Privacy statement
This statement describes how Commonscience (“we”) handles personal information when you use our websites, sign-in flows, and GUIDE (invite-only during preview).
Who we are
Commonscience builds research infrastructure. Product and commercial services are operated by Commonscience (for-profit; incorporation in progress). Public-good programs are planned under Commonscience Foundation.
Privacy contact: privacy@commonscience.co
What we collect
- Account and sign-in: email address, identity-provider subject identifier, and session metadata from Cloudflare Access (Google, Microsoft, GitHub, or one-time PIN as configured).
- Waitlist: email address and optional source metadata you submit on commonscience.co.
- Product use: account membership, roles, and workspace metadata stored in our application database. Research content you create in GUIDE is customer data, not telemetry.
- Site operation: standard server and security logs (IP address, user agent, timestamps) retained for a limited period.
What we do not collect
- We do not use customer research content to train third-party AI models.
- We do not sell personal information.
- We do not run cross-context behavioral advertising on the marketing site during preview.
Why we use it
- Authenticate users and enforce invite-only access.
- Operate, secure, and improve the service.
- Respond to waitlist and support requests.
- Meet legal and contractual obligations.
Processors
We use subprocessors to run the service, including Cloudflare (hosting, Access, D1 database) and email providers for transactional mail. Identity authentication is performed by the identity provider you choose at sign-in.
Retention
Operational logs: approximately 30 days unless required longer for security investigation. Account data: retained while your account is active and deleted or anonymized within 90 days of a verified deletion request, subject to backup cycles.
Your rights
Depending on your location, you may request access, correction, deletion, or export of personal information we hold about you. Email privacy@commonscience.co. We respond within 30 days.
We do not sell personal information. California residents: we honor applicable opt-out rights; we do not sell or share personal information for cross-context behavioral advertising.
Security
Traffic is encrypted in transit. Access to production systems is restricted. We do not claim HIPAA Business Associate status, FedRAMP authorization, or SOC 2 certification unless separately agreed in writing.
Children
Our services are not directed to individuals under 16.
Changes
We may update this statement. Material changes will be posted here with a revised effective date.