Privacy Policy

1.1 Personal Data You Provide Directly

When you create an account, we collect your name, email address, and password. If you sign in through a third-party identity provider such as Google, we receive your name, email, and profile image from that provider. You may optionally provide your organization name and role.

When you contact us for support, we collect the content of your communications and any attachments you send.

1.2 Personal Data Received Automatically

When you use the Services, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, and timestamps. We collect this data through server logs and essential cookies.

1.3 API Usage Data

If you use the Rasyn API, we log request metadata including endpoint, HTTP status code, response latency, and the API key identifier used. We do not log the content of API request or response bodies.

Rasyn processes analytical chemistry data on your behalf. This section describes how we handle that data.

2.1 Uploaded Instrument Data

You may upload instrument files in formats such as mzML, CDF, JCAMP-DX, CSV, and others (“Your Scientific Data”). Your Scientific Data is processed by our automated pipeline — including machine-learning models for peak detection, baseline correction, and quality control — solely for the purpose of returning results to you.

2.2 Model Training

We do not use Your Scientific Data to train, improve, or fine-tune our machine-learning models unless you provide explicit, written opt-in consent through a separate research agreement. Default processing of Your Scientific Data is limited to providing the Services.

2.3 Processing Results

Outputs generated from Your Scientific Data — including detected peaks, quality-control findings, chromatographic baselines, and retrosynthetic routes — are stored in your account and treated with the same protections as Your Scientific Data.

2.4 Aggregated and De-identified Data

We may generate aggregated, anonymized statistics about platform usage (e.g., total datasets processed, average processing latency) that cannot be used to identify any individual or reconstruct any specific dataset. This aggregated data may be used for service improvement, benchmarking, and research publications.

We use your personal data for the following purposes:

• Providing the Services — to operate, maintain, and deliver the functionality of the platform, including processing your analytical data and returning results
• Authentication and security — to verify your identity, manage sessions, and detect unauthorized access
• Communications — to send transactional emails such as account verification, pipeline status notifications, and security alerts
• Service improvement — to monitor performance, diagnose errors, conduct capacity planning, and improve reliability
• Compliance — to comply with applicable laws, respond to legal process, and maintain audit trails as required for regulated environments

We do not sell your personal data. We do not use your data for advertising or behavioral profiling.

4.1 Service Providers

We share personal data with third-party service providers that assist us in operating the Services, subject to contractual obligations to protect your data:

• Amazon Web Services (AWS) — cloud infrastructure, compute, and storage
• Supabase — authentication and user management
• Google — OAuth single sign-on (if you choose to sign in with Google)

4.2 Legal Requirements

We may disclose personal data if required to do so by law, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or safety, or investigate potential violations of our Terms of Service.

4.3 Corporate Transactions

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

5.1 Retention

• Account data — retained for as long as your account is active
• Your Scientific Data and results — retained until you delete them or close your account
• Server logs and usage data — retained for 90 days
• Audit trail records — retained for 7 years (or as required by applicable regulations such as 21 CFR Part 11)

Upon account deletion, we remove your personal data within 30 days, except where longer retention is required by law or for legitimate compliance purposes.

5.2 Security Measures

We implement commercially reasonable technical and organizational measures to protect your data, including:

• Encryption at rest (AES-256) for all stored data
• Encryption in transit (TLS 1.2 or higher) for all network communications
• Role-based access controls with least-privilege IAM policies
• Tamper-evident audit logging with cryptographic hash-chain integrity
• Regular vulnerability assessments and dependency audits

No method of electronic storage or transmission is completely secure. While we strive to use commercially reasonable means, we cannot guarantee absolute security.

The Services are hosted on Amazon Web Services in the United States (us-east-1 region). If you access the Services from outside the United States, your personal data will be transferred to, stored, and processed in the United States. By using the Services, you consent to this transfer.

Where required by applicable law (such as the GDPR), we rely on appropriate transfer mechanisms including Standard Contractual Clauses approved by the European Commission. For enterprise customers requiring a Data Processing Addendum (DPA), please contact us at legal@rasyn.ai.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request that we correct inaccurate or incomplete data
• Deletion — request that we delete your personal data
• Portability — request your data in a structured, machine-readable format
• Objection — object to certain processing activities
• Restriction — request that we restrict processing of your data
• Withdrawal of consent — where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, email us at privacy@rasyn.ai. We will respond within 30 days (or sooner where required by applicable law). We may verify your identity before fulfilling your request.

We use essential cookies only to maintain your authentication session and remember your preferences. We do not use advertising cookies, analytics cookies, or third-party tracking pixels.

You may configure your browser to reject cookies, but this may prevent you from using certain features of the Services.

The Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@rasyn.ai.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Effective date” at the top of this page and, where appropriate, notify you by email or through the Services. Your continued use of the Services after any changes constitutes your acceptance of the revised policy.

Previous versions of this policy are available upon request.

If you have questions or concerns about this Privacy Policy or our data practices, please contact: