Privacy Policy

Last updated: May 8, 2025 · Effective: May 8, 2025

Olto Therapeutics, Inc. (“Olto”, “we”, “us”, or “our”) operates the Olto Discovery platform at oltodiscovery.com (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

1. Information We Collect

Account Information: When you create an account, we collect your name, email address, institution, role, and password (stored as a cryptographic hash — we never store your plaintext password).

Research Data: We store the experimental protocols you generate or design, notebook entries, uploaded files, literature references, and AI conversation history. This data is stored in our database and is subject to row-level security — it is never shared with other users or organizations without your explicit action.

Usage Information: We collect information about how you interact with the Service, including features used, pages visited, protocol generation events, and AI assistant queries. This is used to improve the platform and enforce plan limits.

Technical Data: We automatically collect IP addresses, browser type, operating system, referring URLs, and session timestamps. These are used for security monitoring, audit logging, and service operation.

Payment Information: Payment processing is handled entirely by Stripe, Inc. We store only a Stripe customer ID and subscription ID — we never receive, store, or process your full card number, CVV, or banking details.

2. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Olto Discovery platform
  • Process protocol generation and AI assistant requests
  • Manage your subscription and billing via Stripe
  • Send account-related communications (email confirmation, billing receipts, security alerts)
  • Enforce plan limits and detect abuse
  • Maintain security audit logs as required for SOC 2 compliance
  • Improve and develop new features based on aggregated, anonymized usage patterns
  • Comply with applicable laws and regulations

We do not: sell your data to third parties, use your research data to train AI models without explicit consent, display advertisements, or share your data with other users outside your organization.

3. AI Processing and Your Research Data

When you use AI features (protocol generation, AI assistant, literature analysis, simulation), your input text is sent to Anthropic, Inc. for processing via their Claude API. Anthropic's API terms apply. Anthropic does not use API inputs to train their models by default. We recommend reviewing Anthropic's Privacy Policy.

AI-generated protocol outputs are stored in our database under your account. You retain full ownership of all content you create using the Service.

4. Data Storage and Security

Encryption at rest: All data is encrypted using AES-256 encryption via Supabase's managed PostgreSQL infrastructure hosted on AWS.

Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced.

Row-Level Security: Every table in our database is protected by PostgreSQL Row-Level Security (RLS) policies. These are enforced at the database engine level and cannot be bypassed by application code. You can only access data you own or have been explicitly granted access to.

Audit logging: Every significant action (login, protocol creation, data export, team changes) is logged with your user ID, IP address, user agent, and timestamp. These logs are immutable and are used for security monitoring and compliance.

Data residency: By default, data is stored in US-West-2 (Oregon, USA). EU data residency is available on Enterprise plans.

5. Data Retention

We retain your data for as long as your account is active. If you cancel your account:

  • Your account access is removed immediately
  • Your research data (protocols, notebooks, files) is retained for 30 days in case of accidental cancellation, then permanently deleted
  • Audit logs are retained for 7 years to meet compliance requirements
  • Aggregated, anonymized usage statistics may be retained indefinitely

You may request immediate deletion of your data by contacting support@oltodiscovery.com.

6. Sharing Your Information

We share your information only in the following circumstances:

  • Service providers: With Supabase (database infrastructure), Anthropic (AI processing), Stripe (payment processing), and Vercel (hosting). These providers process data only on our behalf and under contractual data processing agreements.
  • Team members: If you are a member of an organization on the Lab or Enterprise plan, your name and email are visible to other members of that organization. Protocol sharing is controlled by you through visibility settings.
  • Legal requirements: When required by law, court order, or governmental authority, or to protect the safety, security, and integrity of our Service and users.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice and data protection continuity.

7. Your Rights (GDPR / CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate personal data through your account settings or by contacting us.
  • Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to portability: Export your research data in JSON or text format from within the platform.
  • Right to object: Object to processing of your personal data for certain purposes.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.

To exercise these rights, contact us at support@oltodiscovery.com. We will respond within 30 days.

8. Cookies and Tracking

We use essential cookies for authentication (Supabase session tokens) and your theme preference (light/dark mode). We do not use advertising cookies, cross-site tracking cookies, or third-party analytics. You may disable cookies in your browser settings, but this will prevent you from logging in.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at support@oltodiscovery.com.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email and by posting the updated policy with a new effective date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Olto Therapeutics, Inc.

Email: support@oltodiscovery.com

Website: oltodiscovery.com