Privacy Policy
Last updated: February 25, 2026 · Effective: February 25, 2026
⊕ Your Privacy at a Glance
✓ What we use your data for
- Save your protocol drafts and let you return to them
- Generate AI-powered reviews (opt-in, costs credits)
- Process credit purchases securely via Stripe
- Send account and receipt emails via Resend
- Improve the wizard and diagnose technical errors
✗ What we NEVER do
- Sell, rent, or trade your personal data
- Store your credit card number or CVV
- Share your protocol content with other users
- Use your content to train AI models
- Use advertising or cross-site tracking scripts
🔒 How we protect your data
- TLS encryption for all data in transit
- AES-256 encryption at rest (AWS/Supabase)
- Row-level security — your data is yours alone
- API keys server-side only, never in the browser
- Stripe webhook signature verification on payments
👤 Your rights — always available, no questions asked
Email hello@symbioticscholar.com — we respond within 30 days.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and password (bcrypt-hashed — never stored in plain text). We also record your role (researcher, faculty, student) and institutional affiliation if provided.
Research Protocol Content
IRBWiz stores the answers you enter across the 10-step wizard, including: study title, research objectives, participant population, inclusion/exclusion criteria, recruitment strategies, procedures, risks and benefits, data security measures, and consent form language. This content is stored so you can return to drafts and retrieve generated documents.
⚠ Sensitive Research Data Notice
IRB protocols often describe research involving vulnerable populations, medical or psychological procedures, or sensitive topics. Do not enter real participant names, identifying information, or PHI (Protected Health Information) into the wizard. Describe participant characteristics in general research terms only.
AI Review Inputs
When you request an AI-powered review (which costs credits), your protocol content for that step is transmitted to Anthropic's Claude API for analysis. See Section 4 for details on what is shared and how it is handled.
Usage and Analytics Data
We collect standard server-side logs: pages visited, features used, study types submitted, AI review requests made, and error events. This data is used to improve IRBWiz and diagnose issues. We do not use third-party browser analytics scripts or advertising trackers.
Payment Information
Credit purchases are processed by Stripe, Inc. We never receive, store, or process your full credit card number, CVV, or banking credentials. We receive from Stripe: payment confirmation, transaction amount, and session metadata (user ID, credit quantity) for fulfillment.
Contact Form Submissions
If you contact us via the contact form, we collect your name, email, and message content in order to respond. These are stored in our database and not shared with third parties.
2. How We Use Your Information
- Provide the IRBWiz service: storing your protocol drafts, generating documents, and presenting AI-powered review feedback
- Process credit purchases and maintain your credit balance and purchase history
- Send transactional emails: account confirmation, password reset, purchase receipts, and support responses — via Resend, Inc.
- Detect fraud, abuse, and security incidents
- Improve the wizard logic, document templates, and AI review prompts
- Respond to your support requests and contact form messages
We do not sell, rent, or trade your personal information or protocol content to third parties for marketing or commercial purposes.
3. FERPA, HIPAA & Human Subjects Research
IRBWiz serves academic researchers at universities subject to FERPA. IRB protocols may involve descriptions of student participants, educational records research, or health-related studies.
FERPA
IRBWiz does not access official student educational records from your institution. Any student-related data you enter is submitted voluntarily by you as a researcher describing your study design — not sourced from institutional records. If your research involves student educational records, your institution's IRB and FERPA compliance officer should be consulted before submission.
HIPAA
IRBWiz is not a HIPAA-covered entity and is not designed to store Protected Health Information (PHI). If your research involves health data, describe it in de-identified research terms within the wizard. Do not enter actual patient records, medical record numbers, or other PHI. Your institution's IRB and privacy officer should guide you on HIPAA compliance for health research protocols.
Research Participant Privacy
Participant privacy is the core purpose of IRB oversight. We design IRBWiz to support that mission: your protocol data is isolated per user account, protected by row-level security, and never shared with other researchers on the platform.
4. Artificial Intelligence & Third-Party Services
Anthropic, Inc. (Claude AI)
When you trigger an AI review (per-section or comprehensive), the relevant protocol content for that step is sent to Anthropic, Inc. via their API. Anthropic processes this data to generate the review feedback you see. Key points:
- We send only the protocol content fields relevant to the step being reviewed — not your name, email, or institution
- We do not use your protocol content to train AI models
- Anthropic's data usage is governed by their Privacy Policy
- AI-generated reviews are advisory only — they do not constitute IRB review or approval
Supabase, Inc. (Database & Authentication)
All user account data, protocol drafts, credit balances, and purchase records are stored in a Supabase-managed PostgreSQL database hosted on AWS infrastructure in the United States. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security policies ensure that each user can only access their own data.
Stripe, Inc. (Payments)
All payment processing is handled by Stripe. Your payment card data goes directly to Stripe's PCI-compliant systems and is never transmitted to or stored by IRBWiz. Stripe's Privacy Policy governs your payment data.
Resend, Inc. (Email Delivery)
Transactional emails (account confirmation, password reset, receipts) are sent via Resend. Your email address is shared with Resend solely to deliver emails you have triggered. Resend does not receive your protocol content.
Vercel, Inc. (Hosting & Edge Network)
IRBWiz is deployed on Vercel's infrastructure. Standard HTTP request data (IP addresses, request paths, response times) passes through Vercel's servers for routing and CDN purposes.
5. Data Sharing
We share your information only in these circumstances:
- Service providers — as described in Section 4, with the minimum data necessary for each to perform their function
- Legal compliance — if required by applicable law, subpoena, court order, or governmental authority
- Business transfer — in connection with a merger, acquisition, or sale of assets, with advance notice to users
- Safety — to prevent imminent harm to a person or property where disclosure is legally permitted
We do not share your protocol content with other IRBWiz users, your institution, or any IRB without your explicit action (e.g., downloading and submitting documents yourself).
6. Data Retention
We retain your account and protocol data for as long as your account remains active. If you request account deletion, we will delete or anonymize your personal data and protocol content within 30 days, except:
- Stripe transaction records, which are retained for 7 years for financial compliance
- Aggregated, anonymized usage statistics that cannot be traced back to you
- Data we are required to retain by applicable law
7. Your Rights & Choices
You have the right to:
- Access — request a copy of the personal data we hold about you
- Correct — update your name or email via account settings
- Delete — request deletion of your account and all associated protocol data
- Export — request a portable copy of your data
- Opt out of AI review — AI reviews are opt-in and credit-gated; you may choose not to use this feature
- CCPA (California) — California residents may request disclosure of personal data categories collected and shared, and may opt out of the sale of personal data (we do not sell personal data)
- GDPR (EU/EEA) — if you are located in the EU or EEA, you have rights to access, rectification, erasure, restriction, portability, and to object to processing
To exercise any of these rights, email hello@symbioticscholar.com. We will respond within 30 days.
8. Security
IRBWiz implements multiple layers of protection:
- TLS encryption for all data in transit
- AES-256 encryption for data at rest (Supabase/AWS)
- Row-level security on all database tables — no user can access another user's data
- API keys (Anthropic, Stripe, Supabase service role) are server-side only, never exposed to the browser
- Stripe webhook signature verification to prevent fake payment events
- bcrypt password hashing — plaintext passwords are never stored
No system is 100% secure. If you believe your account has been compromised, contact us immediately at hello@symbioticscholar.com.
9. Cookies
IRBWiz uses only essential cookies for authentication session management (Supabase JWT tokens). We do not use advertising cookies, cross-site tracking cookies, or third-party analytics scripts. You cannot opt out of essential authentication cookies without losing the ability to stay logged in.
10. Children's Privacy
IRBWiz is designed for university-level researchers, faculty, and graduate students. We do not knowingly collect personal information from anyone under the age of 18. If we discover that a minor has created an account, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and will update the date at the top of this page. Continued use of IRBWiz after changes take effect constitutes acceptance of the revised policy.