Privacy Policy
Last updated May 25, 2026
This Privacy Notice for Lucas Flinders ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Visit our website at https://zerocite.com or any website of ours that links to this Privacy Notice.
- Engage with us in other related ways.
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, contact us at support@zerocite.com.
Summary of Key Points
This summary highlights the main points of our Privacy Notice. The full notice follows the table of contents below.
What personal information do we process? When you use ZeroCite, we process information depending on how you interact with us — primarily your email address, password (stored as a one-way hash), and session/authentication data. Learn more in What information do we collect.
Do we process any sensitive personal information? No. We do not collect or process sensitive personal information (such as health, biometric, racial, religious, or political data).
Do we collect any information from third parties? Yes. If you sign in with Google, we receive your email address from Google. If you subscribe, we receive subscription metadata from Stripe. We do not buy data from brokers or marketing partners.
How do we process your information? We process your information to provide and improve our Services, authenticate you, send transactional emails (like sign-in links), process payments, perform AI-assisted citation matching on the text you submit, prevent abuse, and comply with law. Learn more in How we process your information.
When and with whom do we share personal information? We share information with a small set of service providers we rely on to operate ZeroCite: Stripe (payments), Anthropic and Google (AI processing), Resend (email delivery), Render (hosting), and Termly (this privacy policy). Learn more in Who we share with.
How do we keep your information safe? We use industry-standard measures including HTTPS, password hashing (PBKDF2), hashed authentication tokens, session expiration, and rate limiting. No system is 100% secure, but we take reasonable steps to protect your data. Learn more in How we keep your information safe.
What are your rights? Depending on where you live, you may have rights to access, correct, delete, or port your data, and to object to certain processing. Learn more in Your privacy rights.
How do you exercise your rights? Email us at support@zerocite.com. We will consider and act on requests in accordance with applicable data protection laws.
- What information do we collect?
- How do we process your information?
- What legal bases do we rely on?
- When and with whom do we share your information?
- Do we use cookies and other tracking technologies?
- Do we offer AI-based products?
- How do we handle your social logins?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for Do-Not-Track features
- Do U.S. residents have specific privacy rights?
- Do other regions have specific privacy rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update, or delete your data?
1. What information do we collect?
Personal information you disclose to us
We collect personal information that you voluntarily provide when you register on the Services, express interest in our products, participate in activities on the Services, or contact us.
Personal information you provide includes:
- Email address
- Password (stored as a one-way hash; we never see your plaintext password)
- Authentication data (session tokens, magic-link tokens) — also hashed before storage
Sensitive Information. We do not process sensitive personal information.
Payment Data. If you choose to subscribe, payment processing is handled entirely by Stripe. You enter your payment information directly on Stripe's hosted checkout page. We do not see, collect, or store your full card number, CVV, or billing address. We receive only metadata from Stripe such as your subscription status, customer ID, and the email address you provided at checkout. Your payment information is subject to Stripe's privacy policy and security practices.
Social Login Data. You may register or log in using your Google account. If you do, we receive your email address and email verification status from Google. We do not store any other profile data Google may return. See How do we handle your social logins? below.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.
Information automatically collected
We automatically collect certain information when you visit, use, or navigate the Services. This information does not directly reveal your identity but is needed to operate the Services, prevent abuse, and understand usage patterns. It includes:
- Log and usage data. Service-related, diagnostic, usage, and performance information. This may include your IP address, browser type and settings, device information, the date and time of your activity, pages and features used, errors encountered, and other interactions with the Services. We log this primarily to maintain security (rate limiting, abuse prevention) and for our internal analytics.
- Cookies and similar technologies. Strictly necessary cookies used to keep you signed in (recite-session) and to protect the Google sign-in flow against CSRF (recite-oauth-state). We do not use analytics, advertising, or marketing cookies.
Google API services
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Information collected from other sources
When you sign in using your Google account, Google sends us your verified email address. When you subscribe through Stripe, Stripe sends us subscription metadata (customer ID, subscription ID, status) and the email address you provided at checkout. We do not receive or store other profile data, friend lists, or demographic information from these sources.
2. How do we process your information?
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication. So you can create an account, sign in, and keep your account in working order.
- To deliver and facilitate the delivery of services. To provide the citation-finding service you requested.
- To send administrative information. To send you transactional sign-in emails, notify you about changes to our terms and policies, and other operational information.
- To fulfill and manage your subscription. To process payments, manage subscriptions, handle cancellations, and apply the right access tier (free trial, promo, or Pro).
- To process the text you submit through our AI providers (Anthropic and Google). The substance of ZeroCite is AI-powered citation matching — see Section 6 below for the specific disclosure on how submitted text is processed.
- To enforce free-trial limits and prevent abuse. We track the number of scans per account against the trial allotment and rate-limit requests by IP address to ensure fair access and prevent automated abuse of the free trial.
- To monitor and account for API usage costs. We log token counts and approximate costs per user when forwarding requests to our AI providers, so we can track service costs and enforce monthly usage caps for promotional accounts.
- To identify usage trends. We may analyze how the Services are used so we can improve them.
- To protect our Services. Fraud monitoring and prevention, including verifying webhook signatures, checking request origins, and validating session and scan tokens.
- To save or protect an individual's vital interest. Where necessary to prevent harm.
3. What legal bases do we rely on to process your information?
If you are located in the EU or UK, this section applies to you.
The GDPR and UK GDPR require us to explain the valid legal bases we rely on. We may rely on the following:
- Consent. Where you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
- Performance of a contract. When processing is necessary to fulfill our contractual obligations to you — for example, to provide the citation-finding service, authenticate you, or process your subscription.
- Legitimate interests. When we believe processing is reasonably necessary to achieve our legitimate business interests and those interests do not override your rights. Examples for ZeroCite include:
- Analyzing how the Services are used so we can improve them.
- Diagnosing problems and preventing fraudulent activities.
- Ensuring fair access across all users and preventing automated abuse of the free trial.
- Tracking service costs, enforcing monthly usage caps for promotional accounts, and ensuring the long-term sustainability of the service.
- Legal obligations. Where necessary to comply with our legal obligations, cooperate with law enforcement, or defend our legal rights.
- Vital interests. Where necessary to protect your or another person's vital interests, such as to prevent harm.
If you are located in Canada, this section applies to you.
We may process your information if you have given us specific permission (express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time. In limited situations defined by Canadian law, we may process information without consent — for example, for fraud detection, to comply with a subpoena or court order, or where the information is publicly available and specified by regulation.
4. When and with whom do we share your personal information?
Vendors and service providers. We share data with third-party service providers that perform services for us or on our behalf and require access to such information to do that work. We have data processing agreements in place with these providers, and they may not use your personal information for purposes other than those we've instructed.
The third parties we share personal information with are:
- AI service providers: Anthropic (Claude) and Google (Gemini / Google AI). Receive the text you submit for citation matching plus minimal request metadata. See Section 6 for details.
- Authentication providers: Google (Sign-In with Google). If you choose to sign in via Google, your Google account is the third party that authenticates you.
- Payment processor: Stripe. Receives payment information directly from you on Stripe's hosted checkout and sends us subscription metadata.
- Email delivery: Resend. Receives your email address and the magic-link URL to deliver sign-in emails.
- Hosting: Render. Hosts our application servers and database where account data is stored.
- Privacy policy hosting: Termly. Generated and hosts the underlying templates for this privacy policy.
- Academic search APIs: Semantic Scholar, OpenAlex, CrossRef, PubMed (NCBI), and arXiv. Receive search queries derived from your submitted text. These are public academic databases.
We may also need to share your personal information in the following situations:
- Business transfers. In connection with, or during negotiations of, any merger, sale of assets, financing, or acquisition of all or part of our business.
5. Do we use cookies and other tracking technologies?
We use cookies and similar tracking technologies (such as web beacons and pixels) only where strictly necessary to operate our Services. Specifically:
- recite-session: keeps you signed in. Expires 30 days after issuance. HttpOnly, SameSite=Lax, and Secure in production.
- recite-oauth-state: CSRF protection during the Google sign-in flow. Expires after 10 minutes.
We do not use cookies for advertising, retargeting, behavioral profiling, or third-party analytics. We do not embed Facebook, X, or other social media plugins.
Most web browsers are set to accept cookies by default. You can usually choose to remove or reject cookies in your browser settings. If you reject our strictly necessary cookies, you will not be able to sign in or use the Services.
6. Do we offer artificial intelligence-based products?
ZeroCite offers AI-powered citation matching as its primary feature ("AI Products"). The terms in this Privacy Notice govern your use of the AI Products.
Use of AI technologies
We provide the AI Products through third-party service providers ("AI Service Providers"), specifically Anthropic (Claude) and Google (Gemini / Google AI). When you use ZeroCite to find citations, the text you submit — including the claims you mark with [src] and the surrounding context — is sent to these AI providers to identify candidate sources.
Important transparency notes about each provider:
- Anthropic states that it does not use API submissions to train its models. See Anthropic's privacy policy.
- Google AI Studio (the free tier of Google's Gemini API) may use your submissions to improve their services. See Google's Gemini API terms.
- Do not submit confidential, classified, or unpublished work you do not want sent to these AI providers. Once submitted, the text is processed by external systems under those providers' policies.
Our AI Products
Our AI Products are designed for the following functions:
- Text analysis (interpreting the meaning of each claim)
- Natural language processing
- Search query generation and source ranking
How we process your data using AI
The text you submit is forwarded to the selected AI Service Provider, processed for citation-matching purposes, and the response (ranked candidate papers) is returned to your browser. Submitted text is not permanently stored on our servers after the response is returned. We do retain operational metadata about each request (timestamps, approximate token counts, cost in cents) for the purpose of usage accounting and abuse prevention.
How to opt out
The AI processing described above is fundamental to ZeroCite — there is no version of the service that does not send your submitted text to an AI provider. If you do not want your text processed by these providers, do not submit it. You can also request deletion of your account and associated data by contacting us at support@zerocite.com.
7. How do we handle your social logins?
You may register or sign in to ZeroCite using your Google account. When you choose this option, Google sends us your verified email address and an email verification flag. While Google's userinfo endpoint also returns fields like your display name and profile picture, we discard those fields and store only your email address.
Our use of your Google sign-in is limited to authentication. We do not control, and are not responsible for, other uses of your personal information by Google. We recommend reviewing Google's privacy policy to understand how they collect, use, and share your information.
8. Is your information transferred internationally?
Our servers are located in the United States. Most of our service providers (Stripe, Anthropic, Google, Resend, Render, the academic search APIs) are also located in the United States. Some, such as Google and Stripe, have operations in multiple regions including the European Economic Area.
If you are a resident of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, please be aware that these countries may not necessarily have data protection laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.
European Commission's Standard Contractual Clauses
We have implemented measures to protect your personal information, including by relying on the European Commission's Standard Contractual Clauses (SCCs) for transfers of personal information between us and our third-party providers. These clauses require all recipients to protect personal information originating from the EEA or UK in accordance with European data protection laws. The SCCs are incorporated into our data processing agreements with each provider, and copies can be provided on request.
9. How long do we keep your information?
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). Specifically:
- Account information (email, password hash, subscription status): retained for as long as your account is active. If you request deletion, we remove this within 30 days.
- Session tokens: automatically expire 30 days after issuance.
- Magic-link sign-in tokens: automatically expire 15 minutes after issuance and are single-use.
- Scan tokens: automatically expire 30 minutes after issuance.
- Usage logs and analytics events: retained for as long as your account is active for service-improvement and abuse-prevention purposes.
- Billing records: retained for up to 7 years to comply with U.S. tax and accounting requirements.
- Submitted text (claims sent to AI providers): processed in real time and not retained on our servers after the response is returned.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example because the information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.
10. How do we keep your information safe?
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These include encryption of data in transit (HTTPS/TLS), secure password storage using industry-standard hashing algorithms (PBKDF2 with 200,000 iterations of SHA-256), one-way hashed authentication tokens, session expiration, rate limiting, and secure infrastructure hosting on Render. Payment data is handled entirely by Stripe and never stored on our servers.
However, despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment, and you are responsible for keeping your password confidential.
11. Do we collect information from minors?
We do not knowingly collect, solicit data from, or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 (or the equivalent age in your jurisdiction) or that you are the parent or guardian of such a minor and consent to the minor's use of the Services. If we learn that personal information from a user under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from a child under 18, please contact us at support@zerocite.com.
12. What are your privacy rights?
In some regions (such as the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right to: (i) request access and obtain a copy of your personal information; (ii) request rectification or erasure; (iii) restrict the processing of your personal information; (iv) where applicable, data portability; and (v) not be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information.
To exercise any of these rights, email us at support@zerocite.com. We will consider and act upon any request in accordance with applicable data protection laws.
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or the UK data protection authority.
If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
Withdrawing your consent
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at support@zerocite.com. Please note that withdrawal of consent does not affect the lawfulness of processing before its withdrawal, and does not affect processing carried out under lawful bases other than consent.
Account information
If you would like to review, change, or delete the information in your account, or terminate your account, please email us at support@zerocite.com with your request. Upon receiving your request, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and comply with applicable legal requirements.
Cookies and similar technologies
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies. If you choose to remove or reject the cookies we use, you may not be able to sign in or use the Services.
13. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature you can activate to signal your preference not to have your online activity monitored. No uniform technology standard for recognizing and implementing DNT signals has been finalized. We do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will inform you in a revised version of this Privacy Notice.
14. Do U.S. residents have specific privacy rights?
Categories of personal information we collect
The table below shows the categories of personal information we have collected in the past twelve (12) months.
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Email address, IP address, account name | YES |
| B. Personal information from California Customer Records statute | Name, contact info, education, employment, financial info | NO |
| C. Protected classification characteristics | Gender, age, race, ethnicity, marital status | NO |
| D. Commercial information | Subscription status, billing records | YES |
| E. Biometric information | Fingerprints, voiceprints | NO |
| F. Internet or similar network activity | Pageviews, scan events, session activity | YES |
| G. Geolocation data | Precise device location | NO |
| H. Audio, electronic, sensory information | Recordings, images | NO |
| I. Professional or employment-related information | Job title, work history | NO |
| J. Education information | Student records | NO |
| K. Inferences drawn from collected information | Profile of preferences and characteristics | NO |
| L. Sensitive personal information | Health, biometric, racial, religious, political data | NO |
We retain personal information for the purposes described above for as long as your account is active. See How long do we keep your information? for full details.
Sources of personal information
Learn more about the sources of personal information we collect in What information do we collect?
How we use and share personal information
Learn more about how we use your personal information in How do we process your information?
Will your information be shared with anyone else? We may disclose your personal information to our service providers pursuant to a written contract between us and each service provider. See When and with whom do we share your personal information?
We have not sold any personal information to, or shared any personal information with, third parties for a business or commercial purpose in the preceding twelve (12) months. We have disclosed the following categories of personal information to service providers for a business or commercial purpose:
- Category A. Identifiers
- Category D. Commercial information
- Category F. Internet or other electronic network activity information
The categories of third parties to whom we disclosed personal information for a business or commercial purpose are listed under When and with whom do we share your personal information?
Your rights
You may have the following rights under applicable U.S. state data protection laws (rights vary by state):
- Right to know whether or not we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request the deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of targeted advertising, the sale of personal data, or profiling that produces legal or significant effects (note: we do not do any of these)
How to exercise your rights
To exercise these rights, email us at support@zerocite.com. Under certain U.S. state laws, you can designate an authorized agent to make a request on your behalf. We may require written proof of authorization.
Request verification
Upon receiving your request, we will need to verify your identity. We will only use personal information provided in your request to verify your identity or the requester's authority. If we cannot verify your identity from the information already maintained by us, we may request additional information for verification purposes.
Appeals
Under certain U.S. state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at support@zerocite.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.
California "Shine the Light" Law
California Civil Code Section 1798.83 ("Shine the Light") permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for those third parties' direct marketing purposes. ZeroCite does not disclose personal information to third parties for their direct marketing purposes. If you are a California resident and would like to make such a request, email us at support@zerocite.com.
15. Do other regions have specific privacy rights?
Australia and New Zealand
We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. This Privacy Notice satisfies the notice requirements defined in both Privacy Acts. At any time, you have the right to request access to or correction of your personal information by contacting us at support@zerocite.com. If you believe we are unlawfully processing your personal information, you have the right to submit a complaint to the Office of the Australian Information Commissioner or the Office of New Zealand Privacy Commissioner.
Republic of South Africa
You have the right to request access to or correction of your personal information at any time by contacting us at support@zerocite.com. If you are unsatisfied with the manner in which we address any complaint regarding our processing of personal information, you can contact the Information Regulator (South Africa). General enquiries: enquiries@inforegulator.org.za. POPIA complaints: POPIAComplaints@inforegulator.org.za.
16. Do we make updates to this notice?
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes, we may notify you by prominently posting a notice or by sending you a direct notification. We encourage you to review this Privacy Notice frequently.
17. How can you contact us about this notice?
If you have questions or comments about this notice, email us at support@zerocite.com or contact us by post at:
Lucas Flinders
2293 Neil Ave
Columbus, OH 43201
United States
18. How can you review, update, or delete the data we collect from you?
Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.
To request to review, update, or delete your personal information, email us at support@zerocite.com.