Skip to content
Explore Science/Privacy PolicyLast updated 1 July 2026

Privacy Policy

This policy explains what personal data we collect, why we collect it, where we store it, and the rights you have under GDPR and equivalent regimes. For a plain-language overview of how documents and reviews are handled, see Data handling.

01Who We Are

Explore Science Pty Ltd ("Company", "we", "us", "our") operates the Explore Science site and web application, accessible from https://explorescience.ai ("Service", "Website").

02What Data We Collect

We collect only the minimum data necessary to provide our Service (data minimisation principle):

CategoryDetails
Account DataEmail (required), display name
AuthenticationHashed password, or a sign-in token from a connected provider (Google, ORCID)
Phone NumberMobile number, collected to verify your account at sign-up. The number is held by our authentication provider to send the verification code; we store only a hashed version and whether it was verified.
Profile DataAcademic role, career stage, field of study, usage goals, and how you heard about us (collected during onboarding). To help build your researcher profile, we search open scholarly databases (such as ORCID, OpenAlex, and ROR) using the details you provide, then surface your public research record for you to link and store your institution and publication metrics, refreshing them periodically. When you connect your ORCID iD, we import your public works and affiliations. A linked profile is visible to collaborators you invite to your projects.
Submission DataUser-uploaded research articles and any metadata you supply
Author & Co-author DataNames, email addresses, and affiliations of authors listed on manuscripts you upload, detected as part of our analysis and shown to you as suggested collaborators. We do not contact these individuals; invitations are sent only when you choose to send them.
Review & Chat DataAI-generated reviews, and the messages you send via the review chat, team chat, direct messages, and document comments, together with real-time collaboration signals such as who is currently viewing or editing a document.
Collaborator DataFor people you invite to a team or who join yours: name, email address, profile photo, and the times they were invited and joined.
Connected AccountsIf you connect a third-party account such as Zotero, we store an access token for that account and metadata for the items you sync (for Zotero: titles, authors, DOIs, venues, and years).
Payment DataBilling email, name, and payment method (processed by Stripe; we store only the Stripe customer identifier)
Usage DataIP (short-lived), browser type/version, timezone, interaction events, referral/attribution parameters, error and diagnostic reports, and session replays used to diagnose bugs and improve the product. Form inputs and the document viewer are masked in these recordings.
Cookies & Local StorageStrictly necessary cookies; analytics cookies; and browser local and session storage used for sign-in, attribution, and interface preferences

03Why & How We Use Your Data

The lawful bases under GDPR for each processing purpose:

PurposeDataGDPR Basis
Provide and secure the serviceAccount, Profile, Submission, Review & ChatContract Art 6(1)(b)
Verify your account and prevent abusePhoneContract Art 6(1)(b)
Process paymentsPaymentContract Art 6(1)(b)
Quality, safety & fraud preventionReview, UsageLegitimate interests Art 6(1)(f)
Product improvement & analyticsUsage, ProfileLegitimate interests Art 6(1)(f)
Attribute authorship & suggest collaboratorsAuthor & Co-authorLegitimate interests Art 6(1)(f)
Optional marketing emailsAccountConsent Art 6(1)(a)

04International Transfers

Storage regions: Central United States and Southeast Australia.

AI processing providers

  • OpenAI (United States), DPF participant
  • Anthropic (United States), SCCs with supplementary measures
  • Google AI (United States), DPF participant
  • Mistral AI (France / EEA), no transfer, EEA-based
  • X AI (United States), SCCs with supplementary measures
  • Copyleaks (United States), plagiarism and integrity scanning, used only when you request an integrity review; SOC 2 and GDPR compliant, does not train on or retain your content

Other service providers

  • Customer.io (EEA), email and in-app messaging, no transfer required
  • Google Firebase (United States), authentication and phone verification, DPF participant
  • Stripe (United States), payment processing, DPF participant
  • PostHog (United States), analytics, DPF participant
  • Google Tag Manager / Google Analytics (United States), website analytics, DPF participant

Transfer safeguards

  • United States: DPF or SCCs 2021 with supplementary encryption and access controls
  • Australia: SCCs 2021 plus the same supplementary safeguards
  • All providers: Data is encrypted in transit, processed with minimal retention, and subject to strict DPAs

You may obtain a copy of the relevant SCCs by emailing [email protected].

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to these transfers. We ensure adequate controls are in place including the security of Your data and other personal information.

05Retention

  • Uploads & reviews: removed from your workspace on your command
  • Chat messages: retained while the associated document exists; deleted with the document
  • Phone verification: hashed number and verification status retained for the life of your account
  • Usage / analytics events: 18 months
  • Payment records: retained as required by tax and accounting law (typically 7 years)
  • Account closure & erasure: on closure we deactivate your account; you may request erasure of your personal data at any time by emailing [email protected], and we action it without undue delay

06Your Rights

Under GDPR, you have the following rights:

  • Access to your personal data
  • Correction of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Right not to be subject to automated decision-making with legal effects

Exercise your rights via [email protected].

07Security Measures

We implement the following security measures:

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest
  • Token-based authentication with revocation checking and role-based access control
  • Staff two-factor authentication and GDPR training
  • Structured audit logging on all data access and administrative operations

While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

08Data Breach Notification

We notify the competent supervisory authority within 72 hours of discovering a personal-data breach and affected users without undue delay, unless strong encryption renders risk unlikely.

09Children

Our Service is not directed to children under 18; we do not knowingly collect their data. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.

10Third-Party Processors

Our processors are bound by Data Processing Agreements (DPAs) or equivalent data-protection terms. AI providers operate under commercial / enterprise API contracts: no training on your content, with a brief automated safety-retention window (up to 30 days) under their standard terms, segregated from training systems.

AI providers

  • OpenAI (United States)
  • Anthropic (United States)
  • Google AI Gemini (United States)
  • Mistral AI (France)
  • X AI (United States)
  • Copyleaks (United States), plagiarism and integrity scanning, used only when you request an integrity review

Other service providers

  • Google Firebase (United States), authentication and account verification
  • Customer.io (EEA), email and in-app messaging, and related account attributes such as subscription status, usage, and referral source
  • Stripe (United States), payment processing
  • PostHog (United States), product analytics, session replay, error reporting, support conversations, and AI assistant observability (including the content of assistant chats)
  • Google Tag Manager / Google Analytics (United States), website analytics

Services you connect

You can sign in with, or connect, third-party services such as ORCID and Zotero. These services are controlled by their own providers under their own terms and privacy policies; we access only what is needed to provide the feature (your public ORCID record; the Zotero library items you choose to sync), at your direction.

Business transfers

If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Legal requirements

The Company may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities.

11Changes to This Policy

Updates are published on this page. The "Last updated" date at the top reflects the most recent revision. We recommend reviewing this page periodically.

12Cookie Management

You can manage cookie preferences, and clear local and session storage, through your browser settings. Strictly necessary cookies cannot be disabled. We do not use third-party advertising cookies.

13Data Portability

On request, and where required under GDPR or equivalent law, we will provide your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), including account information, document metadata, AI-generated reviews, and chat transcripts. Requests can be made by emailing [email protected].

14Contact

Links to other websites

Our Service may contain links to other websites that are not operated by Us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Privacy Policy · Explore Science