This Privacy Policy explains what data SHEAF collects, how we use it, and your rights under UK GDPR, EU GDPR, and other applicable privacy laws. By using the SHEAF service you confirm you have read and understood it.
For privacy questions: legal@usesheaf.io. For general matters: hello@usesheaf.io.
1. Who we are
SHEAF is operated by SHEAF LTD, a private limited company registered in England and Wales (company number 17232059) with its registered office at Dormers, Quarry Wood Road, Cookham, Maidenhead, SL6 9UA, United Kingdom. References in this policy to "SHEAF", "we", "us", or "our" mean SHEAF LTD.
SHEAF LTD is the data controller for personal data processed in connection with the Service, within the meaning of UK GDPR Article 4(7).
2. What data we collect
- Account data — your name, email address, and a hashed password. Your API key is stored as a SHA-256 hash; we cannot recover the raw key.
- Paper ratings — when you save, pass, or manually add a paper, we record the paper ID, action, and timestamp, linked to your account.
- Collections — the collections you create, their names, and which papers you add to them.
- Research profile — the topics, authors, and excluded terms you configure, plus the seven quality weights that control your personal paper ranking.
- Derived data — vector embeddings and similarity scores computed from your saved papers, used to rank future recommendations. These are derived from your activity and live alongside your account record.
- Subscription data — when you subscribe to a paid plan, we hold your Stripe customer identifier, subscription tier, and subscription status. See section 6 for how payment data is handled.
- Usage data — request logs (method, path, status code, duration) and error reports via Sentry. Logs do not contain request bodies or paper abstracts.
We do not collect payment card numbers (Stripe handles those), location data, or any data from third-party sources beyond what you explicitly import (e.g. BibTeX or RIS files).
3. Lawful basis for processing
We process your personal data on the following lawful bases under UK GDPR Article 6:
- Contract (Art 6(1)(b)) — to provide the Service you have signed up for. This covers account creation, daily paper recommendations, collections, knowledge graph, literature reviews, and reading paths.
- Legitimate interests (Art 6(1)(f)) — to diagnose errors via Sentry and maintain request logs for security and reliability. We have assessed that our interest in operating a reliable service is not overridden by your interests in this context.
- Legal obligation (Art 6(1)(c)) — to retain certain records for tax and accounting purposes as required by UK law.
- Consent (Art 6(1)(a)) — for any future marketing communications (we do not currently send marketing).
4. How we use your data
- To personalise your daily paper recommendations using your rating history, profile, and quality weights.
- To compute and display your knowledge graph of connections between saved papers.
- To generate literature reviews and reading paths from your collections (via Anthropic Claude — see section 5).
- To diagnose errors and improve the service (Sentry error tracking).
- To handle billing and subscription management (Stripe).
We do not sell, share, or use your data for advertising. We do not engage in cross-context behavioural advertising.
5. Automated decision-making (GDPR Article 22)
The SHEAF paper ranking is fully automated. Each candidate paper is scored against your quality weights, your saved-paper embedding centroid, your declared topics and authors, and your excluded terms — without human review per individual paper. This is automated decision-making within the meaning of UK GDPR Article 22.
The decisions concern which papers are surfaced in your daily feed and in what order. They do not produce legal effects on you or similarly significantly affect you within the meaning of Article 22(1) — they affect what you read, not legal rights or commercial decisions about you.
You retain the right to:
- Request a human review of any ranking decision by emailing legal@usesheaf.io;
- Express your point of view on any ranking decision and contest it;
- Adjust the inputs to the ranking yourself at any time via your Profile settings — your quality weights, topics, authors, and excluded terms are directly editable.
6. Sub-processors
SHEAF uses the following third-party processors to deliver the service. Each is bound by its own privacy commitments and (where applicable) by a written Data Processing Agreement with SHEAF LTD under UK GDPR Article 28:
- Anthropic PBC (Delaware, USA) — paper scoring, concept extraction, literature review generation, reading path generation. Your saved papers, abstracts, and interest profile are sent to Anthropic's API for these purposes. Per Anthropic's Commercial Terms of Service, data sent to the API is not used to train Anthropic's models.
- Stripe Payments UK Limited (London, UK) — subscription billing and payment processing for paid plans. Holds card data subject to its own privacy policy and PCI DSS compliance.
- Oracle Cloud Infrastructure (EU region) — application hosting and database storage.
- Sentry — Functional Software, Inc. (Delaware, USA) — error tracking and observability. Receives request paths and exception traces; never request bodies, never paper abstracts.
- Apple Inc. (California, USA) — App Store distribution of the iOS app, and (when SHEAF push notifications are enabled in future) push-notification delivery via APNs.
This list is current as of the "Last updated" date. We will update this section as sub-processors change.
7. Payment data and PCI compliance
SHEAF uses Stripe Checkout for all subscription billing. Your payment card details are entered on Stripe-hosted pages and never touch SHEAF servers. SHEAF stores only Stripe-provided identifiers and metadata: your Stripe customer ID, subscription tier, subscription status, and (for display purposes only) the last four digits of your card and its expiry month and year.
Because we never hold or process card data, our PCI DSS scope is SAQ-A — the lightest tier, applicable to merchants that fully outsource card handling to a compliant third party (Stripe is PCI Service Provider Level 1).
8. International transfers
Anthropic PBC (Delaware, USA) and Sentry (Functional Software Inc., Delaware, USA) process your data outside the UK and EEA. Stripe Payments UK Limited may transfer data to other Stripe group entities outside the UK and EEA. Where transfers occur, they are made under:
- The European Commission's Standard Contractual Clauses (or the UK addendum) as available from each provider; or
- Other transfer mechanisms recognised under UK GDPR and EU GDPR.
9. Data retention
- Pass ratings — automatically purged after 2 years. Implementation: purge_old_pass_ratings() runs on every server startup.
- Save ratings, manual-add records, and collections — retained for as long as your account is active. These form the basis of your knowledge graph and your personal ranking centroid; deleting them would destroy your recommendations.
- Account data — retained until you request deletion or your account is closed.
- Request logs — retained for 30 days on the server.
- Sentry error data — retained per Sentry's standard retention policy (currently 90 days for free-tier accounts).
- Stripe customer and subscription records — retained for as long as your account is active, plus an additional period required to meet UK tax and accounting obligations (typically 6 years after the end of the relevant accounting period).
10. Your rights
Under UK GDPR (and EU GDPR where applicable) you have the following rights:
- Right of access & data portability — call GET /api/users/me/export with your API key to download all your data as JSON at any time. The export covers your account, ratings, and collections in a machine-readable format.
- Right to erasure — call DELETE /api/users/me to immediately delete all your ratings, paper feedback, collections, and profile data and deactivate your account.
- Right to rectification — email legal@usesheaf.io to correct any inaccurate personal data.
- Right to restrict processing — email legal@usesheaf.io to request that we restrict our processing of your data.
- Right to object — you may object to our processing on the basis of legitimate interests.
- Rights regarding automated decisions — see section 5.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time. Withdrawal does not affect lawfulness of processing carried out before the withdrawal.
- Right to complain to a supervisory authority — UK users can complain to the UK Information Commissioner's Office (ICO). EU users may complain to their local Data Protection Authority.
11. Security
Passwords are hashed with PBKDF2-SHA256 (260 000 iterations) with a random 32-byte salt. API keys are stored as SHA-256 hashes. All requests are served over TLS (HTTPS). The service is hosted on Oracle Cloud infrastructure in an EU region. Card data is handled by Stripe and never reaches our servers.
We follow standard development security practices: input sanitisation, rate limiting (via slowapi), parameterised queries (via SQLAlchemy), and XSS-hardening in the web app. We maintain a regular dependency vulnerability scan (pip-audit) as part of our CI pipeline.
12. Cookies and similar technologies
The SHEAF web app uses localStorage to keep you signed in across visits (one item: your session token). No third-party tracking cookies, no advertising cookies, no analytics cookies are set by SHEAF. We do not currently use Google Analytics or equivalent.
If we add analytics in future, we will update this policy and (where required) display a cookie consent banner compliant with UK PECR and EU ePrivacy rules.
13. Children
SHEAF is intended for adult use only. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a child has provided us with personal data, please contact legal@usesheaf.io and we will delete it.
14. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the UK ICO within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
15. Changes to this policy
We may update this policy from time to time. If we make material changes we will notify you in advance by email (at the address on file with your account) and via in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this document is updated whenever the policy changes.
Continued use of the service after the effective date constitutes acceptance of the updated policy.
16. Contact
- General: hello@usesheaf.io
- Privacy and data protection: legal@usesheaf.io
- Post: SHEAF LTD, Dormers, Quarry Wood Road, Cookham, Maidenhead, SL6 9UA, United Kingdom