Privacy Policy
BiblioCheck collects the minimum data needed to run the service. This page lists every piece of data we touch, where it lives, and how to delete it.
What we store
If you're signed in
- Google profile. Your Google account ID (stable identifier), email address, display name, and profile picture URL — taken from Google's OpenID Connect id_token at sign-in.
- Credit balance and transaction history. Two columns on your account — subscription credits and pack credits — plus an append-only ledger of every credit purchase, spend (one row per manuscript), refund, expiry, and admin adjustment. The ledger is what makes refunds and dispute handling auditable.
- Subscription state (if you subscribe). Lemon Squeezy customer and subscription IDs, current tier, status, and renewal date. Mirrored from Lemon Squeezy so we can render the right UI without a round trip on every page load.
- Consent timestamps. When you accepted this Privacy Policy and our Terms of Service.
If you're signed out
We don't store anything tied to anonymous visitors. The reference verifier requires a signed-in account, so anonymous browsers can view this page and the public site but can't submit a manuscript or otherwise generate data we'd record.
What we don't store
- The contents of your manuscript. PDFs and pasted text are held in memory while we extract references, then discarded. We do not save the file, the extracted text, or the bibliography to disk.
- The verification results. Reference matches, DOIs, and statuses are streamed back to your browser and held in memory for the duration of the request only. We do not log them.
- Analytics or advertising trackers. No Google Analytics, no Facebook pixel, no third-party JS that profiles your behaviour.
Who we share data with
- Google — when you click "Sign in with Google", you authenticate against Google directly. Google sees your account ID, email, name, and picture and shares them back with us. Read Google's privacy policy.
- CrossRef, Semantic Scholar, optionally Google Custom Search — when verifying a reference, we send the title / authors / year / DOI of that one reference to these services. We never send your identity, your IP, or your manuscript title.
- Google Gemini — to extract structured references from a PDF, we send the extracted text of the PDF to Google's Gemini API. Per Google's enterprise terms for paid Gemini API usage, your content is not used to train their models.
- Lemon Squeezy (only if you purchase credits) — Lemon Squeezy is the merchant of record for paid plans. They handle the payment, collect VAT / sales tax where applicable, and are the legal seller of the credits to you. They see your name, email, billing address, and payment details; we never receive your card number. They retain a payment record for the statutory window for chargeback / dispute / tax-audit handling. Read Lemon Squeezy's privacy notice.
- Railway — our hosting provider. Standard infrastructure access only; they don't read your data.
Your rights
You can:
- Delete your account at any time — there's a delete button on your account page; the server hard-deletes your user row, transaction history, and free-tier counters in one cascade. Lemon Squeezy keeps the payment record on their side because they have to under tax / consumer-protection law.
- Revoke consent without deleting the account — same effect as deletion for paid features, but the account stays.
- Email us via the feedback form on the home page if you want a copy of your data, or have any other question.
If you're in the EU / UK: this is also how we satisfy GDPR's right to erasure and right of access.
Cookies
session — only after you sign in. Holds your decoded Google profile claims. Signed (not encrypted) with our server secret. Expires after 30 days, HttpOnly, SameSite=Lax.
No third-party cookies are set by BiblioCheck. Lemon Squeezy sets its own cookies on the checkout and Customer Portal pages (a separate domain it controls); we don't read or share them.
Changes to this policy
If we update this page in a way that meaningfully changes how we handle your data, we'll show a banner in the app and ask signed-in users to re-accept consent. Cosmetic edits don't trigger that.
Contact
Use the feedback form on the home page, or write to d.duque25@gmail.com.