BioPipeline Legal

Privacy Policy

How BioPipeline collects, uses, and protects your data.

Last updated: April 27, 2026

BioPipeline ("we", "our", or "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, where it is processed, and the controls available to you under GDPR and applicable data protection laws.

1. Information We Collect

1.1 Account Data

When you create an account, we collect:

  • Email address (required) — used for authentication, account recovery, and service notifications
  • Username (optional) — display name visible in your workspace
  • Password hash — securely stored using bcrypt (never stored in plaintext)
  • API key (optional) — if you generate one for programmatic access

1.2 Usage Data

We store pipeline run metadata to provide core features:

  • Plant species queries and target protein names
  • Docking run results (binding affinities, compound structures, ADMET predictions)
  • Saved compound bookmarks and notes
  • Run timestamps and execution metadata
  • Share links and visibility settings (public/private)

1.3 Technical Logs

We collect standard service logs for reliability, security, and debugging:

  • IP addresses (anonymized after 90 days)
  • Request paths and HTTP status codes
  • Response timing and error messages
  • User agent strings (browser/device info)
  • Rate limit violation attempts

1.4 Cookies and Local Storage

We use browser storage for:

  • Authentication tokens — session management (HttpOnly, Secure flags)
  • Theme preference — light/dark mode (localStorage key: biopipeline_theme)
  • UI state — sidebar expansion, last active page (non-sensitive)

See our Cookie Policy for full details.

2. How We Use Data

We process personal data for the following purposes:

  • Service provision — authenticate users, execute docking pipelines, display results
  • Storage and history — save your run history, bookmarked compounds, and workspace state
  • Abuse prevention — enforce rate limits (8 runs/month free, 30/month Pro, etc.)
  • Support — respond to technical issues and account inquiries
  • Legal compliance — fulfill tax, accounting, and regulatory obligations
  • Service improvement — aggregate usage statistics (no personally identifiable analysis)

Legal basis (GDPR):

  • Contract performance (Art. 6(1)(b)) — providing the service you signed up for
  • Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, service optimization
  • Consent (Art. 6(1)(a)) — for optional features like API key generation
  • Legal obligation (Art. 6(1)(c)) — tax records, DMCA compliance

3. Data Sharing and Processors

We do not sell personal data. We only share data with trusted service providers who process it on our behalf:

Service | Provider | Purpose | Data Location
Frontend Hosting | Vercel Inc. | Serve web app and static assets | United States (AWS)
Backend API | Railway Corp. | Execute docking pipelines | United States
Database & Auth | Supabase Inc. | Store account data and run history | United States (AWS us-east-1)
AI Insights (optional) | Groq Inc. | Generate pharmacology summaries | United States

All processors are contractually bound to GDPR-equivalent data protection standards. Data transfers to the U.S. rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

4. Data Security and Retention

4.1 Security Measures

We protect your data using:

  • Encryption in transit — TLS 1.3 for all HTTPS connections
  • Encryption at rest — AES-256 database encryption (Supabase default)
  • Access controls — Row-Level Security (RLS) policies on all tables
  • Password hashing — bcrypt with salt (industry standard)
  • Rate limiting — IP-based throttling to prevent brute-force attacks
  • JWT authentication — short-lived tokens (1 hour expiry)

4.2 Retention Periods

Data Type | Retention Period | Reason
Account data | While account is active | Service provision
Run history | While account is active | User access to past results
IP addresses (logs) | 90 days (then anonymized) | Security, abuse prevention
Deleted account data | 30 days (backups) | Disaster recovery
Financial records | 7 years after transaction | Tax law compliance

5. Your Rights (GDPR & CCPA)

You have the following rights regarding your personal data:

5.1 Access and Portability

  • Access — View your account data, run history, and saved compounds in your workspace
  • Export — Download results in CSV, JSON, or SDF format
  • Data portability — Request a full account data export (email privacy@biopipeline.online)

5.2 Correction and Deletion

  • Update — Change your username, email, or password in account settings
  • Delete — Permanently delete your account and all associated data (Settings → Delete Account)
  • Right to erasure — Request manual deletion by contacting privacy@biopipeline.online

5.3 Restriction and Objection

  • Restrict processing — Request temporary suspension of data processing (email required)
  • Object to processing — Opt out of non-essential data uses (e.g., aggregated analytics)
  • Withdraw consent — Revoke API key or other optional features at any time

5.4 Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal or significant effects. Docking predictions are scientific computations, not personal assessments.

5.5 Complaints

If you believe your data rights have been violated, you may lodge a complaint with your local data protection authority:

  • EU users — Contact your national DPA (list here)
  • UK users — Information Commissioner's Office (ICO)
  • California users — California Attorney General

6. International Data Transfers

BioPipeline is operated from the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) — EU-approved data transfer mechanisms
  • Data Processing Agreements (DPAs) — with all U.S. processors (Vercel, Railway, Supabase, Groq)
  • Encryption — data protected in transit and at rest

If you have concerns about international transfers, contact privacy@biopipeline.online.

7. Children's Privacy

BioPipeline is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

8. Changes to This Policy

We may update this policy to reflect service changes or legal requirements. Material changes will be notified via:

  • Email to your registered address (at least 30 days before effective date)
  • In-app notification banner
  • Updated "Last updated" date at the top of this page

Continued use after changes constitutes acceptance of the updated policy.

9. Contact and Data Controller

Data Controller:

BioPipeline
Email: privacy@biopipeline.online
Data Protection Officer: dpo@biopipeline.online

For general inquiries, see our Contact page.

10. Additional Information

10.1 Do Not Track

We respect Do Not Track (DNT) browser signals. If DNT is enabled, we do not set non-essential tracking cookies or analytics.

10.2 California Residents (CCPA)

California users have additional rights under CCPA:

  • Right to know — categories and specific pieces of personal data collected
  • Right to delete — request deletion of personal data (with exceptions for legal obligations)
  • Right to opt-out — we do not sell personal data, so no opt-out is required
  • Non-discrimination — we will not discriminate for exercising CCPA rights

To exercise CCPA rights, email privacy@biopipeline.online with "CCPA Request" in the subject line.

10.3 Nevada Residents

Nevada users may opt out of the sale of personal data. We do not sell personal data, but you may submit an opt-out request to privacy@biopipeline.online for confirmation.

© 2026 BioPipeline · Plant-to-Target Molecular Docking Platform