Science CRO Science CRO

Privacy Policy

Effective date: January 27, 2026

Last updated: January 27, 2026

1. Who we are

Science CRO ("Science CRO," "we," "us," "our") operates the website located at sciencecro.com (the "Site"). We provide computational science services, including fixed-scope pilot engagements and related research deliverables.

Controller contact:
Email: AWORKMAN@SCIENCECRO.COM

If you are in the United Kingdom or European Economic Area, we act as the "controller" of personal data processed in connection with the Site.

2. Scope of this policy

This policy describes how we collect, use, disclose, retain, and protect personal data when you visit the Site, communicate with us, request information, or purchase or initiate services. It does not govern how third-party websites, platforms, or processors handle your information once you leave the Site.

3. Personal data we collect

We collect personal data in three predominant ways: information you provide, information collected automatically, and information obtained from third parties.

3.1 Information you provide

We may collect the following categories when you submit forms, request a pilot, contact us, or otherwise communicate with us.

Contact and identity data includes name, email address, organization, role or title, and any other identifiers you choose to include. Commercial and engagement data includes details about your inquiry, requested scope, timelines, constraints, budgets, and communications history. Content data includes text, documents, datasets, or other materials you provide for scoping, evaluation, or delivery of services, including scientific or technical content.

Payment-related data is handled primarily by Stripe Checkout. We generally receive confirmation, status, limited transaction metadata, and fraud-prevention signals rather than full payment card details, which are processed by Stripe.

If you submit personal data about other individuals, you represent that you have authority to do so and have provided appropriate notices to them.

3.2 Information collected automatically

We may collect device and usage data such as IP address, browser type, device identifiers, operating system, referring URLs, pages viewed, and approximate location derived from IP. We may also collect log and security data such as timestamps, request headers, and diagnostic events used for performance and security.

3.3 Information from third parties

We may receive personal data from Stripe for transaction confirmation and limited billing metadata, and from tools used to capture leads and operationalize inquiries, including Notion when we store inquiry or customer relationship management records created from information you provide.

3.4 Third-party enrichment

We integrate publicly available chemical and assay data from PubChem using the PUG REST API, a REST-style interface that encodes each request in a single URL so we can retrieve structured compound, substance, and bioassay information without downloading entire datasets before responding to inquiries or informing our content.

4. How we use personal data

We use personal data to operate, maintain, and secure the Site, including debugging, preventing abuse, and ensuring service availability. We use personal data to respond to inquiries, provide quotes, scope engagements, and communicate about services, including fixed-scope pilot offerings. We use personal data to perform contracts or take steps at your request prior to entering a contract, including onboarding, provisioning deliverables, and providing project communications.

We use personal data to process payments and manage billing, refunds, and accounting, predominantly via Stripe Checkout. We use it to understand demand patterns, improve the Site, and plan marketing and distribution efforts, including measuring content performance and diagnosing user experience issues. We rely on Google Analytics to produce aggregated traffic and behavioral reports. Google Analytics collects metrics such as number of users, session statistics, approximate geolocation, and browser and device details; it stores a pseudonymous client identifier in a first-party cookie so that we can recognize returning visitors without logging or storing their IP addresses, and Google uses the data only to provide the measurement service described in its privacy disclosures policy.

We use personal data to comply with legal obligations and to enforce agreements, protect our rights, and manage disputes.

5. Lawful bases for processing (UK GDPR / EU GDPR)

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases, depending on context.

We process data to perform a contract or take steps at your request prior to entering a contract, such as responding to an inquiry or delivering a pilot. We process data based on our legitimate interests, including operating and securing the Site, preventing fraud, improving services, and maintaining business records, provided those interests are not overridden by your rights. We process data based on consent where required, particularly for certain cookies or analytics identifiers. We process data to comply with legal obligations, including tax and accounting requirements.

6. Cookies and analytics technologies

The Site may use cookies, local storage, and similar technologies for functionality, security, and analytics. Google Analytics uses first-party cookies (including the `_ga` cookie that stores a pseudonymous client identifier), and it collects the device/browser metadata, approximate geolocation, and interaction data needed to build reports about traffic, conversions, and user interests. Google Analytics does not log or store IP addresses and is only used to help us monitor and improve the Site.

Where required by applicable law, we will request consent before placing non-essential cookies or enabling analytics. You can control cookies through browser settings and may reject or delete cookies. If you disable cookies, some Site features and our ability to personalize materials may not function as intended.

6.1 Anonymous visitor surveys

The anonymous surveys featured on the Site are stored in cookie-linked database files so that each visitor’s responses stay associated with the same browsing session without being tied to a specific identity. These survey outcomes inform our marketing and distribution planning and help us modify how materials are presented on the Site, but we do not use the surveys to directly identify or contact the person who submitted them.

7. Artificial intelligence and automated processing

Science CRO may provide features that accept scientific text or other inputs and return generated summaries, analyses, or study artifacts. Such processing may involve automated systems.

We operate a self-hosted Llama inference endpoint, so prompt text you submit and the outputs we generate are processed on infrastructure we control rather than being routed through a third-party model vendor, except insofar as hosting or network providers necessarily carry the traffic. We treat client-provided project materials as confidential in the ordinary course of providing services.

You should avoid submitting sensitive personal data unless it is necessary and proportionate for the requested purpose. If you have heightened confidentiality requirements, you should request an NDA or a project-specific data-handling addendum prior to transmitting restricted materials.

8. How we share personal data

We do not sell personal data. We share personal data only as necessary for the purposes described in this policy.

We share personal data with vendors and service providers that support the Site and operations, including:

  • Google Analytics, which provides website analytics and may process limited device and usage data on our behalf.
  • Stripe, which provides payment processing via Stripe Checkout and processes payment details as an independent processor for payment data.
  • Notion, which stores lead and relationship records created from information you submit.
  • Hosting, infrastructure, and security providers that enable site delivery and protection, such as cloud compute, storage, monitoring, and email delivery, to the extent applicable to your deployment.

We may also disclose personal data to professional advisors such as accountants and legal counsel where necessary, and to comply with law, respond to lawful requests, protect the security and integrity of the Site, and enforce agreements.

9. International transfers

Your personal data may be processed in countries other than where you reside. This may occur, for example, if Google Analytics, Stripe, Notion, or infrastructure providers process data from locations outside your jurisdiction.

Where UK GDPR or EU GDPR applies and data is transferred internationally, we use appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other lawful mechanisms, as applicable.

10. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy.

Inquiry and correspondence data is retained for a reasonable period to manage follow-up, recordkeeping, and dispute resolution. Contract and billing records are retained as required by tax and accounting rules. Security logs are retained for a limited period consistent with operational needs. Lead records stored in Notion are retained for as long as needed to manage prospective and customer relationships, unless you request deletion and we are not legally required to retain the information.

Client project materials and technical prompts are retained according to the applicable engagement terms and practical necessities of reproducibility, revision cycles, and auditability, unless you request earlier deletion and we are not legally required to retain them.

11. Security

We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we will act promptly to investigate and remediate incidents consistent with applicable law.

12. Your rights

Depending on your location, you may have rights regarding your personal data.

12.1 UK and EEA rights

If UK GDPR or EU GDPR applies, you may have the right to access, correct, delete, restrict processing, object to processing, and request portability. Where we rely on consent, you may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

12.2 United States state privacy rights

If you reside in certain U.S. states, you may have rights to access, delete, and correct personal data, and to opt out of certain uses such as targeted advertising or the "sale" or "sharing" of personal data as defined by state law. We do not sell personal data in the ordinary sense. If you wish to exercise rights, contact us using the email in Section 1.

13. Children's privacy

The Site is not directed to children, and we do not knowingly collect personal data from children under 13, or under the age threshold required by applicable law in your jurisdiction. If you believe a child has provided personal data to us, contact us so we can take appropriate action.

14. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date above, and we may provide additional notice where required by law. Continued use of the Site after an update constitutes acceptance of the revised policy to the extent permitted by law.

15. How to contact us

For privacy questions or requests, contact:
Email: AWORKMAN@SCIENCECRO.COM