BIOS Privacy Policy
Effective January 1, 2026
We at Bio Protocol ("Bio Protocol", "we", "us", or "our"), operating at bio.xyz, strongly respect privacy and are committed to protecting and keeping secure information that is shared with us. This Privacy Policy (the "Policy") governs the collection, use, disclosure, storage, transfer, and other processing of any data that you share with us and sets forth our data protection and privacy practices in connection with your use of BIOS (Bio AI Platform), our proprietary AI-powered scientific research platform, including APIs, websites, applications, and related services (collectively, the "Services") where Bio Protocol acts as a data controller for personal or commercial use in the case of users accessing and using the Services.
The Policy does not apply in the case where Bio Protocol acts as a data processor on behalf of a commercial customer, business entity, company, or enterprise ("Enterprise") who is the data controller. Our use of such data in that case is governed by the Enterprise agreements covering that data, in which applicable documents including, but not limited to, a Master Services Agreement ("MSA") and Data Processing Agreement ("DPA") will be controlling.
By accessing or using the Services, you acknowledge that you have read and understood the Policy.
1. Definitions
For the purposes of the Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, contact information such as an email address or address, and other identifying information that specifically belongs to said natural person.
- "Input(s)" or "Input Data" means any information that you freely choose to disclose and provide in your usage of the Services, including but not limited to Personal Data, prompts, code, figures, files, and any other data.
- "Output(s)" or "Output Data" means any data generated from usage of the Services as a result of processing based on your Inputs.
- "Trainable Data" means data such as agent decisions and behaviors in response to Inputs ("trajectory" or "trajectories"), user interaction data such as clicks and usage behavior, and software data created as part of coding notebooks by our agents.
- "Processing" means any operation or set of operations performed upon data, whether or not by automated means, including collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, dissemination, and erasure.
- "Applicable Law" means relevant statutes or regulations particular to the jurisdiction that is being referenced.
2. Collection of Data
Personal Data
We collect Personal Data that you provide to us directly, including name and email address in the course of registering to use our Services or to receive information about our Services ("Account" or "Account Information"). We collect Personal Data that you provide as an Input to our Services. We collect data we receive automatically from your use of our Services, including browser information, connection information, mobile operator or internet service provider, time zone setting, IP address, and the geolocation associated with your IP address.
Payments and Billing Data
All payments for subscriptions and credits are processed through Stripe, Inc. Bio Protocol does not collect or store your full payment card information. When you provide payment details, those are submitted directly to Stripe via a secure, PCI-DSS-compliant process. Stripe may share limited transactional data (such as payment status or billing country) with us to confirm payments, prevent fraud, and maintain your subscription. For more information on how Stripe collects and uses your billing information, please refer to Stripe's Privacy Policy.
Logging and Observability Data
We collect data about our Services system health when you use them. This includes log files for error reporting if you experience an error in the course of using our Services, and this data will include the timestamp of when the error occurred, which Service the error occurred in, and any logged data provided related to the error at the time of occurrence.
Usage Data
We collect data on your usage of the Services, such as usage timestamps, browsing history, click history, pages viewed, and other analytical information about your interactions with the Services.
Cookies & Similar Technologies
We currently do not implement cookies and tracking technologies on the browser.
Uploaded Data
When you upload files or datasets to use with BIOS, we store this data intermediately on our secure cloud storage infrastructure. This uploaded data may be transmitted to third-party foundational AI model providers (including but not limited to Anthropic, Google, and OpenAI) as necessary to provide you with the Services. We will not misuse your uploaded data or use it to train our own models unless you explicitly provide consent to do so. As of January 1, 2026, we do not request such consent, though we may introduce opt-in training programs in the future.
Please note that Bio Protocol is not responsible for how third-party AI model providers process your data once transmitted to their systems. We encourage you to review the privacy policies of Anthropic, Google, and OpenAI if you have concerns about their data practices.
Feedback Data
We collect data you freely, voluntarily, and directly send to us through email communications or through our Services via interfaces clearly designated for user feedback, which may include support ticket portals and live agent chat boxes.
3. Uses of Data
We use collected data for the following purposes:
- To create and administer your Account.
- To provide, maintain, and facilitate all necessary and optional Services for your Account, which is governed by our Terms of Service.
- To communicate with you, including to send you information about our Services and any Bio Protocol events.
- To facilitate payments for the Services and any other products offered by us.
- To prevent and investigate the following: fraud, abuse, and violations of Terms of Service; unauthorized access to Personal Data or the Services; and unlawful or criminal activity involving Personal Data or the Services.
- To protect our rights and others' rights in meeting legal regulations and obligations.
- To investigate and resolve disputes and security issues.
- To debug and fix errors that impair the Services.
- To improve the Services, including model training. For model training, unless you explicitly opt out through your Account, we may use your Trainable Data as defined in Section 1 to train our models to better improve the Services; however, we do not and will not intentionally train on any user's uploaded data, such as any scientific data that may be uploaded.
- To enforce our Terms of Service and other applicable agreements.
We do not sell, use, or process your Personal Data for any advertising, promotional, or consumer characterization purposes.
4. Data Disclosures
We may disclose your Personal Data in the following scenarios.
Vendors
In order to provide, maintain, and facilitate all necessary and optional Services for your Account, we may disclose your Personal Data to vendors such as cloud hosting providers, email communication providers, customer service vendors, content delivery providers, payment transaction processors, and other information technology providers. These Vendors, pursuant to being party to business agreements with us, will access, process, and store Personal Data in compliance with industry standards and only as necessary to perform their business functions with us.
Government Authorities
Pursuant to regulatory or legal requirements, we may disclose your Personal Data and other collected data to government authorities or other third parties: in the good-faith belief that such disclosure is necessary to comply with a legal obligation to assist with or in connection with an investigation, claim, dispute, or litigation; to defend our rights or property; to enforce contractual commitments; or as otherwise permitted or required by Applicable Law.
Significant Corporate Event
In the event that we undergo a material corporate event, including but not limited to a merger, acquisition, bankruptcy, or corporate business transaction involving transfer of business assets, we will disclose your Personal Data as part of due diligence processes and requirements.
Per Individual Consent
We will disclose Personal Data when you give us permission or direct us to disclose information in the course of using the Services.
Other Third Parties You Share Information With
Our Services may include the ability to integrate with or may provide links to websites, applications, and services managed by third parties that you can interact with. By interacting with a third party, you may be disclosing information that is governed by the third party's terms and privacy policies, and you should ensure you understand those terms and policies before proceeding to interact with them.
5. Your Rights
In accordance with the jurisdiction in which you reside, the Applicable Laws may grant you certain statutory rights in relation to your Personal Data, including:
Right to Be Informed
You have the right to know what Personal Data is processed, the sources from which Personal Data is collected, the business or commercial purposes for collection, and the third parties that Personal Data is disclosed to.
Right to Access
You have the right to request a copy of Personal Data that is processed. Subject to Applicable Law, you have the right to request a copy in portable format.
Right to Be Forgotten
You have the right to request that we delete your Personal Data, except in cases where legal obligations require us to keep your data. You may also have the ability to delete your data from the Services through the user interface.
Right to Rectification
You have the right to request that we correct your Personal Data, except in cases where legal obligations require us to keep your data, and except in any Outputs generated by your Inputs.
Right to Objection of Processing
You have the right to object to and request a stoppage of our processing of your Personal Data. We will continue to process data as necessary if we demonstrate a compelling and legitimate need which overrides your request, such as but not limited to the establishment, exercise, or defense of legal claims. In the cases of direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe mechanism contained within such direct marketing messages.
Right to Restriction of Processing
You have the right to restrict how we process your Personal Data in such cases of objection to processing, data accuracy disputes, unlawful processing, or when your Personal Data is no longer needed to serve its purpose for the Services. Restrictions may be temporary.
Right to Withdraw Consent
You have the right to withdraw your consent for processing your Personal Data in cases where we have, at a prior point in time, received your consent as a legal basis for processing. A withdrawal of consent does not invalidate the lawfulness of processing arising from the originating consent given.
Rights Related to Automated Decision-Making and Profiling
You have the right to not be subjected to any decisions based solely on automated processing, including profiling, which may produce legal or similarly significant effects. We do not engage in decision-making based solely on automated processing or profiling.
You may exercise these rights through your Account. If you are unable to access these rights through your Account, you may submit your request to info@bio.xyz.
6. Children
Our Services are neither directed towards nor intended for children under the age of 18 ("Child" or "Children"). We do not collect, use, disclose, sell, share, or distribute in any way any information from Children. If you become aware that a Child has provided any Personal Data to us while using our Services, please immediately contact us at info@bio.xyz. We will promptly investigate the matter and delete the Personal Data, if appropriate. Children must have explicit permission and supervision from a parent or legal guardian to use our Services.
7. Retention
We will retain your Personal Data for as long as reasonably necessary for the purposes of providing our Services to you and other legitimate business reasons such as dispute resolutions and legal obligations, as stated in the Policy. When your collected Personal Data is no longer required, we and our Vendors will perform the required procedures for deleting, erasing, anonymizing, or destroying it as permitted and in required compliance with Applicable Laws.
8. Data Transfers
In the course of accessing and using our Services, your Personal Data may be transferred to our server systems located within the United States. If your jurisdiction lies within the European Economic Area ("EEA") or the United Kingdom, we rely on the adequacy decisions under Article 45 GDPR and, in the absence of an adequacy decision, standard contractual clauses under Article 46 GDPR to ensure your Personal Data benefits from adequate data protection compliant with GDPR regulations.
9. Analytics
We may process your data in an aggregated or de-identified form for the purposes of analytics to understand user behavior, the effectiveness of our Services, and overall legitimate business interests. We do not sell this processed data to third parties.
10. Security
We implement commercially reasonable and appropriate administrative, organizational, and technical security measures to protect Personal Data from unauthorized access, disclosure, misuse, alteration, or loss. While we strive to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective" date at the top of this Policy and, where appropriate, notify you by email or through our Services. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: