Privacy Policy
Last updated: 9 June 2026 · covers Solas Chrome extension v1.11.0
This Privacy Policy explains how Solas (“we”, “us”, “our”) handles your information when you use the Solas Chrome extension (the “Extension”) and the website at solastool.com (the “Site”). It applies to everyone who uses Solas, regardless of where you live.
We collect only what we genuinely need to make Solas work, and we tell you exactly what that is in plain English.
1. Who we are
Solas is operated by an independent developer based in the United Kingdom. You can reach us at support@solastool.com for any privacy-related question or request.
For the purposes of UK GDPR and EU GDPR, Solas is the data controller for personal data processed through the Site and the free Extension.
If you are using a build of the Extension that was linked to your university (Solas for Institutions), your institution is the Data Controller for the anonymous module-level event data collected on its behalf. Solas acts as a Data Processor under a signed Data Processing Agreement. See §11 below.
2. What we collect, and why
Solas is designed local-first. The default behaviour collects nothing about you on our servers. The categories below describe data that may leave your browser when you use specific features.
2.1 Citation metadata (when you click “Cite this page”)
When you ask Solas to cite a page, the Extension reads a deliberately minimal slice of the page so it can build an accurate reference. Specifically:
<meta>tags (Open Graph, Dublin Core, Schema.org,citation_*)- The page’s
<title>,<h1>, and visible byline text - JSON-LD structured-data blocks
- The page’s URL and host
- Publication date where present
If our local parsers can build the citation from the structured fields above, nothing leaves your browser. If the local parsers can’t (or return suspicious values), Solas falls back to AI extraction (see §2.3).
Solas does not read form fields, cookies, browser history, login state, or anything else on the page beyond what is described above. We do not screenshot or record your screen.
Lawful basis (UK/EU GDPR): performance of a contract / legitimate interest in providing the citation service.
2.2 Saved citations and quotes (when you click “Save”)
When you save a citation to your Library, the resulting reference text, the source URL, and the page metadata used to build it are stored in your browser’s Chrome local storage. This data stays on your machine. Solas has no cloud-sync layer for the student build — we never see your saved sources.
Highlighted passages saved through the “Save quote” shortcut are likewise stored locally alongside their parent citation.
Lawful basis: not applicable — the data never reaches Solas’s systems.
2.3 AI extraction data (when fallback is needed)
When the Extension can’t build a complete citation from local parsing alone, it sends a request to our processing server at solas-ai.thomasmulvany1.workers.dev. That request may include:
- The URL of the page being cited
- The page’s title and the metadata fields already extracted
- Up to 24KB of the page’s visible text (the readable body content, never form data or hidden fields)
The processing server forwards the request to OpenAI via API call. OpenAI returns the parsed citation fields, which are then returned to your browser. The request body is not stored by Solas after the response is returned. OpenAI’s API-tier data handling policy applies: per OpenAI’s contractual commitments, API data is not used to train OpenAI’s models and is retained for at most 30 days for abuse-monitoring purposes.
Lawful basis: performance of a contract / legitimate interest in producing accurate citations.
2.4 Citation Integrity verification data (v1.11.0+)
When you save a citation, the Extension also runs a Citation Integrity check to confirm the source actually exists. This sends the following to our processing server’s /verify-citation endpoint:
- The DOI of the source (if present)
- The source URL
- The source type (journal, book, web, etc.)
- The page title and author surnames
- The publication year
The processing server queries one or more academic registries to confirm the source exists:
- CrossRef — for academic articles with DOIs
- OpenAlex — for academic works by title
- Google Books — for books
- A direct HTTP HEAD request to the source URL — for web articles, news, and other web sources
The Extension stores the verdict (verified / unverifiable) locally alongside the citation. The verification request itself is not logged on our server.
Lawful basis: legitimate interest in academic integrity.
2.5 The Audit tab (paste a paragraph)
When you paste a paragraph into the Audit tab, the Extension detects in-text citations and matches them against your local Library. The pasted text never leaves your browser. All detection, matching, and rendering happens locally.
Lawful basis: not applicable — no data leaves your machine.
2.6 Diagnostic data (when you submit feedback)
If you click “Feedback & feature requests” and submit a message, the form is hosted on the Site via Netlify Forms. We receive:
- The category you selected (bug, feature, general)
- The message you wrote
- The URL of the page you had open at the time (only if you explicitly include it)
- The Solas Extension version
- Your email address (only if you provide it)
Lawful basis: legitimate interest in improving the service.
2.7 Demo request data (institutions only)
If your institution submits a demo request through the form at solastool.com/institutions, we receive the email address provided. We use it only to reply to the demo request. We do not add it to any marketing list.
Lawful basis: legitimate interest in business communication.
3. What we don’t collect
To be unambiguous, Solas does not collect:
- The text of pages you visit, except as described in §2.3
- Your browsing history beyond the single tab you actively choose to cite
- Cookies or local-storage values from third-party websites
- Form inputs, passwords, or login state on any site
- Your IP address (beyond what is automatically processed at the network layer by our infrastructure providers for routing — never persisted by Solas)
- Data from sites you have not actively chosen to cite
- Your essay or draft text (the Audit tab runs entirely locally)
- Anything for advertising or marketing-profile purposes
The Extension and the Site contain zero advertising trackers, analytics scripts, or marketing pixels.
4. Who we share data with (sub-processors)
We use a small number of trusted infrastructure providers to operate Solas. They act as our data processors and are contractually bound to handle data according to UK/EU data-protection law.
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Workers (citation processing), D1 database (institutional only), KV (rate limiting), Pages (the Site) | London, UK (region lhr) |
| OpenAI, L.L.C. | Large-language-model inference for citation field extraction | United States (zero training, ≤30-day retention) |
| Netlify, Inc. | Hosting for the website, contact forms | EU edge |
| CrossRef | Citation verification + reliability lookups (DOI registry) | Global, public API |
| OpenAlex (OurResearch) | Citation verification + reliability lookups (academic works) | Global, public API |
| Google Books API | Book metadata lookups | Global, public API |
| Unpaywall (ImpactStory) | Open-access PDF discovery for cited papers | Global, public API |
| UK Companies House | UK legal-entity verification for cited organisations | United Kingdom, public API |
When Solas queries CrossRef, OpenAlex, Google Books, Unpaywall, or Companies House, the request is made server-side from our Cloudflare Worker. Your identity, IP, and any account info are not disclosed to those APIs. The query payload contains only the citation metadata necessary to perform the lookup (typically a DOI, title, or ISBN).
We never sell your data. We never share it with advertisers or data brokers. We will only disclose data if compelled by valid legal process, and we will notify you if we are legally allowed to.
5. Where your data is stored
For users of the free Extension: your saved citations live on your own machine, in Chrome’s local storage. We have no copy.
For users of Solas for Institutions: anonymous module-level event data is stored on Cloudflare D1 in the London (UK) region. Backups are encrypted at rest and never replicated to a non-UK/non-EU region. See the Solas for Institutions privacy whitepaper for the full detail.
For the Site: page-level data (e.g. the contact form submissions) is held by Netlify in their EU edge region. We retrieve these submissions to respond to you and do not retain them beyond reply.
If you are outside the UK/EU, your request payload may transit through the UK or US (OpenAI’s region) for processing. We rely on the UK ICO’s adequacy regulations or the EU Standard Contractual Clauses for any cross-border transfer.
6. How long we keep your data
- Saved citations (free build): for as long as you keep them. You can delete individual citations, whole folders, or your entire local Library at any time from the Library tab. We have no server-side copy to delete.
- Citation extraction requests (AI fallback): not stored by Solas. OpenAI retains the request body for at most 30 days for abuse-monitoring, then deletes it.
- Verification requests (v1.11.0+): not stored. The verdict is returned to your browser and then discarded server-side.
- Feedback messages: kept for 24 months to inform product improvement, then deleted.
- Demo requests (institutions): kept until the conversation concludes, plus 12 months for follow-up. Deleted on request.
- Institutional event data: covered separately by the institutional privacy whitepaper.
7. Your rights
Under UK GDPR, EU GDPR, and similar regimes, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Restrict or object to our processing
- Port your data to another service
- Withdraw consent at any time
To exercise any of these, email support@solastool.com. We aim to respond within 14 days and to fulfil valid requests within 30 days.
For users of the free Extension, the answer to most subject-access requests is straightforward: we hold no personal data about you on our servers. Your saved citations are entirely on your own device.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.
8. Security
Solas uses industry-standard security practices:
- All traffic between your browser and our processing server is encrypted using TLS 1.2+
- Our processing server requires a shared API key in addition to the Chrome-extension origin header for every request — arbitrary external callers receive a 401 or 403
- Per-IP daily rate limits enforced via Cloudflare KV protect against abuse
- Our OpenAI API key never leaves our Cloudflare infrastructure; the Extension never has access to it
- Worker code is open to security review on request under NDA
- The Extension’s source code is shipped as plain JavaScript on Chrome Web Store, inspectable by any reviewer
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR.
9. Cookies and similar technologies
The Site (solastool.com) uses only essential cookies required for the page to function. We do not use tracking cookies, analytics cookies, or advertising cookies.
The Extension uses Chrome’s local-storage and session-storage APIs to hold your saved citations, project folders, theme preference, and so on. This data never leaves your browser unless you take an action that explicitly transmits it (e.g. clicking Cite).
10. Children’s privacy
Solas is intended for higher-education students and academic researchers. The Extension is rated suitable for users aged 13 and over on the Chrome Web Store, but our typical user is 18+. We do not knowingly collect data from anyone under 13. If you believe a child has shared data with us, please email us and we will delete it.
11. Solas for Institutions
Solas for Institutions is a separate licensed offering for universities. Under that arrangement, the institution is the Data Controller for module-level event data; Solas is the Data Processor under a signed Data Processing Agreement.
The institutional product is architected so that no student identifier is ever collected. Events arrive with a module code and a verdict type only. The complete details — threat model, retention, audit rights, breach notification — are documented in the Solas for Institutions Privacy Whitepaper.
If your university has not subscribed to Solas for Institutions, none of the institutional-event collection applies to you. You are using the free Extension as described in §§1–10.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the latest revision. If we make material changes (a new sub-processor, expanded data collection, or a change to the AI processing path), we will surface the change in the Extension and on the Site before it takes effect.
The current version is always available at solastool.com/privacy.
13. Contact us
For privacy questions, data requests, or anything else:
Email: support@solastool.com
For institutional / procurement enquiries: institutions@solastool.com
Postal: Harrow Rd, Knockholt, Sevenoaks TN14 7JS, United Kingdom
This Privacy Policy is written in good faith and intended to be readable. If anything is unclear, please email us — we’d rather rewrite a paragraph than have you leave confused.