Privacy policy
Data processing agreement forming part of the SciBeacon Legal & Data Agreement (version 2026-06-06).
Last updated: 6 June 2026
Summary: This Privacy policy is part of the binding Legal & Data Agreement accepted at registration, together with the Terms of service and Disclaimer. We collect the minimum data needed to run the service. We do not sell personal data. Patient-identifiable information must never be uploaded. AI outputs require human review. Data is encrypted in transit and at rest.
1. WHO WE ARE
SciBeacon ("we", "us", "our") operates this research workflow platform. We act as a data controller for account data and as a data processor for research content you submit. For privacy enquiries, use our Contact us page.
2. DATA WE COLLECT
- Account data: email, authentication identifiers, and profile fields you provide at sign-up.
- Usage data: feature events, token usage metadata, and technical logs (timestamps, errors) used to operate and improve the service.
- Content you submit: research queries, draft text, uploaded documents, and messages entered into workflows.
- Cookies and local storage: session tokens and interface preferences required for sign-in functionality.
We apply the data minimisation principle — we collect only what is necessary for the stated purpose, in line with GDPR Article 5(1)(c) and HIPAA minimum necessary standards.
3. PATIENT PRIVACY AND PROHIBITED DATA
SciBeacon is a research workflow tool, not a clinical records system. You must not upload, enter, or process patient-identifiable or Protected Health Information (PHI) on this platform. This includes, but is not limited to: patient names, dates of birth, NHS or national ID numbers, medical record numbers, biometric identifiers, free-text clinical notes, or any data that could be linked back to an individual patient.
If your research involves patient data, you must de-identify it in accordance with HIPAA Safe Harbor (45 CFR §164.514(b)) or GDPR pseudonymisation/anonymisation requirements before entering any information into the platform. Any decision to use identifiable data requires your institution's data protection officer, ethics committee approval, and a formal data processing agreement — contact us before proceeding.
4. USER RESPONSIBILITY FOR PATIENT DATA PROTECTION
You are the data controller for any research data you bring to SciBeacon. This means:
- You must have a lawful basis for processing any data you submit (e.g. informed consent, legitimate interest, or a legal obligation under your local regulations).
- You are responsible for ensuring your use of SciBeacon complies with applicable data protection laws (GDPR, HIPAA, CCPA, or equivalent) and your institutional policies.
- You must not share credentials or allow unauthorised individuals to access data stored in your workspace.
- You must report any suspected breach or accidental disclosure involving patient data to your data protection officer and to us without undue delay.
- Administrators are responsible for configuring access controls within their organisation's workspace appropriately.
5. HOW WE USE DATA
- Provide, secure, and maintain the application and its features
- Authenticate users and enforce role-based access controls
- Run AI-assisted features you explicitly request
- Measure usage and estimated LLM cost (see Analytics dashboard)
- Respond to support requests and satisfy legal obligations
- Detect and prevent fraud, abuse, and security incidents
We rely on the following legal bases (GDPR): contract performance for service delivery; legitimate interests for security and analytics; and legal obligation for compliance and breach reporting.
6. AI USE AND HUMAN-IN-THE-LOOP SAFEGUARDS
SciBeacon uses large language models (LLMs) and Python-based ML pipelines to assist with literature screening, protocol drafting, statistical planning, and editorial assessment. The following safeguards apply to all AI-assisted workflows:
- Human-in-the-loop oversight: All AI outputs — suggestions, drafts, classifications, and scores — are presented as assistive content requiring human review and professional judgment before use. No AI decision is final or autonomous.
- Zero training-data use: We configure model providers with instructions not to use your submitted content for model training or improvement. This mirrors HIPAA BAA requirements for AI vendors handling research data.
- Purpose limitation: Content you submit to an AI workflow is processed solely to fulfil your request — it is not repurposed for other users, profiling, or advertising.
- Transparency: Each AI-assisted feature identifies the model provider used, and analytics are available in your dashboard.
- No patient data in AI calls: Submitting patient-identifiable information to AI workflows is strictly prohibited (see section 3). Use de-identified, anonymised, or fictional data only.
- Data Protection Impact Assessment (DPIA): High-risk AI processing activities are assessed in accordance with GDPR Article 35 and HIPAA security risk analysis requirements before deployment.
7. DATA ENCRYPTION AND SECURITY
We apply technical and organisational measures appropriate to the risk:
- Encryption in transit: All connections use TLS 1.2 or higher. Data transmitted between your browser, our servers, and third-party model APIs is encrypted end-to-end.
- Encryption at rest: Data stored in our database (Supabase / PostgreSQL on AWS infrastructure) is encrypted at rest using AES-256.
- Access controls: Role-based access control (RBAC) limits data access to authorised users. Service-role API keys are restricted to server-side routes and are never exposed to client bundles.
- Audit logging: Administrator actions and sensitive operations are logged with timestamps and user identifiers to support incident investigation and compliance review.
- Least-privilege principle: API integrations and internal services are granted the minimum permissions required for their function.
No system is perfectly secure. If you discover a vulnerability, report it privately via Contact us before public disclosure.
8. AI AND THIRD-PARTY PROCESSORS
When you use AI features, relevant content is sent to configured model providers (e.g. Google Gemini, OpenRouter-routed models) solely to complete your request. We require providers to:
- Not use your content for model training or improvement
- Process data under appropriate data processing agreements or BAAs
- Apply their own security standards to data in transit and at rest
Third-party processors also include cloud infrastructure (hosting, database, authentication). A current list of sub-processors is available on request.
9. DATA RETENTION
We retain account and usage data while your account is active, and for a reasonable period thereafter for backups, security investigation, and legal compliance. Research content you delete is removed from active storage; backup copies are purged on the standard backup rotation schedule. You may request deletion of your personal data — subject to institutional policy and lawful retention requirements — via Contact us.
10. COOKIES AND TRACKING
We use strictly necessary cookies for session management and authentication. We do not use advertising cookies, cross-site tracking, or third-party analytics cookies that identify you across the web. Interface preferences may be stored in browser local storage. No consent banner is displayed because no non-essential tracking is active; if this changes, this policy will be updated.
11. INTERNATIONAL DATA TRANSFERS
Infrastructure and model provider services may involve processing data outside your country of residence. Where data is transferred out of the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or other approved mechanisms. Users in the United States should note that some infrastructure may be hosted by AWS or equivalent providers in US data centres subject to applicable US law.
12. BREACH NOTIFICATION
In the event of a personal data breach that poses a risk to individuals, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, in compliance with GDPR Article 33 and applicable HIPAA Breach Notification Rule requirements. Notifications will describe the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.
13. CHILDREN
The service is intended for qualified adult researchers and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided data, contact us for immediate removal.
14. CHANGES TO THIS POLICY
We may update this policy as the service evolves or regulations change. Material changes will be reflected by the "Last updated" date at the top of this page. For significant changes, we will notify active users by email or in-app notice at least 14 days before the change takes effect.