Privacy Policy

For Trialetics CTMS Subscribers

Policy Version: January 8, 2025

IMPORTANT: This Privacy Policy covers subscribers to Trialetics CTMS, users of our custom software development services, Excel to SaaS conversion services, and ready-to-use App Store modules. It details how we collect and process personal data with our contracted third-party partners.

Note: This policy does NOT cover personal information collected from website visitors. Visitors to the Trialetics website are covered under a separate Privacy Policy available at https://www.trialetics.io.

In addition to this document, a Master Subscription Agreement applies to all subscribers and our Terms of Use apply to all users.

1. Introduction

Trialetics Technologies (the "Company") is committed to protecting the privacy of customers and authorized users who subscribe to use the Services as defined below ("Customers"). This Privacy Policy describes the Company's privacy practices in relation to the use of the services offered by the Company (the "Services").

The Services include our online, on-demand, software-as-a-service Clinical Trial Management System (CTMS) and Electronic Trial Master File (eTMF) product ("Trialetics Modules"), custom software development services, Excel to SaaS conversion services, and ready-to-use modules available through our App Store.

Please note that for the purpose of EU data protection legislation, Customers and their authorized users are the data controllers of the information that is entered into the CTMS application for the established business purpose. Authorized users are individuals who are invited by the Customer to create CTMS accounts to utilize the Trialetics services. Trialetics is the data processor, except where we utilize third-party partners to support the Services provided to you, as described further in this document.

1.5 Regulatory Compliance

21 CFR Part 11 & EU GMP Annex 11 Compliance: Trialetics Technologies maintains compliance with 21 CFR Part 11 requirements for electronic records and electronic signatures in clinical trial management and aligns with EU GMP Annex 11 expectations for computerized systems used in regulated environments. Our platform implements appropriate controls for data integrity, audit trails, system validation, and electronic signature authentication to support regulated-use requirements.

Key compliance features include:

  • Comprehensive audit trails tracking all data changes with user identification and timestamps
  • Secure electronic signature capabilities with unique user authentication
  • Data integrity controls preventing unauthorized alteration of records
  • System validation documentation and regular security assessments
  • User access controls and role-based permissions

HIPAA Compliance for Custom Builds: While our standard CTMS platform does not process Protected Health Information (PHI) and is not HIPAA-compliant by default, we offer HIPAA-compliant custom software development services upon client request.

For custom builds requiring HIPAA compliance, we implement:

  • Execution of Business Associate Agreements (BAAs) with clients
  • Enhanced data encryption for PHI at rest and in transit
  • Additional access controls and authentication mechanisms
  • Comprehensive audit logging for all PHI access and modifications
  • Regular security risk assessments and vulnerability testing
  • Incident response procedures for potential PHI breaches
  • Staff training on HIPAA Privacy and Security Rules

Important: Clients requiring HIPAA compliance must explicitly request this during the initial project scoping phase. HIPAA-compliant custom builds are subject to additional security requirements, validation procedures, and contractual obligations beyond our standard service offerings.

2. Types of Information Collected and How We Collect It

This policy applies to all information collected or submitted via Trialetics licensed CTMS Services. We collect information in several ways, which are described below.

A. Information We Collect from You Automatically

As you utilize the Company's Services, we gather certain information automatically from your device and store it in log files. This information may include personal information such as your internet protocol (IP) address and non-personal data such as browser type, operating system, website navigational information, and date/time stamp.

We collect information through the use of commonly used information-gathering tools, such as cookies and web beacons. Website Navigational Information includes standard information from your web browser and the actions you take within Trialetics. We make no attempt to link this information with your identity without express permission.

We may review server logs for system administration and security purposes, for example, to detect intrusions and to monitor usage statistics. In instances of criminal malfeasance, server log data containing IP addresses could be used to trace users, and we may share raw data logs with appropriate authorities for investigating security breaches.

B. Information You Provide

As you utilize the Company's Services, the information collected depends on the content you enter for the established business purpose. For example:

Subscription Information - If you are performing the initial Trialetics subscription on behalf of the Customer, subscription details include information about the Customer, the subscription plan, and your personal data. This includes billing name and address, credit card number and/or banking information, and contact details ("Billing Information"). We may also request optional information such as number of employees or specialty ("Optional Information"). Required Contact Information, Billing Information, and Optional Information are referred to collectively as "Subscription Data".

The Company does not store, retain, or use your Billing Information except for payment processing activities associated with Customer subscriptions.

Customer Data - To use the Services, licensed customers and authorized users will input data, import data, use data integrations, and/or upload files to the CTMS (referred to collectively as "Customer Data") for the established business purpose. Customer Data entered may include organization and person contact records, documents and files, calendar records, study definitions, study planning data, subject data (for high-level tracking, not personal health information), and study tracking data related to clinical trial management.

Personal data including name, address, email, and phone numbers may be entered into the Services. Care should be taken by Customers and their authorized users as the established data controllers with respect to the input of personal data. Personal health data should not be entered into the Service. All customer data is owned by the subscribing customer.

Support Data - When utilizing the Service, authorized users may contact the Company for support or guidance. When you submit support tickets, these will be collected in our ticketing system. Personal data submitted might include your name, email address, and phone, along with other non-personal data describing the problem encountered.

C. Information We Create

You may generate Support Data as you use the Service. The Company may communicate with you to support your business needs. We may also create internal tasks to manage your support issues, develop product features, or manage activities for multiple users within a customer. This information may be created and processed in third-party services and may include your personal information such as name, phone number, and email.

The Company may also send you emails related to your use of the Service, such as email alerts related to actions you are performing in the CTMS. We may process this information using a third-party email provider.

3. The Way We Use the Information We Collect

We securely store the customer data and support data you input into our CTMS application and support ticketing system in accordance with the established business purpose. Some of the ways we use your information for legitimate purposes include:

  • Customer Data - Customers electronically enter and submit data to the Services for hosting and processing purposes related to clinical trial management. The Company will not review, share, distribute, or reference any such Customer Data except as provided in the Master Subscription Agreement or as may be required by law. We may access Customer Data only for providing the Services and support, or as required by law. We may use Customer Data in system-wide aggregated analytics to make internal business decisions (such as feature enhancements) and public statements about the service. No single customer, study, organization, contact, or user will be identifiable in these aggregated metrics.
  • Support Data - The Company will use your support data to provide assistance on your use of the Service. We may also use support data to trend issues, improve training materials, and identify product improvements.
  • Subscription (Financial Data) - The Company will use your financial information only to facilitate payment for use of the Service. We use Subscription Data solely to check financial qualifications and collect payment from Customers. We use a qualified third-party service provider to manage payments. This service provider is not permitted to store, retain, or use Billing Information except for payment processing on our behalf.
  • Tracking Technologies - The Company may use tracking technologies (e.g., detection of delivered and viewed email alerts) in combination with Support Data to assist you when providing support.

4. Who We May Share Your Data With

Personal information that you submit through the Service may be transferred to countries other than where you live, such as to our servers and third-party affiliates that support the Services (including our CTMS/eTMF modules, custom software development services, Excel to SaaS conversion services, and App Store modules). Where required by law, we obtain your consent to use and process your personal data for these purposes (e.g., via your agreement with the Terms of Use when activating your account).

Unless you give us your permission, we don't share data we collect from you with third parties, except as described below:

A. Third Party Service Providers or Consultants

We may share data collected from you via the Service with third-party providers or consultants who need access to the data to support you or to enable the Company to improve the Service. These third-party service providers are limited to accessing or using this data only to provide services to us and must provide contractual assurances that they will appropriately safeguard the data.

The following third-party providers support the Service and may receive information collected through it:

  • OpenAI - We utilize OpenAI's artificial intelligence services to power certain features within our platform, including AI-assisted functionality. OpenAI maintains SOC 2 Type II compliance and provides robust data protection measures. https://openai.com/privacy
  • Anthropic (Claude) - We use Anthropic's Claude AI services to provide intelligent features and assistance within the platform. Anthropic maintains strong security practices and data protection standards. https://www.anthropic.com/legal/privacy
  • Supabase - We use Supabase as our backend database and authentication provider. They store customer data for the established business purpose. Supabase maintains SOC 2 Type II compliance and is GDPR compliant with robust data protection measures. https://supabase.com/privacy
  • Stripe - We utilize Stripe to facilitate secure credit card processing for customer subscriptions. Stripe Inc. complies with the PCI Security Standards Council's requirements and has executed a Data Protection Agreement with Trialetics. https://stripe.com/privacy
  • Loops.so - We use Loops for email communications and transactional emails to users related to their specific use of the Service. Loops maintains strong security practices and provides data protection measures. https://loops.so/privacy

B. Compliance with Laws

We may disclose your data to a third party if we believe that disclosure is reasonably necessary: (i) to comply with any applicable law, regulation, legal process, or government request; (ii) to enforce our agreements and policies; (iii) to protect the security and integrity of our Service; or (iv) to protect ourselves, our other customers, or the public from harm or illegal activities.

If Trialetics is required by law to disclose any of your data that directly identifies you, then we will use reasonable efforts to provide you with notice of that disclosure requirement unless prohibited by statute, subpoena, or court order. We object to requests that we do not believe were issued properly.

C. Business Transfers

Information may be disclosed and otherwise transferred to any potential acquirer, successor, or assignee as part of any proposed merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

6. Our Commitment To Data Security and Data Retention

Trialetics is committed to protecting your information. To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect in our Service.

The information you provide us may be archived or stored periodically by us according to backup processes conducted in the ordinary course of business. Information stored as part of this backup process will be deleted in due course on a regular schedule.

In general, we retain personal information we collect from you where we have an ongoing legitimate business need to do so (e.g., your organization is an active subscriber to the Services). When we have no ongoing legitimate business need to process your personal information, we will either delete it, or if this is not possible, then we will securely store your personal information and isolate it from any further processing until deletion is complete.

Personal Data Storage Locations

  • Production/live system database: The Data Controller (the Client) is responsible for maintaining accurate data. This data is persisted until the Client terminates use of the Service.
  • System audit log: For regulatory purposes, the system maintains an audit log of all system changes. The audit log cannot be altered and is deleted along with other customer data after the Client terminates use of the Service.
  • Server log files: Maintained for a brief amount of time on a rolling basis for support purposes and are deleted on a regular schedule.
  • System backups: Database and system backups are maintained for a brief amount of time on a rolling basis for support and system recovery purposes.
  • Third party providers: Your personal data may be stored according to their policies and procedures in accordance with the established business need and our established agreements.

7. Sensitive Data

Trialetics does not knowingly solicit or collect, and you should not provide to us, any information regarding an individual's medical or mental health condition, race or ethnic origin, political opinions, religious or philosophical beliefs, or other sensitive data.

Exceptions: 'Gender' and 'date of birth' fields may be available in certain anonymized subject tracking features within the Services. This is intended to facilitate reconciliation of anonymized subject records across systems/trackers, as no subject name or other uniquely identifying personal information is captured (only an anonymous subject number). Although this data is optional, care should be taken if you decide to enter this information in accordance with the established business purpose.

8. Tracking Technologies

A. Website Navigational and Performance Information

The Company uses Website Navigational Information to operate and improve the Service. For example, server performance metrics are utilized to monitor application loading time. Error monitoring tools capture details about your navigational experience so we may provide support. We may also use Website Navigational Information alone or in combination with Subscription Data and Customer Data to provide support and enhance the services.

B. Cookies

A cookie is a piece of data stored on the hard drive of your computer. The Company uses both session cookies and persistent cookies. Session cookies are removed when you close your browser or application tab. Persistent cookies remain on your computer after you close your browser.

Session cookies provide an industry standard method to allow a single login to authorize a user until the user logs out or the session expires. Persistent cookies and browser storage features may be used to store user preferences for a longer period of time.

Note: If you disable your web browser's ability to accept cookies, you will not be able to successfully use the Services. Data from cookies is not used for advertising, nor is it shared with third parties except when necessary to provide the intended business use and support licensed customers.

C. Web Beacons

The Company uses web beacons alone or in conjunction with cookies to track and support Customers' usage of the Services and interaction with emails. Web beacons are clear electronic images that can track simple user activity, such as viewing of a transactional email or clicking on a link within an email. We use this information to track user activity and improve our communications.

D. IP Addresses

When you use the Services, the Company collects your Internet Protocol ("IP") addresses to track and aggregate non-personal information as well as to provide customer support. For example, we use IP addresses to monitor the regions from which Customers utilize the Services.

9. Public Forums

Within the Services, the Company may direct users to public forums for support purposes, where users can post questions or issues and receive assistance from Company support personnel or other users. Such forums may be used in addition to direct customer support.

Public Forums will be clearly labeled and will exist outside of the user-login area of the Service. Users should take care to understand these are public forums and not reveal any personal, confidential, or sensitive information in any posts made to a public forum.

10. Your Choices and Opt-Outs

Trialetics takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete, and up to date.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You may update or remove the information you provided to us by contacting us at contact@trialetics.io. To protect your privacy and security, we will take reasonable steps to verify your identity before updating or removing your information. Given that the Customer is the data controller for the Service, the Company will work with them to facilitate your requests.

Note: The Services require the authorized use of personal data by users in order to fulfill the intended business Services. An email address, first name, and last name are required to be a user of the Trialetics Services. Opting out of sharing this information with Trialetics would preclude that person from having a user account to access the Services.

11. Your Data Protection Rights Under GDPR and CCPA

Subscribers from all locations have the following data protection rights:

  • Access, Correct, Update, or Delete: If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing contact@trialetics.io. Users can update their personal and contact information within the Service (e.g., User Account or Profile form). Note that an email address is required for each user; it can be edited but not removed.
  • Object to Processing: You can object to the processing of your personal information, ask us to restrict the processing, or request portability of your personal information. You can exercise these rights by emailing contact@trialetics.io. Access to the data described in this policy is critical and necessary for Trialetics to provide and support the Service. Therefore, the only effective way for a user to opt out of Company use of data is to deprovision (deactivate) your account.
  • Opt-Out of Marketing: Although the Company does not typically send marketing emails to users, we may do so on occasion (e.g., to notify users of new services or industry events). You have the right to opt out of marketing communications at any time by clicking the "unsubscribe" or "opt-out" link in marketing emails, or by contacting us at contact@trialetics.io.
  • Transactional Emails: Users of the Services will receive transactional email related to their account and the intended business purpose (e.g., management of clinical trials). Transactional emails are required for use of the system (e.g., to facilitate password resets). Opting out of transactional emails would preclude that person from having a user account to access the Services.
  • Withdraw Consent: If we have collected and processed your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal. Access to the data described in this policy is critical and necessary for Trialetics to provide and support the Service. Therefore, the only effective way to opt out is to terminate the customer subscription or deprovision a specific user.
  • Complain to Data Protection Authority: You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. A list of European Data Protection Board Members can be found at https://edpb.europa.eu/about-edpb/board/members_en.

12. Children's Privacy

Children under 18 are prohibited from using our Services. If you learn that a child has created a user account or provided us with personal information in violation of this Privacy Policy, you can alert us at contact@trialetics.io.

13. Notification of Changes to this Privacy Policy

As we expand our Service and as privacy laws and regulations evolve, it may be necessary to revise or update our Privacy Policy from time to time. If we make changes to this Privacy Policy, we will notify you by posting an announcement on our Service.

If we materially change the ways in which we use or share personal information previously collected from you through our Service, we will notify you by email or other communication.

14. International Data Transfers

Trialetics is a US-based company. Our policy is to ensure effective procedural and organizational controls are in place to maintain all customer and personal data with adequate protections.

As these protections relate to European Commission requirements for cross-border and international data transfer mechanisms, the Company relies on Standard Data Protection Clauses and other means to ensure compliance when personal information is processed by recipients outside the European Economic Area. Other means include the transfer of personal data to recipients in a country recognized by the European Commission as offering an adequate level of protection, compliance with approved Binding Corporate Rules, or transfer pursuant to an approved certification mechanism or code of conduct.

Additionally, the Company uses robust security measures to protect Customer Data and users' personal information. This includes physical security of data centers, network security, operating system security, and application security. All third-party partners (vendors) who support the Service are assessed to ensure they provide adequate levels of protection with appropriate contractual obligations. All data transferred over the public Internet is encrypted.

Authorized users have the ability to export and download customer data, which may include personal data, from the Services anywhere they have internet access. As the Data Controller, the Client should have adequate policies and procedures in place regarding data transfers performed by their Authorized Users.

15. Compliance and Safeguarding Your Information

If utilizing offline browser functionality provided by the Service, then Customer Data may be stored within the browser. As with exported or downloaded data, the user is responsible for maintaining security around their personal computer or device.

16. Contact Us

If you have questions or concerns about this Privacy Policy, please feel free to email us at contact@trialetics.io.

Last updated: January 8, 2025