1. Introduction
RefDesk ("we", "our") is committed to protecting user privacy. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what your rights are. This policy applies to all use of the RefDesk platform at refdesk.com.
2. Data We Collect
2.1 Information you provide
- Account data: Name, email address, and profile picture (when signing in with Google)
- Research data: Research ideas, descriptions, AI conversation responses, research questions, and generated protocols
- Search queries: Scoping search terms and search strategies
- Preferences: Preferred language (Hebrew/English) and user context
2.2 Automatically collected information
- Usage data: Pages viewed, actions taken, timestamps
- Technical data: IP address, browser type, operating system, screen resolution
- Cookies: For session management and preference storage
2.3 Information we do NOT collect
- We do not collect payment details directly — Paddle handles all payment data
- We do not collect personal medical information
- We do not knowingly collect information from users under 18
3. How We Use Your Data
We use your information for the following purposes:
- Service operation: Processing AI conversations, generating protocols, running scoping searches, and building search strategies
- Account management: Authentication, subscription management, and communicating with you
- Service improvement: Analyzing usage patterns to improve user experience and functionality
- Technical support: Responding to inquiries and resolving issues
- Legal compliance: Fulfilling legal and regulatory obligations
Legal basis for processing (GDPR Article 6):
- Performance of contract (Art. 6(1)(b)): Account management, service operation, scoping search, and search strategy building
- Consent (Art. 6(1)(a)): AI conversation processing — can be withdrawn at any time via your Settings page
- Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and service improvement
We do not sell your personal information. We do not use your research content to train our own AI models.
Automated Decision-Making (GDPR Article 22):
RefDesk does not make automated decisions that produce legal or similarly significant effects on you. Framework selection uses deterministic logic (a decision tree), and AI content is an assistive tool only — all final decisions rest with you.
4. AI Processing & Zero Data Retention Guarantee
🔒 Zero Data Retention Guarantee
We strictly utilize the paid, enterprise tier of the Google Gemini API to process your research queries. Under these specific commercial terms, Google explicitly guarantees a Zero Data Retention policy for AI training. This means your inputs, research ideas, and generated outputs are NOT used to train Google's foundation models, nor are they used to train any of RefDesk's internal systems. Your intellectual property remains 100% yours and is securely processed solely to generate your requested outputs.
Important to know:
- AI processing is based on your consent (GDPR Art. 6(1)(a)). You can withdraw this consent at any time via your Settings page — withdrawal will prevent use of AI conversations but will not affect the lawfulness of processing performed before withdrawal
- We use the paid, enterprise tier of the Google Gemini API, under which Google is contractually bound not to retain or use customer data for model training
- We do not share personally identifiable information with Google beyond conversation content
- We explicitly guarantee that your content, including research ideas and AI conversations, is NOT used to train any artificial intelligence models — neither by RefDesk nor by our third-party AI providers
- MeSH terms are retrieved separately from NCBI and do not pass through AI models
- OpenAlex data is public and freely accessible
5. Data Sharing
We share information only with the following parties and for the stated purposes:
| Service | Purpose | Data type | Location |
|---|---|---|---|
| Supabase | Storage & auth | Account & project data | Ireland (EU) |
| Google Gemini | AI processing | Conversation content | US / Global |
| Paddle | Payments | Email, billing details | United Kingdom |
| NCBI | MeSH lookup | Search terms only | United States |
| OpenAlex | Scoping search | Search queries only | United States |
| Vercel | Hosting | Technical data (IP, browser) | Global CDN |
We do not sell, rent, or share your personal information with third parties for marketing purposes.
6. Cookies
RefDesk uses cookies for the following purposes:
- Essential cookies: Session management, user authentication, and language preference
- Functional cookies: Remembering user interface preferences
We do not use marketing cookies or third-party tracking cookies for advertising. We do not use Google Analytics or similar tracking tools.
7. Data Retention
We retain your information as follows:
- Account data: As long as the account is active. Deleted upon account deletion
- Project & conversation data: As long as the project exists. Deleted with the project or account
- Payment data: Managed by Paddle in accordance with regulatory requirements
- Technical data (logs): Retained up to 90 days for troubleshooting and security
After account deletion, all personal data will be removed within 30 days, except where retention is required by law.
8. Data Security
We take reasonable measures to protect your information:
- All communications are encrypted via HTTPS/TLS
- Data is stored on Supabase servers with encryption at rest
- Authentication uses secure JSON Web Tokens (JWTs)
- Row Level Security (RLS) policies are enabled on all database tables
- Rate limiting is applied to prevent abuse
Despite these measures, no method of internet transmission is 100% secure. We cannot guarantee absolute security.
9. International Data Transfers
System data is stored on Supabase servers in Ireland (EU). AI conversation content is processed by Google Gemini on servers that may be located outside your region of residence. Payments are processed by Paddle in accordance with Paddle's terms.
We maintain Data Processing Agreements (DPAs) with all our service providers, including Supabase, Google, Paddle, and Vercel. Data transfers outside the European Economic Area are conducted under Standard Contractual Clauses (SCCs) and in compliance with GDPR and the Israeli Privacy Protection Law.
EU Representative (GDPR Article 27):
RefDesk is operated by Shai Tamam from Israel. As the service processes data of EU residents, we are in the process of appointing an EU representative in accordance with Article 27 of the GDPR. Until the appointment is finalized, you may contact us directly at refdeskshaitamam@gmail.com for any data protection inquiries.
10. Your Rights
Under applicable privacy laws (including GDPR and the Israeli Privacy Protection Law), you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you
- Right of rectification (Art. 16): Request correction of inaccurate or outdated data
- Right of erasure (Art. 17): Delete your account and all associated data via your Settings page
- Right of portability (Art. 20): Export all your data in JSON format via your Settings page
- Right to object (Art. 21): Object to processing of your data in certain cases
- Right to restriction (Art. 18): Request restriction of processing of your data
- Right to withdraw consent (Art. 7(3)): Withdraw your consent for AI processing at any time via your Settings page — withdrawal will not affect the lawfulness of processing performed before withdrawal
You can exercise most of these rights directly from your Settings page (data export, account deletion, AI consent toggle). For additional requests, contact us at refdeskshaitamam@gmail.com. We will respond within 30 days.
11. Children
RefDesk is not intended for users under 18. We do not knowingly collect information from minors. If we learn that we have collected information from a minor, we will delete it immediately. If you believe a minor has provided us with personal information, please contact us.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of personal information collected, used, and shared
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale: RefDesk does not sell personal information and does not share personal information for cross-context behavioral advertising
- Non-Discrimination: We will not discriminate against users who exercise their rights
To exercise these rights, contact us at refdeskshaitamam@gmail.com. We will acknowledge receipt within 10 business days and respond substantively within 45 calendar days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on the website and registered users will be notified via email. The last update date appears at the top of this document. Continued use of the service after changes are posted constitutes acceptance of the updated policy.
14. Contact
For questions about this Privacy Policy or to exercise your rights, contact us:
Email: refdeskshaitamam@gmail.com
For Israeli residents: You may contact the Israel Privacy Protection Authority at www.gov.il/privacy.
For EU residents: If you are not satisfied with how your inquiry was handled, you have the right to file a complaint with the data protection supervisory authority in your country.