Privacy Policy
1. Introduction
This Privacy Policy describes how Improbability Works, LLC ("we," "us," or "our") collects, uses, stores, and protects information through the OpenCryo platform ("Platform"), including the hosted cloud service at opencryo.io ("OpenCryo Cloud"), associated APIs, mobile applications, and organization sales and client portals. It applies to all users of the Platform, including organization administrators, staff users, client portal users, and visitors to our public websites.
OpenCryo is a cryogenic specimen chain-of-custody management platform. The nature of the data we handle requires careful attention to privacy and security. We take that responsibility seriously.
2. Information We Collect
2.1 Organization Account Data
When an organization registers for OpenCryo Cloud, we collect information necessary to establish and maintain the account: organization name, billing contact information, administrator names and email addresses, and payment details processed through our payment providers.
2.2 User Account Data
Individual users within an organization are identified by name and email address. Authentication credentials (passkey public keys and magic link tokens) are stored to enable secure access. We do not collect or store passwords.
2.3 Specimen and Operational Data
Organizations use the Platform to track cryogenic specimens, storage locations, chain-of-custody events, and related operational workflows. This data is entered and managed by the organization and its authorized users. Depending on the organization's use case, this data may include protected health information ("PHI") as defined by the Health Insurance Portability and Accountability Act ("HIPAA").
2.4 Client Portal Data
When individuals interact with an organization's sales or client portal hosted on the Platform, we collect the information submitted through those forms: name, contact details, and any additional information the organization's portal is configured to request. Agreement signatures, including the signer's typed name, timestamp, and IP address, are captured and stored.
2.5 Payment Information
We do not directly collect or store credit card numbers, bank account numbers, or other financial instrument details. All payment processing is handled by third-party providers (Stripe, Revolut, and Authorize.net). We store only transaction references, payment status, and amounts necessary to reconcile orders within the Platform.
2.6 Technical and Usage Data
Our servers automatically record certain technical information when you access the Platform: IP addresses, browser type, and request timestamps. This information is retained in server logs for security and operational purposes. We do not currently deploy analytics tracking, advertising pixels, or third-party behavioral monitoring tools on the Platform.
2.7 Google Account Data
Organizations may connect a Google Workspace account to enable authenticated email delivery through Gmail's SMTP service. When an organization completes this integration, we receive and securely store an OAuth2 refresh token that permits the Platform to send transactional emails on behalf of the organization's configured sender address. We do not access, read, or store the contents of any Gmail mailbox. The sole scope of this integration is outbound email delivery.
3. How We Use Information
We use collected information for the following purposes: operating and maintaining the Platform; authenticating users and enforcing access controls; processing transactions and fulfilling orders; sending transactional communications (magic link emails, order confirmations, account invitations); generating audit trails for chain-of-custody compliance; providing customer support; and improving Platform reliability and security.
We do not sell, rent, or trade personal information to third parties. We do not use personal information for advertising or marketing purposes unrelated to the Platform.
4. Legal Bases for Processing
For users in jurisdictions that require a legal basis for processing personal data (including the European Economic Area and United Kingdom under the General Data Protection Regulation), we process personal data on the following bases: performance of a contract (operating the Platform for subscribing organizations and their users); legitimate interests (maintaining security, preventing fraud, improving the Platform); compliance with legal obligations; and consent where specifically obtained.
5. Data Sharing and Subprocessors
We share data with third parties only as necessary to operate the Platform. Our current subprocessors are:
Hosting and Infrastructure. RackNerd provides the virtual private server infrastructure where the Platform operates. Servers are located in the United States.
Email Delivery. Amazon Web Services Simple Email Service (AWS SES) handles outbound transactional email delivery. Organizations may also configure their own SMTP providers, including Google Workspace Gmail via OAuth2 integration.
Payment Processing. Stripe, Revolut, and Authorize.net process payments on behalf of organizations using the Platform's portal payment features. Each payment provider receives only the transaction data necessary to process the payment.
SSL Certificates. Let's Encrypt provides automated SSL certificate issuance and renewal.
Typography. Google Fonts serves web font files to portal pages. This results in the requesting user's IP address being transmitted to Google's servers. No cookies or tracking identifiers are set by this service.
We may also disclose information when required by law, regulation, or legal process, or to protect the rights, safety, or property of our users or the public.
6. Data Storage and Security
All Platform data is stored on servers located in the United States. Data is encrypted in transit using TLS 1.2 or higher. Sensitive credentials (SMTP passwords, payment provider API keys, OAuth tokens) are encrypted at rest using AES-256-GCM before storage.
Access to the Platform is controlled through passkey-based authentication (WebAuthn) and magic link email verification. Role-based access controls restrict what authenticated users can see and do within their organization. Row-level security policies at the database layer provide an additional enforcement boundary.
We maintain regular database backups for disaster recovery purposes.
7. Data Retention
Organization data is retained for the duration of the organization's active subscription. Specimen tracking data, chain-of-custody audit events, and signed agreements are retained indefinitely while the organization's account is active, consistent with the long-term nature of cryogenic specimen storage and healthcare record-keeping obligations.
When an organization terminates its subscription, the organization will have a 30-day transition period during which administrative users may log in and export their data. After this transition period, the organization's account will be deactivated. Active operational functionality (creating orders, scanning specimens, configuring portals) will be disabled at the start of the transition period; only data access and export capabilities will remain available.
Deactivated organization data will be retained in archived form for a minimum of seven years to satisfy healthcare record retention requirements, after which it may be permanently deleted. Organizations requiring earlier deletion of non-regulated data may submit a written request.
Audit log entries are immutable and retained for a minimum of seven years regardless of organization account status.
8. HIPAA
For organizations that are covered entities or business associates under HIPAA, Improbability Works, LLC will execute a Business Associate Agreement ("BAA") governing the handling of PHI within OpenCryo Cloud. The BAA is available upon request and must be executed before any PHI is stored on the Platform.
The Platform's architecture includes technical safeguards relevant to HIPAA compliance: role-based access controls with configurable PHI access, audit logging of all data access and modifications, encryption of data in transit and sensitive data at rest, and user authentication without shared credentials. These technical controls support but do not independently constitute HIPAA compliance; organizational policies and the executed BAA together with these controls form the compliance framework.
Self-hosted OpenCryo instances operate outside the scope of our BAA. Organizations that self-host are responsible for their own HIPAA compliance.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data: the right to access the personal data we hold about you; the right to correct inaccurate data; the right to request deletion of your data (subject to legal retention requirements); the right to restrict or object to certain processing; and the right to data portability.
Client portal users should direct data access and deletion requests to the organization through which they submitted their information, as that organization is the data controller for the information collected through its portal.
Organization administrators may export their organization's data through the Platform's export functionality or by contacting us directly.
To exercise any of these rights, contact us using the information in Section 13.
10. International Data Transfers
The Platform is hosted in the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States. We rely on the necessity of transfer for the performance of a contract between you (or your organization) and us as the legal basis for such transfers.
11. Children
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify organization administrators via email. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy or our data handling practices, or to exercise your privacy rights, contact:
Improbability Works, LLC
Email: privacy@opencryo.io