§ Privacy

Privacy Policy.

Last updated: June 6, 2026

PeerPanel (“we,” “our,” or “us”) provides AI-powered pre-submission peer review services at peerpanel.io (the “Service”). This Privacy Policy explains what we collect, how we use it, and the choices you have.

We built PeerPanel for researchers. We treat your manuscripts the way we would want ours treated: processed, never retained, never used to train models.

§ 01

Who we are

PeerPanel is operated by NexAlpha LLC, based in Virginia, United States.

For privacy questions, contact: privacy@peerpanel.io

Mailing address: 111 N Main Street Ste C, Blackstone, VA

§ 02

What we collect

Account information

  • Email address
  • Hashed password (managed by Supabase Auth, so we never see your plaintext password)

Manuscripts you upload

  • PDF files you submit for review
  • Text extracted from those PDFs for the purpose of running the review

Review outputs

  • Review IDs, timestamps, agent findings, deliberation transcripts, readiness scores, generated PDF reports

Usage and technical data

  • IP address, browser type, device type, operating system, referring URL
  • Pages visited, actions taken, error logs

Payment information (when paid tiers launch)

  • Handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers.

§ 03

What we do NOT do

  • We do not train AI models on your manuscripts. Your paper is not used to fine-tune, improve, or evaluate any AI model, ours or anyone else's.
  • We do not sell your data. Ever. To anyone.
  • We do not pass author metadata into agent prompts. Author names, affiliations, institutions, and acknowledgements are not included in the text sent to the AI reviewers. Reviews are structurally blind.
  • We do not use third-party advertising trackers. No Facebook Pixel, no Google Ads tags, no retargeting cookies.

§ 04

How long we keep it

Data | Retention
Uploaded PDF (raw file) | Deleted within 24 hours of review completion
Extracted text used during review | Deleted with the PDF
Review report (findings, score, transcript) | Retained in your account until you delete it, or for 90 days of inactivity
Account data (email, hashed password) | Until you delete your account
Server logs | 30 days, then deleted
Payment records | Retained by Stripe per their policy; we keep transaction IDs as long as required by tax law (typically 7 years)

Self-service deletion. You can permanently delete any individual manuscript and its associated review directly from the report page. Deletion removes the uploaded PDF, extracted text, all agent reviews, the deliberation transcript, and the final report. An anonymized billing record (review ID, timestamp, token counts) is retained for accounting purposes. Deletion is immediate and irreversible.

You can also delete your entire account and all associated review reports at any time from your account settings, or by emailing privacy@peerpanel.io.

§ 05

How we use your data

We use your data only to:

  • Provide the review service you requested
  • Authenticate you and secure your account
  • Process payments (when applicable)
  • Communicate with you about the Service (transactional email only)
  • Improve the Service through aggregate, anonymized usage metrics
  • Comply with legal obligations

We do not use your data for marketing without your explicit opt-in.

§ 06

Subprocessors we share data with

We use the following service providers (“subprocessors”) to operate PeerPanel. They are bound by data processing agreements and process your data only to provide their service to us.

Subprocessor | Purpose | What they receive
Anthropic | AI agent reviews via Claude API | Sanitized paper text and prompts. Anthropic's commercial API does not train on customer data.
Supabase | Authentication, database, file storage | Account data, review reports, temporary PDF storage
Railway | Web hosting | Standard request logs, IP addresses
Stripe | Payment processing (when paid tier launches) | Payment details, billing email
CrossRef | Citation verification | Public DOI and reference metadata only, never your manuscript text
Semantic Scholar | Citation verification | Public DOI and reference metadata only, never your manuscript text
OpenAlex | Citation verification fallback | Public DOI and reference metadata only, never your manuscript text
Resend | Transactional email | Email address, message content

We will update this list when we add or change subprocessors.

§ 07

International data transfers

PeerPanel processes data primarily in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data will be transferred to the US.

For these transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent safeguards under UK and Swiss law. Our subprocessors above all support these clauses.

§ 08

Your rights

Depending on where you live, you have rights over your personal data:

All users

  • Access the data we hold about you
  • Export your review reports
  • Correct inaccurate data
  • Delete your account and associated data

EEA / UK / Swiss users (GDPR)

  • Right of access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority

California residents (CCPA/CPRA)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt out of sale or sharing of personal information (we do not sell or share for cross-context advertising)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, email privacy@peerpanel.io. We respond within 30 days.

§ 09

Security

We protect your data with:

  • TLS encryption for all data in transit
  • Encryption at rest for stored data (Supabase default AES-256)
  • Access controls limiting who can see customer data
  • Hashed passwords. We never store plaintext.
  • Prompt injection defense. Uploaded PDFs are scanned and sanitized before agents see them.

No system is 100% secure. If a breach affects your data, we will notify you and the relevant authorities as required by law (typically within 72 hours).

§ 10

Children

PeerPanel is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

§ 11

Cookies and similar technologies

We use only essential cookies needed to:

  • Keep you logged in (session cookies)
  • Remember your preferences
  • Protect against CSRF attacks

We do not use advertising or tracking cookies. We do not need a cookie banner under most jurisdictions because we use only strictly necessary cookies, but we will display one where required by law.

§ 12

Changes to this policy

We may update this Privacy Policy as the Service evolves. Material changes (new subprocessors, expanded data collection, new use cases) will be announced by email to registered users at least 14 days before they take effect.

The “Last updated” date at the top of this policy reflects the most recent revision.

§ 13

Contact

Questions, requests, or complaints:

Email: privacy@peerpanel.io

Mail: NexAlpha LLC, 111 N Main Street Ste C, Blackstone, VA

If you are in the EEA and we cannot resolve your concern, you have the right to contact your local data protection authority.