Privacy Policy
DRAFT (v1.0-draft) — pending legal review. This document is provided for transparency and is not yet legal advice. It will be finalised with counsel before public launch.
Effective date: 26 June 2026
Scinova Group LLP ("ReadNTag", "we", "us", "our") provides the ReadNTag reference-management service at readntag.com, including the web app, the browser extension, and the Microsoft Word add-in (together, the "Service"). This Privacy Policy explains what personal data we collect, why, how we protect it, and the rights you have under Singapore's Personal Data Protection Act 2012 ("PDPA") and, where applicable, the EU/UK GDPR.
1. Who we are
Scinova Group LLP (UEN T23LL1363K) is a Singapore Limited Liability Partnership at 60 Paya Lebar Road, #06-28 Paya Lebar Square, Singapore 409051. We are the data controller for personal data processed through the Service.
Our Data Protection Officer can be reached at dpo@readntag.com.
2. What we collect
- Account data: your email address, display name, and a securely hashed password (we never store
your password in plain text). If you sign in with a third-party provider in future, we receive the basic profile that provider shares.
- Your content: the references, PDFs and other files you upload or capture, plus the metadata,
topics, projects, highlights, notes, snaps, citations, matrices and screening decisions you create.
- Usage data: events needed to run and secure the Service — for example logins, paper views,
exports, and storage used — together with session records (sign-in time and duration) and the IP address and browser/user-agent of your requests.
- Browser-extension data: the extension stores, on your device only, the address of your
ReadNTag backend and an access token you paste in. When you clip a page, it sends that page's bibliographic metadata (such as DOI, title, authors) to your ReadNTag backend.
- Payment data (future): if and when we introduce paid plans, payments are handled by our payment
processor (e.g. Stripe). We do not store full card numbers; we keep only limited billing records.
3. How we use your data
We use personal data to: create and secure your account; store and display your library and annotations; provide features you ask for (capture, enrichment, citation, export, sharing); maintain, debug and improve the Service; prevent abuse and fraud; comply with law; and, where you have agreed, send you service or marketing communications (which you can opt out of at any time).
4. Legal basis / consent
Under the PDPA, we collect, use and disclose your personal data with your consent and for the purposes notified in this Policy. Where the GDPR applies, we rely on: performance of our contract with you (to provide the Service), our legitimate interests (to secure and improve the Service), your consent (e.g. optional analytics or marketing), and legal obligations.
5. Third-party enrichment (what leaves our servers)
To enrich references, the Service may query public scholarly APIs — Crossref, OpenAlex, Unpaywall and PubMed/arXiv. Only identifiers you already have (such as a DOI or title) are sent; we do not send your account details or private notes. These lookups are server-to-server and degrade silently if a provider is unavailable.
6. Sharing & processors
We do not sell your personal data. We share it only with:
- Infrastructure providers that host the Service (e.g. Amazon Web Services) under a data
processing agreement;
- A payment processor (future paid plans);
- An email provider for transactional email (e.g. verification, password reset);
- Authorities, where we are legally required to disclose.
Public reading lists you choose to share expose only bibliographic fields (title, authors, journal, DOI) of the papers in that list — never your annotations, files, or account information — and only while the share link is active.
7. Where your data is stored (cross-border)
Your data is hosted in the United States (AWS us-east-1, N. Virginia). If we process or back up data outside Singapore, we ensure, as required by the PDPA's Transfer Limitation Obligation, that it receives a standard of protection comparable to the PDPA — through our providers' contractual commitments and our own security controls.
8. Retention
We keep your personal data for as long as your account is active and as needed to provide the Service. When you delete your account, we erase your content and personal data from our active systems, except where we must retain limited records to comply with law, resolve disputes, or enforce our agreements. Backups are purged on our routine backup cycle.
9. Your rights
You may, at any time:
- Access & correct your account data in Settings;
- Export your data — download a copy of your references, annotations and account data ("Export my
data");
- Delete your account — request full erasure ("Delete my account");
- Withdraw consent to optional processing (e.g. marketing).
To exercise any right not available in-app, contact dpo@readntag.com. We respond within the timeframe required by law.
10. Security
We protect your data with encryption in transit (TLS) and at rest, access controls, hashed passwords, audit logging, and regular dependency and backup hygiene. No system is perfectly secure, but we work to apply protection reasonable for the sensitivity of the data.
11. Cookies
We use a small number of strictly-necessary cookies and local storage for sign-in and your preferences. See our Cookie Notice.
12. Children
The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect their personal data.
13. Changes
We may update this Policy. Material changes will be notified in-app or by email. The "Effective date" above reflects the latest version.
14. Contact & complaints
Questions or requests: dpo@readntag.com. If you are in Singapore and are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC).