Privacy Policy
Last updated
This notice explains what personal data Nabu Science collects when you use our research-evaluation service, why we collect it, the legal basis for each use, how long we keep it, and the rights you have over it. It is provided under Article 13 of the UK and EU General Data Protection Regulation (GDPR).
Who we are
Nabu Science (“Nabu”, “we”, “us”) is the data controller responsible for the personal data described in this notice.
For any privacy question, or to exercise the rights described below, you can reach us at privacy@nabu.science.
What we collect
Depending on how you use Nabu, we collect:
- Account data — your email address and authentication identifiers (such as your user ID and the login method you use).
- Uploaded papers — the PDF files you upload, and the text we extract from them so they can be evaluated.
- Paper metadata — bibliographic details such as the DOI, title, and authors of a paper.
- Evaluation outputs — the quality scores we generate and the written rationale for each evaluation dimension.
- Your library — the papers and evaluations you choose to save.
- Audit events — a log of legally significant actions, including the rights affirmation you make when you upload a paper (that you hold the rights needed to upload it).
- Analytics and error data — product usage events (such as signing up, requesting an evaluation, or uploading a paper) together with device and browser metadata, and diagnostic or error reports that help us keep the service working and secure. When you are signed in, usage events are linked to your account (your user ID and email address).
Why, and on what legal basis
We only process your personal data where we have a legal basis to do so. Each purpose below maps to a basis under Article 6 of the GDPR:
- Providing the evaluation service — creating and maintaining your account, accepting your uploads, generating and storing evaluations, and maintaining your library.
Legal basis: performance of a contract (Art. 6(1)(b)) — we process this data to deliver the service you have signed up for.
- Security, abuse prevention, and product analytics — protecting accounts and infrastructure, detecting and preventing fraud and misuse, and understanding how the product is used so we can improve it (including the account-linked usage events described above).
Legal basis: legitimate interests (Art. 6(1)(f)) — our legitimate interest in keeping the service secure and reliable, preventing abuse, and developing the product. We balance this interest against your rights and freedoms.
- Non-essential cookies and marketing — any optional analytics cookies and any marketing or product-update communications.
Legal basis: consent (Art. 6(1)(a)) — we only do this where you have opted in, and you can withdraw your consent at any time.
Who we share with
We rely on a small number of third-party service providers (subprocessors) to operate Nabu — for example, PDF parsing, AI evaluation, hosting, email delivery, product analytics, and error monitoring. We share only the data each provider needs to perform its function, and we do not sell your personal data. The current list of subprocessors, the data each one receives, its purpose, and where it operates is published at /legal/subprocessors.
International transfers
Some of our subprocessors are located in the United States, so your personal data may be transferred there. Where data is transferred outside the UK and the European Economic Area, we rely on the EU–US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses (SCCs) to ensure it remains protected to GDPR standards.
How long we keep it
- Uploaded PDFs — kept for 30 days by default. If you save a paper to your library, we keep its PDF for as long as your account remains active. If you remove a paper from your library, we delete its PDF within 7 days.
- Account and other identifiable data — when you delete your account, we delete all identifiable data within 30 days.
- Evaluation outputs — retained for the life of your account so your evaluation history stays available to you, and removed as part of the account-deletion process above.
Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectification — correct data that is inaccurate or incomplete.
- Erasure — ask us to delete your personal data.
- Portability — receive a copy of your data in a portable format, or have it exported.
- Restriction — ask us to limit how we use your data.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent at any time, where we rely on your consent (this does not affect processing carried out before you withdrew).
- Lodge a complaint with a data protection supervisory authority in your country.
To exercise any of these rights, email privacy@nabu.science. You can also export your data or delete your account directly from the data tools in your account settings.
Automated processing
Nabu’s evaluations are generated by large language models (LLMs) that read a paper and apply a structured rubric, then record their reasoning. These evaluations are not solely-automated decisions that produce legal or similarly significant effects about you. If you would like to discuss any evaluation output, a human at Nabu can review it and talk it through with you — just email privacy@nabu.science.
No-train commitment
We treat the papers you upload as yours. Specifically:
- We do not train AI models on the papers you upload.
- We do not sell paper content to third parties.
- We do not redistribute uploaded PDFs.
- We do not provide an API that returns paper text.
- We do not let anyone download another user’s original PDF.