Privacy Policy — Pure Monograph

Last updated: [DATE] Operated by: Pure Monograph ("we," "us"), Vancouver, British Columbia, Canada.

Draft for legal review. This document reflects how Pure Monograph is intended to handle data. Confirm every technical statement below against the actual implementation before publishing — a privacy claim that the product does not enforce is a legal liability, not a feature.

1. Who this applies to

This policy covers puremonograph.ai and the Pure Monograph platform. It applies to visitors, account holders, and organizations using the service in Canada, the United States, and the European Economic Area / United Kingdom.

2. The short version

3. Information we collect

Account data: name, email, organization, and authentication credentials (passwords are stored only as salted hashes). Billing data: processed by our payment provider (Stripe). We store a customer reference and subscription status, not your full card number. Usage data: which modules you run, credit consumption, timestamps, and error logs — used to operate, secure, and bill the service. Communications: messages you send us by email. Technical data: IP address, browser type, and similar, via essential cookies and security logging.

4. Your molecule and CMC data — how it is handled

Data you upload for a build (structures, formulation data, batch data, and similar) is treated as your confidential material.

Reviewer note: if any part of the build actually transmits raw uploaded files to Pure Monograph servers, or if the Cloudflare frontend sends uploaded content to model APIs from the browser, Sections 2 and 4 must be rewritten to say so. Do not publish "not transmitted" unless the code enforces it.

5. How we use information

We use collected data to: provide and maintain the service; authenticate you; process payments and credits; provide support; secure the platform and prevent abuse; comply with legal obligations; and send service-related (not marketing) messages unless you opt in.

We rely on the following legal bases under GDPR: performance of a contract (providing the service), legitimate interests (security, service improvement that does not involve your uploaded data), consent (any optional marketing), and legal obligation.

6. Sharing

We do not sell personal data. We share it only with: - Service providers who process data on our behalf under contract (payment processing, hosting, email delivery, error monitoring), bound to confidentiality and data-protection terms. - Model providers, only as described in Section 4 and only for managed-engine queries. - Authorities, where required by valid legal process. - A successor, in the event of a merger or acquisition, subject to this policy.

7. International transfers

We operate from Canada and use service providers that may process data in the US and elsewhere. For EEA/UK personal data, transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses) or an adequacy decision where available. Canada has an EU adequacy decision for commercial organizations under PIPEDA.

8. Retention

Account and billing records are kept while your account is active and for the period required by law after closure. Usage logs are kept for a limited operational period. Uploaded molecule/CMC data is not retained (Section 4). Saved project outputs persist until you delete them or close your account.

9. Your rights

Regardless of location, you may request to access, correct, delete, or export your personal data, and to object to or restrict certain processing. - EEA/UK (GDPR): you also have the right to withdraw consent and to lodge a complaint with your supervisory authority. - Canada (PIPEDA / BC PIPA): you may access and correct your information and complain to the Office of the Privacy Commissioner of Canada or the BC OIPC. - US (incl. California/CCPA where applicable): you may request access and deletion and are protected against discrimination for exercising these rights. We do not sell personal information.

To exercise any right, email [email protected]. We respond within the timeframe required by applicable law.

10. Security

We use encryption in transit, hashed credentials, access controls, and audit logging. No system is perfectly secure; we cannot guarantee absolute security, but we design to minimize what we hold — most notably by not retaining your uploaded data.

11. Children

The service is not directed to anyone under 18 and is intended for professional use.

12. Changes

We will post updates here and change the "last updated" date. Material changes affecting your rights will be communicated where required.

13. Contact

Data controller: Pure Monograph Email: [email protected] Mailing address: Vancouver, BC, Canada EU/UK representative (if required under GDPR Art. 27): [TO BE APPOINTED IF NEEDED]