Legal
Privacy Policy
Effective July 8, 2026
Dissertatio is built for unpublished, competitive research — so we treat privacy as a product requirement, not a legal afterthought. This policy explains what we collect, why, where it lives, and the rights you can exercise directly in the product.
1. Who we are
Dissertatio (www.dissertatio.com and app.dissertatio.com) is operated by Hashtag AI Labs (hashtagai.io), which acts as the data controller for personal data processed in connection with the service, except where an institutional customer has signed a Data Processing Agreement — in which case the institution is the controller and Hashtag AI Labs processes data on its behalf. For any privacy matter, contact privacy@hashtagai.io.
2. What we collect
We collect only what the product needs to function. The categories are:
- Account data — name, email address, ORCID iD (when you sign in with ORCID), institutional affiliation if you provide it, and your plan and workspace memberships.
- Content data — the manuscripts, references, comments, suggestions, and version history you and your collaborators create. This is your research; we process it solely to provide the service to you.
- Usage and audit data — actions recorded in workspace audit logs (edits, permission changes, exports, AI interactions), and aggregate feature-usage signals that tell us what to improve.
- Technical data — IP address, browser type, and device information collected in server logs for security and reliability.
- Billing data — plan, invoices, and payment status. Card details are collected and stored by our payment processor, never by us.
- Communications — messages you send to support and our replies.
3. Why we process it, and on what legal basis
Under the GDPR, every purpose needs a legal basis. Ours are:
- Providing the service (account, content, billing data) — performance of our contract with you (Art. 6(1)(b)).
- Security, audit logging, and abuse prevention (usage, technical data) — our legitimate interest in keeping the service and your research safe (Art. 6(1)(f)).
- Invoicing and tax compliance (billing data) — legal obligation (Art. 6(1)(c)).
- Product communications such as release notes — legitimate interest, with an unsubscribe link in every message; marketing to non-customers only with consent (Art. 6(1)(a)).
- AI validation features (content data you explicitly submit to a check) — performance of the contract. Content sent to our AI model provider is processed for that check only and is never used to train models, ours or anyone else’s. Workspace admins can disable AI features entirely.
We do not sell personal data, we do not run advertising, and we do not use your research content for any purpose other than operating the service you asked for.
4. Where your data lives
All customer data — manuscripts, references, versions, backups — is stored and processed in AWS eu-west-1 (Ireland). Where a sub-processor operates outside the EEA (see section 6), transfers are protected by the European Commission’s Standard Contractual Clauses and supplementary measures.
5. How long we keep it
- Content data — for as long as you keep it in the service. When you delete a project or your account, content is removed from production systems promptly and from encrypted backups within 30 days.
- Account data — for the life of the account, then deleted or anonymized within 90 days of closure, except where retention is legally required.
- Audit logs — up to 24 months, supporting workspace security and research-integrity needs.
- Billing records — as required by tax law, typically 5 years.
- Server logs — up to 90 days.
6. Sub-processors
We keep the list of parties that touch your data deliberately short, and we notify workspace admins in advance of changes:
- Amazon Web Services — cloud infrastructure, storage, and backups, in eu-west-1 (Ireland).
- Anthropic (United States) — AI model provider for validation checks and the research copilot. Content is processed per request and not used for model training.
- PayFast (South Africa) — payment processing for paid plans. PayFast receives the data needed to process payment; we never see or store full card details.
The current list, with purposes and locations, is also published on our Security page.
7. Your rights
If you are in the EEA or UK (and in practice, wherever you are), you can exercise the following rights — most of them directly in the product, without a support ticket:
- Access and portability. Export every manuscript as DOCX, PDF, or LaTeX and every reference library as BibTeX at any time, on any plan — including free and cancelled accounts. Account data is available on request.
- Rectification — correct account details in settings at any time.
- Erasure — delete projects or your entire account from settings; section 5 describes the deletion timeline.
- Restriction and objection — including objection to processing based on legitimate interest; write to us and we will respond within 30 days.
- Complaint — you may lodge a complaint with your local supervisory authority. We would appreciate the chance to resolve the issue first.
8. Cookies
We set only strictly necessary cookies and a consent-state cookie — no advertising or cross-site tracking of any kind. The full details are in our Cookie Policy.
9. Children
Dissertatio is a professional research tool and is not directed at children under 16. We do not knowingly collect their data.
10. Changes to this policy
When we change this policy, we will update the effective date above and, for material changes, notify account holders by email and workspace admins in advance. Prior versions are available on request.
11. Contact
Privacy questions, rights requests, or concerns: privacy@hashtagai.io. We respond within 30 days, and usually much faster.
