Privacy Policy | OmicsPlot

Section 1

Who We Are

OmicsPlot LLC is a North Carolina limited liability company currently in formation, operating OmicsPlot, a web-based bioinformatics visualization platform at omicsplot.com. When this policy refers to "OmicsPlot," "we," "us," or "our," it means OmicsPlot LLC once formed, and the founder operating in their individual capacity until formation is complete. Both are bound by the commitments in this Policy.

This Privacy Policy explains how we collect, use, and protect information about you when you use our Service. It applies to all OmicsPlot tools — Volcano Plot, Heatmap, GO Dotplot, Gene Annotate, Figure Builder, and any other features we offer.

Section 1a

Geographic Scope & International Users

OmicsPlot is operated from North Carolina, United States, and is primarily intended for users within the United States. We do not actively target, solicit, or market to users in the European Union, United Kingdom, Canada, or other international jurisdictions.

If you access OmicsPlot from outside the United States, you do so voluntarily and at your own risk with respect to compliance with your local laws. We do not represent that the Service complies with the data protection laws of any jurisdiction outside the United States, including but not limited to the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, or Canada's PIPEDA.

We do not knowingly process the personal data of EU or UK residents in a manner that triggers GDPR or UK GDPR obligations. If you are subject to GDPR or other international data protection laws, you are responsible for ensuring that your use of OmicsPlot complies with those laws before uploading any data. We recommend consulting your institution's data protection officer if you are unsure.

California residents: We do not sell or share your personal information as defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). We do not use your data for cross-context behavioral advertising. You have the right to know what personal information we collect, to request deletion, and to opt out of sale — though there is nothing to opt out of, as we do not sell data.

Section 2

What We Collect

We collect the minimum information necessary to provide the Service.

Category	What it includes	Why we collect it
Account information	Name, email address, profile picture — received from your OAuth provider (GitHub or Google) when you sign in	To identify your account and display your name/avatar in the interface
Saved content	Plot presets, figure builder layouts, analysis settings you explicitly save	To restore your settings across sessions
Uploaded files	CSV, TSV, or Excel files you upload for analysis	To generate your requested plots — deleted within 24 hours
Usage information	Server logs including IP address, browser type, pages visited, and timestamps — anonymized or deleted after 90 days	To diagnose errors, prevent abuse, and understand general usage patterns. We do not build individual user profiles from log data.
Contact submissions	Email address and message content when you submit a bug report or contact form	To respond to your inquiry

We do not collect:

Payment information (OmicsPlot is currently free)
Your OAuth password — we only receive a token from GitHub or Google
Location data beyond IP address
Data from tracking pixels, advertising networks, or third-party analytics

Section 3

How We Use Your Information

We use the information we collect to:

Provide the Service — process your uploaded data, generate plots, and return results to you
Maintain your account — store your saved presets, settings, and figure layouts so they persist across sessions
Communicate with you — respond to support requests, bug reports, and contact form submissions
Improve the Service — understand how OmicsPlot is used in aggregate to prioritize new features and fix problems
Ensure security and prevent abuse — detect and block malicious or excessive requests

We do not use your information to:

Serve you advertisements
Sell or rent your data to third parties
Train AI or machine learning models on your research data
Profile you for marketing purposes
Build individual usage profiles or behavioral records

Future AI features: If OmicsPlot adds AI-assisted features in the future (such as automated threshold suggestions or figure optimization), any such features will process your data ephemerally — solely to generate the requested output — without retaining your data for model training or improvement purposes, unless you explicitly and separately consent to such use. We will update this Privacy Policy before introducing any AI features that involve data retention.

Section 4

Your Uploaded Research Data

This section deserves special attention because it covers your most sensitive information — the research data you upload.

When you upload a file (CSV, TSV, Excel) to OmicsPlot:

The file is transmitted over an encrypted HTTPS connection to our servers
It is processed to generate your requested visualization
It is stored temporarily in a server-side session tied to your browser session
It is automatically and permanently deleted within 24 hours of your session ending, or sooner if you explicitly clear your session

We do not analyze, index, share, copy, or retain your uploaded research data beyond the time needed to generate your output.

Technical isolation: Temporary uploaded files are processed in isolated server-side environments with a unique session identifier. They are not backed up, replicated, or cached beyond the active session. Saved account content (presets, settings) stored in Supabase benefits from Supabase's encryption at rest and in transit. We do not maintain any secondary copies of uploaded research files.

Important limitation: OmicsPlot is not designed or certified for processing protected health information (PHI), personally identifiable information (PII), or data subject to HIPAA, FERPA, ITAR, or similar regulations. Please do not upload patient data, identified clinical datasets, or any data whose processing is subject to regulatory restrictions.

Human-derived data requirement: Any human-derived biological data you upload — including genomic, transcriptomic, proteomic, or other omics data — must be fully de-identified or pseudonymized in accordance with your institution's IRB requirements and applicable law before upload. OmicsPlot is not a HIPAA-covered entity and does not assume any data stewardship obligations under 45 C.F.R. Parts 160 and 164.

Not a medical device: OmicsPlot is a general-purpose data visualization tool. It does not constitute a "medical device" as defined under 21 U.S.C. § 321(h), nor does its use constitute the practice of medicine or the provision of professional healthcare services in any jurisdiction.

Section 5

How We Share Information

We do not sell your personal information. We share information only in the following limited circumstances:

Service providers: We use Supabase (database and authentication infrastructure) to store account data and saved content. Supabase acts as a data processor on our behalf and is contractually prohibited from using your data for other purposes. See Section 6 for details.
Legal requirements: We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers: If OmicsPlot LLC is acquired, merged, or its assets transferred, your information may be transferred as part of that transaction. We will notify you before your information is subject to a different privacy policy.

In all other cases, your information stays with us.

Section 6

Third-Party Services

OmicsPlot uses the following third-party services to operate:

Service	Purpose	Data they receive
Supabase	Database, authentication, and session management	Account info (name, email), saved presets and settings, auth tokens
GitHub OAuth	Optional sign-in method	Only if you choose to sign in with GitHub — they handle authentication and send us your basic profile
Google OAuth	Optional sign-in method	Only if you choose to sign in with Google — they handle authentication and send us your basic profile
Google Fonts	Typography	Your IP address may be logged by Google when fonts are loaded
Resend (built on Amazon SES)	Delivery of contact form submissions to OmicsPlot administrators	When you submit a contact form, the email address you provide and the message content are sent to Resend for delivery to admin@omicsplot.com. Resend processes the message and delivers it; it does not use submissions for its own purposes. Resend's privacy policy: resend.com/legal/privacy-policy

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral tracking services. These are the only subprocessors that receive your personal data — there are no other hidden processors. Our web hosting infrastructure is provided through our cloud hosting provider under equivalent data protection standards. Contact form submissions are delivered via Resend (a transactional email service) directly to OmicsPlot administrators; we do not use third-party email marketing services such as Mailchimp or SendGrid Marketing.

Data processing agreements: We have data processing agreements (DPAs) or equivalent contractual protections in place with our primary subprocessors, requiring them to process personal data only on our instructions, maintain appropriate technical and organizational security measures, and not use your data for their own purposes beyond service delivery. Supabase's DPA is available at supabase.com/legal/dpa.

Each of these services has its own privacy policy. We encourage you to review them: Supabase Privacy Policy, GitHub Privacy Statement, Google Privacy Policy.

Section 7

Cookies & Local Storage

OmicsPlot uses a minimal set of browser storage mechanisms:

Authentication cookie — when you sign in, Supabase sets a secure session cookie to keep you logged in across page loads. This is strictly necessary for authentication and expires when you sign out or after a set period of inactivity.
localStorage — we store your theme preference (light/dark) and whether you have visited the Figure Builder. This is stored entirely in your browser and never sent to our servers.
sessionStorage — we store your current analysis session state (which tools you've loaded) for the duration of your browser session. This is cleared when you close your browser tab.
IndexedDB — Figure Builder panels and slides are stored locally in your browser's IndexedDB. This data never leaves your device unless you explicitly export it. You are responsible for the security of your browser environment, including browser extensions and plugins that may have access to locally stored data. Extensions with broad permissions may be able to read IndexedDB storage.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.

Section 8

Data Retention

Data type	How long we keep it
Uploaded research files (CSV, TSV, Excel)	Deleted within 24 hours of session end, or immediately on session clear
Account information (name, email)	Until you delete your account
Saved presets and settings	Until you delete them or delete your account
Server logs	Up to 90 days for security and debugging purposes
Contact form submissions	Up to 2 years, or until resolved
Figure Builder panels (browser)	Until you clear your browser data or delete them manually — stored locally, not on our servers

When you delete your account, all associated Supabase data — presets, settings, saved sessions — is deleted within 30 days. Server logs may retain your IP address for up to 90 days in anonymized form for security purposes.

Section 9

Security

We take reasonable technical and organizational measures to protect your information, including:

All data in transit is encrypted using HTTPS/TLS
Authentication is handled via industry-standard OAuth 2.0 — we never see your password
Database access is protected by row-level security (RLS) — users can only access their own data
Uploaded files are isolated per-session and automatically deleted within 24 hours
Rate limiting is applied to all endpoints to prevent abuse

Known limitations and risks you should be aware of:

Transmission security: While we use HTTPS/TLS encryption, no method of internet transmission is 100% secure. Data could theoretically be intercepted on compromised networks before reaching our servers. Do not upload data you cannot afford to have intercepted.
Account compromise: If your GitHub or Google account is compromised, an attacker may gain access to your OmicsPlot account. OmicsPlot LLC is not liable for unauthorized access arising from breaches of your OAuth provider or your own device. We strongly recommend enabling two-factor authentication on your GitHub or Google account.
Shared devices: If you use OmicsPlot on a shared, lab, or institutional computer, you are responsible for signing out when finished. OmicsPlot LLC is not liable for unauthorized access by other users of the same device.
Browser-stored data: Figure Builder panels and slides are stored in your browser's local storage (IndexedDB). This data does not leave your device but is accessible to anyone who has access to your browser profile. If your device is compromised, this data may be exposed. OmicsPlot LLC is not responsible for the security of data stored locally in your browser.
Third-party provider security: We rely on Supabase for database and authentication infrastructure. While Supabase maintains industry-standard security practices, a breach of Supabase's systems could affect your account data. We cannot guarantee the absolute security of third-party providers. See their privacy policy at supabase.com/privacy.
Data integrity: Software bugs, database errors, or storage failures may result in loss or corruption of saved presets, settings, or figure layouts. We make no guarantee that saved content will persist indefinitely. We recommend exporting and backing up critical work locally.

Data breach notification: In the event of a security incident that results in unauthorized access to personal information as defined under North Carolina G.S. § 75-65, we will notify affected users in an expeditious manner consistent with applicable law and the legitimate needs of law enforcement. We will notify you by email to the address associated with your account, or by a prominent notice on the OmicsPlot website if individual notification is not practicable. Notification will include a description of the incident, the type of information involved, and steps you can take to protect yourself.

If you discover a security vulnerability in OmicsPlot, please disclose it responsibly by emailing admin@omicsplot.com before public disclosure. We will acknowledge receipt within 5 business days and work to address confirmed vulnerabilities promptly.

Section 10

Your Rights & Choices

You have the following rights with respect to your information:

Access: You can view your saved presets and settings directly in the OmicsPlot interface.
Correction: Your account name and email are managed by your OAuth provider (GitHub or Google). Update them there and they will sync to OmicsPlot.
Deletion: You can delete individual presets and saved content from within the app. To delete your entire account and all associated data, email us at admin@omicsplot.com. We will complete deletion within 30 days.
Portability: Your saved presets are stored as JSON and can be exported on request. Contact us at admin@omicsplot.com.
Opt out of communications: We don't send marketing emails. The only emails we send are in response to your contact form submissions.
Do Not Sell or Share (CCPA): We do not sell, share, or use your personal information for cross-context behavioral advertising. There is nothing to opt out of — this right is already honored by default. California residents may submit a formal request to confirm this at admin@omicsplot.com.

To exercise any of these rights, email admin@omicsplot.com with your request. We will respond within 30 days.

Section 11

Children's Privacy

OmicsPlot is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at admin@omicsplot.com and we will delete it promptly.

OmicsPlot is designed as a research and academic tool and is most appropriate for users 18 and older, or users under 18 who are accessing the Service under the supervision of an educational institution or adult research supervisor. If you are under 18, you represent that you have obtained any required parental or institutional consent to use the Service.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the effective date at the top of this page.

Material changes — defined as new categories of data collected, new purposes for which data is used, new third-party sharing, or material reductions in user rights — will be communicated via: (1) a prominent banner on the OmicsPlot website for at least 14 days, and (2) an email notification to registered users at least 14 days before the changes take effect, where practicable. Non-material changes (such as clarifications or formatting) may be made without specific notice beyond updating the effective date.

Your continued use of OmicsPlot after changes take effect constitutes your acceptance of the revised Privacy Policy.

Section 13

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out:

OmicsPlot LLC
North Carolina, United States
admin@omicsplot.com

We take privacy inquiries seriously and aim to respond within 5 business days.