Privacy Policy

BIOME collects the following information when you use the platform:

• Email address or wallet address (used for account creation and authentication)
• Display name, bio, and region (optional profile fields)
• Study participation history (experiments applied for, approved, completed)
• Payout information (bank details, PayPal, or wallet address for reward disbursement)
• Device and browser metadata for security and fraud prevention
• Communications within the platform (comments, Q&A threads)

For participants who complete the full verification process, we may also collect: year of birth, country of residence, and health-relevant eligibility answers. These are stored with strict access controls and are never sold to third parties.

All data is stored on Supabase (hosted on AWS infrastructure). Your data is encrypted at rest and in transit. BIOME uses row-level security policies to ensure you can only access your own data — experimenters cannot see participant personal details beyond what is needed for study coordination.

Authentication is handled by Privy. BIOME does not store your private keys if you log in with a wallet. Privy's privacy policy governs authentication data.

BIOME does not sell your personal data. We may share limited information in the following circumstances:

• With the experimenter running a study you have applied to — only your pseudonym, region, and eligibility status are shared, never your email or full name unless you explicitly consent
• With payment processors (bank transfer intermediaries, PayPal, or on-chain networks) to fulfil payout obligations
• With law enforcement or regulatory bodies if required by law
• With third-party service providers (hosting, analytics) bound by data processing agreements

We retain your account data for as long as your account is active. If you request account deletion, your personal data is anonymised or deleted within 30 days, except where retention is required by law (e.g., financial records must be kept for 7 years under applicable regulations).

Participation records (pseudonymised) may be retained for research integrity purposes even after account deletion. These records cannot be linked back to you.

As a user of BIOME, you have the following rights with respect to your personal data:

• Access — request a copy of all personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and personal data
• Portability — request your data in a machine-readable format
• Objection — object to processing of your data for certain purposes

To exercise any of these rights, contact us at privacy@biome.to. We will respond within 30 days.

BIOME uses essential cookies for session management and authentication. We do not use tracking cookies or third-party advertising cookies. You can disable cookies in your browser settings, but this may prevent you from logging in.

BIOME integrates with the following third-party services:

• Supabase — database and authentication infrastructure
• Privy — wallet and email authentication
• Netlify — hosting and deployment

Each of these services has its own privacy policy. We encourage you to review them. BIOME is not responsible for the data practices of third-party services.

This Privacy Policy is governed by the laws of India. Any disputes arising from this policy will be resolved under the jurisdiction of the courts of India. If you are based in the European Union, you also have rights under the General Data Protection Regulation (GDPR) and may lodge a complaint with your local data protection authority.

For any privacy-related questions or requests, contact BIOME at:

privacy@biome.to