Privacy Policy

Introduction

Lantern Pharma Inc. ("Lantern Pharma", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and share your personal information when you use withZeta ("Zeta", "Service", "Platform").

This Privacy Policy applies to all users of withzeta.ai and related services. By using the Service, you consent to the data practices described in this policy.

Important Compliance Note: This Privacy Policy is designed to comply with:

• General Data Protection Regulation (GDPR) - European Union
• California Consumer Privacy Act (CCPA) - California, USA
• Texas Data Privacy and Security Act - Texas, USA

Contact Information:
Data Protection Officer: contact@withzeta.ai
Address: Lantern Pharma Inc., Dallas, Texas, United States

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email Address: Used for authentication and account recovery (via AWS Cognito)
• Name: Collected via Google OAuth or manual entry during email signup
• User ID: Auto-generated unique identifier for your account
• Authentication Method: Whether you signed up via Google OAuth or email

1.2 Usage Data

We automatically collect information about how you use the Service:

• Conversation History: Your queries, AI-generated responses, and conversation metadata
• Tool Execution Logs: Which research tools were called (PubMed, ORPHANET, etc.) and when
• Token Usage: Number of input/output tokens consumed per query (for billing and usage tracking)
• Knowledge Graphs: Automatically generated knowledge graphs from your conversations
• Timestamps: When you accessed the Service, created conversations, or executed queries
• Session Data: Duration of sessions, features used, and interaction patterns
• Feedback Data: When you rate a response (thumbs up/down) or submit feedback, we store the entire conversation thread as context for understanding your feedback

1.3 Technical Data

We collect technical information to operate and secure the Service:

• IP Address: Used for security monitoring, rate limiting, and geographic analytics
• Browser Type & Version: For compatibility and debugging purposes
• Device Information: Operating system, screen resolution, device type (desktop/mobile/tablet)
• Cookies & Session Tokens: Authentication tokens, session IDs, and preference cookies
• Referral Source: How you arrived at withzeta.ai (direct, search, referral link)

1.4 File Uploads (When Enabled)

• Uploaded Documents: PDF, text, or markdown files you upload for analysis
• File Metadata: Filename, file size, upload timestamp, and file type
• S3 Storage Location: AWS S3 key where the file is stored
• File Content: Extracted text from uploaded documents for AI analysis

1.5 Data We Do NOT Collect

• ✗ Protected Health Information (PHI): Patient names, medical record numbers, diagnoses linked to individuals
• ✗ Social Security Numbers: Or any government-issued identifiers
• ✗ Payment Information: No credit cards or financial data during beta (future payments via Stripe - we won't store card data)
• ✗ Biometric Data: No fingerprints, facial recognition, or biometric identifiers
• ✗ Precise Geolocation: We collect country/region from IP, not GPS coordinates

HIPAA Compliance: The Service is NOT HIPAA-compliant. Do not input any Protected Health Information (PHI) or patient-identifiable data.

2. How We Use Your Information

2.1 Service Provision

We use your information to provide and operate the Service:

• Authentication: Verify your identity via AWS Cognito
• Conversation Storage: Save your chat history for retrieval and continuity
• AI Response Generation: Process your queries through large language models (Anthropic Claude)
• Tool Execution: Call medical APIs (PubMed, ORPHANET) based on your research needs
• Knowledge Graph Creation: Generate visual relationship maps from conversation content
• Beta Credit Allocation: Track usage against your free beta credit allowance

2.2 Service Improvement & AI Model Training

How to opt-out:

• Go to Account Settings → Privacy Settings
• Toggle "Use my conversations for model improvement" to OFF
• This applies to future conversations only

When we WILL use your data even if opted-out:

• Conversations flagged for safety review (abuse, illegal activity, policy violations)
• Content you explicitly report via feedback mechanisms (thumbs up/down, safety reports)
• Materials required for legal or regulatory compliance

General service improvement activities:

• Query Pattern Analysis: Understand common research questions to optimize tool selection
• AI Model Training: Use conversation data to improve model performance (unless opted-out)
• LLM Performance Monitoring: Track response quality, hallucination rates, and citation accuracy
• Bug Detection: Identify system errors, crashes, and performance bottlenecks
• Feature Usage Metrics: Determine which features are most valuable to users
• A/B Testing: Compare different UI designs or AI prompt strategies (anonymized data only)

Important: If you provide explicit feedback (rate responses, submit safety reports), that conversation will be used for improvement even if you have opted out of general training data usage.

2.3 Security & Fraud Prevention

We use your information to protect the Service and our users:

• Abuse Detection: Identify unusual query patterns, bot activity, or automated scraping
• Rate Limiting: Prevent service abuse by monitoring per-user request rates
• Unauthorized Access Prevention: Detect suspicious login attempts or account takeover
• System Health Monitoring: Track performance metrics to prevent outages

2.4 Communication

We may use your email address to send:

• Service Updates: Announcements about new features, maintenance, or downtime
• Security Notifications: Alerts about account security issues or required actions
• Beta Program Updates: Information about beta program changes or graduation to paid tiers
• Marketing Communications: Newsletters or product announcements (opt-in only - you can unsubscribe anytime)

3. How We Share Your Information

3.1 Third-Party Services

We share data with trusted third-party service providers to operate the Service:

Amazon Web Services (AWS)

• Purpose: Hosting, database storage, authentication, file storage
• Data Shared: All account data, conversation history, uploaded files
• Privacy Policy: aws.amazon.com/privacy

Google OAuth (Optional Authentication)

• Purpose: Single sign-on authentication (if you choose Google Sign-In)
• Data Shared: Email address, name, profile picture URL (we don't store the picture)
• Privacy Policy: policies.google.com/privacy

Large Language Model Providers

We use multiple AI model providers (both open-source and commercial APIs) which may change over time. Current providers include Anthropic (Claude), and others. When you interact with our Services:

• Purpose: Large language model inference for AI responses
• Data Shared: Your queries, conversation history (as context), system prompts
• Data Retention (Commercial APIs): Commercial API providers like Anthropic do NOT train models on our data (per commercial API terms). They may retain API logs temporarily for abuse monitoring (typically 30 days), then delete them.
• Training Prohibition: Commercial API providers do NOT train models on Zeta user data under our agreements
• Model Changes: We may change AI model providers or use different models without notice as we improve our Services

External Medical APIs

When you use research tools, we send queries to external databases:

• PubMed/MEDLINE: Search queries only (no personal data) - nlm.nih.gov/web_policies
• ORPHANET: Disease queries only - orpha.net
• NCI Thesaurus: Cancer terminology queries - cancer.gov/policies
• PredictBBB.ai: SMILES strings for BBB prediction - predictbbb.ai

Important: These APIs receive your research queries but NOT your personal information (name, email, account details).

3.2 Legal Requirements

We may disclose your information if required by law or in good faith belief that such action is necessary to:

• Comply with legal obligations (subpoenas, court orders, legal process)
• Protect Lantern Pharma's legal rights and property
• Prevent fraud, security threats, or illegal activity
• Protect the safety of users or the public

3.3 Business Transfers

If Lantern Pharma is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the successor entity. You will be notified via email of any such change in ownership or control of your personal information.

3.4 We DO NOT Sell Your Data

• ✓ No data brokerage or marketing lists
• ✓ No third-party advertising networks
• ✓ No social media pixel tracking (beyond basic analytics)

4. Data Storage & Security

4.1 Storage Location

Your data is stored in the following AWS regions and services:

• Primary Region: us-east-2 (Ohio), United States
• DynamoDB: Conversation history, user accounts, WebSocket connections
• Aurora PostgreSQL: Rare Cancers Knowledge Base (curated medical data)
• S3: File uploads, knowledge graph exports, PDF exports
• AWS Cognito: Authentication tokens and user credentials

4.2 Security Measures

We implement industry-standard security practices:

• Encryption in Transit: All data transmitted via TLS 1.2+ (HTTPS)
• Encryption at Rest: All databases and file storage encrypted via AWS KMS
• IAM Role-Based Access: Least-privilege access control for AWS resources
• Authentication: AWS Cognito with multi-factor authentication support (optional)
• Regular Security Audits: Quarterly internal reviews and annual external penetration testing
• Secrets Management: API keys and credentials stored in AWS Secrets Manager (not in code)
• VPC Isolation: Lambda functions and databases run in isolated Virtual Private Cloud

4.3 Data Retention

We retain your information for the following periods:

• Active Accounts: Conversation history retained indefinitely while your account is active
• Deleted Accounts: 30-day grace period (account recoverable), then permanent deletion
• Backup Retention: Encrypted backups retained for 90 days for disaster recovery
• Audit Logs: Security and access logs retained for 1 year (compliance requirement)
• Anonymized Analytics: Aggregated usage statistics retained indefinitely (no personal identifiers)

4.4 Security Limitations

Your Responsibilities:

• Use strong, unique passwords
• Enable two-factor authentication (when available)
• Do not share your account credentials
• Report security concerns immediately to contact@withzeta.ai

5. Your Rights & Choices

5.1 Access Your Data

You have the right to access your personal information:

• Download Conversations: Export your chat history via in-app export feature
• Request Data Report: Email contact@withzeta.ai for a complete data access report
• Response Time: We will respond within 30 days (45 days for complex requests)

5.2 Delete Your Data

You can delete your information at any time:

• Delete Individual Conversations: Use the delete button in the conversation sidebar
• Delete Entire Account: Go to Account Settings → Delete Account, or email contact@withzeta.ai
• Grace Period: 30 days to recover account after deletion
• Permanent Deletion: After 30 days, all data is permanently deleted (except audit logs required by law)

5.3 Correct Your Data

You can update your account information:

• Email Address: Update via Account Settings (requires email verification)
• Name: Update via Account Settings
• Password: Change via Account Settings or password reset flow

5.4 Opt-Out of Marketing

You can control marketing communications:

• Unsubscribe Links: All marketing emails include one-click unsubscribe
• Email Preferences: Manage preferences in Account Settings
• Note: You cannot opt-out of essential service emails (security alerts, account changes)

5.5 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under GDPR:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Data Portability: Receive your data in machine-readable format (JSON export)
• Right to Object: Object to processing of your data for direct marketing
• Right to Restrict Processing: Limit how we use your data
• Right to Withdraw Consent: Withdraw consent for processing at any time

To exercise these rights, contact our Data Protection Officer at contact@withzeta.ai.

5.6 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: (Not applicable - we don't sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

California residents can exercise these rights by emailing contact@withzeta.ai with subject line "CCPA Request".

5.7 Automated Decision-Making & Profiling

• We do NOT use AI to make automated decisions about your eligibility for services, employment, housing, credit, or other legal rights
• We do NOT create automated profiles that determine access to features or services
• All account-related decisions (suspension, termination) involve human review

This means you have no need to object to automated decision-making under GDPR Article 22, because we do not engage in such processing.

6. Cookies & Tracking

6.1 Essential Cookies

We use cookies and similar technologies that are necessary for the Service to function:

• Authentication Tokens: AWS Cognito session tokens (stored in browser localStorage)
• Session Management: Track your login session and keep you authenticated
• Security: CSRF (Cross-Site Request Forgery) protection tokens
• User Preferences: Remember your settings (theme, sidebar state, etc.)

These cookies cannot be disabled as they are required for the Service to work.

6.2 Analytics Cookies (Future)

We may implement analytics cookies in the future to understand usage patterns:

• Google Analytics: Anonymized IP addresses, page views, session duration
• Opt-Out: You can opt-out via browser settings or Do Not Track (DNT) signal

Current Status: We do NOT currently use third-party analytics cookies.

6.3 Third-Party Cookies

We do NOT use third-party cookies for advertising or cross-site tracking.

6.4 Browser Controls

You can control cookies via your browser settings:

• Chrome: Settings → Privacy and Security → Cookies
• Firefox: Preferences → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Cookies and Website Data

Warning: Blocking essential cookies will prevent you from logging in and using the Service.

7. Children's Privacy

We do not knowingly collect personal information from children under 13. If you are between 13-17 years old, you must have parent or guardian consent to use the Service.

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information immediately.

Parents/guardians who believe their child has provided personal information can contact us at contact@withzeta.ai to request deletion.

8. International Data Transfers

8.1 Data Storage Location

Your data is stored on servers located in the United States (AWS us-east-2 region, Ohio). If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the U.S.

8.2 EU-US Data Transfers

For users in the European Union:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers
• AWS GDPR Compliance: AWS complies with GDPR requirements - aws.amazon.com/compliance/gdpr-center
• Data Protection Impact Assessment: Available upon request to contact@withzeta.ai

8.3 Privacy Shield

While the EU-US Privacy Shield framework was invalidated in 2020 (Schrems II decision), we comply with Standard Contractual Clauses as an alternative legal mechanism for EU data transfers.

9. Changes to This Policy

9.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Changes will be effective immediately upon posting to this page.

9.2 Notification of Material Changes

For material changes that significantly affect your rights, we will:

• Email you at your registered email address (minimum 30 days notice)
• Display a prominent notice in the Service
• Update the "Last Updated" date at the top of this page

9.3 Your Options After Changes

If you disagree with changes to this Privacy Policy:

• You may delete your account before the changes take effect
• Continued use of the Service after changes = acceptance of the new policy

10. Contact Us

10.1 Data Protection Officer

For privacy-related inquiries, data access requests, or to exercise your rights:

Email: contact@withzeta.ai
Subject Line: "Privacy Inquiry" or "Data Request"
Response Time: 30 days (45 days for complex requests)

10.2 General Contact

Lantern Pharma Inc.
Address: Dallas, Texas, United States
Website: lanternpharma.com
Support: contact@withzeta.ai

10.3 EU Representative (If Required Under GDPR)

If our EU user base grows significantly, we will appoint an EU representative as required under GDPR Article 27. Currently, you can contact our Data Protection Officer directly at the email above.

10.4 Supervisory Authority (EU Users)

EU users have the right to lodge a complaint with their local data protection authority if they believe we have violated GDPR. A list of EU data protection authorities is available at: edpb.europa.eu

Last Updated: January 16, 2026

Version 1.0 (Beta)