Privacy Policy

Last updated: February 2026

What InCite Does

InCite is a citation recommendation tool. When you request recommendations, InCite reads text from your document (the sentences around your cursor or your selection) and sends it to the InCite cloud service at inciteref.com to find relevant papers from your personal library.

Data We Collect

  • Account information — email address and hashed password when you create an account.
  • Your library — paper metadata and full text you upload to build your personal corpus.
  • API tokens — stored securely to authenticate your requests.

Data We Do NOT Store

  • Document text — the text sent for recommendations is used only to compute results and is not stored on our servers. It is discarded after the response is returned.
  • Document contents — we never access, read, or store the full contents of your Google Docs or other documents.

Google Docs Add-on

The InCite Google Docs add-on requests the following permissions:

  • View your current document (documents.currentonly) — to read the text around your cursor for generating recommendations. Only the selected context is sent to the InCite API; the full document is never transmitted.
  • Display sidebar (script.container.ui) — to show the recommendations panel inside Google Docs.

Your API token is stored in Google Apps Script UserProperties, which is private to your Google account and not accessible by other users or the add-on developer.

Chrome Extension

The InCite Chrome extension reads selected text or text around your cursor in Google Docs and Overleaf. This text is sent to inciteref.com for recommendations and is not stored. Your API token is stored in Chrome's local extension storage.

Third-Party Sharing

We do not sell, share, or transfer your personal data or document text to any third parties. Paper metadata in your library may be enriched using public academic APIs (Semantic Scholar, OpenAlex), but no personal data is sent to these services.

Data Security

All communication between clients and the InCite server uses HTTPS encryption. Passwords are hashed using bcrypt. API tokens can be regenerated at any time from your account page.

Data Deletion

You can delete your account and all associated data at any time by contacting us. Your library, account information, and all stored data will be permanently removed.

Contact

For questions about this privacy policy, email [email protected].