Privacy Policy

Last updated: March 2026

Introduction

inseit AG is committed to protecting your privacy. This privacy policy explains how our organization collects, uses, stores, and protects the personal data we process when you use the inseit Protein Suite platform.

inseit AG is established in Switzerland and processes personal data in compliance with the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and its implementing ordinance (DPO). Where users are located in the European Economic Area, we also comply with the EU General Data Protection Regulation (GDPR 2016/679) to the extent it applies.

Please read this policy carefully. By using the platform you acknowledge that you have read and understood this policy.

Data Controller

The data controller responsible for your personal data is:

inseit AG
Gesellschaftsstrasse 42, 3012 Bern, Switzerland
Email: privacy@inseit.ch
Phone: +41 76 769 88 13

Data Protection Officer: enquiries regarding data protection can be directed to the same contact details above. We will respond within the legally required timeframe.

What data do we collect?

We collect and process the following categories of personal data:

Account & identity data

  • Email address (used as unique account identifier)
  • Password (stored as a one-way bcrypt hash; the plaintext is never retained)
  • Account role (user, admin, super_admin) and subscription tier
  • Account status (active / inactive) and email-verification status
  • Date and time of account creation and last login
  • Notification preferences (analysis completion alerts, system updates, security alerts)

Billing data

  • Billing name, email address, and organisation
  • Billing postal address
  • Invoice history (tier selected, amounts, status, dates)
  • Payment is handled via bank transfer or other offline methods; we do not store card numbers or payment credentials.

Scientific / analysis data

  • Protein structure files (PDB format) uploaded by you for analysis
  • Analysis results, annotations, and metadata (protein names, descriptions, classifications, activity notes)
  • File names, file sizes, and upload timestamps
  • Protein group names and user-defined comments

Technical & security data

  • IP address of the connecting client
  • Browser type and version (User-Agent string)
  • HTTP request method, endpoint accessed, and response status code
  • Request duration and unique request identifiers
  • Session tokens (cryptographically random, stored as database-backed identifiers)
  • Password-reset and email-verification tokens (time-limited; expire after 24 hours)
  • Failed login attempts and other security events

Communication data

  • Support enquiries, feedback, and correspondence submitted to us
  • Contact-sales form submissions (name, email, organisation, message)

How do we collect your data?

Most data is collected directly from you when you:

  • Register for an account or update your profile
  • Submit protein structures for analysis
  • Complete a subscription request form (which triggers invoice generation)
  • Contact our support team or complete a feedback form
  • Log in to and use the platform

We also collect technical data automatically via our server-side audit logging system when you interact with the platform (IP address, User-Agent, request details). This logging is necessary for security monitoring and compliance purposes.

How will we use your data?

We use the data we collect to:

  • Provide the platform — process protein analysis requests, store results, manage accounts and subscriptions
  • Communicate with you — send email verification, password-reset links, analysis-completion notifications, and invoice PDFs
  • Manage billing — generate and send invoices, record payment status, and comply with accounting obligations
  • Ensure security — detect and respond to suspicious activity, prevent unauthorised access, and maintain audit trails
  • Improve the platform — analyse aggregated, anonymised usage patterns to identify issues and improve functionality
  • Comply with legal obligations — respond to lawful requests from authorities, meet accounting and tax requirements

We do not sell your personal data to third parties. We do not use your protein structure data or analysis results for model training or research without your explicit consent.

How do we store your data?

Your data is stored on servers located in Switzerland. All data in transit is protected using HTTPS/TLS encryption. Access to the underlying infrastructure is restricted to authorised personnel only, and access attempts are logged.

Data at rest is protected through operating-system-level access controls. We are working toward implementing full disk-level encryption on our database storage and will update this policy when that measure is in place.

Passwords are stored as one-way bcrypt hashes and are never recoverable in plaintext. Session tokens and password-reset tokens are generated using cryptographically secure random functions and are time-limited.

Multi-tenant isolation: each organisation's data is stored in a dedicated database file, logically separated from other tenants' data.

Data retention periods

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

Data category | Retention period | Basis
Account data (profile, preferences) | Duration of account; deleted on account closure | Contract performance
Analysis data (protein structures, results) | Duration of account or until you delete the data | Contract performance
Security / audit logs (IP, User-Agent, request logs) | 90 days | Legitimate interests (security)
Support correspondence | 2 years from last contact | Legitimate interests (quality assurance)
Invoice and billing records | 10 years (Swiss accounting law OR 61 Art. OR Code of Obligations) | Legal obligation
Email verification / password-reset tokens | 24 hours from issuance, then invalidated | Security

When you close your account, your account data and analysis data are deleted. Billing records required for legal compliance are retained for the statutory period even after account closure.

Who do we share your data with?

We do not sell your personal data. We share data with third parties only where necessary to operate the platform:

Recipient | Purpose | Data shared | Location
Email delivery provider (SMTP) | Transactional emails — verification, password reset, invoice delivery, analysis notifications | Email address, email content (which may include your name and invoice details) | Configured per deployment (see your account administrator)
Cloud infrastructure / hosting provider | Server hosting, storage | All data stored on the platform | Switzerland

All third-party processors are bound by data processing agreements that restrict how they may use your data and require them to implement appropriate technical and organisational security measures.

We may also disclose personal data where required by law, court order, or to protect the rights or safety of inseit AG or others.

International data transfers

Our primary data storage is located in Switzerland. The EU Commission has recognised Switzerland as providing an adequate level of data protection (adequacy decision). Transfers of personal data to EEA countries therefore benefit from that adequacy framework.

Where we use email delivery services whose infrastructure may be located outside Switzerland or the EEA, we ensure that appropriate safeguards are in place (e.g. Standard Contractual Clauses under GDPR, or equivalent mechanisms under the FADP) before transferring personal data.

You may request information about the specific safeguards we use for any particular transfer by contacting us at privacy@inseit.ch.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, inseit AG will:

  • Notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as reasonably possible and, where GDPR applies, within 72 hours of becoming aware of the breach (GDPR Art. 33)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34 / revFADP Art. 24)
  • Document all breaches internally, including those that do not meet the notification threshold

If you believe your personal data may have been compromised, please contact us immediately at privacy@inseit.ch.

Marketing

We will only send you marketing communications if you have explicitly opted in to receive them. We will never use your email address for unsolicited marketing.

You may withdraw consent for marketing at any time. To opt out, email us at privacy@inseit.ch or use the unsubscribe link included in any marketing email we send.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, and does not prevent us from sending transactional emails that are necessary to provide our services (e.g. invoice PDFs, analysis completion notifications).

Your data protection rights

Under the FADP and GDPR you have the following rights with respect to your personal data:

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right to rectification — You may request that we correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — You may request deletion of your personal data where there is no overriding legal basis for us to retain it. Note that billing records subject to statutory retention obligations cannot be deleted before the applicable period expires.
  • Right to restriction of processing — You may request that we restrict how we process your data in certain circumstances (e.g. while accuracy is disputed).
  • Right to object — You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to data portability — Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent — Where processing is based on consent (e.g. marketing), you may withdraw it at any time without affecting prior processing.

We will respond to all requests within one month. For complex or multiple requests we may extend this by a further two months, in which case we will notify you within the first month.

To exercise any of these rights, please contact us:

Email: privacy@inseit.ch
Phone: +41 76 769 88 13
Post: inseit AG, Gesellschaftsstrasse 42, 3012 Bern, Switzerland

You can also delete your account directly from the platform (Account Settings → Delete Account), which will immediately erase your account and analysis data.

Cookies

Cookies are small text files placed on your device by a website. We use cookies solely to provide the essential functionality of the platform. We do not currently use third-party analytics or advertising cookies.

For more general information about cookies, visit allaboutcookies.org.

Privacy policies of other websites

Our website may contain links to third-party websites or services. This privacy policy applies only to inseit Protein Suite. We have no control over the content or privacy practices of other websites and encourage you to read their privacy policies before providing any personal data.

Changes to our privacy policy

We keep this policy under regular review. The "Last updated" date at the top of this page reflects the most recent revision. We will notify you of material changes by email or by posting a prominent notice on the platform before the changes take effect.

Continued use of the platform after notification of material changes constitutes acceptance of the revised policy.

How to contact us

For any questions about this privacy policy, the data we hold, or to exercise your data protection rights, please contact us:

Email: privacy@inseit.ch
Phone: +41 76 769 88 13
Post: inseit AG, Gesellschaftsstrasse 42, 3012 Bern, Switzerland

How to contact the appropriate authorities

If you are not satisfied with how we have handled your privacy concern, you have the right to lodge a complaint with the competent supervisory authority.

Swiss supervisory authority

Federal Data Protection and Information Commissioner (FDPIC / EDÖB)
Email: info@edoeb.admin.ch
Post: Feldeggweg 1, 3003 Bern, Switzerland
Website: www.edoeb.admin.ch

EU supervisory authority

If you are based in the EEA and believe GDPR applies to your situation, you also have the right to complain to the supervisory authority in your country of residence or the authority where the alleged infringement occurred.