Privacy Policy
Clinical Trial OS, Inc. · Last updated 14 June 2026
This notice explains how Clinical Trial OS handles personal data for visitors to this site and users of the platform. We are decision-support software for clinical-trial feasibility; we are not a medical device.
Draft pending counsel review
01. Who we are (data controller)
Clinical Trial OS, Inc., incorporated in Delaware, United States, is the controller for personal data processed through this website and account signups. For personal data you upload into your tenant workspace, you are the controller and we act as your processor — see the Data Processing Addendum. Contact: [email protected].
02. What we collect and why
- Account & contact data (name, work email, company, role) — to create your workspace, respond to demo requests, and provide support. Legal basis: contract and legitimate interests.
- Usage & security logs (IP, device, audit events) — to operate, secure, and meter the service, and to maintain the 21 CFR Part 11 audit trail. Legal basis: legitimate interests and legal obligation.
- Protocol & tenant content you submit — processed solely to produce your feasibility verdicts. We do not use it to train models. Legal basis: contract (processed under the DPA).
03. How we use it
To deliver and improve the service, authenticate users, maintain audit and security records, bill accounts, and communicate with you. We do not sell personal data and we do not use submitted protocols or tenant content to train machine-learning models.
04. Sharing and sub-processors
We share personal data only with sub-processors that help us run the service (e.g. cloud hosting and email delivery), under contract and only as needed. The current list is in the DPA. We disclose data when required by law or to protect rights and safety.
05. International transfers & data residency
The service can be operated in US (AWS us-east-1, with a HIPAA BAA path) or EU regions. Where personal data is transferred across borders, we rely on appropriate safeguards such as the EU Standard Contractual Clauses. EU customers can request EU-region residency.
06. Retention
We keep personal data for as long as your account is active and as required to meet legal, audit, and regulatory obligations (including Part 11 audit retention), then delete or anonymise it.
07. Your rights
Subject to applicable law (including GDPR), you may request access, correction, deletion, restriction, portability, and objection, and may withdraw consent. Submit requests to [email protected]. You may also complain to your local data-protection authority.
08. Security
We use encryption in transit and at rest, per-tenant isolation, access controls, and a tamper-evident audit trail. Report security concerns to [email protected].
09. Changes
We will post material changes here and update the date above.