Privacy Policy

This Policy applies to all personal information collected through the Platform, including information provided during registration, subscription management, and use of analytical features. It does not apply to third-party websites or services that may be linked from the Platform.

The Platform is designed for research use only. Users are responsible for ensuring that any human-subject data uploaded complies with applicable consent requirements, IRB approvals, and data-protection regulations prior to upload.

We use the information we collect to:

• Create and manage your account and authenticate your identity.
• Process transactions and send related information (receipts, invoices, renewal notices).
• Provide, operate, and improve the Platform and its analytical pipelines.
• Generate aggregated, anonymised usage statistics to understand how the Platform is used and to improve it.
• Send administrative communications (security alerts, policy updates, maintenance notices).
• Send marketing communications about new features or plans — only with your consent or where permitted by law. You may opt out at any time.
• Respond to customer support inquiries.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not use your research datasets or analysis results to train, fine-tune, or benchmark any machine-learning model without your explicit, informed consent.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

• Contract performance: processing necessary to provide the Service you have requested.
• Legitimate interests: platform security, fraud prevention, and product improvement, where these interests are not overridden by your rights.
• Consent: where we ask for and receive your consent (e.g., marketing emails).
• Legal obligation: compliance with applicable law.

We do not sell your personal information. We may share it in the following circumstances:

Genomic and biological datasets are sensitive by nature. We apply the following protections specifically to your uploaded research data:

• Research files are stored encrypted at rest (AES-256) in AWS S3 and in transit (TLS 1.2+).
• Access is restricted to authenticated users; files are served via short-lived presigned URLs.
• CytoHub staff access to raw research data is limited to authorised personnel for the purpose of debugging, security investigation, or legal compliance, and is logged.
• We do not share, sell, or otherwise make your research data available to any third party except as necessary to provide the Service (e.g., cloud storage).
• Users are solely responsible for ensuring compliance with applicable data-protection regulations, IRB protocols, and patient-consent requirements before uploading human-subject data.
• If you believe you have uploaded data that may contain identifiable human-subject information in error, contact legal@cytohub.com immediately.

• Account information is retained for the duration of your account and up to 3 years after termination for legal and compliance purposes.
• Research datasets and analysis results are retained until you delete them. Soft-deleted records may remain in our backups for up to 90 days before permanent deletion.
• Billing records are retained for 7 years as required by applicable tax and accounting regulations.
• Usage logs are retained for up to 12 months.
• You may request deletion of your personal data (subject to legal retention obligations) by contacting legal@cytohub.com.

We use the following types of cookies:

• Strictly necessary cookies: session authentication tokens required for the Platform to function. These cannot be disabled.
• Analytics cookies: anonymised usage statistics via Vercel Analytics. These help us understand feature adoption and improve the Platform. You may opt out by blocking analytics cookies in your browser.
• Preference cookies: theme (light/dark mode) and UI preferences stored locally.

We do not use third-party advertising or cross-site tracking cookies.

We implement commercially reasonable administrative, technical, and physical safeguards to protect your information, including:

• TLS encryption for all data in transit.
• AES-256 encryption for data at rest in cloud storage.
• JWT-based authentication with RS256 signing.
• Role-based access controls and least-privilege infrastructure access.
• Regular dependency updates and security patching.
• Automated backups with point-in-time recovery.

No method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability or incident, please report it to legal@cytohub.com.

CytoHub is headquartered in the United States. If you access the Platform from outside the United States, your information may be transferred to and processed in the United States or other countries. We rely on appropriate safeguards — including Standard Contractual Clauses (SCCs) approved by the European Commission — for transfers of personal data from the EEA, UK, and Switzerland.

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure ('right to be forgotten'): request deletion of your personal data, subject to legal retention requirements.
• Restriction: request that we limit processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Lodge a complaint: with your local data-protection authority (e.g., the ICO in the UK, or a supervisory authority in your EU member state).

To exercise any of these rights, contact us at legal@cytohub.com. We will respond within 30 days (or as required by applicable law).

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to know what personal information we collect, use, disclose, and sell.
• Right to delete personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell personal information.
• Right to non-discrimination for exercising your privacy rights.

To submit a verifiable consumer request, contact us at legal@cytohub.com.

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a minor has provided us with personal information, contact us immediately at legal@cytohub.com and we will take steps to delete it.

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or prominent in-app notice at least 14 days before the changes take effect. The “Effective date” at the top of this page indicates when the current version was last revised. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

CytoHub Inc. is the data controller for personal information collected through the Platform. For privacy-related enquiries, requests, or complaints: