Legal

Policies governing use of the Cato platform

Terms of ServiceUsage PolicyPrivacy Policy

Usage Policy

Last updated: February 2026

1

Purpose

Cato is a data analysis platform designed for biomedical researchers. It provides AI-assisted data exploration, statistical analysis, code execution, and literature review capabilities. By using Cato, you agree to the following terms.

2

Acceptable Use

Cato is intended for:

  • Exploratory data analysis and statistical modeling
  • Generating and executing analysis code in sandboxed environments
  • Biomedical literature search and review, including multi-source academic search, AI-powered evidence extraction, citation network analysis, and document generation
  • Organizing and managing research datasets

When using Literature Intelligence, your search queries are transmitted to external academic databases and APIs (PubMed, BioRxiv, arXiv, ClinicalTrials.gov, EPO, OpenAlex). You should not include personally identifiable information or PHI in literature search queries.

3

Protected Health Information (PHI)

Standard accounts may not upload, enter, or otherwise transmit Protected Health Information (PHI) as defined under HIPAA. This includes any individually identifiable health information such as patient names, medical record numbers, dates of birth, or any combination of data elements that could identify an individual patient.

If your data originates from health records, you are responsible for ensuring it has been properly de-identified in accordance with HIPAA Safe Harbor (removal of all 18 identifier categories) or Expert Determination (a qualified statistician has certified the re-identification risk is very small) before uploading it to Cato.

You must also refrain from entering PHI into chat conversations, including patient names, identifiers, or any information that could be linked to a specific individual.

4

Enterprise Deployments

Organizations that need to process PHI must enter into an enterprise agreement that includes Business Associate Agreements (BAAs) with Cato and all relevant third-party service providers. Contact us to discuss enterprise deployment options including self-hosted and VPC configurations where data does not leave your infrastructure.

5

Prohibited Uses

You may not use Cato to:

  • Process PHI without an enterprise BAA in place
  • Attempt to re-identify de-identified datasets
  • Circumvent security controls or sandbox restrictions
  • Generate malicious code or conduct unauthorized access
  • Violate any applicable laws or regulations
6

Account Conduct

You are responsible for maintaining the confidentiality of your account credentials. Do not share your login or API keys with others. Automated or programmatic abuse of the platform is prohibited.

7

Termination

Cato reserves the right to suspend or terminate accounts that violate this policy. We will make reasonable efforts to notify you before taking action, except in cases of egregious or urgent violations.