Privacy Policy

1. Introduction

Welcome to ThesisFlow AI ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our research assistant platform and related services (collectively, the "Service").

By accessing or using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide to Us

We collect information that you voluntarily provide when using our Service:

• Account Information: Name, email address, password, academic institution, research field, and profile details
• Research Content: Documents you upload, research queries, notes, citations, and academic work products
• Payment Information: Billing details, payment method information (processed securely through third-party payment processors)
• Communication Data: Messages, feedback, support requests, and correspondence with our team
• User Preferences: Settings, customizations, notification preferences, and feature selections

2.2 Automatically Collected Information

When you access our Service, we automatically collect certain information:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages viewed, features used, time spent, click patterns, search queries
• Log Data: Server logs, error reports, API calls, performance metrics
• Location Data: Approximate geographic location based on IP address

2.3 Information from Third Parties

• Authentication Services: Data from Google, Microsoft, or other OAuth providers if you use social login
• Academic Databases: Publicly available research paper metadata, citations, and bibliographic information
• Analytics Providers: Aggregated usage statistics and performance data

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

• Provide, operate, and maintain our research assistant platform
• Process your research queries and generate AI-powered insights
• Enable collaboration features and document sharing
• Manage your account, subscriptions, and billing
• Provide customer support and respond to inquiries

3.2 Service Improvement

• Analyze usage patterns to improve features and user experience
• Train and improve our AI models (using aggregated, de-identified data)
• Conduct research and development for new features
• Test, monitor, and debug platform performance

3.3 Communication

• Send service notifications, updates, and security alerts
• Respond to comments, questions, and support requests
• Send marketing communications (with your consent, where required)
• Provide educational content and research tips

3.4 Legal and Security

• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and other agreements
• Protect against fraud, abuse, and security threats
• Resolve disputes and investigate violations

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We share data with trusted third-party vendors who perform services on our behalf:

• Cloud Hosting: Vercel, Railway, Supabase for infrastructure and database hosting
• AI Services: OpenRouter, Groq for AI model processing
• Payment Processing: Stripe or similar payment processors
• Analytics: Aggregated usage analytics providers
• Email Services: Transactional and marketing email providers

All service providers are contractually obligated to protect your data and use it only for the specified purposes.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, warrants)
• Government requests or investigations
• Protection of our rights, property, or safety
• Prevention of fraud or illegal activity

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change in ownership or control.

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Technical Safeguards

• Encryption: TLS/SSL encryption for data in transit, AES-256 encryption for data at rest
• Authentication: Secure password hashing (bcrypt), multi-factor authentication support
• Access Controls: Role-based access control (RBAC), principle of least privilege
• Infrastructure: Secure cloud hosting with regular security audits
• Monitoring: 24/7 security monitoring, intrusion detection systems

5.2 Organizational Safeguards

• Regular security training for employees
• Confidentiality agreements with all personnel
• Incident response and data breach procedures
• Regular security assessments and penetration testing

5.3 Data Retention

We retain your information only as long as necessary to:

• Provide our services and fulfill the purposes described in this policy
• Comply with legal, accounting, or reporting requirements
• Resolve disputes and enforce our agreements

Upon account deletion, we will delete or anonymize your personal information within 90 days, except where retention is required by law.

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

6.1 General Rights

• Access: Request copies of your personal information
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal information (right to be forgotten)
• Portability: Request transfer of your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing of your personal information
• Withdraw Consent: Withdraw consent for data processing at any time

6.2 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under GDPR:

• Right to lodge a complaint with a supervisory authority
• Right to object to automated decision-making and profiling
• Enhanced transparency and consent requirements

6.3 CCPA Rights (California Residents)

California residents have specific rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by businesses
• Right to opt-out of the sale of personal information
• Right to non-discrimination for exercising CCPA rights

Note: We do not sell personal information as defined by CCPA.

6.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: privacy@thesisflow-ai.com
• Account Settings: Manage data preferences in your account dashboard
• Response Time: We will respond to requests within 30 days

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

7.1 Types of Cookies

• Essential Cookies: Required for authentication, security, and basic functionality
• Performance Cookies: Help us understand how users interact with our Service
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Collect aggregated usage statistics

7.2 Managing Cookies

You can control cookies through:

• Browser settings (most browsers allow you to refuse cookies)
• Cookie consent banner when you first visit our site
• Account settings for analytics preferences

Note: Disabling essential cookies may affect Service functionality.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for certain countries
• Binding Corporate Rules where applicable
• Consent for specific transfers where required

9. Children's Privacy

Our Service is not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

For educational institutions using our Service with students under 18, we comply with applicable laws including FERPA (Family Educational Rights and Privacy Act) and COPPA (Children's Online Privacy Protection Act).

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email or prominent notice on our Service
• Obtain your consent where required by applicable law
• Provide a 30-day notice period for substantial changes

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: