Privacy Policy

1. Who we are

Venari Data is the data controller responsible for the personal data described in this policy. You can contact us about any privacy matter — including to exercise your rights under applicable data protection law — at help@venaridata.com.

2. Personal data we collect

We collect only the data we need to provide the Service. Specifically:

• Account data. When you create an account we collect your email address, name, password (stored as a salted hash — we never see your password in plain text), and the company you indicate you work for during onboarding.
• Billing data. Payments are processed by Stripe. Stripe collects your payment card details directly — they never reach Venari's servers. We store a Stripe customer identifier and subscription status so that we can grant access and issue invoices.
• Usage data. When you use the Service we record server-side events describing which pages you visit and which features you use, together with a logged-in user identifier, the requested URL, browser and operating system reported by your browser, and a truncated IP address. We use this to understand how the product is used and to fix problems. We do not use these events for advertising and we do not combine them with data from other websites.
• Communications. If you contact us by email or via a support form, we keep a record of that correspondence.
• Service content. Items you save while using the Service — for example, watchlists or saved searches — are stored against your account. These typically describe patents and compounds, not people.

The data made available through the Service — extracted pharmacokinetic parameters, compound classifications, patent metadata — is sourced from published patent documents and is not personal data about you.

3. How and why we use personal data

We use the data described above for the following purposes and on the following legal bases under the UK GDPR and EU GDPR:

• To provide the Service — creating and managing your account, granting access, providing support, and operating the features you use. Legal basis: performance of a contract.
• To process payments and manage subscriptions — through Stripe. Legal basis: performance of a contract.
• To send service emails — such as email verification, password resets, billing notices, and material changes to the Service. Legal basis: performance of a contract.
• To understand product usage and improve the Service — using the server-side analytics described in Section 2. Legal basis: legitimate interests (operating and improving a product our customers have asked to use). You may object to this processing at any time by emailing us.
• To keep the Service secure — detecting and preventing abuse, fraud, and unauthorised access. Legal basis: legitimate interests (protecting the Service and our customers).
• To comply with legal obligations — such as keeping accounting records and responding to lawful requests from authorities. Legal basis: legal obligation.

We do not sell personal data, we do not use it for advertising, and we do not use it to train machine learning models.

4. Cookies and similar technologies

We use only cookies that are strictly necessary to operate the Service. We do not use advertising, marketing, or cross-site tracking cookies, and we do not load third-party analytics scripts in your browser.

The strictly necessary cookies we set are:

• Session cookie — keeps you signed in. Expires when your session ends or you sign out.
• CSRF token — protects forms against cross-site request forgery. Expires after approximately one year.
• Authentication cookies set by our authentication library to remember that you have signed in and that your email has been verified.
• Stripe cookies set on Stripe-hosted pages (Checkout and the Customer Portal) for fraud prevention and to operate the payment flow. These are governed by Stripe's privacy policy.

Because these cookies are strictly necessary to deliver a service you have requested, they do not require consent under the UK Privacy and Electronic Communications Regulations or the EU ePrivacy Directive. If we add cookies that are not strictly necessary in the future, we will ask for your consent before setting them.

5. Service providers

We use a small number of vetted third parties to operate the Service. Each acts as a processor on our instructions under a written data processing agreement.

• Stripe — payment processing and subscription management. Stripe receives the payment details you enter at checkout. We share your email address and a customer identifier with Stripe so that invoices and receipts can be linked to your account.
• PostHog (EU region) — product analytics. We send server-side usage events to PostHog's EU infrastructure. Events include a user identifier, page or feature accessed, and a truncated IP address. PostHog does not load any script in your browser and does not set any cookie on our domain.
• Hosting and infrastructure providers — used to run the Service and store the database in which your account data resides.
• Transactional email provider — used to deliver service emails (email verification, password resets, billing notices). The provider receives your email address and the contents of those messages.

We may share personal data with our professional advisers (lawyers, accountants, auditors) where strictly necessary, and with competent authorities where required by law.

6. How long we keep personal data

• Account data is kept for as long as your account is active. If you close your account, we delete or anonymise your account data within 30 days, except where we are required to retain specific records for longer (see below).
• Billing records are retained for the period required by applicable accounting and tax law (typically 5–7 years).
• Usage events are retained for up to 12 months in PostHog and then deleted automatically.
• Support correspondence is retained for up to 3 years after the conversation ends.

7. Your rights

If the UK GDPR or EU GDPR applies to you, you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted, where one of the grounds in Article 17 GDPR applies.
• Restrict or object to processing carried out on the basis of legitimate interests.
• Receive your data in a portable, machine-readable format.
• Withdraw any consent you have given (where we rely on consent), without affecting the lawfulness of earlier processing.

To exercise any of these rights, email help@venaridata.com. We will respond within one month. We may need to verify your identity before acting on a request.

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local supervisory authority. Within the European Union, you can find your authority via the European Data Protection Board's members page. In the United Kingdom, the supervisory authority is the Information Commissioner's Office.

8. Security

We protect personal data with technical and organisational measures appropriate to the risk, including TLS encryption in transit, encrypted backups, salted password hashing, role-based access controls, and audit logging of administrative actions. No method of transmission or storage is perfectly secure, but we work to align with industry-standard practice and we keep the list of people with access to production systems short.

9. Changes to this policy

We may update this policy from time to time. When we make a material change we will update the "Last updated" date at the top of this page and, where the change is significant, notify Authorised Users by email at least 14 days before the change takes effect.

10. Contact

Questions about this Privacy Policy or about how we handle personal data should be sent to help@venaridata.com.