Privacy Policy
Effective Date: 8 May 2026 · Last Updated: 8 May 2026
Deepnotis ("we", "our", or "us") respects your privacy. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our platform. It is written to comply with the UK GDPR and the EU GDPR. By using Deepnotis, you agree to the terms outlined here.
1. Data Controller
The data controller for the Service is:
2. Information We Collect
When you create an account and use the Service, we collect:
Account information: first and last name, email address, hashed password (handled by our authentication provider, never seen by us in clear), and preferred citation style.
Document content: the .docx files you upload, the citations extracted from them (footnotes and endnotes), and the rewritten outputs you download.
Citation metadata: structured CSL fields (authors, titles, DOIs, journal names, dates) produced by our auto-labeling pipeline. These are derived from your document and from public bibliographic databases (CrossRef, OpenAlex).
Usage data: authentication events, upload counts (used for monthly quota enforcement), basic timestamps. We use a privacy-respecting, cookieless analytics system that records aggregated page views without storing personally identifying information or tracking you across sites.
Payment information: billing data is handled by Stripe. We never see or store your card number; we only receive the subscription status and the last four digits of the card for receipts.
3. How We Use Your Information & Lawful Basis
Under the UK/EU GDPR (Article 6), each processing activity has a lawful basis:
- Provide the Service — process your documents, extract and reformat citations, render downloadable outputs, manage your account. Lawful basis: performance of the contract (Art. 6(1)(b)).
- Process payments — handle subscription billing through Stripe. Lawful basis: performance of the contract (Art. 6(1)(b)).
- Service-related communication — send transactional emails (welcome, plan changes, cancellations, password resets) via Resend. Lawful basis: performance of the contract (Art. 6(1)(b)) and our legitimate interest in keeping you informed about your account (Art. 6(1)(f)).
- Service improvement — aggregated analytics, debugging, error monitoring. Lawful basis: legitimate interest (Art. 6(1)(f)) in running and improving a reliable Service.
- Legal obligations — retain billing records as required by tax/accounting law. Lawful basis: legal obligation (Art. 6(1)(c)).
4. Use of Citation Metadata to Improve Our Model
By default, we use field-level citation metadata (authors, titles, DOIs, journal names, publication years) to improve the accuracy of our citation-analysis model. We never use the body of your manuscript or any long-form text from your document for this purpose — only the structured bibliographic fields, which are themselves already public information drawn from CrossRef/OpenAlex.
You can opt out at any time from your Account settings. Opting out excludes your data from future training batches; previously aggregated batches are not retroactively filtered. Lawful basis: legitimate interest (Art. 6(1)(f)), balanced against your right to opt out.
5. Sub-Processors and Data Sharing
We do not sell your personal data. We share it only with the sub-processors necessary to operate the Service:
Supabase (authentication + database) — account data and citation metadata. Hosted in the EU.
Cloudflare R2 (object storage) — uploaded .docx files and exported outputs. Hosted in the EU/global edge.
Stripe (payments) — subscription billing and card processing. Hosted in Ireland (EU) and the US.
Resend (transactional email) — account-related emails. Hosted in the US.
n8n (self-hosted by us) — orchestration of the citation extraction and export pipelines. Hosted in the EU.
Umami (cookieless web analytics) — aggregated page-view counts, traffic source, country, device type. No cookies, no fingerprinting, no cross-site tracking, no personal identifier shared. Honours Do-Not-Track. Operated by Umami Software, Inc. (cloud.umami.is).
CrossRef & OpenAlex — public bibliographic databases queried server-side during auto-enrichment. We send only DOIs / titles, never your identity.
Legal authorities — only if compelled by valid legal process in the UK or EU.
6. International Transfers
Some of our sub-processors (Stripe, Resend, parts of Cloudflare) process data in the United States. Such transfers rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (2021/914), and the EU–US Data Privacy Framework where applicable. Each provider is contractually required to maintain a level of protection equivalent to UK/EU standards.
7. Document Handling and Retention
- Uploaded documents and converted outputs are stored securely for the retention window of your plan: 30 days on Nota (Free), 365 days on Copia, and as long as your subscription is active on Summa / Institution. After the retention window the documents and their citations are permanently deleted by an automated cron job.
- You retain full copyright and full responsibility for what you upload. We do not modify the substantive content of your manuscript — we only reformat citations.
- In rare debugging cases we may inspect a sample of a document to investigate a defect. Such inspection is limited, logged, and conducted under confidentiality.
- Account data is kept while your account is active and for up to 30 days after account deletion (to handle billing reconciliation). Billing records are kept for 7 years as required by UK tax law.
8. Security
We use industry-standard technical and organisational measures: TLS in transit, encryption at rest by our sub-processors, row-level security in our database, strict access controls, webhook signature verification, and a Content Security Policy in enforcement mode. Despite these measures, no system is perfectly secure; in the event of a personal data breach we will notify affected users and the relevant supervisory authority within 72 hours, in line with Article 33 GDPR.
9. Your Rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Correct inaccurate data (Art. 16).
- Request deletion of your data (Art. 17) — you can do this at any time from Account.
- Restrict or object to processing (Art. 18, 21).
- Receive a portable copy of your data (Art. 20) — an export feature is available from your Account.
- Withdraw consent for any processing based on consent (with no effect on processing carried out before withdrawal).
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority.
To exercise any of these rights, contact support@deepnotis.com. We respond within 30 days.
10. Minors
You must be at least 18 years old or the age of majority in your jurisdiction to use Deepnotis. We do not knowingly collect data from minors; if we become aware that a minor has created an account, we will delete it promptly.
11. Updates to this Policy
We may update this Privacy Policy as the Service evolves. We will update the "Last Updated" date above and, for material changes (new sub-processor, new processing purpose), notify active users by email at least 14 days before the change takes effect.
12. Contact
For any question or request regarding your personal data: