Privacy Policy

Last updated: July 8, 2026 This Privacy Policy explains how Zynthia ("we," "us") collects, uses, shares, and protects information when you use the Zynthia systematic literature review platform (the "Service"). It applies to visitors to zynthia.ai, waitlist signups, and registered users. 1. Information We Collect Account information: When you register, we collect your name, email address, username, institution, research role, and field of research. If you sign in with Google or ORCID, we receive your name, email address, and (for ORCID) your ORCID iD and the profile information you've made available to us through that provider. Waitlist information: If you join our pre-launch waitlist, we collect only your email address, used to notify you about early access. Research content: When you use the Service, we store the content you create or import, including project titles and descriptions, search strategies, imported bibliographic records (paper titles, authors, abstracts, DOIs, keywords), inclusion/exclusion criteria, screening decisions and notes, audit log entries, and collaborator/invite information for shared projects. When you import a file (RIS, BibTeX, CSV, or Excel), we extract the bibliographic data it contains; the original file itself is not stored, only its filename and the structured data extracted from it. Usage and technical information: We log AI usage volume associated with your account (token counts and API call counts, used for service operation and, in future, billing) and standard technical data generated by using a web application (such as authentication timestamps). 2. How We Use Your Information We use your information to: provide, operate, and maintain the Service; generate AI-assisted screening suggestions and relevance scores (see Section 3); enable collaboration features you choose to use; send you service-related communications, including account verification and, if you join the waitlist, launch updates; respond to support requests; and monitor and improve the reliability and quality of the Service. 3. AI Processing of Your Research Content To provide AI-assisted screening, we send the following to our AI provider, Google (via the Gemini API), for each paper you screen: the paper's title, abstract, and keywords, together with the inclusion/exclusion criteria and project topic you have written for that review. We do not send your name, email address, institution, ORCID iD, or other account information to the AI provider as part of these requests. This processing is governed by Google's own data handling terms for the Gemini API; we do not currently configure any additional data-retention restriction or model-training opt-out beyond Google's standard API terms. Do not include personal data about identifiable third parties in your criteria or project notes beyond what is necessary for your review. 4. Legal Bases for Processing (EEA/UK Users) Where applicable data protection law requires it, we process your information on the following bases: performance of a contract (to provide the Service you've signed up for), legitimate interests (to secure, maintain, and improve the Service), and consent (for optional communications such as waitlist updates, which you can withdraw at any time). 5. Cookies We use two authentication cookies, "zynthia-auth" and "zynthia-refresh", to keep you signed in. Both are HTTP-only, transmitted only over HTTPS in production, and expire automatically (the access cookie after 8 hours, the refresh cookie after 7 days). We also use a standard session cookie during the OAuth sign-in process. We do not use advertising, tracking, or analytics cookies. A non-personal light/dark theme preference is stored in your browser's local storage. 6. Who We Share Information With We do not sell your personal information. We share information only with the service providers who help us operate Zynthia, under agreements that require them to protect your data and use it only to provide their service to us: - Google (Gemini API) — processes paper metadata and criteria text to generate AI screening suggestions, as described in Section 3. - Google and ORCID — process your profile information when you choose to sign in using those providers. - Resend — our email delivery provider, used to send account verification and waitlist emails. - Railway — our infrastructure and database hosting provider, which stores the Service's data on our behalf. We may also disclose information if required by law, to enforce our Terms of Service, or to protect the rights, safety, or property of Zynthia or our users. 7. Collaboration and Shared Projects If you are invited to collaborate on a project, the project owner and other collaborators with appropriate permissions can see the content of that shared project, including screening decisions attributed to you. Project owners can export an audit trail of a project that includes collaborators' email addresses for accountability purposes. 8. International Data Transfers Our service providers may process data in countries other than your own, including the United States. Where we transfer personal data internationally, we rely on the safeguards made available by our providers (such as standard contractual clauses) to protect your information. 9. Data Retention and Deletion We retain your account and research data for as long as your account is active. If you delete your account, it is deactivated immediately and your data is retained for 30 days, during which you can restore full access simply by signing back in. After that period, your account and the projects you own (including their papers, criteria, screening decisions, and audit logs) are scheduled for permanent deletion. Deleting your account also removes your individual screening decisions from any other projects you collaborated on. Waitlist email addresses are retained until launch communications are complete or you ask us to remove them. 10. Data Security We use industry-standard technical and organisational measures to protect your information, including encrypted transport (HTTPS), HTTP-only authentication cookies, and access controls on our hosting infrastructure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. 11. Your Rights Depending on your location, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion of your data; restrict or object to certain processing; receive a copy of your data in a portable format; and, where processing is based on consent, withdraw that consent at any time. You may also have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at [email protected]. Most of these actions (correcting your profile, exporting your review data, deleting your account) are also available directly within your account settings. 12. Children's Privacy The Service is not directed at individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it. 13. Changes to This Policy We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via a notice within the Service before the changes take effect. 14. Contact For privacy-related questions or to exercise your rights, contact us at [email protected].