Data Policy
Last updated: June 11, 2026
1. Overview
This Data Policy explains how Coventra collects, uses, stores, and protects data when you use our systematic review platform. We are committed to transparency and data protection in research workflows.
2. Data We Collect
2.1 Account Information
When you create an account:
- Email address: For authentication and account recovery
- Password: Handled by Supabase Auth; Coventra application code does not store plaintext passwords
- User ID: Unique identifier generated by Supabase
2.2 Research Data You Upload
- PDF files: Study documents you upload for extraction
- Extracted data: Baseline characteristics, outcomes, effect sizes you enter
- Risk of Bias assessments: Assessment judgments and support text
- GRADE assessments: Certainty ratings and explanations
- Comments and annotations: Collaborative review notes
- Project metadata: Names, descriptions, PICO elements
- Community data: If Community is enabled, public profile fields, structured opportunities, reports, and participant-only private messages
2.3 Usage Data
- API request logs: Endpoints accessed, response times (monitoring only)
- Error logs: Stack traces when errors occur (no personal data)
- Performance metrics: Web Vitals (LCP, FID, CLS) sent to monitoring
2.4 AI Processing Data
When you use optional AI-assisted features:
- Study-characteristics suggestions: Selected abstract, methods, first-page, and relevant table context may be sent to the configured language-model provider
- Table-processing endpoints: Selected table text or images may be processed when those optional endpoints are enabled and invoked
- Screening ML and local NLP: Project text is processed by backend models for ranking or extraction endpoints
Important: Third-party AI processing is subject to the provider's Data Processing Terms. The active study-characteristics workflow sends selected PDF context, not the complete PDF. Suggestions are returned for user review before they can be applied.
3. How We Use Your Data
To provide the service
- Store and retrieve your systematic review projects
- Run meta-analysis calculations via R service
- Enable collaborative review workflows (shared projects)
- If enabled, provide Community opportunity discovery, participant conversations, reporting, and moderation
- Generate exports (CSV, RevMan XML, forest plots)
To improve the service
- Monitor API performance and error rates
- Debug issues reported by users
- Optimize database queries and infrastructure
We do not
- Sell your research data to third parties
- Use your systematic reviews for our own publications
- Train AI models on your extracted data (all models are pre-trained)
- Share data with advertisers or marketing platforms
4. Data Storage and Security
4.1 Infrastructure
- Database: Hosted by Supabase (cloud infrastructure)
- File storage: Supabase Storage by default, or Cloudflare R2 when configured
- Authentication: Supabase Auth with industry-standard password hashing
- Encryption: Industry-standard encryption for data in transit and at rest
4.2 Access Controls
- Database security: Backend authorization checks and configured database policies restrict project access
- Project permissions: Project-owner, full-project collaborator, and screening-only access paths
- Session management: Secure authentication tokens with automatic expiration
- Community permissions: If enabled, open opportunities and selected profile fields are public; posting and private actions require sign-in
4.3 Data Location
Database data is stored in Supabase-managed infrastructure. PDF objects use Supabase Storage by default or Cloudflare R2 when configured. Refer to the selected providers for deployment regions.
5. Data Sharing
5.1 Within Coventra
When you invite collaborators to a project, they gain access according to their assigned role:
- Owner: Full access (edit, delete, export)
- Full-project collaborator: Project-wide working access; owner-only management actions remain restricted
- Screening-only member: Access limited to screening workflows
5.2 Third-Party Services
- Supabase: Processes all database and authentication requests
- Configured AI provider: Receives selected context for optional study-characteristics or table-processing requests
- Mozilla PDF.js: PDF evidence viewer runs in your browser (no data sent externally)
5.3 Legal Requests
We may disclose data if required by law, court order, or government regulation. We will notify you unless prohibited by law.
6. Data Retention
- Active accounts: Data retained indefinitely while account is active
- Deleted projects: Removed from the active database when the project owner confirms deletion
- Account deletion: Requests are recorded; accounts without owned projects can be disabled automatically, while owned projects require transfer or deletion review
- Backups: Deleted data may remain in provider-managed backups until those backups expire under the configured provider policy
- Logs: Retained only as needed for security and operations under the deployed logging configuration
7. Your Rights
You have the right to:
- Access: Download project research data through the available export features
- Rectification: Edit or correct any data you uploaded
- Deletion: Request account deletion from Profile & Security, or contact support
- Portability: Export data in standard formats (CSV, JSON, RevMan XML)
- Objection: Do not invoke optional AI-assisted actions
8. Cookies and Tracking
Coventra uses minimal cookies:
- Authentication session: Supabase Auth manages the browser session used for login
- Local storage: Session state and UI preferences may be stored in your browser
- No advertising trackers: We do not use Google Analytics, Facebook Pixel, or similar advertising trackers
9. Data Protection Regulations
9.1 GDPR (EU/EEA Users)
If you are in the European Economic Area, your data is protected by GDPR. Our lawful basis for processing:
- Contract: To provide the systematic review service you requested
- Legitimate interest: Service improvement and security monitoring
- Consent: For optional AI features (can be withdrawn)
9.2 Research Ethics
If you upload study data containing human participant information:
- You are responsible for obtaining proper ethical approval
- Do not upload individual participant data (IPD) without consent
- Aggregate data only — no PHI or PII
10. AI and Automated Processing
Coventra uses AI to assist (not replace) human reviewers:
- Screening ranking: A project model prioritizes records; reviewers make every decision
- Study-characteristics suggestions: A configured model suggests field values and source quotes for review before application
- Staged endpoints: Table, baseline, outcome-synthesis, and entity routes process data only when enabled and invoked; they are not all exposed in the launch UI
No automated decisions: We do not make automated decisions that significantly affect your research. All AI outputs require human review.
11. Data Breaches
In the event of a data breach affecting your account:
- We will assess the affected data, accounts, and likely impact
- We will notify affected users and relevant authorities when required by applicable law
- Notifications will describe known impact and available remediation steps
12. Children's Privacy
Coventra is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, contact us for immediate deletion.
13. Changes to This Policy
We may update this Data Policy to reflect new features or legal requirements. Material changes will be announced via email. Continued use after changes constitutes acceptance.
14. Contact
For data privacy questions or to exercise your rights, contact us through the Coventra support page. Data Subject Access Requests can be fulfilled via in-app export features or by contacting support directly.