Carbon

    Legal

    Privacy Policy

    Last updated June 12, 2026

    01

    Introduction

    Applied Research & Computing, Corp. ("we", "us", or "our") operates the Carbon platform ("the Service"), a team-based platform for controlling laboratory instruments, running compute workloads, and collaborating on research with AI assistance. This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have over it. It applies to the Carbon website and application; it does not cover third-party sites or services we link to.

    02

    Information we collect

    Account information

    When you create an account, we collect your name and email address. Carbon's authentication runs within our own application; we do not rely on an external identity provider to hold your account. If you choose to sign in with Google, GitHub, or GitLab, we receive basic profile information (such as your name, email, and avatar) from that provider. If you create an email-and-password account, we store your password only as a salted, hashed value — never in plaintext, and we cannot recover the original.

    Usage data

    We collect information about how you use the Service, including AI token usage, compute hours, storage consumption, and feature interactions. We use this for billing, rate limiting, security, and improving the Service.

    Content

    We store the files, reports, analyses, datasets, instrument profiles, and other content you create within the Service. This content is associated with your team and is accessible to team members according to their roles and permissions.

    Payment information

    Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. We retain Stripe customer and subscription identifiers to manage your billing, and the billing details you submit on our order forms.

    03

    How we use your information

    • Providing, maintaining, and improving the Service
    • Authenticating you and managing access and permissions
    • Processing payments and tracking usage for billing
    • Sending transactional communications (for example, billing receipts and security alerts)
    • Monitoring for abuse, fraud, and security threats
    • Complying with our legal obligations

    04

    Legal bases for processing

    Where the EU/UK GDPR applies, we process personal data under one or more of these legal bases: performance of our contract with you (to provide the Service), our legitimate interests (to secure, maintain, and improve the Service), your consent (where we ask for it), and compliance with legal obligations.

    05

    AI features

    When you use Carbon's AI agent or analysis features, the content needed to fulfil your request — such as your prompt, relevant files, and instrument context — is sent to the configured AI model provider to generate a response. We route model traffic through providers such as Anthropic, OpenAI, and Google (via OpenRouter); teams may instead supply their own provider API keys ("bring your own key"), in which case requests go directly to that provider under your own account. We do not use your content to train our own models.

    06

    Cookies and local storage

    We use the following cookies and browser storage, all of which are essential for the Service to function:

    • Session cookie — maintains your authenticated session
    • Team selection cookie — remembers your active team for navigation
    • Theme preference — stores your light/dark mode choice
    • Local storage — persists UI state such as your active team selection

    We do not use third-party tracking or advertising cookies.

    07

    Service providers

    We share data with a limited set of vendors who process it on our behalf, under contracts that require appropriate safeguards:

    • Stripe — payment processing
    • Amazon Web Services — cloud hosting and infrastructure
    • Neon — managed PostgreSQL database hosting
    • Cloudflare — DNS, content delivery, and network security
    • Sentry — application error and performance monitoring
    • Resend — transactional and notification email delivery
    • AI model providers — Anthropic, OpenAI, and Google (via OpenRouter), to power AI and agent features, unless your team brings its own keys
    • Google, GitHub, GitLab — only if you choose to sign in with that provider

    08

    How we share information

    We do not sell your personal information. We may share data:

    • With your team members — content and activity within a team is visible to other members based on their permissions
    • With service providers — the vendors listed above, acting on our instructions
    • For legal reasons — when required by law, subpoena, or to protect our rights, users, or the public
    • In a business transfer — in connection with a merger, acquisition, or sale of assets, subject to this Policy

    09

    International data transfers

    We operate primarily in the United States, and our infrastructure is hosted there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where we or our service providers operate. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

    10

    Data retention

    We retain your account data for as long as your account is active. Usage events are retained for billing and audit purposes. If you delete your account or team, we will delete the associated data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

    11

    Data security

    We use industry-standard security measures to protect your data, including encryption in transit (TLS), encryption at rest, role-based access controls, and token-based authentication using short-lived, signed credentials. No method of transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security.

    12

    Your rights

    Depending on your jurisdiction, you may have the right to:

    • Access the personal data we hold about you
    • Request correction of inaccurate data
    • Request deletion of your data
    • Export your data in a portable format
    • Object to or restrict certain processing
    • Withdraw consent where processing is based on consent

    If you are in California, the CCPA/CPRA gives you the rights to know, delete, and correct your personal information, and to not be discriminated against for exercising those rights. We do not sell or share personal information as those terms are defined under the CPRA. To exercise any of these rights, contact us at the address below; we will respond within the timeframe required by applicable law.

    13

    Children's privacy

    The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.

    14

    Changes to this policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

    15

    Contact

    If you have questions about this Privacy Policy or wish to exercise your rights, contact us at support@appliedrnc.com.