Privacy Policy
Last updated: 10 May 2026
This Privacy Policy explains how Solas (“we”, “us”, “our”) handles your information when you use the Solas Chrome extension (the “Extension”) and the website at solastool.com (the “Site”). It applies to everyone who uses Solas, regardless of where you live.
We’re committed to collecting only what we genuinely need to make Solas work, and to telling you exactly what that is in plain English.
1. Who we are
Solas is operated by an independent developer based in the United Kingdom. You can reach us at support@solastool.com for any privacy-related questions or requests.
For the purposes of UK GDPR and EU GDPR, Solas is the data controller for the personal data described below.
2. What we collect, and why
We only collect the data we need to run the service. There are four categories.
2.1 Account data (when you sign in)
When you click “Continue with Google”, Google sends us:
- Your email address
- Your display name (as shown on your Google account)
- A unique Google account identifier so we can match future sign-ins
We never see, store, or transmit your Google password. Authentication is handled entirely by Google’s OAuth 2.0 flow.
Why we need it: to identify your saved citations, project folders, and subscription status across devices and across sessions.
Lawful basis (UK/EU GDPR): performance of a contract.
2.2 Citation metadata (when you click “Cite this page”)
When you ask Solas to cite a page, the Extension reads a deliberately minimal slice of the page’s HTML — only the metadata needed to build a citation. Specifically:
<meta>tags (Open Graph, Dublin Core, Schema.org, citation_*)- The page’s
<title>and the first<h1>element - JSON-LD structured-data blocks
- The page’s URL and host
- Publication date and author byline (where present)
We do not read the page body, form fields, cookies, browser history, login state, or any other content of the page. We do not screenshot or record your screen.
If you save a citation to your library (Pro feature), the resulting reference text plus the metadata above is stored against your account. If you only copy a citation to your clipboard, nothing leaves your browser.
Why we need it: to format an accurate citation. Saving to your library is optional and only happens with an explicit click.
Lawful basis: performance of a contract.
2.3 Diagnostic data (when you submit feedback)
If you click “Feedback & feature requests” and submit a message, we receive:
- The category you selected (bug, feature, general)
- The message you wrote
- The URL of the page you had open at the time
- The Solas extension version
- Your browser’s user-agent string
Why we need it: to fix bugs and prioritise improvements.
Lawful basis: legitimate interest (improving the service).
2.4 Subscription data (Pro users only)
When you purchase a Pro subscription, our payment processor (Lemon Squeezy — see §4) sends us:
- The fact that you’re an active subscriber
- Your plan (monthly or yearly)
- The renewal date
We do not receive your card number, billing address, or other payment credentials. Those are held by Lemon Squeezy.
Lawful basis: performance of a contract.
3. What we don’t collect
To be unambiguous, Solas does not collect:
- The text content of pages you visit
- Your browsing history beyond the single tab you actively cite
- Cookies or local-storage values from third-party websites
- Form inputs, passwords, or login state on any site
- Your IP address (beyond what is automatically logged at the network layer by our infrastructure providers)
- Any data from sites you have not actively chosen to cite
- Data about you that you have not directly given us
We have no advertising trackers, analytics scripts, or marketing pixels in the Extension or the Site.
4. Who we share data with (sub-processors)
We use a small number of trusted infrastructure providers to operate Solas. They act as our data processors and are contractually bound to the same standards described in this policy.
| Provider | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, server functions | EU-West-2 (London, UK) |
| Google LLC | Sign-in (OAuth 2.0) | Global |
| Lemon Squeezy LLC | Subscription billing & invoicing | United States |
| CrossRef, OpenAlex | Reliability scoring lookups (Pro) | Global, public APIs |
When the Reliability Score (Pro) feature queries CrossRef or OpenAlex, the request is made server-side from our infrastructure — your identity, IP, and account are never disclosed to those APIs.
We never sell your data. We never share it with advertisers or data brokers. We will only disclose it if compelled by valid legal process, and we’ll notify you if we’re allowed to.
5. Where your data is stored
Your account data and saved citations are stored in Supabase’s EU-West-2 region (London, UK). Backups are encrypted at rest.
If you are outside the UK/EU, your data may be transferred to the UK for processing. We rely on the UK ICO’s adequacy regulations or the EU Standard Contractual Clauses for any cross-border transfer.
6. How long we keep your data
- Account data: kept while your account exists. Deleted within 30 days of account deletion.
- Saved citations: kept while you have an active account. You can delete individual citations or whole folders at any time from the Library tab.
- Feedback messages: kept for 24 months for product-improvement purposes.
- Subscription records: kept for 7 years for tax and accounting purposes (UK statutory requirement).
The Phase 2 Citation Auditor (when launched) operates under a strict zero-retention policy — pasted essay text is processed in volatile server memory and discarded immediately. No copy is stored.
7. Your rights
Under UK GDPR, EU GDPR, and similar regimes, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Restrict or object to our processing
- Port your data to another service
- Withdraw consent at any time
To exercise any of these, email support@solastool.com from the email address on your account. We aim to respond within 14 days and will fulfil valid requests within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.
8. Security
Solas uses industry-standard security practices:
- All traffic is encrypted in transit using TLS 1.2+
- Database content is encrypted at rest
- Authentication uses OAuth 2.0 with rotating short-lived JWTs
- Row-level security policies in our database mean even our own server functions can only read your data with your authenticated session token
- We never store your Google password
- Our codebase is reviewed for security vulnerabilities before each release
No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR.
9. Cookies and similar technologies
The Site (solastool.com) uses only essential cookies required for the page to function. We do not use tracking cookies, analytics cookies, or advertising cookies.
The Extension uses Chrome’s local storage API to cache your sign-in session and preferences. This data never leaves your browser.
10. Children’s privacy
Solas is intended for university students and academics aged 16 and over. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, please email us and we’ll delete the account immediately.
11. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the latest revision. If we make material changes (e.g., introducing a new sub-processor, expanding data collection), we will notify active users by email at least 14 days before the change takes effect.
The current version is always available at solastool.com/privacy.
12. Contact us
For privacy questions, data requests, or anything else:
Email: support@solastool.com
Postal: Harrow Rd, Knockholt, Sevenoaks TN14 7JS, United Kingdom
This Privacy Policy is provided in good faith and is intended to be readable. If anything is unclear, please email us — we’d rather rewrite a paragraph than have you leave confused.