Privacy Policy

Last updated: February 22, 2026

ACI Writer (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our AI-powered research article generation platform.

1. Data We Collect

1.1 Account Information

  • Name, email address, and phone number (if phone authentication is used).
  • Authentication credentials (hashed passwords, OAuth tokens).
  • Account preferences and settings.

1.2 Research Content

  • Research topics, hypotheses, and expected findings you provide.
  • Data summaries and reference materials you upload.
  • Generated articles, abstracts, keywords, and verification reports.
  • Review invitation emails and article texts submitted for review assistance.

1.3 Usage Data

  • Pages visited, features used, and interaction patterns.
  • Device information (browser type, operating system, screen resolution).
  • IP address and approximate geographic location.
  • Timestamps and session duration.

1.4 Payment Data

  • Transaction records (plan purchased, credits, amount, date).
  • We do not store credit card numbers, CVVs, or full payment card details. All payment processing is handled by Stripe.

2. How We Use Your Data

We process your data for the following purposes:

  • Service Delivery: To generate research articles, run verification pipelines, and produce review drafts using our collective intelligence engine.
  • Account Management: To create and maintain your account, authenticate your identity, and manage your credit balance.
  • Communication: To send you service-related notifications, support responses, and (with your consent) product updates.
  • Improvement: To analyze aggregated, anonymized usage patterns to improve pipeline accuracy, model selection, and user experience.
  • Security: To detect and prevent fraud, abuse, and unauthorized access.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. Data Retention

  • Account data is retained for the lifetime of your account plus 30 days after deletion.
  • Generated articles and review drafts are retained for 12 months after creation, unless you delete them earlier.
  • Pipeline logs and verification reports are retained for 6 months for quality assurance.
  • Usage analytics are retained in anonymized form indefinitely.
  • Payment records are retained for 7 years to comply with tax and accounting regulations.
  • Support tickets are retained for 24 months after resolution.

4. Encryption & Security

We employ multiple layers of security to protect your data:

  • In Transit: All data is transmitted over TLS 1.3 encrypted connections.
  • At Rest: Data is encrypted with AES-256 on AWS infrastructure.
  • Passwords: User passwords are hashed using bcrypt with appropriate cost factors and are never stored in plaintext.
  • Tokens: JWT access tokens have short expiration periods. Refresh tokens are rotated on use.
  • Infrastructure: Our backend runs on AWS (us-east-1) with VPC isolation, security groups, and regular vulnerability scanning.

5. Third-Party Services

We share data with the following categories of third-party services, strictly for the purposes outlined:

5.1 LLM Providers

Your research inputs are sent to AI model providers to generate articles and reviews. These providers include Anthropic (Claude), OpenAI (GPT), Google (Gemini), DeepSeek, Mistral, xAI (Grok), and Perplexity. Each provider processes data according to their own privacy policies and API terms. We send only the minimum data necessary for generation and do not share your account information with these providers.

5.2 Payment Processing

Stripe handles all payment processing. Your payment card details are transmitted directly to Stripe and are never stored on our servers. Stripe's privacy policy governs their handling of your payment data.

5.3 Cloud Infrastructure

Our application runs on Amazon Web Services (AWS). AWS provides the compute, storage, and networking infrastructure. Data is stored in the US East (N. Virginia) region and is subject to AWS's shared responsibility model.

5.4 Communication

We may use third-party services (such as Twilio for SMS OTP verification) to communicate with you. These services receive only the minimum information necessary (e.g., your phone number for OTP delivery).

6. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated data. We will process deletion requests within 30 days, subject to legal retention requirements.
  • Export: Download your generated articles, review drafts, and account data in a machine-readable format (JSON) through the Settings page or by contacting support.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing of your data for specific purposes, including analytics.
  • Portability: Receive your data in a structured, commonly used format for transfer to another service.

To exercise any of these rights, contact us at privacy@aciwriter.com or use the data management tools in your account settings.

7. Cookies & Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising trackers or sell data to advertisers.

  • Essential cookies: Authentication tokens stored in localStorage for session persistence.
  • Analytics: We may use privacy-respecting analytics to understand aggregate usage patterns. No personally identifiable information is shared with analytics providers.

8. International Data Transfers

Our primary infrastructure is located in the United States (AWS us-east-1). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We take appropriate measures to ensure your data is treated securely and in accordance with this Privacy Policy.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending you an email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact

For privacy-related inquiries, please contact our Data Protection team: