Last Updated: April 2, 2026 | Effective Date: April 2, 2026
1. Introduction
Welcome to ScholaRef ("we," "us," "our," or "Company"). ScholaRef is an AI-powered academic workspace that helps researchers move from first draft to confident journal submission through tools including Deep Review, War Room, Peer Review Simulator, Submission Recommender, Keyword & Abstract Studio, Grammar Corrector, and Academic Explorer.
We are committed to protecting your privacy and maintaining transparency about how we handle your data. This Privacy Policy explains in detail how we collect, use, store, share, and safeguard your personal information and academic content when you access or use our platform and services (collectively, the "Service").
Please read this Privacy Policy carefully before using ScholaRef. By creating an account or using any part of the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
Our Core Privacy Principles:
- Minimal Collection: We collect only the information necessary to provide and improve our services
- Your Content Stays Yours: We never claim ownership of your uploaded papers or academic work
- No Selling Data: We never sell, rent, or trade your personal data or academic content to third parties
- No Training on Your Papers: We do not use the content of your uploaded documents to train our AI models unless you explicitly opt in
- Transparency: We are upfront about what data we collect, why, and how long we keep it
4. AI Processing and Document Handling
4.1 How Your Documents Are Processed
When you upload a document for analysis, the following occurs:
- Upload & Storage: Your PDF file is uploaded and stored as binary data in our secure database
- OCR Extraction: The PDF is sent to our self-hosted OCR service (QSAI) for text extraction. The extracted text is stored alongside the original PDF
- Document Validation: For applicable tools, the extracted text is submitted to our AI validation system to confirm the document is an academic paper
- AI Analysis: The extracted text is sent to our AI analysis backend (self-hosted), which processes it through the selected tool's pipeline (e.g., 13 reviewer personas for Deep Review, 5-step pipeline for War Room)
- Result Storage: AI-generated feedback, recommendations, and reports are stored in your account in structured JSON format
- Notification: Upon completion, you receive an email notification (if enabled) and can view results in your dashboard
4.2 AI Model Usage and Your Data
Critical Commitment:
- Your uploaded documents are processed to provide you with the analysis you requested — nothing more
- We do not use the content of your documents to train, fine-tune, or improve our AI models unless you provide explicit opt-in consent
- Your documents are not shared with other users, external researchers, publishers, or any third party
- AI processing occurs on our self-hosted infrastructure — your document text is not sent to external third-party AI API providers (e.g., OpenAI, Google, Anthropic)
- War Room chat interactions with AI agents are processed by our self-hosted Ollama LLM and are associated only with your session
4.3 Related Paper Discovery
The Deep Review References reviewer may use extracted keywords from your paper to query our academic database for related works. This is done to provide you with relevant literature suggestions. The queries are based on keywords — your full paper text is not sent to external academic databases.
4.4 Academic Explorer AI Processing
When you use the Academic Explorer's natural language search, your search query is processed by our self-hosted Ollama LLM to extract search intent (entity type, topic, publisher, year, etc.). If the LLM is unavailable, a regex-based fallback parser is used. Search queries are not stored permanently and are not linked to your identity for purposes beyond serving your current session.
4.5 Grammar Corrector Processing
Text submitted to the Grammar Corrector is sent to our self-hosted LanguageTool instance for grammar and style checking. The text is processed in real-time and is not permanently stored by the Grammar Corrector service. If you upload a PDF, the OCR-extracted text is temporarily used for grammar checking but may be retained if the paper was previously uploaded for another analysis.
5. Information Sharing and Disclosure
5.1 We Do NOT Sell Your Data
ScholaRef does NOT sell, rent, trade, or license your personal information, academic content, or any user data to third parties for commercial, marketing, advertising, or any other purposes. Period.
5.2 Service Providers We Share Data With
We share limited, necessary information with the following categories of service providers, all bound by contractual data protection obligations:
- Stripe (Payment Processing): When you purchase tokens, your payment is processed by Stripe. We share with Stripe: the transaction amount, currency, and your email (for receipt purposes). Stripe independently collects your payment card details. See Stripe's Privacy Policy
- Zoho Mail (Email Delivery): We use Zoho Mail's SMTP service to send transactional emails (password resets, analysis notifications, purchase receipts, credit alerts). The email recipient address, subject, and body are transmitted through Zoho's servers. See Zoho's Privacy Policy
5.3 Self-Hosted Services (No External Data Sharing)
The following critical services are self-hosted on our own infrastructure and do not involve sharing your data with external third parties:
- AI/LLM Processing: All AI analysis (Deep Review, War Room, Peer Review, etc.) is performed on our self-hosted backend with our own models and task queue (Celery)
- OCR Processing: Text extraction from PDFs is handled by our self-hosted QSAI service
- Ollama LLM: Natural language processing for Academic Explorer and War Room chat is performed by our self-hosted Ollama instance
- LanguageTool: Grammar checking is handled by our self-hosted LanguageTool instance
- Academic Database: OpenAlex data is stored in our own local database replica, not queried from external APIs in real-time (with occasional fallback to the public OpenAlex API for supplementary searches)
- Application Database: All user data, papers, reviews, and account information are stored in our self-hosted MariaDB/MySQL database
5.4 Legal Requirements
We may disclose your information when required to:
- Comply with applicable laws, regulations, or legal processes (court orders, subpoenas, government requests)
- Protect the rights, property, or safety of ScholaRef, our users, or the public
- Detect, prevent, or address fraud, security incidents, or technical issues
- Enforce our Terms of Service
When legally permitted, we will notify you of such disclosures. We will challenge overly broad or unlawful requests where appropriate.
5.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or substantially all of ScholaRef's assets, your personal information and data may be transferred as part of that transaction. We will provide you with advance notice of any such transfer and any resulting changes to this Privacy Policy. Your data will continue to be subject to the same privacy protections.
5.6 Anonymized and Aggregated Data
We may create, use, and share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for: platform statistics, research publications about academic tool usage patterns, business analytics, and public reporting on platform metrics. Anonymized data is not subject to the restrictions of this Privacy Policy.
5.7 With Your Explicit Consent
We may share your information with third parties when you explicitly authorize us to do so (e.g., if you opt in to a research collaboration or institutional partnership). Such sharing will be clearly described to you before you consent.
6. Data Security
We implement comprehensive technical, administrative, and organizational security measures to protect your personal information and academic content against unauthorized access, alteration, disclosure, destruction, or loss.
6.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS) protocols
- Password Hashing: Passwords are hashed using Werkzeug's secure hashing implementation (PBKDF2 with salt) before storage. Plain-text passwords are never stored or logged
- Secure Token Generation: Password reset tokens are generated using Python's secrets.token_urlsafe(48), providing cryptographically secure, unpredictable tokens with 30-minute expiration and single-use enforcement
- Session Security: Server-side session management with secure session identifiers
- Database Security: Access to databases is restricted to application services with authenticated connections
- Infrastructure Isolation: Services run in isolated Docker containers with network segmentation
6.2 Administrative Safeguards
- Access Controls: Administrative access to user data is restricted to authorized personnel on a need-to-know basis, controlled by the is_admin flag
- Principle of Least Privilege: Services and personnel are granted only the minimum access necessary to perform their functions
- Incident Response: We maintain incident response procedures for detecting, investigating, and mitigating security breaches
- Backup Procedures: Regular database backups with secure storage and defined retention periods
6.3 Payment Security
- Payment processing is handled entirely by Stripe, a PCI-DSS Level 1 certified processor
- ScholaRef never receives, processes, transmits, or stores your payment card details
- Stripe webhook endpoints verify event signatures to prevent tampering
6.4 Security Limitations
Important: While we implement industry-standard security measures appropriate for the nature of the data we handle, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security against all threats. You acknowledge this inherent risk when using any internet-based service, including ScholaRef. We encourage you to use strong, unique passwords and keep your account credentials confidential.
6.5 Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users via email as soon as reasonably practicable, and no later than 72 hours after becoming aware of the breach (as required by GDPR for EU/EEA users)
- Notify relevant data protection authorities as required by applicable law
- Provide a description of the breach, the types of data affected, and the measures taken or proposed to address it
- Offer guidance on steps you can take to protect yourself
7. Your Privacy Rights
Depending on your location and applicable privacy laws, you have certain rights regarding your personal information. ScholaRef respects and facilitates the exercise of these rights.
7.1 Rights Available to All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal information. You can update most profile information directly through your account settings
- Deletion: Request deletion of your account and all associated data. You can also delete individual papers, reviews, and War Room sessions from your dashboard at any time
- Opt-Out of Marketing: Opt out of product update emails and non-essential notifications through your notification settings at any time
- Data Export: Request a portable copy of your data in a commonly used, machine-readable format
- Object to Processing: Object to specific types of data processing where we rely on legitimate interests
7.2 GDPR Rights (EU/EEA Residents)
If you are a resident of the European Union or European Economic Area, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right of Access (Art. 15): Obtain confirmation of whether we process your data and a copy of that data
- Right to Rectification (Art. 16): Have inaccurate personal data corrected without undue delay
- Right to Erasure / Right to be Forgotten (Art. 17): Have your personal data deleted when it is no longer necessary, you withdraw consent, or you object to processing
- Right to Restriction of Processing (Art. 18): Restrict the processing of your data in certain circumstances (e.g., while we verify accuracy)
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling
- Right Not to be Subject to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Note: ScholaRef's AI analysis provides supplementary academic feedback and does not make legal or similarly significant decisions about you
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA) if you believe our processing violates GDPR
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
7.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell (if applicable)
- Right to Delete: Request deletion of personal information collected from you, subject to certain exceptions
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary
- Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment (same service quality, pricing, and access)
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Information: Limit the use and disclosure of sensitive personal information to what is necessary for providing the Service
7.4 PIPEDA Rights (Canadian Residents)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right of Access: Access your personal information held by ScholaRef
- Right to Challenge Accuracy: Challenge the accuracy and completeness of your personal information and have it amended
- Right to Withdraw Consent: Withdraw consent for the collection, use, or disclosure of personal information, subject to legal or contractual restrictions
- Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada
7.5 How to Exercise Your Rights
To exercise any of your privacy rights:
- Self-Service: Update profile information, delete papers, manage notifications, and adjust preferences directly through your ScholaRef account
- Email Request: Send a detailed request to info@scholaref.com, including your account email and a description of the rights you wish to exercise
- Verification: We may need to verify your identity before processing requests, typically by confirming your email address or account details
- Response Timeline: We will acknowledge your request within 5 business days and provide a substantive response within 30 days (or as required by applicable law). Complex requests may require an extension of up to 60 additional days, with notice
- No Fee (Typically): We will not charge a fee for processing reasonable privacy requests. For manifestly unfounded or excessive requests, we may charge a reasonable fee or decline the request
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
- Essential/Strictly Necessary Cookies: Required for core functionality including user authentication, session management, and security. These cannot be disabled without breaking the Service. Includes Flask server-side session cookies
- Preference Cookies: Remember your display settings, notification preferences, and interface choices to improve your experience
- Performance Cookies: Monitor system performance, page load times, and identify technical issues
8.2 What We Do NOT Use
- We do not use third-party advertising cookies or tracking pixels
- We do not use cross-site tracking technologies
- We do not sell cookie data or browsing behavior to advertisers
- We do not use fingerprinting technologies to identify users across devices
8.3 Do Not Track (DNT) Signals
We respect Do Not Track (DNT) signals sent by your browser. When DNT is enabled, we limit the collection of non-essential usage data to the minimum required for system operation and security.
8.4 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to view, delete, and block cookies. Note that disabling essential cookies will prevent you from logging in and using authenticated features. Consult your browser's help documentation for instructions on managing cookies.
8.5 Third-Party Cookies
Stripe may place its own cookies when you proceed to a checkout session for token purchases. These cookies are governed by Stripe's Cookie Policy. We have no control over third-party cookies.
9. Third-Party Services and Integrations
9.1 Stripe (Payment Processing)
Stripe processes all payment transactions for token purchases. When you initiate a purchase, you are redirected to Stripe's secure checkout page. Stripe collects payment card details, billing address, and related information under its own privacy policy. We receive only transaction confirmation details.
9.2 Zoho Mail (Email Delivery)
Zoho Mail's SMTP service delivers transactional emails on our behalf, including password reset links, analysis completion notifications, low-credit alerts, and purchase receipts. Zoho processes recipient email addresses and email content to perform delivery.
9.3 OpenAlex (Academic Data)
Our Academic Explorer, Journal Explorer, Author Explorer, Publisher Explorer, and Institution Explorer features display metadata sourced from the OpenAlex open scholarly database. We maintain a local database replica of OpenAlex data. In some cases, supplementary queries may be made to the public OpenAlex API (api.openalex.org), which would transmit your search parameters (not your identity or personal data) to OpenAlex servers.
9.4 External Links
ScholaRef contains links to external websites, including journal publisher sites, DOI resolvers (e.g., doi.org), ORCID, Google Scholar, LinkedIn, and academic institution websites. We are not responsible for the privacy practices of external sites. We recommend you review their privacy policies before providing any personal information.
9.5 Self-Hosted Services
The following services are entirely self-hosted on our infrastructure, meaning your data does not leave our controlled environment when processed by these services:
- AI/ML Backend: Celery task workers for all AI analysis processing
- Ollama LLM: Language model for Academic Explorer search parsing and War Room chat
- QSAI OCR Service: PDF text extraction
- LanguageTool: Grammar and style checking
- MariaDB/MySQL Databases: Application data and OpenAlex academic data
10. Data Retention
10.1 Retention Periods
We retain different types of data for different periods based on the purpose of collection, operational needs, and legal requirements:
- Account Information (username, email, hashed password, profile data): Retained while your account is active. Upon account deletion, removed from active systems within 30 days
- Uploaded Documents & OCR Text: Retained as long as your account is active and you have not deleted them. You can delete individual papers at any time from your dashboard. All documents are deleted upon account deletion
- AI-Generated Reviews & Reports: Retained as long as the associated paper exists in your account. Deleted when you delete the paper or your account
- War Room Sessions & Reports: Retained as long as your account is active. Deleted upon account deletion
- Transaction & Billing Records: Retained for a minimum of 7 years after the transaction date to comply with tax, accounting, and financial record-keeping regulations (Canada Revenue Agency requirements)
- Password Reset Tokens: Expire and are invalidated after 30 minutes, and marked as used after single use
- Server Logs & Performance Data: Retained for up to 90 days for security monitoring and troubleshooting, then automatically purged
- Email Delivery Records: Retained for up to 12 months for delivery troubleshooting and compliance
- Notification Preferences: Retained while your account is active. Deleted upon account deletion
10.2 Account Deletion
When you request account deletion:
- Your personal information (username, email, profile data) is removed from active systems within 30 days
- All uploaded documents, OCR text, reviews, War Room sessions, and reports are permanently deleted within 30 days
- Transaction records are retained as required by law (see Section 10.1) but are disassociated from your personal identity where technically feasible
- Anonymized, aggregated statistical data derived from your usage may be retained indefinitely
10.3 Backup Retention
Due to our regular backup procedures, deleted data may persist in encrypted backup copies for up to 90 days after deletion from active systems. Backup copies are automatically rotated and permanently destroyed according to our backup retention schedule. We do not actively restore deleted data from backups except in the case of a system-wide disaster recovery event.
10.4 Inactive Accounts
We may contact you if your account has been inactive for an extended period. We reserve the right to delete accounts that have been inactive for more than 24 months, after providing 60 days' advance notice to your registered email address. Purchased but unused tokens will not be refunded for inactive account deletions unless required by applicable law.
11. International Data Transfers
11.1 Where Your Data Is Stored
ScholaRef's infrastructure is primarily located in Canada. By using the Service, your data may be transferred to and processed in Canada, regardless of your country of residence. Canada has been recognized by the European Commission as providing an adequate level of data protection under GDPR.
11.2 Safeguards for International Transfers
Where data is transferred across borders, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) has been recognized as providing adequate protection by the European Commission
- Contractual Protections: Where required, we use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to jurisdictions without an adequacy finding
- Service Provider Obligations: Our third-party service providers (Stripe, Zoho) maintain their own lawful data transfer mechanisms and compliance certifications
11.3 Your Acknowledgment
By using ScholaRef, you consent to the transfer and processing of your personal information in Canada and acknowledge that the data protection laws of Canada may differ from those in your jurisdiction. We will ensure your data receives an equivalent level of protection regardless of where it is processed.
12. Children's Privacy
ScholaRef is an academic platform designed for researchers, students, and professionals. It is not intended for children under the age of 13, and we do not knowingly collect personal information from children under 13.
If we become aware that a child under 13 has created an account or provided us with personal information without verifiable parental consent, we will promptly:
- Delete the child's account and all associated personal information
- Remove any uploaded documents and AI-generated data
- Void and refund any token purchases where feasible
For users between 13 and 18 years of age (minors), we require verifiable parental or legal guardian consent. Parents and guardians should review this Privacy Policy and supervise their child's use of ScholaRef. Minors in the EU/EEA must be at least 16 years old to consent to data processing (or as specified by their member state, with a minimum of 13).
If you believe we have inadvertently collected information from a child under 13 (or under the applicable age of consent in your jurisdiction), please contact us immediately at info@scholaref.com.
13. Legal Basis for Processing (GDPR)
For users in the EU/EEA, we process personal data under the following legal bases as required by GDPR Article 6:
13.1 Performance of Contract (Art. 6(1)(b))
- Processing your account registration information to create and maintain your account
- Storing and analyzing your uploaded documents to deliver AI-powered review, recommendation, and feedback services
- Processing payments and managing your token balance
- Sending transactional emails (password resets, analysis completions, purchase receipts)
13.2 Consent (Art. 6(1)(a))
- Sending product update emails and marketing communications (opt-in)
- Using your data for research partnerships or collaborations (explicit consent required)
- Placing non-essential cookies (preference and analytics cookies)
13.3 Legitimate Interests (Art. 6(1)(f))
- Analyzing aggregated, anonymized usage data to improve service quality and user experience
- Monitoring platform performance and troubleshooting technical issues
- Detecting and preventing fraud, abuse, and security threats
- Maintaining and administering the platform
13.4 Legal Obligation (Art. 6(1)(c))
- Retaining transaction records to comply with tax and accounting regulations
- Responding to lawful requests from law enforcement or regulatory authorities
- Complying with data protection notification obligations in case of a breach
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, regulatory guidance, or other factors. When we make changes:
- Minor Changes: We will update the "Last Updated" date at the top of this policy and post the revised version on our website
- Material Changes: We will notify you via email to your registered address at least 30 days before the changes take effect, and display a prominent notice on the platform
- Changes Requiring Consent: Where required by GDPR or other applicable law, we will obtain your explicit consent before implementing changes that affect how we process your personal data
Your continued use of ScholaRef after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the revised policy, you should discontinue use and delete your account.
We encourage you to review this Privacy Policy periodically. Previous versions of this policy will be made available upon request to info@scholaref.com.
© 2026 ScholaRef. All rights reserved.
By using ScholaRef, you acknowledge that you have read, understood, and agree to this Privacy Policy.