Privacy Policy

Last Updated: April 2026

TL;DR: We protect your data, don't sell it, give you full control to access or delete it, and only share what's needed to operate the Service. Published experiments are public by design.


Welcome to Xpriments ("Xpriments," "we," "us," or "our"). Xpriments is an open registry for scientific experiments.

Xpriments (xpriments.com) is a product of smarts.bio. References to "we," "us," or "our" in this Privacy Policy refer to smarts.bio, the owner and operator of xpriments.com.

This Privacy Policy explains what information we collect, how we use it, and your rights when using xpriments.com (the "Service").

By using Xpriments, you agree to this Privacy Policy. If you don't agree, please don't use the Service.


1. Information We Collect

1.1 Information you provide directly

  • Account details: name, email, institutional affiliation, login credentials
  • Experiments and attachments: .xpr files, data files (CSV, JSON, images), and associated metadata you publish
  • Community contributions: reviews, replication reports, discussion comments
  • Messages, feedback, or support requests

1.2 Information collected automatically

  • Technical data: IP address, browser, OS, device identifiers
  • Usage data: pages visited, experiments viewed or forked, timestamps, feature usage
  • Cookies and analytics (Google Analytics — see Section 6)

1.3 Public data

Published experiments, their metadata (author, title, description, license), and community content (reviews, replications, comments) are publicly visible by design. This is the core purpose of Xpriments as an open registry. If you don't want data to be public, don't publish it.


2. How We Use Information

We use your information to:

  • Operate and maintain the Service
  • Host, serve, and index published experiments
  • Enable search, browsing, and discovery of experiments
  • Facilitate forking, replication, and community interactions
  • Enhance functionality, performance, and user experience
  • Communicate updates, announcements, and support messages
  • Ensure security, prevent abuse, and comply with legal obligations
  • Improve the platform using aggregated, anonymized usage patterns

Important: We do not use your private (unpublished) data or account content to train AI models.


3. How We Share Information

We don't sell or rent your personal data. Sharing occurs only in the following cases:

  • Public content: Published experiments and community contributions are publicly accessible on xpriments.com and may be indexed by search engines
  • Service providers — trusted partners for hosting and operations:
    • Amazon Web Services (AWS) — cloud hosting and file storage
    • Google Analytics — website analytics (consent-gated; see Section 6)
    • Email service providers — transactional emails
  • Legal requirements — compliance with laws, court orders, or to protect our rights
  • Business transfers — mergers, acquisitions, or asset sales under equivalent protection terms
  • With your consent — when you explicitly authorize sharing

We never share your private (unpublished) data or account information with other users without your consent.


4. International Transfers & Compliance

Data Location: Xpriments is based in the U.S.; data is stored primarily on AWS US East (N. Virginia). Backups may replicate to additional regions for redundancy.

International Users: By accessing the Service outside the U.S., you consent to data transfer and processing in the U.S.

Privacy Frameworks: We comply with GDPR, UK GDPR, CCPA/CPRA, and PIPEDA (Canada). Legal basis for EU/UK users: performance of contract, consent, legal obligations, or legitimate interests.


5. Data Retention & Deletion

  • Active accounts: We retain account info, private experiments, and community content while your account is active
  • Published experiments: Remain publicly accessible until you delete them from the Settings tab
  • Account deletion:
    • Personal info and private data removed from active systems within 14 days
    • Published experiments are unpublished and removed
    • Forks created by other users before deletion remain accessible
    • Backups retained 90 days for disaster recovery, then permanently deleted
    • Metadata in logs retained 12 months for security auditing
    • Aggregated or anonymized data may be retained indefinitely
  • Data portability: You can request your data in machine-readable formats
  • Inactive accounts: Accounts inactive more than 2 years may be deleted after 30 days' notice

6. Cookies & Analytics

6.1 Cookie Consent

We use a cookie consent system on xpriments.com. Your consent preferences are stored in a secure cookie (cookie-consent) with domain .xpriments.com and are remembered for 365 days.

A cookie consent banner appears on your first visit, allowing you to accept all cookies, reject non-essential cookies, or customize your preferences.

6.2 Types of Cookies We Use

  • Essential cookies: Authentication cookies (auth_token) required for login and access to private experiments. These cannot be disabled.
  • Preference cookies: Store your accessibility settings (font size, contrast, theme) and cookie consent choices. Domain: .xpriments.com.
  • Analytics cookies: Google Analytics helps us understand how users discover and use the platform. Only activated with your explicit consent. If you reject analytics cookies, no tracking scripts are loaded.
  • Marketing cookies: Not currently in use. May be used in the future with separate consent.

6.3 What Happens When You Reject Analytics

If you reject analytics cookies: no Google Analytics scripts are loaded, no analytics data is collected, and all platform features continue to function normally.

6.4 Do Not Track (DNT)

We respect Do Not Track browser signals. If DNT is enabled, analytics cookies will not be activated even if you previously consented.

6.5 Third-Party Cookie Policies


7. Data Security

Technical safeguards: TLS 1.3 encryption in transit, AES-256 at rest, role-based access control, firewalls, intrusion detection, DDoS mitigation, and regular vulnerability scans.

Limitations: No system is 100% secure. You are responsible for maintaining the confidentiality of your login credentials.

Breach notification: We notify affected users via email within 72 hours of discovering a data breach affecting their personal information.


8. Your Rights

Depending on your location, you may:

  • Access or receive a copy of your data
  • Correct or update your account information
  • Request deletion of your account, private data, or published experiments
  • Object to or restrict processing of your data
  • Withdraw consent for optional processing (analytics)
  • Receive your data in a portable, machine-readable format

Exercising your rights: Email privacy@smarts.bio with your name, email, and request. We respond within 30 days.

Complaints: EU/UK users can contact their local data protection authority; U.S. users can contact their state attorney general.


9. Children's Privacy

  • Xpriments is intended for users 18+
  • We don't knowingly collect personal data from users under 13
  • Educational accounts for supervised minors (13–17) require institutional oversight

If you believe someone under 13 has provided us with personal information, contact privacy@smarts.bio and we'll delete it promptly.


10. Changes to This Policy

  • Material changes: 30-day notice on the website; email if your rights are significantly affected
  • Continued use after changes indicates acceptance
  • The "Last Updated" date at the top reflects the latest version
  • Previous versions available on request

11. Contact Us