Privacy Policy
Last updated: 17 March 2026
1. Data Controller
The data controller for this website and service is:
LayerThe
Türkiye
Email: [email protected]
2. Data We Collect
2.1 Account Data
When you create an account, we collect your name, email address, and hashed password (if using email/password authentication). If you sign in via Google or another OAuth provider, we receive your name and email from that provider.
2.2 Profile Data
You may optionally provide professional details: academic title, job title, organisation, research interests, and preferred funding schemes. This data is used to personalise your experience.
2.3 Proposal Data
When you submit a proposal for evaluation, we process your proposal title, objectives text, optional consortium description, and optional call code. Proposals are stored in our database and embedded as vectors for similarity search.
2.4 Evaluation Data
AI-generated evaluation reports (scores, analysis, recommendations) are stored and associated with your account.
2.5 Payment Data
Payment processing is handled by Paddle (our Merchant of Record). We store your Paddle customer ID, subscription ID, plan name, and billing period dates. We do not store credit card numbers or payment credentials.
2.6 Usage Data
We collect anonymised analytics data (page views, feature usage) via PostHog. On marketing pages, this data is stored only in memory (no cookies or localStorage). For authenticated users, usage events are associated with your user ID.
2.7 Notification Data
When you use the Service, we store in-app notifications (type, title, body, read status, timestamps) and your notification preferences (per-type toggles for in-app and email channels). This data is used to deliver service communications and respect your channel preferences.
3. Legal Basis for Processing
| Activity | Legal Basis (GDPR Art.) |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Proposal evaluation | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Transactional emails | Contract performance (Art. 6(1)(b)) |
| Analytics (anonymised) | Legitimate interest (Art. 6(1)(f)) |
| Error tracking | Legitimate interest (Art. 6(1)(f)) |
| Report sharing (recipient email) | Legitimate interest of the sender (Art. 6(1)(f)) |
| In-app & email notifications | Contract performance (Art. 6(1)(b)) |
4. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, serverless functions | EU (Frankfurt) |
| OpenAI Inc. | Text embeddings & LLM evaluation generation | US (SCCs in place) |
| Resend Inc. | Transactional email delivery | US (SCCs in place) |
| Paddle.com Market Ltd | Payment processing (Merchant of Record) | UK/EU |
| PostHog Inc. | Product analytics | EU (Frankfurt) |
| Sentry (Functional Software Inc.) | Error tracking & performance monitoring | EU |
| Upstash Inc. | Rate limiting (Redis) | EU (Frankfurt) |
| Hetzner Online GmbH | Application hosting | EU (Germany) |
5. International Data Transfers
Some of our sub-processors (OpenAI, Resend) are based in the United States. For these transfers, we rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Art. 46(2)(c).
Your proposal text and objectives are sent to OpenAI for embedding generation and evaluation. OpenAI processes this data as a sub-processor and does not use it for model training (per their API data usage policy).
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Proposals & evaluations | Until account deletion |
| Payment records | 7 years (tax/legal obligation) |
| Analytics data | 24 months |
| Error logs | 90 days |
| Notification data | 90 days |
| Notification preferences | Until account deletion |
7. Your Rights (GDPR Art. 15–21)
You have the right to:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten"). You can delete your account and all associated data from Settings.
- Restriction (Art. 18) — request restricted processing in certain circumstances
- Data portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interests
You can manage your notification preferences (in-app and email channels) from Settings → Notifications in the dashboard.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Report Sharing
When a user shares an evaluation report with you via email, we process your email address to deliver the shared report link and to control access. Your email is stored as part of the share record. The legal basis is the legitimate interest of the sharing user (Art. 6(1)(f)). If you believe you received a shared report in error, contact us at [email protected].
9. Cookies
We use strictly necessary cookies for authentication (Supabase auth session cookies). We do not use advertising or tracking cookies. Our analytics tool (PostHog) operates in cookieless mode on marketing pages. For full details, see our Cookie Policy.
10. Turkish Data Protection (KVKK)
As a business established in Türkiye, we also comply with the Turkish Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu — KVKK). Under KVKK, you have rights equivalent to those listed above, including the right to learn whether your data is processed, to request information about processing, to request correction or deletion, and to object to automated decisions.
To exercise your KVKK rights, contact us at [email protected]. The supervisory authority is the Turkish Personal Data Protection Authority (KVKK Kurumu — kvkk.gov.tr).
11. Contact
For privacy-related inquiries, contact our data protection officer at:
Email: [email protected]
LayerThe
Türkiye
You also have the right to lodge a complaint with your local data protection authority.