Privacy Policy

What Data We Collect

When you create an account

We use Google or GitHub for sign-in. When you authenticate, we receive and store:

• From Google: Your name, email address, profile picture URL, and Google account identifier
• From GitHub: Your name, email address, username, avatar URL, and GitHub account identifier

When you set up your profile

During onboarding, we ask for:

• University — so we can tailor the experience to your institution
• Programme level (e.g., Undergraduate, Masters, PhD) — so we can suggest appropriate defaults

When you run a literature review

You provide:

• A research topic or question — this is sent to our AI providers for processing (see “Who We Share Data With” below)
• An optional assignment brief — if you upload one

In most cases, a research topic (e.g., “systematic review of CBT for anxiety in adolescents”) is not personal data. In rare cases, a highly specific topic could theoretically be linked to an individual — we treat all topics with the same care and protections regardless.

The pipeline then generates:

• Search results, screening decisions, extracted data, a written review, methodology section, reference list, and audit trail

All of this is stored in your account and accessible through your dashboard.

Institutional library access

If you connect your university library, we collect:

• Encrypted session token — a temporary access key to your university's library proxy, encrypted at rest using a per-user encryption key
• University name — which institution you connected
• Usage count — the number of papers accessed through your library connection

We collect this data so the pipeline can retrieve academic papers on your behalf using your existing library subscription.

Credentials: Your username and password are sent directly to your university's authentication system over an encrypted connection (HTTPS/TLS). We do not store, log, or retain your login credentials at any point. They pass through our server only for the instant needed to authenticate with your institution.

Retention: Session tokens auto-delete when they expire (maximum 24 hours). We never store your username or password.

Your rights: You can disconnect your library at any time from Settings. All session data is immediately deleted. You can also request complete deletion of all library data under GDPR Article 17.

Security: Session tokens are encrypted at rest using per-user encryption keys (AES-GCM). Even in the unlikely event of a database breach, tokens cannot be decrypted without your unique user key.

Payment data

We use Stripe to process payments. We never see or store your card details. We store only:

• Your Stripe customer identifier and session reference
• Payment status, pricing tier, and transaction count
• The date and amount of each payment

Technical data

• Session cookie — a single authentication cookie to keep you signed in. This is strictly necessary for the service to function.
• Local storage — we use your browser's local storage to remember whether you've dismissed the cookie information banner. The ICO considers this a similar technology to cookies, so we mention it here for transparency.
• Security logs — we record security-relevant events (such as login attempts) with your account identifier. These help us detect and prevent unauthorised access.

We do not use analytics, advertising cookies, or tracking technologies of any kind.

Why We Process Your Data

Under UK data protection law, we need a lawful basis for processing your personal data. Here is ours:

We do not process your data for marketing purposes. If this changes in future, we will seek your consent or rely on legitimate interests with a clear opt-out, and we will update this policy before doing so.

Who We Share Data With

We share your data with the following third parties, all acting as data processors on our behalf:

AI providers

When you run a literature review, we send your research topic and the content of academic papers to:

• Anthropic (Claude) — San Francisco, USA
• OpenAI (GPT) — San Francisco, USA
• Google (Gemini) — Mountain View, USA

What they receive: Your research topic, search strategies, and paper content for analysis. They do not receive your name, email, university, or any other profile information.

Training: None of these providers use API data for training their models. Your research and the papers we process are not used to improve their AI systems.

Retention: These providers retain API data briefly for safety and abuse monitoring (typically up to 30 days), then delete it. They do not store your data permanently.

We have Data Processing Agreements with each provider that require them to process your data only on our instructions and to impose equivalent protections on any sub-processors they use. You can find their sub-processor lists at:

• Anthropic: trust.anthropic.com
• OpenAI: openai.com/policies
• Google Cloud: cloud.google.com/security/compliance

Stripe (payments)

We share your email address and an internal account identifier with Stripe to process payments. Stripe handles all card details directly — we never see or store your card number. Stripe's privacy policy is at stripe.com/privacy.

Authentication providers

When you sign in with Google or GitHub, those providers process your authentication data according to their own privacy policies. We receive only the profile data listed above.

Hosting infrastructure

Our backend and frontend are hosted on cloud infrastructure providers who process your data in transit and at rest as part of delivering the service. These providers act as sub-processors under our data processing agreements.

No one else

We do not sell your data. We do not share it with advertisers. We do not provide it to data brokers. We do not use it to train AI models.

International Transfers

Our AI providers are based in the United States. When we send your research topic and paper content to them for processing, your data crosses international borders.

These transfers are protected by:

• The UK-US Data Bridge — a UK adequacy regulation under the Data Privacy Framework that permits transfers to certified US organisations
• Standard Contractual Clauses (SCCs) with the UK Addendum — incorporated into our Data Processing Agreements as a supplementary safeguard
• Data Processing Agreements with each provider, requiring them to protect your data to UK GDPR standards

Stripe also processes data in the US and is certified under the Data Privacy Framework.

We have conducted a Transfer Risk Assessment for these transfers and are satisfied that adequate protections are in place.

We do not transfer your name, email, or university to any party outside the UK. Only your research topic and academic paper content are processed internationally, and only for the purpose of generating your literature review.

How Long We Keep Your Data

Inactivity process: If you haven't logged in for 23 months, we will email you a reminder. If you don't log in within the following 30 days, your account and all associated data will be permanently deleted.

Account deletion: You can delete your account at any time through your account settings. When you delete your account, your profile data (name, email, university) is removed immediately. Your literature reviews and run data are retained for 30 days in case you need to recover them — contact us within that period if you change your mind. After 30 days, all remaining data is permanently and irreversibly deleted.

Export before deletion: You can download your literature reviews (DOCX and Markdown) from your dashboard at any time. We recommend exporting anything you need before deleting your account.

Your Rights

Under UK data protection law, you have the following rights over your personal data:

Rights you can exercise yourself (via your dashboard):

• Access — View your profile data and all pipeline outputs in your dashboard
• Download / Portability — Download your literature reviews in DOCX or Markdown format
• Rectification — Edit your university and programme level in account settings. Your name and email come from your Google or GitHub account — to change them, update your account with that provider
• Erasure — Delete your account and all associated data in account settings

Rights you can exercise by contacting us:

• Formal data access request — We will provide a complete export of all personal data we hold about you, in a structured, machine-readable format (JSON)
• Restriction of processing — Ask us to limit how we use your data while a concern is being resolved
• Objection — Our core processing is based on contract, not legitimate interests, so the right to object is limited. However, if we ever process your data for marketing (legitimate interests), you can object at any time and we will stop immediately

Response time: We will respond to any data rights request within 30 days. If your request is unusually complex, we may extend this by up to 2 months, and we will tell you why.

Identity verification: To protect your account, we may ask you to verify your identity before processing a data rights request. This is typically a confirmation via your registered email address.

Conflict with legal obligations: If you request deletion of data that we are legally required to retain (such as payment records for tax purposes), we will explain which data we must keep and why, and delete everything else.

Contact us at privacy@extractation.com for any data rights request.

How We Process Your Research

Our pipeline analyses academic papers using AI to produce your literature review. This involves decisions about which papers to include or exclude from the review, based on your research question and screening criteria.

These are decisions about documents, not about you. The pipeline does not make decisions that affect your rights, access to the service, or opportunities. You can inspect every screening decision in your dashboard and override any of them.

We do not profile you or make decisions about you based on automated processing.

Security

We protect your data with industry-standard measures including:

• Encryption in transit (HTTPS/TLS) and at rest
• Authentication via trusted OAuth providers (Google, GitHub) — we do not store passwords
• PCI-compliant payment processing through Stripe — we never handle card details
• Access controls limiting data access to what is necessary for service delivery

No system is perfectly secure. If we become aware of a data breach that affects your personal data, we will notify the ICO within 72 hours as required by law, and we will notify you without undue delay, explaining what happened and what steps we are taking.

Children

This service is designed for university students. We do not knowingly collect personal data from children under 13. If we become aware that a user is under 13, we will delete their account and data promptly.

Our design practices — high-privacy defaults, clear plain-English information, no profiling or tracking — are consistent with the ICO's Age Appropriate Design Code.

Changes to This Policy

If we make material changes to this policy — such as collecting new types of data, sharing data with new third parties, or changing our retention periods — we will notify you by email at least 30 days before the changes take effect.

You can review the change and decide whether to continue using the service. If you disagree with a material change, you can delete your account before the new policy takes effect.

Non-material changes (clarifications, formatting, corrections) may be made without advance notice, but the “last updated” date at the top of this page will always reflect the most recent change.

Contact

For any questions about this privacy policy or your personal data:

Email: privacy@extractation.com

Address: 85 Markfield Avenue, Manchester, M13 9AX

For complaints about data protection, you can contact us first, or go directly to the ICO:

ICO: ico.org.uk/make-a-complaint