Privacy Policy
Effective date: February 5, 2026 · Last updated: February 5, 2026
1. Introduction
This Privacy Policy ("Policy") explains how Inflexa, Inc. ("Inflexa," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal data when you access or use our website at inflexa.ai (the "Site"), our web-based scientific analysis platform (the "Platform"), and any related services (collectively, the "Services").
When we process personal data on behalf of an organization that has entered into a separate agreement with us (e.g., an Enterprise customer), we act as a data processor (or "service provider" under applicable U.S. privacy laws) and process that data in accordance with the customer’s instructions and the terms of that agreement. This Policy does not apply to data we process in our capacity as a data processor; the customer’s own privacy policy governs that processing.
By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Services.
2. Personal Data We Collect
2.1 Information You Provide Directly
- Account information. When you create an account, we collect your name and email address. Authentication is managed by our third-party identity provider, Auth0 (an Okta company); we do not store passwords on our servers. If you sign in via SSO / SAML (Enterprise plan), we receive your identity attributes from your organization’s identity provider.
- Payment information. If you purchase a paid plan, we collect billing details (such as company name, billing address, and payment card information). Payment card data is processed by our third-party payment processor and is not stored on our servers.
- Contact and communication data. When you submit a contact form, request a demo, or email us, we collect your name, email address, organization (if provided), and the content of your message.
- Scientific data. When you use the Platform, you may upload experimental datasets, including but not limited to count matrices, sequence files, sample metadata, clinical annotations, and analysis results (collectively, "Scientific Data"). Scientific Data may contain personal data (for example, clinical annotations or patient-level metadata).
- Feedback. If you provide feedback, ratings, or report issues, we collect the content of that feedback along with any associated account identifiers.
2.2 Information Collected Automatically
- Device and browser data. We collect your IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage data. We collect information about how you interact with the Services, including pages visited, features used, analysis workflows executed, timestamps, click paths, and referral URLs.
- Log data. Our servers automatically record information including your IP address, request timestamps, HTTP methods, response codes, and user-agent strings.
- Cookies and similar technologies. We use cookies and similar tracking technologies as described in Section 7.
2.3 AI Context Data
When you use the Platform’s AI-powered analysis features, prompts, queries, and data excerpts ("AI Context Data") are sent to our large language model ("LLM") provider to generate analysis plans, interpret results, and produce explanations. AI Context Data may include fragments of your Scientific Data, such as gene expression values, sample annotations, or summary statistics. We minimize the amount of raw data included in AI Context Data by sending summary statistics and representative samples rather than full datasets where possible. See Section 6 for details on our AI data practices.
2.4 Information We Do Not Collect
We do not knowingly collect biometric identifiers, religious or philosophical beliefs, trade union membership, sexual orientation, or data concerning criminal convictions, except to the extent such data is included in Scientific Data that you voluntarily upload to the Platform. We do not collect information from individuals under 18 (see Section 13).
3. How We Use Your Data
We use personal data for the following purposes:
- Providing and operating the Services. To create and manage your account, process your Scientific Data, run analyses, generate reports, and deliver results.
- Processing payments. To process subscriptions, issue invoices, and manage billing.
- Communicating with you. To respond to your inquiries, send service-related notices (e.g., maintenance schedules, security alerts), and, where you have opted in, promotional communications.
- Improving the Services. To analyze usage patterns, diagnose technical issues, and develop new features. We use aggregated and de-identified data for this purpose wherever possible.
- Safety and security. To detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service.
- Legal compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Audit and provenance. To maintain audit logs that trace every result to the input data, code version, analytical method, and parameter set used, supporting regulatory and reproducibility requirements.
We do not sell your personal data. We do not use your Scientific Data to train machine learning models.
4. Legal Bases for Processing
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation ("GDPR") and equivalent local laws:
- Performance of a contract. Processing necessary to provide you the Services you have requested (e.g., account creation, running analyses, generating reports).
- Legitimate interests. Processing necessary for our legitimate interests (e.g., improving the Services, ensuring security, preventing fraud), provided such interests are not overridden by your rights and freedoms.
- Consent. Where you have given explicit consent (e.g., for non-essential cookies or promotional communications). You may withdraw consent at any time by contacting us or adjusting your preferences.
- Legal obligation. Processing necessary to comply with applicable legal obligations (e.g., tax record-keeping, responding to lawful data requests).
5. Data Sharing and Disclosure
We do not sell personal data. We share personal data only in the following circumstances:
5.1 Subprocessors and Service Providers
We engage a limited number of third-party subprocessors to help us operate the Services. Each subprocessor is bound by contractual obligations to protect your data and use it only as instructed by us.
| Provider | Role | Access to Scientific Data |
|---|---|---|
| Amazon Web Services (AWS) | Primary cloud infrastructure | Yes, during processing (encrypted at rest and in transit) |
| Cloudflare | CDN and DDoS protection | No - sees only encrypted traffic |
| Anthropic | LLM provider | Yes - data excerpts included in AI Context Data (see Section 6) |
| Auth0 (Okta) | Authentication and identity management | No - receives only authentication credentials and identity attributes |
We do not use any subprocessors domiciled in China, and to our knowledge none of our subprocessors do either. We will notify Enterprise and Biotech customers before adding new subprocessors that access Scientific Data.
5.2 Organization Administrators
If your account is part of a Biotech or Enterprise organization, the organization’s administrator(s) may have access to your account information, usage data, and audit logs in accordance with that organization’s policies.
5.3 Shared Reports
The Platform allows you to share analysis reports via link. Shared reports are accessible to anyone with the link and do not require a login. You are responsible for the content of any reports you choose to share and for ensuring that sharing complies with applicable data protection obligations.
5.4 Legal Requirements and Safety
We may disclose personal data if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request.
- Enforce our Terms of Service or other agreements, including investigation of potential violations.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect the rights, property, or safety of Inflexa, our users, or the public as required or permitted by law.
5.5 Business Transfers
If Inflexa is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control and any choices you may have regarding your data.
6. AI and Large Language Model Processing
The Platform uses large language models to power conversational analysis agents that interpret results, suggest analytical approaches, generate code, and explain findings. Our sole LLM provider is Anthropic. All communication with Anthropic’s API is encrypted via TLS.
6.1 What Data Is Sent to the LLM
During analysis, prompts and data excerpts are transmitted to Anthropic’s API. This AI Context Data may include gene expression values, sample annotations, summary statistics, and other fragments of your Scientific Data necessary to produce meaningful analytical output. We minimize the volume of raw data sent by transmitting summary statistics and representative samples rather than complete datasets where possible. However, certain analyses require sending data excerpts (e.g., specific gene expression values or sample annotations) to produce accurate results.
6.2 How the LLM Provider Uses Your Data
Under our agreement with Anthropic, Anthropic does not use API inputs or outputs to train its models. Anthropic processes your data solely to serve your requests and in accordance with its own data processing terms.
6.3 Privacy Mode
Inflexa offers a "Privacy Mode" feature that controls whether AI Context Data may be retained by our LLM provider beyond serving the immediate request:
- When Privacy Mode is enabled: We enforce zero data retention with Anthropic. The LLM provider retains no prompt data and no response data, and does not log requests. Data is not used for model training or any purpose beyond serving the immediate request.
- Personal plan: Privacy Mode is not available.
- Biotech and Enterprise plans: Privacy Mode is on by default. Organization administrators may disable it.
When in doubt about the privacy status of any given request, our systems default to treating it as Privacy Mode enabled.
6.4 BYOC Deployments
In Bring Your Own Cloud ("BYOC") deployments (Enterprise plan only), the Inflexa application runs inside your own cloud account and your Scientific Data does not leave your virtual private cloud. However, AI Context Data (prompts and data excerpts sent to the LLM) must still transit to Anthropic’s API, which is the sole data flow that exits your infrastructure.
8. International Data Transfers
Inflexa is based in the United States and our primary infrastructure is hosted on AWS servers in the United States. If you access the Services from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those of your jurisdiction.
For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States or other countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs). We use the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) in our agreements with subprocessors.
- Data Processing Agreements. We maintain data processing agreements with all subprocessors that access personal data, requiring them to implement appropriate technical and organizational measures.
Customers on the BYOS (Bring Your Own Storage) plan may retain Scientific Data in the region of their choice by configuring their own cloud storage. BYOC customers retain full control over where their infrastructure is deployed.
9. Data Retention
We retain personal data only for as long as reasonably necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention practices:
- Account data. Retained for the duration of your account and for a reasonable period thereafter to fulfill legal obligations (e.g., tax and accounting records) and resolve disputes.
- Scientific Data (hosted storage). Retained for the duration of your account. Upon account deletion, Scientific Data is removed from active systems within 30 days. Backup copies are rotated on a 30-day cycle, after which deleted data is no longer recoverable.
- Scientific Data (BYOS). We store only metadata and pointers; your Scientific Data remains in your own storage. Upon account deletion, metadata and pointers are deleted. Your Scientific Data in your storage is unaffected.
- Scientific Data (BYOC). You retain full control. Upon account deletion, account and platform configuration are removed from Inflexa’s systems.
- Audit logs. Retained in accordance with your plan’s terms. Enterprise customers may configure custom retention periods.
- AI Context Data. When Privacy Mode is enabled, AI Context Data is not retained by our LLM provider beyond serving the immediate request. When Privacy Mode is disabled, retention is governed by Anthropic’s data processing terms.
- Analytics data. Aggregated usage analytics are retained for up to 24 months and are not linked to individual users after de-identification.
10. Data Security
We implement commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include but are not limited to:
- Encryption in transit. All data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using TLS 1.2 or higher.
- Encryption at rest. Scientific Data and other sensitive data stored on our infrastructure are encrypted using AES-256 via AWS-managed encryption keys. BYOS and BYOC customers manage their own encryption keys.
- Access controls. We enforce least-privilege access, multi-factor authentication for all cloud provider accounts, and role-based access control for Platform users. Projects and datasets are scoped to organizations with no cross-tenant access.
- Network security. Production infrastructure uses virtual private clouds, security groups, and network-level controls. DDoS protection is provided by Cloudflare.
- Audit logging. All user actions and system events are logged. Audit records are cryptographically signed and tamper-evident.
- Compliance. We are pursuing SOC 2 Type II certification and building an ISO 27001:2022-compliant information security management system. Enterprise customers may request a HIPAA Business Associate Agreement or 21 CFR Part 11 validation support.
No method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. We are transparent about where we are in our security maturity journey and will update these measures as our program evolves.
To report a security vulnerability, please contact security@inflexa.ai. We will acknowledge receipt within 3 business days and provide an initial assessment within 10 business days.
11. Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@inflexa.ai.
11.1 Rights Under the GDPR (EEA, UK, Switzerland)
- Right of access. You may request a copy of the personal data we hold about you.
- Right to rectification. You may request that we correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"). You may request deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance or the defense of legal claims).
- Right to restriction of processing. You may request that we restrict processing of your personal data under certain circumstances.
- Right to data portability. You may request that we provide your personal data in a structured, commonly used, and machine-readable format.
- Right to object. You may object to processing based on legitimate interests, including profiling. You may also object to processing for direct marketing purposes at any time.
- Right to withdraw consent. Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
- Right not to be subject to automated decision-making. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. Inflexa does not make automated decisions about individuals that produce legal effects.
- Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority.
11.2 Rights Under U.S. State Privacy Laws (CCPA / CPRA and Similar)
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another U.S. state with an applicable consumer privacy law, you may have the following rights:
- Right to know. You may request that we disclose the categories and specific pieces of personal data we have collected about you, the categories of sources, the business or commercial purpose for collecting the data, and the categories of third parties with whom we share it.
- Right to delete. You may request that we delete your personal data, subject to certain exceptions.
- Right to correct. You may request that we correct inaccurate personal data.
- Right to opt out of sale or sharing. We do not sell personal data and do not share personal data for cross-context behavioral advertising.
- Right to non-discrimination. We will not discriminate against you for exercising any of your privacy rights.
To submit a verifiable consumer request, please contact us at privacy@inflexa.ai. We will verify your identity before fulfilling your request by matching information you provide against information we maintain. You may also designate an authorized agent to make a request on your behalf.
In the preceding twelve months, we have collected the following categories of personal data: identifiers (name, email, IP address); commercial information (billing records, subscription plans); internet or electronic network activity (usage data, log data); and professional or employment-related information (organization name). We have not sold any category of personal data and have not shared any category of personal data for cross-context behavioral advertising.
11.3 Data Export
You may export all of your results, code, and provenance metadata from the Platform at any time in standard, open formats. We do not impose data lock-in.
12. Account and Data Deletion
You may request deletion of your account and associated data by contacting support@inflexa.ai. Upon receiving a verified deletion request:
- All platform metadata, analysis configurations, and stored results will be permanently removed from active systems within 30 days.
- Backup copies are rotated on a 30-day cycle, after which deleted data is no longer recoverable.
- BYOS customers: Metadata and pointers held by Inflexa are deleted. Scientific Data stored in your own storage is unaffected.
- BYOC customers: You retain full control of your infrastructure. Account and platform configuration are removed from Inflexa’s systems.
Certain data may be retained beyond the deletion timeline where required by law (e.g., billing records for tax purposes) or to resolve pending disputes or enforce our agreements.
13. Children's Privacy
The Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe a child under 18 has provided personal data to us, please contact us at privacy@inflexa.ai.
14. Third-Party Links
The Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policy of every site you visit.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the revised Policy on the Site with an updated "Last updated" date and, where required by law, by providing additional notice (such as an email notification or an in-Platform banner). We encourage you to review this Policy periodically.
Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree with any changes, you should discontinue use of the Services and request deletion of your account.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@inflexa.ai
- Legal questions: legal@inflexa.ai
- Security questions or vulnerability reports: security@inflexa.ai
- Account deletion: support@inflexa.ai
- General inquiries: hello@inflexa.ai
Inflexa, Inc.