Privacy Policy

1. What we collect

Account information. Your name and email address, supplied by you or by your sign-in provider when you create an account, and the academic profile you enter during onboarding: your level, field, and stage.

Thesis content. The thesis file you upload and the text extracted from it. This is the most sensitive data Thesisroom holds, and it is treated accordingly (see section 3).

Usage and module data. The viva sessions, citation runs, and chapter audits you generate, and your interactions with them.

Payment information. When you subscribe, payment is handled by our payment processor. Thesisroom stores a customer reference and your plan status. Thesisroom never sees or stores your card number.

Abuse-prevention signals. A device fingerprint and a content fingerprint of your thesis, used only to prevent repeated free-tier abuse, as described in section 6.

Operational data. Logs needed to run the service, including a record of which external systems each request used (provider, size, and timing, never the content itself).

2. Why we process it, and our lawful bases

To provide the service you asked for: running the modules on your thesis, saving your history, and managing your subscription. Lawful basis: performance of our contract with you.

To prevent fraud and free-tier abuse, and to keep the service secure. Lawful basis: our legitimate interest in protecting the service and other users.

To improve the product using anonymised, aggregated patterns. Lawful basis: your consent, which is optional and revocable at any time from your settings.

To send you product updates. Lawful basis: your consent, which you can withdraw using the unsubscribe link in any such message.

Transactional messages about your account, such as receipts, password resets, and account notices, are sent on the basis of our contract with you and are not marketing.

3. How your thesis is processed

When a module runs, excerpts of your thesis are sent to our AI provider's API for analysis. Before any text leaves our servers, a redaction step strips identifying information: your name, your supervisor's name, your institution, your email address, your phone number, your student ID, and the title page, declaration, and acknowledgements. The analysis operates on your academic arguments, not your identity.

Your thesis text is never used to train any AI model. Our AI provider's commercial terms prohibit training on customer data. Inputs and outputs may be retained by the provider for a short period for security review, then deleted. We are pursuing a zero-retention agreement that removes even that short-term retention.

A second AI provider may be used for non-thesis tasks such as turning Thesisroom-generated questions into speech. That provider receives no thesis content. A runtime control blocks any thesis text from reaching it until a data processing agreement is in place.

Citation checks query public academic databases to confirm whether a reference exists. These queries carry citation metadata such as authors, titles, and identifiers. They do not carry your thesis text.

The original, un-redacted text of your thesis is stored only so that you can read it back in your own account. It is never sent to an external provider.

4. Who we share it with

Thesisroom does not sell your data, and does not share your thesis with any third party except the processors needed to run the service.

Those processors are: our database and file-storage provider, which hosts your data; our AI provider, which performs analysis on redacted text; our payment processor, which handles billing; our email provider, which delivers account and product messages; and the public academic databases used to verify citations.

Each processor handles your data only on our instructions and for the purposes described here. We share the minimum necessary for each task.

5. Where your data is processed

Thesisroom's database, file storage, and AI processing take place in the United States. If you are located outside the United States, your data is transferred there to provide the service. Where required, that transfer is made under recognised safeguards such as standard contractual clauses.

By using Thesisroom you understand that your data, including your thesis, is processed in the United States.

6. Abuse prevention and retention of hashed identifiers

The free tier costs real money to provide. To stop a single person from repeatedly creating free accounts to extract outputs, Thesisroom keeps a small set of hashed identifiers when a free account is deleted: a one-way hash of the email address, a device fingerprint, and content fingerprints of the thesis. The raw email address is never stored in this record.

These hashed identifiers are kept for twelve months and then deleted automatically. They cannot be reversed to identify you, and accounts that ever held a paid plan are never recorded.

You may ask us to delete your hashed identifiers. We will do so, with the consequence that the protection is lifted: a thesis you previously uploaded could then be re-uploaded by anyone matching the same fingerprints.

7. How long we keep your data

We keep your account data and thesis content for as long as your account is active.

When you delete your account, deletion is completed within seven days. All thesis content, the original and redacted text, your module history, your session data, and your audit logs are permanently removed from our systems. A confirmation is sent when this is complete.

Two categories survive deletion for the reasons given above: the hashed abuse-prevention identifiers, kept for up to twelve months, and the customer record held by our payment processor, which is retained to meet financial and legal obligations and is controlled by that processor.

8. Your rights

You can access and correct your profile and account data from your settings at any time.

You can delete your account and all associated data from your settings. You can withdraw consent for product-improvement data or for marketing at any time, with no effect on the quality or features of the service.

Depending on where you live, you may also have the right to receive a copy of your data in a portable form, to object to or restrict certain processing, and to lodge a complaint with your local data protection authority. To exercise any of these, contact us at the address below.

Declining optional consent never changes the product you receive. Consent is freely given.

9. Security

Files and thesis content are held in encrypted storage. Access is limited to the systems that need it to run the service. External requests are logged so that we can show what was sent and when, without keeping a second copy of the content.

No system is perfectly secure, but the architecture is built so that your identity is removed from your thesis before any analysis, which limits the impact of any single failure.

10. Cookies and local storage

Thesisroom uses the storage needed to keep you signed in and to remember small preferences, such as a notice you have dismissed. It does not use advertising cookies and does not track you across other websites.

11. Eligibility and age

Thesisroom is built for candidates preparing to defend academic work and is not directed at children. You must be old enough to enter a contract in your country, and at least sixteen, to use it. If you believe a younger person has created an account, contact us and we will remove it.

12. Changes to this policy

If this policy changes in a way that materially affects how your data is handled, we will update the effective date and, where appropriate, notify you. Continued use after a change means you accept the updated policy.

13. Contact

Questions about this policy, or requests to exercise your rights, can be sent to support@thesisroom.com. General questions can be sent to support@thesisroom.com, and a real person will answer.