Privacy Policy — 37degrees, Inc.

Privacy Policy

Last updated:

This Privacy Notice for 37degrees, Inc. ("we," "us," or "our") describes how and why we access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

  • Visit our website at https://www.37degrees.io or any website of ours that links to this Privacy Notice;
  • Download and use our mobile or desktop applications that link to this Privacy Notice (our product is marketed as 37degrees and implemented as Omeos; it may also be referred to as CultureApp in some materials);
  • Use Omeos, a mobile and web platform to connect 37degrees hardware, stream and manage image and video (and related scientific) data, run cloud workflows, collaborate, and use visualization and analysis features;
  • Engage with us in other related ways, including sales, marketing, or events.

We are responsible for decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. Questions: team@37-degrees.com.

Summary of key points

This summary highlights key topics; read the full notice for details.

  • What personal information do we process? It depends on how you use the Services. See What information do we collect?
  • Sensitive categories. We do not ask you for special categories of data (such as racial or ethnic origin, health data, or biometric data used to identify you). Content you upload (for example microscopy images or recordings) is processed as your content to provide the Services; do not upload unlawful or unnecessary sensitive information. See Sensitive information.
  • Third parties. We do not buy marketing lists or aggregate data brokers for profiling. We do use service providers (for example cloud hosting, email delivery, payments, subscription metering, and AI inference) that process information on our instructions. See When and with whom we share.
  • Why we process data. To run and secure the Services, bill and meter usage where applicable, support you, improve the product, and comply with law. See How we process.
  • Your rights. Vary by region. See Privacy rights and U.S. state rights.
  • How to exercise rights. https://www.37degrees.io/contactus or team@37-degrees.com.

Table of contents

  1. What information do we collect?
  2. How do we process your information?
  3. Legal bases (EEA/UK)
  4. When and with whom we share personal information
  5. Cookies and similar technologies
  6. How long we keep information
  7. Minors
  8. Your privacy rights
  9. Do-not-track
  10. U.S. state privacy rights
  11. Updates to this notice
  12. Contact
  13. Review, update, or delete data

1. What information do we collect?

Personal information you provide

In short: We collect information you voluntarily provide when you register, use the Services, or contact us.

Examples include:

  • Account and identity: email address, first and last name, username;
  • Credentials: password — stored as a one-way hash; we do not store your password in plain text;
  • Professional profile (optional): institution, organization, department, job title, research or scientific field category;
  • Contact: phone number if you add it;
  • Profile: profile photo (typically as a URL we store), biography text, and profile visibility settings;
  • Preferences: notification and similar preferences;
  • Support and communications: information you include in tickets, emails, or calls. When you submit feedback or bug reports through the app, your name, email, platform details, and any attached screenshots may be included.

Billing. Payments and payment methods may be collected by our payment processor (Stripe) when you add a card or complete billing flows. We may receive identifiers and status from Stripe/Lago (for example customer IDs, subscription state) rather than full card numbers. Billing or mailing addresses are collected only if you or the payment flow provide them to our processors.

Content, devices, and IoT data

To provide Omeos, we process your content that you upload, sync, or generate in the Services, such as files, folders, images, videos, audio recordings, documents, experiment metadata, and outputs from analysis or collaboration features. We also process device and connectivity data needed to pair and operate 37degrees hardware (for example device serial numbers, MAC addresses, sensor telemetry such as temperature, humidity, and CO2 readings, firmware versions, and connectivity state). Device data is transmitted over Bluetooth Low Energy (BLE) when in local mode and via AWS IoT Core (MQTT) when in cloud mode.

Messaging and collaboration data

The Services include direct and group messaging. When you send messages, we store the message content, file attachments, delivery and read timestamps, and related metadata. We also store your connections (contact relationships) and group memberships. If you invite someone to connect by email, we store the invitee's email address, name, and invitation status.

Presence and activity

When you are signed in, the Services may broadcast your online/offline status and last-seen timestamp to users you are connected with, to support real-time collaboration features. This data is stored on your account record.

Information collected automatically

In short: We collect certain technical and usage data automatically.

This may include IP address, approximate location derived from IP, browser and device type, operating system, diagnostic and performance data, log and usage data (such as timestamps, actions in the Services, and error reports), session identifiers, and similar data needed to secure and operate the Services. Each authenticated session also records the IP address, user-agent string, and client metadata (operating system, browser version, app version) for security purposes such as detecting unauthorized access.

Mobile and desktop apps. We may request access to capabilities such as Bluetooth (to discover and connect to devices), microphone (if you record audio messages or attachments), local network (for local device connectivity), storage, and similar features, depending on the platform. Our core mobile experience is not designed to continuously track precise GPS location; if we introduce location-dependent features, we will update this notice and platform permission prompts.

Push notifications may be offered where the platform supports them; you can disable them in device settings. The Services currently deliver in-app real-time notifications via WebSocket connections rather than OS-level push.

Local storage. Our applications may store authentication tokens, a cached copy of your account profile, and session-related data in the browser or app local storage to maintain your signed-in state. Desktop applications may also check for software updates by contacting our update server, which receives your IP address.

External resources. Our web pages may load fonts from Google Fonts (fonts.googleapis.com), which causes your browser to send your IP address to Google when the page loads.

Sensitive information

We do not intentionally collect special categories of personal data about you (as defined under GDPR) or sensitive personal information (as defined under certain U.S. state laws) except where you choose to provide content that may include such information — in which case we process it only as necessary to provide the Services you request. Please avoid uploading content that includes unnecessary sensitive personal information.

Information must be accurate to the best of your knowledge, and you should notify us of material changes to account information.

2. How do we process your information?

In short: We process information to provide and improve the Services, secure our systems, bill and meter usage, communicate with you, and comply with law — and for other purposes with consent where required.

Examples include:

  • Creating and managing accounts and authentication;
  • Delivering cloud storage, collaboration, visualization, analysis, and device connectivity features;
  • Processing uploads, streaming, search, sharing, and permissions you configure;
  • Facilitating direct and group messaging, including storing message content, attachments, delivery and read receipts;
  • Displaying online/offline presence and last-seen status to your connections for real-time collaboration;
  • Running security, fraud prevention, abuse detection, and reliability engineering (including server logs, session tracking, and rate limiting by IP or user);
  • Customer support and responding to inquiries — including routing feedback and bug reports to our internal issue tracker;
  • Administrative messages, service announcements, and (where permitted) marketing — with opt-out where required;
  • Subscription, invoicing, and usage metering with our billing providers;
  • Analytics in the sense of product and security analytics (how features are used), not cross-site advertising profiles;
  • Compliance with legal obligations and protection of vital interests where applicable.

Artificial intelligence features

Some features use machine learning models hosted on Amazon Web Services (AWS), including Amazon Bedrock, to assist with tasks such as pattern suggestions, mapping or structuring data, document assistance, or similar workflows. When you use those features, portions of your prompts, folder or file metadata, document text, or related context may be sent to the model provider to generate a response. We use these outputs to provide the feature you requested. AWS processes such requests as our subprocessor under our agreement with AWS. Retention of prompts and outputs depends on our configuration and AWS service terms; we will update this notice if we materially change practices.

3. Legal bases (EEA/UK)

If you are in the EEA, UK, or similar jurisdictions, we rely on appropriate legal bases such as: contract (to provide the Services), legitimate interests (for example security, product improvement, and internal analytics that are not overridden by your rights), consent where required (for example certain cookies or marketing), and legal obligation. You may withdraw consent where processing is consent-based, without affecting prior lawful processing.

If you are in Canada, we collect, use, or disclose your personal information with consent (express or implied where permitted) or as otherwise authorized under applicable Canadian privacy laws. You may withdraw consent where withdrawal does not prevent us from meeting legal or contractual obligations.

4. When and with whom do we share personal information?

In short: We share information with service providers, when legally required, in business transactions, and with other users as you direct.

Service providers and subprocessors (categories and representative services) include:

  • Cloud infrastructure and storage — AWS (for example compute, object storage such as S3, databases, networking, logging, IoT, serverless functions);
  • AI inference — AWS Bedrock and related AWS AI services we enable;
  • Payments — Stripe (payment methods and related transaction data);
  • Subscription and usage metering — Lago (or successor billing platform) for plans, usage events, and customer records;
  • Email delivery — for example AWS SES or other SMTP/ESP providers we configure;
  • Feedback and issue tracking — GitLab (gitlab.com), where user-submitted bug reports and feedback may be stored as issues containing your name, email, user ID, description, platform details, and screenshots;
  • Academic reference search — CrossRef (crossref.org), PubMed/NCBI (ncbi.nlm.nih.gov), and Semantic Scholar (semanticscholar.org), which receive only search queries you enter when looking up references — no account or personal data is sent;
  • Fonts — Google Fonts (fonts.googleapis.com), loaded by our web pages, which transmits your IP address to Google;
  • Hosting and tooling — providers that host websites, help us operate internal tools, or support security monitoring.

We contractually require service providers to protect personal information and use it only for the services they perform for us.

Legal and safety: We may disclose information if required by law, to respond to lawful requests, or to protect rights, safety, and security.

Business transfers: Information may be transferred in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

Other users and collaboration: When you share content, messages, or a public profile, recipients you choose (or the public, if you make information public) can see that information according to your settings. Connected users can see your name, profile information, online/offline status, and last-seen time.

International data transfers

Our servers and primary infrastructure are located in the United States (AWS regions us-east-1 and us-east-2). If you access the Services from outside the U.S., your information will be transferred to and processed in the United States. GitLab (our issue-tracking provider) is hosted in the European Union (Netherlands). We rely on appropriate safeguards for international transfers, including standard contractual clauses or equivalent mechanisms where required by applicable law.

5. Cookies and similar technologies

In short: We use cookies and similar technologies where needed for security, session management, preferences, and basic site operation.

Our public marketing website may use cookies or analytics as described in our Cookie Notice, if that page is published. The authenticated Omeos web application is not used to run cross-site behavioral advertising on our behalf.

If certain cookies or SDKs are deemed a "sale" or "sharing" under U.S. state laws, you may exercise choices through our Cookie Notice (where available) and the rights described in U.S. state privacy rights.

6. How long do we keep your information?

In short: We keep information as long as needed for the purposes in this notice, unless a longer period is required by law.

For many categories tied to an account, we retain data while the account is active and for a reasonable period afterward to resolve disputes, comply with law, enforce agreements, and maintain backups. Backup copies may persist for a limited time after deletion from active systems.

Specific retention periods include:

  • Account data: retained while the account is active and for a reasonable period after deletion (the account record itself is soft-deleted and retained for a limited time for fraud prevention and legal compliance);
  • Device sensor readings: automatically purged after approximately 90 days;
  • Server application logs: retained for approximately 14 days;
  • Server error logs: retained for approximately 30 days;
  • Expired and revoked sessions: purged automatically within 7 days of expiration or revocation.

7. Do we collect information from minors?

In short: Our Services are not directed to children under 18 (or the age of majority in your jurisdiction).

We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact team@37-degrees.com.

8. What are your privacy rights?

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to certain processing, and to lodge a complaint with a supervisory authority. Automated decisions producing legal or similarly significant effects are not a routine part of Omeos; if that changes, we will describe the logic and your review rights.

To exercise rights, contact https://www.37degrees.io/contactus or team@37-degrees.com. You may opt out of marketing emails using the unsubscribe link when we send promotional messages.

9. Controls for do-not-track

There is no uniform standard for DNT signals. We do not respond to DNT signals today. If a standard emerges that we must follow, we will update this notice.

10. U.S. state privacy rights

If you are a resident of a U.S. state with a comprehensive privacy law, you may have rights to access, correct, delete, obtain a copy, opt out of certain processing (including targeted advertising, sale, or profiling where applicable), and appeal our responses. Contact us as above. We will verify your request as required by law. Authorized agents may submit requests with appropriate proof.

Categories collected (past 12 months)

The table below is a summary. See Section 1 for detail.

Category | Examples | Collected
A. Identifiers | Name, username, email, IP address, account ID | Yes
B. California Customer Records | Name, contact information | Yes
C. Protected classifications | Race, religion, etc. | No
D. Commercial information | Subscription or purchase-related records, payment method metadata via processors | Yes
E. Biometric information | Fingerprints, voiceprints for ID | No
F. Internet or network activity | Interactions with the Services, logs | Yes
G. Geolocation data | Approximate location from IP; not continuous GPS tracking in core mobile features as of this notice | Yes (limited)
H. Sensory / content | Images, video, audio recordings (including voice messages), documents you upload or create | Yes
I. Professional / employment | Institution, department, job title, research field | Yes
J. Education | Student records | No
K. Inferences | Profiles drawn from the above | No (beyond service personalization)
L. Sensitive personal information | As defined in applicable state law | No (except user-provided content as described)

Disclosure for business purposes

We disclose categories such as A, B, D, F, G, H, and I to service providers (including AWS, Stripe, Lago, and email providers) as needed to operate the Services. We do not "sell" personal information for money. We do not use or disclose sensitive personal information for purposes that require a "limit" request under California law, beyond permitted service and security purposes.

California "Shine the Light"

California residents may request certain information about disclosure of personal information for direct marketing to third parties; contact us using the details below.

11. Do we make updates to this notice?

Yes. We will update this Privacy Notice when our practices or the law change. The Last updated date at the top shows the latest revision. Material changes may be communicated through the Services or by email where appropriate.

12. How can you contact us?

Email: team@37-degrees.com

Postal mail:

37degrees, Inc.
111 North Wabash Ave. Ste. 100,
The Garland Building Chicago, #3689
Chicago, IL 60602
United States

13. How can you review, update, or delete data?

Depending on applicable law, you may request access, correction, or deletion by visiting https://www.37degrees.io/contactus or emailing team@37-degrees.com. You can update much of your account information in product settings.

Account deletion. When you delete your account through the app, we:

  • Cancel active subscriptions with our billing provider;
  • Revoke all active sessions;
  • Delete your uploaded files, device data, and associated cloud storage objects;
  • Delete your documents, devices, and device shares.

Your account record is soft-deleted (marked as deleted but retained for a limited period) rather than immediately purged, so that we can prevent fraud, honor legal obligations, and resolve any pending matters. Certain data that was shared with or delivered to other users — such as messages you sent, connection records, group memberships, and notifications — may persist in recipients' accounts or in our systems for integrity and compliance purposes. We will permanently purge soft-deleted records in accordance with our retention schedule.