Privacy Policy
Last updated: July 1, 2026
Provenza is an agentic lab notebook for wet-lab research. This policy explains what we collect, why, and what control you have over your data. We wrote it in plain English because the people who use Provenza care about accuracy, and so do we.
Provenza is software. It records and structures your research. It does not run a wet lab, and it is not a party to your experiments.
If anything here is unclear, email us at privacy@provenza.bio.
What we collect
We collect three kinds of information.
Account information. Your name, work email, organization, role, and password (stored as a hash, never in plain text). If you sign in through your organization's identity provider, we receive the identity details that provider sends us.
Research and experiment content. This is the core of what you put into Provenza: protocols you log by voice or text, steps, reagents and lot numbers, conditions, results, deviations, versions, and any notes, files, or attachments you add. Voice capture is transcribed to text; we keep the transcript and, if you allow it, the short audio clip so you can re-check the transcription.
Usage and telemetry. Basic technical data about how the product runs: pages and features used, timestamps, device and browser type, IP address, and error logs. We use this to keep the service working and to fix problems. We do not sell it.
We do not ask for and do not want special-category personal data (for example patient health records or human-subject identifiers). Provenza is built for bench science, not clinical data. Please do not enter identifiable patient information.
How we use your information
We use your data to:
- Run the service: store your protocols, version every change, detect deviations across runs, and compute a reproducibility score per experiment.
- Authenticate you and keep your account secure.
- Provide support when you ask for it.
- Send you account and service messages (billing, security notices, material changes to this policy). You can opt out of product marketing separately.
- Diagnose bugs, monitor reliability, and improve the product using aggregated usage patterns.
We do not use your account or usage data for advertising, and we do not run third-party ad trackers.
Your research content is yours
You own the protocols and experiment content you enter. We act as a custodian of it, not an owner.
We do not use your research or experiment content to train shared or third-party AI models without your explicit opt-in. By default, your protocols, reagents, results, and deviations stay inside your account and are used only to deliver Provenza's features to you.
Some features (structuring a protocol into steps, transcribing voice, flagging deviations) run your content through automated models to produce your output. That processing happens to serve you and produces results only you and your team see. It does not add your data to a shared training set.
If we ever offer a program where your data helps improve models used across customers, it will be opt-in, described plainly, and reversible. Opting out never reduces the features you already pay for.
Data storage and security
We encrypt your data in transit (TLS) and at rest (AES-256).
Access to production systems is limited to a small number of trained staff, gated by role-based access controls and multi-factor authentication, and logged. Engineers do not browse customer content; access to your data happens only to operate the service, fix a specific issue you have reported, or meet a legal requirement.
Org-plan customers can enforce single sign-on (SSO) through their identity provider and get an audit log of access and changes. An on-prem deployment option is available for Org customers who need data to stay inside their own infrastructure.
No system is perfectly secure, but we design, review, and test Provenza to keep the risk low, and we will notify affected customers promptly if a breach affects their data.
Sub-processors
We use a small set of vetted third-party providers to run Provenza: cloud hosting and storage, database and backup infrastructure, error monitoring, email delivery, and payment processing. These sub-processors act on our instructions, are bound by contract to protect your data, and may only use it to provide their service to us.
We keep a current list of sub-processors available on request at privacy@provenza.bio, and Org customers can receive advance notice of material changes to that list.
Data retention and deletion
We keep your account and research content for as long as your account is active, so your version history stays intact and your experiments remain rerunnable.
When you delete an experiment, it is removed from your active workspace immediately and purged from our systems, including backups, within 30 days.
When you close your account, we delete your content within 30 days, except where we must keep limited records (for example billing history) to meet legal or accounting obligations. Backups roll off on a fixed cycle, so residual copies are fully gone within 90 days.
You can ask us to delete your data sooner. See "Your rights" below.
Your rights
Wherever you are, you can:
- Access the personal data we hold about you.
- Export your protocols and experiment content in a portable format, plus export to ELN and common regulatory formats.
- Correct account information that is wrong.
- Delete your data or close your account.
To exercise any of these, email privacy@provenza.bio. We verify the request and respond within 30 days. We will not charge you or degrade your service for exercising these rights.
Regional notes
GDPR and UK. If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights to access, correct, delete, restrict, and object to processing of your personal data, and to data portability. For account and content data you provide, Provenza acts as processor and you (or your organization) are the controller; for account administration and telemetry, we act as controller. Our lawful bases are performance of our contract with you, our legitimate interest in running and securing the service, and your consent where required. If we transfer data outside your region, we rely on Standard Contractual Clauses or an equivalent safeguard. You may lodge a complaint with your local data protection authority.
California (CCPA/CPRA). If you are a California resident, you can request the categories and specific pieces of personal information we hold, request deletion, and correct inaccurate information. We do not sell your personal information and we do not share it for cross-context behavioral advertising. We will not discriminate against you for exercising these rights.
To use any regional right, contact privacy@provenza.bio.
Children
Provenza is a professional research tool. It is not directed to anyone under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has given us data, email privacy@provenza.bio and we will delete it.
Changes to this policy
If we make a material change, we will notify account owners by email and update the date at the top before the change takes effect. Continued use after that date means you accept the updated policy.
Contact
Questions, requests, or concerns about privacy:
privacy@provenza.bio Provenza, provenza.bio