Privacy Policy

Information you provide directly. When you create an account, subscribe, or contact us, we collect information such as your name, email address, billing information (processed by our payment processor — we do not store full card numbers), organization name, and any other details you choose to provide.

Research content. We collect the research objectives, queries, custom corpora, documents, and other materials ("User Content") you submit when using the Service. This content is processed to generate reports and is stored to maintain your history and allow exports.

BYOK credentials. If you use the Bring Your Own Keys (BYOK) feature, we collect the API keys you supply. These are encrypted at rest, never logged in plaintext, and used only to route your model calls to the third-party provider you designate.

Usage and log data. We automatically collect information about how you interact with the Service, including IP address, browser and device type, operating system, referring URL, pages viewed, features used, run identifiers, timestamps, and error logs.

Cookies and similar technologies. We use session cookies, persistent cookies, and similar tracking technologies to authenticate you, remember your preferences, and gather analytics. You can configure your browser to refuse cookies, but some features may not function correctly if you do.

We use the information we collect to:

• Provide, operate, and improve the Service;
• Process transactions and send related invoices and receipts;
• Authenticate you and secure your account;
• Respond to your support requests and inquiries;
• Send product and service communications (you may opt out of marketing emails at any time);
• Monitor usage for abuse prevention, rate limiting, and platform security;
• Conduct analytics and research to understand usage patterns and improve model performance — using only anonymized or aggregated data;
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information or User Content to third parties.

We do not use identifiable User Content (your research queries or report text) to train or fine-tune AI models without your explicit opt-in consent.

If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are:

• Contract performance — processing necessary to provide the Service to you under our Terms of Service;
• Legitimate interests — fraud prevention, security monitoring, product improvement using anonymized analytics, and other interests that do not override your rights;
• Legal obligation — compliance with applicable laws;
• Consent — where we ask for it, such as for optional marketing communications or AI-model improvement programs.

We may share your information with:

Service providers. We engage third-party vendors to help operate the Service (e.g., cloud infrastructure, payment processing, email delivery, error monitoring, analytics). These parties access personal information only as needed to perform their functions and are contractually required to protect it.

AI model providers. When you submit a research query, the query text is sent to one or more AI inference providers (e.g., OpenRouter, Hugging Face, Together.ai) to generate report content. Only the content necessary for inference is transmitted; it is subject to those providers' own data-handling terms.

Business transfers. If the Company is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your personal information becomes subject to a different privacy policy.

Legal and safety disclosures. We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not share personal information with advertisers or data brokers.

ResearchOne is a research-report generation and monitoring service, not a general-purpose file storage or document hosting platform. Temporary workspaces may include uploaded files, extracted text, discovered source snapshots, chunks, embeddings, and intermediate research artifacts.

Unless a report is enrolled as an active Living Report or governed by a separate enterprise agreement, temporary workspace data is ordinarily purged within 30 days after report finalization. Failed or cancelled research runs have their workspace data purged within 14 days. Temporary upload staging data is purged within 72 hours.

Final report outputs (report text, sections, executive summary, citations) are ordinarily retained for 120 days after finalization so you may view, export, or delete them. We will make reasonable efforts to notify you before report content is scheduled for deletion.

Living Reports retain the source set, monitoring configuration, revision history, and related workspace data while the Living Report subscription remains active. If a Living Report subscription is cancelled or payment fails, workspace data enters a 30-day grace period before purge. The final report output remains available for the standard 120-day retention period from finalization or cancellation.

Sovereign and enterprise customers may define custom retention, deletion, and isolation terms by contract.

We retain your account information for as long as your account is active and for a reasonable period thereafter to allow you to reactivate, comply with legal obligations, resolve disputes, and enforce agreements. Billing records, subscription metadata, wallet ledger entries, and security audit logs are retained as required by law and are not deleted as part of workspace or report cleanup.

Anonymized, aggregated analytics data may be retained indefinitely as it cannot reasonably be used to identify you.

You may request deletion of your personal data at any time (see Section 8). Backup copies may persist for up to 30 additional days before being overwritten by routine retention cycles.

We implement industry-standard technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Encryption of BYOK credentials with keys stored separately from data;
• Per-user row-level isolation on shared infrastructure;
• Access controls limiting employee access to personal data on a need-to-know basis;
• Periodic security reviews and dependency audits.

No security system is impenetrable. If you discover a vulnerability, please report it responsibly to security@researchone.io.

Our servers are located in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in a country with different data-protection laws than your own.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or the UK equivalent, or other lawful transfer mechanisms as applicable.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you;
• Correction — request that inaccurate or incomplete information be corrected;
• Deletion — request that your personal information be deleted (subject to legal retention obligations);
• Restriction / objection — request that we restrict processing or object to processing based on legitimate interests;
• Portability — receive your data in a structured, machine-readable format;
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@researchone.io. We will respond within 30 days (or within any shorter period required by applicable law). We may need to verify your identity before acting on a request.

You may also export or delete your research data directly from account settings without contacting us.

Marketing emails. You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in the email or by contacting us. You will continue to receive transactional messages (e.g., receipts, security alerts).

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@researchone.io and we will delete it promptly.

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use.

If you are a California resident, you have the right to: know what personal information we collect, use, disclose, or sell; request deletion of your personal information; opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising); and not be discriminated against for exercising these rights.

To submit a CCPA request, contact us at privacy@researchone.io or via account settings. We will respond within 45 days.

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the effective date. For material changes, we will provide at least 14 days' advance notice via email or in-app notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Questions, concerns, or requests regarding this Privacy Policy should be directed to:

If you are located in the EEA or UK and believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local supervisory authority.