Privacy Policy
Last Updated: December 11, 2024
1. Information We Collect
RefExtract collects minimal information necessary to provide our service:
- Account Data: Email, name, and profile picture (if using Google OAuth)
- Authentication Data: Hashed passwords (if using email signup), session tokens, password reset tokens
- Search Data: Research topics, keywords, search history, and citation history
- Essay Content: Text submitted to Smart Citation Assistant (processed but not permanently stored)
- Usage Data: Number of searches, citations processed, word counts, subscription tier, and usage limits
- Payment Information: Processed securely through Stripe (we never see your card details)
- Device Information: Device fingerprints for security and rate limiting
2. How We Use Your Information
We use the information we collect to:
- Authenticate your account and maintain secure sessions
- Process reference searches and smart citation requests
- Track usage limits based on your subscription tier
- Store your search and citation history for easy access
- Send password reset emails when requested
- Process payments and manage subscriptions
- Enforce rate limits to prevent abuse
- Improve our service and user experience
- Send transactional emails (password resets, payment confirmations)
3. Data Storage and Security
Database Storage: We store your account information, search history, citation history, and usage statistics in a secure PostgreSQL database hosted on Railway. This data persists across sessions and allows you to access your history from any device.
Password Security: Passwords are hashed using bcrypt (an industry-standard password hashing algorithm) before storage. We never store plain-text passwords.
Session Storage: Secure session tokens are stored in your browser's localStorage to keep you logged in for 30 days. These can be cleared at any time by logging out.
Essay Content: Text submitted for smart citations is processed by our servers and OpenAI's API but is not permanently stored after processing is complete.
Payment Data: All payment information is handled by Stripe, Inc. We never store credit card details on our servers.
4. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We share data only with:
- Google: For OAuth authentication (subject to Google's Privacy Policy)
- Stripe: For payment processing (subject to Stripe's Privacy Policy)
- OpenAlex: Your search queries are sent to OpenAlex API to retrieve academic papers
- OpenAI: Essay text is sent to OpenAI's API for AI-powered citation suggestions (subject to OpenAI's Privacy Policy)
- Railway: Our hosting provider where the database is securely stored
- Nodemailer/Gmail: For sending password reset emails via refextracts@gmail.com
5. Cookies and Local Storage
RefExtract uses minimal tracking:
- localStorage stores your session token for authentication (expires after 30 days)
- No third-party advertising cookies
- No cross-site tracking
- Google OAuth may use cookies for authentication
- Stripe may use cookies for payment processing
6. Email Communications
We send emails only for:
- Password reset requests (when you click "Forgot Password")
- Payment confirmations and subscription updates
- Critical service announcements
We do NOT send:
- Marketing emails
- Promotional content
- Newsletters (unless you explicitly opt in)
7. Your Rights
You have the right to:
- Access your data stored in our database
- Request deletion of your account and all associated data
- Export your search history and citation history
- Update your email address or profile information
- Reset your password at any time
- Cancel your subscription at any time
- Request information about data we've collected
- Opt out of non-essential emails
8. Data Retention
We retain your data as follows:
- Account Data: Until you request deletion
- Search History: Until you delete or request account deletion
- Session Tokens: 30 days, then auto-expire
- Password Reset Tokens: 1 hour, then auto-expire
- Essay Content: Processed immediately, not stored permanently
- Payment Records: Retained as required by law (typically 7 years)
9. Security Measures
We implement industry-standard security measures to protect your information:
- All connections use HTTPS/TLS encryption
- Passwords hashed with bcrypt (10 rounds)
- Rate limiting on authentication endpoints (prevents brute-force attacks)
- Session tokens are cryptographically secure (32-byte random)
- Database hosted on secure Railway infrastructure
- Regular security audits and updates
- Payment processing is PCI-DSS compliant via Stripe
10. Children's Privacy
RefExtract is intended for use by individuals 13 years or older. We do not knowingly collect information from children under 13. If you believe a child under 13 has created an account, please contact us immediately.
11. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. By using RefExtract, you consent to the transfer of your information to the United States and other countries where our service providers operate.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of any material changes by:
- Updating the "Last Updated" date at the top of this policy
- Posting a notice on our website
- Sending an email to paid subscribers (for significant changes)
13. Third-Party Services
RefExtract integrates with the following third-party services:
14. Data Deletion Requests
To request deletion of your account and all associated data:
- Email us at refextracts@gmail.com with "Data Deletion Request" in the subject line
- Include your registered email address
- We will process your request within 30 days
- Some data may be retained as required by law (payment records)
By using RefExtract, you acknowledge that you have read and understood this Privacy Policy.