Privacy Policy

Olto Discovery is owned and operated by Velora Biotech LLC (DMCA registration number DMCA-1073266). References below to “Olto”, “we”, “us”, or “our” mean Velora Biotech LLC. You can reach us at support@oltodiscovery.com.

This Privacy Policy applies to https://oltodiscovery.com and its subdomains, our web and mobile applications, and any related services we provide (collectively, the “Service”). It does not apply to third-party websites or services, even when they are linked from the Service.

We use your information to: (a) provide, maintain, and improve the Service; (b) authenticate you and secure your account; (c) generate AI content you request via our AI inference partners; (d) deliver collaboration and team features; (e) respond to support inquiries; (f) bill you and prevent fraud; (g) send transactional emails (e.g. password resets, billing) and, with your consent, product updates; (h) comply with legal obligations; (i) detect, prevent, and respond to security incidents or abuse.

If you are in the European Economic Area or United Kingdom, we process personal data on the following bases: performance of a contract (to deliver the Service to you), legitimate interests (to secure and improve the Service, where not overridden by your rights), consent (for optional analytics and marketing communications), and legal obligations (e.g. tax records). You have the right to withdraw consent at any time.

We do not sell your personal information. We do not use your private research content to train any public AI model unless you have clearly consented to that use. We share information only with: (a) infrastructure and service providers acting as data processors on our behalf: Supabase, Inc. (database, authentication, and file storage, hosted in the United States); Vercel, Inc. (application hosting, Vercel Analytics, and Vercel Speed Insights); Anthropic PBC (AI inference for protocol generation, assistant chat, and related AI features); Stripe, Inc. (payment processing); PostHog, Inc. (product analytics, used with your consent); Google LLC (Google Analytics, used with your consent); hCaptcha (Intuition Machines, Inc.) (bot-protection on sign-in and sign-up); (b) team members you explicitly invite to your workspace; (c) authorities when required by valid legal process; (d) acquirers in connection with a merger, acquisition, or asset sale, in which case we will notify you. We require all processors to maintain appropriate technical and organizational safeguards. Some of these providers operate SOC 2-aligned security programs; that is a property of the provider, not a certification of Olto Discovery itself.

Essential cookies (always active): authentication session tokens, CSRF tokens, theme preference, and security cookies. These are required to operate the Service and cannot be disabled.

Analytics (optional, with your consent): Google Analytics (with IP anonymization) and PostHog. Analytics is denied by default until you explicitly accept via the on-site cookie banner. You can change your analytics preference at any time at oltodiscovery.com/cookies. We honor Global Privacy Control (GPC) and “Do Not Track” signals where technically feasible. We do not use advertising cookies.

When you use AI-powered features (protocol generation, assistant chat, paper analysis, statistical analysis, simulation, or refinement), the prompts you submit, files you upload for AI processing, and assistant conversations are sent to our AI inference partner to produce the response. We do not use this content to train Olto-owned or public AI models. Our AI inference partner’s handling of API content is governed by their applicable API terms and privacy commitments at the time of the request. AI-generated content is a starting point and must be reviewed by a qualified person before it is used in research, clinical, or regulated contexts. See our AI Disclosure & Safety section in the documentation for additional limitations.

Unless expressly permitted in a signed Enterprise agreement with appropriate configuration, users must not upload protected health information (PHI), patient-identifiable clinical data, classified information, export-controlled data, controlled unclassified information (CUI), or other regulated sensitive data to the Service. Olto Discovery is not, by default, a HIPAA-covered platform and does not provide a Business Associate Agreement on standard plans. Where research involves sensitive data, you are responsible for ensuring an appropriate configuration is in place before uploading.

We retain account information while your account is active and for a period after deletion to permit account recovery and meet legal obligations, after which records are removed from active systems. Protocols and content you generate are retained while your account is active; on deletion they are removed from active systems within a reasonable period, though encrypted backups may persist until they are overwritten by the backup rotation. Security and audit logs (a record of security-relevant actions) are retained on a bounded schedule (routine events for up to 365 days and security-relevant events for up to 730 days), after which they are automatically purged. AI inference logs and metadata are retained in line with our AI provider’s API terms and our security needs. Billing records are retained for at least 7 years to meet tax obligations.

Depending on your jurisdiction, you may have rights to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) delete your data (“right to be forgotten”); (d) export your data in a portable format; (e) restrict or object to processing; (f) lodge a complaint with a supervisory authority. California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, the right to opt out of “sale” or “sharing” (we do neither), and the right not to be discriminated against for exercising these rights. To exercise any right, email support@oltodiscovery.com. We will respond within 30 days where required by applicable law.

Individual accounts are intended for users who are 18 years of age or older. The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13 without required parental consent. Under-18 use is permitted only through an authorized educational structure (a school, teacher, parent or guardian, or other educational organization that has agreed to supervise the minor's use) and only for learning, classroom-safe planning, simulation, and educational experiment design. Student and minor use must be supervised, must not replace teacher, parent, institutional, or other qualified adult judgment, and must not include advanced regulated, clinical, pathogenic, controlled-substance, dual-use, or otherwise dangerous research workflows. If you believe a child has provided us personal information without required consent, contact us at support@oltodiscovery.com and we will delete it.

Olto Discovery is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission to safeguard such transfers.

We implement industry-standard security measures, including TLS in transit, encryption at rest, database-level access controls (PostgreSQL Row-Level Security), salted password hashing, rate limiting on authentication and AI endpoints, and audit logging of security-relevant events. No system is perfectly secure. To report a vulnerability or security concern, email security@oltodiscovery.com. See our Security page for more detail.

You retain ownership of the protocols, notebooks, files, AI-generated outputs (based on your inputs), and other content you create using the Service. We receive only the limited license needed to store, process, display, and provide the Service to you. By making content “public” in the library, you grant Olto a non-exclusive, royalty-free license to display and distribute it as part of the Service. Velora Biotech LLC has registered for DMCA protection under DMCA registration number DMCA-1073266. To report copyright infringement, send notice to support@oltodiscovery.com with: (i) identification of the copyrighted work claimed to have been infringed; (ii) identification of the material claimed to be infringing and its location; (iii) your contact information; (iv) a statement of good faith belief that the use is not authorized; (v) a statement under penalty of perjury that the information is accurate and you are authorized to act; (vi) your physical or electronic signature.

We may update this Privacy Policy from time to time. If we make material changes we will notify you by email (to the address on your account) and by posting a notice on the Service before the change takes effect. The “Last updated” date below indicates the current version.