Data Policy
Last updated: May 20261. Overview
This Data Policy explains how Coventra collects, uses, stores, and protects data when you use our systematic review platform. We are committed to transparency and data protection in research workflows.
2. Data We Collect
2.1 Account Information
When you create an account:
- Email address: For authentication and account recovery
- Password: Stored as hashed credentials (bcrypt via Supabase Auth)
- User ID: Unique identifier generated by Supabase
2.2 Research Data You Upload
- PDF files: Study documents you upload for extraction
- Extracted data: Baseline characteristics, outcomes, effect sizes you enter
- Risk of Bias assessments: Assessment judgments and support text
- GRADE assessments: Certainty ratings and explanations
- Comments and annotations: Collaborative review notes
- Project metadata: Names, descriptions, PICO elements
2.3 Usage Data
- API request logs: Endpoints accessed, response times (monitoring only)
- Error logs: Stack traces when errors occur (no personal data)
- Performance metrics: Web Vitals (LCP, FID, CLS) sent to monitoring
2.4 AI Processing Data
When you use optional AI-assisted features:
- Table extraction: PDF table text snippets sent to a third-party AI service for data normalization
- Semantic search and entity extraction: Text processed by our proprietary internal models (runs locally on our servers, not sent to third parties)
Important: Third-party AI processing is subject to the provider's Data Processing Terms. We do not send full PDFs — only specific table snippets when you enable this feature.
3. How We Use Your Data
To provide the service
- Store and retrieve your systematic review projects
- Run meta-analysis calculations via R service
- Enable collaborative review workflows (shared projects)
- Generate exports (CSV, RevMan XML, forest plots)
To improve the service
- Monitor API performance and error rates
- Debug issues reported by users
- Optimize database queries and infrastructure
We do not
- Sell your research data to third parties
- Use your systematic reviews for our own publications
- Train AI models on your extracted data (all models are pre-trained)
- Share data with advertisers or marketing platforms
4. Data Storage and Security
4.1 Infrastructure
- Database: Hosted by Supabase (cloud infrastructure)
- File storage: Supabase Storage (encrypted object storage)
- Authentication: Supabase Auth with industry-standard password hashing
- Encryption: Industry-standard encryption for data in transit and at rest
4.2 Access Controls
- Database security: Strict access controls enforce per-user data isolation
- Project permissions: Owner, editor, viewer roles with granular access
- Session management: Secure authentication tokens with automatic expiration
4.3 Data Location
Data is stored in Supabase-managed data centers. Refer to Supabase's documentation for specific geographic regions.
5. Data Sharing
5.1 Within Coventra
When you invite collaborators to a project, they gain access according to their assigned role:
- Owner: Full access (edit, delete, export)
- Editor: Can modify data, cannot delete project
- Viewer: Read-only access
5.2 Third-Party Services
- Supabase: Processes all database and authentication requests
- AI Processing API: Receives table text snippets for normalization (if enabled)
- Mozilla PDF.js: PDF evidence viewer runs in your browser (no data sent externally)
5.3 Legal Requests
We may disclose data if required by law, court order, or government regulation. We will notify you unless prohibited by law.
6. Data Retention
- Active accounts: Data retained indefinitely while account is active
- Deleted projects: Soft-deleted for 30 days, then permanently removed
- Account deletion: Upon request, all data deleted within 30 days
- Backup retention: Backups may retain deleted data for up to 90 days
- Logs: API logs retained for 30 days, error logs for 90 days
7. Your Rights
You have the right to:
- Access: Download all your research data via export features
- Rectification: Edit or correct any data you uploaded
- Deletion: Request account deletion from Profile & Security, or contact support
- Portability: Export data in standard formats (CSV, JSON, RevMan XML)
- Objection: Opt out of optional AI features (disable in settings)
8. Cookies and Tracking
Coventra uses minimal cookies:
- Authentication cookie: Stores secure session token for login
- Local storage: UI preferences stored in your browser (not transmitted to servers)
- No third-party tracking: We do not use Google Analytics, Facebook Pixel, or similar tracking services
9. Data Protection Regulations
9.1 GDPR (EU/EEA Users)
If you are in the European Economic Area, your data is protected by GDPR. Our lawful basis for processing:
- Contract: To provide the systematic review service you requested
- Legitimate interest: Service improvement and security monitoring
- Consent: For optional AI features (can be withdrawn)
9.2 Research Ethics
If you upload study data containing human participant information:
- You are responsible for obtaining proper ethical approval
- Do not upload individual participant data (IPD) without consent
- Aggregate data only — no PHI or PII
10. AI and Automated Processing
Coventra uses AI to assist (not replace) human reviewers:
- Table extraction: AI suggests structured data; you validate
- Semantic search: Sentence embeddings find relevant text; you review
- Entity recognition: spaCy identifies sample sizes, p-values; you confirm
No automated decisions: We do not make automated decisions that significantly affect your research. All AI outputs require human review.
11. Data Breaches
In the event of a data breach affecting your account:
- We will notify you within 72 hours of discovery
- Notification will include: data affected, potential impact, remediation steps
- We will report to relevant authorities as required by law
12. Children's Privacy
Coventra is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, contact us for immediate deletion.
13. Changes to This Policy
We may update this Data Policy to reflect new features or legal requirements. Material changes will be announced via email. Continued use after changes constitutes acceptance.
14. Contact
For data privacy questions or to exercise your rights, contact us through the Coventra support page. Data Subject Access Requests can be fulfilled via in-app export features or by contacting support directly.