Privacy Policy
Privacy Policy
1) Who We Are and Scope
This Privacy Policy explains how One Zyme, Inc. (“One Zyme,” “we,” “us,” or “our”) collects,
uses, discloses, and protects information in connection with our websites, applications, and
services that analyze and synthesize life‑sciences data for pharma business development and
competitive intelligence (the “Services”). This Policy covers:
• Site Data: information collected on our websites and marketing properties.
• Service Data: information processed within the Services for customers.
• Business Contact Data: professional contact details we process for B2B outreach.
If you have an agreement with us (e.g., a Pilot or Master Services Agreement), that agreement
controls to the extent of any conflict with this Policy.
2) Our Roles
• For Service Data that customers or their users submit or connect (e.g., documents,
prompts, dataset connectors), we act as a processor/service provider to the customer (the
“Controller/Business”).
• For Site Data and Business Contact Data, we act as a controller/business.
3) Information We Collect
A. You Provide
• Account & Profile: name, business email, company, role, password.
• Customer Content (“Inputs”): prompts, feedback, and other material or information
you submit to or connect with the Services.
• Communications: support requests, survey responses, call/meeting notes.
• Billing: billing contact details, bank information.
B. Automatically Collected
• Usage & Log Data: feature usage, timestamps.• Device & Technical Data: IP address, browser/OS, SDK versions, telemetry.
• Cookies & Similar Tech: see Cookies section below.
C. From Third Parties
• Public & Licensed Sources: scientific publications, private data purchased from various
data providers, clinical trial registries, patents, regulatory filings, conference abstracts,
company websites, and a range of other sources, subject to their terms.
• Business Contact Data: professional contact details from B2B data providers or public
sources (e.g., corporate websites, conference programs).
Sensitive Information: Our Services are not designed to process Protected Health Information
(PHI). Do not submit PHI or other sensitive data unless we have a separate written agreement
(e.g., BAA) permitting such processing.
4) How We Use Information
• Provide and Operate the Services: authenticate users, process inputs, generate Outputs
(“Outputs”), maintain/secure the platform, and provide support.
• Improve and Develop: enhance features, quality, safety, and reliability (including model
routing and quality evaluation).
• Communications: send service notices, security alerts, administrative messages.
• Safety, Security & Compliance: detect/prevent abuse, investigate incidents, comply
with legal obligations.
• Business Operations: billing, accounting, audits, and corporate transactions.
Model Training & Product Improvement.
• Customer Content (Inputs/Outputs): We do not use Customer Content to train
foundation models or to improve models for other customers.
• We may use aggregated/de‑identified telemetry (e.g., feature usage counts, latency, error
rates) to improve the Services.
5) Sharing and Disclosures
We share information with:
• Service Providers/Sub‑processors: cloud hosting, security, email, analytics,
authentication, and LLM/AI providers that process data under our instructions. All LLMswe work with have contractual stipulations in place that they will not train their models
on your data.
• Corporate Transactions: in mergers, acquisitions, or asset sales.
• Legal/Protection: to comply with law or protect rights, safety, and the integrity of the
Services.
We do not “sell” personal information as defined by applicable US state privacy laws,
nor do we “share” it for cross‑context behavioral advertising.
6) Data Processing Addendum and International Transfers
Where we process personal data as a processor/service provider, such processing is governed by
our Data Processing Addendum (“DPA”), which is incorporated by reference into customer
agreements. The DPA includes Standard Contractual Clauses approved by the European
Commission and, where applicable, the UK International Data Transfer Addendum. We maintain
appropriate safeguards for cross-border data transfers.
7) Retention
We retain personal data and customer content for as long as needed to provide the Services,
comply with legal obligations, resolve disputes, and enforce agreements. Once user and
organization accounts are deleted we delete all the related data within 90 days (GDPR
compliant).
8) Security
We employ industry‑standard technical and organizational measures (e.g., encryption in transit
and at rest, access controls, logging) on all the user data and customer content.
9) Technology Stack
One Zyme is primarily hosted on AWS. We utilize several AWS services for different
requirements like storage, data processing servers, authentication etc. All of the services are used
with industry standard and highly secure practices like encryption at rest and transit. We use
several LLMs from different providers like Anthropic and Gemini. User data and customer data
is not used to train third-party or proprietary models, and is processed only to provide the
service. All the model hosting providers (AWS and Google Cloud) adhere to a zero data retention
policy.
10) Incident ResponseIn the event of a confirmed personal data breach affecting Customer Content, we will notify the
customer without undue delay and in accordance with applicable law and contractual obligations.
11) Legal Bases for Processing (EEA/UK)
When acting as a controller, we process personal data based on:
• Performance of a contract
• Legitimate interests (e.g., service improvement, security)
• Compliance with legal obligations
• Consent, where required
12) Your Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict
processing of your personal data, and to object to certain processing. To exercise rights, contact
privacy@onezyme.ai.
• US (e.g., CA/CO/CT/VA/UT): You may request access/deletion and opt out of certain
processing. We do not sell/share personal information as defined by these laws. Appeals
process: contact privacy@onezyme.ai with “Appeal” in the subject.
13) Cookies & Similar Technologies
We use:
• Strictly Necessary (auth, security),
• Functional (preferences),
• Analytics (traffic/usage), and
• Categories
• Opt-out mechanism
14) Children’s Privacy
The Services are for business use and not directed to children under 16. Do not submit children’s
personal data.
15) Third‑Party Links
Our Services may link to third‑party sites/services. Their privacy practices govern their
properties.16) Changes to This Policy
We may update this Policy. Material changes will be communicated (e.g., via email or in‑app).
Continued use after the effective date constitutes acceptance.
17) Contact Us
One Zyme, Inc.
Privacy Email: privacy@onezyme.ai
1) Who We Are and Scope
This Privacy Policy explains how One Zyme, Inc. (“One Zyme,” “we,” “us,” or “our”) collects,
uses, discloses, and protects information in connection with our websites, applications, and
services that analyze and synthesize life‑sciences data for pharma business development and
competitive intelligence (the “Services”). This Policy covers:
• Site Data: information collected on our websites and marketing properties.
• Service Data: information processed within the Services for customers.
• Business Contact Data: professional contact details we process for B2B outreach.
If you have an agreement with us (e.g., a Pilot or Master Services Agreement), that agreement
controls to the extent of any conflict with this Policy.
2) Our Roles
• For Service Data that customers or their users submit or connect (e.g., documents,
prompts, dataset connectors), we act as a processor/service provider to the customer (the
“Controller/Business”).
• For Site Data and Business Contact Data, we act as a controller/business.
3) Information We Collect
A. You Provide
• Account & Profile: name, business email, company, role, password.
• Customer Content (“Inputs”): prompts, feedback, and other material or information
you submit to or connect with the Services.
• Communications: support requests, survey responses, call/meeting notes.
• Billing: billing contact details, bank information.
B. Automatically Collected
• Usage & Log Data: feature usage, timestamps.• Device & Technical Data: IP address, browser/OS, SDK versions, telemetry.
• Cookies & Similar Tech: see Cookies section below.
C. From Third Parties
• Public & Licensed Sources: scientific publications, private data purchased from various
data providers, clinical trial registries, patents, regulatory filings, conference abstracts,
company websites, and a range of other sources, subject to their terms.
• Business Contact Data: professional contact details from B2B data providers or public
sources (e.g., corporate websites, conference programs).
Sensitive Information: Our Services are not designed to process Protected Health Information
(PHI). Do not submit PHI or other sensitive data unless we have a separate written agreement
(e.g., BAA) permitting such processing.
4) How We Use Information
• Provide and Operate the Services: authenticate users, process inputs, generate Outputs
(“Outputs”), maintain/secure the platform, and provide support.
• Improve and Develop: enhance features, quality, safety, and reliability (including model
routing and quality evaluation).
• Communications: send service notices, security alerts, administrative messages.
• Safety, Security & Compliance: detect/prevent abuse, investigate incidents, comply
with legal obligations.
• Business Operations: billing, accounting, audits, and corporate transactions.
Model Training & Product Improvement.
• Customer Content (Inputs/Outputs): We do not use Customer Content to train
foundation models or to improve models for other customers.
• We may use aggregated/de‑identified telemetry (e.g., feature usage counts, latency, error
rates) to improve the Services.
5) Sharing and Disclosures
We share information with:
• Service Providers/Sub‑processors: cloud hosting, security, email, analytics,
authentication, and LLM/AI providers that process data under our instructions. All LLMswe work with have contractual stipulations in place that they will not train their models
on your data.
• Corporate Transactions: in mergers, acquisitions, or asset sales.
• Legal/Protection: to comply with law or protect rights, safety, and the integrity of the
Services.
We do not “sell” personal information as defined by applicable US state privacy laws,
nor do we “share” it for cross‑context behavioral advertising.
6) Data Processing Addendum and International Transfers
Where we process personal data as a processor/service provider, such processing is governed by
our Data Processing Addendum (“DPA”), which is incorporated by reference into customer
agreements. The DPA includes Standard Contractual Clauses approved by the European
Commission and, where applicable, the UK International Data Transfer Addendum. We maintain
appropriate safeguards for cross-border data transfers.
7) Retention
We retain personal data and customer content for as long as needed to provide the Services,
comply with legal obligations, resolve disputes, and enforce agreements. Once user and
organization accounts are deleted we delete all the related data within 90 days (GDPR
compliant).
8) Security
We employ industry‑standard technical and organizational measures (e.g., encryption in transit
and at rest, access controls, logging) on all the user data and customer content.
9) Technology Stack
One Zyme is primarily hosted on AWS. We utilize several AWS services for different
requirements like storage, data processing servers, authentication etc. All of the services are used
with industry standard and highly secure practices like encryption at rest and transit. We use
several LLMs from different providers like Anthropic and Gemini. User data and customer data
is not used to train third-party or proprietary models, and is processed only to provide the
service. All the model hosting providers (AWS and Google Cloud) adhere to a zero data retention
policy.
10) Incident ResponseIn the event of a confirmed personal data breach affecting Customer Content, we will notify the
customer without undue delay and in accordance with applicable law and contractual obligations.
11) Legal Bases for Processing (EEA/UK)
When acting as a controller, we process personal data based on:
• Performance of a contract
• Legitimate interests (e.g., service improvement, security)
• Compliance with legal obligations
• Consent, where required
12) Your Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict
processing of your personal data, and to object to certain processing. To exercise rights, contact
privacy@onezyme.ai.
• US (e.g., CA/CO/CT/VA/UT): You may request access/deletion and opt out of certain
processing. We do not sell/share personal information as defined by these laws. Appeals
process: contact privacy@onezyme.ai with “Appeal” in the subject.
13) Cookies & Similar Technologies
We use:
• Strictly Necessary (auth, security),
• Functional (preferences),
• Analytics (traffic/usage), and
• Categories
• Opt-out mechanism
14) Children’s Privacy
The Services are for business use and not directed to children under 16. Do not submit children’s
personal data.
15) Third‑Party Links
Our Services may link to third‑party sites/services. Their privacy practices govern their
properties.16) Changes to This Policy
We may update this Policy. Material changes will be communicated (e.g., via email or in‑app).
Continued use after the effective date constitutes acceptance.
17) Contact Us
One Zyme, Inc.
Privacy Email: privacy@onezyme.ai