Privacy policy

Last updated: May 3, 2026

1. Information we collect

We collect information you provide directly:

  • Account information: email address, name, and authentication credentials
  • Profile data: academic information you enter or import, including publications, education, awards, and biographical details
  • Site content: pages, images, and other content you create for your published website
  • Uploaded documents: CV/resume PDFs you upload for parsing (see “AI processing” below)
  • Payment information: processed securely by Stripe (web) or Apple (iOS); we do not store card numbers

We also collect automatically:

  • Usage data: pages visited, features used, and general interaction patterns
  • Device information: browser type, operating system, and IP address

2. How we use your information

  • To provide, maintain, and improve the Service
  • To publish your academic website as you configure it
  • To import data from third-party academic sources you connect (Semantic Scholar, ORCID)
  • To process payments for Pro features
  • To send transactional emails (account verification, important updates)
  • To detect and prevent abuse

3. AI processing of uploaded content

When you opt in to AI-assisted CV parsing (a Pro feature), the text content of your uploaded resume is sent to Anthropic, which operates the Claude large language model that extracts publications, awards, grants, education, and experience into structured fields. We use Anthropic’s standard API; per Anthropic’s policy, content submitted via the API is not used to train Anthropic’s models.

Free-tier CV parsing is performed by an in-house regex-based parser and does not involve any third-party AI provider. AI-assisted parsing requires explicit, in-app consent the first time you use it; you may decline and use manual entry or the free regex parser instead.

4. Information sharing

We do not sell your personal information. We share data only in these cases:

  • Published sites: content you choose to publish is publicly accessible
  • Subprocessors: the third-party services listed in section 5 process data on our behalf under written data-protection terms
  • Legal requirements: when required by law or to protect rights and safety

5. Subprocessors

We use the following subprocessors to operate the Service. We update this list as our infrastructure changes; material changes will be announced by email to registered users at least 30 days before they take effect.

SubprocessorPurposeData location
Cloudflare, Inc.Application hosting, database (D1), object storage (R2), CDN, DNS, edge analyticsGlobal edge; primary database in United States
Anthropic, PBCAI-assisted CV parsing (Claude API), opt-in onlyUnited States
Stripe, Inc.Payment processing for web subscriptionsUnited States
Apple, Inc.In-app purchase processing and Sign in with Apple authentication (iOS users only)United States
Google LLCGoogle OAuth sign-inUnited States
Twilio (SendGrid)Transactional email delivery (magic links, account verification, billing notifications)United States

We also integrate with Semantic Scholar and ORCID as data sources for publication and identifier lookups; these are read-only integrations that do not receive your personal information beyond the public identifiers you choose to query.

6. Data storage and security

Your data is stored on Cloudflare infrastructure. We use encryption in transit (TLS 1.2+) for all connections. Authentication supports passkeys (WebAuthn), Sign in with Apple, and Google OAuth for password-less access. We follow the principle of least privilege for internal access to production data.

7. Data retention

  • Account and profile data: retained for the lifetime of your account.
  • After account deletion: personal data is purged from our production systems within 30 days. Aggregate, de-identified analytics may be retained indefinitely.
  • Backups: rolling backups of the production database are retained for up to 30 days, after which deleted records are permanently removed.
  • Server and access logs: retained for up to 90 days for security and abuse-prevention purposes, then deleted.
  • Uploaded CV files: the source PDF is processed and discarded immediately; only the structured fields you choose to import are retained.
  • Billing records: retained for 7 years to comply with United States tax and accounting requirements.

8. Your rights (GDPR, CCPA, and similar laws)

Depending on where you live, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion of your account and associated data
  • Portability: export your data in a machine-readable format
  • Restriction or objection: limit how we process your data
  • Withdraw consent: revoke consent for AI-assisted processing at any time
  • Non-discrimination (CCPA): we will not deny service or charge different prices for exercising your rights
  • Opt-out of sale or sharing (CCPA): we do not sell or share personal information for cross-context behavioural advertising and have no opt-out to provide

You can exercise the access, rectification, erasure, and portability rights directly through the dashboard’s account settings and export tools. For all other requests, email dan@facultydex.org from the address associated with your account. We will respond within 30 days.

9. Children’s privacy

FacultyDex is intended for users 18 and older. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information without verifiable parental consent, we will delete it.

Faculty users may publish lab pages that include photographs and biographical details of research-group members, including students who may be minors. If you publish content about a minor, you are responsible for obtaining the necessary parental or guardian consent under applicable law (including COPPA in the United States and the GDPR in the European Economic Area). Subjects of published photographs may request removal by emailing dan@facultydex.org and we will work with the publishing site owner to remove the content.

10. Data breach notification

In the event of a personal data breach that creates a risk to your rights or freedoms, we will notify affected users by email without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking to address it.

11. Cookies

We use essential cookies for authentication and session management. Cloudflare may use analytics cookies to help us understand usage patterns. We do not use advertising or cross-site tracking cookies.

12. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. Continued use of the Service after changes constitutes acceptance.

13. Contact

Questions about this policy or to exercise any of the rights described in section 8, contact us at dan@facultydex.org.