Privacy Policy
Effective date: March 30, 2026. For existing users, this policy take effect on March 30. For users who create an account on or after March 15, or who purchase credits before the effective date, these Terms apply at the time of sign-up or purchase.
Contact: contact@beaverapp.ai
Who we are. Beaver is an AI-assisted research tool that integrates with reference managers and document editors (such as Zotero and Microsoft Word). Features include semantic search, a reading assistant, chat with your library, and automated processing. We are not affiliated with Zotero, Microsoft, or any other third-party platform.
By using Beaver, you agree to this Privacy Policy.
Important: How Your Data Is Handled
Beaver's data practices depend on your account configuration:
Local storage with server-side processing for AI features (default): Local storage for your library and PDFs, with server-side processing for AI features. Your library stays on your device. We only access titles and abstracts for search functionality. Full paper content remains on your device unless it is accessed by an AI-powered feature (such as chat or automated processing).
Cloud Library Sync: Your library data (including files and attachments) is synced to our servers for enhanced AI features, cross-device access, advanced search capabilities, and other features. Cloud Library Sync is not enabled by default and is not available to new accounts. It currently applies only to early-beta accounts that were onboarded with this configuration. We may offer Cloud Library Sync under additional plans in the future; the list of eligible plans may be updated at any time. Cloud Library Sync is never enabled without your explicit action—you must opt in to a plan that includes it.
Subscriptions. Beaver also offers paid subscriptions for AI credits. Subscribing does not change how your library data is handled—that is determined by your account configuration.
This policy describes both configurations. Sections that apply only to one configuration are clearly marked. Where no distinction is made, the provision applies to all users.
1) What data we collect
All users
Account & contact data. Name (if provided), email, settings, plan/tier, and communications with us (e.g., support, Slack).
Connected service identifiers. If you connect external accounts (such as Zotero), we store identifiers necessary to link your Beaver account with those services.
Credit balances. We track your available and used credits (AI credits, page processing credits) for billing and service delivery.
Prompts, outputs, and usage (AI Data). Your queries/prompts (whether entered manually or triggered by automated features), model responses, usage metrics (including model configurations, token counts, cost calculations, and billing information), and technical telemetry (timestamps, request metadata). This includes both interactive chat sessions and any background or automated AI processing. See Section 4 for how this is used.
AI-generated content and history. Your interaction history (including chat conversations and outputs from automated features) is stored on our servers to enable cross-session access. This history includes:
- Prompts and AI Agent responses.
- Document excerpts: When the AI Agent determines a search is necessary to answer your query, relevant text segments are retrieved and become part of the chat history.
- Manual content additions: If you explicitly "attach" a file or annotation, the text is extracted and added to the conversation history.
- Document images: If a page contains visual content (like charts or diagrams) or if text extraction fails, the AI Agent may retrieve an image of that specific page. These images are stored as part of the chat history.
How content is retrieved differs by tier:
- Local-only users: Document excerpts, attached content, and images are retrieved from your local device via a secure connection. We do not store your original PDF files—only the specific text segments and page images that become part of a conversation.
- Cloud Sync users: Document content is retrieved from files already synced to our servers or from your local device via a secure connection.
System logs. We collect and store logs of service activity as part of normal service operation that may include:
- Your user identifier (e.g., user ID, account ID),
- Timestamps, request paths/URLs, HTTP status codes
- Performance metrics (latency, throughput)
- Error, warning, and debug messages
- Tool call information (names, arguments, results) and related diagnostic context
- IP addresses and device/browser metadata
These logs primarily contain request metadata. User content is stripped from system logs, though traces may remain, particularly in error messages.
System logs are temporary. They are processed and stored by our subprocessors (Logfire and Google Cloud Platform) in the United States and are automatically and permanently deleted after 90 days. We use system logs to monitor service performance, diagnose and fix errors, respond to customer support requests, and detect and prevent abuse or fraud. Logs are not used for product development, feature design, or model training. We do not systematically review log content for feature ideas, but fixing a bug may result in a code change that improves the service.
AI usage logs. We maintain operational records of your AI interactions (including chat and automated features) stored in our primary database. These usage logs are used for billing and usage tracking, operational integrity, dispute resolution, regulatory compliance, and diagnosing and fixing errors (such as analyzing failure patterns to resolve recurring issues).
Payments. Payments are handled by our payment processor (Stripe). We don't store full payment card numbers.
BYOK (Bring‑Your‑Own‑Key). If you supply your own AI provider API key, we do not store it server‑side and do not log it; it is transmitted with each request to your chosen provider.
Local-only Users
Limited metadata access. We access only the titles and abstracts of items in your library to generate embeddings for search functionality. We do not access or sync your full library metadata, PDFs, or other file attachments unless they are accessed by an AI-powered feature (such as chat or automated processing).
Your library stays local. Your library database and all files remain on your local device. We do not create a server-side copy of your library.
Temporary processing. Titles and abstracts are transmitted temporarily to generate embeddings. Once the embeddings are sent back to your local device, they are not stored on our servers. We do not maintain a server-side vector database for local-only users.
Cloud Sync Users Only
Full library sync. We access and sync all metadata and files (such as PDFs and other attachments) for the libraries you choose to sync with Beaver. Library metadata includes bibliographic information for each item and attachment, collections, tags, and other organizational data. We process and derive embeddings/indexes from your files to power search and AI features.
Sync logs. We maintain operational records of synchronization activities between your connected libraries and our service, including sync status, timestamps, item counts, and error details. These records are essential for maintaining data consistency and troubleshooting sync issues and are stored in our primary database.
File processing logs. We maintain operational records related to file processing for billing verification, usage tracking, and dispute resolution, stored in our primary database. These file processing logs are used for billing and usage tracking, operational integrity, dispute resolution, and regulatory compliance as required by applicable laws and our billing policies.
2) How we use your data (purposes)
Provide the service.
- Local-only users: Process titles and abstracts to create embeddings/indexes for search; route your prompts to selected AI models; run automated AI features you enable; maintain your account and settings; store interaction history.
- Cloud Sync users: Sync, store, and process your library data; create embeddings/indexes; route your prompts to selected AI models; run automated AI features you enable; maintain your account and settings; store interaction history.
Security & abuse prevention. Detect/prevent misuse, fraud, and service disruption.
Analytics, reliability & improvement. Measure performance, diagnose and fix errors (including analyzing recurring failure patterns), and maintain service quality using operational and aggregate data.
Billing & operational integrity. Track usage metrics, calculate costs and credits, verify billing accuracy, and resolve usage disputes.
AI Data for quality improvement (with your consent only); see Section 4.
Legal. Comply with law, enforce terms, respond to lawful requests.
3) Where we process data; subprocessors
We primarily process and store data in the United States (Google Cloud us‑central). We use reputable subprocessors to host and operate Beaver. Subprocessors include:
- Google Cloud Platform (Cloud Run/Functions/Storage, including infrastructure logs)
- Supabase (database/storage/auth)
- Stripe (payment processing)
- Voyage AI (embedding)
- turbopuffer (vector database)
- Modal (data processing)
- Logfire (application logging and monitoring)
- E2B (sandboxed code execution)
- Generative AI APIs including OpenAI, Anthropic, Google Gemini, Fireworks AI, Baseten, and Groq for chat, summarization, and document processing
This list may be updated from time to time. We will update the published list at least 7 days before routing requests to a newly added provider.
4) Prompts/outputs ("AI Data") & training
Our commitment. We never use your library files, attachments, or images of document pages for model training, quality improvement, or evaluations. For AI Data (text prompts and AI-generated outputs from both interactive and automated features), we only use this data for improvement if you explicitly opt-in via your account settings. Operational logs are handled separately and described in Section 1 ("System logs").
What may be used (with your consent only). If you enable data sharing in your account settings, we may use your AI Data for purposes such as model training, feature evaluation, quality measurement, research, and the overall improvement of Beaver. AI Data includes your prompts, AI responses, and any document excerpts or page images that were retrieved during an interaction—whether from a chat conversation or an automated feature. It may also include metadata associated with library items—such as authors, titles, abstracts, and other bibliographic information. However, we do not use your original PDF files or full library attachments for training—only the specific content processed by AI features. You can change your data sharing preference at any time in your account settings.
30‑day window & de‑identification. AI Data used for product improvement remains linked to your account for up to 30 days to support operations, safety reviews, and user deletion requests. After that, we store the data separately and remove direct identifiers (e.g., account ID/email) and use automated systems to identify and remove or replace personal information within the content itself before using it for product improvement. We do not consider references to published research, academic authors, or scholarly works to be personal information requiring removal. However, we cannot guarantee that all personal information will be detected and removed through this automated process.
Deletion during the window. You can request deletion during the 30‑day window; we will delete linked AI Data and the data will not be used for product improvement even if you previously consented. After de‑identification, we generally cannot re‑associate or delete specific records.
Providers & BYOK reminder. When using Beaver-funded credits, we configure supported providers not to train on your data where such settings are available. When using your own API key (BYOK), your provider's terms and data practices apply and are outside our control. We do not store your API key; it is transmitted securely with each request.
Support access to specific files (only if you ask). If you request support (e.g., "this file doesn't work"), you authorize limited access to that file solely to diagnose and fix the issue. Access is limited to authorized personnel. Any copies or derived troubleshooting artifacts are deleted within 30 days after the ticket is closed (unless you ask us to keep them longer). You are responsible for having the right to share the file.
5) Lawful bases (EU/UK/EEA)
We process personal data on these bases:
Contract (Art. 6(1)(b)): to provide the service you request.
Legitimate interests (Art. 6(1)(f)): service reliability, security/anti‑abuse, analytics, system monitoring, and diagnosing and fixing errors.
Consent (Art. 6(1)(a)): for using AI Data for improvement purposes; you can withdraw consent at any time in Settings.
Legal obligation (Art. 6(1)(c)): compliance with law.
Controller/processor roles.
- Local-only users: We act as an independent controller for your account data, chat data, and the titles/abstracts we process for embeddings.
- Cloud Sync users: For library data you upload/sync, you are typically the controller and we act as your processor; for account/operations data, we may act as independent controller.
A Data Processing Addendum (DPA) is available on request for Cloud Sync users.
6) International transfers
Your data may be transferred to the U.S. and other countries with different data‑protection laws. These transfers are primarily carried out by our trusted infrastructure providers (e.g., Google Cloud, Supabase).
For EU/UK/Swiss personal data, we rely on appropriate safeguards—such as Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA/Addendum—to ensure an adequate level of protection. These vendors conduct transfer assessments and implement additional technical, contractual, and organizational measures as required under applicable laws.
7) How we share data
Service providers/subprocessors. Hosting, storage, analytics, email, support tools, vector DB, and AI providers for inference/embeddings.
BYOK providers. When you use your own API key, your prompts and necessary context go directly to your chosen provider under their terms.
Legal and safety. To comply with law, protect rights/safety, prevent fraud/abuse, or respond to lawful requests.
Business changes. In a merger, acquisition, or asset transfer, your data may be transferred subject to this Policy.
Data sharing. We do not sell personal information as defined by the California CPRA, nor do we share it for cross‑context behavioral advertising.
8) Retention
Account data: kept while your account is active. Upon deletion request, account deletion is scheduled and completed within 10 days, with email notification sent when deletion is finished. You can continue using the service during this period until your authentication token expires. Some minimal records may be retained for up to 90 days for backup, dispute resolution, and audit purposes.
Embeddings:
- Local-only users: Embeddings derived from titles and abstracts are only stored on your local device. Never on our server.
- Cloud Sync users: Library files and embeddings retained while needed to provide features you use; deleted upon account deletion subject to backup/log schedules.
AI Data: retained while needed to provide the service; when used for product improvement (with your consent), linked up to 30 days, then de‑identified (Section 4).
Usage & billing logs: usage metrics, cost calculations, and billing data retained for operational integrity, dispute resolution, and regulatory compliance as required by applicable laws and our billing policies.
Support artifacts: deleted within 30 days of ticket closure unless you ask us to keep them longer.
System logs: retained for up to 90 days by our logging providers (Logfire and Google Cloud Platform) and then automatically deleted. Infrastructure logs may be retained by our hosting providers per their operational schedules.
Sync logs (Cloud Sync users only): retained in our database while your account is active and for operational integrity. Upon account deletion, these are deleted along with other account data.
AI usage logs: billing and usage tracking data retained in our database for operational integrity, dispute resolution, regulatory compliance, and diagnosing and fixing errors as required by applicable laws and our billing policies.
File processing logs (Cloud Sync users only): billing and usage tracking data retained in our database for operational integrity, dispute resolution, and regulatory compliance as required by applicable laws and our billing policies.
Backups/logs: retained per operational schedules; some records may persist as anonymized or aggregated data.
Storage hygiene (Cloud Sync, free accounts only). For free accounts with Cloud Library Sync enabled, we may periodically delete our stored copies of attachments and derived data (e.g., text extracts, OCR, embeddings, thumbnails) when items are inactive, while your originals remain in connected sources. If you access an item again, we may re‑fetch and re‑process it on demand.
Cloud Sync removal for inactive accounts. If a non-paying account with Cloud Library Sync enabled has no service activity (such as chat messages or automated processing) for 90 days, we may disable Cloud Library Sync and delete server-side copies of your library files and derived data (embeddings, processed text, thumbnails). We will send notice to the email on file and provide at least 14 days to sign in and use the service to retain Cloud Sync. Your account credentials, settings, and interaction history are preserved. Your original files in connected sources are unaffected. This does not apply to paid subscription accounts in good standing.
Inactive account deletion (free accounts). If a free account has no service activity for 90 days, we may deactivate it and later delete the account and remaining data after providing at least 14 days' notice to the email on file. We'll keep only the minimal records we need for security, fraud prevention, accounting, or legal compliance (e.g., transaction records), which we delete when no longer needed.
Backups and logs. Backups and system logs are kept for limited periods and are overwritten on a rolling basis. Deleted items may remain in backups until those backups cycle, after which they are permanently removed.
9) Security
We use reasonable administrative, technical, and physical safeguards (e.g., encryption in transit/at rest where applicable, access controls, monitoring). No system is perfectly secure. You're responsible for:
- Local-only users: Keeping credentials safe and using up‑to‑date software. Your library data remains on your device and is subject to your own security practices.
- Cloud Sync users: Selecting which library to sync, keeping credentials safe, and using up‑to‑date software.
10) Your rights
EU/UK/EEA. You may have rights to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent. You can also lodge a complaint with your local supervisory authority.
California (CPRA). California residents may request access, correction, or deletion of personal information, and may opt out of "sale" or "sharing" (we do not sell/share personal information as defined by CPRA). We will not discriminate for exercising your rights.
How to exercise rights. Email contact@beaverapp.ai. We may need to verify your identity and, where we act as a processor, redirect your request to the applicable controller.
Account deletion. You can request account deletion from the account page on our webpage. Deletions are typically completed within 10 days and you'll receive email confirmation when the process is finished.
11) Cookies and similar technologies
Our desktop and plugin-based products do not use browser cookies.
Our website may use essential cookies (e.g., for authentication or remembering settings) to support account management and basic functionality. We may also use analytics or performance technologies to understand usage and improve reliability. You can manage cookies in your browser; blocking some cookies may affect functionality.
If we expand the site into a full web app, we will update this section accordingly.
12) Children
Beaver is not for children under 13, or under the age of digital consent where applicable. We do not knowingly collect data from children in those categories.
13) Non‑affiliation
Beaver is not an official service of Zotero, Microsoft, or any other third-party platform or university.
14) Changes to this Policy
We may update this Policy. If changes are material, we will provide notice at least 15 days before they take effect (e.g., in‑app or by email) and update the effective date. Your continued use after the new effective date means you accept the changes.
15) Contact
Email: contact@beaverapp.ai