GDPR Compliance Statement

TierraViva AI

Effective Date: October 2025 Last Updated: February 2026

1. Introduction

TierraViva AI ("we," "our," or "the Company") is committed to protecting personal data and ensuring compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws in EU member states.

This compliance statement explains how we process personal data, the legal bases for our processing activities, and the measures we have implemented to ensure GDPR compliance.

2. Our Data Processing Activities

2.1 Nature of Our Business

TierraViva AI processes scientific literature, patent data, genetic sequence data, and curated web data at scale (hundreds of millions of records) to provide research analytics, innovation intelligence, and scientific discovery services. Our processing activities include:

  • Analysis of publicly available scientific publications and academic literature
  • Processing of patent databases and intellectual property records
  • Processing of genetic sequence data, including metadata for biosamples, DNA and protein sequences
  • Analysis of cleaned snapshots of Common Crawl data
  • Generation of aggregated statistics, trends, and insights

2.2 Types of Personal Data Processed

Primary Data Sources: We process publicly available information from scientific and patent databases, which may include:

  • Names of authors, researchers, and inventors
  • Institutional affiliations
  • Geographic locations associated with research activities
  • Publication and citation records
  • Patent authorship and filing information
  • Metadata associated with genetic sequences, biosamples, DNA and protein sequences (e.g., submitter information, collection dates, geographic origins, institutional sources)

Important Note on Genetic Data: We process metadata associated with genetic sequences exclusively from public scientific databases, notably the European Bioinformatics Institute (EBI) of the European Molecular Biology Laboratory (EMBL). Our analytics focus on non-human organisms. We do not process information about human donors, and we do not process genetic sequence data for the purpose of identifying individuals. Our use of biosample and sequence metadata is limited to research analytics, trend analysis, and statistical purposes relating to scientific research patterns and biodiversity.

Incidental Personal Data: In rare cases, our raw data sources may contain incidental personal information (such as email addresses in data submission records). We actively identify and remove such information where it should not appear in our datasets.

Aggregated Information: Our interactive dashboards and reports present aggregated statistics, including:

  • Publication counts by author
  • Citation metrics
  • Geographic distribution of research activity
  • Temporal trends in scientific output
  • Patent filing patterns
  • Trends and patterns in genetic sequence submissions and biosample metadata
  • Statistical analysis of sequence data characteristics and origins

2.3 Indigenous Peoples' Interests and Biocultural Labels

As part of our commitment to the protection and promotion of the rights of indigenous peoples, we may apply metadata markup to research data, such as through the use of biocultural labels, to indicate that indigenous peoples may have a specific interest in certain subject matter. This labeling serves to invite users to be aware of and respect these interests.

Important Clarification:

  • This labeling involves adding metadata to research records (e.g., species, geographic regions, traditional knowledge areas)
  • We do not collect, process, or provide information about individual indigenous persons
  • This practice does not involve the processing of personal data about indigenous individuals
  • The labels relate to categories of research subject matter, not to identified or identifiable persons

2.4 What We Do NOT Do

  • We do not actively collect information about individual persons for the purpose of identifying or profiling them
  • We do not process human genetic data or information about human genetic donors
  • We do not process health data or medical information about individuals
  • We do not process personal information about indigenous individuals or communities
  • We do not use personal data for marketing, advertising, or commercial profiling of individuals
  • We do not sell or trade personal information
  • We do not make automated decisions that produce legal or similarly significant effects on individuals

3. Legal Basis for Processing

3.1 Legitimate Interests (Article 6(1)(f) GDPR)

Our primary legal basis for processing publicly available personal data is legitimate interests. We have conducted a Legitimate Interests Assessment (LIA) and determined that:

Our Legitimate Interests:

  • Advancing scientific research and knowledge discovery
  • Facilitating innovation tracking and technology intelligence
  • Providing analytics services that benefit the scientific and research communities
  • Supporting evidence-based policy making and research funding decisions

Necessity: Processing publicly available author, inventor, and researcher information is necessary to provide accurate attribution, track research impact, and generate meaningful analytics about scientific and technological developments.

Balancing Test: We have assessed that our processing does not override the rights and freedoms of data subjects because:

  • The data processed is intentionally made public by researchers and inventors through scientific publications and patent filings
  • Individuals have a reasonable expectation that their publicly disclosed research contributions will be analyzed and cited
  • We implement technical measures to minimize privacy impact, including data minimization and aggregation
  • We do not use the data for purposes incompatible with scientific research analytics
  • Individuals retain the ability to exercise their data protection rights (see Section 5)

3.2 Processing of Genetic Sequence Data

Genetic Data from Public Scientific Databases:

We process genetic sequence metadata exclusively from public scientific databases, primarily the European Bioinformatics Institute (EBI) of the European Molecular Biology Laboratory (EMBL). Our processing activities focus on:

  • Non-human organisms (plants, animals, microorganisms, etc.)
  • Publicly submitted research data intended for scientific analysis
  • Metadata for research analytics purposes (e.g., submission patterns, geographic distribution of research, temporal trends)

Limited Personal Data Implications:

While genetic data is classified as a "special category" of personal data under Article 9(1) GDPR when it relates to identified or identifiable natural persons, our processing has minimal personal data implications because:

  • Focus on Non-Human Organisms: Our analytics concentrate on genetic sequences from non-human species for biodiversity, evolutionary, and scientific research purposes
  • No Human Donor Information: We do not process information about human genetic donors or health data
  • Publicly Available Research Data: Data is sourced from public databases (EBI/EMBL) submitted specifically for scientific research purposes under Article 9(2)(j) and Article 9(2)(e) GDPR
  • Researcher Metadata Only: Any personal data processed relates to researchers and institutions submitting sequences (names, affiliations), not to genetic donors

Legal Basis Where Applicable:

To the extent that processing involves special category data (e.g., if researcher information is associated with sequences), we rely on:

  • Article 9(2)(j) - Processing necessary for scientific research purposes with appropriate safeguards under Article 89(1) GDPR
  • Article 9(2)(e) - Data manifestly made public by researchers through submission to public databases

3.3 Other Legal Bases

Where applicable, we may also process personal data based on:

  • Contractual necessity (Article 6(1)(b)): To fulfill our obligations to customers and service users
  • Legal obligation (Article 6(1)(c)): To comply with applicable laws and regulations
  • Consent (Article 6(1)(a)): In specific circumstances where we obtain explicit consent

4. Technical and Organizational Measures

We have implemented technical and organizational measures to ensure data security and GDPR compliance:

4.1 Data Minimization and Privacy by Design

  • Incidental Data Removal: We actively identify and remove personal data that appears inappropriately in raw datasets (e.g., email addresses in submission metadata)
  • Aggregation: Our dashboards and reports present aggregated statistics rather than individual-level data where possible
  • Purpose Limitation: We process data only for specified, explicit, and legitimate purposes related to scientific research analytics

4.2 Data Security Measures

  • Secure Infrastructure: Data is stored on secure servers located in Germany, Sweden, and the United Kingdom, utilizing enterprise-grade hosting providers (Contabo and AWS)
  • Access Controls: Implemented role-based access controls to limit data access to authorized personnel only
  • Encryption: Data in transit is encrypted using industry-standard protocols
  • Regular Updates: Systems are regularly updated and patched to maintain security standards

4.3 Data Retention and Deletion

  • Retention Policy: We retain processed data for as long as necessary to fulfill our legitimate business purposes and analytical services
  • Routine Updates: Data is routinely updated with current information from public sources
  • Deletion Practices: Older data is regularly reviewed and deleted when no longer necessary for our purposes
  • Retention Periods: Typically, data may be retained for several years but is subject to ongoing review and deletion cycles

4.4 Data Protection Governance

  • Data Protection Contact: Our Chief Executive Officer serves as the primary data protection contact
  • UK ICO Registration: We are registered with the UK Information Commissioner's Office (ICO), with registration details available on our website
  • Documentation: We maintain records of processing activities as required under Article 30 GDPR
  • Regular Reviews: We conduct periodic reviews of our data processing activities and compliance measures

5. Data Subject Rights

We respect and facilitate the exercise of data subject rights under the GDPR. Individuals whose personal data appears in our systems have the right to:

5.1 Rights Available

  • Right of Access (Article 15): Request information about how your publicly available data appears in our systems
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete information
  • Right to Erasure (Article 17): Request deletion of your personal data, subject to our legitimate interests and legal obligations
  • Right to Restriction (Article 18): Request limitation of processing in certain circumstances
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used format (where technically feasible)

5.2 Limitations on Rights

Please note that certain rights may be limited because:

  • The data is publicly available and intentionally disclosed through scientific publications and patent filings
  • We have overriding legitimate interests in maintaining accurate scientific and patent records
  • Deletion or restriction may be incompatible with our purpose of providing accurate research analytics
  • Legal obligations may require us to retain certain information

We will evaluate each request individually and provide clear explanations for any limitations.

5.3 How to Exercise Your Rights

To exercise your data protection rights or make an inquiry, please contact us at:

Email: gdpr@tierraviva.ai
Subject Line: "GDPR Data Subject Request"

Please include:

  • Your full name
  • The publication(s) or patent(s) you are inquiring about
  • The specific right you wish to exercise
  • Any additional information that will help us locate and verify your data

We will respond to your request within one month of receipt, or inform you if an extension is necessary.

6. International Data Transfers

6.1 Data Location

Our data processing infrastructure is located in:

  • Germany (EU member state)
  • Sweden (EU member state)
  • United Kingdom

6.2 UK Data Transfers

Following Brexit, the United Kingdom is considered a third country under GDPR. However:

  • The European Commission has adopted an adequacy decision for the UK under Article 45 GDPR (as of June 28, 2021)
  • This adequacy decision allows for the free flow of personal data from the EU to the UK without requiring additional safeguards
  • We monitor developments in UK data protection law to ensure ongoing compliance

6.3 Other International Transfers

If we engage third-party service providers located outside the EU/EEA or UK, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for the recipient country
  • Other legally recognized transfer mechanisms under Chapter V GDPR

7. Data Sources and Third-Party Data Processors

7.1 Public Data Sources

We obtain data from publicly available sources, including:

  • Scientific publication databases and repositories
  • Patent databases and intellectual property offices
  • European Bioinformatics Institute (EBI) of the European Molecular Biology Laboratory (EMBL) for genetic sequence data and metadata
  • Common Crawl (cleaned and curated snapshots)

These sources make data publicly available for scientific research and analysis purposes.

7.2 Third-Party Service Providers

We may engage third-party service providers to assist with our data processing activities, including:

  • Cloud hosting and infrastructure providers (AWS, Contabo)
  • Technical service providers for data processing and analytics

All third-party processors are:

  • Carefully selected based on their ability to meet GDPR requirements
  • Bound by data processing agreements that comply with Article 28 GDPR
  • Required to implement appropriate technical and organizational measures
  • Prohibited from processing data for their own purposes

8. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to individuals' rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR)
  • We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR)
  • We maintain an internal breach response procedure to ensure timely and appropriate action

9. Supervisory Authority

9.1 Lead Supervisory Authority

Our lead supervisory authority is:

UK Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Website: https://ico.org.uk
Telephone: +44 303 123 1113

9.2 Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of their habitual residence, place of work, or place of the alleged infringement, if they believe our processing of their personal data violates the GDPR.

10. Cooperation with Supervisory Authorities

TierraViva AI is committed to cooperating with EU data protection authorities. We:

  • Respond promptly to inquiries from supervisory authorities
  • Provide requested documentation and information regarding our processing activities
  • Implement recommendations and corrective measures as appropriate
  • Maintain open communication channels with relevant authorities

11. Changes to This Statement

We may update this GDPR Compliance Statement from time to time to reflect:

  • Changes in our data processing activities
  • Updates to applicable laws and regulations
  • Improvements to our technical and organizational measures
  • Feedback from supervisory authorities or data subjects

The "Last Updated" date at the top of this document indicates when changes were last made. We encourage periodic review of this statement.

12. Contact Information

For questions about this GDPR Compliance Statement or our data protection practices, please contact:

TierraViva AI
Data Protection Contact: Chief Executive Officer
Email: gdpr@tierraviva.ai
Website: https://www.tierraviva.ai/

13. Commitment to Compliance

TierraViva AI is committed to:

  • Processing personal data lawfully, fairly, and transparently
  • Respecting the rights and freedoms of individuals
  • Implementing and maintaining robust data protection measures
  • Continuously improving our compliance practices
  • Operating with accountability and demonstrating compliance with the GDPR

This compliance statement demonstrates our ongoing commitment to data protection excellence and our respect for the privacy rights of individuals in the European Union.

Document Control:

  • Version: 1.0
  • Approved by: Dr Paul Oldham (CEO)
  • Next Review Date: February 2027