Privacy Policy

1. Who we are

This Privacy Policy explains how PharosBio ApS (“Pharos”, “we”, “us”, or “our”) collects, uses, and protects personal data when you use the Pharos platform, websites, and applications (together, the “Service”).

For the purposes of the EU General Data Protection Regulation (GDPR), Pharos is the “data controller” of the personal data described in this Policy.

• Company: PharosBio ApS, a company registered in Denmark (CVR no. 45192903)
• Registered address: Bryghuspladsen 8, 1473 København K, Denmark
• Privacy contact: bz@pharos.bio

2. Scope — your data and your responsibility

Pharos provides tools that let you run analyses on data you choose to upload, including life-science and experimental data (“User Content”).

You are responsible for the data you upload and for how you use the Service and its outputs. In particular:

• You retain full ownership of your User Content. Uploading it to the Service does not transfer ownership to us.
• You own the results, conclusions, and outputs generated from your User Content. Those outputs remain yours.
• You are responsible for ensuring you have the legal right to upload and process the data you submit, including any necessary consents or approvals where the data relates to identifiable individuals.
• You are responsible for evaluating and validating any results or analyses produced through the Service before relying on them. Outputs are provided for your use, and decisions you make based on them are your own.

No responsibility for User Content or results. To the maximum extent permitted by law, Pharos is not responsible or liable for the data you upload, the lawfulness of that data, or any analysis results, conclusions, or decisions derived from it. The Service is provided on an “as-is” basis as set out in our Terms of Service.

3. Personal data we collect

3.1 Information you provide

• Account and contact data: your name, email address, and login credentials when you register or contact us.
• Communications: messages and information you send when you contact support or correspond with us by email.

3.2 Enquiries and marketing — before you sign up

You can contact us, or ask to try our Hydra product, before registering for the Service. If you do, we collect your email address (and any details you choose to include in your message).

Purpose. We use this email address only to respond to your enquiry, give you access to a trial, and — where you have agreed — to send you marketing about Pharos and our products. We do not use it for any other purpose, and we do not sell it.

Your control. You can opt out of marketing at any time by clicking “unsubscribe” in any marketing email or by emailing us at bz@pharos.bio. Opting out of marketing does not stop us replying to a specific enquiry you have sent us.

3.3 Payment data

The Service operates on a pay-as-you-go basis. Credits (“tokens”) are purchased at a rate of 1 token per USD 1.00. Eligible beta users who enter a valid promotional code receive an additional 50 free credits.

Payments are processed by our payment provider, Stripe. Stripe collects and processes your payment-card and billing details directly; Pharos does not store full card numbers. We receive limited billing information such as your name, the last four digits of your card, transaction amounts, and payment status.

3.4 Usage and device data

When you use the Service, we automatically collect data about how you interact with it, including:

• which features and modes you use and how often;
• time spent in different parts of the application and navigation paths through it;
• conversation history — the interactions and prompts exchanged with the Service’s agents (see Section 4);
• technical and device data such as browser type, device information, log data, and cookie identifiers (see Section 9).

3.5 What we do NOT use for our own purposes

Your uploaded User Content stays yours. We do not use your uploaded life-science or experimental data files, or the results and conclusions derived from them, to train or improve our models or for any other purpose of our own. We process that content only to provide the Service to you, and it remains your intellectual property.

4. How we use conversation history to improve the Service

We only do this with your consent. We use conversation history — the flow of interactions between you and the Service’s agents — to evaluate how well our agents perform and to improve and retrain them. We rely on your consent for this, which you give by opting in (for example, by ticking the relevant box). We do not process your conversation history for these purposes unless you have opted in.

This is limited and specific:

• What we use: the conversational flow and metadata about agent behaviour — for example, the sequence of steps an agent took, whether a task succeeded or failed, and feedback you provide.
• What we do not use: your uploaded data files and the experimental results derived from them. These are excluded from evaluation and retraining.
• Why: to measure agent quality, debug failures, and retrain our systems so the Service becomes more accurate and useful.

Withdrawing your consent. You can withdraw your consent at any time by emailing us at bz@pharos.bio. Withdrawal is as easy as giving consent and stops any further use of your conversation history for evaluation and retraining. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew, and it does not affect your continued use of the Service.

5. Purposes and legal bases for processing

Under the GDPR we must have a legal basis for each use of your personal data. The list below summarises our purposes and bases.

• Provide and operate the Service (accounts, access, core features): performance of our contract with you — Art. 6(1)(b).
• Process payments and manage token balances and promo credits: performance of our contract — Art. 6(1)(b); and compliance with legal/accounting obligations — Art. 6(1)(c).
• Provide customer support and respond to enquiries: performance of our contract and our legitimate interests in supporting users — Art. 6(1)(b)/(f).
• Send marketing about Pharos and our products (including to people who enquire or try Hydra before signing up): your consent — Art. 6(1)(a). You can opt out at any time.
• Analyse general usage to operate and secure the Service: our legitimate interests in measuring, maintaining, and securing the Service — Art. 6(1)(f).
• Evaluate and retrain agents using conversation history: your consent — Art. 6(1)(a). We only do this if you have opted in, and you can withdraw at any time (see Section 4).
• Security, fraud prevention, and protecting the Service: our legitimate interests — Art. 6(1)(f).
• Comply with legal obligations: legal obligation — Art. 6(1)(c).
• Non-essential cookies and analytics: your consent — Art. 6(1)(a) (see Section 9).

6. Who we share data with

We do not sell your personal data. We share it only with:

• Cloud hosting: Amazon Web Services (AWS), which hosts the Service and stores data on servers located in Frankfurt, Germany (within the EU).
• Payments: Stripe, which processes payments and billing on our behalf.
• Other service providers (processors): trusted vendors who process data on our behalf and under contract, such as analytics and email providers. They may only use the data to provide services to us.
• Legal and safety: authorities or advisers where we are legally required to disclose data, or to establish, exercise, or defend legal claims.
• Business transfers: a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.

7. International data transfers

Your data is hosted in the EU. Pharos is based in Denmark, and we host the Service and store your account data and conversation history on AWS servers in Frankfurt, Germany — within the European Economic Area (EEA).

Some of our service providers (for example, Stripe) may process certain personal data, such as payment details, outside the EEA. Where personal data is transferred outside the EEA, we rely on appropriate safeguards — such as a European Commission adequacy decision or the EU Standard Contractual Clauses — to protect it. You can request more information about these safeguards using the contact details in Section 12.

8. How long we keep data

We keep personal data only as long as necessary for the purposes described in this Policy, and then delete or anonymise it. In general:

• Account data: for as long as your account is active, and for a reasonable period afterwards.
• Payment and billing records: as required by accounting and tax law (typically five years under Danish bookkeeping rules).
• Conversation history used for evaluation and retraining: up to 24 months from collection, after which it is deleted or anonymised. If you withdraw your consent earlier, we stop using it and delete it in line with that request.
• Uploaded User Content: for as long as needed to provide the Service to you, and deleted on your request or account closure.

9. Cookies and similar technologies

We use cookies and similar technologies to operate the Service, remember your preferences, keep you signed in, and understand how the Service is used. Some cookies are strictly necessary for the Service to function; others (such as analytics cookies) are optional and used only with your consent.

You can manage or withdraw your cookie consent at any time through our cookie banner or your browser settings.

10. Your data-protection rights

If you are in the EEA, you have the following rights over your personal data under the GDPR:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — ask us to delete your data (“right to be forgotten”), in certain circumstances.
• Restriction — ask us to limit how we use your data.
• Portability — receive your data in a portable format, or have it transmitted to another controller.
• Objection — object to processing based on our legitimate interests.
• Withdraw consent — where we rely on consent, including the use of conversation history to improve our agents, withdraw it at any time (by emailing bz@pharos.bio) without affecting processing carried out beforehand.

To exercise any of these rights, contact us at bz@pharos.bio. We will respond within one month, as required by the GDPR. You will not have to pay a fee unless your request is clearly unfounded or excessive.

11. How we protect your data

We host the Service with Amazon Web Services in Frankfurt, Germany, and use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse — including access controls, encryption in transit, and limiting access to data on a need-to-know basis. No system is completely secure, but we work to protect your information and will notify you and the relevant authority of a personal data breach where the law requires.

12. Contact us and complaints

If you have questions about this Policy or how we handle your data, contact us at bz@pharos.bio.

If you are in the EEA and believe we have not handled your data properly, you have the right to lodge a complaint with your local supervisory authority. In Denmark this is the Danish Data Protection Agency (Datatilsynet), www.datatilsynet.dk.

13. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you through the Service or by email and update the “Last updated” date above. We encourage you to review this Policy periodically.