Privacy Policy

Last Updated: May 11, 2026 (rev 4)
Effective Date: November 10, 2025

1. Introduction

Daly Innovations Ltd T/A FlowSEQ® ("we," "us," "our," or "FlowSEQ") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our FlowSEQ platform (the "Service"). FlowSEQ is a registered trademark of Daly Innovations Ltd in Ireland.

Our Contact Information:

  • Company: Daly Innovations Ltd T/A FlowSEQ
  • Address: 11 Ard Coillte, Ballina, Co. Tipperary, Ireland
  • Email: support@flowseq.bio

By using FlowSEQ, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contractual Necessity: To provide you with access to and use of the FlowSEQ Service
  • Legitimate Interest: To improve our Service, prevent fraud, and ensure security
  • Consent: Where you have given explicit consent for specific processing activities
  • Legal Obligation: To comply with applicable laws and regulations

3. Information We Collect

3.1 Information You Provide to Us

When you create an account or use FlowSEQ, we collect:

Account Information:

  • Email address (required, verified via a one-time link before first login)
  • Full name (required)
  • Password (stored hashed using bcrypt, cost factor 12)
  • Two-factor authentication secret if you enable 2FA (stored encrypted at rest using AES-256-GCM; backup codes are hashed with bcrypt)

Profile Information:

  • Job title or role (optional)
  • Research interests (optional)
  • Profile preferences and settings

User-Generated Content:

  • Sequencing cost calculations and planning data
  • Cost library items and parameters
  • Cost profiles and combinations
  • Sustainability metrics and environmental impact data
  • Custom genome definitions and sequencing workflows
  • Protocol selections and laboratory settings
  • Saved sequencing runs and configurations
  • Lab configuration data
  • Any other data you input into the Service, including files you upload (e.g. cost library CSV imports)

Note: Your cost library data and business calculations are treated as confidential business information. If you are a solo user, your data is not visible to anyone else. If you join an Organisation, see Section 3.4 — Organisation Data Sharing below for how data is shared with org owners and admins.

3.2 Information Automatically Collected

When you access and use FlowSEQ, we automatically collect:

Technical Information:

  • IP address (used for session records and short-lived rate-limit windows; see below)
  • Browser type and version
  • Device type and operating system
  • Time zone setting and location (country/region level only)
  • Pages visited and features used
  • Date and time of access
  • Referring website addresses

Session Records:

Each time you log in, we record a session row capturing the timestamp, originating IP address, and a short device/browser fingerprint string. You can see your own session history in the Activity dashboard. Session rows are retained while your account is active and are deleted in full when you delete your account.

Rate-Limiting:

We use a Redis-backed rate limiter (Upstash, EU region) to throttle abusive login and 2FA attempts. Your IP address is stored only as a transient counter; counters expire within minutes and never persist as a long-term record.

Cookies and Similar Technologies:

  • One authentication cookie named token (HttpOnly, Secure, SameSite=Strict, 4-hour expiry) — required to keep you signed in
  • Browser localStorage / sessionStorage for non-sensitive UX state (form drafts, in-app sync flags). This data stays on your device and is not transmitted to our servers

We do not use third-party advertising cookies, tracking pixels, or preference cookies.

3.3 Analytics and Usage Tracking

User Opt-In Tracking:

We collect usage analytics only with your explicit consent to help us improve FlowSEQ and understand how users interact with the Service. You can enable or disable tracking at any time in your account settings.

When tracking is enabled, we collect:

  • Session information (duration, timestamps, navigation patterns)
  • User interactions (feature usage, button clicks, form submissions)
  • Page views (URLs, time spent, scroll depth)
  • Performance data (page load times, API response times, errors)

Important:

  • Tracking is disabled by default and requires your explicit opt-in
  • We do not use third-party advertising or marketing analytics
  • All analytics data is used solely for improving FlowSEQ's functionality
  • Analytics data is aggregated and anonymized for reporting purposes
  • You can disable tracking at any time without affecting your use of FlowSEQ

3.4 Organisation Data Sharing

FlowSEQ supports team accounts ("Organisations"). If you join an Organisation, please be aware of the following sharing relationships:

What organisation owners and admins can see about you:

  • Your saved calculations, genome runs, and cost-tracking data
  • Your sustainability / ESG metrics (carbon, energy, plastic, score) — owners and admins see org-wide aggregates that include your data
  • Your feature usage (which calculators and modules you have used) — surfaced in the organisation's analytics dashboards
  • Your name, email, role, and last-login timestamp on the member management page

What is not shared:

  • Your password, password reset tokens, or 2FA secrets (never shared with anyone, including admins)
  • Your account preferences (currency, number format, etc.)
  • Other organisations' data (each organisation is fully isolated)

Solo users: If you are not part of an organisation, none of the above sharing applies. Your data is visible only to you and to FlowSEQ system administrators for the purposes set out in Section 4.

Leaving an organisation: If your membership is removed or you leave, future data is no longer visible to org owners/admins, but data created during your membership remains visible to them as part of the organisation's historical records. To erase that data, exercise your Right to Erasure (see Section 8).

4. How We Use Your Information

4.1 Service Delivery

  • To create and manage your account
  • To provide access to FlowSEQ features and functionality
  • To process and store your sequencing cost calculations
  • To enable collaboration features (if applicable)
  • To provide customer support and respond to inquiries

4.2 Service Improvement

  • To analyze usage patterns and improve user experience
  • To develop new features and functionality
  • To troubleshoot technical issues and bugs
  • To conduct research and analytics (aggregated and anonymized)

4.3 Communication

  • To send account-related notifications (password resets, security alerts)
  • To provide service updates and feature announcements
  • To send educational content about cost optimization (with your consent)
  • To respond to your support requests

4.4 Security and Legal Compliance

  • To detect and prevent fraud, abuse, and security incidents
  • To enforce our Terms of Service
  • To comply with legal obligations and respond to lawful requests
  • To protect our rights, property, and safety

5. Data Storage and Security

5.1 Data Storage Location

Infrastructure and Data Location:

  • Hosting: Vercel (Application servers)
    • EU users: Frankfurt (fra1) or Dublin (dub1) region deployment
    • Ensures EU data residency compliance for application processing
  • Database: PostgreSQL
    • Configuration: EU region hosting for GDPR compliance
    • All user data stored in EU-based database instances
    • Encrypted at rest and in transit

For EU Users (GDPR Compliance):

  • User data for EU residents is stored on servers located within the European Union
  • Application hosting and database storage maintain EU data residency
  • Application and database processing is configured to EU regions; certain operational sub-processors (e.g. error logging, transactional email) are US-based and process data under their published privacy terms (see Section 6 — Beta Status note)

5.2 Security Measures

We implement industry-standard security measures to protect your data:

Encryption:

  • Data in transit: TLS/SSL encryption (HTTPS) for all connections
  • Data at rest: Encrypted database storage
  • Passwords: Hashed using bcrypt with a cost factor of 12
  • Two-factor authentication (TOTP) secrets: Encrypted at rest using AES-256-GCM; backup codes hashed with bcrypt cost 12
  • Password reset tokens: Hashed with SHA-256 before storage; 1-hour expiry; single-use

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for administrative access
  • Regular access reviews and principle of least privilege

Note: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5.3 Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by GDPR Article 34.

6. Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

  • With your consent: When you explicitly authorize us to share your data
  • Within your organisation: If you join an organisation, your data is shared with your owners and admins as described in Section 3.4
  • Service providers (sub-processors): With the third-party vendors listed below, who process data on our behalf under each vendor's published terms of service and privacy notice
  • Legal requirements: When required by law, regulation, legal process, or government request
  • Business transfers: In connection with a merger, acquisition, or sale of assets (users will be notified)
  • Protection of rights: To protect our rights, property, safety, or that of our users or the public

Beta Status — Sub-Processor Agreements:

FlowSEQ is currently in beta. Sub-processor relationships rely on each vendor's publicly published privacy notice and standard terms rather than separately negotiated Data Processing Agreements (DPAs). We will execute formal DPAs (including EU Standard Contractual Clauses where applicable) with each US-based processor as we move to commercial release. If you require a signed DPA before your organisation can use FlowSEQ, please contact support@flowseq.bio — we can prioritise on a case-by-case basis.

Current Sub-Processors:

  • Application Hosting: Vercel Inc. (US parent; deployments configured to EU regions — Frankfurt / Dublin — for application processing). Governed by Vercel's published privacy policy.
  • Database: Prisma Cloud (PostgreSQL, EU region) — encrypted at rest. Governed by Prisma's published privacy policy.
  • Performance Monitoring: Vercel Analytics — cookieless, IP-anonymised aggregate web-vitals only. No personal identifiers transmitted. Covered by Vercel's privacy policy above.
  • Rate Limiting: Upstash (Redis, EU region) — transient IP counters for login / 2FA throttling; counters expire within minutes. Governed by Upstash's published privacy policy.
  • Transactional Email: Resend Inc. (US) — sends verification emails, password resets, member invites, and support replies. Governed by Resend's published privacy policy.
  • Error Logging: Sentry (US) — error events only. We configure Sentry to strip cookies, auth headers, and sensitive query parameters before transmission; session replay is not enabled. Governed by Sentry's published privacy policy.
  • Authentication: Self-hosted within FlowSEQ (no third party).

A current list of sub-processors is available on request to support@flowseq.bio.

7. Data Retention and Deletion

7.1 Active Accounts

We retain your personal data for as long as your account is active and as necessary to provide you with the Service, comply with legal obligations, resolve disputes, and enforce agreements.

7.2 Inactive Accounts

Inactive Account Policy:

  • If your account has been inactive for an extended period (typically 2 or more consecutive years), we may contact you by email to confirm whether you wish to retain it
  • If we receive no response after reasonable notice, the account may be deleted
  • You can always pre-empt this by logging in or by deleting your account yourself at any time (Section 7.3)

Note: automatic inactive-account purging is not yet enforced by a scheduled job. We will give you advance email notice before any deletion takes place.

7.3 User-Requested Deletion

You can delete your own account at any time without contacting us: go to Settings → Privacy → Delete Account. The flow requires your current password plus typing DELETE as a second confirmation. Deletion is immediate and irrevocable — your user record, all calculations, genome runs, cost data, sessions, and interaction logs are removed in a single transaction. If you prefer to delete by email, contact support@flowseq.bio and we will action your request within 60 days.

Organisation owners: If you own an organisation with active members, you must first transfer ownership or remove all other members before your account can be deleted. This prevents orphaning organisational data.

7.4 Retention by Data Category

  • Account data (profile, calculations, runs, cost library): retained while your account is active; see Section 7.2 for inactive-account handling and Section 7.3 for self-service deletion
  • Session records (IP, device, login times): retained while your account is active; deleted in full when you delete your account
  • Interaction logs & page views (analytics): only collected if you have opted in (Section 3.3); retained while your account is active and tracking remains enabled; deleted in full when you delete your account or disable tracking and request data clearing via support
  • Rate-limit counters: transient — expire within minutes (enforced automatically by Upstash Redis TTL)
  • Password reset tokens: 1 hour expiry; cleared on use (enforced in code)
  • Error reports (Sentry): subject to Sentry's default retention policy (90 days)
  • Backup snapshots: retained by our database provider for disaster-recovery purposes per their published retention policy

Note: aside from the explicitly time-bound items above (rate-limit counters, password reset tokens, Sentry retention), routine data is retained for the lifetime of your account. Scheduled automatic purging of older operational data is on our roadmap and this policy will be updated when it becomes enforced.

8. Your Rights Under GDPR and CCPA

8.1 Rights for EU Users (GDPR)

If you are located in the European Union, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Data Portability: Request your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for specific processing activities
  • Right to Lodge a Complaint: File a complaint with your local Data Protection Authority

8.2 Rights for California Users (CCPA)

If you are a California resident, you have the following rights:

  • Right to Know: Categories of personal data collected, sources, purposes, and third parties
  • Right to Delete: Request deletion of personal data (subject to exceptions)
  • Right to Opt-Out: Opt-out of sale of personal data (we do not sell personal data)
  • Right to Non-Discrimination: No discrimination for exercising your CCPA rights
  • Right to Correct: Request correction of inaccurate personal data

8.3 How to Exercise Your Rights

Self-service in the app:

  • Right of Access / Data Portability: Go to Settings → Privacy → Export My Data. We generate a JSON file containing your profile, preferences, calculations, genome runs, cost data, lab settings, sessions, and interaction logs from the last 30 days. Your password and 2FA secret are never exported.
  • Right to Erasure: Go to Settings → Privacy → Delete Account (see Section 7.3).
  • Right to Rectification: Edit your profile fields directly in Settings → Account.
  • Right to Withdraw Consent (for analytics tracking): Toggle off in Settings → Preferences.

For any other rights, or if the self-service tools do not meet your needs, contact us at:

Email: support@flowseq.bio

Subject Line: "Data Rights Request - [Your Request Type]"

Response Time: GDPR requests within 30 days; CCPA requests within 45 days

9. Cookies and Tracking Technologies

Cookies and Storage We Use

  • Authentication cookie (token): HttpOnly, Secure, SameSite=Strict, 4-hour expiry. Strictly necessary — keeps you signed in. Cleared when you log out.
  • Browser storage: A small amount of localStorage / sessionStorage is used for in-app UX state (form drafts, cross-tab sync flags). This data is never transmitted to FlowSEQ servers and is cleared when you log out.

What We Do NOT Use:

  • Third-party advertising cookies
  • Social media tracking pixels
  • Cross-site tracking cookies
  • Retargeting or remarketing cookies

Do Not Track (DNT) Signals

The "Do Not Track" browser signal is inconsistently implemented across browsers and has no agreed-upon technical standard. Rather than rely on it, FlowSEQ provides an explicit opt-in tracking toggle in Settings → Preferences. Analytics tracking is off by default for every account; we only collect interaction analytics once you turn the toggle on, and you can turn it off again at any time.

Cookie Consent Banner

We do not display a cookie consent banner because the only cookie we set is strictly necessary for authentication (the token cookie described above), and strictly-necessary cookies are exempt from prior consent requirements under the EU ePrivacy Directive and GDPR. We do not load any non-essential cookies, advertising trackers, or third-party analytics that would require a banner.

10. Children's Privacy

FlowSEQ is a professional tool intended for laboratory and research use. It is not intended for use by anyone under the age of 18, and we do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a person under 18, please contact us at support@flowseq.bio and we will delete it without delay.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Material Changes: We will notify you by email or prominent notice in the Service at least 30 days before changes take effect
  • Minor Changes: We will update the "Last Updated" date at the top of this policy
  • Your Continued Use: Continued use of FlowSEQ after changes constitutes acceptance of the updated policy

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@flowseq.bio

Address:
Daly Innovations Ltd T/A FlowSEQ
11 Ard Coillte
Ballina, Co. Tipperary
Ireland

Response Time: We aim to respond to all inquiries within 5 business days.

Data Protection Officer (DPO):

FlowSEQ is not required to appoint a designated Data Protection Officer under GDPR Article 37, because we do not conduct large-scale processing of special-category personal data and our core activities do not require regular and systematic monitoring of data subjects on a large scale. Data-protection matters are handled directly by Daly Innovations Ltd via the contact details above.

13. Governing Law and Jurisdiction

This Privacy Policy is governed by:

  • EU Users: Irish law and the General Data Protection Regulation (GDPR)
  • California Users: California Consumer Privacy Act (CCPA) and applicable US federal law
  • Other Users: Irish law and applicable international data protection regulations

Additional Resources

Learn More About Your Privacy Rights:

EU Resources:

California Resources:

Back to Home