Privacy Policy
DeepFlare sp. z o.o.
Table of Contents
- Who We Are
- What This Policy Covers
- What Personal Data We Collect
- Why We Process Your Data and Our Legal Basis
- What We Do NOT Collect or Do
- AI Systems and the EU AI Act
- Cookies
- Who We Share Data With
- International Data Transfers
- Your Data Stays Yours - No Training
- How Long We Keep Data
- Your Rights Under GDPR
- Security
- Data Breach Notification
- Changes to This Policy
- Contact and Complaints
1. Who We Are
DeepFlare sp. z o.o. is a Polish company building AI-powered tools for protein engineering and vaccine design.
Data Controller: DeepFlare sp. z o.o.
KRS: 0000846289
NIP: 7010986785
REGON: 386316445
Registered office: ul. Złota 7/28, 00-019 Warszawa, Poland
Email: privacy@deepflare.ai
Website: https://deepflare.ai
We are registered in the National Court Register (Krajowy Rejestr Sądowy) under number 846289.
2. What This Policy Covers
This policy explains how we handle personal data when you:
- Use our bioinformatics platform ("Platform") for protein engineering and analysis
- Visit our website at deepflare.ai
- Communicate with us (email, support, sales)
This policy does not cover the scientific data (protein sequences, structures, predictions) you process through our Platform, except where that data happens to contain personal data. Scientific data processing is governed by your customer agreement.
Where we process personal data on your behalf (as a data processor), your own privacy policy governs. Our obligations as processor are set out in our Data Processing Agreement, available on request.
3. What Personal Data We Collect
Account Data
- Name, business email, job title, organization
- Account credentials (passwords stored hashed only)
Usage Data
- Login times, features used, jobs submitted
- Session data, search queries, UI interactions (aggregated)
Technical Data
- IP address, browser type, operating system
- Session-based device identifiers
Communication Data
- Emails, support tickets, feedback you send us
Billing Data
- Billing contact name, email, address
- Invoice records, subscription tier
- We do not store payment card numbers — payment processing is handled by our payment provider (currently Stripe), which acts as an independent controller for payment instrument data.
4. Why We Process Your Data and Our Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing Platform access and running your jobs | Contract performance (Art. 6(1)(b)) |
| Account setup, authentication, access control | Contract performance |
| Billing and invoicing | Contract performance |
| Platform security, fraud prevention | Legitimate interest (Art. 6(1)(f)) — protecting the Platform and your data |
| Product improvement (aggregated/anonymized metrics) | Legitimate interest — improving our service |
| Customer support | Contract performance + legitimate interest |
| Legal compliance (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Service updates to existing customers | Legitimate interest — you can opt out anytime |
| Website analytics | Consent (Art. 6(1)(a)) — via cookie banner |
5. What We Do NOT Collect or Do
We do not:
- Process personal health data or patient records as a controller
- Collect genetic data of identifiable individuals as a controller
- Use your data to train any AI models (see Section 10)
- Sell, rent, or trade personal data
- Engage in profiling with legal effects on individuals
- Make automated decisions about you under GDPR Art. 22
- Deploy AI systems to infer emotions or mental states from biometric data, including voice patterns (prohibited under EU AI Act Art. 5(1)(f))
- Monitor or profile individual employees' behavior or communication patterns
6. AI Systems and the EU AI Act
What AI We Use
Our Platform uses AI for:
- Computational protein design — AI models predict protein structures, sequences, and properties based on your scientific inputs
- AI-assisted analysis — where you explicitly invoke it.
Our AI systems are classified as minimal risk or limited risk under the EU AI Act (Regulation 2024/1689). We do not operate high-risk AI systems.
Prohibited Practices
We do not and will not deploy AI that performs emotion recognition from biometric data, social scoring, subliminal manipulation, or any other practice prohibited under Article 5 of the EU AI Act.
Transparency (Article 50)
From 2 August 2026 (or earlier), where you interact with an AI system in our Platform, we will clearly indicate this. AI-generated outputs will be marked in machine-readable format per Art. 50(2). If you distribute AI-generated content from our Platform to third parties, you are responsible for your own transparency disclosures.
7. Cookies
Essential cookies: We use strictly necessary cookies for authentication, security (CSRF), and remembering your cookie preferences. These require no consent under the ePrivacy Directive.
Analytics: With your consent, we use Google Analytics. You can withdraw consent anytime via the cookie settings link in our website footer.
No advertising tracking: We do not use advertising cookies or third-party tracking pixels.
8. Who We Share Data With
We use the following service providers (sub-processors) to deliver our Platform:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure (compute, storage, database) | EU (Belgium, europe-west1) |
Sub-processor changes: We notify customers at least 30 days before adding a new sub-processor.
A Data Processing Agreement (DPA) covering the details of our processor obligations is available on request.
9. International Data Transfers
Most of your data stays in the EU (Google Cloud Belgium). For transfers to the United States (primarily Anthropic), we rely on:
- EU-U.S. Data Privacy Framework (where certified)
- Standard Contractual Clauses (EU Commission Decision 2021/914)
- Transfer impact assessments — available on request
10. Your Data Stays Yours - No Training
We do not use your data to train any AI models. This applies to everything you upload and everything our Platform generates for you — no exceptions, no "anonymized aggregation" loopholes.
This commitment extends to our sub-processors. Anthropic is contractually prohibited from using data processed for DeepFlare customers for model training.
You can export your scientific data anytime through the Platform. After your contract ends, you get 90 days to export, then we permanently delete everything.
11. How Long We Keep Data
| Data | Retention |
|---|---|
| Account data | Contract duration + 5 years (Polish statutory limitation) |
| Usage data | Contract duration + 1 year (anonymized data kept indefinitely) |
| Technical logs | 90 days |
| Communications | Contract duration + 3 years |
| Billing data | Contract duration + 5 years (Polish accounting law requirement) |
| Scientific data | Contract duration + 90 days for export, then deleted |
| Cookie consent records | 3 years |
12. Your Rights Under GDPR
You have the right to:
- Access your data (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data (Art. 17)
- Restrict processing (Art. 18)
- Port your data to another service (Art. 20)
- Object to processing based on our legitimate interests (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Complain to a supervisory authority (Art. 77)
How to exercise these rights: Email privacy@deepflare.ai. We respond within 30 days.
If your request relates to data we process on behalf of your organization (as processor), we will redirect it to the relevant customer.
13. Security
We protect your data with:
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access control: Role-based, multi-factor authentication for infrastructure
- Network isolation: Production services in isolated virtual networks
- Audit logging: Authentication and data access events logged
- Personnel: Confidentiality obligations for all staff with data access
14. Data Breach Notification
If a personal data breach occurs:
- We notify the Polish Data Protection Office (UODO) within 72 hours (GDPR Art. 33)
- We notify affected individuals if high risk (GDPR Art. 34)
- We notify affected customers promptly per our DPA
15. Changes to This Policy
Material changes (new data categories, new purposes, new sub-processors): We notify you by email at least 30 days in advance.
Minor updates (clarifications, formatting): We update the "Last Updated" date.
Current version always available at: https://deepflare.ai/legal/privacy
16. Contact and Complaints
DeepFlare sp. z o.o.
Email: privacy@deepflare.ai
Address: ul. Złota 7/28, 00-019 Warszawa, Poland
We aim to respond within 5 business days.
Supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl | kancelaria@uodo.gov.pl | +48 22 531 03 00
You may also complain to your local EU/EEA data protection authority.
This Privacy Policy is governed by Polish law and the GDPR.
DeepFlare sp. z o.o. | KRS 846289 | Privacy Policy