1. Introduction
AqtaBio is committed to protecting your privacy and operating transparently. This Privacy Policy explains how we collect, use, store, and protect information when you use the AqtaBio platform.
Fundamental principle: AqtaBio is a population-sensing system, not individual surveillance. We process only ecological, environmental, and climate data at population scale. We do not collect, process, or store individual-level health data, medical records, or personally identifiable health information.
2. Information We Collect
2.1 Account Information
When you create an AqtaBio account, we collect:
- Name and email address
- Organisation name and role
- Country and region of operation
- Authentication credentials (managed securely via our email-based authentication service)
2.2 Usage Data
To improve the platform and ensure responsible use, we log:
- Tiles viewed, risk scores accessed, and time spent on the platform
- Scenario Explorer queries and parameter adjustments
- Export requests and data downloads
- SHAP explanation views and governance badge interactions
- Technical data: IP address, browser type, device type, session duration
2.3 Audit Logs (Governance Layer)
Every prediction generated by AqtaBio is logged with:
- Model version and SHA-256 hash
- Feature hash and data freshness timestamp
- Tile coordinates, risk score, and confidence interval
- User ID and timestamp of access
- Human-in-the-loop sign-off status (for top 1% risk tiles)
These logs are retained for accountability, bias monitoring, and model performance auditing. They do not contain individual health data.
3. What We Do NOT Collect
AqtaBio is explicitly designed to avoid individual-level surveillance. We do not collect, process, or store:
- Individual health records, medical histories, or diagnostic data
- Patient names, addresses, or contact details
- Case reports or outbreak notifications containing individual identifiers
- Genomic, biometric, or biological samples
- Real-time location tracking or mobility data of individuals
- Social media content, communications, or behavioural profiles
All data processed by AqtaBio is aggregated at the population level (25 km grid tiles) and derived from publicly available ecological, environmental, and climate datasets.
4. How We Use Information
We use collected information for the following purposes:
- Service Delivery: Generate risk predictions, SHAP explanations, confidence bands, and comparable tile analysis
- Governance and Accountability: Maintain audit trails, enforce human-in-the-loop workflows, and monitor for bias
- Platform Improvement: Analyse usage patterns to enhance usability, accuracy, and performance
- Security: Detect and prevent unauthorised access, abuse, or security incidents
- Communication: Send service updates, maintenance notifications, and pilot feedback requests
- Research and Validation: Evaluate model performance against historical spillover events (anonymised, aggregated data only)
5. Ecological Data Sources
AqtaBio fuses data from 15+ publicly available One Health sources. These are population-level, environmental datasets with no individual identifiers:
- Wildlife: IUCN Red List species range maps, G-ZOD spillover event database
- Land Use: MODIS land cover, Hansen Global Forest Change, SEDAC anthromes
- Climate: ERA5 temperature, precipitation, humidity anomalies
- Population: WorldPop gridded population density (aggregated, no individuals)
- Livestock: FAO Gridded Livestock of the World (GLW4)
- Conflict: ACLED event counts (aggregated by tile)
- Infrastructure: OpenStreetMap road density (no individual routes)
Some data may be synthetic or historical. Live integration with WHO GOARN, CIFOR, NASA LP DAAC, FAO EMPRES-i, and ECDC is planned subject to partnership agreements.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your information. We may share data in the following limited circumstances:
- Partner Organisations: Aggregated usage statistics and feedback may be shared with partner organisations
- Service Providers: Authentication, hosting (cloud infrastructure within the EEA where possible), and analytics providers under strict data processing agreements
- Legal Obligations: If required by law, court order, or regulatory authority
- Research Collaboration: Anonymised, aggregated usage data may be shared with academic partners for validation studies (no individual identifiers)
Risk predictions and SHAP explanations remain within your organisation unless you choose to export or share them.
7. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for administrator accounts
- Regular security audits and penetration testing
- Model SHA verification to prevent unauthorised model deployment
- Audit logging with tamper-evident timestamps
While we take security seriously, no system is completely secure. If you become aware of a security vulnerability, please report it to security@aqtabio.org.
8. Data Retention
We retain data for the following periods:
- Account Information: Retained whilst your account is active, plus 12 months after closure for audit purposes
- Audit Logs: Retained for 7 years to support governance, bias monitoring, and model validation
- Usage Data: Aggregated and anonymised after 24 months; individual session data deleted after 12 months
- Risk Predictions: Historical predictions retained indefinitely for model validation and comparable tile analysis (no personal data)
You may request deletion of your account and associated data at any time, subject to legal retention requirements.
9. Your Rights (EU GDPR)
Under the European Union General Data Protection Regulation (EU GDPR), you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your data (subject to legal retention requirements)
- Right to Restriction: Limit how we process your data in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for processing at any time
To exercise these rights, contact privacy@aqtabio.org. We will respond within 30 days.
10. International Data Transfers
AqtaBio platform infrastructure is hosted within the European Economic Area (EEA) where possible (e.g. AWS eu-west-1, Ireland). When transferring data outside the EEA, we ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by relevant data protection authorities
- Adequacy decisions recognising equivalent data protection standards
- Binding Corporate Rules (BCRs) where applicable
11. Cookies and Tracking
AqtaBio uses minimal cookies and tracking technologies:
- Essential Cookies: Authentication session management
- Functional Cookies: User preferences (map view, pathogen selection)
- Analytics: Aggregated usage statistics (no third-party advertising trackers)
You can manage cookie preferences in your browser settings. Disabling essential cookies may affect platform functionality.
12. Children's Privacy
AqtaBio is designed for professional use by public health agencies, epidemiologists, and researchers. We do not knowingly collect information from individuals under 18 years of age. If you believe a child has provided us with personal data, please contact privacy@aqtabio.org.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or platform capabilities. Material changes will be communicated via email at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact and Complaints
For privacy-related questions, data subject access requests, or complaints, please contact:
Data Protection Officer
A Data Protection Officer has been designated. Enquiries may be sent to the address below.
Email: privacy@aqtabio.org
Security issues: security@aqtabio.org