Privacy Policy

Effective Date: February 2026

ZM-BIOTECH, operating as BIIOtech ("we," "us," or "our"), is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and share information when you access or use the BIIOtech platform, including our bioinformatics analysis tools, data processing pipelines, and related services (collectively, the "Service").

We process personal data in accordance with the General Data Protection Regulation (GDPR), applicable EU and national data protection legislation, and other relevant privacy frameworks. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We collect the following categories of information to provide, maintain, and improve the Service:

Account Information: When you register for the Service, we collect your name, email address, institutional affiliation, role, and authentication credentials. If you are part of a team or organization, we may also collect your organizational role and permissions.

Scientific and Research Data: The Service enables you to upload, process, and analyze bioinformatics data, which may include genomic sequences, gene expression data, protein structures, variant annotations, metagenomic datasets, and other biological datasets. We treat all uploaded research data as confidential.

Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, analysis pipelines executed, timestamps, browser type, operating system, IP address, and referring URLs.

Device and Technical Data: We collect device identifiers, browser configuration, screen resolution, and network information to ensure compatibility and optimize performance.

Communications: When you contact our support team, submit feedback, or participate in surveys, we collect the content of those communications along with associated metadata.

2. How We Use Information

We use the information we collect for the following purposes, each supported by a lawful basis under Article 6 of the GDPR:

• Service Delivery (Contractual Necessity): To provide, operate, and maintain the bioinformatics platform, including executing analysis pipelines, rendering results, and managing your account.
• Security and Integrity (Legitimate Interest): To detect, prevent, and respond to fraud, unauthorized access, and other security incidents that may compromise the confidentiality of research data.
• Service Improvement (Legitimate Interest): To analyze usage patterns, diagnose technical issues, and develop new features and improvements to the platform.
• Communication (Contractual Necessity / Consent): To send service-related notices, such as maintenance alerts and security updates, and, where you have opted in, to send product updates and educational content.
• Compliance (Legal Obligation): To comply with applicable laws, regulations, and legal processes, including responding to lawful requests from public authorities.
• Aggregated Analytics (Legitimate Interest): To generate anonymized, aggregated statistics about platform usage. Aggregated data cannot be used to identify any individual user.

3. Data Storage and Security

We implement industry-standard technical and organizational measures to protect your personal data and research data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and the principle of least privilege for all internal systems.
• Regular security audits, vulnerability assessments, and penetration testing.
• Isolated compute environments for bioinformatics pipeline execution to ensure dataset segregation between users.
• Automated backup procedures with encrypted offsite storage and tested disaster recovery protocols.
• Employee access to personal data is limited to authorized personnel who require it for their job function, and all staff are bound by confidentiality obligations.

Your data is stored on secure servers located within the European Economic Area (EEA). If any data transfer outside the EEA is required, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.

4. Sharing of Information

We do not sell, rent, or trade your personal data or research data. We may share information only in the following limited circumstances:

• Service Providers: With trusted third-party vendors who assist us in operating the platform (e.g., cloud infrastructure providers, monitoring services). These providers are contractually obligated to process data solely on our behalf and in accordance with this policy.
• Organizational Administrators: If your account is managed by an institution or organization, designated administrators may have access to certain account and usage information as permitted by your organization's agreement with us.
• Legal Requirements: When required by law, regulation, or legal process, or to protect the rights, property, or safety of BIIOtech, our users, or the public.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections described in this policy.
• With Your Consent: We may share information with third parties when you have provided explicit consent to do so.

5. Data Retention

We retain your personal data and research data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained for the duration of your active account and for up to 12 months following account closure, unless deletion is requested sooner.
• Research Data: Uploaded datasets and analysis results are retained for the duration of your subscription. Upon account termination, research data is securely deleted within 90 days unless you request an earlier deletion or an export of your data.
• Usage Logs: Retained for up to 24 months for security and analytics purposes, then anonymized or deleted.
• Support Communications: Retained for up to 36 months from the date of resolution to ensure continuity of service.

6. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights with respect to your personal data:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to Restriction of Processing: You may request that we restrict the processing of your personal data under certain conditions.
• Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws.

To exercise any of these rights, please contact us at privacy@biiotech.com. We will respond to your request within 30 days as required by applicable law.

7. Cookies

We use cookies and similar tracking technologies to operate and improve the Service. Cookies are small text files stored on your device that help us recognize your browser and maintain your session.

• Essential Cookies: Required for core platform functionality, such as authentication, session management, and security. These cannot be disabled.
• Analytics Cookies: Used to collect anonymized usage data to help us understand how the Service is used and to identify areas for improvement. These are only activated with your consent.
• Preference Cookies: Used to remember your settings, such as language preference and display options. These are only activated with your consent.

You can manage your cookie preferences through the cookie consent banner presented upon first access to the Service, or through your browser settings at any time. Please note that disabling essential cookies may impair the functionality of the platform.

8. Scientific Data

BIIOtech is designed to process sensitive scientific data, including but not limited to genomic sequences, gene expression profiles, transcriptomic data, proteomic data, variant annotations, and metagenomic datasets. We recognize the sensitive nature of this data and apply the following specific protections:

• All uploaded scientific data remains the exclusive intellectual property of the data owner. BIIOtech does not claim any ownership rights over your research data.
• Scientific data is processed solely for the purpose of executing the analyses and pipelines you initiate. We do not use your research data for any other purpose, including training machine learning models, without your explicit written consent.
• Data isolation is enforced at the infrastructure level, ensuring that your datasets are not accessible by other users or organizations on the platform.
• If your research data includes or is derived from human-origin samples, you are responsible for ensuring that all applicable ethical approvals, informed consents, and institutional review board (IRB) or ethics committee authorizations have been obtained prior to uploading such data. BIIOtech does not process data classified as "special category" personal data under Article 9 of the GDPR (e.g., identifiable human genetic data) unless a valid legal basis has been established.
• You may request the complete and irreversible deletion of your scientific data at any time by contacting us at privacy@biiotech.com.

9. Children's Privacy

The Service is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete that information. If you believe that a child under 16 has provided personal data to us, please contact us at privacy@biiotech.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised effective date and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Service after any changes to this policy constitutes your acceptance of the updated terms.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

ZM-BIOTECH (BIIOtech)
Data Protection Inquiries
Email: privacy@biiotech.com

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to escalate your concern to the relevant data protection supervisory authority in your jurisdiction.