1. Who we are

SiMologics SmartAntibody Platform ("we", "us") is operated by SiMologics. We act as the data controller for personal account data (email address, hashed credentials, subscription tier) and as data processor for any antibody sequences, CSV files, and analysis results that you submit. This policy explains what we store, where, and for how long.

Payments. Card payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Your card details are entered on Stripe's hosted checkout and are never sent to, seen by, or stored on our servers — we retain only a non-sensitive Stripe customer reference and your subscription status. Stripe's handling of payment data is governed by Stripe's own privacy policy.

2. Data residency

All customer data — submitted antibody sequences, uploaded CSV files, generated results, job records, and application logs — is stored and processed exclusively in Amazon Web Services eu-west-2 (London, United Kingdom). No customer data leaves the UK region.

Amazon CloudFront is used only as a global content delivery network for the static frontend assets (HTML, JavaScript, CSS, images) so that pages load quickly worldwide. API requests, authentication, model inference, and database operations are routed to eu-west-2 only and are not cached or processed at CloudFront edge locations.

3. What we store and for how long

Retention rules apply uniformly to every submission type — single-sequence, non-batch, and batch jobs alike — and are enforced automatically by AWS-managed lifecycle mechanisms:

• Uploaded CSV files — deleted automatically after 7 days (S3 lifecycle policy).

• Generated analysis results — deleted automatically after 30 days (S3 lifecycle policy).

• Job records (job ID, status, timestamps, operation type) — deleted automatically after 180 days (DynamoDB time-to-live).

• Application logs in CloudWatch — retained for 90 days then deleted.

• Usage counters (monthly request and batch totals per account) — retained for 70 days after the relevant billing month.

• Account records (email, hashed credentials, subscription tier) — retained while the account is active, deleted within 30 days of account closure.

We do not use customer-submitted sequences to train or fine-tune our models. We do not share customer data with third parties for marketing.

4. Security

• All traffic is encrypted in transit (HTTPS / TLS 1.2+).

• All data at rest in S3 and DynamoDB is encrypted using AWS-managed keys.

• Authentication is handled by Amazon Cognito with industry-standard JWT access tokens.

• S3 buckets are not publicly readable; access is restricted via CloudFront Origin Access Control or signed application requests.

5. Your rights

You have the right to access, correct, export, or delete your personal data and any submitted sequences or results at any time, ahead of the automatic retention windows above. To exercise these rights, email privacy@simologics.co.uk from the address associated with your account.

For complaints about how we handle personal data, you can also contact the UK Information Commissioner's Office (ICO) at ico.org.uk.

6. Cookies and local storage

We use browser localStorage to hold your Cognito authentication tokens so that you stay signed in between visits, and to remember your theme preference (light/dark mode). We do not use third-party advertising or tracking cookies.

7. Changes to this policy

We will update this page if our data handling practices change and update the "Last updated" date above. Material changes will be highlighted on the dashboard the next time you sign in.