Privacy Policy
Last updated: June 2026
Short version: We collect only what is necessary to provide the service. We do not sell your data. We do not use your content to train AI models.
1. Who we are
RefScout is an academic reference finder that helps researchers locate and cite real sources. References to "we," "us," or "our" in this policy refer to the RefScout service.
For privacy questions or requests, contact us at:
privacy@refscout.app
2. Data we collect
- Account data — when you register: your email address and a hashed password (we never store your plain-text password). If you sign in with Google, we receive your verified email from Google.
- Usage data — we count how many searches and citation analyses you perform each day to enforce plan limits. We store the endpoint name and timestamp, not the content of your queries.
- Saved papers — if you save a paper to your personal library, we store the paper metadata (title, authors, DOI, etc.) that you chose to save.
- Billing data — if you subscribe to Pro, Stripe processes your payment. We store only your Stripe customer ID and subscription ID; we never see or store your card details.
- Server logs — standard web server logs (IP address, timestamp, HTTP method, path, response code). These are retained for up to 30 days for security and debugging.
3. What we do NOT collect
- The text you paste into Cite or Draft mode is sent to the API for processing and is not stored on our servers after the request completes.
- Your search queries are not stored (only the count per day for rate limiting).
- We do not use browser cookies beyond what is needed for the session; we rely on a JWT token stored in your browser's localStorage.
4. AI and your content
We do not train AI models on your content. When you use the Cite or Draft features, your text is sent to the Anthropic API (Claude) to detect citation-worthy claims. Anthropic's API usage policies apply; your data is not used by Anthropic to train their models under the API terms.
5. How we use your data
- To provide the RefScout service and authenticate your account.
- To enforce daily usage limits under the freemium model.
- To process your Pro subscription via Stripe.
- To debug and improve the service (aggregate, anonymised metrics only).
6. Data sharing
We do not sell your data. We share data only with the following service providers necessary to run RefScout:
- Anthropic — processes your text via the Claude API for claim detection.
- Stripe — handles payment processing for Pro subscriptions.
- Semantic Scholar & OpenAlex — academic search APIs queried with your search terms.
- CrossRef — queried with DOIs for verification; no personal data is sent.
7. Data retention
- Account data — retained as long as your account is active.
- Usage logs — retained for 90 days, then deleted.
- Saved papers — retained until you delete them or close your account.
- Server logs — retained for up to 30 days.
8. Your rights (GDPR)
If you are located in the European Economic Area, you have the following rights:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and associated data.
- Portability — request your data in a portable format.
- Objection — object to certain types of processing.
To exercise any of these rights, email privacy@refscout.app. We will respond within 30 days.
9. Security
Passwords are hashed with bcrypt before storage. JWTs are signed with a server-side secret. Payments are handled entirely by Stripe's PCI-compliant infrastructure. We use HTTPS for all data in transit.
10. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects the most recent revision.