Privacy Policy
Last updated: 3/21/2026
1. Who we are
This Privacy Policy describes how Cubic Serveis Tecnològics S.L. (“Cubic”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you use our subscription-based research platform and related services (the “Services”). The Services enable you to store, organize, and query scientific documents using AI-powered retrieval and analysis, as further described in our Terms of Service [available at: https://transparentlab.ai/terms-of-service]. Cubic is the data controller for all personal data processed under this Privacy Policy.
Company details:
- Legal name: Cubic Serveis Tecnològics S.L.
- Registered office: Carrer Mas de Xaxas, 13 2-1, Sant Andreu de Llavaneres, 08392, Barcelona, Spain
- Tax ID (NIF): B61686218
- Commercial registry: Mercantile Registry of Barcelona, Volume [X], Folio [X], Sheet [X]
- Contact email: privacy@transparentlab.ai
This Privacy Policy applies to all users of the Services worldwide. We use EU data-protection law --- specifically, the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) --- as our baseline standard and extend GDPR-level protections to all users regardless of location. Our infrastructure is hosted in the United States (see Sections 4.1 and 6); appropriate safeguards for international data transfers are in place. If you reside in a jurisdiction that affords additional protections, those protections apply to the extent required by local law.
This Privacy Policy is accepted separately at registration and is complementary to, but independent of, our Terms of Service (“ToS”). In the event of conflict between this Privacy Policy and the ToS on data-protection matters, this Privacy Policy governs.
2. What data we collect
We collect and process the following categories of personal data:
2.1 Account data
Data you provide when registering and managing your account: email address, password (stored only in hashed form; we never store or access your plaintext password), biographical summary, institution, department, title, user ID, tier and group membership, billing status, and registration date.
2.2 Content you provide
Documents and materials you upload or retrieve through the Services, including PDFs, EPUBs, books, open-access publications retrieved on your behalf, and any annotations, labels, notes, or hashtags you create. User Content may incidentally contain personal data (for example, author names in publications); we process this solely to provide the Services, not to profile third parties.
In the course of providing the Services, we generate derived data from your Content, such as document summaries, text chunks, extracted figures, vector embeddings (mathematical representations that cannot be meaningfully reversed into original text), and extracted entities and relationships. These are treated as part of your Content for privacy purposes.
2.3 AI interaction data
Data generated when you use the AI features: your queries (“Inputs”), AI-generated responses (“Outputs”), conversation context, mode selections, and document scope selections.
2.4 Conversation logging data (opt-in)
If you enable conversation logging in your settings, we collect pipeline execution traces at a privacy level you choose:
- Full: complete query and response text with your user ID.
- Anonymized: complete text with a hashed, non-reversible user identifier and PII masked.
- Metrics only: performance metrics (latency, token counts, model identifiers) without query or response text.
- None (default): no conversation logging.
You may change your privacy level or disable logging at any time; changes take effect immediately. We maintain an audit trail of your consent choices.
2.5 Technical and usage data
Data collected automatically: usage logs (actions performed, timestamps, associated user and group IDs), system performance metrics (collected in aggregate), server logs (IP addresses, request timestamps, HTTP methods, response codes), and authentication tokens (session identifiers and expiry timestamps). We do not use persistent tracking cookies.
2.6 Flagging, feedback, and payment data
If you flag content or submit feedback: your report comments, the flagged content identifier, your user ID, and the timestamp. If you subscribe to a paid plan: your payment is processed by a third-party payment processor (e.g., Stripe). We receive and store only billing status, subscription state, and the last four digits of your payment method. We do not store full payment credentials.
3. How we use your data
We process personal data only where we have a valid legal basis under Article 6 GDPR.
| Purpose | Data categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the Services --- account management, document storage, indexing, RAG processing, AI responses, group operations | Account data, Content, AI interaction data | Performance of contract (Art. 6(1)(b)) |
| Manage your subscription --- billing, quota enforcement, tier management | Account data, usage data, payment data | Performance of contract (Art. 6(1)(b)) |
| Conversation logging --- pipeline traces at your chosen privacy level | Conversation logging data | Consent (Art. 6(1)(a)); opt-in via settings, withdrawable at any time |
| Security and abuse prevention --- unauthorized access monitoring, acceptable use enforcement | Technical data, usage logs, server logs | Legitimate interest (Art. 6(1)(f)) |
| Service improvement --- aggregate usage analysis, performance monitoring | Usage data, performance metrics (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Communications --- service notifications, security alerts, policy changes | Email address | Contract (Art. 6(1)(b)) for service-critical; legitimate interest (Art. 6(1)(f)) for non-critical |
| Legal compliance --- responding to lawful requests, legal claims | Any relevant data | Legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)) |
What we do NOT do
- We do not train or fine-tune any AI models on your Content (see ToS Section 5.3(a)). If this ever changes, we will obtain your explicit opt-in consent first.
- We do not sell your personal data.
- We do not use your data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects.
- We do not expose individual-tier documents to other users.
4. How we share your data
4.1 Sub-processors
We use sub-processors for infrastructure hosting, AI inference, and embedding generation. All sub-processors are currently located in the United States; transfer safeguards are described in Section 5.
Each sub-processor is bound by a data processing agreement that restricts processing to the purposes we specify, prohibits use of your data for the provider’s own purposes (including model training), requires appropriate security measures, and requires deletion or return of data upon termination.
A current list of sub-processors, including their purposes and the data they process, is maintained at https://transparentlab.ai/sub-processors. We will notify you at least 30 days before adding a new sub-processor, giving you the right to object. If you object and we cannot reasonably accommodate your objection, you may terminate your subscription without penalty.
Third-party data sources (not sub-processors): The Services may query public data sources at your direction, such as OpenAlex and Unpaywall (both operated by OurResearch, a nonprofit). These queries transmit only search terms or document identifiers (e.g., DOIs) --- no personal data. These providers are not sub-processors.
4.2 Group tier members
If you participate in a group tier, your Content in the shared document pool is accessible to other members of your group. Your profile data (name, email) may be visible to the group owner and other group members to facilitate collaboration.
4.3 Legal and safety disclosures
We may disclose personal data where required or permitted by law, including to comply with legal obligations, protect rights and safety, enforce our ToS, or support investigations of suspected fraud or abuse. We will notify you of such disclosures unless prohibited by law.
4.4 Business transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will provide at least 30 days’ advance notice and ensure the acquiring entity assumes the obligations under this Privacy Policy.
5. International data transfers
Cubic is established in the European Union (Spain). Your personal data is stored and processed in the United States on infrastructure provided by the sub-processors listed in Section 4.1.
Because the United States has not received a general adequacy decision from the European Commission, we rely on the following safeguards to ensure your data receives an equivalent level of protection:
- EU Standard Contractual Clauses (SCCs): We have entered into SCCs (adopted under Commission Implementing Decision (EU) 2021/914) with each sub-processor, or rely on the sub-processor’s Data Processing Addendum that incorporates SCCs.
- Transfer impact assessments: We have assessed the legal framework applicable to each sub-processor and concluded that, together with the supplementary measures below, the transfer provides essentially equivalent protection to that guaranteed within the EU.
- Supplementary measures: These include encryption of data in transit and at rest, contractual prohibitions on data use beyond service provision, transient-only processing for LLM inference and embedding providers, access controls limiting who can access personal data, and our ability to respond to data subject requests regardless of where data is stored.
If a sub-processor becomes certified under the EU-U.S. Data Privacy Framework, we may rely on that certification as an alternative or additional transfer mechanism.
We review our transfer mechanisms periodically. You may request a copy of the relevant SCCs or transfer impact assessments by contacting us at [privacy@cubic.com].
6. Data retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy.
| Data category | Retention period |
|---|---|
| Account data, Content, and AI interaction data | Duration of your account + 90 days post-termination (for data export), then deleted within 30 days |
| Conversation logging data | 90-day rolling retention (configurable); deleted on request or at account termination |
| Usage logs and server logs | 90 days, then deleted or anonymized. Anonymized aggregate summaries may be retained longer. |
| Payment records | Duration of subscription + as required by Spanish commercial law (minimum 6 years) |
| Consent records | Duration of account + 3 years post-deletion (for GDPR accountability) |
Group tier --- departure: When you leave a group (without deleting your account), your documents remain with the group as described in ToS Section 2.5(c). Your personal account data reverts to the individual tier.
Right to erasure: You may request deletion of your data at any time (see Section 7). Upon a valid request, we will delete your data without waiting for the post-termination retention period, except where retention is required by law.
7. Your rights
Under the GDPR, you have the right to: access your personal data (Art. 15), request rectification of inaccurate data (Art. 16), request erasure (Art. 17), request restriction of processing (Art. 18), receive your data in a portable format (Art. 20), object to processing based on legitimate interest (Art. 21), and withdraw consent at any time where processing is consent-based (Art. 7(3)). You may also lodge a complaint with the AEPD or your local supervisory authority (Art. 77). We extend these rights to all users regardless of location.
How to exercise your rights
- Self-service: Update your profile, change conversation logging preferences, and export your data via your account settings.
- Contact us: privacy@transparentlab.ai. Your registered email address will usually suffice for identity verification.
- Response time: Within one month (extendable by up to two months for complex requests, with notice).
- No fee unless requests are manifestly unfounded or excessive.
8. Data security
We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit (TLS) and at rest, role-based access control with multi-tenant data isolation (individual-tier data is logically siloed; group-tier data is accessible only within your group), secure credential management, and continuous monitoring for anomalous activity. We regularly review and update our security measures. No system is completely secure, and we cannot guarantee absolute security, but we maintain commercially reasonable protections appropriate for the data we process.
9. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Spanish Data Protection Authority (AEPD) within 72 hours (Art. 33 GDPR) and notify affected users without undue delay where the breach poses a high risk (Art. 34 GDPR). Notification will describe the breach, its likely consequences, and the measures taken.
10. Cookies and tracking
The Services use only strictly necessary mechanisms for authentication and session management. We store an authentication token in your browser to maintain your session; it contains only a session identifier and expiration timestamp. Our content delivery network (AWS CloudFront) may set a technical routing cookie. Both are strictly necessary and exempt from consent requirements under the ePrivacy Directive.
We use Cloudflare Web Analytics on our marketing site (transparentlab.ai) to measure aggregate page views and visitor counts. Cloudflare Web Analytics does not use cookies, does not collect personal data, does not track individual users across sites, and does not store IP addresses. All metrics are aggregated and anonymous. Because no personal data is processed and no cookies are set, no consent is required under the ePrivacy Directive or GDPR.
We do not use analytics cookies, advertising cookies, tracking pixels, third-party cookies, social media plugins, or fingerprinting technologies. No cookie consent banner is required. If we introduce non-essential tracking in the future, we will implement an appropriate consent mechanism first.
11. Children’s data
The Services are not directed at children. You must be at least 18 years old (or the age of legal capacity in your jurisdiction, if higher) to create an account. We do not knowingly collect personal data from anyone under 18. If we become aware that we have done so, we will delete that data promptly. Contact us at [privacy@cubic.com] if you believe a child has provided us with personal data.
12. Automated decision-making
The Services use AI-powered features to generate Outputs in response to your queries. This does not constitute automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR. Outputs are informational research-support tools; they are not used by Cubic to make decisions about you.
13. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. For non-material changes, we will post the updated policy with a revised date. For material changes, we will notify you at least 30 days in advance by email or through the Services. If you do not agree to material changes, you may terminate your account without penalty within 30 days of notice.
14. Additional jurisdictions
If you are in the United Kingdom, references to the GDPR include the UK GDPR, and references to the AEPD include the UK Information Commissioner’s Office (ICO). If you reside in any jurisdiction that affords data-protection rights beyond those described here, those additional rights apply to the extent required by local law. Contact us for jurisdiction-specific information.
15. Contact us
If you have questions, wish to exercise your data-protection rights, or have a complaint, contact us:
- Email: privacy@transparentlab.ai
- Postal address: Cubic Serveis Tecnològics S.L., [Address], Barcelona, Spain
You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) (www.aepd.es), or your local EU/EEA supervisory authority.
This Privacy Policy was last reviewed on [3/21/26].