Privacy Policy

Your privacy and data security are our top priorities

Last updated: 11 May 2026. This policy describes Evidence Table Builder specifically (AI-assisted PDF extraction, evidence tables, and account billing)—not generic placeholder language.

Secure Data Handling

Uploaded PDFs are stored only in our Supabase Storage bucket during processing and removed automatically.

Limited Data Retention

PDF files are deleted within 2 hours by scheduled cleanup; Q&A results are kept for 30 days.

No Third-Party Access

Your research data is never shared with or sold to third parties.

Data Storage

Results are stored in our Supabase/Postgres database for your account history with a 30-day retention window.

Transparent Processing

We log processing events (not PDF contents) for reliability and support.

Right to be Forgotten

You can delete all stored data from your profile at any time; we honor GDPR erasure requests.

Who we are

Evidence Table Builder is operated as part of the Systematic Review Tools product family. For privacy requests and data subject rights, contact george@systematicreviewtools.app. We act as the data controller for personal data processed through this website and application, except where a payment processor acts as an independent controller for card payments (see Subprocessors below).

Data Collection and Use

We collect and process only what is needed to deliver the service. This includes:

  • PDF files uploaded for analysis (stored in Supabase Storage only during processing and deleted within 2 hours)
  • Extracted answers and questions (stored in your account history for 30 days to support quality and customer support)
  • User account information (email and authentication data)
  • Billing/subscription metadata needed to operate your plan
  • Basic product analytics and logs that exclude PDF contents

Provenance and Source Traceability

Evidence Table Builder may extract verbatim text excerpts from uploaded PDFs to support transparency, verification, and auditability of extracted data. These excerpts are used solely to show where information was identified in the source document and are subject to the same strict retention and deletion policies as extracted answers.

Legal bases (GDPR)

Where EU/UK GDPR applies, we rely on: contract (running your account and delivering extraction you request), legitimate interests (securing the service, debugging without reading PDF contents, limited product analytics), and legal obligation where we must retain billing records for tax or compliance. Where we ask for optional marketing consent, we rely on consent and you may withdraw it without affecting core service delivery.

Subprocessors and infrastructure

We use vetted providers that process data on our instructions:

  • Supabase (authentication, Postgres database, object storage for uploads, and server-side functions). PDFs reside in our storage bucket only for short-term processing; structured extraction outputs and account metadata are stored in Postgres under access controls.
  • Stripe for subscription checkout and billing. Stripe receives payment details and billing contact data as needed to complete transactions; we do not store full card numbers on Evidence Table Builder servers.
  • Email delivery (transactional messages such as sign-in and password reset) through our auth provider’s email channel, which processes recipient addresses and message metadata.

We do not sell personal information and we do not allow subprocessors to use your research PDFs or extraction results for their own model training.

International transfers

Your data may be processed in the United States and other regions where our providers operate. Where required, we rely on appropriate safeguards such as the UK/EU Standard Contractual Clauses and provider compliance programs. You may request more detail on transfers when you contact us.

Cookies and analytics

We use cookies and similar technologies needed for authentication sessions, security (for example CSRF protection where applicable), and aggregated product analytics that do not include PDF contents. Analytics events are designed to respect storage limitation: they support reliability and product improvement, not advertising profiles built from your manuscripts.

Data Protection

We implement various security measures to maintain the safety of your personal information:

  • TLS encryption for file transfers; provider-managed encryption at rest for storage and databases
  • Scoped access controls and service-role isolation for background jobs
  • Automated cleanup of uploaded PDFs (within 2 hours) and time-bounded retention of results (30 days)
  • Regular updates and monitoring of our cloud infrastructure
  • We do not use uploaded PDFs or extracted data for training AI models or any other purposes beyond your specific analysis requests

AI-Derived Research Outputs

Extracted answers, confidence scores, verbatim quotations, and processing metadata constitute derived research outputs. These outputs remain under the user's control, are exportable, and can be deleted at any time in accordance with applicable data protection laws.

Evaluation and Benchmarking

We do not use user-uploaded PDFs or extracted outputs for internal benchmarking, performance evaluation, or validation studies without explicit user consent.

Your Rights

Under GDPR and other data protection laws, you have the right to:

  • Access your personal data
  • Correct inaccurate personal data
  • Request deletion of your data
  • Object to processing of your data
  • Exercise data portability

California and US state privacy rights

If you are a California resident or otherwise covered by US state privacy laws that apply to our processing, you may request access, deletion, or correction of personal information we hold, and you may opt out of any sale or sharing of personal information (we do not sell personal information). We will verify requests to a reasonable degree before responding.

Children

Evidence Table Builder is intended for professional and academic research use. We do not knowingly collect personal information from children under 16. If you believe a child has provided us data, contact us and we will delete it promptly.

Contact Us

If you have any questions about our privacy practices or would like to exercise your data rights, please contact us at george@systematicreviewtools.app.

GDPR Alignment

We follow GDPR principles of data minimization and storage limitation: uploaded PDFs are deleted automatically within 2 hours, results are retained for 30 days for support and quality, and you can delete all stored data from your profile at any time. We will honor access, correction, and erasure requests submitted through our support channel.

Responsible AI Use

For more information about our commitment to responsible AI use in evidence synthesis, please see our Responsible Use of AI in Evidence Synthesis page.

Changes to this policy

We update this page when retention windows, subprocessors, or product features materially change. Material changes will be reflected in the “Last updated” date at the top. Continued use of the service after an update constitutes acceptance where permitted by law; where consent is required, we will obtain it separately.