Privacy Policy

Effective Date: April 2026
Last Updated: April 16, 2026

1. Overview

Arroway Sciences ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data when you use ChiralCall.

Our design philosophy prioritizes data minimization: we collect only what is necessary to provide the service, and we delete data as soon as it is no longer needed.

2. What We Collect

Account Creation (all tiers)

  • Email address
  • Full name
  • Organization name (optional)
  • Academic status (for free/academic tier verification)

Prediction Input (depends on storage mode)

  • Stateless mode: SMILES strings are never retained
  • Store/Contribute modes: SMILES strings and prediction results

Usage Analytics

  • Aggregate API request counts (per account, not per SMILES)
  • HTTP access logs (IP, timestamp, endpoint, response code)
  • No behavioral tracking or session replay

Payment Information

  • Payment data is processed by Stripe and is not stored by Arroway Sciences. See Stripe's privacy policy at https://stripe.com/privacy

3. Storage Modes and Data Retention

Data retention depends entirely on which storage mode you select at prediction time:

Stateless Mode

SMILES and predictions are processed in memory only and are discarded immediately after the prediction response is returned. No data is written to disk, database, or logs. No user dashboard entry is created. This mode is fully compliant with GDPR Article 5 (data minimization) because no personal data is retained.

Store Mode

SMILES and prediction results are saved to your personal user dashboard. Data is encrypted at rest using AES-256 encryption. You can view, search, export, and permanently delete any or all stored predictions from your account settings at any time.

Contribute Mode

Your predictions are saved to your dashboard (as in Store mode), and the SMILES string is automatically added to our anonymized validation dataset. The validation data contains only structural information (SMILES) and prediction results—no metadata, account information, or user identification. You can revoke contributions at any time.

Account Data Retention

Account data (email, name, organization) is retained for as long as your account exists. When you delete your account, we delete all associated personal data within 30 days, except where required by law.

4. SMILES and Structural Data

SMILES (Simplified Molecular Input Line Entry System) strings are the primary input to ChiralCall. We treat SMILES very carefully:

  • In Stateless mode: SMILES is never logged, stored, or retained in any form
  • In Store/Contribute modes: SMILES is encrypted at rest (Store) or anonymized and contributed to validation sets (Contribute)
  • SMILES is never transmitted to third parties (Stripe, which processes payments, receives no SMILES data)
  • SMILES data in Contribute mode is fully anonymized (no associated metadata, account info, or timestamp)

5. Cookies and Session Management

ChiralCall uses session cookies strictly for authentication and session management. These are transient cookies that are deleted when you log out or when your session expires.

We do not use tracking cookies, third-party analytics cookies, or any form of behavioral tracking. Browser-local storage is used only to store your authentication token and preference settings (e.g., theme).

6. Third-Party Services and Data Sharing

We do not sell, rent, or share personal data with third parties. However, the following service providers may access limited data:

Stripe (Payments)

Payment information (credit card, billing address) is processed directly by Stripe and is not stored by Arroway Sciences. See Stripe's privacy policy at https://stripe.com/privacy for details.

Vercel (Hosting & Infrastructure)

ChiralCall is hosted on Vercel, which operates on AWS infrastructure. Vercel processes requests and may access data logs for security and maintenance purposes. Vercel is bound by its Data Processing Addendum and SOC 2 Type II compliance. See Vercel's privacy policy at https://vercel.com/legal/privacy-policy for details.

No Third-Party Analytics

We do not use Google Analytics, Mixpanel, Segment, or any third-party analytics service that would send user data outside of Arroway Sciences.

7. GDPR and EU Data Protection

If you are located in the European Union, the following applies:

Stateless Mode is Privacy-by-Design

Stateless mode minimizes data retention: SMILES inputs are processed in memory and not retained after the response is returned. Account, authentication, and security logs may still be processed as described elsewhere in this policy. This is the most privacy-friendly option for EU residents.

Data Processing Agreement (DPA)

For users in the EU, a standard Data Processing Agreement is available upon request. Please contact privacy@arrowaysci.com to request a DPA before submitting EU resident data in Store or Contribute modes.

Your GDPR Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion (right to be forgotten)
  • Request data export (data portability)
  • Withdraw consent at any time (e.g., opt out of Contribute mode)

8. Data Export and Deletion

Export Your Data: You can export all stored predictions and account data from your account settings at any time. Exports are available in CSV and JSON formats.

Delete Your Account: You can permanently delete your account from your account settings. This will:

  • Permanently delete all stored predictions from your dashboard
  • Revoke your API key
  • Delete your email, name, and organization data
  • Revoke consent for the Contribute mode (if enabled)

Deletions are processed within 30 days. Once deleted, data cannot be recovered.

9. Security

We implement industry-standard security measures to protect your data:

  • TLS 1.2/1.3 encryption for all data in transit
  • AES-256 encryption for stored data (Store/Contribute modes)
  • API keys are hashed and never stored in plaintext
  • Periodic security review; third-party penetration testing available for enterprise engagements
  • AWS Security Group firewalls and DDoS protection

However, no security system is 100% secure. If you believe your account has been compromised, contact us immediately at security@arrowaysci.com.

10. Children's Privacy

ChiralCall is not directed at users under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that a user is under 13, we will delete their account and data immediately.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information
  • Right to non-discrimination for exercising CCPA rights

We do not sell personal information. To exercise your rights, contact privacy@arrowaysci.com.

12. CRO and Enterprise Data Processing

Contract Research Organizations (CROs) and pharmaceutical companies with strict data handling requirements should contact us before using ChiralCall. We offer:

  • Custom Data Processing Agreements (DPA)
  • Non-Disclosure Agreements (NDA)
  • Business Associate Agreements (BAA) if required

ChiralCall is a hosted-only service. We do not offer on-premises or private cloud deployment. The prediction engine is protected as proprietary trade-secret logic, and hosted-only delivery preserves the integrity of the prediction method while enabling confidential stateless evaluation. For CROs whose client contracts prohibit any external hosted processing, ChiralCall may be best suited for internal historical datasets or non-client validation sets.

Contact legal@arrowaysci.com to discuss your data handling needs.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email at least 30 days before they take effect. Your continued use of ChiralCall after the effective date of changes indicates your acceptance of the updated policy.

14. Contact Us

For privacy-related questions, concerns, or requests, please contact:

Arroway Sciences - Privacy Team
Email: privacy@arrowaysci.com
Security Incidents: security@arrowaysci.com
Legal Requests: legal@arrowaysci.com