Privacy Policy

How 37degrees, Inc. collects, processes, stores, and shares personal information.

Last updated

This Privacy Notice for 37degrees, Inc. (“we,” “us,” or “our”) describes how and why we access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

  • Visit our website at https://www.37degrees.io or any website of ours that links to this Privacy Notice;
  • Download and use our mobile or desktop applications that link to this Privacy Notice (our product is omēos, developed by 37degrees, Inc.);
  • Use omēos, a mobile and web platform to connect 37degrees hardware, stream and manage image and video (and related scientific) data, run cloud workflows, collaborate, and use visualization and analysis features;
  • Engage with us in other related ways, including sales, marketing, or events.

We are responsible for decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. Questions: team@37-degrees.com.

Summary of key points

  • What personal information do we process? It depends on how you use the Services.
  • Sensitive categories. We do not ask you for special categories of data (such as racial or ethnic origin, health data, or biometric data used to identify you). Content you upload (for example microscopy images or recordings) is processed as your content to provide the Services; do not upload unlawful or unnecessary sensitive information.
  • Third parties. We do not buy marketing lists or aggregate data from data brokers for profiling. We do use service providers (for example cloud hosting, email delivery, payments, subscription metering, and AI inference) that process information on our instructions.
  • Why we process data. To run and secure the Services, bill and meter usage where applicable, support you, improve the product, and comply with law.
  • Your rights. Vary by region.
  • How to exercise rights. https://www.37degrees.io/contactus or team@37-degrees.com.

1. What information do we collect?

Personal information you provide

We collect information you voluntarily provide when you register, use the Services, or contact us.

  • Account and identity: email address, first and last name, username
  • Credentials: password — stored as a one-way hash; we do not store your password in plain text
  • Professional profile (optional): institution, organization, department, job title, research or scientific field category
  • Contact: phone number if you add it
  • Profile: profile photo (typically as a URL we store), biography text, and profile-visibility settings
  • Preferences: notification and similar preferences
  • Support and communications: information you include in tickets, emails, or calls. When you submit feedback or bug reports through the app, your name, email, platform details, and any attached screenshots may be included.

Billing. Payments and payment methods may be collected by our payment processor (Stripe) when you add a card or complete billing flows. We may receive identifiers and status from Stripe / Lago (for example customer IDs, subscription state) rather than full card numbers. Billing or mailing addresses are collected only if you or the payment flow provide them to our processors.

Content, devices, and IoT data

To provide omēos, we process your content that you upload, sync, or generate in the Services — such as files, folders, images, videos, audio recordings, documents, experiment metadata, and outputs from analysis or collaboration features. We also process device and connectivity data needed to pair and operate 37degrees hardware (for example device serial numbers, MAC addresses, sensor telemetry such as temperature, humidity, and CO₂ readings, firmware versions, and connectivity state). Device data is transmitted over Bluetooth Low Energy (BLE) when in local mode and via AWS IoT Core (MQTT) when in cloud mode.

Messaging and collaboration data

The Services include direct and group messaging. When you send messages, we store the message content, file attachments, delivery and read timestamps, and related metadata. We also store your connections (contact relationships) and group memberships. If you invite someone to connect by email, we store the invitee’s email address, name, and invitation status.

Presence and activity

When you are signed in, the Services may broadcast your online/offline status and last-seen timestamp to users you are connected with, to support real-time collaboration features. This data is stored on your account record.

Information collected automatically

This may include IP address, approximate location derived from IP, browser and device type, operating system, diagnostic and performance data, log and usage data (such as timestamps, actions in the Services, and error reports), session identifiers, and similar data needed to secure and operate the Services. Each authenticated session also records the IP address, user-agent string, and client metadata (operating system, browser version, app version) for security purposes such as detecting unauthorized access.

Mobile and desktop apps may request access to capabilities such as Bluetooth (to discover and connect to devices), microphone (if you record audio messages or attachments), local network (for local device connectivity), storage, and similar features, depending on the platform. Our core mobile experience is not designed to continuously track precise GPS location; if we introduce location-dependent features, we will update this notice and platform permission prompts.

Push notifications may be offered where the platform supports them; you can disable them in device settings. The Services currently deliver in-app real-time notifications via WebSocket connections rather than OS-level push.

Local storage. Our applications may store authentication tokens, a cached copy of your account profile, and session-related data in the browser or app local storage to maintain your signed-in state. Desktop applications may also check for software updates by contacting our update server, which receives your IP address.

External resources. Our web pages may load fonts from Google Fonts (fonts.googleapis.com), which causes your browser to send your IP address to Google when the page loads.

Sensitive information

We do not intentionally collect special categories of personal data about you (as defined under GDPR) or sensitive personal information (as defined under certain U.S. state laws) except where you choose to provide content that may include such information — in which case we process it only as necessary to provide the Services you request. Please avoid uploading content that includes unnecessary sensitive personal information.

2. How do we process your information?

We process information to provide and improve the Services, secure our systems, bill and meter usage, communicate with you, and comply with law — and for other purposes with consent where required.

  • Creating and managing accounts and authentication
  • Delivering cloud storage, collaboration, visualization, analysis, and device-connectivity features
  • Processing uploads, streaming, search, sharing, and permissions you configure
  • Facilitating direct and group messaging — including storing message content, attachments, delivery and read receipts
  • Displaying online/offline presence and last-seen status to your connections
  • Running security, fraud prevention, abuse detection, and reliability engineering
  • Customer support and responding to inquiries — including routing feedback and bug reports to our internal issue tracker
  • Administrative messages, service announcements, and (where permitted) marketing — with opt-out where required
  • Subscription, invoicing, and usage metering with our billing providers
  • Product and security analytics — not cross-site advertising profiles
  • Compliance with legal obligations and protection of vital interests where applicable

Artificial intelligence features

Some features use machine-learning models hosted on Amazon Web Services (AWS), including Amazon Bedrock, to assist with tasks such as pattern suggestions, mapping or structuring data, document assistance, or similar workflows. When you use those features, portions of your prompts, folder or file metadata, document text, or related context may be sent to the model provider to generate a response. We use those outputs to provide the feature you requested. AWS processes such requests as our subprocessor under our agreement with AWS. Retention of prompts and outputs depends on our configuration and AWS service terms; we will update this notice if we materially change practices.

If you are in the EEA, UK, or similar jurisdictions, we rely on legal bases such as: contract (to provide the Services), legitimate interests (security, product improvement, and internal analytics not overridden by your rights), consent where required, and legal obligation. You may withdraw consent where processing is consent-based, without affecting prior lawful processing.

If you are in Canada, we collect, use, or disclose your personal information with consent (express or implied where permitted) or as otherwise authorized under applicable Canadian privacy laws.

4. When and with whom do we share personal information?

Service providers and subprocessors include:

  • Cloud infrastructure and storage — AWS (compute, object storage such as S3, databases, networking, logging, IoT, serverless functions)
  • AI inference — AWS Bedrock and related AWS AI services
  • Payments — Stripe
  • Subscription and usage metering — Lago (or successor)
  • Email delivery — AWS SES or other SMTP/ESP providers
  • Feedback and issue tracking — GitLab (gitlab.com)
  • Academic reference search — CrossRef, PubMed/NCBI, Semantic Scholar (receive only your search queries — no account or personal data)
  • Fonts — Google Fonts (fonts.googleapis.com)
  • Hosting and tooling — providers that host websites, help us operate internal tools, or support security monitoring

We contractually require service providers to protect personal information and use it only for the services they perform for us.

Legal and safety. We may disclose information if required by law, to respond to lawful requests, or to protect rights, safety, and security.

Business transfers. Information may be transferred in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

Other users and collaboration. When you share content, messages, or a public profile, recipients you choose (or the public, if you make information public) can see that information according to your settings. Connected users can see your name, profile information, online/offline status, and last-seen time.

International data transfers

Our servers and primary infrastructure are located in the United States (AWS regions us-east-1 and us-east-2). If you access the Services from outside the U.S., your information will be transferred to and processed in the United States. GitLab (our issue-tracking provider) is hosted in the European Union (Netherlands). We rely on appropriate safeguards for international transfers — standard contractual clauses or equivalent mechanisms — where required by applicable law.

5. Cookies and similar technologies

We use cookies and similar technologies where needed for security, session management, preferences, and basic site operation. See our Cookie Policy for details.

6. How long do we keep your information?

We keep information as long as needed for the purposes in this notice, unless a longer period is required by law.

  • Account data: retained while the account is active and for a reasonable period after deletion
  • Device sensor readings: automatically purged after approximately 90 days
  • Server application logs: retained for approximately 14 days
  • Server error logs: retained for approximately 30 days
  • Expired and revoked sessions: purged automatically within 7 days of expiration or revocation

7. Do we collect information from minors?

Our Services are not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact team@37-degrees.com.

8. What are your privacy rights?

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to certain processing, and to lodge a complaint with a supervisory authority. To exercise rights, visit https://www.37degrees.io/contactus or email team@37-degrees.com. You may opt out of marketing emails using the unsubscribe link.

9. Do-not-track

There is no uniform standard for DNT signals. We do not respond to DNT signals today. If a standard emerges that we must follow, we will update this notice.

10. U.S. state privacy rights

If you are a resident of a U.S. state with a comprehensive privacy law, you may have rights to access, correct, delete, obtain a copy, opt out of certain processing, and appeal our responses. Contact us as above.

We do not “sell” personal information for money. We do not use or disclose sensitive personal information for purposes that require a “limit” request under California law, beyond permitted service and security purposes.

11. Updates to this notice

We will update this Privacy Notice when our practices or the law change. The “Last updated” date at the top shows the latest revision. Material changes may be communicated through the Services or by email where appropriate.

12. Contact

Email: team@37-degrees.com

Postal mail:

37degrees, Inc.
111 North Wabash Ave., Suite 100
The Garland Building #3689
Chicago, IL 60602
United States

13. Review, update, or delete data

Depending on applicable law, you may request access, correction, or deletion by visiting https://www.37degrees.io/contactus or emailing team@37-degrees.com. You can update much of your account information in product settings.

Account deletion. When you delete your account through the app, we:

  • Cancel active subscriptions with our billing provider
  • Revoke all active sessions
  • Delete your uploaded files, device data, and associated cloud storage objects
  • Delete your documents, devices, and device shares

Your account record is soft-deleted (marked as deleted but retained for a limited period) rather than immediately purged, so that we can prevent fraud, honor legal obligations, and resolve pending matters. Certain data shared with or delivered to other users — messages, connection records, group memberships, notifications — may persist in recipients’ accounts or in our systems for integrity and compliance purposes.