Privacy Policy

1. Who We Are

Burhan Niaz ("we," "us," or "our") operates the Burhan Niaz platform at researchai.app. We are committed to protecting your personal data and complying with applicable data protection laws, including the UK GDPR and EU GDPR.

For data protection inquiries, contact our Privacy Officer at: privacy@researchai.app

2. Data We Collect

We collect data in three ways:

Information you provide directly:

• Account information: name, email address, password (hashed)
• Billing information: processed and stored by Paddle — we do not store full card numbers
• Research content: queries you submit, reports generated, documents you upload
• Communications: support tickets, feedback, emails you send us

Information collected automatically:

• Usage data: pages visited, features used, session duration
• Technical data: IP address, browser type, device type, operating system
• Cookies: session cookies, preference cookies, analytics cookies (see Section 7)

Information from third parties:

• OAuth sign-in data from Google or GitHub (email, name, profile photo)
• Payment status information from Paddle

3. How We Use Your Data

We use your personal data to:

• Provide, operate, and improve the Burhan Niaz Service
• Process payments and manage your subscription
• Send transactional emails (account confirmations, invoices, security alerts)
• Respond to support requests and troubleshoot issues
• Send product updates and newsletters (you can unsubscribe anytime)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not use your research content to train AI models and do not share your queries or reports with third parties for marketing purposes.

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

• Contract performance: to provide the Service you signed up for
• Legitimate interests: security, fraud prevention, product improvement
• Consent: marketing emails, non-essential cookies
• Legal obligation: tax records, compliance with court orders

5. Data Sharing and Third Parties

We share your data only with trusted service providers who process it on our behalf:

• Paddle — payment processing (Merchant of Record)
• AWS — cloud infrastructure and data storage
• PostHog — product analytics (anonymized)
• Loops — transactional email delivery

All third-party providers are contractually bound to process your data only as instructed and to maintain appropriate security standards.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion:

• Account and profile data is deleted within 30 days
• Research content is deleted within 30 days unless you request an export first
• Billing records are retained for 7 years to comply with tax regulations
• Anonymized analytics data may be retained indefinitely

7. Cookies

We use the following types of cookies:

• Essential cookies: required for the Service to function (session management, authentication)
• Preference cookies: remember your settings and display preferences
• Analytics cookies: understand how users interact with the platform (can be declined)

You can manage cookie preferences via your browser settings or our in-app cookie banner.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of your personal data
• Correction: request correction of inaccurate data
• Deletion: request deletion of your data ("right to be forgotten")
• Portability: receive your data in a machine-readable format
• Objection: object to certain types of processing
• Withdrawal of consent: withdraw consent at any time for consent-based processing

To exercise your rights, email privacy@researchai.app. We will respond within 30 days.

9. Security

We protect your data using industry-standard security measures including AES-256 encryption at rest, TLS 1.3 in transit, regular security audits, and role-based access controls. We are working toward SOC 2 Type II certification.

In the event of a data breach that affects your rights, we will notify you within 72 hours as required by GDPR.

10. International Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards are in place (such as Standard Contractual Clauses) for any transfers outside the UK or EEA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email at least 14 days before they take effect.

12. Contact and Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority (in the UK: the ICO at ico.org.uk).