Privacy Policy
Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
1. Controller
The controller responsible for the processing of personal data on this website is:
Alexander Pekarsky
Austria (postal address available on request to legal@bioproguide.com)
Email: privacy@bioproguide.com
2. Scope and summary
This Privacy Policy applies to the website bioproguide.com and to all related sub-pages and services provided thereunder (collectively, the "Service"). It explains what personal data we collect, why we collect it, with whom we share it, and what rights you have.
3. Data we collect
3.1 Account data (collected when you register)
- Email address.
- A one-way cryptographic hash of your password (if you choose email/password registration). Your plain-text password is never stored or transmitted to us in a recoverable form.
- OAuth provider identifier and email (if you register via Google, Microsoft, or ORCID).
- Account creation timestamp, email verification status, and last login timestamp.
3.2 Usage data
- A daily tool-usage counter per account, used solely to enforce the fair-use rate limit (currently ten generations per 24 hours). We do not record what you did — only a count.
3.3 Server-side logs
Our hosting provider (Vercel) automatically logs standard HTTP request metadata for security and abuse prevention:
- IP address
- User agent (browser / device identifier)
- Request timestamp and requested resource
These logs are retained for up to 30 days and are accessed only for security investigations.
3.4 Analytics
We use a privacy-friendly analytics tool (Plausible Analytics, EU-hosted) that collects aggregated, cookie-less pageview counts and referrer data. No personal data is transmitted, IP addresses are anonymised, and no cross-site tracking occurs.
3.5 Bot protection
During signup, we use hCaptcha to verify that you are a human. hCaptcha processes technical data (IP address, browser signals, cookies set by Intuition Machines, Inc.) for this purpose. See the hCaptcha Privacy Policy at https://www.hcaptcha.com/privacy.
3.6 What we do NOT collect
- Protein sequences, amino-acid data, FASTA files, structural models, or any bioprocess data you enter into the tool.
- Outputs generated by the BioProGuide tool (all predictions, recommendations, tables, charts).
- Advertising identifiers or tracking cookies.
- Any sensitive categories of personal data (Art. 9 GDPR).
4. Purposes and legal bases
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Data processed | Legal basis (GDPR) |
|---|---|---|
| Account management | Email, OAuth identifier, hashed password | Art. 6(1)(b) — performance of contract |
| Email verification | Email, verification token | Art. 6(1)(b) — performance of contract |
| Rate-limit enforcement | User ID, daily usage counter | Art. 6(1)(f) — legitimate interest (fair use) |
| Bot prevention | IP address, browser signals (hCaptcha) | Art. 6(1)(f) — legitimate interest (security) |
| Server-side security logs | IP address, user agent, timestamp | Art. 6(1)(f) — legitimate interest (security) |
| Aggregated analytics | Pageview counts, referrer, country (anonymised) | Art. 6(1)(f) — legitimate interest (service improvement) |
| Service communications | Email, message content | Art. 6(1)(b) / (f) — contract / legitimate interest |
5. Retention
- Account data: for the duration of your account, plus up to 90 days after deletion (to allow recovery of accidental deletions and to meet accounting/audit obligations).
- Server logs: up to 30 days.
- Analytics data: up to 24 months, in aggregated form only.
- Rate-limit counters: a rolling 24-hour window, automatically reset.
6. Recipients and sub-processors
We do not sell or rent personal data. We share personal data only with the sub-processors listed below, each of which is bound by a data-processing agreement (DPA) and processes data only on our instructions.
| Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Vercel Inc. | USA | Website hosting, CDN, server-side request logs | EU Standard Contractual Clauses; EU-US Data Privacy Framework |
| Supabase Inc. | Germany (Frankfurt region) | Authentication, user account database, session management | EU hosting; Data Processing Agreement in place |
| Resend Inc. | USA | Transactional email delivery (verification, password reset) | EU Standard Contractual Clauses |
| Intuition Machines, Inc. (hCaptcha) | USA | Bot and abuse prevention on signup forms | EU Standard Contractual Clauses |
| Plausible Analytics | Germany / EU | Privacy-friendly, cookie-less aggregated analytics | EU hosting; no personal data or cross-site tracking |
| Proton AG | Switzerland | Inbound email hosting for info@/privacy@/legal@bioproguide.com | Swiss DPA (adequate under Art. 45 GDPR); end-to-end encrypted where supported |
| Formspree Inc. | USA | Pre-launch waitlist signup-form handling | EU Standard Contractual Clauses |
7. International transfers
Where a processor is located outside the European Economic Area (EEA), transfers are safeguarded by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR and, where applicable, by certification under the EU-US Data Privacy Framework or an adequacy decision under Art. 45 GDPR.
8. Your rights
Under the GDPR you have the following rights:
- Right of access (Art. 15): you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): you may request correction of inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17): you may request deletion of your data.
- Right to restriction (Art. 18): you may request that we limit processing in certain cases.
- Right to data portability (Art. 20): you may request a machine-readable copy of your data.
- Right to object (Art. 21): you may object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time with effect for the future.
You can exercise these rights by emailing privacy@bioproguide.com. You may also delete your account at any time from your account settings page; account deletion triggers the erasure of associated personal data within the retention limits described in Section 5.
9. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Austria is:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
Email: dsb@dsb.gv.at · Web: https://www.dsb.gv.at
10. Security
We implement reasonable technical and organisational measures to protect your personal data, including:
- HTTPS-only connections (TLS 1.2+).
- One-way password hashing (bcrypt / argon2) performed by our authentication provider.
- Mandatory email verification before account activation.
- Rate limiting and bot protection on authentication endpoints.
- EU-hosted authentication database with access restricted to authorised personnel.
- Regular security updates to hosting and authentication infrastructure.
11. Cookies
We use only strictly necessary cookies required for the authentication session (so that you remain logged in across page loads). We do not use advertising, profiling, or cross-site tracking cookies. Because no non-essential cookies are used, no cookie consent banner is required under the EU ePrivacy Directive. Our analytics tool is cookie-less.
12. Children
The Service is not directed at individuals under the age of 16. If you are under 16, please do not register for or use the Service. If we become aware that a child under 16 has provided us with personal data, we will delete the account.
13. Automated decision-making
The tool performs automated scientific computations at your request, but does not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is always published at bioproguide.com/privacy with the revision date. Material changes will additionally be communicated by email to registered users at least 14 days before they take effect.
15. Contact
Questions about this Privacy Policy or data-protection matters: privacy@bioproguide.com