Privacy Notice
Last Updated: 24 April 2026
This Privacy Notice explains how EFEVRE TECH LTD ("EFEVRE TECH," "we," "us," or "our") collects, processes, and protects personal data through the BioSkepsis biomedical literature platform — accessible via bioskepsis.ai, app.bioskepsis.ai, related APIs, SDKs, plug-ins, and applications (collectively, the "Service"). It is issued under the General Data Protection Regulation (EU) 2016/679 (GDPR), the ePrivacy Directive 2002/58/EC, and Cyprus Law 125(I)/2018.
1. Data Controller and Contact
For all personal data processed through the Service — including account data, queries, uploaded documents, model outputs returned to you, billing information, and support correspondence — EFEVRE TECH LTD acts as the data controller within the meaning of Article 4(7) GDPR.
EFEVRE TECH LTD only acts as a data processor on your behalf where we have entered into a separate written Data Processing Agreement (e.g., for enterprise or institutional customers who upload personal data of their own data subjects). Absent a signed DPA, our default role is controller.
EFEVRE TECH LTD
Limited liability company incorporated in the Republic of Cyprus
Cyprus company registration no.: HE 384880
Registered office: 104 Kykliki Leoforos Street, 6056 Larnaca, Cyprus
Email: info@bioskepsis.ai
We have not appointed a Data Protection Officer because our processing does not meet the thresholds in Article 37(1) GDPR. Privacy enquiries should be sent to the email above. As an EU-established controller, we are not required to designate an Article 27 representative.
You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus): www.dataprotection.gov.cy · commissioner@dataprotection.gov.cy, or with the supervisory authority in your EU/EEA Member State of residence.
2. Categories of Data We Process
- Account information: name, email, organisation/affiliation, hashed credentials (managed by Clerk).
- Usage and device data: IP address, user-agent, browser type, device class, timestamps, page views, referrer, and basic technical logs.
- Search and query data: prompts, search terms, filters, uploaded documents, and the AI outputs returned to you. Stored under your account so you can revisit your history.
- Billing data: subscription tier, billing email, transaction identifiers, country, VAT details where applicable. Card and bank data are handled directly by Stripe; we do not store full card numbers.
- Support correspondence: the content of any messages you send us.
- Cookie and consent data: your cookie-consent choice and the resulting analytics/ad-measurement signals — see the Cookie Policy.
We do not request and do not knowingly collect special categories of personal data under Article 9 GDPR (e.g., health, biometric, or genetic data identifying a living individual). Do not upload such data unless you have a clear legal basis and a compelling need. If you do, you are solely responsible for that processing.
3. Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service (account, search, AI outputs, billing) | Contract — Art. 6(1)(b) |
| Authentication, security, fraud and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Service improvement using anonymised, aggregated metrics | Legitimate interest — Art. 6(1)(f) |
| Analytics and ad-measurement cookies | Consent — Art. 6(1)(a) and ePrivacy Art. 5(3) |
| Customer support and product communications | Contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) |
| Compliance with legal, tax, and accounting obligations | Legal obligation — Art. 6(1)(c) |
| Establishment, exercise, or defence of legal claims | Legitimate interest — Art. 6(1)(f) |
4. No Use of Your Content for Model Training
EFEVRE TECH LTD does not use your prompts, uploaded documents, AI outputs, or any other user-provided content to train, fine-tune, or evaluate our own or any third party's machine-learning models. We do not sell, license, or otherwise disclose your content for marketing, profiling, or AI-development purposes.
Anonymised, aggregated metrics that cannot reasonably be re-identified (e.g., feature usage rates, latency distributions) may be used to improve the Service.
5. Sub-Processors and Recipients
We engage the following sub-processors under written agreements that include the safeguards required by Article 28 GDPR. Each may receive limited categories of personal data strictly necessary for the function described.
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Clerk, Inc. | Authentication, session management, social login (e.g., Google) | United States | EU SCCs + EU–US Data Privacy Framework (where certified) |
| Stripe, Inc. / Stripe Payments Europe Ltd | Subscription billing, payment processing, fraud prevention | United States; Ireland (EU) | EU SCCs + EU–US DPF |
| Google LLC / Google Ireland Ltd (Vertex AI & Gemini) | Large language model inference for AI outputs | EU regions where available; otherwise United States | EU SCCs + EU–US DPF |
| Google LLC (GA4, Google Tag Manager, Google Ads) | Analytics and ad-conversion measurement (only with your consent) | United States | EU SCCs + EU–US DPF; IP truncation enabled |
| Cloud hosting and CDN provider | Application hosting, storage, content delivery | EEA primary; global edge for static assets | EU SCCs where applicable |
| Allen Institute for AI (Semantic Scholar API) | Bibliographic metadata for biomedical literature search | United States | API queries; minimal personal data transmitted |
| NCBI / U.S. National Library of Medicine (E-utilities, PubMed) | Bibliographic metadata for PubMed records | United States | Public API; minimal personal data transmitted |
We may also disclose personal data where required by law, court order, or other lawful request from a competent authority.
6. International Transfers
Several of our sub-processors are located in the United States or process data globally. Transfers outside the EEA are made under the European Commission's 2021 Standard Contractual Clauses, the EU–US Data Privacy Framework where the recipient is certified, or another transfer mechanism recognised under Articles 45–49 GDPR. Where appropriate, we apply supplementary measures (e.g., encryption in transit and at rest, data-minimisation, and access controls) following our transfer impact assessments.
7. Cookies and Analytics
For users in the EEA, UK, and Switzerland, all non-essential cookies (analytics and ad measurement) are denied by default via Google Consent Mode v2 until you grant consent in the cookie banner or on the Cookie Policy page. We do not use behavioural advertising cookies, and ad personalization is forced to "denied" regardless of consent.
8. Data Retention
- Account data: retained for the lifetime of your account, plus up to 90 days in backups after deletion.
- Search history, prompts, uploaded documents, and AI outputs: retained while your account is active so you can revisit them, and for up to 90 days after account deletion (or earlier deletion request) to allow for backup rotation. You may delete individual items at any time from in-app controls.
- Operational and security logs: retained up to 12 months for security auditing and abuse prevention.
- Billing and tax records: retained for the period required by Cyprus tax and accounting law (currently 7 years).
- Cookie-consent record: retained on your device for up to 12 months so we can respect your choice between visits.
- Anonymised, aggregated data: may be retained indefinitely as it no longer identifies you.
9. Your Rights
Under Articles 15–22 GDPR you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure ("right to be forgotten") subject to legal-retention exceptions;
- restrict processing in certain circumstances;
- receive your data in a portable, machine-readable format;
- object to processing based on our legitimate interests;
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
- lodge a complaint with a supervisory authority (see §1).
To exercise any of these rights, email info@bioskepsis.ai. We will respond within one (1) month of verifying your identity, extendable by up to two months for complex or numerous requests as permitted by Article 12(3) GDPR.
10. Automated Decision-Making (Article 22 GDPR)
BioSkepsis uses generative-AI models to produce literature summaries, citations, and answers in response to your queries. These outputs are informational and decision-support tools intended to be reviewed by you. We do not make any decision that produces legal effects or similarly significant effects concerning you (such as credit, employment, healthcare, insurance, or access to essential services) based solely on automated processing within the meaning of Article 22(1) GDPR.
11. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Cyprus supervisory authority within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, we will notify affected data subjects without undue delay, in accordance with Article 34 GDPR.
12. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, secret rotation, dependency monitoring, and routine vulnerability assessments. No system is perfectly secure, and you remain responsible for the confidentiality of your credentials.
13. Social Logins (Clerk / Google)
Authentication is provided by Clerk, which supports email/password and social login (e.g., Google). If you sign in with a social provider, we receive basic profile data (such as email, name, and avatar URL) from that provider. We never receive your social-account password. Your use of the social provider remains subject to that provider's own terms and privacy policy.
14. Account Management and Deletion
You can view and update your account details from in-app account settings (managed by Clerk). To delete your account, use the in-app delete control where available or email info@bioskepsis.ai. Following a verified deletion request, we will erase your account from active systems within 30 days and from backups within 90 days, except where retention is legally required (see §8).
15. Children's Privacy
The Service is intended for professional and academic use by persons aged 18 or older. We do not knowingly collect personal data from children. If you are a parent or guardian and believe a child has provided personal data, contact info@bioskepsis.ai and we will delete the account and associated data without undue delay.
16. Third-Party Websites
The Service may contain links to third-party websites and resources (for example, publisher pages, PubMed records, or Semantic Scholar). Their privacy practices are not covered by this Notice. Please review the applicable third-party privacy policies before sharing personal data with them.
17. Updates to This Notice
We may update this Privacy Notice to reflect legal, technical, or operational changes. The "Last Updated" date above will always reflect the most recent revision. Material changes will be communicated through the Service or by email where appropriate. Continued use of the Service after the effective date of an update constitutes acceptance of the revised Notice.
18. Contact
Questions or requests should be directed to: info@bioskepsis.ai.