Privacy Policy

Pre-launch beta

This Privacy Policy describes how SciMatch processes personal data during its beta phase. It will be reviewed jointly with the Data Protection Officer of Wrocław University of Science and Technology and complemented with a binding Polish-language version before the full public launch on scimatch.pwr.edu.pl.

1. Who is responsible for your data

The controller of personal data processed through SciMatch (the "Service") is Wrocław University of Science and Technology (Politechnika Wrocławska), ul. Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland (the "Controller").

You can reach the SciMatch team through our contact form. The Data Protection Officer (Inspektor Ochrony Danych) of the University can be contacted at IOD@pwr.edu.pl for any matter concerning the processing of your personal data.

2. Scope of this policy

This policy covers personal data processed through the SciMatch web application and its supporting APIs. It does not cover third-party websites you may reach through outbound links (for example a researcher's ORCID page, OpenAlex, or an institutional homepage), which operate under their own privacy terms.

3. What we collect and why

We process the following categories of personal data:

Account data

Email address, hashed password, sign-up timestamp, last sign-in time, and authentication metadata.

Purpose: creating and securing your account, authenticating you, restricting sign-ups to permitted email domains. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Search activity

Search queries you submit, the filters and search mode you apply, the researchers returned to you and their ranks, and the timestamp of each search. When you are signed in, these events are linked to your user identifier; for signed-out visitors they are stored without a user identifier.

Purpose: operating the search service, monitoring quality, debugging, evaluating ranking changes, building aggregate analytics, and improving the platform. Legal basis: our legitimate interest in operating and improving the Service (Art. 6(1)(f) GDPR).

AI assistant conversations

Messages you exchange with the AI assistant, the resulting responses, and conversation metadata (titles, timestamps).

Purpose: answering your questions and preserving your chat history so you can return to it. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Uploaded documents and derived metadata

Documents you upload for analysis (e.g. PDFs, project briefs), their extracted text, and AI-derived metadata such as topics, keywords, document type and detected language.

Purpose: performing the document analysis feature, caching results so the same file does not need to be re-analyzed, and suggesting relevant researchers. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Please do not upload documents containing personal data of third parties unless you have a lawful basis to do so.

Collections, notes and preferences

Researcher lists you create, their names, colors and saved researchers; UI preferences stored under your account.

Purpose: providing personalised features. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Technical and security data

IP address, browser user agent, HTTP request metadata (endpoint, status code, timing), authentication and error logs.

Purpose: operating the Service, abuse prevention, rate limiting, debugging and security investigations. Legal basis: our legitimate interest in providing a secure and reliable Service (Art. 6(1)(f) GDPR); where required, performance of a legal obligation (Art. 6(1)(c) GDPR).

Publicly sourced researcher data

Names, affiliations, ORCID/OpenAlex identifiers, publication lists, citation counts, publicly observed email addresses from institutional pages (shown only to authenticated users), and similar academic metadata aggregated from public sources such as OpenAlex, institutional pages and, where licensed, Scopus.

Purpose: providing the research-discovery functionality that is the substance of the Service. Legal basis: our legitimate interest in supporting research and collaboration within the academic community (Art. 6(1)(f) GDPR). Researchers may exercise the right to object — see Section 9.

4. Who processes data on our behalf

We rely on the following categories of trusted service providers (processors), each bound by a written data-processing agreement:

• Supabase — managed authentication, PostgreSQL database and file storage.
• Hosting providers — application hosting and content delivery for the SciMatch web application and API (web frontend and backend API host).
• Hugging Face — managed inference endpoint that produces vector embeddings for search queries. Queries are forwarded to compute the embedding and are not retained by the provider for training.
• AI model providers (OpenAI, Anthropic) — processing of prompts and uploaded documents to generate AI responses and metadata. Content sent to these providers is limited to what is necessary to fulfil your request, and the providers are contractually prevented from using it to train their models.
• Email delivery — for transactional messages such as sign-up confirmation, password reset and security notices.
• Error monitoring (Sentry) — receives stack traces and request metadata when the Service encounters an error, to help us diagnose and fix issues. Personal data is filtered out of these reports where reasonably possible.

We do not sell personal data and do not share it for advertising purposes.

5. Transfers outside the EEA

Some of our processors (notably AI model providers) are established in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under Chapter V of the GDPR, including certification under the EU–US Data Privacy Framework and, where applicable, the European Commission's Standard Contractual Clauses. You may request a copy of these safeguards from the Data Protection Officer.

6. How long we keep data

• Account data: for the lifetime of your account, and then deleted within 30 days of account deletion, except where retention is required by law.
• Search activity: retained for up to 24 months for analytics and quality evaluation, after which entries are either deleted or aggregated into non-identifiable form. On account deletion the user identifier is removed from past search records.
• AI conversations and uploaded documents: retained for as long as your account is active, or until you delete them through the application.
• Technical and security logs: typically retained for up to 90 days, longer if needed to investigate an incident.
• Researcher database content: kept and refreshed for the lifetime of the Service; subject to correction or removal on request (Section 9).

7. Cookies and local storage

SciMatch uses only strictly necessary cookies and local-storage entries required to keep you signed in and to remember interface preferences (for example, a cached snapshot of the homepage statistics). We do not use third-party advertising or tracking cookies. Because these technologies are strictly necessary for the Service to function, they do not require consent under Article 173 of the Polish Telecommunications Act.

8. AI processing and automated decisions

The Service uses search-ranking models and large language models to surface relevant researchers and to generate textual answers. These features are decision-support tools: the rankings and responses they produce do not have legal or similarly significant effects on individuals within the meaning of Article 22 GDPR, and no automated decision is made about you on the basis of these outputs alone. Outputs may be inaccurate and should always be verified before being used in any consequential decision.

9. Your rights

Under the GDPR you have the right to:

• access your personal data and obtain a copy (Art. 15),
• request rectification of inaccurate or incomplete data (Art. 16),
• request erasure of your data (Art. 17),
• request restriction of processing (Art. 18),
• data portability for data you provided to us and that we process by automated means (Art. 20),
• object to processing carried out on the basis of our legitimate interest, including objection to your researcher profile being displayed (Art. 21),
• withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing (Art. 7(3)),
• lodge a complaint with the Polish supervisory authority: President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

To exercise your rights, contact us through the contact form or email the Data Protection Officer at IOD@pwr.edu.pl. We will respond within one month, with the possibility of extension for complex requests as permitted by Art. 12(3) GDPR.

10. Researchers featured in the database

If you are a researcher whose publicly available academic profile appears in SciMatch and you would like your entry corrected or removed, you may exercise your right to object or to erasure at any time. Send a request through the contact form or to IOD@pwr.edu.pl and we will action it without undue delay.

11. Is providing data mandatory?

Providing your email address is necessary to create an account and use account-based features. Providing search queries, AI messages or documents is voluntary, but the relevant features cannot operate without that input.

12. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit, row-level access controls in the database, restricted administrative access, audit logging and regular security review. No system can be guaranteed absolutely secure; please report any vulnerability through the contact form.

13. Children

SciMatch is not directed at children under the age of 16 and we do not knowingly collect their personal data. If you believe a minor has provided personal data to the Service, please contact us so we can delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. The version currently in force, together with its effective date, is always published at this URL. Material changes will be communicated through the Service or by email to registered users.

See also our Terms of Service.