Privacy Policy

Last updated: December 27, 2025
Effective date: December 27, 2025

1. Who We Are (Controller) / How to Contact Us

FedResearch ("FedResearch," "we," "us," "our") is the controller of personal data processed under this Privacy Policy.

  • Contact (Privacy): privacy@fedresearch.co
  • Response times: We aim to respond within 30 days for GDPR requests and within legally required timeframes for California requests.

Company details:

  • Legal entity name: FedResearch
  • Mailing address: Available upon request via privacy@fedresearch.co

EEA/UK representative (GDPR Art. 27): If you are located in the EEA or UK and need to contact a local representative, please email privacy@fedresearch.co.

If you are in the EEA/UK and believe we have not resolved a concern, you may lodge a complaint with your local supervisory authority.

2. Scope

This Privacy Policy applies to personal data we process when you visit or use the FedResearch website, applications, and services (the "Service").

3. Data We Collect

3.1 Data You Provide

  • Account data: email address; name (optional); password (stored as a cryptographic hash)
  • Security data: TOTP/2FA secret if you enable 2FA
  • Support communications: content of messages you send to support
  • Email subscriptions: email address and subscription settings (preferences/frequency)

3.2 Data Collected Automatically

  • Search and usage: search queries (including search type, filters, result counts), pages/features used, timestamps, session duration
  • Document access: documents viewed and when; PDF URLs accessed through the Service
  • AI interactions: prompts/questions, conversation context/history, AI outputs and citations associated with your account/session
  • Device/connection data: IP address, user agent/browser, OS, referring URLs
  • Diagnostics: error logs, performance metrics (e.g., load times)

3.3 "Sensitive" Data (Special Handling)

Account login credentials (hashed password) and 2FA secrets are treated as sensitive, and access to them is restricted.

4. Cookies, Local Storage, and Similar Technologies

We use first-party technologies to operate the Service.

  • Strictly necessary cookies (always on): authentication/session cookies (HTTP-only, secure).
  • Functional storage (preferences): may use local storage or similar device storage for UI preferences (e.g., sort order, results per page).

EEA/UK/CH cookie rule: Where required, we will obtain consent before using any non-essential cookies/device storage and will provide a way to withdraw consent as easily as it was given. (We do not run third-party ad tracking cookies.)

You can also control cookies via your browser settings, but disabling necessary cookies will prevent login features.

5. How We Use Data (Purposes + Legal Bases)

We process personal data for these purposes:

A. Provide and operate the Service (account creation, authentication, document viewing, search features).

  • Legal basis (GDPR): contract necessity.

B. Provide AI features (AI search, summarization, question answering).

  • Legal basis (GDPR): contract necessity; in limited cases, legitimate interests (improving reliability and preventing abuse).

C. Security, abuse prevention, and service integrity (fraud detection, rate limiting, audit logging).

  • Legal basis (GDPR): legitimate interests; legal obligation where applicable.

D. Product improvement and debugging (performance monitoring, error resolution, internal analytics).

  • Legal basis (GDPR): legitimate interests.

E. Communications

  • Service/transactional messages (security alerts, account notices): contract necessity / legitimate interests.
  • Email notifications you opt into (new documents, digests): consent (opt-in). You can unsubscribe anytime.

6. Sharing and Disclosure

We do not sell personal information. We also do not "share" personal information for cross-context behavioral advertising (as defined by California law).

We disclose personal data only to:

  • Service providers / processors (hosting, email delivery, security tooling) under contract terms restricting use to providing services to us.
  • Legal and safety disclosures (to comply with law, enforce terms, or protect rights/safety).
  • Business transfers (merger, acquisition, financing, bankruptcy, sale of assets): data may be transferred subject to this Policy.

7. Key Service Providers (Current)

  • Google Cloud Platform (hosting/storage): Google Cloud Storage and related infrastructure for storing and delivering documents and operating the Service.
  • Google Vertex AI / Discovery Engine / Gemini API (AI processing): may receive queries and relevant context needed to generate results and responses.
  • Email provider: delivers account emails and optional subscriptions.
  • Email tracking: We may track delivery and may track opens/clicks where permitted. Where required by law, we will offer appropriate controls/consents.

8. International Transfers

We operate and use providers in the United States. If you access the Service from the EEA/UK/Switzerland, your data may be transferred outside your jurisdiction.

For EEA transfers, we rely on appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs), and/or
  • Provider participation in the EU-U.S. Data Privacy Framework where applicable, plus supplemental measures as needed.

9. Retention

We keep personal data only as long as necessary for the purposes described:

  • Account data: until you delete your account, plus up to 30 days for backups/recovery
  • Search history: up to 2 years, unless you delete earlier
  • AI conversation history: up to 2 years, unless you delete earlier
  • Document access logs: up to 2 years
  • Security/audit logs: up to 3 years
  • Email subscription data: until you unsubscribe, plus up to 30 days

We may retain aggregated/de-identified data longer where permitted.

10. Your Rights and Choices

10.1 Rights for All Users

  • Access, correct, delete
  • Data export (portability where applicable)
  • Withdraw consent for optional processing (e.g., subscriptions)

10.2 GDPR Rights (EEA/UK)

  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Portability (where applicable)
  • Lodge a complaint with a supervisory authority
  • Not to be subject to solely automated decisions with legal/similarly significant effects (we do not use the AI features for such decisions)

10.3 California Rights (CCPA/CPRA)

If you are a California resident, you may have:

  • Right to know (categories and specific pieces; sources; purposes; recipients)
  • Right to delete
  • Right to correct
  • Right to opt out of "sale"/"sharing" (we do not sell/share for cross-context behavioral advertising)
  • Right to limit use/disclosure of sensitive personal information (we do not use it beyond what's needed to provide the Service)
  • Right to non-discrimination
  • Use of authorized agents (with verification)

California categories we collect may include: identifiers; internet/network activity (searches, usage); inferences about interests based on in-service activity.

11. How to Exercise Rights

Email privacy@fedresearch.co with the subject "Privacy Request."

We will verify your identity (and authorized agent authority where applicable). We may deny requests where legally permitted (e.g., security, fraud, legal compliance).

12. Security

We use administrative, technical, and physical safeguards, including TLS in transit, encryption at rest where supported, password hashing (e.g., bcrypt), HTTP-only secure cookies, access controls, and monitoring. No system is 100% secure.

13. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from them.

14. Changes

We may update this Policy. If changes are material, we will provide notice (e.g., in-product notice or email). Continued use after the effective date means you accept the updated policy to the extent permitted by law.