aitios® Privacy Notice

Last updated: March 2026

This Privacy Notice explains how aitiologic GmbH ("aitiologic", "we", "us", or "our") collects, uses, and protects personal data when you use the aitios® platform, associated websites operated by aitiologic, and related services (collectively, the "Services").

This notice applies where aitiologic acts as the controller of personal data under the EU General Data Protection Regulation (GDPR).

For certain data processed through the platform, including research datasets uploaded by users, aitiologic may act as a processor on behalf of customers or users of the Services.

1. Controller Information

The controller responsible for processing personal data under this notice is:

aitiologic GmbH
Karl-Farkas-Gasse 18
Vienna, Austria
Email: privacy@aitiologic.com

2. Roles in Data Processing

Depending on the context, aitiologic may act as either:

Controller

For example, when we process personal data related to:

  • user accounts
  • website operation
  • platform administration
  • communications with users
  • service security and monitoring

Processor

Users of the Services may upload datasets that contain personal data, including potentially genomic or health-related data.

In those situations:

  • the user or organization uploading the data is the controller
  • aitiologic acts as a processor and processes the data only on their instructions

Users are responsible for ensuring that any data uploaded to the Services:

  • is collected lawfully
  • is supported by an appropriate legal basis or consent
  • complies with applicable research and data protection laws
  • complies with the Terms of Service

3. Personal Data We Collect

We may collect the following categories of personal data.

Account Information

When you create or use an account, we may collect:

  • name
  • company or organization name
  • job title
  • email address
  • postal address
  • telephone number

Usage and Technical Data

When you access the Services, we may automatically collect:

  • IP address
  • browser type and version
  • operating system
  • device information
  • referring URLs
  • usage logs
  • interaction with platform features

This information helps us operate, maintain, and secure the Services.

Data Uploaded to the Platform

Users may upload datasets to the Services, including:

  • genomic sequence data (DNA, RNA, etc.)
  • metadata related to samples
  • research data associated with those sequences
  • other software or reference data uploaded for use with the Services

Such datasets may contain personal data or sensitive data, depending on how they were collected and prepared by the user.

aitiologic processes such datasets only on behalf of the user or organization controlling the data.

4. Important Considerations for Health and Genomic Data

The Services may be used in research or clinical contexts involving genomic and biological data.

Such data may qualify as:

  • special category personal data under GDPR (Article 9)
  • health data
  • genetic data
  • Protected Health Information (PHI) under certain regulatory frameworks such as HIPAA

When uploading such data, users must ensure that:

  • appropriate legal bases and ethical approvals exist
  • necessary informed consent has been obtained
  • data protection and research regulations are respected
  • data is pseudonymized or anonymized where appropriate
  • applicable cross-border data transfer rules are satisfied

aitiologic does not independently verify consent or ethical approval for uploaded datasets and relies on the user controlling the data to ensure compliance.

Organizations intending to upload PHI or other regulated health data should ensure appropriate contractual, regulatory, and security arrangements are in place before doing so.

For high-risk or regulated processing, consultation with legal or regulatory advisors may be appropriate.

5. How We Use Personal Data

We process personal data for the following purposes.

| Purpose | Personal Data | Legal Basis |
|---|---|---|
| Providing and operating the Services | account information, usage data | Contract performance (Art. 6(1)(b)) |
| Account administration | account information | Contract performance (Art. 6(1)(b)) |
| Service security and fraud prevention | usage logs, IP address | Legitimate interests (Art. 6(1)(f)) |
| Platform maintenance and improvement | usage data | Legitimate interests (Art. 6(1)(f)) |
| Communications about service updates | contact information | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | account and transaction data | Legal obligations (Art. 6(1)(c)) |

Where required by law, we may request consent for certain processing activities such as optional cookies.

6. Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve the Services.

Cookies may include:

Essential cookies

Required for authentication, security, and core functionality of the Services.

Analytics or performance cookies

Used to understand how users interact with the Services and improve functionality.

Where required by applicable law, non-essential cookies are only used with your consent.

You may control cookies through your browser settings or through the cookie preferences on our website.

7. Sharing of Personal Data

We may share personal data with the following categories of recipients.

Infrastructure and Hosting Providers

Providers that host and operate the infrastructure supporting the Services, including cloud providers. Example: Amazon Web Services (AWS).

Technical Service Providers

Providers supporting platform operation such as:

  • authentication services
  • system monitoring
  • logging and infrastructure management
  • email delivery services

Additional information about our subprocessors is available on the Subprocessors page.

These providers process personal data only on our behalf and under contractual safeguards.

Business Transfers

If aitiologic undergoes a merger, acquisition, restructuring, or asset sale, personal data may be transferred as part of that transaction subject to applicable confidentiality obligations.

8. International Data Transfers

aitiologic primarily stores data within the European Economic Area (EEA).

Our infrastructure is currently located in:

  • Vienna, Austria
  • Frankfurt, Germany

If personal data is transferred outside the EEA, we ensure that appropriate safeguards are implemented, such as:

  • European Commission Standard Contractual Clauses
  • other lawful transfer mechanisms under GDPR

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this notice.

Typical retention periods include:

  • Account data: retained while the account remains active
  • Service logs: retained for limited periods necessary for security and debugging
  • Operational records: retained as required for legal, contractual, or compliance obligations

Data uploaded to the Services is retained according to the instructions of the customer or user controlling the dataset.

10. Security Measures

We implement appropriate technical and organisational measures designed to protect personal data against:

  • unauthorized access
  • loss
  • misuse
  • alteration
  • disclosure

These measures include infrastructure security controls, access management, and operational monitoring.

11. Your Data Protection Rights

Under GDPR, you may have the following rights:

  • Right of access - obtain a copy of your personal data
  • Right to rectification - correct inaccurate or incomplete data
  • Right to erasure - request deletion of your data under certain conditions
  • Right to restrict processing - limit how your data is used
  • Right to object - object to processing based on legitimate interests
  • Right to data portability - receive your data in a structured format
  • Right to withdraw consent - where processing relies on consent

To exercise these rights, contact us at privacy@aitiologic.com.

We will respond to requests within one month, as required by GDPR.

12. Right to Lodge a Complaint

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with a supervisory authority.

In Austria, the competent authority is:

Austrian Data Protection Authority (Datenschutzbehoerde)
Barichgasse 40-42
1030 Vienna
Austria

Website: www.dsb.gv.at

You may also contact the supervisory authority in the EU Member State where you reside or work.

13. Third-Party Websites

The Services may contain links to third-party websites or services.

aitiologic is not responsible for the privacy practices of these third parties. Users should review the privacy policies of those services before providing personal data.

14. Changes to this Privacy Notice

We may update this Privacy Notice from time to time.

Material changes will be communicated by posting the updated notice on the Services and updating the "Last updated" date at the top of this page.

15. Contact

For questions about this Privacy Notice or our data protection practices, please contact:

privacy@aitiologic.com