Privacy Policy

Your privacy is our priority

Last updated: August 14, 2025

International Data Processing Notice

IMPORTANT: Your data will be processed across multiple international jurisdictions including the United States, European Union, and other regions where our service providers operate.

By using this service, you acknowledge and consent to the international transfer and processing of your personal data and research materials. We implement appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions where available.

If you are subject to data localization requirements or institutional policies that restrict international data transfers, please consult with your legal/compliance team before using this service.

Privacy at a Glance

We never sell your data

Your research is confidential

Delete anytime

Request data deletion via email

Minimal data collection

Only what's needed for service

International processing

With appropriate safeguards

Who We Are & Contact

Data Controller: Litry is the data controller for website analytics, marketing activities, and lead generation. For research data processing, we act as a data processor following your instructions.

Privacy Contact: legal@litry.org

Data Protection Officer: For GDPR-related inquiries, contact our DPO at dpo@litry.org

Legal Basis Registry: Available upon request for detailed information about processing lawful bases.

What We Collect

Contact Information

  • Name (first and last)
  • Email address
  • Phone number
  • Organization (if provided)

Research Data (Academic/Scientific Purpose)

  • Uploaded reference files (.ris, .nbib, .xml, .csv)
  • Screening criteria and conversations
  • Generated screening results and AI recommendations
  • Job metadata (timestamps, status, counts)
  • Study abstracts and bibliographic metadata
  • Author names and institutional affiliations (where provided)
  • Research field classifications and keywords

Note: Research data may contain special category data under GDPR if studies involve health, genetics, or other sensitive research areas.

Technical Data

  • IP address (for country detection)
  • Browser type and version
  • Basic usage analytics (page views, feature usage)
  • Error logs for debugging

How We Use Your Data

Service Delivery

Process your screening requests, generate results, and provide customer support

Quality Improvement

Enhance ML models, fix bugs, and improve user experience

Communication

Send results, respond to inquiries, and notify about service updates

Legal Compliance

Meet legal obligations and protect our rights when necessary

Lawful Bases (UK GDPR)

Contract

To deliver the service you've requested

Legitimate Interests

To improve quality/safety (you can opt out of improvement/training)

Legal Obligation

To comply with law and defend legal claims

Consent

Where we send optional marketing communications

Model Training & Service Improvement

Paid-Tier Data Usage

We may use paid-tier project data (files, prompts, outputs) to improve model quality, reliability, and safety.

You can opt out at any time:

  • Toggle 'Exclude my data from model training' in the app; or
  • Email NO-TRAIN with your project ID

Opting out won't limit processing needed to deliver your job.

Data Retention

Free tier

Auto-deletes after 12 hours

Paid tiers

Retained for operations and improvement until you request deletion or for a maximum of 24 months from job completion (whichever is earlier).

If you opt out of training, your future projects are excluded; you can request deletion of prior projects. Minimal audit logs and invoices may be kept longer for legal reasons.

International Data Transfers & Cross-Border Processing

Cross-Border Processing Notice

Your data WILL be processed internationally. This includes transfers to and processing in the United States, European Union member states, and other jurisdictions where our technology providers operate.

Countries where your data may be processed:

  • United States (Our ML infrastructure, cloud services)
  • European Union (Redis cloud services, backup storage)
  • United Kingdom (Railway hosting, primary processing)
  • Canada (Additional cloud regions as needed)

Academic institutions with data residency requirements: Please verify with your institution's ethics board, data protection officer, or legal counsel before uploading sensitive research data.

We implement robust safeguards for all international transfers as required by UK GDPR and EU GDPR. Our complete subprocessor list is available at /subprocessors.

Transfer Safeguards Implemented:

UK IDTA (UK Addendum)

UK International Data Transfer Addendum to EU Standard Contractual Clauses

EU SCCs (Standard Contractual Clauses)

European Commission approved transfer mechanisms

Adequacy Decisions

Where available (e.g., UK-EU adequacy bridge)

Technical Safeguards

End-to-end encryption, access controls, audit logs

Transfer Impact Assessment: We have conducted Transfer Impact Assessments (TIAs) for all international transfers. If you require details about transfer risks or safeguards for specific jurisdictions, contact our DPO.

Your Choices

Opt-out of model training

At any time (toggle or "NO-TRAIN" email)

Request deletion

Of project files/outputs

Export a copy

Of your data. We respond within 30 days

Data Security & Protection Measures

Technical Security Measures

End-to-End Encryption

TLS 1.3 in transit, AES-256 at rest

Zero-Trust Architecture

Multi-factor authentication, least privilege access

Vulnerability Management

Regular security scans, penetration testing

Access Controls

Role-based permissions, audit logging

Data Loss Prevention

Automated backups, geo-redundancy

Compliance Monitoring

Continuous security monitoring, SOC 2 Type II

Organizational Security Measures

Staff Training: Regular data protection and security awareness training

Background Checks: Security clearance for all personnel with data access

Confidentiality Agreements: All staff bound by strict confidentiality obligations

Incident Response: 24/7 security operations center with defined breach procedures

Third-Party Audits: Annual independent security assessments and certifications

Data Breach Notification Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

1. Immediate Response (0-24 hours): Contain breach, assess impact, preserve evidence

2. Authority Notification (72 hours): Report to relevant supervisory authorities as required

3. Individual Notification (without undue delay): Notify affected individuals if high risk to rights/freedoms

4. Academic Institution Notification: Notify institutional contacts where applicable

5. Remediation: Implement measures to mitigate harm and prevent recurrence

Breach notifications will include: nature of breach, likely consequences, measures taken/proposed, contact point for more information.

Data Sharing

We never sell your data. We only share data in these limited circumstances:

  • Service Providers

    Trusted partners who help us deliver services (hosting, email) under strict confidentiality

  • Legal Requirements

    When required by law or to protect rights and safety

  • Aggregated Analytics

    Anonymized data to improve our services (no personal information)

Your Data Protection Rights (GDPR/UK GDPR)

You have comprehensive rights under data protection law. We respond to all requests within 30 days (or 90 days for complex requests with notification).

Right of Access (Article 15)

Request a copy of all personal data we hold about you

Includes: data categories, processing purposes, recipient details, retention periods

Right to Rectification (Article 16)

Correct or update inaccurate personal data

We will notify third parties of corrections where feasible

Right to Erasure (Article 17)

Request deletion of your personal data

Subject to legal retention requirements and legitimate interests

Right to Restrict Processing (Article 18)

Limit how we process your data in certain circumstances

While accuracy is verified or objections are considered

Right to Data Portability (Article 20)

Receive your data in machine-readable format

For data processed by automated means based on consent/contract

Right to Object (Article 21)

Object to processing based on legitimate interests

Including direct marketing and automated decision-making

How to Exercise Your Rights

Email: legal@litry.org with "Data Subject Request" in subject line

Required Information: Full name, email address used for service, specific right you wish to exercise

Identity Verification: We may request additional information to verify your identity before processing requests

Response Time: 30 days (extendable to 90 days for complex requests with notification)

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

UK: Information Commissioner's Office (ICO) - ico.org.uk

EU: Your national data protection authority

Academic Users: Your institution may also have internal data protection procedures

Data Retention

  • Free Tier Data

    Automatically deleted after 12 hours

  • Paid Service Data

    Retained for service improvement unless deletion requested

  • Contact Information

    Kept for customer service and legal requirements

Academic Research Data Processing

Special Considerations for Academic Users

Research Ethics Compliance: Users are responsible for ensuring their use of this service complies with institutional IRB/ethics board requirements and any study-specific data management plans.

Funding Requirements: Some research funders (NIH, NSF, EU Horizon) have specific data management requirements. Verify compliance before using this service for funded research.

Publication Compliance: Consider journal data availability policies and publisher requirements when using AI-assisted screening for systematic reviews.

Human Subjects Research: If your research involves human subjects data (even in abstract form), additional ethical and legal considerations may apply.

Institutional Data Agreements

For institutions requiring formal data processing agreements, business associate agreements, or custom privacy terms, contact our legal team at legal@litry.org

Privacy Contacts & Support

For privacy-related questions, data rights requests, or security concerns:

General Privacy Inquiries

Email: legal@litry.org

Response time: 5 business days

Data Protection Officer

Email: dpo@litry.org

For GDPR-specific inquiries

Security Incidents

Email: security@litry.org

24/7 for urgent security matters

Academic Partnerships

Email: academic@litry.org

For institutional agreements

Data Subject Requests: Include "Data Subject Request" in your email subject line and provide your full name, the email address used for our service, and the right you wish to exercise.

We respond to privacy requests within 30 days (or 90 days for complex requests with advance notification).

Policy Updates

We may update this privacy policy from time to time. We'll notify you of significant changes via email. Continued use of our services after updates constitutes acceptance of the revised policy.