Who We Are
ResearchAI ("we", "us", or "our") operates the Smart Research Companion platform at researchai.app (the "Service"). We are the data controller for personal data processed through this Service.
For the purposes of the General Data Protection Regulation (GDPR) and other applicable privacy laws, our data protection contact is reachable at privacy@researchai.app.
Data We Collect
We collect the following categories of personal and usage data when you use ResearchAI:
| Data Category | Purpose | Retention |
|---|---|---|
| Account Data | Create and manage your account (email, name, tier) | Until account deletion |
| Research Content | PDF uploads, paper metadata, project notes, AI outputs stored for your workspace | Until you delete them |
| Usage Data | Feature usage, page views, session length — for product improvement | 24 months |
| Billing Data | Credit transactions, subscription status (processed by our payment provider) | 7 years (tax law) |
| AI Interactions | Chat messages, prompts, and AI responses within your sessions | Until session/account deletion |
| Technical Data | IP address, browser type, device type — for security and debugging | 90 days |
We do not collect sensitive personal data such as race, religion, health information, or biometric data.
How We Use Your Data
We use your data strictly to provide, maintain, and improve the ResearchAI service:
- Service Delivery: Running your research workspace, processing PDFs, generating AI responses, managing projects.
- Account Management: Authenticating you, managing your subscription tier and credit balance.
- Product Improvement: Analysing aggregated, anonymised usage patterns to prioritise features. We never analyse your personal paper content for training AI models.
- Security: Detecting fraud, abuse, and other harmful activity.
- Legal Compliance: Meeting obligations under applicable law including GDPR and tax regulations.
- Communications: Sending transactional emails (password reset, billing receipts). We send marketing only with your explicit consent.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data only in these limited circumstances:
- Supabase (Database & Auth): Stores your account, projects, papers, transactions. Data at rest is encrypted. Hosted in the EU-West region by default.
- Zilliz Cloud (Vector Database): Stores anonymised vector embeddings of your paper PDFs for semantic search. Raw text is not stored in Zilliz.
- Mistral AI & Qwen (AI APIs): Processes prompts to generate AI responses. We use their API; your data is not used to train their models per our agreements.
- Payment Provider (FastSpring/Paddle): Processes payments. We share only what is necessary for transaction completion. We do not store raw card data.
- Law Enforcement: Only if required by a valid legal process, and we will notify you where legally permitted.
Data Retention
We retain your data for as long as your account exists or as needed to provide the Service. When you delete your account, we initiate a 30-day grace period during which your data is soft-deleted and can be recovered. After 30 days, all personal data, research content, and AI outputs are permanently deleted from our systems and backups within 90 days.
Billing records are retained for 7 years to comply with tax and financial regulations, but personal identifiers are removed after account deletion.
Your Rights
Under GDPR and applicable privacy laws, you have the following rights regarding your personal data:
- Access: Request a copy of all data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Export your data in a machine-readable format (JSON/CSV).
- Objection: Object to processing based on legitimate interests.
- Restriction: Request we limit processing of your data in certain cases.
To exercise any of these rights, email us at privacy@researchai.app. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Security
We take security seriously and implement industry-standard measures to protect your data:
- All data in transit encrypted via TLS 1.3
- All data at rest encrypted with AES-256
- API access protected by rotating JWT tokens with <10 minute expiry
- Database access restricted by Row-Level Security (RLS) policies
- AI model API calls use ephemeral, request-scoped credentials
- Regular automated security audits and dependency updates
In the event of a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours as required by GDPR.
Children's Privacy
ResearchAI is designed for academic and professional researchers. Our Service is not directed to anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us immediately at privacy@researchai.app and we will promptly delete such data.
International Transfers
Your data may be processed outside your country of residence, including in the United States and European Union, where our infrastructure providers operate. For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent safeguards, to protect your data.
Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and an in-app notice at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.
Contact Us
For any privacy-related questions, requests, or concerns:
© 2026 ResearchAI. All rights reserved.