Privacy Policy

Last updated: 2025-09-16

Summary

If you use AutoNA to generate biological sequences, it retains a time-stamped record of your inputs/outputs to enforce Terms, investigate misuse, and reproduce results. Account deletion doesn't remove this record; where the law requires, we restrict it to compliance/safety use only. This Policy is intended to meet best practices for scientific/biotech AI design tools and global privacy laws (e.g., GDPR/UK GDPR, CCPA/CPRA). It should be read together with our Terms of Use.

Who We Are (Controller)

  • Atombio
  • Address: 1011 Passport Way, Cary, NC 27513
  • Email: privacy@atombio.ai

Scope

This Policy applies to information we process about users of the Service, visitors to our websites, and individuals who communicate with us. It does not apply to third-party websites, services, or integrations you may access through the Service.

Key Definitions

  • Personal Information / Personal Data: Information that identifies or relates to an identifiable individual.
  • User Record (core to our scientific compliance model): Time-stamped records of the sequences you input into the AutoNA Server and the outputs the Service generates, together with technical context (e.g., algorithm version, parameters, job ID) and your account ID. User Records are retained for an extended period to monitor compliance, enforce and investigate potential violations of the Terms, ensure safety/security, and support reproducibility.
  • De-identified / Aggregated Data: Information that cannot reasonably be used to identify you.

What you should know

  • We collect account data, inputs/outputs (User Records), usage logs, and device data to operate and secure the Service.
  • User Records may be retained for an extended period, even if you delete your account or generation history, to support compliance, security, and reproducibility.
  • We do not sell or share Personal Information for cross-context behavioral advertising.
  • We use strong security controls and can store User Records in a segregated location upon request.
  • Model training policy differs by user type: Academic Tier — your inputs/outputs may be used to improve our models, subject to jurisdictional consent requirements and your right to opt out at any time. Commercial Tier — your organization may request exclusion from future model training and fine‑tuning beyond your original project, and we will honor that request (or any contractual default) without degrading core service quality.

Information We Collect

  • Account & Profile: Name, email, affiliation, role, industry, and security credentials.
  • Inputs & Outputs (User Records): Sequences, parameters, prompts, and outputs; job metadata (timestamps, version, job ID), provenance and audit logs.
  • Usage & Diagnostics: Interaction events, API calls, error logs, performance metrics, and feature usage analytics.
  • Device & Network: IP address, browser/OS, device identifiers, cookie IDs, and approximate location derived from IP.
  • Billing (if on paid plan): Subscription status and limited billing metadata processed via our payment provider (we do not store full payment card numbers).
  • Support: Content of emails, tickets, and chats with us.

We may collect certain information automatically via cookies and similar technologies.

How We Use Information (Purposes & Legal Bases)

We use information for:

  • Service Delivery & Account Management: to create and secure accounts, run jobs, and provide support (GDPR legal bases: contract; legitimate interests).
  • Security, Compliance & Safety: to monitor misuse, enforce Terms, investigate incidents, and meet legal obligations (legitimate interests; legal obligation). This includes extended retention of User Records.
  • Quality, Reliability & Reproducibility: to audit scientific results (including method/version/provenance) and maintain reproducibility (legitimate interests).
  • Research & Development: to improve system performance via de-identified or aggregated analytics. We only use your identifiable inputs/outputs to train models with your express opt-in or a separate agreement (consent/contract).
  • Communications: transactional emails; product updates (consent where required; legitimate interests otherwise).
  • Legal: to comply with applicable laws, respond to lawful requests, and protect rights and safety (legal obligation; legitimate interests).

Special Rules for Inputs/Outputs (User Records)

  1. Extended Retention. To support compliance, safety, and reproducibility, we retain User Records for an extended period. Deleting your account or clearing generation history does not delete User Records.
  2. Separate Storage Upon Request. Upon written request (e.g., institutional compliance needs), we can store your User Records in a segregated location or tenant with restricted access and additional controls (e.g., separate encryption keys, enhanced auditing). Charges may apply.
  3. Model Training & Fine‑Tuning (Tier‑Specific).
    • Academic Tier. By default, we may use your User Records (inputs, parameters, outputs, and related telemetry) to train, fine‑tune, evaluate, and improve our models and heuristics that power the Service. Where required by law (e.g., EEA/UK, certain U.S. states), we will obtain explicit consent before such use. You may opt out at any time via account settings or by emailing privacy@atombio.ai; opting out will stop future training use (previously trained models are unaffected but we will cease further use of your records for training).
    • Commercial Tier. By default, we do not use your User Records for general model training or cross‑customer fine‑tuning beyond your original project/tenant. We may use your User Records to provide and maintain your project, including quality, reliability, and fine‑tuning limited to your original project/tenant. Any broader training/fine‑tuning requires your express written authorization (e.g., in an Order Form or DPA). We may use de‑identified and/or pseudonymized telemetry for aggregated service analytics unless your contract prohibits it. Contractual terms (e.g., Enterprise/DPA) will control if they provide stricter limits. We will not disclose your confidential information in a manner that allows reconstruction of your proprietary sequences.
    • Safeguards. For any training/fine‑tuning permitted under this §7.3, we apply data minimization, access control, pseudonymization/de‑identification where feasible, purpose limitation, and retention limits. We maintain audit trails for training data lineage and review datasets for safety and biosecurity risks.
    • Opt‑Out / Exclusion Effect. Opt‑out or exclusion requests apply prospectively and do not require us to retrain or roll back previously released models, but we will remove excluded User Records from future training cycles and datasets.
  4. Sensitive Data. The Service is not designed to process regulated health information (e.g., PHI under HIPAA) unless we have a signed Business Associate Agreement (BAA). Do not upload PHI or other regulated personal data without an executed agreement. We may block or delete such data to reduce risk.
  5. Research Publication & Provenance. We may generate de-identified, aggregate statistics (e.g., throughput, error rates, parameter distributions) to improve the Service and for transparency. We do not disclose your sequences or outputs outside your organization without authorization, legal requirement, or de-identification.

How We Share Information

We do not sell Personal Information and we do not share it for cross‑context behavioral advertising.

We may disclose information to:

  • Service Providers / Subprocessors: Hosting, storage, security, observability, email, and billing providers under contract (confidentiality, security, and data processing terms). We publish a current list upon request or at [subprocessors URL].
  • Affiliates: Only as necessary for the purposes in this Policy.
  • Research Safety & Compliance: If we believe use of the Service violates our Terms, applicable law, or biosecurity/biosafety norms, we may use and disclose User Records to investigate and mitigate harm.
  • Legal: Lawful requests by public authorities; to comply with legal process; to protect rights, safety, and property.
  • Business Transfers: In the event of a merger, acquisition, or asset sale, subject to this Policy’s protections.

We require third parties to implement appropriate security controls and use information only for contracted purposes.

Your Rights & Choices

Training Exclusion / Opt‑Out.

  • Academic Tier users may opt out of model‑training use of their User Records at any time via account settings or by contacting privacy@atombio.ai. Where consent is required by law, you may withhold or withdraw consent without affecting access to the Academic Tier (though some personalization features may be limited).
  • Commercial Tier organizations may request exclusion from model training and cross‑customer fine‑tuning beyond their original project. We will honor exclusion requests and any stricter contractual terms (e.g., DPA, enterprise agreement).
  • Opt‑out/exclusion is prospective and will not require re‑training of models already deployed.

Security

We employ administrative, technical, and physical safeguards appropriate to the risk, including: encryption in transit and at rest, access control and least privilege, key management, network segmentation, audit logging, vulnerability management, and incident response. Access to User Records is tightly restricted and logged. Upon request, we can store User Records in a segregated location with separate encryption keys and additional audit controls.

No system is perfectly secure. If we learn of a security incident affecting your information, we will notify you and regulators as required by law.

International Data Transfers

We may transfer and process information in countries other than where it was collected. Where required, we rely on legal mechanisms (e.g., EU/UK Standard Contractual Clauses). You may request a copy of applicable safeguards.

Cookies & Similar Technologies

We use strictly necessary cookies to operate the Service and analytics cookies to improve it. You can control cookies via your browser settings. Some features may not function if you disable certain cookies.

Data Retention

We retain Personal Information for as long as necessary to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. User Records are retained for an extended period for compliance, safety, and reproducibility; account or history deletion does not remove User Records. When retention is no longer necessary, we will delete, de‑identify, or archive the information.

Children’s Privacy

The Service is not directed to children under 16. Do not submit Personal Information about children. If we learn that a child’s information has been collected, we will delete it where required by law.

Changes to This Policy

We may update this Policy from time to time. We will post changes here and update the “Last Updated” date. For material changes, we will notify you via email.

Contact Us

For questions or requests regarding this Policy or your information: Email us at privacy@atombio.ai

Acceptance at Sign‑Up

By clicking “Create account”, you confirm that you have read and agree to: (i) this Privacy Policy; (ii) the Terms of Use; and (iii) any applicable Data Processing Addendum. If you do not agree, do not create an account.

Annex A — Jurisdictional Disclosures

California (CPRA) Categories: We may collect identifiers, professional information, internet activity, geolocation (approximate), and inferences. Sources include you, your devices, and our Service providers. Business purposes are listed in §6. We do not sell or share Personal Information for cross‑context behavioral advertising.

EEA/UK: Controller is Atombio; contact details above. Legal bases are in §6. Data subject rights are in §9. International transfers rely on SCCs or equivalent.

HIPAA: Unless we have a signed BAA, we are not a HIPAA covered entity or business associate for purposes of your use of the Service; do not upload PHI without a BAA.

Annex B — Enterprise Data Processing Addendum (Controller ↔ Processor)

This Annex applies when Atombio acts as a processor/service provider on behalf of a Commercial Tier customer (the “Customer”) under an enterprise agreement or order form (collectively, the “Agreement”). Capitalized terms not defined here have the meanings in the Agreement. Where applicable, this Annex is intended to satisfy GDPR Art. 28, UK GDPR Art. 28, Swiss DPA, and U.S. state privacy laws (e.g., CCPA/CPRA service provider requirements).

B1. Roles; Processing Details.

  • Roles. Customer is the controller/business; Company is the processor/service provider.
  • Subject‑Matter & Duration. Provision of the Service to Customer during the Agreement term.
  • Nature & Purpose. Hosting, processing, and generating designs/predictions, and providing support, security, and analytics permitted by this Annex.
  • Personal Data Types & Data Subjects. Account data (e.g., names, emails), usage telemetry, and any personal data contained in inputs/outputs provided by authorized Users.

B2. Customer Instructions. Company will process Personal Data only on documented instructions from Customer (including via the Agreement, this Annex, and Customer’s configuration of the Service), unless required by law. Company will notify Customer if an instruction infringes applicable law.

B3. Confidentiality. Company ensures personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training.

B4. Security Measures. Company implements technical and organizational measures appropriate to the risk, including those described in Appendix 1 (Security Measures), and will maintain certifications/reports where available (e.g., SOC 2, ISO 27001). Company will not materially decrease the protections during the term.

B5. Sub‑processors. Customer provides general authorization for Company to engage sub‑processors for hosting, storage, security, email, and support. Company will: (a) impose data‑protection obligations at least as protective as this Annex; (b) remain responsible for sub‑processors’ performance; and (c) provide a current list at [subprocessors URL] and advance notice of changes (e.g., 30 days). Customer may object on reasonable data‑protection grounds; Company may propose alternatives or, if unresolved, Customer may suspend the affected processing.

B6. International Transfers. Where Company transfers Personal Data outside its origin jurisdiction, Company will implement a valid transfer mechanism (e.g., EU SCCs with applicable module(s) and Annexes, UK Addendum/IDTA, and Swiss addenda) as set out in Appendix 3 (Transfer Mechanisms).

B7. Audit & Assistance. Upon written request and no more than annually (unless required by a regulator or security incident), Company will provide audit reports or complete a reasonable security questionnaire and, where necessary, allow on‑site or remote audits subject to confidentiality, safety, and non‑interference requirements. Company will reasonably assist Customer with DPIAs, data‑subject requests, and regulatory inquiries related to the Service.

B8. Incident Notification. Company will notify Customer without undue delay (and, where feasible, within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notifications will include known details, mitigation, and contacts for follow‑up.

B9. Deletion or Return. Upon termination or at Customer’s written request, Company will delete or return Customer Personal Data and existing copies within a reasonable period, subject to: (i) legal retention requirements; (ii) archived backups subject to restricted access and scheduled deletion; and (iii) retention of User Records strictly for compliance/safety if required by law or to establish/exercise/defend legal claims (use restricted to such purposes).

B10. Training Exclusion (Default). As a default contractual commitment, Company will not use Customer User Records for general model training or cross‑customer fine‑tuning beyond Customer’s original project/tenant unless expressly authorized in writing by Customer (e.g., Order Form, DPA addendum). Company may use de‑identified and/or pseudonymized telemetry for aggregated service analytics unless prohibited by the Agreement. Any authorized training will be subject to data minimization, purpose limitation, and dataset lineage controls.

B11. Data Localization & Segregation (Optional). Upon request, Company can provision: (a) tenant‑level segregation with dedicated encryption keys; (b) region‑specific hosting; and/or (c) a segregated storage location for User Records with enhanced access logging. Additional fees may apply.

B12. CCPA/CPRA. For California, Company acts as a service provider/contractor and will not sell or share Personal Information (as defined by CPRA) or use it for cross‑context behavioral advertising. Company will not retain, use, or disclose Personal Information for any purpose other than providing the Service or as permitted by law and the Agreement.

B13. HIPAA (Optional). If the parties execute a Business Associate Agreement (BAA), Company will process PHI in accordance with the BAA. Absent a BAA, Customer will not submit PHI.

B14. Liability; Order of Precedence. Liability and remedies follow the Agreement’s limitation and indemnity terms. If there is a conflict between this Annex and the Agreement, this Annex controls with respect to processing of Personal Data. Where the SCCs/UK Addendum conflict with this Annex, the SCCs/UK Addendum control to the extent required by law.