# Privacy Policy

**Version 1.0 - effective 01 June 2025**

_Last updated: 01 June 2025_

## 1. Who we are

**INSYSBIO UK LIMITED**

E-mail: [info@insysbio.com](mailto:info@insysbio.com)

We operate the Immune Response Template (**IRT**) web application at **https://irt.insysbio.com** (the **“Service”**). We are the **data controller** for all personal data described below.

## 2. What data we collect & why

| Category | Examples | Purpose | Legal basis (UK GDPR) |
|----------|----------|---------|-----------------------|
| **Account data** | Name, e-mail, phone number, employer, password hash | Create and maintain your account | Art. 6 (1)(b) – contract |
| **Authentication tokens** | AWS Cognito `idToken`, `accessToken`, `refreshToken`, `LastAuthUser` | Secure access to your workspace | Art. 6 (1)(b) |
| **Generated content** | QSP models, diagrams, comments | Provide the core modelling functionality | Art. 6 (1)(b) |
| **Usage & log data** | IP address, timestamps, HTTP headers, error traces | Security, debugging, abuse prevention | Art. 6 (1)(f) – legitimate interests |
| **Analytics data** | Google Analytics cookies (`_ga`, `_gid`, `_gat`) | Understand aggregate behaviour & improve the Service | Art. 6 (1)(a) – your consent via cookie banner |

We **do not** use your data for advertising or profiling.

## 3. Cookies & browser storage

The Service uses strictly-necessary storage (AWS Cognito tokens, cookie-banner preference) and, with your consent, analytics cookies. Full details are in our separate **[Cookie & Browser-Storage Policy](/legal/cookies)**.

## 4. How long we keep your data

| Data set | Retention rule |
|----------|----------------|
| Account & generated content | Stored **until you delete your account** or ask us to erase the data. |
| Server access logs | 90 days, then aggregated or deleted. |
| Authentication tokens | Max 30 days (refresh token) or on logout. |
| Google Analytics reports | 26 months, per GA retention setting. |

Back-ups containing your data are kept for **30 days** before automatic deletion.

## 5. Who can access your data

* **InSysBio staff** under confidentiality obligations.
* **Sub-processors** strictly for hosting and analytics:

| Provider | Location | Safeguard |
|----------|----------|-----------|
| Amazon Web Services | USA, eu-central-1 | Intra-group DPA & Standard Contractual Clauses |
| Google LLC (Analytics) | USA | EU/UK SCC + Google DPA |

No other third parties receive your personal data unless required by law.

## 6. International transfers

When you use the Service, certain data (e.g. log files, analytics) is processed on servers in the **United States**. Transfers rely on the **UK Addendum to EU Standard Contractual Clauses (2021/914/EU)** and supplementary technical measures (TLS in transit, AES-256 at rest).

## 7. Your rights

Under the UK GDPR you can:

* **Access** your personal data
* **Rectify** inaccurate data
* **Erase** data (“right to be forgotten”)
* **Restrict** or **object** to processing in certain cases
* **Port** data to another provider
* **Withdraw consent** at any time (analytics cookies)

Just e-mail us at **info@insysbio.com**. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

## 8. Security

* TLS 1.2/1.3 encryption for all traffic
* At-rest encryption (AES-256) on AWS EBS & S3
* Role-based access, MFA for admin accounts
* Automated vulnerability patching and periodic penetration testing

However, no system is 100 % secure; use the Service at your own risk.

## 9. Children

The Service is intended for users **18 years or older**. We do not knowingly collect data from minors.

## 10. Changes to this policy

We may update this document. Significant changes will be posted here and - if you have an account - announced by e-mail at least **14 days** before they take effect.
### Contact

> **INSYSBIO UK LIMITED**
> E-mail: [info@insysbio.com](mailto:info@insysbio.com)

If anything is unclear, let us know and we will clarify or supply the missing detail.