Delph-AIDelph-AI

Privacy Policy

Effective Date: April 8, 2026

Last Updated: April 8, 2026

This document is only available in English.

At a Glance

WhatDetails
Who we areDelph-AI, a company incorporated in Mexico
What we doAI-powered systematic literature review screening
What data we collectName, email, organization, title, country (account); titles and abstracts (research data); IP, browser (technical)
WhyTo provide, secure, and improve the Service
AI processingWe send only titles and abstracts to AI models — never your personal data
Who we share withAI providers, cloud infrastructure, payment processor — see Sub-Processors
How long we keep itActive account: while active. After deletion: personal data anonymized after 90 days. Billing: 7 years
Your rightsAccess, correct, delete, port, object — email privacy@delph-ai.org
CookiesEssential only (authentication, session). No tracking or analytics cookies

For complete details, please read the full policy below.

Table of Contents

  1. Who We Are
  2. Scope
  3. Data We Collect
  4. How We Use Your Data
  5. AI Processing
  6. Sub-Processors and International Transfers
  7. Data Retention
  8. Your Rights
  9. Cookies and Similar Technologies
  10. Security
  11. Children's Privacy
  12. Changes to This Policy
  13. Additional Information for EEA Residents
  14. Additional Information for Brazil Residents
  15. Additional Information for Mexico Residents
  16. Additional Information for California Residents
  17. Contact Us

1. Who We Are

Delph-AI ("Delph-AI," "we," "us," or "our") is the data controller responsible for processing your personal data when you use the Delph-AI platform and related services (the "Service").

Details
Legal entityDelph-AI, a company organized under the laws of Mexico
AddressMexico
Privacy contactprivacy@delph-ai.org
EU Representative (GDPR Art. 27)We are in the process of appointing a formal EU representative. In the meantime, EEA residents may direct any privacy-related inquiries to privacy@delph-ai.org
Data Protection Contact (LGPD Art. 41)privacy@delph-ai.org

2. Scope

This Privacy Policy applies to all personal data we collect and process when you:

  • Visit our website (www.delph-ai.org);
  • Create an Account and use the Service;
  • Contact us via email or support channels;
  • Subscribe to our communications.

This Privacy Policy does not apply to third-party websites, services, or applications linked from our Service. We encourage you to review the privacy policies of any third-party services you access.

3. Data We Collect

3.1. Data You Provide

CategoryDataRequired?Legal Basis (GDPR)
IdentityFirst name, last name, email addressYesPerformance of contract — Art. 6(1)(b)
ProfessionalAcademic title, position, organization, countryOptionalConsent — Art. 6(1)(a) (provided voluntarily by you)
Use caseType of research (e.g., biomedical, social science)OptionalConsent — Art. 6(1)(a) (provided voluntarily by you)
Research dataBibliographic records (titles, abstracts, authors, metadata) uploaded as datasetsBy user actionPerformance of contract — Art. 6(1)(b)
Screening configurationInclusion/exclusion criteria, AI model selectionBy user actionPerformance of contract — Art. 6(1)(b)
PaymentOnly the Stripe payment method token (pm_xxx). We never receive or store your credit card number, CVV, or card detailsWhen purchasingPerformance of contract — Art. 6(1)(b) + Legal obligation — Art. 6(1)(c)
CommunicationsContent of emails or messages you send to usWhen you contact usLegitimate interest — Art. 6(1)(f)

3.2. Data We Collect Automatically

CategoryDataLegal Basis (GDPR)
AuthenticationFirebase UID, session token (stored in __session cookie)Legitimate interest — Art. 6(1)(f)
TechnicalIP address, browser type, operating system, referring URLLegitimate interest — Art. 6(1)(f)
UsageLogin timestamps, pages visited within the dashboardLegitimate interest — Art. 6(1)(f)

3.3. Data We Do NOT Collect

We do not collect:

  • Credit card numbers, CVVs, or raw payment card data (handled exclusively by Stripe);
  • Health data, genetic data, biometric data, or any special categories of personal data under GDPR Article 9;
  • Data about children under 16;
  • Location data (beyond IP-derived country);
  • Social media activity or browsing history outside our Service.

4. How We Use Your Data

PurposeData UsedLegal Basis (GDPR)Necessary or Optional (LFPDPPP)
Create and manage your AccountIdentity, authenticationContract — Art. 6(1)(b)Necessary
Process Screenings (send bibliographic data to AI Models)Research data, screening configurationContract — Art. 6(1)(b)Necessary
Process paymentsPayment token, billing informationContract — Art. 6(1)(b) + Legal obligation — Art. 6(1)(c)Necessary
Provide customer supportIdentity, communicationsContract — Art. 6(1)(b)Necessary
Send transactional emails (screening completed, payment receipt)Identity (email)Contract — Art. 6(1)(b)Necessary
Maintain security and prevent fraudTechnical data, authentication, login historyLegitimate interest — Art. 6(1)(f)Necessary
Personalize the Service (language, preferences)Configuration dataContract — Art. 6(1)(b)Necessary
Comply with tax and legal obligationsBilling dataLegal obligation — Art. 6(1)(c)Necessary
Improve the Service (using aggregated, anonymized data only)Anonymized usage patternsLegitimate interest — Art. 6(1)(f)Optional
Analytics (if added in the future)To be determinedConsent — Art. 6(1)(a)Optional
Marketing communications (if added in the future)EmailConsent — Art. 6(1)(a)Optional

We will never use your personal data for purposes not listed above without informing you and, where required, obtaining your consent.

5. AI Processing

5.1. What Technology We Use

Delph-AI uses multiple large language models (LLMs) from different providers to evaluate bibliographic records (titles and abstracts) during the screening phase of systematic literature reviews. We use a multi-model consensus method inspired by the Delphi method, in which multiple AI models independently evaluate each record and a weighted agreement determines the final classification.

5.2. What Data AI Models Process

AI models process only:

  • Titles of academic publications;
  • Abstracts of academic publications;
  • Inclusion and exclusion criteria defined by you.

AI models never process:

  • Your name, email address, or any account data;
  • Your payment information;
  • Your IP address or technical data;
  • Any personally identifiable information.

5.3. How AI Decisions Are Made

Each bibliographic record is independently evaluated by multiple AI models against your criteria. Each model produces a binary judgment (include or exclude). A weighted consensus mechanism (Agreement Rate) determines the final classification. The Agreement Rate is a value between 0 and 1, where higher values indicate stronger consensus among models.

You can review all evaluations, modify classifications, and create alternative versions of results. AI evaluations are tools to support your research, not final determinations.

5.4. AI Evaluations Do Not Affect You Personally

The AI evaluations in Delph-AI assess bibliographic records (academic publications), not people. No automated decisions are made that produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22. You always retain full control over the final inclusion and exclusion decisions in your systematic review.

5.5. We Do Not Train AI Models with Your Data

Delph-AI does not use your data to train, fine-tune, or improve any AI model. Our Data Processing Agreements with all AI providers contractually prohibit the use of API inputs and outputs for model training. For details on each provider's data practices, see our Sub-Processors page.

5.6. AI Providers

We currently use AI models from the following providers:

ProviderModelsData Location
OpenAIGPT-4o, GPT-4.1, GPT-4o-mini, GPT-4.1 nanoUS (EU data residency available)
AnthropicClaude Sonnet, Claude HaikuUS (EU routing)
Google (Vertex AI)Gemini Pro, Gemini Flash, MedGemma, Llama, Qwen, DeepSeekEU (Belgium)
MistralMistral Large, Mistral SmallEU (Paris, France)
xAIGrokUS (EU endpoint available)

For the complete and current list, see our Sub-Processors page.

6. Sub-Processors and International Transfers

6.1. Sub-Processors

We use the following categories of third-party service providers (sub-processors) to operate the Service:

CategoryProviderPurposeLocation
Cloud infrastructureGoogle Cloud PlatformHosting (Cloud Run, Cloud SQL)EU (Belgium — europe-west1)
AI ModelsGoogle Vertex AIAI model inference (including partner models)EU (Belgium)
AI ModelsOpenAIAI model inferenceUS / EU
AI ModelsAnthropicAI model inferenceUS
AI ModelsMistralAI model inferenceEU (France)
AI ModelsxAIAI model inferenceUS
AuthenticationFirebase (Google)User authenticationUS
PaymentsStripePayment processingUS / EU
EmailResendTransactional email deliveryUS

For the complete list with DPA links and transfer mechanisms, see our Sub-Processors page. We will update the Sub-Processors page when we add or change sub-processors.

6.2. International Data Transfers

Delph-AI operates from Mexico. Because we and some of our sub-processors are located outside the European Economic Area (EEA), your data may be transferred internationally. We ensure adequate protection through:

MechanismDescription
Standard Contractual Clauses (SCCs)EU-approved contractual clauses (Commission Implementing Decision 2021/914) included in our agreements with sub-processors outside the EEA
EU-US Data Privacy Framework (DPF)For sub-processors certified under the DPF (Google, Stripe)
EU-Brazil Adequacy DecisionMutual recognition of adequacy between the EU and Brazil (ANPD Resolution CD/ANPD No. 32, January 2026) eliminates the need for SCCs for EU-Brazil transfers
Adequate jurisdictionFor sub-processors in EU member states (Mistral in France, GCP in Belgium)

We do not transfer your data to any country without ensuring appropriate safeguards are in place.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods:

DataRetention PeriodBasis
Active account data (name, email, profile)While your account is activeContract performance
Personal data after account deletionAnonymized after 90-day grace periodGDPR Art. 17 — right to erasure
Projects after deletionRestorable for 60 days, then anonymizedBusiness purpose + user convenience
Screenings after deletion (non-draft)Restorable for 30 days, then anonymizedBusiness purpose + user convenience
Draft Screenings after deletionImmediately and permanently deletedNo retention needed
Bibliographic records (titles, abstracts)Retained indefinitely in anonymized formPublic academic data, de-identified
Billing and transaction data7 years from the transaction dateLegal obligation (tax law)
Security and audit logsMaximum 12 monthsLegitimate interest (security)
Session cookiesDuration of the browser sessionFunctionality

Anonymization process: After the grace period expires, we will anonymize your personal data by replacing identifying fields (name, email, organization, title, position, country) with null values or irreversible hashes. Once anonymized, data cannot be re-associated with you.

8. Your Rights

You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@delph-ai.org. We will respond within 30 days of receiving your verified request, or sooner where required by applicable law.

RightDescriptionGDPRLGPDLFPDPPPCCPA
AccessObtain a copy of your personal data✓ (ARCO)
RectificationCorrect inaccurate or incomplete data✓ (ARCO)
Erasure ("right to be forgotten")Request deletion of your personal data✓ (ARCO — "Cancelación")
PortabilityReceive your data in a structured, machine-readable format
RestrictionLimit how we process your data✓ (blocking)
ObjectionObject to processing based on legitimate interest✓ (ARCO — "Oposición")
Withdraw consentRevoke consent previously given
Opt-out of saleWe do not sell your data✓ (N/A — we don't sell)
Non-discriminationWe will not discriminate against you for exercising your rights

How to exercise your rights:

  1. Send an email to privacy@delph-ai.org specifying which right you wish to exercise;
  2. We will verify your identity before processing your request;
  3. We will respond within 30 days of receiving your verified request, or sooner where required by local law;
  4. There is no fee for exercising your rights;
  5. If we cannot fulfill your request, we will explain why.

Right to complain: You have the right to lodge a complaint with your local data protection authority. For EEA residents, see Section 13. For Brazil residents, see Section 14.

9. Cookies and Similar Technologies

9.1. Cookies We Use

We use only strictly necessary cookies that are essential for the Service to function:

CookiePurposeTypeDuration
__sessionFirebase authentication tokenEssentialSession
Stripe cookiesPayment processing securityEssentialSession / persistent
Framework session cookiesApplication state, CSRF protectionEssentialSession

9.2. No Tracking or Analytics Cookies

As of the effective date of this Privacy Policy, we do not use:

  • Analytics cookies (Google Analytics, Mixpanel, PostHog, etc.);
  • Advertising or remarketing cookies;
  • Social media tracking pixels;
  • Any other non-essential cookies.

If we introduce non-essential cookies in the future, we will: (a) update this Privacy Policy; (b) implement a cookie consent banner with granular opt-in controls; and (c) obtain your explicit consent before placing any non-essential cookies.

9.3. Do Not Track

Because we do not use tracking cookies or third-party analytics, the Do Not Track (DNT) browser signal is not applicable to our Service.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

MeasureDescription
Encryption in transitAll data transmitted over HTTPS/TLS
Encryption at restAES-256 encryption (Google Cloud Platform default)
AuthenticationFirebase Authentication with ID tokens; no passwords stored by Delph-AI
Payment securityStripe tokenization — we never receive or store card data. PCI-DSS SAQ A compliant
Access controlRole-based access, principle of least privilege
Input validationAll user inputs validated and sanitized (Zod)
Security headersContent Security Policy (CSP), HSTS, X-Frame-Options, X-Content-Type-Options
InfrastructureGoogle Cloud Platform with automated security patching

No system is perfectly secure. While we take commercially reasonable measures to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to security@delph-ai.org.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe we have collected data from a child under 16, please contact us at privacy@delph-ai.org.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes:

(a) We will provide at least 30 days' notice via the email address associated with your Account and a prominent banner within the Service;

(b) The notice will include a summary of the changes and a link to the updated policy;

(c) Your continued use of the Service after the notice period constitutes acceptance of the updated policy;

(d) We maintain a publicly accessible changelog of previous versions of this policy.

13. Additional Information for EEA Residents

If you are located in the European Economic Area (EEA), the following additional information applies:

We process your personal data based on the legal bases described in Section 3 and 4, primarily:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service you have signed up for;
  • Legitimate interest (Art. 6(1)(f)): for security, fraud prevention, and service improvement, where our interests do not override your rights;
  • Legal obligation (Art. 6(1)(c)): for tax and regulatory compliance;
  • Consent (Art. 6(1)(a)): for any future analytics or marketing communications (we will ask for your explicit opt-in).

13.2. EU Representative

We are in the process of formally appointing a representative in the European Union in accordance with Article 27 of the GDPR. Until this appointment is finalized, EEA residents may direct any privacy-related inquiries to privacy@delph-ai.org, and we will respond within the timeframes required by the GDPR.

13.3. Right to Complain

You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

13.4. International Transfers

For details on how we protect your data during international transfers, see Section 6.2. We rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

14. Additional Information for Brazil Residents

If you are located in Brazil, the following additional information applies under the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018):

14.1. Your Rights Under the LGPD

In addition to the rights listed in Section 8, you have the right to:

  • Confirm the existence of processing of your personal data;
  • Request anonymization, blocking, or deletion of unnecessary or excessive data;
  • Request information about public and private entities with which your data has been shared;
  • Request information about the possibility of denying consent and its consequences;
  • Revoke consent at any time.

14.2. Data Protection Officer (Encarregado)

Our Data Protection Contact for LGPD purposes is reachable at: privacy@delph-ai.org

14.3. Response Time

We will respond to your requests within 15 days for a complete statement, in accordance with LGPD Article 19, II. For a simplified confirmation of the existence and type of processing, we will respond as soon as practicable.

14.4. International Transfers

Transfers of personal data from Brazil to the European Union are covered by the mutual adequacy decision between Brazil and the EU (ANPD Resolution CD/ANPD No. 32, January 2026). For transfers to the United States, we implement appropriate safeguards as required by the LGPD, including contractual provisions with our sub-processors.

14.5. Supervisory Authority

You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD): https://www.gov.br/anpd/

15. Additional Information for Mexico Residents

If you are located in Mexico, the following additional information applies under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), as reformed in March 2025:

15.1. Aviso de Privacidad

This Privacy Policy serves as the comprehensive privacy notice (Aviso de Privacidad Integral) required by the LFPDPPP. The purposes described in Section 4 are distinguished between necessary purposes (required to provide the Service) and optional purposes (for service improvement and personalization), as required by the reformed law.

15.2. Your ARCO Rights

You have the right to exercise your ARCO rights (Acceso, Rectificación, Cancelación, Oposición) by contacting us at privacy@delph-ai.org. We will respond within 20 business days.

By using the Service, you provide your tacit consent for the processing of your personal data for the necessary purposes described in Section 4. For optional purposes, you may withdraw your consent at any time by contacting us at privacy@delph-ai.org.

15.4. Supervisory Authority

You may file a complaint with the Secretaría de Anticorrupción y Buen Gobierno (formerly INAI).

16. Additional Information for California Residents

If you are a resident of California, the following additional information applies as a matter of good practice, even though the California Consumer Privacy Act (CCPA/CPRA) does not currently apply to Delph-AI based on our size and revenue:

16.1. Categories of Personal Information

We collect the following categories of personal information as defined by the CCPA: identifiers (name, email), professional information (title, organization), internet activity (IP, browser), and commercial information (transaction history).

16.2. We Do Not Sell Your Personal Information

We do not sell your personal information to third parties as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising.

16.3. Your Rights

You have the right to: know what personal information we collect; request deletion of your personal information; request correction of inaccurate information; and not be discriminated against for exercising your rights. To exercise these rights, contact us at privacy@delph-ai.org.

17. Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us:

PurposeContact
Privacy inquiries and data subject requestsprivacy@delph-ai.org
Legal inquirieslegal@delph-ai.org
Security vulnerability reportssecurity@delph-ai.org
General supportsupport@delph-ai.org

Mailing address: Mexico