Provenance

Privacy Policy

Last updated: May 25, 2026

Provenance (provenance.works) is a content provenance registry for creators. This page explains what data we collect, why we collect it, and what we do with it. We aim to be straightforward — no legalese.

What we collect

Account & profile

When you register, we store your email address (via Supabase Auth), display name, creator type, bio, website URL, and optionally your ORCID iD. Registration is entirely voluntary and opt-in.

Works

For each work you register, we store its title, metadata, any DOIs you provide, and a semantic embedding (a numeric fingerprint derived from the content). The embedding lets us detect similarity without storing your raw text permanently beyond what's needed to generate it.

Usage events

We log product analytics events — things like which features you use — associated with your creator ID and a timestamp. Event metadata payloads are capped at 4 KB.

IP addresses

Your IP address is held temporarily in memory for rate limiting. It is not written to our database and is not retained after the request window expires.

Enterprise scans

Enterprise users can submit text to check whether it matches registered works. We operate a strict zero-retention policy on scan queries: the submitted text is processed to generate an embedding, then immediately discarded. We store only a SHA-256 hash of the input (for audit integrity), the match count, and the compliance status. We never store the original query text.

How we use your data

  • To provide and operate the Provenance registry
  • To let you prove authorship and detect unauthorized use of your work
  • To verify your identity via ORCID when you choose to connect it
  • To look up your publications via Semantic Scholar and Unpaywall when you choose to import them
  • To improve the product using aggregated, anonymized usage patterns

We do not sell your data to third parties. We do not use your content to train AI models.

Third-party services

We rely on the following services to operate:

Supabase (hosted on AWS)Database and authentication
VercelHosting and edge infrastructure
HuggingFaceGenerating semantic embeddings from work content
ORCIDResearcher identity verification (only when you connect your ORCID iD)
Semantic ScholarPublication lookups (only when you choose to import)
UnpaywallOpen access PDF URLs (only when you choose to import)

Each service has its own privacy policy. We share only the minimum data needed for each function.

Cookies

provenance_accessRecords that you have a valid invite code (early access gate)
csrf_tokenCSRF protection for form submissions
Supabase session cookiesKeeps you logged in
orcid_nonceShort-lived (10 minutes) nonce for ORCID OAuth — deleted after login completes

We do not use advertising or tracking cookies.

Data retention

Your account and registered works are kept for as long as you have an active account. IP addresses used for rate limiting are never persisted to the database. Enterprise scan query text is discarded immediately after processing. If you delete your account, your profile and works are removed from our database; some anonymized aggregate data (e.g., event counts) may remain in logs for a limited period.

Your rights

You can:

  • Export or view your data at any time from your dashboard
  • Delete individual works from your registry
  • Request full account deletion by emailing us
  • Disconnect your ORCID iD at any time from your profile settings

Contact

Questions, requests, or concerns? Email us at hello@provenance.works. We'll respond within a few business days.