Privacy Policy

1.1 Account Information

When you create an account, we collect:

• Email address (required for account creation and authentication)
• Display name (your preferred name for the platform)
• Password (encrypted and never stored in plain text)
• Phone number (optional, for multi-factor authentication and notifications)
• Location/region (optional, for timezone and localisation)
• Profile photo URL (optional)

1.2 Company and Billing Information

For company accounts and billing purposes, we collect:

• Company name and industry
• Billing contact information (name, email, phone)
• Billing address (street address, city, region, postal code, country)
• Legal company name (if different from trading name)
• GST/VAT registration number (for tax purposes)
• Payment method information (processed securely by Stripe, we do not store full card details)

1.3 Service Usage Data

To provide and improve the Service, we collect:

• Sites, vessels, and test results you create and manage
• Schedules, certificates, and documents you upload
• User roles and permissions within your organisation
• Settings and preferences you configure
• Notifications you send and receive

1.4 Technical and Activity Data

For security, audit, and service improvement, we automatically collect:

• IP address (for all actions and login attempts)
• Browser type and version (user agent string)
• Device type and operating system
• Date and time of access
• Pages viewed and actions performed
• Referral source (how you arrived at our Service)
• Session duration and interaction patterns

1.5 Email Ingestion Data

If you use our email ingestion feature for test results, we process:

• Sender email address and name
• Recipient email address (your BioPortal inbox address)
• Email subject line
• Email body and attachments (PDF test reports)
• Email metadata (date sent, message ID)

1.6 Communications Data

When you contact us for support or enquiries, we collect:

• Your name and email address
• Content of your messages and support tickets
• Any files or screenshots you provide

2.1 Service Delivery

• Creating and managing your account
• Providing access to the BioPortal platform
• Processing and storing your test results and schedules
• Enabling collaboration between users in your organisation
• Processing payments and managing subscriptions
• Sending transactional emails (account verification, password resets, receipts)
• Providing customer support

2.2 Security and Compliance

• Authenticating your identity and managing access permissions
• Detecting and preventing fraud, abuse, and unauthorised access
• Maintaining audit logs for security investigations
• Enforcing our Terms of Service
• Complying with legal obligations and regulatory requirements

2.3 Service Improvement and Analytics

• Analysing usage patterns to improve platform performance
• Identifying and fixing bugs and technical issues
• Developing new features and enhancements
• Conducting research and analysis to improve user experience
• Generating aggregated, anonymised statistics

2.4 Communications (with your consent)

• Sending product updates and feature announcements
• Providing tips and educational content
• Notifying you of important service changes
• Marketing communications (you can opt out at any time)

3.1 Data Storage Infrastructure

Your data is stored using Google Cloud Platform and Firebase services:

• Primary region: Singapore (asia-southeast1) for hosting and functions
• Database region: Australia (australia-southeast1) for Firestore data
• Backup storage: Multi-region redundancy for data protection

3.2 Security Measures

We implement industry-standard security practices:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
• Encryption at rest: All data stored in our databases and file storage is encrypted
• Password security: Passwords are hashed using industry-standard algorithms (never stored in plain text)
• Multi-factor authentication: Optional 2FA/MFA available for all accounts
• Access controls: Role-based permissions and the principle of least privilege
• Security monitoring: Continuous monitoring for suspicious activity and security threats
• Regular audits: Periodic security assessments and vulnerability scanning

3.3 Data Isolation

Each company's data is logically isolated in our database. Users can only access data for companies they are explicitly authorised to view. Company administrators control user permissions within their organisation.

4.1 Essential Service Providers

• Google Cloud Platform / Firebase: Infrastructure hosting, database, authentication, and file storage. Data stored in Singapore and Australia regions.
• Stripe: Payment processing and subscription management. Stripe processes payment card details securely; we never see or store your full card number.
• SendGrid: Transactional and notification email delivery.
• OpenRouter / Anthropic: AI-powered document processing for extracting test results from PDF reports. Documents are processed securely and not retained by AI providers.

4.2 Third-Party Policies

Each third-party provider has their own privacy policy and terms of service. We recommend reviewing their policies:

• Google Cloud / Firebase: cloud.google.com/privacy
• Stripe: stripe.com/privacy
• SendGrid: twilio.com/legal/privacy
• Anthropic: anthropic.com/legal/privacy

4.3 Data Processing Agreements

We have data processing agreements in place with all third-party providers that handle personal information, ensuring they meet our privacy and security standards.

5.1 Right to Access

You have the right to request a copy of the personal information we hold about you. You can access most of your information directly through your account settings. For a complete data export, please contact us at privacy@bioportal.io.

5.2 Right to Correction

If any of your personal information is inaccurate, incomplete, or out of date, you have the right to request correction. Most information can be updated directly in your account settings. For assistance, contact privacy@bioportal.io.

5.3 Right to Deletion

You can request deletion of your personal information. However, we may retain certain data where we have a legal obligation to do so, including:

• Test results and compliance records (retained for 7 years for regulatory purposes)
• Audit logs and security records (retained for 7 years)
• Billing and tax records (retained for 7 years as required by law)
• Data required for dispute resolution or legal proceedings

To request deletion, contact privacy@bioportal.io. Personal identifiers will be removed after the required retention period.

5.4 Right to Complain

If you believe we have not handled your personal information appropriately, you have the right to lodge a complaint with the New Zealand Privacy Commissioner:

• Office of the Privacy Commissioner
• PO Box 10094, Wellington 6143, New Zealand
• Phone: 0800 803 909
• Email: enquiries@privacy.org.nz
• Website: privacy.org.nz

7.1 Within Your Organisation

Users within your company account can access data you create, subject to role-based permissions set by your company administrator.

7.2 Service Providers

We share data with third-party service providers (listed in Section 4) who help us deliver the Service. These providers are contractually obligated to protect your data and use it only for providing services to us.

7.3 Legal Obligations

We may disclose your information if required by law or in response to:

• Valid legal requests (court orders, subpoenas)
• Government or regulatory authority requests
• Emergency situations involving danger to life or health
• Enforcement of our Terms of Service
• Protection of our rights, property, or safety, or that of others

7.4 Business Transfers

If BioPortal is involved in a merger, acquisition, or sale of assets, your information may be transferred to the new owner. We will notify you before your information becomes subject to a different privacy policy.

9.1 Essential Cookies

Required for authentication, security, and core platform functionality. These cannot be disabled without preventing you from using the Service.

9.2 Analytics Cookies

Help us understand how users interact with the platform so we can improve it. We use Google Analytics with anonymised IP addresses.

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from using the Service.