Privacy Policy

1. Data controller

The data controller depends on your billing country: Senolytic Lab 合同会社 (セノリティックラブ合同会社) for customers in Japan, and YuniqueS Limited for customers in all other countries (including Hong Kong). The entity shown on this page is based on your detected location. Your billing country at the time of subscription is the definitive determining factor.

Your billing country at the time of subscription determines which entity is your data controller. If you believe the wrong entity is shown, contact us.

2. Audio data and biometric identifiers

Amnis processes audio locally on your device for transcription. We do not receive, store, or upload your audio recordings by default. Amnis does not extract voiceprints or any other biometric identifier from your audio — the transcription process converts speech to text only, and no identifier capable of uniquely identifying you as a speaker is created or transmitted to us. If you share audio with us voluntarily (for example, in a support request), we use it solely to assist you and do not retain it beyond that purpose. This design means Amnis does not create or process biometric data as defined under any applicable law, including GDPR Article 9, Illinois BIPA, Japan APPI, and the Australian Privacy Act.

3. Information we collect

We collect information you provide, information generated when you use the Service, and information from our payment and authentication providers.

• Account information (such as email address, account ID, and sign-in events).
• Device and app information (such as device ID, app version, platform, and language).
• Billing information from Stripe (such as subscription status, payment IDs, and receipts). We do not receive full card details.
• Website technical data (such as IP address, browser type, and server logs) when you visit amnis.one.
• Support communications (such as emails, messages, and attachments you send us).
• Optional diagnostics (such as crash reports) if you enable them.

4. On-device processing

Amnis is designed to process your audio on your device. We do not upload your audio or transcripts to our servers by default. If you choose to share content with us (for example, in a support request), we may receive and store that content to help you.

5. How we use information

We use information to operate, secure, support, and improve the Service, and to meet legal obligations.

• Provide the Service (account access, device linking, and features).
• Authenticate users and prevent fraud, abuse, and security incidents.
• Process billing, taxes, and refunds through Stripe.
• Provide customer support and respond to your requests.
• Maintain and improve reliability and performance (for example, troubleshooting bugs).
• Send product and service communications (you may opt out at any time).
• Comply with legal and accounting obligations and enforce our terms.

6. Legal bases (EEA / UK)

If you are in the EEA or UK, we process personal data under the following legal bases (as applicable):

• Contract: to provide the Service you request.
• Legitimate interests: to secure the Service, prevent fraud, and improve reliability.
• Legal obligations: to comply with tax, accounting, and other laws.
• Consent: for optional features you choose (for example, optional diagnostics or analytics cookies). You can withdraw consent at any time.

7. How we share information

We share information only as needed to operate the Service, for example with:

• Stripe (payment processing). Stripe Japan is used for customers in Japan, and Stripe Hong Kong is used for customers in all other countries (including Hong Kong). Stripe may process payment details under its own policies.
• Supabase (authentication).
• Hosting and infrastructure providers (to run the website and backend).
• Professional advisers (for example, legal or accounting) when needed.
• Authorities if required by law, or to protect our rights, users, and Service.
• A buyer or successor if we are involved in a merger, acquisition, or asset sale (we will notify you if required by law).
• We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

8. International data transfers

Our Japan and Hong Kong entities, together with our service providers, may process information in Japan, Hong Kong, the United States (Stripe, Supabase, hosting providers), and other countries. These countries may have different data protection laws. For transfers from the EEA or UK, we rely on applicable transfer mechanisms (such as standard contractual clauses or adequacy decisions). For transfers under Japan APPI, Stripe Japan and Supabase maintain protective frameworks; details of the legal systems and protective measures of each destination country are available on request. Contact us if you want more information.

9. Retention

We keep personal information only as long as needed for the purposes described above, such as to provide the Service, meet legal obligations, resolve disputes, and enforce our agreements. For example, billing records may be retained for longer periods where required by law. You can request deletion of your account information, subject to legal requirements. Under Japan APPI, we maintain records of third-party data provisions for three years.

10. Security and breach notification

We use reasonable administrative, technical, and physical safeguards to protect personal information (for example, access controls and encryption in transit). No method of transmission or storage is 100% secure. In the event of a data breach that may create a risk of harm to you, we will notify you and the relevant regulatory authority as required by applicable law (for example, within 72 hours to EEA/UK supervisory authorities under GDPR; within approximately 3–5 business days to the Japan PPC; as soon as feasible to the Canadian OPC or CAI; and within 30 days of assessment to the Australian OAIC).

11. Your rights and choices

Depending on where you live, you may have rights regarding your personal information. We may need to verify your identity before responding. To exercise any of these rights, contact us using the details in the Contact section.

• Access / disclosure of the information we hold about you.
• Correction or update of inaccurate information.
• Deletion of information (subject to legal requirements).
• Objection to certain processing or restriction of processing (EEA/UK).
• Data portability (EEA/UK, Quebec, in certain circumstances).
• Withdrawal of consent where processing is based on consent.
• The right to lodge a complaint with your local data protection authority (EEA/UK).
• Suspension of use or third-party provision of your information on specified grounds (Japan APPI — see the Japan section below).

12. US privacy rights (CCPA / CPRA and other state laws)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights. Other US state privacy laws may provide similar rights.

• Right to know: request the categories and specific pieces of personal information we have collected about you in the prior 12 months, including sources, purposes, and third parties with whom it was shared.
• Right to delete: request deletion of personal information we have collected, subject to exceptions (for example, information needed to complete a transaction or comply with a legal obligation).
• Right to correct: request correction of inaccurate personal information we maintain.
• Right to opt-out of sale or sharing: we do not sell personal information and do not share personal information for cross-context behavioral advertising. No opt-out action is required.
• Right to limit use of sensitive personal information (SPI): we do not use SPI beyond what is necessary to provide the Service. No limit request is needed.
• Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
• Authorized agents: you may designate an authorized agent to submit requests on your behalf by providing written authorization.
• How to submit a request: contact us by email using the details in the Contact section. We will respond within 45 days (extendable by a further 45 days with notice).
• Categories of personal information collected in the prior 12 months: identifiers (email, device ID, account ID); commercial information (subscription status, purchase records); internet/electronic activity (app usage, website visits). Audio recordings and voiceprints are not collected by our servers — see the Audio section above.
• Shine the Light (Cal. Civil Code §1798.83): we do not disclose personal information to third parties for their direct marketing purposes.

13. Canadian privacy rights (PIPEDA and Quebec Law 25)

If you are a resident of Canada, you have rights under PIPEDA and, if you are in Quebec, under the Act respecting the protection of personal information in the private sector (Law 25 / Bill 64).

• Right to access the personal information we hold about you. We will respond within 30 days (extendable to 60 days with written notice).
• Right to correct inaccurate, incomplete, or out-of-date personal information.
• Right to withdraw consent to collection, use, or disclosure where consent is the processing basis (subject to legal or contractual requirements).
• Right to data portability (Quebec residents): receive your personal information in a structured, commonly used technological format and have it transmitted to another organization.
• Right to be informed of automated decision-making (Quebec residents): if any feature renders a decision affecting you exclusively through automated processing, you have the right to know the personal information used, the principal factors behind the decision, and to submit your views to a person who can reconsider it.
• Right to de-indexing (Quebec residents): request de-indexing or removal of hyperlinks to personal information about you where dissemination contravenes law.
• Privacy by default: we apply the strictest privacy settings by default and collect only what is necessary for the purposes described in this policy.
• Named privacy officer: our designated Privacy Officer can be reached at the email address in the Contact section.
• Breach notification: if a breach of your personal information creates a real risk of significant harm, we will notify you and the relevant regulator (the Office of the Privacy Commissioner of Canada, or the Commission d'accès à l'information for Quebec) as soon as feasible.
• To exercise any of these rights, contact us using the details in the Contact section.

14. Australian privacy rights (Privacy Act 1988)

If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information. Amnis is an APP entity for this purpose.

• Right to access: you may request access to the personal information we hold about you. We will respond within a reasonable period (typically 30 days). We may charge a reasonable cost-recovery fee in some circumstances.
• Right to correction: you may request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We will respond within a reasonable period.
• If we refuse an access or correction request, we will provide written reasons and information about how to make a complaint.
• Overseas recipients: we disclose personal information to overseas recipients including Stripe (United States and Ireland), Supabase (United States), and hosting providers. We take reasonable steps to ensure overseas recipients handle information consistently with the APPs or under equivalent contractual protections.
• Notifiable Data Breaches (NDB scheme): if a data breach is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. Our NDB assessment is completed within 30 days of becoming aware of a suspected breach.
• Complaints: if you believe we have interfered with your privacy, please contact us first. If your complaint is not resolved within 30 days, you may complain to the OAIC at oaic.gov.au.
• Consumer guarantees: nothing in this policy limits any rights you have under the Australian Consumer Law.

15. Japan: additional information under APPI

This section provides additional disclosures required by Japan's Act on the Protection of Personal Information (個人情報の保護に関する法律 — APPI) as amended in 2022. The entity responsible for handling personal information for customers in Japan is Senolytic Lab 合同会社.

• Purpose of use (利用目的): (1) providing and operating the Service (account management, device activation, features); (2) processing billing and subscriptions through Stripe Japan; (3) authenticating users via Supabase; (4) responding to customer support inquiries; (5) improving the Service through aggregated analytics (no audio or transcripts are sent to us); (6) complying with legal obligations; (7) sending product and service communications (you may opt out at any time by contacting us).
• Voiceprints and biometric identifiers (個人識別符号): Amnis does not create, extract, or store voiceprints (声紋) or any other Personal Identifier Code from your audio. Audio is processed locally on your device for transcription only; no biometric identifier is transmitted to us.
• Third-party provision records (第三者提供記録): when we provide personal information to third parties, we maintain records as required by APPI Article 25 (retained for three years). When receiving personal information from third parties, we also record the source, categories, and basis as required by APPI Article 26.
• Cross-border transfers (外国にある第三者への提供): personal information may be transferred to Japan (processed by Senolytic Lab), and to the United States (Stripe Japan, Inc.; Supabase, Inc.; hosting providers). Stripe Japan maintains a global privacy framework aligned with applicable standards; Supabase is covered by data processing agreements meeting APPI requirements. Details of the legal systems and specific protective measures of each destination country are available on request by contacting us.
• Right to request disclosure (開示請求): you may request disclosure of retained personal information we hold about you. We will respond within 30 days.
• Right to request correction or deletion (訂正・削除請求): you may request correction or deletion of inaccurate personal information. We will respond within a reasonable period (typically two weeks to one month).
• Right to request suspension of use or third-party provision (利用停止・消去・第三者提供停止請求): you may request suspension of use or cessation of third-party provision of your personal information on any of the following grounds: (a) use beyond the stated purpose or illegal collection; (b) the information is no longer needed for the purpose; (c) a data breach has occurred; or (d) continued processing is likely to harm your rights and interests. We will respond within a reasonable period.
• Breach notification (漏えい等の報告): if a breach meets the criteria under APPI (sensitive information involved, financial harm risk, malicious attack, or 1,000+ data subjects affected), we will submit a preliminary report to the Personal Information Protection Commission (PPC) promptly (approximately 3–5 business days) and notify affected individuals without delay.
• Complaint handling: for APPI-related inquiries or complaints, contact us at the email address in the Contact section. You may also file a complaint with the Personal Information Protection Commission (PPC) at ppc.go.jp.

16. Cookies and similar technologies

We use cookies and local storage for essential website functions. Optional analytics cookies are used only if you allow them.

• The `amnis_lang` cookie to remember your language preference.
• Supabase authentication storage (to keep you signed in).
• Stripe cookies/local storage during checkout (to process payment and prevent fraud).
• Optional PostHog analytics cookies to understand broad website usage (enabled only with your consent).
• You can choose "Allow all cookies" or "Use necessary only," and update your choice in Cookie settings.
• We do not use advertising cookies or cross-site trackers.

17. Children

The Service is not intended for children. In the United States, users must be at least 13 years old. In the UK, users must be at least 13 years old. In the EEA and all other countries, users must be at least 16 years old (or the age of digital consent in their country, if higher). In Quebec, Canada, users under 14 require parental or guardian consent. We do not knowingly collect personal information from children below the applicable age threshold. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.

18. Changes to this policy

We may update this Privacy Policy from time to time. We will update the date above when we do. If changes are material (for example, we change how we collect or use your data in a significant way), we will take reasonable steps to provide advance notice before the changes take effect (for example, by posting a notice on our website or sending an email). Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

19. Contact

For privacy questions, requests, or complaints, email support@amnis.one. We aim to respond within 30 days. For EU residents, you also have the right to lodge a complaint with your local data protection authority. For UK residents, with the Information Commissioner's Office (ico.org.uk). For Australian residents, with the OAIC (oaic.gov.au).