Privacy Policy
Deepflare sp. z o.o.
1. Data Controller
The controller of your personal data is:
DeepFlare sp. z o.o.
KRS: 846289
Poland
Email: privacy@deepflare.ai
Website: https://deepflare.ai
DeepFlare sp. z o.o. ("DeepFlare", "we", "us", or "our") is a Polish limited liability company (spółka z ograniczoną odpowiedzialnością) registered in the National Court Register (Krajowy Rejestr Sądowy) under number 846289.
Data Protection Officer: Email: privacy@deepflare.ai
2. Scope and Applicability
This Privacy Policy explains how DeepFlare processes personal data in connection with:
(a) our bioinformatics software-as-a-service platform for protein engineering and vaccine design (the "Platform");
(b) our website at https://deepflare.ai and any associated subdomains (the "Website"); and
(c) any related services, communications, and interactions between DeepFlare and its customers, prospective customers, and website visitors (collectively, the "Services").
This Policy applies to:
Account holders and authorized users of the Platform;
Customer administrators who manage organizational accounts;
Website visitors who access our Website;
Business contacts with whom we communicate in the ordinary course of business.
This Policy does not apply to the scientific data (protein sequences, 3D structures, computational predictions) that customers submit to or generate through the Platform, except to the extent such data constitutes or contains personal data. The processing of scientific data is governed primarily by the terms of our customer agreements. See Section 5 for further detail.
Where DeepFlare processes personal data on behalf of a customer (acting as a data processor), the customer's own privacy policy governs. DeepFlare's obligations as a processor are set out in our Data Processing Agreement ("DPA"), available upon request.
3. Definitions
In this Policy:
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
"Personal Data" has the meaning given in Article 4(1) of the GDPR.
"Processing" has the meaning given in Article 4(2) of the GDPR.
"Customer" means an organization that has entered into a subscription or services agreement with DeepFlare for use of the Platform.
"Authorized User" means an individual granted access to the Platform by a Customer.
"Scientific Data" means protein sequences, three-dimensional molecular structures, computational predictions, annotations, and other bioinformatics data submitted to or generated by the Platform.
"Platform" means the DeepFlare bioinformatics software-as-a-service application.
"DPA" means the Data Processing Agreement between DeepFlare and a Customer.
4. Categories of Personal Data We Process
4.1 Account and Identity Data
When a Customer creates an organizational account or when Authorized Users are provisioned, we process:
Full name
Business email address
Job title and organizational role
Organization name and department
Account credentials (passwords are stored only in hashed form)
Multi-factor authentication tokens
4.2 Usage and Interaction Data
When Authorized Users interact with the Platform, we process:
Login timestamps, session duration, and authentication events
Features accessed and actions performed (e.g., pipeline executions, structure visualizations)
Computational jobs submitted, including timestamps and configuration parameters
Search queries and filter selections within the Platform
User interface interactions for the purpose of product improvement (aggregated and pseudonymized)
4.3 Technical and Device Data
We automatically collect:
IP addresses (truncated for analytics purposes where feasible)
Browser type and version
Operating system
Device identifiers (limited to session-based identifiers)
Referral URLs (for Website visits only)
4.4 Communication Data
When you contact us, we process:
Email correspondence content and metadata
Support ticket content and resolution records
Feedback and survey responses (where voluntarily provided)
4.5 Billing and Commercial Data
For Customer account administration, we process:
Billing contact name and email
Organization billing address
Invoice records and payment history
Subscription tier and usage metering data
We do not directly process payment card numbers, bank account details, or other financial instrument data. Payment processing is handled by our third-party payment processor, which acts as an independent data controller for payment instrument data.
5. Categories of Scientific Data We Process
5.1 Nature of Scientific Data
The Platform processes the following categories of Scientific Data on behalf of Customers:
Protein sequences (amino acid sequences submitted for analysis or design)
Three-dimensional molecular structures (PDB files, coordinate data, structural predictions)
Computational predictions and annotations (folding predictions, binding affinity scores, solubility assessments, stability metrics, toxicity evaluations, sequence design outputs)
Pipeline configurations and parameters (job definitions, algorithmic settings)
Derived data (metrics, alignments, surface annotations, and other computed outputs)
5.2 Scientific Data Is Generally Not Personal Data
Protein sequences, molecular structures, and computational predictions processed through the Platform are not personal data within the meaning of the GDPR in the vast majority of use cases. This data relates to molecular biology research and does not identify or relate to an identified or identifiable natural person.
5.3 Exception: Potential Personal Data in Scientific Inputs
In limited circumstances, Scientific Data could constitute or contain personal data — for example, if a Customer submits protein sequence data derived from an identifiable individual's biological sample. In such cases:
(a) The Customer, as the entity determining the purposes and means of processing, acts as the data controller with respect to such personal data.
(b) DeepFlare acts as a data processor and processes such data solely in accordance with the Customer's instructions and our DPA.
(c) Customers are responsible for ensuring they have an appropriate legal basis (including, where applicable, informed consent or a research exemption under Article 9(2) of the GDPR) for submitting any personal data to the Platform.
6. Purposes and Legal Bases for Processing
We process personal data for the purposes and on the legal bases set out below, in accordance with Article 6(1) of the GDPR:
| Purpose | Categories of Data | Legal Basis (Art. 6(1) GDPR) |
|---|---|---|
| Performing our contractual obligations (providing Platform access, executing computational jobs, delivering results) | Account data, usage data, scientific data | (b) Performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract |
| Account provisioning, authentication, and access control | Account data, technical data | (b) Performance of a contract |
| Billing, invoicing, and subscription management | Billing data, account data | (b) Performance of a contract |
| Platform security, fraud prevention, and abuse detection | Technical data, usage data, authentication events | (f) Legitimate interests — ensuring the security and integrity of our Platform and protecting Customers' Scientific Data |
| Product improvement, feature development, and performance optimization | Usage data (aggregated/pseudonymized) | (f) Legitimate interests — improving our Services for the benefit of our Customers. We apply pseudonymization and aggregation to minimize privacy impact. |
| Customer support and communication | Communication data, account data | (b) Performance of a contract and (f) Legitimate interests — responding to inquiries and maintaining business relationships |
| Compliance with legal obligations (tax, accounting, regulatory) | Billing data, account data | (c) Legal obligation to which the controller is subject, including obligations under Polish tax law and accounting law |
| Direct marketing to existing Customers (service updates, feature announcements) | Business email address, account data | (f) Legitimate interests — informing Customers about relevant Platform developments. You may opt out at any time (see Section 12). |
| Website analytics | Technical data (anonymized/pseudonymized) | (a) Consent — obtained via cookie banner prior to setting non-essential analytics cookies |
Where we rely on legitimate interests as a legal basis, we have conducted a balancing test and concluded that our interests do not override the fundamental rights and freedoms of data subjects, taking into account the business-to-business nature of our Services, the limited categories of personal data involved, and the safeguards we apply (including pseudonymization and aggregation).
7. Data We Do Not Collect
For the avoidance of doubt, DeepFlare does not:
Process personal health data, patient records, or clinical trial data as a controller;
Collect or process genetic data of identifiable individuals as a controller;
Use Customer Scientific Data to train, fine-tune, or improve any machine learning models (see Section 15);
Sell, rent, or trade personal data to third parties;
Engage in profiling that produces legal or similarly significant effects on individuals;
Process personal data for automated decision-making within the meaning of Article 22 of the GDPR.
8. Cookies and Tracking Technologies
8.1 Essential Cookies
We use strictly necessary cookies to:
Maintain authenticated sessions
Enforce security controls (e.g., CSRF protection)
Remember cookie consent preferences
These cookies are set under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive) as transposed into Polish law, which permits cookies that are strictly necessary for the provision of a service explicitly requested by the user.
8.2 Analytics Cookies
With your prior consent, we may use analytics tools to understand how visitors interact with our Website. Analytics cookies are set only after you affirmatively consent through our cookie banner. You may withdraw consent at any time by adjusting your cookie preferences via the link in the Website footer.
8.3 No Third-Party Advertising or Tracking
We do not use advertising cookies, social media tracking pixels, or any third-party tracking technologies for behavioral advertising purposes.
9. Sub-Processors
We engage the following sub-processors to deliver our Services. Each sub-processor is bound by a data processing agreement incorporating appropriate safeguards:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (Google LLC / Google Ireland Ltd) | Cloud infrastructure — compute, storage, database (Firestore), container hosting (Cloud Run), task queuing | Account data, usage data, Scientific Data (encrypted at rest) | EU (europe-west1, Belgium) |
| Anthropic (Anthropic PBC) | AI-assisted agent capabilities for platform features (code generation, analysis support) | Limited Platform interaction data; Scientific Data only where explicitly invoked by the Customer through AI-assisted features | United States |
Sub-processor change notification: We will notify Customers of any intended changes to our sub-processor list at least 30 days before engaging a new sub-processor, in accordance with our DPA. Customers may object to a new sub-processor as set out in the DPA.
9.1 Anthropic — Specific Safeguards
Where Customers use AI-assisted features powered by Anthropic's Claude models:
Data transmitted to Anthropic is limited to the specific inputs provided by the Authorized User for the AI-assisted task;
Anthropic is contractually prohibited from using DeepFlare Customer data for model training or improvement (zero-retention API usage).
10. International Data Transfers
10.1 EU-Native Processing
DeepFlare is established in Poland, a Member State of the European Union. Our primary data processing infrastructure is located within the European Economic Area ("EEA"), specifically in Google Cloud's europe-west1 region (Belgium).
For Customers established in the EEA, the vast majority of data processing occurs entirely within the EEA, and no adequacy decision or supplementary transfer mechanism is required for the core Platform functionality.
10.2 Transfers to Third Countries
Certain sub-processors are established in or may process data in countries outside the EEA, in particular the United States. For such transfers, we rely on the following safeguards in accordance with Chapter V of the GDPR:
(a) Standard Contractual Clauses (SCCs)
We have entered into the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) with relevant sub-processors, including:
Google LLC — SCCs incorporated into Google Cloud's Data Processing Amendment
Anthropic PBC
(b) EU-U.S. Data Privacy Framework
Where a sub-processor is certified under the EU-U.S. Data Privacy Framework (as recognized by the European Commission's adequacy decision of 10 July 2023), we may additionally rely on such certification as a valid transfer mechanism.
(c) Transfer Impact Assessments
We have conducted transfer impact assessments for each transfer to a third country, evaluating the legal framework of the recipient country and the effectiveness of the supplementary measures in place. These assessments are available upon request.
10.3 Transfers for UK Customers
For Customers subject to the UK GDPR, we rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable, for transfers of personal data outside the United Kingdom.
11. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, subject to applicable legal retention obligations:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data | Duration of Customer's contract + 5 years | Contractual necessity; statutory limitation periods under Polish Civil Code |
| Usage and interaction data | Duration of contract + 1 year (aggregated data may be retained indefinitely in anonymized form) | Legitimate interest in product improvement; anonymized data falls outside GDPR scope |
| Technical and device data | 90 days (raw logs); aggregated/anonymized data retained indefinitely | Security and operational purposes |
| Communication data | Duration of contract + 3 years | Legitimate interest; potential dispute resolution |
| Billing and commercial data | Duration of contract + 5 years (or longer where required by tax/accounting law) | Legal obligation under Polish accounting law and tax law |
| Scientific Data | Duration of Customer's contract. Upon termination, Customers may export within 90 days, after which data is permanently deleted. | Customer controls; contractual terms |
| Cookie consent records | 3 years from date of consent | Demonstrating valid consent under Art. 7(1) GDPR |
Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized. Scientific Data deletion follows the procedures set out in our customer agreements.
12. Data Subject Rights
Under the GDPR, you have the following rights with respect to your personal data. You may exercise these rights by contacting us at privacy@deepflare.ai:
12.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, to access the personal data and specified information about the processing.
12.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed.
12.3 Right to Erasure (Art. 17 GDPR)
You have the right to obtain the erasure of your personal data where one of the grounds set out in Article 17(1) applies, subject to the exceptions in Article 17(3).
12.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain the restriction of processing where one of the conditions set out in Article 18(1) applies.
12.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
12.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
You have the right to object at any time to the processing of your personal data for direct marketing purposes, in which case we will cease such processing without exception.
12.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
12.8 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. See Section 19 for details.
12.9 How We Handle Requests
We will respond to data subject requests without undue delay and in any event within one month of receipt, in accordance with Article 12(3) of the GDPR. This period may be extended by a further two months where necessary.
We verify the identity of all requesters before disclosing personal data. Requests may be made electronically to privacy@deepflare.ai.
Where the request relates to personal data processed by DeepFlare as a data processor on behalf of a Customer, we will redirect the request to the relevant Customer or assist the Customer in responding, as set out in our DPA.
13. Security Measures
DeepFlare implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
13.1 Technical Measures
Encryption in transit: All data transmitted between clients and the Platform is encrypted using TLS 1.2 or higher.
Encryption at rest: All data stored on our infrastructure is encrypted at rest using AES-256 encryption, managed through Google Cloud's default encryption with customer-managed encryption keys where applicable.
Access controls: Role-based access control (RBAC) is enforced at both the organizational and Platform levels. Administrative access to production infrastructure requires multi-factor authentication and is limited to authorized personnel on a need-to-know basis.
Network security: Production services are deployed within isolated virtual networks with ingress restrictions. Internal compute services are not exposed to the public internet.
Audit logging: Authentication events, data access, administrative actions, and computational job executions are logged and retained for security review.
Vulnerability management: We conduct regular dependency scanning and apply security patches in a timely manner.
13.2 Organizational Measures
Personnel: Access to personal data is limited to employees and contractors who require it for the performance of their duties. All personnel with access to personal data are bound by confidentiality obligations.
Incident response: We maintain a documented incident response procedure for security incidents, including data breaches (see Section 14).
Sub-processor oversight: Sub-processors are selected based on their ability to provide sufficient guarantees regarding technical and organizational measures, and are subject to ongoing monitoring.
14. Data Breach Notification
14.1 Notification to Supervisory Authority
In the event of a personal data breach, DeepFlare will notify the competent supervisory authority (UODO) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
14.2 Notification to Data Subjects
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, DeepFlare will communicate the breach to the affected data subjects without undue delay, in accordance with Article 34 of the GDPR.
14.3 Notification to Customers (Processor Obligations)
Where DeepFlare becomes aware of a personal data breach affecting data processed on behalf of a Customer, we will notify the affected Customer without undue delay and in accordance with the timeframes set out in our DPA.
15. Customer Data Ownership and No-Training Commitment
15.1 Customer Ownership
Customers retain full ownership of all data they submit to the Platform and all outputs generated by the Platform from such data, including but not limited to:
Protein sequences and molecular structures;
Computational predictions, folding results, and design outputs;
Pipeline configurations and annotations;
All derived data and results.
DeepFlare acquires no ownership interest, license, or other rights in Customer data beyond the limited rights necessary to provide the Services.
15.2 No Training on Customer Data
DeepFlare does not use Customer data to train, fine-tune, improve, or develop any machine learning models, artificial intelligence systems, or algorithms. This prohibition is absolute and applies to all forms of Customer data, whether aggregated, anonymized, pseudonymized, or otherwise transformed.
This commitment extends to our sub-processors. Our agreements with AI service providers (including Anthropic) contractually prohibit the use of data processed on behalf of DeepFlare Customers for model training or improvement.
15.3 Data Export
Customers may export their Scientific Data at any time during the term of their subscription through the Platform's export functionality. Upon termination of the customer agreement, Customers are provided a 90-day window to export their data, after which all Customer data is permanently deleted from our systems, including backups, within 30 additional days.
16. Children's Data
The Platform is a business-to-business service designed for use by professional researchers and scientists in pharmaceutical and biotechnology organizations. The Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16.
If we become aware that we have collected personal data from a child under 16 without appropriate parental or guardian consent, we will take steps to delete such data without undue delay.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices.
Material changes: For material changes affecting the processing of personal data, we will:
(a) Notify Customers via email to their designated administrative contact at least 30 days before the changes take effect;
(b) Post an updated version of this Policy on our Website with a revised "Last Updated" date;
(c) Where required by applicable law, obtain renewed consent.
Non-material changes: For non-material changes (e.g., clarifications, formatting, or changes that do not substantively affect data processing), we will update this Policy on our Website with a revised "Last Updated" date.
18. Contact Information
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:
DeepFlare sp. z o.o.
Data Protection Inquiries
Email: privacy@deepflare.ai
We aim to respond to all inquiries within 5 business days. Data subject rights requests will be handled within the statutory timeframes set out in Section 12.9.
19. Supervisory Authority
DeepFlare's lead supervisory authority is:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
(President of the Personal Data Protection Office)
ul. Stawki 2
00-193 Warszawa, Poland
Website: https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Tel: +48 22 531 03 00
Data subjects in other EU/EEA Member States may also lodge complaints with their local supervisory authority, in accordance with Article 77 of the GDPR.
Data subjects in the United Kingdom may contact:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: https://ico.org.uk
Tel: +44 303 123 1113
20. Applicable Law
This Privacy Policy is governed by the laws of the Republic of Poland. To the extent applicable, the GDPR and the Polish Act of 10 May 2018 on the Protection of Personal Data apply.
For Customers subject to the UK GDPR (the Data Protection Act 2018 and the UK GDPR as retained EU law), the relevant provisions of UK data protection law apply to the processing of their personal data.
DeepFlare sp. z o.o. | KRS 846289 | Privacy Policy v1.0
Copyright Deepflare® 2026. All rights reserved.
