Privacy Policy
Effective date: May 21, 2026. This policy explains how Aspis Bio processes personal data on the Aspis Bio website, the Android and iPhone app, the RNA-seq workspace, AI assistance, and the optional Dropbox and Labguru connectors. It is written to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP, and US state privacy laws including the California Consumer Privacy Act as amended by the CPRA.
1. Who we are
Aspis Bio is the data controller responsible for the processing described in this policy. We are an early-stage research project based in the European Union and currently operate as a pre-incorporation alpha. Until a legal entity is formed, all privacy requests, data-subject requests, security reports, and complaints should be sent to main@aspis-bio.com. We will publish the registered legal entity, its address, and any Data Protection Officer appointment on this page when the company is incorporated.
We have not appointed a Data Protection Officer because, given our current scale, this is not required under Article 37 GDPR. We will reassess as the project grows.
2. Scope
This policy covers (a) the aspis-bio.com marketing site, (b) the Aspis Bio account, (c) the RNA-seq workspace and mobile app, (d) the Ask AI feature, and (e) the optional Dropbox and Labguru connectors. Aspis Bio is intended for research support — lab organisation, calculations, notes, and analysis of non-human biological data. It is not a medical device and must not be used for clinical diagnosis, treatment, emergency response, or regulated human-genomics decision-making.
3. Categories of personal data we process
The categories of personal data we may process depend on which features you use:
- Identifiers — email address (used to deliver a one-time login code; stored only as an HMAC-keyed hash and a masked display value such as m***o@gmail.com), account ID derived from that hash, IP address, device platform label (Android / iPhone / browser).
- Account and authentication data — short-lived access tokens, refresh tokens, single-use sign-in codes.
- Research content you create — Lab Book notes and metadata, RNA-seq sample sheets, project names, contrast definitions, AI prompts and responses, microscopy or gel images you submit to Biovision.
- Files you upload — FASTQ files for RNA-seq, image files for Biovision, Lab Book attachments. These are stored on EU object storage (Scaleway, fr-par).
- Usage and technical data — feature usage counters, rate-limit counters, AI quota counters, request timestamps, error logs, security and abuse-prevention signals. Cloudflare may additionally process technical request data for routing, DDoS protection, and analytics.
- Connector state — Dropbox and Labguru tokens (where you have connected them), export status records.
- Waitlist data — if you submit an email to a waitlist form, we may store that email to notify you when alpha access opens.
We do not knowingly collect special categories of personal data under Article 9 GDPR (health data, genetic data relating to identified humans, biometric data, etc.). The product is restricted to non-human model organisms (Drosophila, C. elegans, zebrafish). Do not submit human or patient data, protected health information, or any identifiable clinical material.
4. Purposes and legal bases (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; delivering the RNA-seq pipeline, the AI assistant, and the connectors you choose to use | Performance of a contract — Art. 6(1)(b) |
| Security, fraud and abuse prevention, rate limits, audit logs, debugging | Legitimate interest in protecting users and the service — Art. 6(1)(f) |
| Sending waitlist notifications and product updates to people who provided an email | Consent — Art. 6(1)(a); withdrawable at any time |
| Complying with tax, accounting, and legal-process obligations | Legal obligation — Art. 6(1)(c) |
| Aggregate, non-identifying analytics about how the service is used | Legitimate interest in improving the product — Art. 6(1)(f) |
5. How we use AI on your data
Ask AI requests and RNA-seq Director / Aspis Helper requests are routed through Aspis Bio server-side infrastructure. Your phone or browser does not hold AI provider keys. We add a sanitized context summary, choose a model, enforce quotas, and forward the request to an EU-based inference provider (currently Infomaniak in Switzerland and Scaleway in France).
We apply strict data-minimisation before any AI provider receives your data:
- Raw FASTQ bytes, signed S3 URLs, Dropbox links, upload tokens, provider secrets and local file paths never enter the AI prompt.
- Public evidence-search queries are stripped of obvious email addresses, phone numbers, and explicit sample / specimen / subject / patient ID patterns.
- Where supported by the provider, we enable zero-data-retention controls so prompts and responses are not retained after processing.
- AI suggestions are advisory only. The Worker — not the AI — decides whether an action actually runs. There is no automated decision-making producing legal or similarly significant effects on you within the meaning of Art. 22 GDPR.
Please do not submit human personal data, clinical data, protected health information, passwords, secrets, or regulated human-genomics data to any AI feature.
6. Dropbox connector
Dropbox is optional. If you connect Dropbox, Aspis Bio uses an OAuth flow through a Cloudflare Worker; the Dropbox client secret stays server-side. The Android and iPhone apps store the resulting access and refresh tokens in device secure storage. Aspis Bio uses the constrained App Folder scope for Lab Book and analysis exports. Disconnecting Dropbox clears the locally stored tokens. Files already exported remain in your Dropbox until you delete them there. Dropbox is an independent data controller for the content stored in your Dropbox account.
7. Labguru connector
Labguru export is optional. If enabled, Aspis Bio sends sanitized Lab Book payloads (notes, metadata, tags, attachment names) to your Labguru workspace through the Aspis Bio API Worker. Labguru API tokens are kept server-side. Labguru is an independent data controller for the content stored in your Labguru workspace.
8. Account and authentication
Aspis Bio uses passwordless email-code login. The raw email address is used in memory only to deliver the one-time code; account records store a server-side HMAC hash and a masked display value (e.g. m***o@gmail.com) rather than the raw email. Each account is keyed by a deterministic pseudonymous identifier derived from the email hash, so the website and the mobile app give you the same account for the same address.
Account profiles are kept while the account is active and auto-delete after 365 days of inactivity. Each successful sign-in refreshes this rolling retention window. Immediate deletion is self-serve from /account/manage: we email a 6-digit confirmation code and wipe your profile, RNA-seq runs, Lab Book entries, attachments, AI usage, and every active session. If you cannot reach the website, email main@aspis-bio.com from the address tied to your account and we will run the same wipe manually.
9. Subprocessors and recipients
We rely on the following service providers to operate Aspis Bio. They process personal data only on documented instructions, under EU-style data-processing agreements where applicable.
- Cloudflare, Inc. — Workers, Pages, AI Gateway, R2, DNS, DDoS protection, web analytics. Headquartered in the US; EU data residency is used where supported. Transfers rely on the EU Standard Contractual Clauses and the EU–US Data Privacy Framework where Cloudflare participates.
- Scaleway SAS — RNA-seq compute (Paris zone fr-par-1) and object storage (aspis-rnaseq-v0, region fr-par). Established in the EU. No third-country transfer is required for processing performed on this infrastructure.
- Infomaniak Network SA — AI inference (fast tier). Established in Switzerland, which benefits from a European Commission adequacy decision under Art. 45 GDPR.
- Transactional email delivery — used to send sign-in codes and account notifications. The provider receives the destination address, a short subject, and the code at the moment of sending.
- Dropbox and Labguru — only if you explicitly connect them. Each is an independent controller for the content stored in your account with them.
We do not sell personal data, we do not share it for cross-context behavioural advertising, and we do not use it to train AI models. We disclose personal data only to the subprocessors listed above, to comply with a binding legal request, or to defend against a security incident.
10. International data transfers
Most processing happens on EU infrastructure (Scaleway in France) or in a country with a Commission adequacy decision (Switzerland for Infomaniak). When Cloudflare processes data on US infrastructure, the transfer is covered by Cloudflare's EU Standard Contractual Clauses and, where applicable, its certification under the EU–US Data Privacy Framework. You can request a copy of the SCCs by emailing us.
11. Retention
We keep personal data only as long as we need it for the purpose for which it was collected. Specific retention windows:
- Account profile — 365 days rolling, refreshed on each sign-in. After 365 days of inactivity the profile auto-deletes.
- One-time login codes — 10 minutes, single-use; deleted on verification or expiry.
- Raw RNA-seq FASTQ uploads — 30 days from upload, then auto-deleted by lifecycle policy.
- RNA-seq results (report, DE table, counts matrix) — kept while the account is active; same 365-day inactivity auto-delete.
- Lab Book server sync — kept while the account is active; same 365-day inactivity auto-delete. Per-device deletions are propagated as 30-day tombstones for sync, then removed.
- Biovision image uploads — processed in memory; only sanitized metadata and references to user-stored outputs are retained.
- Access tokens — 1 hour TTL; revoked immediately on sign-out or account deletion.
- Refresh tokens — 30 days rolling, single-use rotation; absolute cap of 30 days from the last fresh sign-in.
- Rate-limit and AI usage counters — minutes to days, for abuse prevention and quota accounting.
- Security and audit logs — up to 90 days, except where a longer period is required to investigate a specific incident.
- Waitlist emails — kept until the alpha invitation is sent or you ask to be removed.
12. Security
We use HTTPS everywhere, a strict Content-Security-Policy, Cloudflare Workers with server-side secrets, rate limits, short-lived authentication flows, device secure storage on supported platforms, and encrypted EU object storage. Despite best efforts, no system is perfectly secure. If you believe you have found a vulnerability, please report it to main@aspis-bio.com. We will notify affected users and the competent supervisory authority within 72 hours of becoming aware of a personal data breach where required by Art. 33 GDPR.
13. Cookies and similar technologies
Aspis Bio uses only strictly-necessary cookies and storage: a session token after sign-in, an anti-CSRF token, and limited browser localStorage for client-side preferences. We do not use advertising, profiling, or cross-site tracking cookies, and we do not embed third-party trackers. Cloudflare Web Analytics collects aggregate, cookie-less request metrics. No banner is required for these technologies under the ePrivacy Directive, but you can clear them at any time from your browser settings.
14. Your rights under the GDPR / UK GDPR / Swiss FADP
If you are in the European Economic Area, the United Kingdom, or Switzerland you have the right to:
- Access the personal data we hold about you (Art. 15);
- Have inaccurate data rectified (Art. 16);
- Request erasure of your data (Art. 17) — the self-service flow at /account/manage already implements this;
- Request restriction of processing (Art. 18);
- Receive your data in a portable, machine-readable format (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time for processing based on consent, without affecting prior lawfulness;
- Lodge a complaint with a supervisory authority — for Italy the Garante per la Protezione dei Dati Personali (garanteprivacy.it), or with the supervisory authority in your country of residence.
To exercise any of these rights, email main@aspis-bio.com from the address tied to your account. We will respond within one month (extendable by two months for complex requests, with notice).
15. Your rights as a resident of the United States
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, or another US state that has enacted a comprehensive privacy law, you have similar rights, including the right to:
- Know what personal information we have collected about you, the sources, the purposes for which it is used, and the categories of recipients;
- Delete the personal information we have collected from you, subject to limited statutory exceptions;
- Correct inaccurate personal information;
- Opt out of the "sale" or "sharing" of personal information and of profiling that produces legal or similarly significant effects;
- Limit the use of sensitive personal information;
- Designate an authorized agent to exercise these rights on your behalf;
- Receive non-discriminatory service when you exercise these rights.
We do not sell personal information, and we do not share it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act as amended by the CPRA. To exercise your rights, email main@aspis-bio.com. We will verify your request using the email address on file and respond within the statutory timeframes (typically 45 days under the CCPA, extendable by 45 more with notice).
Notice of financial incentive: we do not offer any financial incentives in exchange for personal information.
California "shine the light" requests (Cal. Civ. Code § 1798.83) can be sent to the same address; we do not disclose personal information to third parties for their direct marketing.
16. Children
Aspis Bio is not directed to children. We do not knowingly collect personal information from anyone under 16 in the EU/EEA/UK or under 13 in the United States (the COPPA threshold). If you believe a child has provided us with personal data, contact main@aspis-bio.com and we will delete it.
17. Automated decision-making and profiling
We do not use solely automated decision-making that produces legal or similarly significant effects on you (Art. 22 GDPR). AI suggestions in Aspis Bio are advisory and require explicit user confirmation before any allowlisted action runs.
18. Changes to this policy
We may update this policy as the product evolves. Material changes will be reflected on this page with a new effective date and, where required by law, communicated to active users by email. The most recent version is always the one published here.
19. Contact
For any privacy question, data-subject request, security report, or complaint about this policy, please contact us at main@aspis-bio.com.