Privacy Policy
Last updated 14 May 2026
1. Who We Are
Explore Science Pty Ltd (“Company”, “we”, “us”, “our”) operates the paper-wizard site and web application, accessible from https://paper-wizard.com (“Service”, “Website”).
Contact: support@paper-wizard.com
Data Protection Officer: dpo@paper-wizard.com
2. What Data We Collect (Data Minimisation Principle)
We collect only the minimum data necessary to provide our Service:
| Category | Details |
|---|---|
| Account Data | Email (required), display name |
| Authentication | Hashed password or OAuth token |
| Profile Data | Academic role, field of study, and usage goals (optional, collected during onboarding) |
| Document Data | User-uploaded research articles and any metadata you supply |
| Review & Chat Data | AI-generated reviews and any follow-up messages you send via the review chat |
| Payment Data | Billing email, name, and payment method (processed by Stripe; we store only the Stripe customer identifier) |
| Usage Data | IP (short-lived), browser type/version, interaction events, and referral/attribution parameters |
| Cookies | Strictly necessary cookies; analytics cookies for registered users |
We do NOT collect demographic or advertising-ID data.
3. Why & How We Use Your Data (Lawful Bases)
| Purpose | Data | GDPR Basis |
|---|---|---|
| Provide and secure the service | Account, Profile, Document, Review & Chat | Contract Art 6(1)(b) |
| Process payments | Payment | Contract Art 6(1)(b) |
| Quality, safety & fraud prevention | Review, Usage | Legitimate interests Art 6(1)(f) |
| Product improvement & analytics | Usage, Profile | Legitimate interests Art 6(1)(f) |
| Optional marketing emails | Account | Consent Art 6(1)(a) |
Definitions
- “Account” means a unique account created for You to access our Service
- “Personal Data” is any information that relates to an identified or identifiable individual
- “You” means the individual accessing or using the Service
4. International Transfers
Storage regions: Central United States and Southeast Australia
AI Processing Providers:
- OpenAI (United States) - DPF participant
- Anthropic (United States) - SCCs with supplementary measures
- Google AI (United States) - DPF participant
- Mistral AI (France/EEA) - No transfer, EEA-based
- X AI (United States) - SCCs with supplementary measures
Other Service Providers:
- Customer.io (EEA) - Email & in-app messaging, no transfer required
- Stripe (United States) - Payment processing, DPF participant
- PostHog (United States) - Analytics, DPF participant
- Google Tag Manager / Google Analytics (United States) - Website analytics, DPF participant
Transfer safeguards:
- United States: DPF or SCCs 2021 with supplementary encryption and access controls
- Australia: SCCs 2021 plus the same supplementary safeguards
- All providers: Data is encrypted in transit, processed with minimal retention, and subject to strict DPAs
You may obtain a copy of the relevant SCCs by emailing dpo@paper-wizard.com.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to these transfers. We ensure adequate controls are in place including the security of Your data and other personal information.
5. Retention
- Uploads & reviews: removed from your workspace on user command; remaining workspace data is purged within 90 days of account closure
- Chat messages: retained while the associated document exists; deleted with the document
- Usage/analytics events: 18 months
- Payment records: retained as required by tax and accounting law (typically 7 years)
6. Your Rights
Under GDPR, you have the following rights:
- Access to your personal data
- Correction of inaccurate data
- Erasure (“right to be forgotten”)
- Restriction of processing
- Data portability
- Objection to processing
- Right not to be subject to automated decision-making with legal effects
Exercise your rights via dpo@paper-wizard.com
7. Security Measures
We implement the following security measures:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest
- Token-based authentication with revocation checking and role-based access control
- Staff two-factor authentication and GDPR training
- Structured audit logging on all data access and administrative operations
Your content is never used to train, fine-tune, or improve any AI model. This is a contractual term of every provider's commercial API, not a toggle, and is mirrored in our Terms of Service (§6.3). We use providers' commercial and enterprise API tiers; your content is never routed through consumer products.
Providers may briefly retain processed content (up to 30 days) for automated safety and abuse monitoring under their standard API terms. This retention is segregated from any training or model-development system, and content is discarded at the end of the window.
While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
8. Data Breach Notification
We notify the competent supervisory authority within 72 hours of discovering a personal-data breach and affected users without undue delay, unless strong encryption renders risk unlikely.
9. Children
Our Service is not directed to children under 18; we do not knowingly collect their data. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.
10. Third-Party Processors
All processors are bound by Data Processing Agreements (DPAs). AI providers operate under commercial / enterprise API contracts: no training on your content, with a brief automated safety-retention window (up to 30 days) under their standard terms, segregated from training systems.
AI Providers:
- OpenAI (United States)
- Anthropic (United States)
- Google AI Gemini (United States)
- Mistral AI (France)
- X AI (United States)
Other Service Providers:
- Customer.io (EEA) - Email communications and in-app messaging
- Stripe (United States) - Payment processing
- PostHog (United States) - Analytics and usage tracking
- Google Tag Manager / Google Analytics (United States) - Website analytics
Business Transfers
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Legal Requirements
The Company may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities.
11. Changes to This Policy
Updates are published on this page. The “Last updated” date above reflects the most recent revision. We recommend reviewing this page periodically.
12. Cookie Management
You can manage cookie preferences through your browser settings. Strictly necessary cookies cannot be disabled. We do not use third-party advertising cookies.
13. Data Portability
On request, and where required under GDPR or equivalent law, we will provide your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), including account information, document metadata, AI-generated reviews, and chat transcripts. Requests can be made from your account settings or by emailing dpo@paper-wizard.com.
14. Contact
Questions: support@paper-wizard.com
Data Protection Officer: dpo@paper-wizard.com
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.