Account & privacy

Password reset, data export, account deletion, and what we do with your data.

Resetting your password

  1. Go to /auth/forgot-password
  2. Enter the email you signed up with
  3. Check your inbox for a reset link (sent via the same Resend SMTP relay as signup verification)
  4. Click the link — you'll land on /auth/update-password with a one-time session
  5. Pick a new password (min 8 chars), submit

Changing your email

From /settings/profile, enter the new address. Supabase sends a verification link to the new email; clicking it completes the switch. The old email stays active until you confirm.

Two-factor authentication

Not yet supported. On the roadmap; planned for the same release that adds passkey sign-in. Until then, use a strong unique password + a password manager.

Exporting your data

From /settings → Export → click Generate export. We bundle:

  • Profile JSON (email, plan, settings)
  • One CSV per vault listing sources + ingestion status
  • Full chat history as JSON, one file per session
  • ScholarFlow topics + papers index entries you've ingested
  • Shared answer permalinks you've created

The export is delivered as a ZIP via the download endpoint. Big accounts may take a minute or two to assemble; we email you when it's ready.

Deleting your account

From /settings → Danger Zone → Delete account. We:

  1. Cancel your Stripe subscription if active (no further charges, but no refund of the current period)
  2. Delete every vault, source file in Storage, chat session, ScholarFlow topic, shared answer permalink, and audit-log row tied to you
  3. Delete your auth.users row (Supabase cascades remove the profile)
  4. Email you a confirmation that the delete completed

Hard delete: data is gone, no undo, no soft-delete recovery window. Aggregated anonymized analytics (no PII) may persist for service-improvement metrics — see privacy policy.

What we collect — short version

  • Email address (account identity)
  • Password hash (never the plain text)
  • The documents you upload + URLs you add
  • Your chat history
  • Usage metrics (anonymized aggregates for analytics)
  • IP address (only for the anonymous demo rate limit; deleted after 90 days)

Full detail: /privacy.

Do you train AI models on my content?

No. Per the terms of Google's Gemini API (which we use for retrieval), submitted content is not used to train Google's public models. We don't train any models of our own.
