DrugRepAI

Privacy Policy

Last updated: May 14, 2026

Information on the processing of personal data pursuant to Articles 13–14 of Regulation (EU) 2016/679 (GDPR).

DrugRepAI, an AI platform for drug repurposing based in Amsterdam, the Netherlands, places primary importance on the protection of personal data and respect for the privacy of its users, customers, and all other individuals with whom it comes into contact in the course of its business. Personal data is processed transparently, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR"), the Dutch Data Protection Act (Uitvoeringswet AVG – UAVG), and the guidelines and recommendations of the European Data Protection Board (EDPB).

This Policy describes how DrugRepAI collects and processes only the personal data strictly necessary to achieve the purposes indicated, illustrates the legal bases of the processing, the rights recognized to data subjects, and the measures adopted to ensure a high level of protection.

1. Data controller and privacy representatives

The data controller is DrugRepAI, with registered office in Amsterdam, Netherlands, […], registration number at the Chamber of Commerce (KVK) […], VAT number NL […] (hereinafter "DrugRepAI" or the "Controller"). DrugRepAI is operated by Moods Studio, Amsterdam, Netherlands.

For any questions regarding the processing of personal data or the exercise of the rights set forth in Section 10, you can contact the Data Controller at the following email address: […]

Data Protection Officer (DPO): as of the date this Policy was last updated, DrugRepAI has not appointed a Data Protection Officer pursuant to Article 37 of the GDPR, as the mandatory requirements set forth in Article 37, paragraph 1, letters b) and c), of the GDPR are not met. The Data Controller nevertheless ensures the presence of an internal contact person responsible for coordinating data protection activities: […]

2. Personal data processed and purposes of processing

The Data Controller processes personal data in the categories, for the purposes, and within the limits indicated below. DrugRepAI collects and processes only the personal data strictly necessary to achieve each specific purpose, in compliance with the principle of data minimization (Article 5, paragraph 1, letter c), GDPR).

2.1 Professional identification and contact data

The Data Controller processes the personal and professional contact data of users, potential customers, partners, and collaborators who interact with the platform or through the available contact channels. This data includes: first and last name, company email address, professional role, organization name, telephone number if provided by the data subject, as well as the content of messages, demo requests, communications, and correspondence. The processing is aimed at managing contact and demo requests, pre-contractual activities, customer onboarding, and managing the business relationship.

2.2 Account data and authentication

The Data Controller processes the data necessary to create, manage, and maintain user accounts on the platform, including: username, access credentials in encrypted/hashed form, access logs, session timestamps, roles, and permissions assigned to the user within their organization. Processing is aimed at providing the service and ensuring account security.

2.3 Technical and usage data

The Data Controller processes technical data generated by use of the platform and infrastructure, including: IP address, device and browser information, operating system, system logs, diagnostic data, application events, telemetry, and performance metrics. This data is processed for infrastructure security purposes, service quality monitoring, prevention of unauthorized access and abuse, and, in aggregate form compatible with the data minimization principle, for service improvement and development. To the extent cookies or similar technologies are present, please refer to Section 9.

2.4 Contractual and administrative data

The Data Controller processes the data necessary to manage the contractual and administrative relationship with customers, including: billing data, order history, licenses and subscriptions purchased, and contact information for company representatives. The processing is aimed at fulfilling the contract, fulfilling tax and accounting obligations, and managing the administrative relationship.

2.5 Data provided by the user in the context of using the platform

As part of using the platform, users may upload or provide data relating to their research and development processes, within the limits and according to the methods set forth in the license agreement and the applicable terms of service. The scientific and research data uploaded by users — which may include pharmacological profiles, molecular structures, biological targets, failed drug indications, clinical trial data, toxicology data, pharmacokinetic/pharmacodynamic (PK/PD) data, and internal experimental datasets — are processed exclusively for the provision of the service requested by the user. Generally, such data are scientific and technical in nature and do not in themselves constitute personal data or special categories of personal data pursuant to Article 9 of the GDPR, unless the user has included identifying information relating to natural persons, in which case the user remains responsible for the lawfulness of the processing of such data as an independent data controller or, depending on the circumstances, as a data controller who gives instructions to the Data Controller as data processor pursuant to Article 28 of the GDPR.

For pharma enterprise customers and other commercial customers, the data uploaded or processed as part of the service is maintained in segregated environments dedicated to the individual customer (data isolation): this data is not shared with other customers, nor used to train shared or public models, unless otherwise explicitly agreed in the contract.

2.6 Outputs, inferences and results generated by the platform

The platform generates outputs, inferences, rankings, and results related to the scientific analysis requested by the user (e.g., drug-target affinity predictions, drug repurposing hypotheses, pathway analyses, disease modules). To the extent that these outputs do not contain personally identifiable data, they do not fall within the scope of the GDPR. Where the outputs are attributable to identified or identifiable natural persons, the processing occurs within the limits and in accordance with the contractual purposes and the user's instructions.

2.7 Communications with support and business development

The Data Controller processes the data contained in communications with users and potential customers as part of customer success, technical support, account management, and business development activities, for purposes strictly related to managing the relationship and providing the service.

3. Legal bases of the processing

The Data Controller's processing of personal data is based on the following legal bases, as set forth in Article 6 of the GDPR:

3.1 Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)

The processing of professional identification and contact data, account data, contractual and administrative data, and data provided by the user is necessary for the execution of the platform license agreement, for the provision of the service, for onboarding, for managing demo requests, and for carrying out pre-contractual activities requested by the data subject.

3.2 Fulfillment of legal obligations (Article 6(1)(c) GDPR)

The Data Controller processes personal data to the extent necessary to fulfill applicable legal obligations, including tax, accounting, and regulatory obligations and those relating to requests made by competent authorities.

3.3 Balanced legitimate interest (Article 6(1)(f) GDPR)

The Data Controller processes technical and usage data, system logs, and diagnostic data for the purposes of platform security, prevention of abuse, fraud, and unauthorized access, protection of technological and proprietary assets, legal defense, and the protection of the Data Controller's rights. Such processing is based on the Data Controller's balanced legitimate interest, previously assessed in light of the rights and freedoms of data subjects, taking into account the reasonable expectations of professional users of the platform.

The Data Controller also bases the processing of personal data on a balanced legitimate interest, in a manner compatible with the data minimization principle, for the purpose of product improvement, aggregate performance analysis, troubleshooting, and service development and validation. In any case, the data subject has the right to object to such processing pursuant to Art. 21 GDPR, as indicated in Section 10.

3.4 Consent (Article 6(1)(a) GDPR)

To the extent that the Data Controller processes data for marketing purposes, sending newsletters, product updates, or promotional communications that are not strictly necessary to provide the service, or uses cookies or non-essential tracking technologies, the processing will be based on the data subject's prior consent, which may be freely withdrawn at any time without prejudice to the lawfulness of processing based on consent given before its withdrawal.

4. Recipients of personal data

The personal data processed by the Data Controller may be disclosed to the following categories of recipients, to the extent strictly necessary to achieve the purposes indicated in this Policy:

4.1 IT, cloud, hosting and infrastructure service providers

The Data Controller uses providers of cloud computing, hosting, infrastructure management, IT security, technical analysis, CRM, and communication tools. These providers are appointed as data processors pursuant to Art. 28 GDPR where required and process personal data exclusively on the Data Controller's instructions and to the extent necessary to provide the services entrusted to them.

4.2 Legal, tax and professional consultants

The Data Controller may disclose personal data to legal, tax, and other professionals who provide assistance in the course of normal business activities, in compliance with applicable confidentiality obligations.

4.3 Partners, affiliates and scientific collaborators

To the extent provided for by existing contracts and active collaboration relationships, the Data Controller may share data with strategic partners, affiliates, and scientific collaborators, within the limits and for the purposes set forth in the relevant agreements and in compliance with applicable data protection guarantees.

4.4 CRO Partners and White-Label Agreements

The Data Controller may share data with CRO (Clinical Research Organizations) partners under white-label or co-provision agreements, ensuring in any case the segregation of customer data and compliance with the contractually required protection measures.

4.5 Public authorities and entities authorised by law

The Data Controller may disclose personal data to the competent public, judicial, or supervisory authorities where required by applicable law, by an order of the authority, or when necessary to protect the Data Controller's rights in judicial or administrative proceedings.

The Data Controller does not disseminate personal data to the public in a generalized manner, nor does it transfer them to third parties for their own marketing purposes.

5. Data transfers to third countries or international organizations

When using IT service providers and cloud infrastructure, personal data may be transferred to third countries outside the European Economic Area (EEA). In such cases, the Data Controller ensures that the transfer is carried out in compliance with the provisions of Chapter V of the GDPR, in accordance with one of the following safeguards:

  • an adequacy decision by the European Commission pursuant to Art. 45 GDPR;
  • the standard contractual clauses adopted by the European Commission pursuant to Art. 46, paragraph 2, letter c), GDPR;
  • other appropriate safeguards pursuant to Art. 46 GDPR.

Upon request from the data subject, the Data Controller provides information regarding the specific guarantees adopted in relation to the transfers in progress.

6. Retention periods

The Data Controller retains personal data for the period strictly necessary to achieve the purposes for which they were collected, in compliance with the principles of data minimization and storage limitation (Article 5, paragraph 1, letters c) and e), GDPR).

6.1 Account data and data relating to the contractual and commercial relationship

Account data and contractual and administrative data are retained for the entire duration of the contractual relationship with the customer and, after termination of the relationship, for the period necessary to fulfill applicable legal obligations (including tax and accounting) and to protect the Data Controller's rights in judicial or administrative proceedings.

6.2 Technical and usage data

Technical and usage data (logs, diagnostic data, telemetry) are retained for a limited period of time proportionate to the security, diagnostic, and infrastructure monitoring purposes, compatible with operational needs and applicable contractual provisions.

6.3 Marketing data and promotional communications

Personal data processed for marketing purposes based on consent are retained until the data subject withdraws consent or exercises their right to object, without prejudice to any further retention periods imposed by legal obligations.

6.4 Scientific and project data provided by users

Scientific and research data uploaded by users as part of their use of the platform are retained for the period necessary to provide the service and achieve the contractually agreed-upon purposes, as well as in compliance with applicable contractual, regulatory, and defense obligations. The specific retention and deletion procedures are governed by the license agreement and the applicable terms of service.

7. Use of artificial intelligence systems

DrugRepAI is a platform that uses artificial intelligence and machine learning technologies as the core of its service. The platform's technological core is a structure-aware drug-target affinity predictor, based on BRICS decomposition of molecular motifs, multi-pocket protein structure scanning, and fusion via PerceiverIO architecture. This is integrated into a four-layer platform vision: drug-target interaction (DTI), pathway analysis, disease modeling, and real-world evidence (RWE).

In accordance with the principle of transparency, the Data Controller provides the following information on the general logic of the processing carried out using AI systems.

The platform analyzes user-provided input data — molecular structures, biological targets, research data, and other relevant scientific data — to generate predictions, rankings, and drug repurposing hypotheses using proprietary computational models. The platform's outputs are intended to support decision-making, including scientific decision-making: they are intended as an auxiliary tool for pharmaceutical research and development professionals and in no way replace specialized human assessments, clinical decisions, regulatory assessments, or medical advice. Responsibility for decisions made based on the platform's outputs remains with the user and their organization.

The Data Controller adopts measures to ensure the explainability of the platform's outputs, in compliance with the principle of transparency and the expectations of professional users. With reference to Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act), the Data Controller monitors and evaluates the evolution of the applicable regulatory framework, adapting its practices in accordance with current provisions.

8. Automated decisions

Unless otherwise specifically agreed upon in the contractual relationship with individual customers, the Data Controller does not adopt solely automated decisions regarding the data subject pursuant to Art. 22 GDPR that produce legal or similarly significant effects on the natural person. The output generated by the platform has a supporting function and in any case requires human supervision and evaluation by the user's qualified personnel.

9. Cookies and similar technologies

The DrugRepAI website and SaaS platform may use cookies and similar technologies for the correct technical functioning of the service (technical/necessary cookies). The use of technical cookies is essential to provide the requested service and does not require the user's consent.

To the extent that the Data Controller uses cookies or similar technologies for purposes other than purely technical ones — such as non-essential analytical cookies or profiling cookies — the Data Controller will obtain the data subject's informed consent before using them, according to the methods provided by the specific consent management tool available on the website or platform. Users can manage their cookie preferences at any time through their browser settings and, where available, the Data Controller's consent management tool.

For further information on the use of cookies, please refer to the Cookie Policy.

10. Rights of the data subject

Data subjects whose personal data is processed by the Data Controller have the right to:

  • access their personal data (Article 15 GDPR) and obtain confirmation of whether or not personal data concerning them is being processed, as well as a copy of the data processed;
  • request the rectification of inaccurate or incomplete personal data (Article 16 GDPR);
  • request the erasure of personal data ("right to be forgotten") in the cases provided for by Article 17 GDPR;
  • request limitation of processing in the cases provided for by Article 18 GDPR;
  • object to processing based on the Data Controller's legitimate interests, for reasons related to their particular situation, pursuant to Article 21 GDPR;
  • obtain data portability in a structured, commonly used, and machine-readable format, in the cases provided for by Article 20 GDPR;
  • withdraw their consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal, pursuant to Article 7, paragraph 3, GDPR;
  • lodge a complaint with the competent supervisory authority.

To exercise their rights, the data subject may send a written request to the Data Controller at the email address indicated in Section 1. The Data Controller will respond without undue delay and, in any case, within the deadlines set by Art. 12 of the GDPR.

With reference to the Data Controller's headquarters in Amsterdam, the Netherlands, the competent national supervisory authority is the Autoriteit Persoonsgegevens (AP), reachable at www.autoriteitpersoonsgegevens.nl. The data subject's right to lodge a complaint with the supervisory authority of the European Union Member State in which he or she habitually resides or works, or where the alleged infringement occurred, remains unaffected.

11. Data security

The Data Controller adopts appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk of the processing performed, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. These measures include, among others:

  • need-to-know access control;
  • encryption and/or pseudonymisation of data where appropriate;
  • segregation of customer environments (particularly for enterprise customers), with data isolation ensuring that each customer's data is not accessible to other customers;
  • infrastructure logging and monitoring;
  • data minimization;
  • protection against loss, destruction, disclosure or unauthorized access.

The Data Controller periodically updates its security measures in line with technological and regulatory developments. Personal data and scientific/technical data provided by enterprise customers are stored in segregated and isolated environments and are never mixed with other customers' data or used to train shared or public models, unless otherwise explicitly agreed upon in the contract.

12. Changes to this Policy

The Data Controller reserves the right to modify or update this Policy at any time, particularly to adapt it to regulatory changes, developments in the service offered, or new processing activities. Substantial changes will be communicated to users using the most appropriate methods, including, where appropriate, via email or prominent notice on the platform.

The date of the last update is indicated at the top of this Policy. Users are advised to periodically consult this Policy to stay up-to-date on how their personal data is being processed.

© 2026 DrugRepAI. All rights reserved.