Privacy Policy

This policy describes what the xRead service at https://www.xread.io (and related xread.io hosts) actually collects and processes when you use the Microsoft Word add-in, the Google Chrome extension (“xRead – Review Assistant”), or our website. Last updated: April 2026.

What xRead is

xRead helps you extract, verify, summarize, and discuss academic references. The Word add-in loads UI from our servers into Word’s task pane. The Chrome extension opens a side panel and can inject a content script on pages you visit so that, when you choose a command, the extension can read the active tab’s DOM to obtain text (for example a selection or page content). We do not upload full documents automatically. Data is sent to our API when you take an action that requires processing (for example running citation tools, chat, grading, or sync).

Data you send to xRead

Depending on the feature you use, requests to our servers may include:

  • Text excerpts from your document or web page (including selections, reference sections, or passages you paste).
  • Structured citation lists, rubric text or uploaded rubric files, and grading-related fields you submit.
  • Chat messages, optional conversation history your client sends, and sometimes an image URL you ask us to consider.
  • Authentication tokens when you are signed in (see “Account data”).

Traffic is sent over HTTPS. Our backend may forward portions of that content to AI providers (today primarily Google Gemini) and to scholarly or search APIs such as OpenAlex, Semantic Scholar, and where configured SerpAPI, solely to fulfill the feature you invoked.

Account data we store

If you create an account, we store typical account records in our database, including:

  • Your email address, a password hash (not your plain password), and session / refresh-token material for secure login.
  • Optional institutional association if your organization provisions xRead.
  • Saved references (“library”): citation strings and related metadata you save to your account.
  • Grading calibration: when you correct AI-suggested scores, we may store rubric titles, scores, rationales, optional short document snippets you supplied as context, and related feedback so we can improve alignment for your account.
  • Rubrics you upload or create: titles, criteria, and any file content you attach may be stored so you can reuse them.
  • Persona and “skills” markdown you configure for Lux / grading, and structured activity events (for example timeline or assistant events) tied to your user id for product features and diagnostics.

The Chrome extension stores your session token in browser local storage so you stay signed in; Word uses the same account system through the hosted task pane.

Chat and “ephemeral” processing

Chat and similar endpoints process the payload you send to return an answer. We do not advertise a separate long-term “chat transcript” product in our database schema; treat chat content as sensitive and avoid pasting legally restricted or highly personal data. Standard server and cloud operational logs may exist for security and reliability and can briefly include request metadata.

Shared literature cache

To reduce duplicate external API calls, we maintain aggregated public scholarly metadata and derived summaries keyed by citation identifiers (for example DOI or normalized title). This cache does not need to retain your full manuscript; it stores reference-level enrichment that may be reused across users.

Local storage on your device

Clients may cache results (for example summaries or UI state) in local storage, IndexedDB, or Office’s host environment so the product feels responsive. Third-party integration keys you choose to store (for example a reference-manager API key) stay on your device unless you explicitly configure otherwise.

Support form

When you use support.html, your name, email, subject, and message are posted to our /api/support endpoint over HTTPS so our team can reply. Handle support messages like email: do not include secrets or full unpublished work unless you accept that we may need to read it to help you.

Retention and deletion

We retain account-linked data while your account exists and as needed for legal or security obligations. To request deletion or export of personal data, email support@xread.io from your registered address where possible.

Third-party services

  • AI and search providers (for example Google, Semantic Scholar, OpenAlex, SerpAPI) act as sub-processors when we call them on your behalf. Review their policies for how they handle API traffic.
  • We do not sell your personal information to advertisers. We use data to run and improve xRead.

Contact

Questions about this policy: support@xread.io.