from a public model-hosting service (the MLC / Hugging Face content-delivery network); that service may see your IP address while the model files download, but it receives none of your question text. The model then runs entirely on your own device — no AI service receives your questions, and the answer is generated locally.
4. How We Use Your Information
- To provide and maintain the Service (account, calculations, workflows, analyses)
- To authenticate your identity and protect your account
- To save, retrieve, and let you export your work
- To respond to support tickets and ideas you submit
- To detect and prevent abuse (rate limits, bot protection, audit trail)
- To send service emails strictly necessary to operate your account (password reset, account changes, security notices, ticket replies)
- To send product updates, newsletter, and tips — only if you have opted in (see §6)
5. Legal Basis for Processing
Article 6(1) GDPR requires us to identify a legal basis for every processing activity. The following table maps each purpose to its basis:
| Purpose | Legal basis |
|---|---|
| Account creation, authentication, providing the Service | Art. 6(1)(b) — performance of a contract (our Terms of Service) |
| Audit logs, rate limiting, bot protection, abuse prevention | Art. 6(1)(f) — legitimate interest in keeping the Service available and secure |
| Saving documentation-assistant questions, answers, and sources (history; see §3.4) | Art. 6(1)(f) — legitimate interest in providing and improving the assistant |
| Marketing emails (product updates, newsletter, tips) | Art. 6(1)(a) — your explicit consent, withdrawable at any time |
| Responding to data-subject rights requests (access, deletion, etc.) | Art. 6(1)(c) — legal obligation under GDPR |
| Retaining audit logs for defence of legal claims and abuse investigation | Art. 6(1)(f) — legitimate interest; Art. 17(3)(e) — defence of legal claims |
6. Marketing Communications
We only send marketing communications if you have explicitly opted in. You can change your preferences at any time in Profile → Email Subscriptions (marketing consent, product updates, newsletter, tips). Withdrawing consent does not affect the lawfulness of processing before withdrawal. We record the date you gave consent so we can demonstrate compliance with Art. 7 GDPR.
7. Data Storage and Security
Your data is stored in a self-hosted MongoDB 8 database running on a Hetzner Cloud server located in Germany (EU). The database listens on the server's loopback interface (127.0.0.1) only and is not directly reachable from the public internet. Encryption in transit between your browser and the Service is provided by TLS 1.2+ (Let's Encrypt certificate); HSTS is enabled site-wide.
Disk-level encryption at rest is not currently enabled on the server. The boot volume uses a standard ext4 filesystem. We are honest about this rather than implying a protection we do not yet provide. Sensitive credentials (see below) are protected by application-layer encryption that is independent of disk encryption and provides strong protection even if the database files are read directly. Migration to a Hetzner Encrypted Volume for the MongoDB data directory is on the operational roadmap and will be reflected in this section once complete.
Account passwords are hashed using bcrypt (work factor 12) and are never stored in plaintext. Session and CSRF cookies are HttpOnly, Secure, SameSite=Lax, and use the __Host- or __Secure- prefix where the browser supports it.
HPC connection credentials (SSH passwords, private keys, and passphrases) receive a stronger protection independent of disk-level encryption: they are encrypted with AES-256-GCM using a per-user encryption key derived via scrypt from a server-side secret combined with your user ID. This means that even if the database files are read directly, decrypting any user's HPC credentials requires both the server secret and that specific user's identifier — a single compromise does not expose all users. The plaintext credential is only reconstructed in memory at the moment an SSH session is established and is never logged.
Roadmap items being honest about: (a) a scheduled MongoDB backup procedure is on the operational roadmap; we currently rely on user-initiated exports and do not have a routine off-site backup. (b) Hetzner Encrypted Volume migration for at-rest encryption (see paragraph above). Both will be reflected here when shipped.
8. Sub-processors and Third Parties
We rely on the following sub-processors to operate the Service. Each is bound by its own data-processing agreement and privacy policy.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, storage, network | Germany (EU) |
| Resend, Inc. | Transactional and (opt-in) marketing email delivery | USA (EU-US Data Privacy Framework) |
| Cloudflare, Inc. | Bot protection (Turnstile) on signup and sign-in | USA (EU-US Data Privacy Framework) |
| Google LLC | OAuth authentication (if you sign in with Google) | USA (EU-US Data Privacy Framework) |
| GitHub, Inc. (Microsoft) | OAuth authentication (if you sign in with GitHub) | USA (EU-US Data Privacy Framework via Microsoft) |
| ORCID, Inc. (currently disabled) | OAuth authentication (re-enabling planned) | USA |
| PseudoDojo | Source of pseudopotential files (proxied via our server; no user identity is forwarded) | EU (academic infrastructure) |
9. International Data Transfers
Where sub-processors are located outside the European Economic Area, personal data transfers are protected by one or more of the following safeguards (Art. 46 GDPR):
- EU-U.S. Data Privacy Framework certification (currently relied upon for Google, GitHub via Microsoft, Cloudflare, and Resend)
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a fallback where DPF certification is not available
- Transfer Impact Assessments documenting why the destination country offers protection essentially equivalent to GDPR (kept on file)
You may request a copy of the safeguards in place for any specific transfer by contacting us at the email in §2.
10. Your Rights
Under the GDPR you have the following rights with respect to your personal data:
- Access (Art. 15) — view all data we hold about you through your profile page and the data-export feature
- Rectification (Art. 16) — update your profile information at any time
- Erasure (Art. 17, "right to be forgotten") — delete your account and all associated data from your profile settings
- Restriction (Art. 18) — request that we restrict processing in certain situations; contact us to do so
- Data portability (Art. 20) — export your data instantly from Profile → Danger Zone → Export My Data as a ZIP archive (JSON + files)
- Objection (Art. 21) — object to processing based on legitimate interest at any time
- Withdraw consent (Art. 7(3)) — withdraw marketing consent at any time from your profile
- Lodge a complaint (Art. 77) — you may complain to the Spanish Data Protection Agency (AEPD, www.aepd.es) or to the supervisory authority of your EU/EEA country of residence
We will respond to rights requests within one month (extendable by two further months for complex requests, with notice; Art. 12(3) GDPR).
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR). Bot-protection (Cloudflare Turnstile) and rate-limiting are technical safeguards applied uniformly to all users; they are not decisions about you as a person.
12. Data Retention & Deletion
We apply the following retention criteria:
- Active accounts: retained for as long as the account is active
- Inactive accounts: we may contact you after 24 months of inactivity; if there is no response within 90 days, the account may be deleted
- Audit logs: automatically purged 90 days after creation, regardless of account status (enforced by database TTL index)
- Documentation-assistant history: each saved question, answer, and its sources is automatically deleted 12 months after creation (database TTL index), with at most ~50 entries kept per user; you can delete entries — or turn saving off — yourself at any time
- Email-delivery logs (at Resend): retained per Resend's data retention policy (typically 30 days)
- Server access logs (nginx): rotated weekly, retained no longer than 30 days
- Application runtime logs (PM2 stdout/stderr): rotated automatically by PM2 (default size cap), retained no longer than 30 days; these may contain user IDs and error traces but never plaintext passwords or HPC credentials
When you delete your account, the following are permanently removed: your profile; calculations, analyses, and analysis folders; projects you own and their full contents (members, comments, files, notes, activity, sub-spreadsheets); spreadsheets and sheet comments; HPC connections and terminal sessions; notifications; support tickets and your replies on other users' tickets; alpha-tester invitations; your documentation-assistant history; and direct messages you have sent.
You are also removed from collaborative documents owned by other users (project member lists, conversation participants, ticket reply threads); those documents remain with their owners.
Audit logs are retained for security and abuse-prevention purposes (Art. 6(1)(f) legitimate interest; Art. 17(3)(e) defence of legal claims). Upon account deletion, your email is replaced by "[deleted]" and your IP address and user-agent string are removed from every audit log entry linked to you. Entries are automatically purged 90 days after they are created, regardless of account status.
If the Service is discontinued, the procedure described in Terms §10 (Discontinuation of the Service) applies: 30 days' advance notice, continued availability of the data-export feature during the notice period (Art. 20 portability), and deletion of all personal data on the shutdown date in accordance with the right to erasure (Art. 17), subject to the limited retention exceptions above. User account data will not be transferred to any third party without your explicit consent.
13. Personal Data Breaches
In the event of a personal data breach, we will notify the AEPD within 72 hours of becoming aware of the breach where required (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).
14. Cookies
We use only strictly-necessary cookies. These do not require consent under the ePrivacy Directive because they are essential to providing the service you explicitly request by signing in or by accepting an alpha-tester invitation. We do not use tracking, advertising, or analytics cookies, and we do not embed third-party advertising tags.
The cookies we may set are:
| Cookie | Purpose | Lifetime |
|---|---|---|
__Secure-authjs.session-token (or __Host- equivalent) | Authenticated session JWT, set after successful sign-in | Session (cleared on sign-out) |
__Host-authjs.csrf-token | CSRF protection for sign-in and account-mutation endpoints | Session |
__Secure-authjs.callback-url | Stores the post-sign-in destination URL during the OAuth round-trip | Short-lived (cleared after the redirect completes) |
__Host-maintenance_bypass | Only set when an administrator has explicitly granted you a maintenance-mode bypass token; allows access during maintenance windows | Up to the token's expiry (typically 24 hours) |
__Host-alpha_bypass | Set when you accept an alpha-tester invitation; allows access to the Service during the academic-beta gating | Up to the token's expiry (configurable per invitation) |
All cookies above are HttpOnly, Secure, and SameSite=Lax. If we ever introduce a non-essential cookie (e.g. analytics), we will deploy a cookie-consent banner before that cookie is set, and update this section.
15. Children's Privacy
The Service is intended for researchers and students in higher education. We do not knowingly collect information from children under 16. Spain's LOPDGDD sets the digital-consent age at 14, but SiestaStudio applies the higher GDPR baseline of 16 across all users for consistency.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page always reflects the most recent revision.
Material changes — changes that affect your rights or how we process your personal data (for example: a new lawful basis, a new category of personal data we collect, a new sub-processor in a non-adequate country, weaker retention guarantees, or a new disclosure to a third party) — will be brought to your attention by a prominent notice shown in the Service the next time you sign in. Where the change affects a processing activity that relies on your consent, we will ask you to re-consent before the change takes effect.
Non-material changes — such as clarifications of existing wording, typo fixes, structural reorganisation, or updates to processor contact details — will be reflected by bumping the "Last updated" date; no separate notification is sent.
If you disagree with any change, you may exercise your rights under §10 — including erasure of your account — before the change takes effect.
17. Contact
For questions about this Privacy Policy or to exercise any of the rights in §10, contact us at sr.arsalan.akhtar@gmail.com. We aim to respond within one month (Art. 12(3) GDPR).