Introduction
At Elnora AI, we take privacy seriously. This Privacy Policy explains how Elnora AI, Inc. and its subsidiary Elnora AI OÜ (collectively, "Elnora," "we," "us," or "our") collect, use, disclose, and protect your personal information when you use our website (www.elnora.ai), our AI-powered protocol generation platform, and related services (collectively, the "Services").
This Policy applies to all individuals who interact with our Services, including visitors to our website, registered users, and business contacts. Please read this Policy carefully to understand our practices regarding your personal information.
Table of Contents
- Scope
- Information We Collect
- How We Use Your Information
- Cookies and Tracking Technologies
- How We Share Your Information
- Data Retention
- Data Security
- International Data Transfers
- Your Rights and Choices
- California Privacy Rights (CCPA/CPRA)
- European, UK, and Swiss Privacy Rights
- Children's Privacy
- AI and Model Training
- Changes to This Policy
- Contact Us
1. Scope
This Policy Applies To
- Our website at www.elnora.ai
- Our AI-powered protocol generation and optimization platform at platform.elnora.ai
- Communications with us via email, forms, or other channels
- Marketing and promotional activities
This Policy Does NOT Apply To
- Enterprise Customer Data: Where Elnora acts as a data processor on behalf of enterprise customers, the customer's privacy policy governs. Our processing of Enterprise Customer Data is governed by our Data Processing Addendum (DPA) and customer agreements, which include Standard Contractual Clauses (SCCs) for international data transfers. For questions about such data, please contact your organization's administrator or email us at privacy@elnora.ai to request our DPA.
- Third-Party Services: Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties.
Regulatory Coverage
This Policy is designed to comply with:
- EU General Data Protection Regulation (GDPR)
- UK GDPR
- Swiss Federal Act on Data Protection (FADP)
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- Other applicable privacy laws
2. Information We Collect
Information You Provide Directly
| Category | Examples |
|---|---|
| Account Information | Name, email address, company name, job title, password, phone number |
| Payment Information | Billing address and payment details. We use Stripe for payment processing and do not directly store your payment card information on our servers. |
| Protocol and Research Data | Lab protocols, experimental data, research parameters, and other scientific content you upload or input into our platform. Processed as Customer Data under the DPA where Elnora acts as processor (see §1). |
| Communications | Support requests, feedback, survey responses, and correspondence with us |
| Marketing Information | Demo requests, newsletter signups, webinar registrations |
Information Collected Automatically
| Category | Examples |
|---|---|
| Usage Data | Pages viewed, features used, actions taken, access times, referring URLs |
| Device Information | Device type, operating system, browser type and version, device identifiers |
| Log Data | IP address, browser settings, date/time of access, error logs |
| Location Information | General location (city/country) derived from IP address |
Information From Third Parties
| Source | Data |
|---|---|
| SSO Providers | Name, email address, authentication tokens (when you sign in via Google Workspace or Microsoft Entra ID) |
| Analytics Partners | Aggregated usage and interaction data |
| Business Partners | Business contact information from events or partnerships |
Sensitive Data
In our role as controller for the data described in this Policy (account, marketing, website and support data), we do not request, require, or intentionally collect special category data (GDPR / UK GDPR Article 9) or sensitive personal information (CPRA). Where you upload protocols, experimental data, or other content to the platform, that content is Customer Data processed on your organisation's instructions under our Data Processing Addendum, where your organisation is the controller. If such content contains special category or sensitive data, it is handled under the DPA and the customer agreement, not this Policy.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR Article 6(1)) |
|---|---|
| Providing Services | Performance of a contract to which the data subject is party — Article 6(1)(b). Operate, maintain, and deliver our AI protocol generation platform. |
| Account Management | Performance of a contract — Article 6(1)(b). Create and manage your account, process transactions. |
| Customer Support | Performance of a contract — Article 6(1)(b). Respond to inquiries, provide technical assistance. |
| Service Improvement | Legitimate interests — Article 6(1)(f). Legitimate interest: improving the reliability and quality of the platform for all users. These interests are not overridden by data-subject interests given that improvement uses aggregated or anonymised data. |
| Security | Legitimate interests — Article 6(1)(f). Legitimate interest: detecting and preventing fraud, abuse, and security threats to protect Elnora and its customers. Also compliance with legal obligations where applicable — Article 6(1)(c). |
| Communications (transactional) | Performance of a contract — Article 6(1)(b). Service updates, technical notices, and administrative messages required to deliver the contracted service. |
| Marketing | Consent — Article 6(1)(a) — for marketing to EEA/UK/Swiss data subjects (and equivalent consent requirement under CCPA/CPRA for California residents), except that we may send electronic marketing about our own similar products to existing customers on a soft opt-in basis where permitted by the ePrivacy Directive / PECR, with an opt-out in every message. |
| Legal Compliance | Compliance with a legal obligation — Article 6(1)(c). Comply with applicable laws, regulations, court orders, and lawful government requests. |
| Analytics | Legitimate interests — Article 6(1)(f). Legitimate interest: understanding aggregate usage to improve the Services, using privacy-preserving techniques (pseudonymisation after 90 days, deletion of usage logs at 12 months, no individual profiling). |
We Do NOT Use Your Data For
- Training or fine-tuning our or any provider's AI models using your uploaded protocols or research data (see Section 13)
- Selling your personal information to third parties
- Cross-contextual behavioral advertising
4. Cookies and Tracking Technologies
Elnora's website and platform do not use cookies, pixels, web beacons, or other tracking technologies. We do not deploy marketing or advertising trackers. Product analytics are collected server-side from your authenticated use of the platform and are not based on cookies, pixels, web beacons, device fingerprinting, or cross-site tracking. Strictly necessary technical mechanisms used to maintain an authenticated session (for example, a short-lived session token stored in browser memory) are limited to operating the Services and are not used for tracking, profiling, or cross-context behavioural advertising.
Because Elnora does not set cookies or process Global Privacy Control (GPC) or Do Not Track (DNT) signals at the browser level, there is nothing to opt out of. If this changes in future, this section will be updated and an opt-in consent mechanism will be deployed before any non-essential tracking is introduced.
5. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
Service Providers (Subprocessors)
We use trusted third-party service providers to help us operate our business, including:
- Cloud infrastructure and data hosting
- AI model providers for protocol generation
- AI request routing and gateway services
- Payment processing
- Product analytics
All service providers are contractually bound to protect your information and use it only for specified purposes.
For a complete and current list of subprocessors, visit our Trust Center. Enterprise customers with Data Processing Addendums may have specific notification rights as outlined in their agreements.
Other Disclosures
| Circumstance | Description |
|---|---|
| Legal Requirements | When required by law, court order, or government request |
| Rights Protection | To enforce our terms, protect our rights, or ensure safety |
| Business Transfers | In connection with a merger, acquisition, or sale of assets, in which case we will provide notice (for example, by email or prominent website notice) of any change in the controller of your personal information and of any choices you may have |
| With Your Consent | When you have given us permission |
6. Data Retention
We retain your personal information only as long as necessary for the purposes described in this Policy.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of your account plus 60 days for account recovery, then deletion. Where required by law or for legitimate legal claims, specific records may be retained for up to 3 years from the date of the relevant transaction or event. |
| Customer/Protocol Data | Customer Data is retained for the duration of the contract. On contract termination, Elnora permanently deletes Customer Data, including backup copies, within 30 days, except where and only for as long as retention is required by applicable law or to establish, exercise, or defend legal claims, as set out in our Data Processing Addendum (§12). Customer Data processed on a customer's behalf is governed by the DPA; the deletion timeline mirrors DPA §12.2. You may export your data through the platform's self-service functionality during the contract term and the 30-day deletion window. |
| Payment Records | 7 years from the date of the transaction, in accordance with US federal and state tax and accounting requirements (including IRS recordkeeping rules and Utah state tax law). VAT/sales-tax records for EU/UK transactions are retained for the period required by the applicable member state or HMRC (minimum 6 years for UK VAT records). |
| Usage/Analytics Data | Usage logs are pseudonymised within 90 days and the pseudonymised logs are deleted 12 months after collection. Aggregate data that has been irreversibly anonymised (no longer personal data) is retained indefinitely for product improvement. |
| Marketing Preferences | Until you unsubscribe or request deletion, and no longer than 3 years from the date of your last interaction with our marketing communications. |
| Support Communications | 3 years from the date of resolution of the relevant support request, then deletion. |
When retention periods expire, we securely delete or anonymize your data.
7. Data Security
We implement robust technical, organizational, and administrative security measures to protect your information:
- Encryption: Industry-standard encryption for data at rest and in transit
- Access Controls: Role-based access control with principle of least privilege
- Authentication: Multi-factor authentication for privileged access
- Monitoring: Security monitoring and logging
- Audits: Regular security assessments and penetration testing
- Compliance: Elnora holds an ISO/IEC 27001:2022 certification and a SOC 2 Type 2 attestation. Audit reports are available on request under standard confidentiality terms.
Visit our Trust Center for current compliance status and security documentation.
While we take extensive measures to protect your information, no method of transmission over the Internet or electronic storage is completely secure. You are responsible for keeping your account credentials confidential. This does not reduce our own obligations to protect your personal information under applicable data-protection law.
Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will:
- Notify the relevant supervisory authority without undue delay and, where required by GDPR (Article 33), within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Provide information about the nature of the breach, the data affected, and steps we are taking to mitigate harm
- Offer guidance on protective measures you can take
To report a suspected security incident, contact us at security@elnora.ai.
8. International Data Transfers
Elnora AI, Inc. is headquartered in the United States. Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States.
Data Location
Customer data is primarily stored and processed in AWS data centers located in the United States. AI model providers may process data in their respective data center locations to provide real-time responses.
Transfer Mechanisms
For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States and other countries without an EU / UK adequacy decision, we rely on the following Article 46 transfer tools:
- EEA transfers — EU Standard Contractual Clauses (Module 2 / Module 3) per EU Commission Implementing Decision (EU) 2021/914, with the competent EU member-state supervisory authority (see §11.1).
- UK transfers — the UK International Data Transfer Addendum to the EU SCCs (UK Addendum, B1.0, in force 21 March 2022) under UK GDPR Article 46, with the UK Information Commissioner's Office (ICO) as the competent supervisory authority.
- Swiss transfers — the EU Standard Contractual Clauses with the amendments recognised by the FDPIC for transfers subject to the Swiss FADP (GDPR references read as references to the FADP, and the FDPIC named as the competent supervisory authority), with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent authority.
- Supplementary measures — encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, audit logging, no-training contractual prohibitions on AI sub-processors, and the further measures described in our Transfer Impact Assessment.
A completed Transfer Impact Assessment covering EEA, UK, and Swiss transfers is available to enterprise customers on request via privacy@elnora.ai.
Data Controllers
| Region | Controller | Address |
|---|---|---|
| United States | Elnora AI, Inc. | 48 South Rio Grande Street, Salt Lake City, UT 84101 |
| EU/UK | Elnora AI OÜ | Harju maakond, Saue vald, Laagri alevik, Vesiroosi tn 6, 76401, Estonia |
9. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
| Right | Description | Response Time |
|---|---|---|
| Access (Art. 15 GDPR) | Request a copy of the personal information we hold about you, including the categories of data, purposes, recipients, and retention periods. | 30 days (extendable by a further 60 days for complex requests, with notice) |
| Correction (Art. 16 GDPR) | Request correction of inaccurate or incomplete information. | 30 days |
| Deletion (Art. 17 GDPR) | Request deletion of your personal information, subject to legal retention obligations. | 30 days |
| Portability (Art. 20 GDPR) | Receive your data in a structured, machine-readable format (CSV or JSON) and transfer it to another controller where technically feasible. | 30 days |
| Restriction (Art. 18 GDPR) | Request that we limit processing of your information (e.g., while accuracy is contested). | 30 days |
| Objection (Art. 21 GDPR) | Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. Where processing is for direct marketing, you may object at any time and we will stop without any balancing test (GDPR / UK GDPR Article 21(2)-(3)). | 30 days |
| Withdraw Consent (Art. 7(3) GDPR) | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect lawfulness of prior processing. | Immediate effect on future processing |
| Lodge a Complaint | Lodge a complaint with your local supervisory authority (EU DPA, ICO, or FDPIC — see Section 11). | N/A |
Automated Decision-Making (Article 22 GDPR)
Elnora does not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you. Our AI-generated protocol outputs are recommendations that require human review and approval by the scientist or researcher using the platform. No automated decision-making within the meaning of Article 22 GDPR is applied to you as an individual.
How to Exercise Your Rights
- Email: privacy@elnora.ai (preferred — fastest response)
- Support: support@elnora.ai
- Mail:
  - US: 48 South Rio Grande Street, Salt Lake City, UT 84101
  - EU: Vesiroosi tn 6, 76401 Laagri, Estonia
We will respond to your request within 30 calendar days of receipt of a verifiable request (or within the shorter period required by applicable law, such as 45 days for CCPA/CPRA). For complex or numerous requests, we may extend by a further 60 days (GDPR) or 45 days (CCPA/CPRA) with written notice. We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.
Marketing Communications
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in our marketing emails
- Contacting us at privacy@elnora.ai
- Updating your communication preferences in your account settings
10. California Privacy Rights (CCPA/CPRA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
10.1 Notice at Collection
At or before the time of collection, California residents are entitled to know the categories of personal information collected and the purposes for which it will be used. The categories we collect and the purposes are described in Sections 2 and 3 of this Policy.
10.2 California Privacy Rights Summary
| Right | Description |
|---|---|
| Right to Know | Request disclosure of: (a) the categories and specific pieces of personal information collected; (b) the categories of sources; (c) the business or commercial purpose; (d) the categories of third parties with whom information is shared. Covers the 12-month period preceding your request. |
| Right to Delete | Request deletion of personal information, subject to exceptions (e.g., completion of a transaction, legal obligation, security). |
| Right to Correct | Request correction of inaccurate personal information. |
| Right to Opt-Out of Sale or Sharing | We do not sell personal information and do not share it for cross-contextual behavioural advertising. No opt-out mechanism is required or offered. |
| Right to Limit Use of Sensitive Personal Information | California residents may direct us to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Services. We do not use sensitive personal information for purposes beyond those permitted by CPRA § 1798.121 without consent. |
| Right to Non-Discrimination | We will not discriminate against you for exercising any of your CCPA/CPRA rights. |
10.3 Authorized Agent
Authorized agents may submit requests on a California resident's behalf at privacy@elnora.ai with written authorization signed by the resident or a power of attorney. We may verify the resident's identity directly.
10.4 How to Exercise California Rights
Submit requests to privacy@elnora.ai with the subject line "California Privacy Request." We will respond within 45 calendar days of receipt; we may extend by a further 45 days with written notice. We will not charge a fee for a first request in any 12-month period.
11. European, UK, and Swiss Privacy Rights
UK GDPR is a distinct legal order from the EU GDPR following the United Kingdom's exit from the European Union. The Swiss Federal Act on Data Protection (FADP) is likewise distinct. The substantive rights below apply across all three regimes; the supervisory authority and any complaint route depend on where you are located.
11.1 EEA — EU GDPR
If you are located in the European Economic Area, the EU GDPR applies to our processing of your personal data. Your competent supervisory authority is the data protection authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A directory is maintained by the European Data Protection Board: List of EU Supervisory Authorities.
11.2 United Kingdom — UK GDPR + Data Protection Act 2018
If you are located in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply. Your competent supervisory authority is the UK Information Commissioner's Office (ICO) at https://ico.org.uk. Cross-border transfers from the UK to non-adequate countries (including the United States) are made under the UK International Data Transfer Addendum to the EU SCCs (see Section 8 — Transfer Mechanisms).
11.3 Switzerland — FADP
If you are located in Switzerland, the revised Swiss Federal Act on Data Protection (FADP) applies. Your competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
11.4 Legal Bases for Processing
We process your personal data based on:
- Contract Performance — to provide our Services to you
- Legitimate Interests — for business operations, security, and service improvement
- Consent — for marketing communications
- Legal Obligation — to comply with applicable laws
11.5 Your Rights Across All Three Regimes
In addition to the rights in Section 9, you have the right to:
- Lodge a Complaint with your local data protection supervisory authority (EU DPA, ICO, or FDPIC as applicable)
- Data Portability — receive your data in a structured format and transfer it to another controller
11.6 EU and UK Representative
EU establishment and point of contact
Elnora AI OÜ is established in the European Union (Estonia) and is the controller for EU and UK personal data (see Section 8). Because Elnora has an establishment in the Union under Article 3(1) GDPR, a separate Article 27 representative is not required for EU processing. EU data subjects may contact Elnora AI OÜ at the address below or at privacy@elnora.ai for all EU GDPR matters.
Elnora AI OÜ, Harju maakond, Saue vald, Laagri alevik, Vesiroosi tn 6, 76401, Estonia. Phone: +372 51 96 51 96. Email: privacy@elnora.ai
UK GDPR Article 27 representative
Elnora processes UK Authorized Users' personal data as a processor on behalf of UK-based customers under the UK GDPR. Elnora has no establishment in the United Kingdom and is in the process of appointing a representative in the United Kingdom pursuant to Article 27 of the UK GDPR. Pending that appointment, and in any event within thirty (30) days of any of the following, Elnora will confirm its appointed UK representative: (a) the first UK individual creating a platform account, (b) the launch of UK-specific marketing, or (c) any UK behavioural monitoring activity. UK data subjects may contact privacy@elnora.ai for all UK GDPR matters.
12. Children's Privacy
Our Services are directed exclusively at professionals (scientists, researchers, and enterprise customers in the life sciences and pharmaceutical sectors) and are not intended for use by individuals under the age of 18 in any jurisdiction.
COPPA (US): We do not knowingly collect personal information from children under 13 years of age within the meaning of the Children's Online Privacy Protection Act (COPPA). Our platform requires account creation with verified professional credentials, which provides a functional barrier against use by children under 13.
GDPR Article 8 / UK GDPR (EEA and UK): Where an information society service is offered directly to a child, consent is valid only if the child is at least 16 (or such lower age, not below 13, as the relevant EEA Member State has set) in the EEA, or at least 13 in the UK. Our Services are offered only to professionals via professional registration and are not directed at or offered to children, so this consent requirement does not arise.
If we become aware that we have collected personal information from anyone under 18, we will take prompt steps to delete such information. If you believe we have inadvertently collected information from a minor, please contact us at privacy@elnora.ai.
13. AI and Model Training
Customer Data is NOT Used for Model Training
Important: Elnora does NOT use your uploaded protocols, experimental data, or other customer content to train the underlying AI models. Your research data is never sent to AI providers for the purpose of training their foundation models.
How We Improve Our Product
While we do not train AI models on your data, we may use irreversibly anonymised and aggregated information to improve our Services. This includes:
- Refining prompts and instructions that guide our AI agent
- Improving tool descriptions and workflow configurations
- Enhancing the overall user experience through product analytics
This product improvement process does not involve training or fine-tuning AI models. Your identifiable data is not used for these purposes.
How Our AI Works
- We use third-party AI model providers (including but not limited to Anthropic, OpenAI (via Azure), and Google Cloud Platform / Gemini) via their business API services. The current authoritative list is published on the Trust Center and in DPA Schedule 3.
- Your data is processed by these providers solely to generate responses for you in real-time
- Under our business/commercial agreements with these providers, data submitted via their business APIs is not used to train their foundation models, and we impose no-training obligations on our AI sub-processors contractually (see Section 8). We maintain business accounts with all AI providers to ensure these data-protection terms apply.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Effective Date" at the top of this Policy
- For material changes, including any change to our data-processing practices, we will provide notice as described above before the change takes effect. For customers under a Master Service Agreement or Order Form, such changes are governed by the change-control and notice provisions of those agreements and Section 1.5 of our Terms of Service, including at least 30 days' prior written notice and the right to terminate without penalty. Continued use after a material change takes effect does not waive any statutory data-protection right you hold, and where a change requires a lawful basis under applicable data-protection law we will obtain that basis separately.
We encourage you to review this Policy periodically.
15. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
General Inquiries
- Email: contact@elnora.ai
- Phone (US): +1 801 384 9988
- Phone (EU): +372 51 96 51 96
Privacy Contact
- Email: privacy@elnora.ai
Support
- Email: support@elnora.ai
Security Concerns
- Email: security@elnora.ai
Mailing Addresses
United States (Headquarters): Elnora AI, Inc., 48 South Rio Grande Street, Salt Lake City, UT 84101, USA
European Union / United Kingdom: Elnora AI OÜ, Harju maakond, Saue vald, Laagri alevik, Vesiroosi tn 6, 76401, Estonia
Trust Center
For detailed information about our security practices, compliance certifications, and data handling procedures, visit our Trust Center.
This Privacy Policy was last updated on June 21, 2026.