AssayCore

Privacy Policy

Last updated: 2026-04-17

This policy describes how AssayCore collects, processes, and transfers personal data via assaycore.pro and the Managed Subscription service. Controller: AssayCore (info@assaycore.pro).

Data we collect

Contact form: name, email, company, message, approximate timezone. Payments (via Paddle): billing name, email, billing address, country, last-4 of card/IBAN, transaction amount. Paddle processes the full card/bank data; we never see or store it. Server logs: IP address, user-agent, referring URL, timestamp, requested path (retained for security). Cookies: see Cookie Policy.

Legal basis (GDPR Art. 6)

Contact form: consent (Art. 6.1.a). Service delivery and payments: performance of a contract (Art. 6.1.b). Security logs, fraud prevention and essential cookies: legitimate interest (Art. 6.1.f). Non-essential analytics / marketing cookies: consent (Art. 6.1.a) obtained via the cookie banner.

Data retention

Lead / contact-form data: 24 months unless you request deletion sooner. Payment and billing records (via Paddle): 10 years as required by tax law (EU VAT / US IRS). Service data (Managed Subscription): retained per your SOW; deleted within 30 days of contract termination. Server / security logs: 12 months. Encrypted backups: 90 days rolling, then permanently deleted.

Your rights (GDPR Art. 15-21)

You have the right to access, rectify, erase, restrict processing, port, and object. You may also withdraw consent at any time without affecting the lawfulness of prior processing, and lodge a complaint with your local supervisory authority. Email info@assaycore.pro to exercise any right - we respond within 30 days (extendable once by 60 days for complex requests).

Sub-processors

AWS (EU-Frankfurt) - Managed SaaS hosting. Cloudflare (EU/US) - DNS, CDN, WAF. Resend (EU/US) - transactional email. Paddle.com Market Ltd (UK) - payment processing, invoicing, tax handling, fraud protection. Vercel Inc. (US) - static hosting and CDN for the marketing site. Anthropic PBC (US) - AI model inference for optional in-app assistance (data not used for training; DPA in place). The current list is maintained here and updated when a sub-processor is added; material changes are announced with at least 30 days' notice. No data shared with third parties for their own marketing purposes.

International transfers

EU personal data is primarily hosted in EU regions. Transfers outside the EU/EEA (e.g., to Anthropic, Vercel, AWS-US regions when elected) rely on the EU Commission Standard Contractual Clauses (SCC, 2021/914) together with supplementary measures (encryption in transit and at rest, pseudonymisation where feasible). Transfers to the United States additionally rely on the EU-US Data Privacy Framework where the recipient is self-certified. For the UK we use the UK IDTA or UK Addendum to the SCC. A Transfer Impact Assessment (TIA) summary is available on request.

EU / UK representative (GDPR Art. 27)

AssayCore is a controller established outside the EU and the UK. For inquiries from data subjects in the EU or the UK, you may contact Paddle.com Market Ltd - our Merchant of Record and our appointed Article 27 representative under the GDPR and the UK GDPR. Postal address: Paddle.com Market Ltd, Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom. Email: privacy@paddle.com. This does not affect your right to contact us directly at info@assaycore.pro or to lodge a complaint with your local supervisory authority.

California residents - CCPA / CPRA rights

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to: (i) know what personal information we collect, use, disclose and, if applicable, sell or share; (ii) request deletion of your personal information; (iii) correct inaccurate personal information; (iv) opt out of the "sale" or "sharing" of personal information; (v) limit the use of sensitive personal information. To exercise any right, email info@assaycore.pro with subject "CCPA request". We verify your identity and respond within 45 days (extendable once by an additional 45 days when reasonably necessary, with notice). You may designate an authorized agent. We do not discriminate against consumers who exercise their rights.

Do Not Sell or Share My Personal Information

AssayCore does NOT sell your personal information and does NOT share it for cross-context behavioural advertising (as those terms are defined under CCPA/CPRA). If this ever changes, we will publish a "Do Not Sell or Share My Personal Information" opt-out link on every page and honour Global Privacy Control (GPC) browser signals. To submit a request today, email info@assaycore.pro - no verification required for the opt-out itself.

Children's data (COPPA / GDPR Art. 8)

Our services are intended for laboratory professionals and are not directed to children. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, contact info@assaycore.pro and we will delete it promptly.

Contact

Data protection inquiries: info@assaycore.pro. EU/UK representative: privacy@paddle.com (Paddle.com Market Ltd, London).