Privacy Policy

Effective Date: [Insert Date] | Version 4.1

This Privacy Policy governs the processing of personal and scientific data across the Skygenic Platform. It is incorporated by reference into the Skygenic Terms of Use and the SRL Governance Framework. In the event of conflict, the Terms of Use shall control. The SRL Governance Framework, incorporated herein by reference, provides the authoritative technical definitions of how user data is processed within the Scientific Reasoning Layer, including the Common Knowledge Threshold (CKT), Collective Discovery Signals (CDS), and the 70-scan inference architecture.

1. Definitions and Scope

"Platform": Skygenic systems, including SRL, AI models, scan engines, and analytical outputs, as further described in the SRL Governance Framework.

"SRL": The Scientific Reasoning Layer, Skygenic's network inference system. See SRL Governance Framework for full technical definitions.

"Scientific Signals": All derived outputs, including convergence, contradiction, confidence, and gap metrics.

"User Data": All account, scientific, and usage inputs submitted to the Platform.

"Report Outputs": Aggregated, non-reconstructable SRL outputs.

"Data Controller": Skygenic Inc. is the data controller under GDPR where applicable.

The Platform integrates public scientific data, private research inputs, system-generated network signals, and multi-scan analytical outputs (including up to 70 extensible scans). The SRL is a network inference system, not a deterministic truth engine or database.

2. Legal Basis for Processing

Where applicable, we process personal data under the following legal bases:

  • Performance of contract (Platform provision and account management).
  • Legitimate interests (scientific research, system operation, security, and improvement).
  • User consent (where expressly required by applicable law).
  • Legal obligation compliance.

Where multiple regulatory regimes apply (GDPR, LGPD, CPRA, PIPEDA, POPIA, APAC frameworks), we apply the highest reasonable privacy standard required for the user's jurisdiction.

3. Information We Collect

3.1 Account and Identity Data

  • Name
  • Email address
  • Institutional affiliation (if provided)
  • Authentication credentials
  • Billing and subscription data (if applicable)
  • Employer and professional information

3.2 Scientific and Research Inputs

Users may submit hypotheses, datasets, experimental results, structured biological or computational inputs, analytical queries, and SRL interaction history. Such inputs are treated as scientific signals and not as verified truth. They are not attributed to individuals in outputs and are processed within the SRL network inference system as described in the SRL Governance Framework.

3.3 System and Usage Data

We collect platform usage logs, system telemetry, feature interaction data, device and browser metadata, and strictly necessary session cookies (see Cookie Policy).

3.4 Derived SRL Network Signals

The Platform generates convergence signals, contradiction signals, confidence scores, gap classifications, and structural network metrics. These are derived from aggregated inputs, are non-attributable, and are non-reconstructable to individual users or datasets. See the SRL Governance Framework for a full description of signal generation, the CKT mechanism, and the CDS framework.

3.5 Genomic and Submitted Data

Users may submit genomic data and associated metadata ("Submitted Data"). Submitted Data shall only be provided in compliance with applicable laws and any applicable third-party agreements. Upon submission, users grant Skygenic the right to aggregate Submitted Data into non-identifying Aggregated Data and to use such Aggregated Data to improve the Platform. Where Submitted Data constitutes Protected Health Information, a Business Associate Agreement must be in place (see Section 11).

3.6 Payment Information

We may collect billing information including payment card details or bank transfer information. Skygenic does not store payment card information directly. Such information is processed by authorized third-party payment processors (which may include processors such as Stripe, Inc. or similar services) subject to their respective privacy and security policies. Payments may also be made via invoice and bank direct deposit, in which case only the information necessary to process the transaction is collected. By submitting payment information, you consent to its processing by our designated payment processor(s).

3.7 Automated Processing Disclosure

The Platform performs automated processing including statistical inference, graph-based scientific modeling, multi-scan evaluation, and semantic analysis. These may constitute automated profiling for scientific research purposes. However, no decision producing legal or similarly significant effects is made solely by automated processing without human interpretation.

4. How We Use Your Information

4.1 Platform Operation

  • Account management, authentication, and access control.
  • System execution and report generation.
  • Billing and payment processing.
  • Legal compliance.

4.2 Scientific Network Inference (SRL)

We process data to generate network-level scientific signals, mechanistic inference scores, convergence and contradiction detection, and gap identification. SRL outputs are scientific signals, not scientific truth. For the full technical description of how user data moves through the SRL, see the SRL Governance Framework.

4.3 Collaboration and Connectivity

Where explicitly enabled, blind collaboration signals, overlap detection, and optional connectivity pathways may be generated. No identity, dataset content, or attribution is disclosed without explicit user authorization.

4.4 System Improvement

We may use aggregated or de-identified data to improve SRL scan architecture, refine weighting and inference systems, enhance semantic agent performance, and improve system reliability.

4.5 Communications

We may send system notifications, research insights, and platform updates. Users may opt out of non-essential communications at any time by emailing opt-out@skygenic.com.

5. Data Classification and the SRL Governance Framework

Skygenic operates a structured data classification model. The full technical definitions of each classification tier, the Common Knowledge Threshold (CKT), and the Collective Discovery Signal (CDS) mechanism are set forth in the SRL Governance Framework, which is incorporated into this Privacy Policy by reference. A summary is provided below.

  • Public Data: Published literature, public datasets, preprints, and open repositories. May be cited, attributed, and directly integrated into SRL structure.
  • Private Data: User hypotheses, institutional datasets, and unpublished research. Remains non-attributable, is not exposed in raw form, and contributes only to aggregated network signals.
  • Common Knowledge Threshold (CKT): Private data may only transition into aggregated SRL structure when independently validated across multiple organizations or supported by public scientific data. Single-source repetition is insufficient.
  • Non-Verification Standard: User scientific inputs are not validated at ingestion, not verified for correctness, and not assumed to be true. They are processed solely as structured scientific signals.

6. Data Sharing and Disclosure

We do not sell personal data.

We may share data only in the following circumstances:

  • Service Providers: Cloud infrastructure providers (including Google Cloud Platform), payment processors, analytics providers, and security vendors, under appropriate data processing agreements.
  • Institutional Deployments: Governed by separate contractual agreements.
  • Legal Compliance: In response to valid legal requests, court orders, or regulatory obligations.
  • Corporate Transactions: In the event of a merger, acquisition, or asset transfer, personal data may be transferred as part of that transaction, subject to equivalent privacy protections.
  • With Your Consent: For any other purpose with your prior written consent.

Where data is shared with other users for collaborative research, such sharing is governed by user-controlled permission settings. Users are responsible for ensuring that any sharing of Protected Health Information complies with applicable law.

7. International Data Transfers

Data may be processed in the United States, European Union/EEA, United Kingdom, Canada, Brazil, Singapore, Australia, South Africa, and other jurisdictions. Safeguards for cross-border transfers include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.
  • Participation in the EU-U.S. Data Privacy Framework (DPF), where certified.
  • Adequacy decisions recognized under applicable law.
  • Encryption in transit and at rest.
  • Least-privilege access controls.

EU, UK, and Swiss individuals may direct privacy inquiries to dpo@skygenic.com. Unresolved complaints may be referred to JAMS Dispute Resolution (www.jamsadr.com), provided at no charge to the individual, as our designated independent recourse mechanism.

8. Data Security

Skygenic and its infrastructure partner, Google Cloud Platform, implement industry-standard security measures including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Role-based access control and least-privilege principles.
  • Audit logging retained for a minimum of six (6) years in compliance with HIPAA requirements.
  • Monitoring, intrusion detection, and incident response procedures.
  • OWASP Top 10 security risk prevention controls.
  • Physically secured data center infrastructure managed by Google Cloud Platform.

No system guarantees absolute security. Transmission of information via the internet is at your own risk. You are responsible for maintaining the confidentiality of your login credentials.

9. Data Retention

9.1 Account Data

Retained while your account is active. Upon verified written request, account information (name, email, phone number, employer) will be removed, subject to legal and technical constraints.

9.2 Research Contributions and Audit Logs

Scientific inputs may be retained for as long as necessary for SRL scientific and system integrity purposes. HIPAA-mandated audit logs are retained for a minimum of six (6) years and cannot be altered once created. Deletion requests apply to raw account data only and do not retroactively alter derived SRL network states already generated.

9.3 Submitted Data

It is your responsibility to remove data files from the Platform prior to account termination. Upon termination, data files not removed by the user will be deleted, subject to any applicable legal hold requirements.

10. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access: Request confirmation of whether we hold personal data about you and obtain a copy.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal and technical constraints (see Section 9).
  • Data Portability: Request your data in a structured, machine-readable format where applicable.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Opt-Out of Communications: Opt out of non-essential marketing communications.
  • California Residents — Do Not Sell/Share: California residents may request that we do not sell or share their personal information. We do not sell personal data. To exercise any opt-out right, contact opt-out@skygenic.com.

To exercise any of the above rights, please contact dpo@skygenic.com, or opt-out@skygenic.com for opt-out requests. We will respond within thirty (30) days of receiving a verifiable request, or within such other period as required by applicable law. We may require identity verification before processing requests.

11. Protected Health Information and HIPAA

You agree not to input or submit Protected Health Information (PHI) to the Platform unless a Business Associate Agreement (BAA) is in place with Skygenic. The BAA is available on our website. By creating a Skygenic user account, you are deemed to accept Skygenic's standard BAA unless a custom BAA has been separately executed. Custom BAA inquiries should be directed to legal@skygenic.com.

Skygenic acts as a Business Associate under HIPAA and maintains audit logs and security controls as required. Users, as Covered Entities or Business Associates, are responsible for ensuring that PHI is shared only with authorized personnel and that all applicable HIPAA obligations are fulfilled.

12. Children's Privacy

The Services are not intended for individuals under the age of 13 (or the applicable age of majority in the user's jurisdiction). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal data from a minor, we will delete it promptly. Contact dpo@skygenic.com if you believe we have collected data from a minor.

13. AI Systems and Network Signal Disclaimer

The Platform is a scientific infrastructure system. You acknowledge that outputs are probabilistic and non-deterministic; outputs are network-derived signals, not factual determinations; system behavior may change over time; all outputs are intended to generate scientific insight, not conclusions; and users are solely responsible for interpretation and validation. SRL outputs are aggregate network signals that are not individually attributable and may reflect incomplete or biased datasets. See the SRL Governance Framework for full technical disclosure.

14. No Clinical or High-Risk Use

The Platform must not be used for clinical diagnosis or treatment, patient care, regulatory submissions, medical decision-making, or safety-critical applications.

15. Third-Party Links and Services

The Services may contain links to third-party websites and resources. These links are provided for convenience only. Skygenic has no control over the contents of those sites and accepts no responsibility for them or for any loss or damage arising from their use. Accessing third-party websites is at your own risk and subject to the terms of those sites.

16. Copyright Infringement (DMCA)

If you believe that any content on the Platform infringes your copyright, please send a notice of copyright infringement to legal@skygenic.com including: (i) a description of the copyrighted work claimed to be infringed; (ii) identification of the infringing material; (iii) your contact information; (iv) a statement of good faith belief; and (v) a statement, made under penalty of perjury, that the information in the notice is accurate and that you are the copyright owner or authorized to act on their behalf. It is our policy to terminate the accounts of repeat infringers.

17. Accessibility

Skygenic is committed to making the Services accessible to users with disabilities. We strive to comply with applicable accessibility standards, including WCAG 2.1 guidelines where feasible. If you experience accessibility barriers, please contact info@skygenic.com.

18. Geographic Restrictions

Skygenic is based in the United States. We make no representation that the Services are appropriate or available outside the United States. Users who access the Services from outside the United States do so on their own initiative and are responsible for compliance with local laws. If your Submitted Data must be restricted to a specific geographic region, it is your responsibility to enable such restriction within the Platform.

19. Changes to This Policy

We may update this Privacy Policy at any time. The updated version will be posted with a revised effective date. For material changes, we will provide notice by: (i) posting a prominent notice on the website; and (ii) where you are a registered Platform user, displaying a notification banner at your next Platform login. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

20. Governing Framework Integration

This Privacy Policy is integrated with and subject to the Skygenic Terms of Use (controlling) and the SRL Governance Framework (technical specification). In the event of conflict between this Policy and the Terms of Use, the Terms of Use shall prevail.

21. Contact and Data Protection Officer

Appendix A — EU AI Act Transparency & System Disclosure

This Appendix is provided to align with EU AI Act transparency obligations (including Articles 12, 13, 14, and 50 where applicable) and supports the broader global AI compliance framework described in the SRL Governance Framework.

  • A.1 System Classification: The Platform is a scientific research AI-based inference system. It is not a clinical, legal, or safety-critical system and is not designated as a high-risk AI system under Annex III of the EU AI Act as of the effective date.
  • A.2 Nature of AI Processing: The SRL includes deterministic computational scans, statistical inference models, graph/network-based reasoning, and semantic agent-based analysis. Outputs represent probabilistic scientific inference.
  • A.3 Output Transparency: Outputs are generated via automated processing, may be incomplete or biased, and require expert interpretation.
  • A.4 Human Oversight: No output is intended for direct consequential use without human expert review and independent validation.
  • A.5 Data Usage for AI: Inputs may be processed for model inference, system improvement, and network signal generation. No personal data is used to produce individualized legal or significant effects.
  • A.6 Non-Substitution: The Platform does not replace scientific judgment, clinical expertise, or regulatory decision-making.
  • A.7 Classification Evolution: Risk classification may evolve depending on deployment context and jurisdiction.