Privacy Policy
Effective date: 18 May 2026 · Last updated: 18 May 2026
1. Overview
This Privacy Policy explains how PosterVault Ltd (“PosterVault”, “we”, “us”) collects, uses, stores, and shares personal data when you use the PosterVault service, including our website at postervaultiq.com and the authenticated web application (collectively, the “Service”).
For the purposes of the EU and UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act / California Privacy Rights Act (collectively “CCPA”), PosterVault is the data controller (and, for CCPA, the business) for personal data we process about account holders and visitors. When personal data is uploaded about students or third parties by a lab account, the lab acts as a controller and PosterVault acts as a processor on the lab’s behalf under a Data Processing Agreement.
If you do not agree with this Policy, please do not use the Service.
2. Information We Collect
2.1 Account data
- Name and email address (required to create an account).
- Password — stored only as a salted scrypt hash; we never store or transmit your plain-text password.
- Optional profile information: institution, role (Professor or Student), profile image.
- Plan tier (Free, Lab Pro, Institution) and subscription expiry date.
- OAuth identifiers if you sign in with Google: provider account ID, access token, refresh token, ID token, scope, and expiry. We use these only to authenticate you to PosterVault.
2.2 Content data
- Research posters you or your collaborators upload (PDF or PPTX files, up to 100 MB each).
- Poster metadata: title, tags, year, programme level (Undergraduate, Masters, PhD, Postdoc, Faculty), version, and status.
- Submitter identity — student name and email, where the lab’s invite settings require it.
- Comments and replies posted on posters or subfolders.
- Invite link configuration (expiry, anonymous-submission toggle, comments toggle).
2.3 AI-derived data
When posters are processed by our AI features we generate and store derived content: summaries, methods extracts, findings extracts, key points, themes, emerging trends, and portfolio- or subfolder-level insights. This derived content is stored alongside the source poster and is visible to authorised users of the same lab portfolio.
2.4 Payment data
Billing is processed by Stripe. We store only a Stripe customer identifier on our servers — we do not see or store card numbers, CVCs, or full billing addresses. Stripe’s own privacy notice governs the data they collect at checkout.
2.5 Session and security data
- NextAuth session tokens (an essential cookie that keeps you logged in).
- Password-reset, email-verification, and invite tokens — stored as hashes, with short expiries (60 minutes for password reset, 7 days for invites).
- IP address, user-agent, and timestamps for login and security-relevant actions, used for fraud and abuse prevention.
2.6 Information we do not collect
We do not currently use third-party analytics, advertising, or tracking SDKs (no Google Analytics, no Segment, no Mixpanel, no advertising pixels). If this changes we will update this Policy and surface a consent mechanism where required.
3. How We Use Information
- To create and secure your account and authenticate you.
- To host, organise, and display posters and comments per your settings.
- To generate AI summaries, themes, and trend analyses across the poster, subfolder, and portfolio levels.
- To deliver transactional email — invitations, password resets, comment notifications.
- To process subscription payments through Stripe.
- To detect and respond to fraud, abuse, and service-integrity issues.
- To comply with applicable legal, tax, and accounting obligations.
- To communicate service announcements and material changes to this Policy.
4. Legal Bases (GDPR Article 6)
- Performance of a contract — to provide the Service you signed up for, including hosting, AI analysis, and billing.
- Legitimate interests — to keep the Service secure, detect abuse, and improve features. We balance these interests against your rights and freedoms.
- Consent — for optional features and for OAuth sign-in. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
5. AI Processing
Poster content (PDF / PPTX) is sent to OpenAI’s API for the purpose of generating summaries, methods, findings, themes, and other analyses. OpenAI acts as a sub-processor. Under OpenAI’s API terms in effect on the date above, content submitted via the API is not used to train OpenAI’s models. You can avoid AI processing by not uploading content; AI features are not used on data outside the posters you upload.
AI output is best-effort and may contain inaccuracies. Do not rely on AI output for clinical, regulatory, grant-submission, or other high-stakes decisions without independent verification by a qualified human.
6. Sub-processors and Data Sharing
We share personal data only with the sub-processors required to deliver the Service:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | AI analysis of poster content | Poster files and titles | United States |
| SendGrid (Twilio) | Transactional email delivery | Email address, name, message body | United States |
| Stripe | Subscription billing | Email, billing identifiers | United States / EU |
| DigitalOcean | Managed PostgreSQL and object storage (Spaces) | All account, content, and AI-derived data at rest | Canada (Toronto region) |
We do not sell personal data and we do not share it with advertisers. We may disclose personal data when required by law, to enforce our Terms of Service, or to protect the rights, property, or safety of PosterVault, our users, or the public.
7. International Data Transfers
Your data is primarily stored on infrastructure located in Canada, a jurisdiction the European Commission has determined provides an adequate level of data protection for commercial organisations subject to PIPEDA. For transfers to sub-processors in the United States, we rely on Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) together with supplementary technical and organisational measures.
8. Data Retention
- Account data is retained while your account is active and for up to 30 days after a deletion request, after which it is purged from primary systems.
- Posters and comments are retained until deleted by you or until the lab account is closed.
- Authentication tokens are retained only until used or expired (60 minutes for password reset, 7 days for invites, configurable per invite).
- Backups follow a rolling 30-day window; deleted data persists in backups for up to 30 days before being overwritten.
- Billing records are retained for the period required by applicable tax and accounting law (typically 6–7 years).
9. Your Rights
9.1 GDPR / UK GDPR rights
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate or incomplete data.
- Request erasure (the “right to be forgotten”).
- Request restriction of processing in certain circumstances.
- Object to processing based on legitimate interests.
- Request portability of data you provided to us, in a structured machine-readable format.
- Withdraw consent at any time, where consent is the basis for processing.
- Lodge a complaint with a supervisory authority — the UK Information Commissioner’s Office (ICO) or your local EU/EEA data protection authority.
To exercise these rights, email privacy@postervaultiq.com. We respond within 30 days; we may extend by up to two further months for complex requests and will tell you if we do.
9.2 CCPA / CPRA rights
If you are a California resident you have the right to:
- Know what categories and specific pieces of personal information we have collected.
- Know the sources, purposes, and categories of third parties we share data with.
- Delete personal information, subject to permitted exceptions.
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA.
- Limit the use and disclosure of sensitive personal information.
- Non-discrimination for exercising your rights.
Submit verifiable CCPA requests by emailing privacy@postervaultiq.com. You may designate an authorised agent to make a request on your behalf — we will ask the agent for written proof of authorisation and may verify your identity separately.
10. Children’s Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data without parental consent, contact us and we will delete it.
11. Cookies and Local Storage
We use a single essential session cookie set by our authentication library (NextAuth) to keep you logged in. We do not currently use advertising, analytics, or cross-site tracking cookies. Because all cookies we set are strictly necessary, we do not display a cookie consent banner. If we add non-essential cookies in the future we will obtain consent where required and update this Policy.
12. Security
We protect personal data with industry-standard safeguards including TLS encryption in transit, scrypt password hashing, signed and short-lived object-storage URLs, principle of least privilege for internal access, and segregation between environments. No system is perfectly secure; if you suspect a vulnerability or breach, email privacy@postervaultiq.com. Per GDPR Article 33 we notify the appropriate supervisory authority within 72 hours of becoming aware of a qualifying personal-data breach, and affected data subjects without undue delay where required.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email to account holders and by a notice on the Service. The “Last updated” date at the top of this page reflects the most recent revision.
14. Contact
Questions about this Policy or the data we hold about you?
- Privacy & data-subject requests: privacy@postervaultiq.com
- General contact: hello@postervaultiq.com
- Data Protection Officer: to be appointed; reachable at the privacy address above.
- EU/UK representative under GDPR Art. 27: to be appointed before EU/UK launch.