Bystro Data Retention Policy

1. Data Retention by Service Component

The Service currently includes two platforms: THiNK and DASH.

THiNK Platform

All data entered into the THiNK agentic platform is retained on our servers until deleted by the user or upon account closure. Data is retained until deleted by the user or upon account closure, with no automatic deletion schedule. Users may delete all of their THiNK chat data at any time using the bulk delete control available within the platform.

DASH Platform

VCF formatted genetic files submitted through the DASH dashboard are never retained by Bystro. These files are processed and immediately discarded upon completion of annotation processing. Users may delete all data in the DASH platform at any time, including annotated variant files, quality control files, and analysis outputs such as polygenic risk scores and ancestry results using the bulk delete control available within the platform.

2. AI Observability and Session Logs

To maintain platform reliability, debug issues, and operate our safety systems, Bystro collects session logs through our AI observability infrastructure. These logs may include the content of queries and responses during a short operational window. The following retention rules apply:

• Unflagged sessions: Session content, including inputs, outputs, and intermediate agentic steps, is automatically and permanently deleted after 7 days. After deletion, only standard operational logs are retained for platform monitoring. These logs contain no personal content.
• Policy violation sessions: If a session is flagged by our trust and safety systems as violating our Terms of Service, we retain inputs and outputs for up to 2 years and trust and safety classification scores for up to 7 years, only as reasonably necessary for security, abuse prevention, policy enforcement, legal compliance, and audit purposes. This retention is necessary to investigate incidents, enforce our policies, and improve our safety systems.

VCF genetic file content is never present in session logs. This is handled at the application level and does not change as part of this policy.

3. Data Visibility and Sharing

Data on the Bystro platform can exist in one of three states, each with different retention implications:

Private (Default)

All data is private by default and accessible only to the account holder. Private data is permanently deleted upon a valid user deletion request with no copies retained by Bystro.

Shared via Link

Users may share specific content by generating a link. Shared content is accessible to any user who has the link and a Bystro account. Shared content is not cached or indexed separately. When the user deletes shared content, it is fully removed from Bystro's systems. However, Bystro cannot guarantee that recipients of the link did not download or save the content prior to deletion.

Public

Users may choose to make their data fully public on the Bystro platform. Once data has been made public, Bystro cannot guarantee that all copies can be deleted upon request, as the data may have been accessed, downloaded, or saved by third parties prior to the deletion request. Given the sensitive nature of genomic and health data, users are strongly encouraged to carefully consider the implications of making data public before doing so.

4. User Deletion Rights

Users may delete their data at any time through self-serve controls available directly within each platform:

• THiNK: Bulk delete all chat data directly within the THiNK platform.
• DASH: Bulk delete all data directly within the DASH platform.

Deletion is initiated promptly and removed from active systems, subject to limited exceptions, backup cycles, legal obligations, and security retention periods. Please note the following:

• Standard operational logs used for platform monitoring cannot be individually deleted, as they contain no personal content.
• Session logs for policy violation sessions (Section 2) are retained for up to 2 years regardless of deletion requests, as required for platform safety and policy enforcement.
• Data shared via link or made public prior to deletion may not be fully recoverable from third parties.

To request deletion of your account or for assistance with data deletion, please contact us at team@bystro.io.

Residents of Washington and Nevada: Statutory deletion timelines under the Washington My Health My Data Act and Nevada's consumer health data law may differ from the general timelines described above. Please refer to our Consumer Health Data Privacy Policy for the applicable SLAs in those states.

5. Account and Profile Data

When you create a Bystro account, we collect and retain account and profile information such as your name, email address, and registration details for as long as your account remains active. This information is used to authenticate your login, provide account-related communications, and maintain your account.

Upon account closure, we will retain your account information for up to 30 days to allow for account reactivation requests, after which it will be permanently deleted. The following exceptions apply:

• Where data has been included in aggregated or de-identified analytics that cannot be traced back to you individually.
• Where a session was flagged for a policy violation, in which case the retention periods in Section 2 apply.
• Where we are otherwise legally required to retain it.

Billing and transaction records are retained by our payment processor, Stripe, in accordance with their own policies and applicable financial regulations. Stripe's retention of payment records is independent of your Bystro account status.

To request closure of your account, please contact us at team@bystro.io.

6. Enterprise and On-Premises Deployments

Enterprise customers may request zero log retention as part of their agreement with Bystro. Under a zero log retention agreement, no session content is retained beyond what is required to complete the current session. On-premises deployments are available for organizations requiring full data sovereignty.

For more information about enterprise data arrangements, please contact us at team@bystro.io.

7. Changes to This Policy

We may update this Data Retention Policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. When we make changes, we will revise the date at the top of this page. Your continued use of the platform after any changes become effective means that you accept the updated policy.