Privacy Policy

Effective Date: October 9, 2025

Last Updated: October 9, 2025

1. Introduction

Welcome to LitReview-AI ("we," "us," "our"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered academic literature review service ("Service") at https://litreview-ai.com.

This policy applies to all users globally and includes specific provisions for EU residents under the General Data Protection Regulation (GDPR).

2. Information We Collect

2.1 Information You Provide

Account Information

  • Email address
  • Name (optional)
  • Password (encrypted)
  • Profile information (academic affiliation, research interests)

Content Data

  • PDF documents you upload for analysis
  • Analysis results and summaries
  • Notes and annotations you create
  • Search queries and filters

Payment Information

  • Processed by Paddle.com (our Merchant of Record)
  • We do not store credit card numbers or banking information
  • Billing address and transaction history

2.2 Information Automatically Collected

Usage Data

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and features used
  • Time and date of access
  • Referring website

Cookies and Tracking Technologies

  • Session cookies (essential for Service operation)
  • Authentication tokens
  • Preference cookies (language, display settings)
  • Analytics cookies (with consent)

2.3 Information from Third Parties

OAuth Providers

  • Basic profile information from Google OAuth (email, name)
  • No access to your Google Drive or other Google services

Academic Data Sources

  • Citation metadata from OpenAlex API
  • Publicly available research information

3. How We Use Your Information

3.1 Service Provision

  • Process and analyze your uploaded documents
  • Generate AI-powered literature reviews and summaries
  • Provide citation network analysis
  • Store your analysis history and notes
  • Authenticate and manage your account

3.2 Service Improvement

  • Enhance AI analysis accuracy
  • Develop new features
  • Optimize Service performance
  • Conduct research on user experience

3.3 Communication

  • Send Service-related notifications
  • Respond to support requests
  • Provide updates about Service changes
  • Send marketing communications (with consent)

3.4 Legal and Security

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Prevent fraud and abuse
  • Protect rights and safety

4. Legal Basis for Processing (GDPR)

For EU residents, we process your data based on:

  • Contract Performance: Processing necessary to provide the Service you requested
  • Legitimate Interests: Improving our Service, security, and fraud prevention
  • Consent: For marketing communications and optional analytics
  • Legal Obligation: When required by law

5. How We Share Your Information

5.1 Service Providers

We share data with trusted third-party services:

Supabase (Database and Authentication)

Google Gemini API (AI Processing)

Paddle.com (Payment Processing)

OpenAlex (Citation Data)

Vercel (Hosting)

5.2 Legal Requirements

We may disclose information if required by:

  • Court order or subpoena
  • Government or regulatory request
  • Law enforcement investigation
  • Protection of our legal rights

5.3 Business Transfers

If we merge with or are acquired by another company, your information may be transferred to the new owners.

5.4 Aggregated Data

We may share anonymized, aggregated data that cannot identify you personally.

6. Data Security

6.1 Security Measures

We implement appropriate technical and organizational measures:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Secure password hashing (bcrypt)
  • Regular security audits
  • Access controls and authentication
  • Regular backups

6.2 Data Breach Notification

In case of a data breach, we will:

  • Notify affected users within 72 hours (GDPR requirement)
  • Provide information about the breach and potential impact
  • Recommend protective actions

7. Data Retention

7.1 Retention Periods

  • Account Data: Retained while account is active
  • Uploaded Documents: Deleted 90 days after analysis completion
  • Analysis Results: Retained for your account lifetime
  • Payment Records: 7 years (legal requirement)
  • Support Tickets: 2 years
  • Marketing Data: Until consent withdrawn

7.2 Account Deletion

When you delete your account:

  • Personal data removed within 30 days
  • Some data may be retained for legal compliance
  • Anonymized data may be retained for analytics

8. Your Privacy Rights

8.1 General Rights

All users have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account
  • Export your data
  • Opt out of marketing communications

8.2 GDPR Rights (EU Residents)

Additional rights under GDPR:

  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to certain processing activities
  • Right to Withdraw Consent: Withdraw previously given consent
  • Right to Lodge a Complaint: File a complaint with your supervisory authority

8.3 CCPA Rights (California Residents)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to say no to the sale of personal information
  • Right to delete personal information
  • Right to non-discrimination

8.4 Exercising Your Rights

To exercise your rights, contact us at: privacy@litreview-ai.com

We will respond within 30 days (or as required by law).

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence, particularly:

  • United States (primary data processing)
  • European Union (some service providers)

We ensure appropriate safeguards through:

  • Standard Contractual Clauses (EU)
  • Privacy Shield certification (where applicable)
  • Adequate security measures

10. Children's Privacy

Our Service is not intended for children under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

11. Cookie Policy

11.1 Essential Cookies

Required for Service operation:

  • Session management
  • Authentication
  • Security tokens

11.2 Functional Cookies

Enhance user experience:

  • Language preferences
  • Display settings
  • Recently viewed items

11.3 Analytics Cookies

With your consent:

  • Usage patterns
  • Feature engagement
  • Performance metrics

11.4 Managing Cookies

You can control cookies through:

12. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies.

13. Marketing Communications

13.1 Email Marketing

  • Only with your explicit consent
  • Unsubscribe link in every email
  • Preference management in account settings

13.2 Do Not Track

We respect Do Not Track browser signals for analytics tracking.

14. Data Protection Officer

For privacy inquiries, contact our Data Protection Officer:

  • Email: dpo@litreview-ai.com

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Email notification
  • Prominent notice on our Service
  • Updating the "Last Updated" date

16. Contact Information

For questions, concerns, or requests regarding this Privacy Policy:

LitReview-AI

  • Email: privacy@litreview-ai.com
  • Support: support@litreview-ai.com
  • Website: https://litreview-ai.com

For GDPR Inquiries:

  • Email: dpo@litreview-ai.com

EU Representative: [To be designated]

Supervisory Authority (EU): You may lodge a complaint with your local data protection authority.

17. Region-Specific Provisions

17.1 European Union (GDPR)

  • Legal basis for processing documented above
  • Data Protection Officer contact provided
  • 72-hour breach notification
  • Privacy by Design implementation

17.2 California (CCPA/CPRA)

  • We do not sell personal information
  • California residents can request data twice per year
  • Non-discrimination for exercising rights

17.3 Brazil (LGPD)

17.4 United Kingdom (UK GDPR)

  • Equivalent protections to EU GDPR
  • UK-specific data transfers permitted

18. Privacy Compliance Checklist

We maintain compliance with:

  • ✓ GDPR (European Union)
  • ✓ CCPA/CPRA (California)
  • ✓ LGPD (Brazil)
  • ✓ UK GDPR (United Kingdom)
  • ✓ PIPEDA (Canada)
  • ✓ CAN-SPAM Act (Email Marketing)

IMPORTANT DISCLAIMER: This is a template for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.