Privacy Policy

Effective date: 2026-04-24. This policy is reviewed at least annually and on material change.

Draft notice. This document has been drafted in good-faith alignment with GDPR and CCPA/CPRA requirements but has not yet been reviewed by legal counsel. Treat it as a working policy pending that review.

1. Who we are

FlashPath Inc. ("FlashPath," "we," "our," "us") operates the FlashPath AI platform at https://flashpathai.com, including the ToxiDex Browser and FlashAE Browser.

Data controller: FlashPath Inc. (United States)
Privacy contact: contact@flashpathai.com

2. Scope

This policy covers the information we collect from visitors and registered users of the FlashPath AI platform. It does not cover third-party websites you may reach through links from our service; their privacy practices are governed by their own policies.

3. Information we collect

3.1 Information you provide

Account information — name, email address, organization (optional), and a password. The password is stored only as a bcrypt hash; we never see or retain the plaintext.
Two-factor authentication — if you enroll, an encrypted TOTP secret and bcrypt-hashed backup codes.
Content — blog posts, uploaded data files, and other content you author within the platform.
Communications — messages you send via the contact form or email.

3.2 Information we collect automatically

Activity log — security-relevant events tied to your account (login attempts, password changes, 2FA events, admin actions) recorded with a timestamp, IP address, and browser user-agent string. Used for security monitoring and audit purposes.
Server logs — HTTP request metadata (IP, user-agent, URL, status code, timestamp), retained by our hosting provider per their policy.
Analytics — aggregated page-view statistics via Google Analytics (see §8).

3.3 Information we do not collect

We do not collect payment card information (we do not process payments on the site), biometric data, or location data beyond the approximate geographic information inherent in your IP address.

4. How we use your information

To provide and maintain the FlashPath AI platform and your account
To authenticate you and secure your account (including sending password-reset emails, 2FA codes, and security alerts)
To detect, investigate, and respond to security incidents
To communicate service updates, account notifications, and responses to your inquiries
To analyze aggregate usage of the service for product improvement
To comply with legal obligations and enforce our terms of service

We do not sell your personal information. We do not use your information for cross-context behavioral advertising.

5. Legal bases for processing (GDPR)

For visitors and users in the European Economic Area or United Kingdom, we rely on the following lawful bases under Article 6 of the GDPR:

Performance of a contract — to provide the account and service you've requested.
Legitimate interests — to secure our service (rate limiting, audit logging, abuse detection), improve it, and administer our business. We balance these interests against your rights and freedoms.
Consent — for optional analytics cookies, where consent is required under applicable law.
Legal obligation — where processing is required to comply with applicable law.

6. Sharing and sub-processors

We share your information with the following categories of third parties only as necessary to operate the service:

Hosting and database provider — Heroku (Salesforce), USA
Transactional email provider — Mailgun (Sinch), USA
File storage — Amazon Web Services (AWS S3), USA, when configured for uploads
Source code hosting — GitHub (Microsoft), USA — source code only, not user application data
Analytics — Google Analytics (Google), global infrastructure
Content delivery — jsDelivr, global CDN, for loading a password-strength library on the registration form

Each primary processor is contractually bound to data-protection terms consistent with applicable law (typically via the vendor's Data Processing Addendum). A current inventory with purposes and data categories is maintained in our engineering repository.

We may also disclose information (a) to comply with a lawful legal process, (b) to protect the rights, property, or safety of FlashPath, our users, or others, or (c) in connection with a business transfer (merger, acquisition), in which case we will notify affected users and, where required, obtain consent.

7. International data transfers

We operate in the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses (SCCs) published by the European Commission, either directly or via our sub-processors' own compliance arrangements.

8. Cookies and tracking

We use the following categories of cookies and similar technologies:

Strictly necessary cookies — a single session cookie (connect.sid) used to keep you signed in. Cannot be disabled for authenticated features.
Analytics cookies — Google Analytics cookies (_ga, _gid, and related) for aggregated page-view counting. We use Google Analytics for internal product analytics only, not for cross-context behavioral advertising.

You can disable cookies in your browser settings, but strictly necessary cookies are required for authenticated use of the service. You can opt out of Google Analytics site-wide via the Google Analytics opt-out browser add-on.

9. Data retention

Account information — retained until you or an administrator deletes the account. You can delete your account at any time from your account page.
Content you authored — retained until you delete it or delete your account.
Audit log entries — retained for 365 days, after which they are automatically purged. Entries about a deleted user are preserved (for security-incident forensics) but anonymized by removing the user identifier.
Password reset tokens — retained for 7 days past expiry, then purged.
Security alert records — retained for 90 days, then purged.
Backups — retained per Heroku's backup-retention policy for our plan.

10. Your rights (GDPR and others)

Depending on where you live, you may have one or more of the following rights:

Access / portability — download a copy of the personal information we hold about you as JSON, from your account page (also satisfies GDPR Art. 20 data portability).
Deletion — delete your account and associated data from your account page. Audit-log entries are preserved but anonymized (the user identifier is removed).
Rectification — correct inaccurate account information by updating your profile or contacting us.
Object or restrict — object to or restrict our processing based on legitimate interests.
Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.
Lodge a complaint — with a data-protection supervisory authority in your jurisdiction. For the UK, this is the Information Commissioner's Office (ICO). For the EU, your national authority.

To exercise any right that isn't covered by the self-service controls on your account page, email contact@flashpathai.com. We will respond within 30 days.

11. California residents (CCPA/CPRA)

Under the California Consumer Privacy Act (as amended by the CPRA), California residents have specific rights with respect to their personal information. FlashPath Inc. does not currently meet the CCPA applicability thresholds ($25 million annual gross revenue, processing the personal information of 100,000+ California consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information), but we nevertheless extend the following rights to all California residents as a matter of policy:

Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
Right to delete personal information we have collected about you.
Right to correct inaccurate personal information.
Right to opt out of sale/sharing — not applicable; we do not sell personal information and do not share it for cross-context behavioral advertising.
Right to limit use of sensitive personal information — we do not use sensitive personal information for any purposes requiring this limit.
Right to non-discrimination — you will not be denied service or charged a different price for exercising your rights.

To exercise these rights, email contact@flashpathai.com from the email address associated with your account, or use the self-service export and deletion controls on your account page.

12. Security

We protect your information using controls including encryption at rest and in transit, bcrypt password hashing, multi-factor authentication for administrator accounts, rate limiting, audit logging, and automated alerting on suspicious activity. Full detail is in our public Security Policy. No security program can guarantee perfect protection; we aim for controls proportional to the sensitivity of the data we hold.

13. Children's privacy

FlashPath AI is a professional tool intended for toxicology and pharmacovigilance professionals. The service is not directed to children under 16, and we do not knowingly collect personal information from anyone under that age. If we learn we have collected personal information from a child under 16, we will delete it promptly.

14. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date at the top of this page. For material changes — changes that expand the scope of data we collect, change how we use your data, or add a new category of recipient — we will also notify affected users by email to the address on file. Continued use of the service after a material change constitutes acknowledgment of the updated policy.

15. Contact

Questions, requests, or complaints about this policy or your personal information:

FlashPath Inc.
Email: contact@flashpathai.com