RefScout

Privacy Policy

Last updated: 2026-07-05. This document describes RefScout as it currently operates during its friendly pilot phase and will be updated as features change.

Short version: We collect only what is needed to run the service. We do not sell your data and we do not use your content to train AI models. Manuscript text you submit for analysis is sent to Anthropic (Claude) to process your request and is not stored by us afterwards.

Data controller: Insectivora Oy, the operator of RefScout. Business ID (Y-tunnus): 3482079-5. Registered address: Nikinväylä 38 C 10, 33580 Tampere, Finland. Privacy contact: roman.v.glazkov@gmail.com (interim address — this will change to privacy@refscout.app once the refscout.app domain cutover completes).

1. Who we are

RefScout is an academic source-discovery tool that helps researchers find and cite real papers. The data controller responsible for your personal data is Insectivora Oy (see the controller box above). "We", "us" and "our" refer to Insectivora Oy operating RefScout. For any privacy question or request, contact roman.v.glazkov@gmail.com (interim contact until privacy@refscout.app goes live with the domain cutover).

2. What data we collect

3. What we do NOT store

4. Why we process your data, and the legal basis

PurposeLegal basis (GDPR Art. 6)
Create your account and authenticate youPerformance of a contract — Art. 6(1)(b)
Run Scout / Cite / BibCheck / PreSubmit, including sending manuscript text you submit to Anthropic for processing and search terms to academic databasesPerformance of a contract — Art. 6(1)(b)
Save your library, tags and notesPerformance of a contract — Art. 6(1)(b)
Enforce fair-use limits and prevent abuse of the service and third-party APIs; keep security logsLegitimate interests — Art. 6(1)(f)
Product analytics and product-improvement processingConsent — Art. 6(1)(a) (only if you opt in; withdraw any time)
Optional profile fields (discipline, institution, etc.)Consent — Art. 6(1)(a)
Process payments (when a paid plan is active — currently disabled)Performance of a contract — Art. 6(1)(b)

5. Who we share data with

We do not sell your data. We share it only with the providers needed to run RefScout:

6. International transfers

Some providers process data in the United States. Where we transfer personal data outside the EU/EEA, we rely on an appropriate safeguard:

These transfer mechanisms are re-verified periodically, as certifications can change.

7. How long we keep data

These periods are our current defaults for the pilot and may be adjusted as the service matures.

8. Your rights

If you are in the EU/EEA you have the right to:

How to exercise these rights. Email roman.v.glazkov@gmail.com (interim contact until privacy@refscout.app goes live), preferably from the email address on your account. Requests are handled manually (we do not yet offer an automated self-service tool) and completed within 30 days. Account and data deletion (profile, saved papers, collections, search history, usage records) works the same way.

9. Right to complain

If you believe we have handled your data unlawfully, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Finnish supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi.

10. Is providing data required?

An email address and a sign-in identity are required to create an account and use the parts of RefScout that need an account — without them we cannot provide those features. Optional profile fields and analytics consent are entirely voluntary and not required to use the service.

11. Automated decision-making

RefScout's outputs — BibCheck, PreSubmit, Cite (and, if enabled, Verify) results — are academic writing aids. They are suggestions and checks to help you, not automated decisions that produce legal or similarly significant effects about you. GDPR Article 22 (automated individual decision-making) does not apply. You remain responsible for verifying results before relying on them.

12. Security

Passwords are hashed with bcrypt. Sessions/JWTs are signed with a server-side secret. All traffic uses HTTPS. Payments, when active, are handled entirely by Stripe's PCI-compliant infrastructure.

13. Changes to this policy

We may update this policy as the service changes. Significant changes will be communicated to registered users. The "Last updated" date at the top reflects the most recent revision.