Seerai LogoSeerai
FeaturesPricingDocumentationGitHub
On this page

Jump to section

  • 1. Overview and scope
  • 2. Who is the data controller
  • 3. Information we collect
  • 4. How we use information
  • 5. Legal basis for processing (GDPR)
  • 6. Sub-processors and third-party services
  • 7. AI providers, your content, and training
  • 8. Cookies and similar technologies
  • 9. Data retention
  • 10. Security
  • 11. International data transfers
  • 12. Your rights
  • 13. California residents (CCPA/CPRA)
  • 14. EEA, UK, and Swiss residents (GDPR/UK GDPR)
  • 15. Children
  • 16. Changes to this policy
  • 17. Contact us

Privacy Policy

This policy explains what personal information Seerai collects, why we collect it, who we share it with, and what rights you have. It applies to seerai.amayx.com and our hosted services.

Effective: July 8, 2026Last updated: July 8, 2026Version: 2.0
Plain-language summary. Seerai is a research tool. For our hosted service we store your account email, name, payment receipts, encrypted API keys you provide for AI providers, conversation transcripts you create in our hosted agents, and technical logs. We do not store the PDFs or papers in your Zotero library — those stay on your machine. We do not train AI models on your data and we do not sell your personal information. We share data only with the sub-processors needed to run the service, listed in section 6.

§1Overview and scope

This Privacy Policy (“Policy”) describes how Seerai (“Seerai”, “we”, “us”, or “our”) collects, uses, discloses, and retains personal information when you:

  • Visit our website at seerai.amayx.com and any subdomain we control;
  • Create an account, sign in, or use the Seerai hosted dashboard or API at api.seerai.amayx.com;
  • Purchase credits, subscriptions, or other paid features from us; or
  • Communicate with us by email, support channels, or social media.

This Policy does not cover:

  • The open-source Seerai Zotero plugin distributed under the MIT License. When you run the plugin from source against your own local API keys, no personal information reaches us.
  • Third-party services we link to but do not operate, including the AI providers you choose to send requests to.

§2Who is the data controller

The data controller for the personal information described in this Policy is Dr Alk (sole proprietor), operating as Seerai, reachable at:

Email: privacy@amayx.com
Registered email for legal notices: admin@amayx.com
Postal address: [Entity registered address on file — request via email for the current address]

If we engage a sub-processor that independently determines the purposes and means of processing your personal information, that sub-processor acts as its own data controller. For example, PayTabs processes your payment-card data as an independent controller under its own privacy policy.

§3Information we collect

We collect the minimum information needed to operate the service securely and to bill you accurately. The categories below are organized so they map directly to the disclosures required by the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA).

A. Information you give us directly

CategoryExamplesSource
IdentifiersEmail address, display name, user ID assigned at sign-upAccount creation, magic-code sign-in
Account settingsNotification preferences (email/in-app), credit-warning thresholdsDashboard settings page
Support contentMessages and attachments you send to our support email or chatWhen you contact us
Payment identifiersName, billing email, country code, last four digits of the payment instrument (full card numbers never reach our servers)PayTabs checkout flow

B. Information we collect automatically

CategoryExamplesPurpose
Technical identifiersIP address, request timestamps, request IDsRate limiting, abuse prevention, fraud detection
Device & browser metadataUser-Agent string, screen sizeDiagnostic logs and responsive layout
No behavioural analyticsWe do not deploy Google Analytics, Meta Pixel, Plausible, PostHog, Sentry, Mixpanel, or any other analytics or session-replay tool. No advertising pixels are loaded.Privacy by default

Cookies and similar technologies

See our dedicated Cookie Policy for the complete list. We use only strictly-necessary cookies — those required to keep you signed in and to protect against forged requests.

C. Information you create in the hosted service

  • Conversations and messages with hosted agents: stored on our database so you can review history. You can delete a conversation at any time; we delete the underlying messages within 30 days after you delete the conversation.
  • Agent definitions: name, system prompt, model choice. These are your content and you can delete them at any time.
  • Encrypted AI provider keys: when you supply your own OpenAI/Anthropic/Mistral/etc. key through our dashboard we encrypt it with AES-256-GCM at rest using a server-side secret. The plaintext is held in memory only for the duration of a single API call to the upstream provider.

D. Information we do not collect

  • The contents of your Zotero library — PDFs, annotations, notes, tags stored in Zotero. These are fetched in real time from your local Zotero client (or the Zotero web API, depending on your configuration) and are not uploaded to Seerai.
  • The full text of prompts and completions for the open-source plugin when you point it at your own API keys with the network proxy disabled.
  • Government identifiers (SSN, national ID), payment card numbers, biometric data, health information. You should not provide any of these to us.

§4How we use information

We use personal information for the following purposes:

  1. Provide the service: authenticate you, route API requests to the right AI provider, deduct credits, sync state across your devices, deliver conversation history.
  2. Process payments and prevent fraud: create and reconcile PayTabs transactions, detect anomalous login patterns, enforce rate limits.
  3. Communicate with you: send transactional emails (sign-in codes, receipts, payment failures, credit-balance warnings when you opt in), and respond to your inquiries.
  4. Maintain and improve the service: diagnose outages, debug errors, understand feature usage from aggregated, non-identifying server logs. We do not build user profiles and we do not use third-party analytics.
  5. Comply with law and enforce our terms: respond to lawful requests, investigate violations of the Terms of Service.

We do not:

  • Sell personal information for money or other value.
  • Share personal information for “cross-context behavioural advertising” (CCPA “sharing”).
  • Train, fine-tune, or otherwise use your content to improve any AI model. Your prompts and completions are passed through to the AI provider you choose and back to you — we do not retain them for training.

§5Legal basis for processing (GDPR)

For residents of the European Economic Area, the United Kingdom, or Switzerland, Article 6 of the GDPR requires a lawful basis for each processing activity. We rely on the following bases:

Contract (Art. 6(1)(b))
To create and maintain your account, deliver the API and dashboard you have signed up for, deduct credits, and process recurring subscription payments.
Legitimate interests (Art. 6(1)(f))
To keep the service secure (rate limiting, fraud detection, audit logs), prevent abuse, debug errors, and respond to support requests. We balance these interests against your rights and freedoms and offer you the controls in section 12.
Legal obligation (Art. 6(1)(c))
To retain transaction records for tax and accounting obligations (typically 7 years), and to comply with lawful government requests.
Consent (Art. 6(1)(a))
For any optional processing where we ask, including marketing emails beyond the strictly transactional set, and any future non-essential cookies. You can withdraw consent at any time without affecting prior processing.

§6Sub-processors and third-party services

To run the service we share limited categories of personal information with the following sub-processors. We list only those that actually receive personal information. Each is bound by a data-processing agreement that restricts use to the agreed purposes.

Sub-processorWhat they processWhereWhy
InstantDB, Inc.
(database)
Account profile, encrypted AI provider keys, conversation messages, agent definitions, transaction records, plugin session tokensUnited StatesPrimary application database
Cloudflare, Inc.
(Workers & R2)
All request bodies and responses passing through our hosted API and dashboard, IP addresses, edge logs (retention configured at the Cloudflare account level)Global edge (US default)Hosting the Next.js application, edge caching, denial-of-service protection
PayTabs (Saudi Arabia)Name, email, country, IP address, payment instrument data (card numbers are tokenized and never stored on our servers)Saudi Arabia (transaction processing); regional processing nodes for accepted payment methodsProcess credit-pack and subscription payments in SAR and other supported currencies
Email delivery provider
(for magic-code auth and receipts)
Recipient email, message body, bounce & delivery-status metadataUnited StatesDeliver sign-in codes, payment receipts, account notifications
AI providers (only when you send a request that selects them)The prompt you submit and the model provider you select; the response is returned to you. Routing decisions, token counts, and aggregated cost are recorded in our database.Provider’s own region (typically US or EU)Forward your request to the AI model you have chosen

If we engage a new sub-processor that handles personal information, we will update this list at least 30 days before the sub-processor begins processing, and notify active subscribers by email. Continued use of the service after the effective date of any update constitutes acceptance of the updated processing; you may object or close your account as described in section 12.

Linked third-party services (not sub-processors)

The Zotero plugin can connect to third-party services such as Google Drive and Box via an OAuth proxy we operate. When you initiate a connection, the OAuth provider processes your authorization under its own privacy policy. We never see your Google or Box password.

§7AI providers, your content, and training

The Seerai service is a thin routing layer between you and the AI provider you select. Important consequences:

  • Your content is forwarded to your chosen AI provider. When you send a chat message or run an extraction, the request is sent to the provider you selected. That provider’s privacy policy then applies to that request.
  • We do not train models on your content. We do not fine-tune, embed, or otherwise use your prompts, documents, or completions to improve any AI model. The only AI-related processing we do is forwarding, metering, and billing.
  • Your content stays in your control. You can delete conversations, agents, and provider API keys at any time from the dashboard. Deletion removes the data from active systems within 30 days (see section 9).
  • Choose providers that match your jurisdiction.For sensitive academic work, consider using a provider with a data-residency option or a self-hosted model (Ollama, LM Studio) so nothing leaves your device.

Each provider’s data-handling practices are described in its own policy. Common providers include OpenAI, Anthropic, Google (Gemini), Mistral, Groq, Together AI, and any OpenAI-compatible service you configure.

§8Cookies and similar technologies

We use only strictly-necessary cookies. Detailed list with names, purposes, and durations is in our Cookie Policy.

§9Data retention

We retain personal information only as long as needed for the purposes described in this Policy, then delete or irreversibly anonymize it.

CategoryRetention periodBasis
Account profileUntil you delete the account + 30 daysService operation
Encrypted AI provider keysUntil you delete or rotate the keyService operation
Conversation messages & agentsWhile the account is active; purged within 30 days of account deletionService operation
Transaction records (payment receipts)7 yearsTax & accounting law
API usage logs (token counts, model, cost)24 monthsBilling reconciliation, fraud detection
Edge access logs (IP, request path)Up to 30 days at Cloudflare (controlled by our Cloudflare account retention configuration)Security & abuse prevention
Plugin session tokensUntil token expiry or logoutAuthentication
Support emails24 months after last contactService improvement

Aggregated, non-identifying analytics (for example, “the average number of chat requests per user per month”) may be retained indefinitely.

§10Security

No system is perfectly secure, but we apply defence-in-depth measures appropriate to the sensitivity of the data we hold:

  • All traffic is served over HTTPS using TLS 1.2 or higher (Cloudflare edge terminates TLS; we use HSTS).
  • AI provider API keys are encrypted at rest with AES-256-GCM. Plaintext keys are held in process memory only for the duration of a single request.
  • Authentication for the hosted API uses bearer tokens derived from a per-session secret; the secret hash is stored, not the secret itself. Tokens can be revoked at any time from the dashboard.
  • Admin operations require a separate admin role and are logged.
  • Access to production databases and secrets is restricted to named operators; rotation keys are stored in our deployment platform’s secret store.
  • We maintain a process to investigate and notify affected users of security incidents as required by applicable law (including the 72-hour GDPR breach-notification window).

If you discover a vulnerability, please email security@amayx.com with a description and reproduction steps. We commit to acknowledging reports within five business days.

§11International data transfers

Seerai operates globally. Your personal information may be transferred to and processed in countries other than your own, including the United States, the Kingdom of Saudi Arabia, and any region in which an AI provider routes your requests.

When personal information leaves the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses (the 2021 EU SCCs and the UK International Data Transfer Addendum) with InstantDB, Cloudflare, our email provider, and any future sub-processor.
  • Encryption in transit and at rest, including AES-256-GCM for stored secrets and TLS 1.2+ for all network traffic.
  • Recipient-side controls: we engage only sub-processors that publish an adequacy-aligned privacy and security posture.

You can request a copy of the transfer safeguards that apply to your data by writing to privacy@amayx.com.

§12Your rights

Regardless of where you live, you have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete information;
  • Delete your account and associated personal information (subject to the retention windows above);
  • Export your data in a machine-readable format (a JSON export of your account profile, conversation messages, agent definitions, and transaction history is available on request);
  • Withdraw consent for any processing based on consent, without affecting prior lawful processing;
  • Object to processing based on legitimate interests;
  • Complain to your local data-protection authority.

To exercise any right, email privacy@amayx.com from the email address on your account. We respond within 30 days (45 days for complex requests, with an explanation of the delay). We will not charge for exercising your rights unless a request is manifestly unfounded or excessive.

§13California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act, or “CCPA/CPRA”) gives you the following rights:

  • Right to know what categories of personal information we collect, the categories of sources, the business or commercial purposes, and the categories of third parties to whom we disclose it. Sections 3, 4, and 6 of this Policy provide that disclosure.
  • Right to delete personal information we have collected from you, subject to the exceptions in CCPA §1798.105(d) (for example, completing the transaction, detecting security incidents, complying with a legal obligation).
  • Right to correct inaccurate personal information (CCPA §1798.106).
  • Right to limit the use of sensitive personal information. We do not collect “sensitive personal information” as defined under CCPA, so this right is generally not applicable.
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising. No action is required to opt out.
  • Right to non-discrimination for exercising any of the above rights.

Notice of collection at collection (CCPA §1798.100(b)): The categories of personal information we collect, the purposes for which we collect it, and whether we sell or share it are described in sections 3, 4, and 6 of this Policy. We do not collect sensitive personal information.

Categories of personal information collected in the preceding 12 months: identifiers (email, user ID, IP address), commercial information (transaction records, credit balance), internet-activity information (request logs), and inferences (rate-limit decisions, fraud signals).

How to submit a verifiable consumer request: Email privacy@amayx.com from the email address on your account. We may need to verify your identity before responding. You may designate an authorised agent by following the CCPA regulations (§999.326).

§14EEA, UK, and Swiss residents (GDPR/UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in section 12, plus:

  • Right to lodge a complaint with your local supervisory authority. A list of national data-protection authorities is maintained by the European Data Protection Board at edpb.europa.eu. The UK’s Information Commissioner’s Office is at ico.org.uk.
  • Right to data portability for information you have provided to us based on contract or consent, in a structured, commonly used, machine-readable format (typically JSON).
  • Automated decision-making. We do not subject your account to decisions based solely on automated processing that produce legal or similarly significant effects under Article 22 GDPR.

Our lead supervisory authority will be the authority for the jurisdiction of our registered establishment. Where required by Art. 27 GDPR, we will designate an EU representative before processing EU residents’ personal data on a systematic basis.

§15Children

Seerai is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. Researchers who are minors should use the service only under the supervision of a parent, guardian, or institutional account holder.

If you believe a child has provided us with personal information, please contact us at privacy@amayx.com so we can delete it.

§16Changes to this policy

We may update this Policy. When we do, we will revise the “Last updated” date above and, for material changes, notify active subscribers by email at least 30 days before the new Policy takes effect. Material changes include adding a new sub-processor, expanding the categories of personal information collected, or changing the purposes of processing.

The previous version of this Policy is available on request.

§17Contact us

Questions, complaints, or rights requests: privacy@amayx.com
Legal notices: admin@amayx.com
Security disclosures: security@amayx.com

We aim to respond to every privacy-related enquiry within 30 days. If we cannot, we will tell you why and what to do next.

Document version 2.0 · Effective July 8, 2026 · Supersedes all earlier versions.

Print or save as PDF
Seerai LogoSeerai

AI-powered research assistant for Zotero. Transform your academic workflow with intelligent chat, semantic search, and data extraction.

Product

FeaturesPricingChangelogDownloads

Resources

DocumentationAPI ReferenceGitHubGuides

Company

AboutBlogContactCareers

Legal

Privacy PolicyTerms of ServiceRefund PolicyCookie Policy

© 2026 Seerai. All rights reserved.

Made with ❤️ for researchers worldwide