Privacy Policy

2.1 Information You Provide

• Account Information: Email address, name, organization affiliation
• Research Data: Search queries, uploaded documents, annotations
• Payment Information: Billing details processed through Stripe
• Communications: Support requests, feedback, correspondence

2.2 Information Collected Automatically

• Usage Data: Features used, search patterns, session duration
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP addresses, access times, pages viewed
• Cookies: Session tokens, preferences, analytics data

2.3 Information from Third Parties

• OAuth Providers: Google account information when you sign in
• Payment Processors: Transaction confirmations from Stripe
• Analytics Services: Aggregated usage statistics

2.4 Special Categories of Data

Our Service is a research tool. We do not intentionally collect data concerning your personal health. Search queries about biomedical topics are processed to deliver research results and are not used to infer your personal health status. We recommend that you do not upload documents containing your own personal health data.

3.1 Service Delivery

• Provide and maintain the Service
• Process your research queries and requests
• Manage your account and subscriptions
• Provide customer support

3.2 Service Improvement

• Improve AI models and search algorithms
• Develop new features and functionality
• Analyze usage patterns and optimize performance
• Conduct research and analytics

3.3 Communication

• Send service-related notifications
• Provide updates about your account
• Share important security alerts
• Send marketing communications (with consent)

3.4 Legal Compliance

• Comply with legal obligations
• Respond to lawful requests
• Protect our rights and property
• Enforce our Terms of Service

3.5 Legal Basis for Processing (EEA Users)

Under GDPR, we process your data on the following bases:

• Contractual necessity (Article 6(1)(b)): Service delivery, account management, subscription processing
• Legitimate interest (Article 6(1)(f)): Service improvement, security, analytics, AI model training from anonymized conversation patterns (see Section 3.6), knowledge graph contributions for Starter and Pro tier subscriptions (see Section 3.6)
• Consent (Article 6(1)(a)): Marketing communications, optional knowledge graph contributions (Max/Lab tiers), analytics cookies
• Legal obligation (Article 6(1)(c)): Tax records, regulatory compliance

3.6 AI Development and Knowledge Graph Contributions

We may use anonymized conversation patterns to improve our AI models. This setting is enabled by default and can be disabled at any time by an organization owner or admin through the dashboard settings. When enabled, data is anonymized before any use for model improvement. We do not use your raw research documents or uploaded files as training data.

For Starter and Pro tier knowledge graph contributions, we rely on legitimate interest (Article 6(1)(f)). We have conducted a balancing test weighing our interest in building a comprehensive biomedical knowledge base against your privacy rights. Contributions are anonymized before aggregation, minimizing privacy impact. You may object to this processing under Article 21 GDPR by contacting hello@motif.bio, which may require upgrading to a tier with private knowledge graph features.

4.1 Service Providers

• Cloud Infrastructure: Google Cloud Platform, Vercel (hosting and compute)
• Database Services: Neon (PostgreSQL database)
• Payment Processing: Stripe (billing and subscriptions)
• Email Services: Resend (transactional emails)
• AI Processing: Third-party AI model providers via API (query processing, entity extraction, and cross-referencing). A current list of AI sub-processors is available upon request.
• Analytics: Google Analytics (usage statistics, when analytics cookies are consented to)
• Marketing: Meta (advertising measurement, when marketing cookies are consented to)

AI Processing Disclosure: Your search queries and selected documents are processed through third-party AI model provider APIs to provide AI-powered summaries, entity extraction, relationship identification, and cross-referencing. These providers process this data under our data processing agreements and do not use your data to train their models. A current list of AI sub-processors is available upon request at hello@motif.bio.

4.2 Knowledge Graph Contributions

Starter and Pro tiers: Your extractions contribute anonymously to the shared knowledge graph. This is required for these tiers and helps build a comprehensive biomedical knowledge base for all users.

Max and Lab tiers: Your extractions are private by default. You may optionally enable sharing to contribute to the shared knowledge graph.

Contributions to the knowledge graph are stored without personal identifiers. If both you and your organization opt in to public attribution, a separate metadata record linking your identity to your contributions is maintained. Without this opt-in, no such link exists and contributions cannot be attributed to you. Our anonymization process removes all data that could be used to identify the contributing user, rendering contributions non-identifiable in accordance with GDPR Recital 26.

4.3 Legal Requirements

• To comply with legal process
• To respond to government requests
• To protect our rights or safety
• In connection with corporate transactions

4.4 With Your Consent

We may share information for other purposes with your explicit consent.

4.5 Controller and Processor Roles

When you use the Service as an individual, Motif is the data controller. When your organization subscribes and you use the Service as an authorized user, your organization is the data controller and Motif acts as a data processor under a Data Processing Agreement in accordance with GDPR Article 28.

6.1 Access and Portability

• Access your personal data
• Export your data in standard formats
• Receive a copy of your information

6.2 Correction and Deletion

• Update inaccurate information
• Request deletion of your data
• Withdraw consent for processing

Withdrawal of consent is as easy as giving it: manage cookie preferences via the consent panel, or adjust knowledge graph sharing and AI training preferences via your dashboard settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.3 Opt-Out Rights

• Marketing communications
• Knowledge graph contributions (available for Max and Lab tiers; Starter and Pro tiers contribute as a core part of the service per our Terms of Service)
• AI model training (via the AI Training toggle in dashboard settings)
• Non-essential cookies

6.4 GDPR Rights (EEA Users)

• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right regarding automated decision-making: We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you (Article 22)
• Right to lodge a complaint with your local data protection authority

6.5 CCPA/CPRA Rights (California Residents)

• Know what personal information is collected and how it is used
• Request deletion of personal information
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of personal information
• Access their personal information
• Equal service and price, regardless of privacy choices

Motif does not sell your personal information as defined under the CCPA/CPRA. Our tiered subscription model reflects different feature sets, not compensation for personal data.

To exercise your CCPA rights, contact hello@motif.bio.

6.6 Response Timeline

We will respond to privacy requests within one month of receipt (GDPR) or 45 days (CCPA). If an extension is necessary, we will inform you within the initial period.

7.1 Technical Measures

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Access controls and authentication
• Regular security assessments

7.2 Organizational Measures

• Employee training on data protection
• Incident response procedures
• Vendor security assessments
• Regular policy reviews

7.3 Breach Notification

• We will notify the competent supervisory authority within 72 hours where the breach is likely to result in a risk to your rights, in accordance with GDPR Article 33
• Where the breach is likely to result in a high risk to your rights, we will notify you without undue delay, in accordance with GDPR Article 34
• For California residents, we will provide notification as required by Cal. Civ. Code Section 1798.82
• We will document all breaches and our response measures

9.1 Data Location

Your data may be processed in:

• United States (primary)
• European Union (for EU users when available)
• Other jurisdictions where our AI processing sub-processors operate, subject to the transfer safeguards described in Section 9.2

9.2 Transfer Safeguards

For international transfers, we use:

• Standard Contractual Clauses
• Data Processing Agreements
• Appropriate security measures