CITESCOUT PRIVACY POLICY
Last Updated: 2026-03-05
Effective Date: 2026-03-05
1. Introduction
This Privacy Policy (“Policy”) describes how Neurogenesis Ltd. (“Company”, “Neurogenesis”, “we”, “us”, “our”) collects, uses, and shares the personal information of users of the CiteScout application, located at https://citescout.app (the “Site”), and its associated products and services (together, the “Services”). This Policy applies to personal information we collect through the Site, our Services, and any personal information you provide to us directly.
CiteScout is a local-first application. This means that while we provide global cloud synchronization to enable full cross-device drafting and persistence, your primary data interaction happens on your own device. By using the Site or the Services, you accept the practices described in this Policy. If you do not agree, please do not use the Site or the Services.
2. Personal Information We Collect
We collect information to provide, secure, and improve Neurogenesis Services. Because CiteScout operates on a local-first architecture, much of your data is stored on your device before being fully synced to our infrastructure.
Information You Provide Directly
General & Professional Identifiers: Through our authentication provider, WorkOS, we collect your account ID, name, email address, and (if applicable) employment, organizational, or Single Sign-On (SSO) identifiers used to create or authenticate your account.
User Content: We collect the data you enter into the Services (including, but not limited to, paper titles, abstracts, and drafting prompts) and other content generated in the process of using the Services (such as reports, forecasts, analytics, or other generated data). This data is stored locally in your browser and fully synced to our backend to allow cross-device usage and ensure persistence across browser cache wipes.
Consent Metadata: We track your acceptance of this Privacy Policy and our Terms of Service. This metadata is attached securely to your user account object.
Feedback & Communications: If you contact us for support, provide product feedback, or communicate with us in any other way, we collect the information you choose to share in those communications.
Additional Information Interactions: If you choose to interact on the Site or through the Services (such as by registering; using our Services; entering into agreements with us; or requesting information from us), we will collect the personal information that you provide. We may collect personal information about you that you provide through telephone, email, or other communications. If you provide us with personal information regarding another individual, please do not do so unless you have that person’s consent to give us their personal information.
Information Collected Automatically
Device & Connection Data: We use third-party infrastructure, including Cloudflare, to host, secure, and optimize our Services. These services automatically log certain information to verify legitimate API requests and protect against spoofing, bot access, and cyberattacks. This includes your IP address, browser type, operating system, and general geographic location.
Cookies: We use cookies primarily to store an encrypted session token provided by our authentication provider. This allows us to securely verify your identity on every backend request and gate access to your synced data.
Local Browser Storage (IndexedDB): We use local browser storage databases to locally store your User Content and your associated User ID. This ensures the app functions offline, allows for seamless cross-device drafting, and verifies that the local data matches the currently authenticated account.
Analytics Information: We may use analytics services to analyze how users interact with the Site and Services, such as time spent on a page or interacting with a certain element. These services may collect data regarding the time-course of interactions with the Site or Services, pages viewed, storage utilization, and referring websites. We use the information we get from these analytics services only to improve our Site and the Services. This process does not use cookies, does not store any data on your device, and does not collect any personal information or persistent identifiers. All data is fully aggregated and anonymized to protect your privacy.
3. How We Use Your Personal Information
Subject to this Privacy Policy, our Terms of Service, and applicable terms and conditions of third-party applications, you retain ownership of all User Content you enter or generate through the Site and Services. However, we retain a license to store and serve this content to provide the service to you.
Machine Learning and AI: We do not use your data to train Machine Learning or AI models.
Service Delivery: For the purposes for which you specifically provided it to us, including, without limitation, to enable us to process and fulfill your requests or provide the Services to you.
Personalisation: To provide you with a personalised experience when you use the Site or by delivering relevant Site content.
Communications: To provide you with effective customer service, and to send you information about your relationship or transactions with us.
Persistence & Syncing: To persist your User Content across potential browser cache wipes and provide cross-device access. Your synced data is stored securely using our provider's global edge storage infrastructure. Access to this backend is strictly gated; our system verifies your session cookie on every request before granting access to the database associated with your specific User ID.
Inference & AI Processing: User Content submitted for analysis is processed ephemerally via custom models hosted by third-party compute providers.
Security & Integrity: Connection data and IP addresses are used to maintain infrastructure security, perform security audits, and train systems to detect unauthorized access. We may retain these specific security logs (including IP addresses) for up to 1 year.
Marketing: We may use your email address to send you Service-related communications, promotional materials, or other information we believe will be of interest to you. You may opt out of marketing communications at any time by following the unsubscribe instructions provided in those emails.
Compliance & Protection: We may use your personal data to comply with applicable laws; respond to lawful requests and legal process; protect our, your, and others' rights, privacy, safety, and property (including making and defending legal claims); prevent fraudulent, unauthorized, or illegal activity; audit our internal processes for compliance with legal and contractual requirements and internal policies; and enforce the terms of this Privacy Policy and/or our Terms of Service.
Additional uses: We may also use personal information for other purposes consistent with this Privacy Policy or that are explained to you at the time of collection of your personal information.
4. How We Share Your Personal Information
We do not sell your personal information. We disclose personal information only to the following specific sub-processors and entities necessary to operate our business:
WorkOS: Used for identity verification, organizational SSO authentication, session management, and storing user consent metadata. View WorkOS’s Privacy Policy at: https://workos.com/legal/privacy
Cloudflare: Used for Edge hosting, bot protection, and global data syncing. User Content is stored securely within their cloud infrastructure. View Cloudflare’s Privacy Policy at: https://www.cloudflare.com/privacypolicy/
Modal: Used for AI inference. Applicable User Content is securely routed here for forecasting and processing, subject to their respective data handling policies. View Modal’s Privacy Policy at: https://modal.com/legal/privacy-policy
Polar: Used for billing and subscriptions. Payment processing is handled via a secure redirect; Neurogenesis Ltd. does not store your payment or credit card information on our servers. View Polar’s Privacy Policy at: https://polar.sh/legal/privacy-policy
Professional Advisors: We may share data with our lawyers, accountants, or other outside advisors in the course of the services they provide to us.
Corporate Restructuring: We may share some or all of your personal information in connection with or during negotiation of any merger, financing, acquisition or dissolution, transaction or proceeding involving the sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of an insolvency, bankruptcy, or receivership, personal information may also be transferred as a business asset. If another company acquires Neurogenesis Ltd., our business, or assets, that company will possess the personal information collected by us and will assume the rights and obligations regarding your personal information described in this Privacy Policy.
Legal & Law Enforcement: We may disclose your information if we believe in good faith that such disclosure is necessary to comply with the law, respond to legal process, or protect the rights and safety of Neurogenesis Ltd. or our users.
Third-Party Websites: Our Site may contain links to third-party websites or services. We have no control over, do not review, and cannot be responsible for these outside websites or their privacy practices.
5. Data Residency & International Transfers
Neurogenesis Ltd. is operated from the United Kingdom. However, CiteScout utilizes a global "Edge" architecture to ensure high-speed performance worldwide.
Global Sync: Your User Content stored within our cloud infrastructure will generally be processed in data centers closest to your geographic location. You can learn more about Cloudflare's global network and privacy practices on their official website.
Inference: Data sent for AI processing may be routed to servers located in the United States.
Safeguards: Whenever we transfer personal data outside of the UK, we ensure a similar degree of protection by utilizing approved Standard Contractual Clauses (SCCs) provided by our infrastructure partners.
6. Your Rights & Data Deletion
Under the UK GDPR, you have the right to access, correct, or delete your personal data. You also have the right to opt out of cookies via your browser settings, though doing so may impact the functionality of the Services.
The Right to be Forgotten & Account Deletion: You may delete your account at any time via the CiteScout user dashboard or by contacting us at privacy@ngenesis.co.uk. Because CiteScout operates locally and in the cloud, please note the following deletion sequence:
Online Requirement: You must have an active internet connection to initiate the account deletion process.
The Process: Upon triggering deletion, the Site will immediately flush your local browser storage, flag your cloud-synced data for removal, and permanently delete your identity with our authentication provider.
30-Day Retention Sweep: Once flagged, your cloud data enters a 30-day deletion window. We perform routine, systematic database sweeps that permanently purge flagged data from our backend within this 30-day period.
7. Security Of Your Personal Information
Neurogenesis Ltd. uses reasonable security technologies to protect your data once it leaves your device. Note that User Content stored locally on your device is not encrypted. Our identity provider, WorkOS, handles all sensitive authentication data; Neurogenesis does not store or process your passwords. Your cross-device synced data is protected by strict authentication rules; our backend verifies your encrypted session token prior to granting access to your isolated cloud storage (Cloudflare). Whilst we take the security of your data seriously and use reasonable efforts to protect your personal information, no method of transmission over the internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
8. Children’s Privacy
Our Site and Services are not directed at children under the age of 13. We do not knowingly collect or process personal data from children under 13. If we become aware that we have collected such data without verifiable parental consent, we will take immediate steps to delete it.
9. Do Not Track
We currently do not support the Do Not Track (DNT) browser setting or respond to Do Not Track signals. DNT is a preference you can set in your browser to inform websites that you do not want to be tracked.
10. Updates To This Privacy Policy
We reserve the right to change this Privacy Policy at any time. If we make material changes, we will post the revised version to our website and update the “Effective Date” at the top of this Policy.
11. Contact Us
For any questions regarding this policy or to exercise your data rights, please contact us at:
Neurogenesis Ltd.
Office 14410,
182-184 High Street North,
East Ham, London, E6 2JA
Email: privacy@ngenesis.co.uk
