Plain-language summary: Bioscript stores only what is necessary to provide the service — your account credentials via Google OAuth, paper data you interact with, subscription information, and AI usage records for billing. We do not sell your data. We do not use it for advertising.
Bioscript ("we," "us," or "our") operates the Bioscript Chrome extension and associated website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.
By installing the Bioscript extension or using the Service, you agree to the collection and use of information in accordance with this policy.
When you sign in with Google, we receive the following information from Google's OAuth service:
We do not receive or store your Google account password.
To provide the Service, we store data you create or interact with:
When you subscribe to Bioscript Pro, payment is processed by Stripe. We do not collect or store your credit card number or other sensitive payment details. We store:
Because Bioscript uses a usage-based billing model, we record data about each AI request you make in order to calculate your monthly charges accurately. For each AI request, we log:
Monthly totals (total requests, total tokens, total cost) are also maintained as aggregates. This data is used exclusively for billing and to display your real-time usage in the Settings panel. It is not used for advertising, model training, or any other purpose.
We do not collect crash reports or behavioral analytics data beyond what is stored as part of the Service itself (e.g., saved papers, chat messages, AI usage logs). We do not track your browsing history outside of the paper metadata explicitly extracted when you visit a supported academic paper page.
We use the information we collect to:
We do not use your data to train AI models or serve advertisements, and we do not share it with data brokers.
Bioscript relies on the following third-party services to operate. Each has its own privacy policy:
We use Supabase as our backend database and authentication provider. Your account data, paper data, chat history, and settings are stored in a Supabase database. Supabase is hosted on AWS infrastructure. Data is encrypted at rest and in transit.
Sign-in is handled via Google's OAuth 2.0 service. We only request the minimum scopes required: your basic profile (name, email, picture) and, if you use the Google Docs citation export feature, access to create and edit Google Docs files you explicitly authorize. We do not access your Gmail, Google Drive files outside of those you explicitly export to, or any other Google service.
The use of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
AI-powered features (summaries, chat, data extraction, term definitions) are powered by the OpenAI API. When you use an AI feature, relevant paper text and your message are sent to OpenAI's API via our secure backend infrastructure. We use our own API credentials — you do not need to provide an API key. OpenAI's data handling is governed by their API data usage policies. We recommend reviewing OpenAI's privacy policy for details on how they process API inputs.
Subscription billing is handled by Stripe. Stripe collects and processes your payment card information directly. We never see or store your full card number.
All user data is stored in a Supabase PostgreSQL database protected by Row Level Security (RLS). RLS policies ensure that each user can only access their own data — no user can read or modify another user's records.
Data is transmitted over HTTPS/TLS. All AI requests are routed through our secure backend infrastructure. Our OpenAI API credentials are stored only in server-side secrets and are never exposed in client-side code or transmitted to your device.
While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
We retain your data for as long as your account remains active or as needed to provide the Service. Specifically:
To request deletion of all your data, contact us at the email address below. We will permanently delete your account and associated data within 30 days.
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at bioscriptapp@gmail.com. We will respond within 30 days. If you are located in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority.
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will promptly delete it. If you believe a child under 13 has provided us with their information, please contact us.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify you (for example, by displaying a notice in the extension or by email). We encourage you to review this policy periodically.
Your continued use of the Service after any changes constitutes your acceptance of the new policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: