Legal

Privacy Policy

Last updated: May 2026

1. Data controller

Symmathy LLC is the data controller responsible for your personal data. We are a limited liability company organized in Wyoming, USA. Contact details are at the bottom of this page. If you are in the EU/UK and we do not have a local representative, Symmathy LLC is the controller of record.

2. What we collect

2.1 Information you provide

• Account data: email address, password hash, professional self-identification (e.g. clinician / researcher), and any profile fields you fill in.
• Search queries: the text you type into the scanner, search, discover, and compare tools.
• Uploaded documents: PDFs you submit to the scanner, and the extracted text we send to AI providers for analysis.
• Library entries: papers, summaries, and notes you save.

2.2 Information collected automatically

• IP address, browser user-agent, request timestamps, and approximate location (from IP) — used for security, abuse prevention, and rate-limiting.
• Functional cookies / local storage (e.g. session token, banner-dismissal flag).
• Aggregated, non-identifying usage metrics.

2.3 What we do not collect

We do not knowingly collect protected health information (PHI) about identifiable patients. Symmathy is not a HIPAA-covered service and is not designed to receive PHI. Do not upload identifiable patient information.

3. Why we process it & legal basis

Under GDPR / UK GDPR Article 6, we rely on the following legal bases:

• Performance of a contract — to provide the search, scan, compare, and library features you request.
• Legitimate interests — to secure the service, prevent abuse, debug errors, and improve product quality.
• Consent — for any optional analytics or marketing communications, where required.
• Legal obligation — to respond to lawful requests from authorities.

We do not use your data for automated decision-making with legal or similarly significant effects. We do not sell your personal data.

4. Who we share data with

We share the minimum personal data required with the following categories of processor:

• Hosting & backend infrastructure — Lovable Cloud (database, auth, file storage, edge compute).
• AI model providers — Google and OpenAI, accessed via the Lovable AI Gateway, for summarization and Q&A. Search queries and uploaded document text are transmitted to these providers.
• Source APIs — your search query is transmitted to PubMed, Europe PMC, Cochrane, ClinicalTrials.gov, J-STAGE, BVS/BIREME (LILACS), DOAJ, HAL, OpenAlex, and CrossRef in order to retrieve results. These providers receive only the query, not your account identity.
• Payments & Merchant of Record — Paddle.com Market Limited acts as our Merchant of Record. When you purchase a subscription, Paddle receives your name, billing address, email, payment method, and transaction details to process payment, calculate and remit tax, issue invoices, and handle refunds and chargebacks. Symmathy receives only the subscription status and a transaction reference — never your full card number.
• Authorities — when required by law, court order, or to protect our rights or the safety of others.

Each processor is bound by its own published privacy and data-handling policies. We do not control how upstream AI providers retain or use prompts beyond those policies — this is one reason you must not submit PHI.

5. International transfers

Some processors are located outside the European Economic Area or the UK (including the United States). Where transfers occur, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an applicable adequacy decision, as documented by each processor.

6. Retention

• Account data: kept while your account is active, plus up to 12 months after deletion for backups and abuse-prevention.
• Saved library entries and summaries: kept until you delete them or close your account.
• Server logs: typically 30–90 days.
• Anonymous aggregated analytics: indefinitely.

7. Your rights

Depending on where you live (GDPR in the EEA, UK GDPR, CCPA in California, and similar laws elsewhere), you may have the right to:

• access a copy of the personal data we hold about you;
• correct inaccurate or incomplete data;
• delete your account and associated personal data ("right to be forgotten");
• restrict or object to certain processing;
• port your data to another service in a machine-readable format;
• withdraw consent at any time, where processing is based on consent;
• lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU, the California Privacy Protection Agency).

To exercise any of these rights, contact us using the details below. We will respond within the timeframes required by applicable law (generally one month under GDPR).

8. Cookies & local storage

Symmathy uses strictly necessary cookies and browser local storage to keep you signed in, remember UI preferences (e.g. dismissed banners), and protect against abuse. We do not use third-party advertising cookies. If we add optional analytics in the future, we will request your consent first where required.

9. Children

Symmathy is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data, please contact us so we can delete it.

10. Contact

For privacy questions, data-subject requests, or to report a concern, contact Symmathy LLC at connect@symmathy.org. See also our Legal & Disclaimer page.

← Back to home