Privacy Policy
Last updated: March 2026
Research Assistant ("the App") is a tool designed to help medical professionals manage and review clinical and scientific literature. This policy explains what information is collected, how it is used, and how it is protected.
1. Who This Policy Applies To
This App is intended for use by authorized medical professionals and researchers. Access is restricted to verified users who authenticate via Google OAuth. The App is not intended for, and does not knowingly collect data from, the general public or minors.
2. Information We Collect
- Google account identity: When you sign in with Google, we receive your email address and basic profile information (name, profile picture) from Google's OAuth service.
- Google Drive access: With your permission, the App reads and writes files in a Google Drive folder you designate. This is used to store citation exports, PDF files, and article data.
- Configuration data: Settings you enter in the App, including PubMed search parameters, email notification preferences, and optional third-party API keys (OpenAI, Anthropic, Gemini, PubMed). Sensitive values such as API keys and email passwords are encrypted before storage.
- Article review activity: Records of which articles you have reviewed, saved, or rated (thumbs up/down) are stored to support the relevance matching features of the App.
- Session data: A secure, encrypted session cookie is stored in your browser for up to 7 days to keep you logged in.
3. How We Use Your Information
- To authenticate you and verify your identity via Google OAuth.
- To fetch and display relevant medical literature from PubMed based on your configured search parameters.
- To write citation files and article data to your designated Google Drive folder.
- To send email notifications about articles you have selected, using the SMTP credentials you provide.
- To improve article relevance recommendations using your review history (thumbs up/down feedback).
- To process citations and answer queries using AI language models (if you have configured API keys for OpenAI, Anthropic, or Google Gemini).
We do not use your data for advertising, do not sell your data to third parties, and do not share your data with any party except as described below.
4. Third-Party Services
The App connects to the following external services to provide its functionality:
- Google OAuth & Google Drive API — for authentication and Drive file storage. Governed by Google's Privacy Policy.
- NCBI PubMed E-utilities — for fetching medical literature metadata. No personal data is sent; only your configured search queries are transmitted.
- Unpaywall / Crossref — for locating open-access PDF links. Only article DOIs are transmitted.
- OpenAI, Anthropic, Google Gemini (optional) — if you configure API keys for these services, article text and citation data may be sent to them for AI-assisted querying. Their respective privacy policies apply. We do not store AI responses beyond your current session.
5. Data Storage and Security
- User configuration data, including encrypted OAuth tokens and API keys, is stored in Google Cloud Firestore.
- Sensitive values (OAuth access tokens, refresh tokens, email passwords, API keys) are encrypted at rest using AES-128 Fernet encryption. Encryption keys are stored in Google Cloud Secret Manager, not in application code.
- All data is transmitted over HTTPS. Session cookies are marked Secure, HttpOnly, and SameSite=Lax.
- The App is hosted on Google Cloud Run in the United States.
6. Data Retention
Your configuration and article review history are retained in Firestore for as long as your account is active. If you wish to have your data deleted, contact the administrator. Article data and citation files stored in your Google Drive are under your own control and can be deleted by you at any time.
7. Your Rights
- You may revoke the App's access to your Google account at any time via Google Account Permissions. Revoking access will prevent the App from accessing your Drive, but existing session cookies may remain valid for up to 7 days.
- You may request deletion of all stored configuration data by contacting the administrator.
- You may export your current configuration at any time using the Export function in the App settings (sensitive fields are excluded from exports).
8. Changes to This Policy
This policy may be updated from time to time. The date at the top of this page reflects when it was last revised. Continued use of the App after changes constitutes acceptance of the revised policy.
9. Contact
For questions about this privacy policy or to request data deletion, contact the App administrator at ra@aeq.com.