Privacy Policy
Last updated: March 19, 2026
This Privacy Policy explains how FluxMateria Labs S.r.l.s. – Socio unico, with registered office at Via Regione Su Pinu 2, 07020 Monti (SS), Italy, P.IVA 03066670906, REA SS-226916, share capital € 200,00 i.v. (“FluxMateria,” “we,” “us,” or “our”), collects, uses, shares, and protects personal data in connection with our website, public demos, platform, APIs, and related services.
This Policy is provided in accordance with Regulation (EU) 2016/679 (“GDPR”), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (the “Codice Privacy”), and applicable ePrivacy and cookie rules.
Contents:
- Who We Are
- Scope
- Personal Data We Collect
- How We Use Personal Data
- What We Do Not Do
- Legal Bases for Processing
- Cookies, Analytics, and Similar Technologies
- Public Demo Logging and Rate Limiting
- Sharing of Personal Data
- Sub-Processors / Service Providers
- International Transfers
- Data Retention
- Security
- Data Breach Response
- Your Rights
- Marketing Communications
- AI and Automated Decision-Making
- Children
- Changes to This Policy
- Contact and Complaints
1. Who We Are
FluxMateria is the data controller for the personal data described in this Policy, unless a separate agreement states otherwise.
Data Protection Contact — FluxMateria Labs S.r.l.s.
Email: privacy@fluxmateria.com
FluxMateria is not currently required to appoint a Data Protection Officer under Article 37 GDPR.
2. Scope
This Policy applies to personal data processed in connection with:
- visits to the public website;
- use of public demos;
- account registration and administration;
- pilot, subscription, and enterprise services;
- business inquiries, support, and communications;
- newsletters, events, and marketing where applicable.
FluxMateria is a B2B-only platform for paid and production use. However, members of the public may visit the website and may use public demos where made available. This Policy therefore applies both to professional users and to public website/demo visitors.
3. Personal Data We Collect
3.1 Data You Provide Directly
Depending on how you interact with us, we may collect:
- name;
- business email address or other contact email;
- company, organization, institution, or employer name;
- job title or role;
- phone number, if provided;
- billing name, billing address, VAT number, and related invoicing details;
- credentials and account information;
- support messages, inquiries, feedback, and correspondence;
- newsletter or event registration details;
- scientific or technical inputs submitted to the Services, to the extent those inputs contain personal data.
3.2 Scientific and Technical Inputs
When using the Services, including demos, pilots, or platform features, you may submit:
- molecular structures, formulas, compounds, SMILES, InChI, SDF files, or similar scientific inputs;
- materials compositions and parameters;
- workflow inputs, query parameters, and model settings;
- datasets uploaded by or on behalf of your organization.
These inputs are usually not personal data, but they may be personal data if you include personal identifiers or other information relating to an identified or identifiable person. You are responsible for ensuring that you have a lawful basis to submit any personal data to the Services.
Please do not submit patient data, special-category personal data, or other highly sensitive personal data unless expressly authorized under a separate written agreement and appropriate safeguards.
3.3 Data Collected Automatically
When you visit the website or use the Services, we may automatically collect:
- IP address;
- approximate geolocation inferred from IP;
- browser type and version;
- operating system and device data;
- referring URLs and navigation paths;
- pages viewed and time spent;
- timestamps and access logs;
- service usage data, diagnostics, error logs, and performance metrics;
- API request metadata and similar operational logs.
3.4 Public Demo Data
When you use a public demo, we may collect and process:
- IP address;
- timestamp;
- request metadata;
- anti-abuse and rate-limit signals;
- input data submitted to the demo;
- generated output data.
We process this information to provide the demo, protect the service against abuse, investigate misuse, maintain service security, and understand demo usage at an aggregate level. Public demo use is not anonymous.
3.5 Data From Third Parties
We may receive limited personal data from third parties such as:
- payment processors;
- analytics providers;
- cloud and infrastructure providers;
- email and communications providers;
- referral partners or public business sources;
- authentication providers, where applicable.
4. How We Use Personal Data
We use personal data to:
- provide, operate, maintain, and secure the website and Services;
- create and manage accounts;
- authenticate users and administer subscriptions or pilots;
- process transactions and invoices;
- respond to support requests and business inquiries;
- provide scientific outputs requested by users;
- detect, prevent, and investigate fraud, abuse, misuse, and security incidents;
- monitor performance, reliability, and service quality;
- improve the website and Services;
- communicate service notices, updates, and administrative messages;
- send marketing communications where consent is required and has been obtained;
- comply with legal, regulatory, accounting, tax, and contractual obligations;
- establish, exercise, or defend legal claims.
5. What We Do Not Do
- We do not sell personal data.
- We do not use a Customer’s proprietary molecular, material, or scientific data to train, fine-tune, or improve any machine-learning model. FluxMateria’s computational engine is rules-based and physics-driven — no user-submitted scientific data is used for machine learning of any kind.
- We do not publicly disclose Customer confidential scientific inputs or outputs in identifiable form without authorization.
- We do not use personal data for unrelated purposes incompatible with the purposes described in this Policy.
6. Legal Bases for Processing
Where GDPR applies, we process personal data on one or more of the following legal bases under Article 6(1) GDPR. Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
6.1 Contract (Art. 6(1)(b))
We process personal data as necessary to take steps prior to entering into a contract or to perform a contract, including to:
- create and administer accounts;
- provide pilots, subscriptions, and enterprise services;
- authenticate users;
- provide requested outputs;
- manage billing and invoicing;
- provide support tied to the contracted Services.
6.2 Legitimate Interests (Art. 6(1)(f))
We process personal data where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. These interests include:
- securing the website, demos, and platform;
- preventing abuse, fraud, misuse, and unauthorized access;
- enforcing usage limits and protecting service integrity;
- maintaining logs necessary for troubleshooting and incident response;
- monitoring performance, reliability, and quality;
- improving our website, products, and user experience using non-cookie operational data;
- conducting internal reporting and aggregated usage analysis;
- managing ordinary business communications with prospective and current business contacts;
- establishing, exercising, or defending legal claims.
6.3 Consent (Art. 6(1)(a))
We rely on consent where required by law, including for:
- non-essential analytics cookies or similar tracking technologies on the website;
- marketing emails or newsletters where consent is required.
Where processing is based on consent, you may withdraw consent at any time (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6.4 Withdrawing Consent
To withdraw consent for consent-based processing:
- Analytics cookies: Use our cookie preference center or adjust your browser settings.
- Marketing communications: Click the unsubscribe link in any email, or contact us directly.
Note: The demo gate (fm_demo_terms_accepted) records your acknowledgment of the applicable legal notices; demo security logging itself is processed under legitimate interests (Section 6.2), not consent. If you wish to exercise your right to object to legitimate-interest processing or request erasure of demo logs, see Section 15.
6.5 Legal Obligation (Art. 6(1)(c))
We process personal data where necessary to comply with legal obligations, including accounting, tax, corporate, regulatory, law-enforcement, and data-protection obligations.
7. Cookies, Analytics, and Similar Technologies
This section is provided in accordance with Art. 122 of the Codice Privacy (D.Lgs. 196/2003) and the Garante’s Guidelines on cookies and similar tracking technologies (Provvedimento del 10 giugno 2021, n. 231).
7.1 Strictly Necessary Technologies
We use certain cookies and local-storage items that are strictly necessary for the website or Services to function. These do not require consent where exempt under applicable law.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| __cflb, __cf_bm | Cloudflare | Bot management, load balancing, DDoS protection | Session / 30 min |
| fm_session | FluxMateria | User authentication session | Session |
| fm_consent | FluxMateria | Stores cookie consent preferences | 12 months |
| fm_demo_terms_accepted (localStorage) | FluxMateria | Records acceptance of the Terms of Service and acknowledgment of the Privacy Policy for demo access | Persistent (until cleared) |
7.2 Analytics
Analytics cookies are classified as profiling cookies under the Garante’s guidelines and are only set after you give explicit consent via our cookie banner.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics | Distinguish unique users, track page views and navigation | 2 years |
Analytics data helps us understand how visitors use the website, improve performance, and evaluate website effectiveness.
7.3 Managing Cookies
You may manage cookie preferences through:
- our cookie preference center, where available;
- your browser settings;
- applicable provider opt-out tools.
Blocking strictly necessary technologies may affect website functionality.
7.4 Do Not Track
Some browsers offer a “Do Not Track” feature. There is currently no industry-wide standard for how websites should respond to DNT signals. Non-essential tracking on our website (analytics cookies) is already gated behind explicit consent and is not set unless you opt in.
8. Public Demo Logging and Rate Limiting
Public demos are protected by technical and organizational measures designed to prevent abuse and maintain availability.
For these purposes, we log information such as IP address, timestamp, request metadata, and related anti-abuse signals. We process this information on the basis of our legitimate interests in maintaining platform security, preventing abuse, enforcing fair-usage limits, and protecting infrastructure.
This processing is separate from cookie-based website analytics.
9. Sharing of Personal Data
We may share personal data with trusted service providers and recipients where necessary for the purposes described in this Policy, including:
- cloud hosting and infrastructure providers;
- content delivery, DNS, and security providers;
- payment processors and billing providers;
- analytics providers, where consent has been obtained if required;
- communications, support, and email-delivery providers;
- professional advisers, auditors, insurers, and legal counsel;
- competent authorities, regulators, law enforcement, or courts where required.
We do not sell personal data to data brokers.
10. Sub-Processors / Service Providers
Depending on the Services used, we may use providers such as:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, DNS, website delivery | US (DPF certified; SCCs in place) |
| Amazon Web Services EMEA (AWS) | Hosting, compute, storage, database infrastructure | EU (eu-west-1, Ireland) |
| Stripe Technology Europe, Ltd. | Payment processing, billing, invoicing | Ireland (EU); card network data may transit US (SCCs in place) |
| Google LLC (Google Analytics) | Website usage analytics (consent required) | US (DPF certified; SCCs in place) |
We use appropriate contractual and technical safeguards with all service providers, including Data Processing Agreements under Art. 28 GDPR. We will update this table as sub-processors change and will make reasonable efforts to communicate significant changes to registered users in advance.
11. International Transfers
FluxMateria is based in Italy, and core infrastructure is operated primarily within the European Economic Area (AWS eu-west-1, Ireland).
Where personal data is transferred outside the EEA, we rely on appropriate transfer mechanisms under Chapter V GDPR (Art. 44–49), including:
- EU–US Data Privacy Framework: Where the US-based sub-processor is certified under the EU–US Data Privacy Framework (adequacy decision of 10 July 2023, Commission Implementing Decision (EU) 2023/1795). Both Cloudflare and Google are currently certified participants.
- Standard Contractual Clauses (SCCs): Approved by the European Commission (Implementing Decision (EU) 2021/914), executed with each US-based sub-processor as a supplementary safeguard.
- Adequacy decisions: Where applicable for non-US transfers.
- Supplementary technical measures: Encryption in transit and at rest, in line with EDPB Recommendations 01/2020 on supplementary transfer tools.
A copy of the relevant safeguards, including executed SCCs, may be obtained by contacting privacy@fluxmateria.com.
12. Data Retention
In accordance with the data minimisation principle (Art. 5(1)(e) GDPR), we retain personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law. When data is no longer needed, it is securely deleted or anonymised.
Typical retention periods include:
| Data Type | Retention Period |
|---|---|
| Account and business contact data | Duration of account or business relationship + 30 days |
| Public demo IP logs and anti-abuse logs | Generally up to 90 days, unless longer retention is necessary for security investigations or legal claims |
| Support and business correspondence | Typically up to 3 years, unless longer retention is needed for contractual or legal matters |
| Billing, invoicing, and accounting records | As required by applicable Italian tax and accounting law (Art. 2220 c.c.) |
| Marketing-consent records | As long as needed to demonstrate consent and manage opt-outs |
| Scientific inputs and outputs | Per applicable service tier, Order, or deletion request, subject to legal retention obligations |
| Analytics data | 26 months |
We may retain data longer where necessary to establish, exercise, or defend legal claims, investigate abuse, comply with law, or preserve evidence. You may request earlier deletion of your data (except where retention is legally required).
13. Security
We implement reasonable technical and organizational measures designed to protect personal data, including measures relating to:
- encryption in transit;
- access controls;
- account security;
- infrastructure monitoring;
- logging and incident response;
- backup and recovery;
- least-privilege access practices.
For complete details, see our Security page. No system is completely secure, and we cannot guarantee absolute security.
14. Data Breach Response
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (Garante per la protezione dei dati personali) without undue delay and, where feasible, within 72 hours after becoming aware of it, in accordance with Art. 33 GDPR.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, in accordance with Art. 34 GDPR.
15. Your Rights
Where GDPR or similar laws apply, you may have the following rights. These rights are not absolute and may be subject to legal exceptions.
- Access (Art. 15): Request a copy of your personal data and information about how it is processed.
- Rectification (Art. 16): Update inaccurate or incomplete personal data.
- Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Restriction (Art. 18): Request that we limit processing while a dispute or verification is resolved.
- Data portability (Art. 20): Receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), and have it transmitted directly to another controller where technically feasible.
- Object to processing (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Object to direct marketing (Art. 21(2)): You have an absolute right to object to processing for direct marketing purposes at any time, and we will cease such processing without delay.
- Withdraw consent (Art. 7(3)): Withdraw previously given consent at any time. See Section 6.4 for specific withdrawal mechanisms.
- Lodge complaint: File a complaint with your local supervisory authority (see Section 20 for the competent Italian authority).
15.1 How to Exercise Your Rights
To exercise any of these rights, contact: privacy@fluxmateria.com
We will respond within one month of receiving your request (Art. 12(3) GDPR). For complex or numerous requests, this period may be extended by a further two months; we will inform you of any extension and the reasons for the delay within the first month. We may need to verify your identity before fulfilling a request. All requests are handled free of charge, unless they are manifestly unfounded or excessive (Art. 12(5) GDPR).
16. Marketing Communications
Where required by law, we send marketing emails only with appropriate consent. You may opt out at any time by using the unsubscribe link in the email or by contacting us.
Administrative, legal, billing, support, and service messages are not marketing communications.
17. AI and Automated Decision-Making
FluxMateria does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you, as defined under Art. 22 GDPR. Our computational chemistry predictions are scientific tools used by you at your discretion and do not constitute automated decisions about individuals.
With respect to Regulation (EU) 2024/1689 (the EU AI Act): FluxMateria’s computational engine is a deterministic, physics-based system — not a machine-learning model. It does not learn from, train on, or adapt to user data. The Services do not constitute a high-risk AI system and are provided as scientific research and screening tools. No AI-generated profiling of individuals is performed.
18. Children
Our Services are not directed to children, and we do not knowingly collect personal data from individuals under 16 years of age in connection with the Services. If we learn that we have collected information from a child, we will delete it promptly.
19. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and may also provide additional notice, such as by posting a website notice or emailing registered users where appropriate.
Where a change requires new consent under applicable law, we will request that consent.
20. Contact and Complaints
FluxMateria Labs S.r.l.s. – Socio unico
Registered office: Via Regione Su Pinu 2, 07020 Monti (SS), Italy
P.IVA 03066670906 | REA SS-226916 | Share capital € 200,00 i.v.
Privacy: privacy@fluxmateria.com
General: contact@fluxmateria.com
For EEA users, you may also contact your local data protection authority. The competent Italian authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).