Privacy Policy
Effective date: May 16, 2026 · Last updated: May 16, 2026
1. Who we are
The Service is operated by Протасов Александр Романович (Protasov Alexander Romanovich), an individual taxpayer registered under the Russian “Tax on Professional Income” regime (self-employed status).
- Tax ID (ИНН): 663905577316
- Contact for privacy questions: [email protected]
In this Policy “kResearch”, “we”, “us” and “our” refer to the operator above.
2. Scope
This Policy applies to the websites at krsrch.com and app.krsrch.com and any related kResearch web application pages, features and APIs (together, the “Service”).
kResearch is a research-workflow assistant. It is not a medical device and not a diagnostic or treatment tool, and it does not provide medical advice.
3. Data we collect
We collect only the data needed to provide the Service. Categories of data we collect:
- Google account identity. Email address, display name and the Google account identifier returned by Google OAuth during sign-in.
- Account and session data. A signed session cookie tying a browser to an account, plus account metadata such as creation time and plan tier.
- Study content. Study titles, descriptions, target population notes, selected scales, custom form sections you author, variable / codebook structure and form configuration.
- AI prompts and AI outputs. When you trigger an AI feature, the prompt you submit and the resulting draft are stored on your account so the workspace can show them back to you.
- Uploaded document metadata. When you upload a questionnaire PDF or DOCX, we record the filename, MIME type and size.
- Extracted document text. During upload, the document is parsed in memory so the AI can extract sections and fields. The structured extraction result (sections, detected scales, notes) is stored on your account. The raw uploaded file bytes are not stored after the request completes — only the metadata above and the structured extraction result are persisted.
- Google OAuth tokens and granted scopes. When you authorize Google Forms / Sheets / Drive generation, we store the access and refresh tokens and the granted scopes so we can call Google APIs on your behalf. Tokens are encrypted at rest.
- Generated Google asset metadata. Identifiers and links of the Google Forms and Google Sheets created on your behalf, so the workspace can show you and re-open them.
- Usage, telemetry, quota and AI-cost data. Per-call AI model identifier, input/output token counts and computed cost, plus per-user rate-limit and monthly quota counters used to enforce plan limits. We do not store the prompt or response text in the telemetry record itself.
- Payment and paid access data from Robokassa. Transaction ID, amount, currency, plan, payment status, payment date, billing email, and masked card details (such as last four digits) if Robokassa returns them.
- Support correspondence. Email you send to [email protected], including the content and headers necessary to reply.
4. Data we do NOT intentionally collect
- We do not intentionally collect real patient health records, protected health information (PHI) or directly identifiable patient data. The Service is designed so respondent data lives in your own Google Forms / Google Sheets workspace, not in kResearch.
- We do not intentionally collect respondent answers submitted into the Google Forms you generate, unless you manually paste such data back into kResearch.
- We do not collect or store full card numbers or CVV.
- We do not sell personal data.
- We do not use Google user data for advertising.
- We do not use Google user data to train general AI or ML models.
5. How we use data
- Authentication, sign-in and account management.
- Creating and managing the research workflows you build inside kResearch (studies, scale selections, form sections, codebooks, scoring metadata).
- Creating Google Forms, Google Sheets and Google Drive artifacts you explicitly request, on your behalf.
- Generating downloadable research kits, codebooks and scoring metadata.
- Providing the optional AI features (study drafts, scale recommendations, document extraction).
- Managing plans, paid access, payments, refunds, receipts and quota enforcement.
- Security, abuse prevention, troubleshooting and Service reliability.
- Responding to support requests.
- Meeting legal, tax, accounting and payment obligations applicable to the operator.
6. Google user data and Google API access
This section describes how kResearch handles data obtained through Google OAuth and Google APIs.
- kResearch uses Google OAuth for sign-in and, when explicitly authorized by you, to create Google Forms, Google Sheets and related Google Drive artifacts on your behalf.
- Basic “Sign in with Google” requests only your identity (OpenID, email address and basic profile). It does not request any Google Drive, Google Forms or Google Sheets access.
- Google Workspace access is a separate, optional step. kResearch only requests it if you explicitly choose “Connect Google Drive”, and it then requests a single, minimal scope:
drive.file. That scope lets kResearch see and manage only the files it creates for you (the generated Google Forms and the linked Google Sheet). It does not grant access to any other file in your Google Drive — kResearch cannot read, list or modify your existing Drive content. - kResearch uses Google user data only to provide and improve the user-facing features that you request.
- kResearch does not sell Google user data.
- kResearch does not use Google user data for advertising or any advertising-related purpose.
- kResearch does not use Google user data to train general AI or ML models.
- kResearch does not allow humans to read Google user data except: (a) with your explicit permission, (b) for security or debugging necessary to protect the Service, (c) to comply with applicable law, or (d) where strictly necessary to operate the Service (for example, investigating a specific support ticket you opened).
- kResearch does not transfer Google user data to third parties except: (a) as needed to provide the user-requested feature (for example, sending a Google Forms / Sheets API request back to Google), (b) to comply with applicable law, (c) as part of necessary security measures, or (d) with your explicit consent.
- You can revoke kResearch’s Google access at any time at myaccount.google.com/permissions. If you revoke access, kResearch may no longer be able to create or update Google Forms, Sheets or Drive artifacts on your behalf.
Regional availability. For users located in the Russian Federation, Google sign-in and the Google Drive connection may be disabled, and access to features that require authorization is not provided, because we cannot currently offer an authorization method that meets local requirements. In that case no Google user data is collected, since the authorization flow does not run. See the Terms of Service for details.
7. AI providers
When you trigger an AI feature, kResearch sends the relevant prompt and context (study description, selected scale identifiers, extracted document text) to the configured AI provider so it can return a draft. AI features are optional and user-triggered.
The current AI providers are:
- Anthropic Claude — the Anthropic API, when configured;
- OpenAI — the OpenAI API, when configured.
We do not send Google OAuth tokens or payment card data to AI providers. PHI is prohibited by the Terms and must not be uploaded to the Service, so it must not reach AI providers either.
8. Robokassa and payment processing
Card entry and payment authorization are handled by Robokassa via the Robokassa payment form or related Robokassa payment infrastructure. Robokassa may process card details, perform 3-D Secure authentication and report payment status back to kResearch.
kResearch receives only the payment and paid access metadata it needs for billing, account status, refunds, support and accounting. kResearch does not store full card numbers or CVV.
9. Cookies
kresearch_session— HTTP-only, Secure session cookie used to keep you signed in.kresearch_oauth_state— short-lived HTTP-only cookie used to protect the Google sign-in flow from CSRF.kresearch_oauth_connect_state— short-lived HTTP-only cookie used to protect the opt-in “Connect Google Drive” flow from CSRF.
We do not use cookies for tracking, profiling or advertising. If tracking cookies are ever added later, they will be introduced with notice and, where required, consent.
10. Sharing and subprocessors
We share data with the following categories of subprocessors only as needed to operate the Service:
- Google — Google OAuth, Google Forms, Google Sheets, Google Drive.
- Anthropic — optional AI provider, when configured and triggered by you.
- OpenAI — optional AI provider, when configured and triggered by you.
- Robokassa — card payment processing and payment status.
- Hosting and infrastructure provider — servers, database and cache hosting for the application.
- Email and support tooling, where applicable, to handle support correspondence and operational notifications.
A current subprocessor list will be made available on request and may evolve as the Service grows.
11. International data transfers
The Service is offered to a global audience. You may be located outside the country where the operator or one of our subprocessors operates, in which case your data may be processed in countries where those providers operate. We rely on the contractual and technical protections those providers offer.
12. Security
- All traffic between your browser and the Service is encrypted with HTTPS / TLS.
- Session cookies are marked HTTP-only and Secure outside of local development.
- Google OAuth tokens are encrypted at rest using AES-256-GCM before being written to the database.
- Access to production data is restricted to the operator on a need-to-know basis.
kResearch does not currently claim SOC 2, ISO 27001, HIPAA compliance, an external audit or a third-party penetration test. We will update this section as additional measures or certifications are completed.
13. Retention
- Account and study content is retained while your account is active.
- If you delete a study, it is removed from the live database promptly.
- If you delete your account (Profile & account → Danger zone, or by email), we remove your studies, AI drafts, personal scale library and encrypted Google credentials. Catalog scales and content shared with other users are not affected.
- Backups taken before deletion may be retained for a short operational window before being aged out.
- Billing, tax and payment records may be retained for the period required by applicable law and accounting obligations even after account deletion.
- Support emails are retained as long as needed to respond and to keep a reasonable support history.
14. Your rights
Subject to applicable law, you can ask us to:
- access or export a copy of your account data;
- correct inaccurate data;
- delete your account and associated data;
- object to or restrict certain processing where the law allows.
You can revoke Google access at any time in your Google Account settings. To exercise any of the above rights, email [email protected] from the email tied to your kResearch account.
California residents. If you are a California resident, you have the right to know what personal information we collect about you, the right to access and delete that information, the right to correct inaccurate information, the right to opt out of any sale or sharing of personal information for cross-context behavioral advertising, and the right not to be discriminated against for exercising these rights. kResearch does not sell personal information and does not share personal information for cross-context behavioral advertising.
15. Children
The Service is not directed to children under 13 and is not intended for users under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us so we can remove it.
16. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the latest revision. Material changes that affect active users will be announced through the Service or by email.
17. Contact
Privacy questions, deletion requests and other data-rights requests can be sent to [email protected].