Effective Date: March 2026 | Valid for Phonos Web Application
FyreFly Systems GbR
Maximilian Scheinast-Peter, Janek Franz Fabian
Bergstraße 16
06366 Köthen
Germany
Email: service@fyreflysystems.com
Website: fyreflysystems.com
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws is FyreFly Systems GbR, represented by Maximilian Scheinast-Peter and Janek Franz Fabian.
The protection of your personal data is very important to us. This privacy policy informs you about the type, scope, and purpose of the processing of personal data when using our Phonos Web Application ("Service"). We process your data exclusively on the basis of legal provisions (GDPR, German Telecommunications Act).
When accessing our website, the browser on your device automatically sends information to our website server. This information is temporarily stored in a log file:
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in ensuring system security and stability)
Retention Period: Data is deleted as soon as it is no longer required for the purpose of its collection, at the latest after 90 days.
Registration is required to use our service. We collect the following personal data:
| Data Type | Purpose of Processing | Legal Basis |
|---|---|---|
| Username | Identification and authentication | Art. 6 para. 1 lit. b GDPR (contract performance) |
| Email Address | Communication, two-factor authentication, password reset | Art. 6 para. 1 lit. b GDPR (contract performance) |
| Password (hashed) | Authentication and access protection | Art. 6 para. 1 lit. b GDPR (contract performance) |
| Profile Picture (optional) | Personalization of user profile | Art. 6 para. 1 lit. a GDPR (consent) |
| Organization/Team Membership | Project management and access control | Art. 6 para. 1 lit. b GDPR (contract performance) |
When using the service, we process the following data:
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. f GDPR (legitimate interest in providing services)
Retention Period: Your research data is stored as long as your account is active. You can delete individual files or projects at any time.
To improve our service, we collect anonymized usage statistics:
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in optimizing our service)
We use technically necessary cookies to provide the service. These cookies are essential for the website to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
| session | Maintaining your login session | Session (until logout) |
| csrf_token | Protection against cross-site request forgery attacks | Session |
| user_preferences | Storing your user preferences (language, theme, etc.) | 1 year |
| disclaimer_accepted | Storing disclaimer consent | Session |
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in technical functionality and security)
We use Cloudflare as a Content Delivery Network (CDN) and for security services. Cloudflare sets cookies to protect the website and optimize delivery:
| Cookie Name | Purpose | Duration |
|---|---|---|
| __cflb | Load balancing - traffic distribution | Session |
| __cf_bm | Bot management for security | 30 minutes |
| cf_clearance | Security verification (after challenge) | 1 year |
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and fast website delivery)
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Our server infrastructure is hosted on Google Cloud Platform (GCP) in the European Union. Google may set technical cookies for:
Hosting Location: Google Cloud Platform, European Union
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in reliable hosting)
Privacy Policy: https://policies.google.com/privacy
We do NOT use external tracking services such as Google Analytics, Facebook Pixel, or similar third-party trackers. All usage statistics are collected internally and anonymized.
We do not share your personal data with third parties unless:
We use the following data processors and third-party providers:
| Service Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Hosting of server infrastructure and databases | European Union |
| Nebius AI | GPU compute infrastructure for AI/ML model execution (Boltz2, Evo2, and other computational models) | European Union |
| Cloudflare, Inc. | Content Delivery Network (CDN), DDoS protection, SSL/TLS encryption | EU/USA (Standard Contractual Clauses) |
| IONOS SE | Email delivery (transactional emails, 2FA codes, notifications) | Germany (GDPR compliant) |
| Stripe, Inc. | Payment processing for premium subscriptions | EU/USA (Standard Contractual Clauses, GDPR compliant) |
| NVIDIA DGX Cloud | GPU compute infrastructure used exclusively for demonstration and testing purposes (demo environment only) | USA (Standard Contractual Clauses) |
| Google LLC (Gemini AI) | Optional conversational AI assistance, file analysis, and AI-powered search (activated when using @gemini mentions or search functionality) | Worldwide / USA (Google's data protection framework) |
Data processing agreements have been concluded with all processors in accordance with Art. 28 GDPR. For transfers to third countries outside the EU, EU Standard Contractual Clauses are used.
Our server infrastructure runs on Google Cloud Platform in the European Union. All your data is stored exclusively on servers within the EU.
Privacy Policy: https://policies.google.com/privacy
Legal Basis: Art. 6 para. 1 lit. f GDPR, Art. 28 GDPR
Cloudflare improves the performance and security of our website through caching, DDoS protection, and SSL encryption. IP addresses and technical information are processed.
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in security and performance)
When you subscribe to a paid plan, payment information is transmitted directly to Stripe. We do NOT store complete credit card data on our servers.
Processed Data: Name, email address, billing address, payment method (tokenized)
Privacy Policy: https://stripe.com/privacy
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 6 para. 1 lit. c GDPR (legal obligations)
NVIDIA DGX Cloud GPU infrastructure is used exclusively for demonstration and testing purposes. No production user data is processed on this platform. Only synthetic or sample data is used during demo sessions.
Privacy Policy: https://www.nvidia.com/en-us/about-nvidia/privacy-policy/
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in platform testing and demonstration)
Note: This infrastructure is not used for processing actual user research data. All production workloads run on Nebius AI within the EU.
When you explicitly use Gemini features by @mentioning gemini in project chats or requesting file analysis, your queries and context are sent to Google's Gemini API.
Processed Data: User queries, project context, file content (optional, limited to 10,000 characters)
Privacy Policy: https://policies.google.com/privacy
Legal Basis: Art. 6 para. 1 lit. a GDPR (consent through active usage), Art. 6 para. 1 lit. b GDPR (contract performance)
Note: This is an optional feature. You can use all core features without activating Gemini integration.
All your core research data and scientific calculations (protein structure prediction, molecular docking, sequence design) are stored and processed exclusively on servers within the European Union (Google Cloud Platform). No transfer of your core research data to third countries outside the EU takes place.
Exception - Optional Gemini Feature: If you choose to use the optional Gemini AI features by @mentioning gemini, the data you send in those specific queries may be processed by Google on servers worldwide, including the USA. This is clearly communicated when you use the feature, and you have full control over what data you share with Gemini.
Cloudflare and Stripe may transfer technical data (IP addresses, metadata) to the USA as part of their services. This is done based on EU Standard Contractual Clauses and additional security measures in accordance with GDPR.
All core AI calculations (ESMFold, AlphaFold2, DiffDock, ProteinMPNN, Metal3D, Boltz2, Evo2) are performed on our own server infrastructure or on Nebius AI GPU infrastructure within the European Union. Your research data for structure prediction, molecular docking, and DNA generation is NOT transmitted to external AI services outside the EU. NVIDIA DGX Cloud is used exclusively for demonstration and testing purposes and does not process any production user data.
The Service offers optional AI-powered features through Google Gemini AI, including conversational assistance, file analysis, and intelligent search. These features are only activated when you explicitly use them by mentioning @gemini in project chats, requesting file analysis, or using the search functionality.
Data Transmitted to Google: When you use Gemini-powered features, the following data may be sent to Google's Gemini API:
Data Processing by Google: Google processes this data to generate AI responses. Google's data processing practices are governed by their Privacy Policy. Google may use API data to improve their services in accordance with their terms. We recommend reviewing Google's privacy policy at https://policies.google.com/privacy and their AI data usage policies.
Data Location: Google Gemini API requests may be processed on Google's servers worldwide, including outside the European Union. Data transfers to the USA are based on Google's compliance with applicable data protection frameworks.
Legal Basis: Art. 6 para. 1 lit. a GDPR (consent through active usage of the feature) and Art. 6 para. 1 lit. b GDPR (contract performance)
Your Control: You have full control over this feature. Simply avoid using @gemini mentions or AI assistance features if you prefer to keep your data entirely within our infrastructure. You can use all core protein analysis features without ever triggering Gemini integration.
We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons:
Under the GDPR, you have the following rights regarding your personal data:
You have the right to obtain information about the personal data we process. You can request an overview of your data in your account settings at any time.
You have the right to rectify inaccurate or incomplete data and to erase your data ("right to be forgotten"). You can delete your account and all associated data in the settings at any time.
You have the right to request restriction of processing of your data if accuracy is disputed, processing is unlawful, or data is no longer needed.
You have the right to receive the data concerning you in a structured, commonly used, and machine-readable format. You can export your research data in the dashboard at any time.
You have the right to object to the processing of your personal data if it is based on legitimate interests.
If processing is based on your consent, you can withdraw it at any time. The lawfulness of processing carried out until withdrawal remains unaffected.
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your data.
We store your personal data only as long as it is necessary for the fulfillment of the purposes or as long as legal retention requirements exist:
| Data Type | Retention Period |
|---|---|
| Account Data (username, email) | Until account deletion |
| Research Data (sequences, structures, jobs) | Until manual deletion or account deletion |
| Server Log Files | Maximum 90 days |
| Billing Data (for paid features) | 10 years (legal retention requirement) |
| Email Communication | Until account deletion + 6 months |
We do not use automated decision-making in accordance with Art. 22 GDPR. AI models are used exclusively for scientific calculation of protein structures and properties, not for evaluation or profiling of individuals.
Our service is intended for persons who have reached the age of 16. Persons under 16 may only use the service with the consent of their legal guardians. We do not knowingly collect personal data from persons under 16 without appropriate consent.
We reserve the right to amend this privacy policy to adapt it to changed legal situations or changes to the service. The current version can always be found on this page. We will notify you of significant changes by email.
If you have questions about data protection, wish to exercise your rights, or have a complaint, you can contact us at any time:
Data Protection Officer:
FyreFly Systems GbR
Maximilian Scheinast-Peter, Janek Franz Fabian
Email: service@fyreflysystems.com
Subject: "Data Protection - Phonos"
We strive to respond to your inquiries within 30 days.
For technical platform issues, you can use the in-app Report Bug button after login. Submitted bug reports may include your issue description plus diagnostic metadata such as current URL/view, browser user agent, platform, language, viewport/screen size, timezone, and IP address to enable troubleshooting.