Privacy Policy

We collect information you provide directly to us, information collected automatically when you use our Services, and information from third-party sources. We are transparent about the categories of data we collect and how we use them.

1.1 Account Information

When you create an account or use our Services, we collect:

• Contact Information: Email address, full name, and phone number (optional)
• Professional Information: Company or organization name, job title, and industry
• Account Credentials: Username and encrypted password
• Billing Information: Payment card details, billing address (processed by secure third-party payment processors)

1.2 Uploaded Documents and Content

When you use our compliance analysis Services, we collect:

• Preclinical Documents: Toxicology studies, pharmacology reports, pharmacokinetic data, Chemistry Manufacturing and Controls (CMC) data, and other preclinical safety documents you upload in PDF or other supported formats
• Analysis Results: Compliance gap analysis reports, findings, MRSD (Maximum Recommended Starting Dose) calculations, clinical hold risk assessments, compliance scores, and recommendations generated from your documents
• User Annotations: Notes, comments, or feedback you add to reports

1.3 Usage Data and Analytics

We automatically collect certain information when you access or use our Services:

• Device Information: IP address, browser type and version, operating system, device identifiers
• Usage Information: Pages viewed, features used, time spent on Services, click patterns
• Log Data: Access times, error logs, referring URLs, search queries within the platform
• Performance Data: Load times, crashes, and system performance metrics

1.4 Cookies and Similar Technologies

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See Section 7 for detailed information about our cookie practices.

1.5 Information from Third Parties

We may receive information about you from third parties, including:

• Single Sign-On Providers: If you sign in using Google, Microsoft, or other SSO services
• Business Partners: Organizations that refer you to our Services
• Public Sources: Publicly available professional information

1.6 Third-Party AI Processing

To provide our compliance analysis Services, certain portions of your uploaded documents are processed through third-party artificial intelligence services, specifically Anthropic's Claude API, for the purpose of data extraction. This processing is limited to extracting structured data points from your documents. All compliance determinations, validation decisions, and regulatory assessments are performed by ClinShield's proprietary deterministic rule engine, not by AI.

We have executed data processing agreements with our AI service providers that include confidentiality obligations, data use restrictions, and security requirements. Your document content processed through third-party AI services is:

• Used solely for the purpose of extracting data points for your analysis
• Not used to train, fine-tune, or improve any AI or machine learning models
• Not retained by the AI service provider beyond the processing session
• Subject to the same security and confidentiality obligations as all other data we process

For a current list of our subprocessors, including AI service providers, please contact privacy@clinshield.com.

We use the information we collect for the following purposes, consistent with this Privacy Policy and applicable law:

2.1 Providing and Improving Our Services

• Process your document uploads and generate compliance analysis reports
• Create and manage your account
• Process transactions and send related information
• Provide customer support and respond to your inquiries
• Improve, personalize, and expand our Services
• Develop new features, products, and services

2.2 Communications

• Send you transactional emails (account confirmations, password resets, report notifications)
• Send service-related announcements (maintenance, security updates, policy changes)
• Send marketing communications (with your consent where required)
• Respond to your comments, questions, and requests

2.3 Analytics and Performance

• Monitor and analyze usage trends, patterns, and activities
• Measure the effectiveness of our Services and features
• Diagnose and fix technology problems
• Generate aggregated, de-identified analytics and benchmarks

2.4 Security and Compliance

• Detect, investigate, and prevent fraudulent transactions or unauthorized access
• Protect the rights, property, or safety of ClinShield, our users, and others
• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and other policies

2.5 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on:

• Contract Performance: To fulfill our contractual obligations to you
• Legitimate Interests: To operate, improve, and secure our Services
• Legal Compliance: To comply with applicable laws and regulations
• Consent: Where you have provided explicit consent for specific processing

We take the security of your data seriously and implement industry-standard measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

3.1 Encryption

• In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (SSL/TLS encryption)
• At Rest: Stored data is encrypted using AES-256 encryption or equivalent industry-standard algorithms
• Uploaded Documents: Protocol documents are encrypted during upload, storage, and processing

3.2 Infrastructure Security

• Cloud Hosting: Our Services are hosted on secure cloud infrastructure (Railway for backend services, Cloudflare Pages for frontend) with enterprise-grade security controls
• Data Centers: Our cloud providers maintain SOC 2 Type II certified data centers with physical security controls
• Network Security: Firewalls, intrusion detection systems, and DDoS protection

3.3 Access Controls

• Authentication: Strong password requirements and optional multi-factor authentication
• Authorization: Role-based access controls limiting employee access to user data
• Audit Logging: Comprehensive logging of access to sensitive systems and data

3.4 Security Practices

• Regular security assessments and vulnerability scans
• Secure software development practices
• Employee security training and background checks
• Incident response procedures

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

4.1 Active Accounts

While your account remains active, we retain your account information, uploaded documents, and analysis reports to provide our Services. You may delete individual documents or reports at any time through your account settings.

4.2 Account Deletion

• Grace Period: After you request account deletion, we retain your data for 30 days in case you wish to reactivate your account
• Permanent Deletion: After the 30-day grace period, we permanently delete your personal data from our active systems
• Exceptions: Certain data may be retained longer if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution)

4.3 Backups and Archives

For disaster recovery and business continuity purposes, your data may exist in encrypted backup systems for a limited additional period. Backups are automatically overwritten on a rolling basis and are not used for any purpose other than recovery.

4.4 Anonymized Data

We may retain de-identified, aggregated data that cannot be used to identify you indefinitely for analytics, research, and service improvement purposes.

4.5 Retention Periods by Data Type

We may share your information only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party companies and individuals to perform services on our behalf, including:

• Cloud Infrastructure: Hosting, storage, and computing services (Railway, Cloudflare, AWS)
• AI Processing: Third-party artificial intelligence services for document data extraction (Anthropic), subject to data processing agreements and strict data use restrictions
• Payment Processing: Secure payment transaction processing (Stripe or similar)
• Analytics: Website and application analytics services
• Email Services: Transactional and marketing email delivery
• Customer Support: Help desk and support ticket systems

These service providers are contractually obligated to protect your data and may only use it to perform services on our behalf.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Subpoenas, court orders, or other legal process
• Requests from law enforcement or government agencies
• Requirements of regulatory authorities (including FDA, EMA, or other health authorities)
• Protection of ClinShield's legal rights or defense against legal claims

Where legally permitted, we will attempt to notify you before disclosing your information in response to legal requests.

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

5.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.5 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for industry analysis, benchmarking, research, or marketing purposes.

Depending on your location and applicable law, you may have certain rights regarding your personal information. We are committed to honoring these rights.

6.1 How to Exercise Your Rights

To exercise any of the above rights, you may:

• Email: Submit a request to privacy@clinshield.com
• Account Settings: Access, download, or delete certain data through your account dashboard
• Written Request: Mail a request to our address (see Contact Information below)

6.2 Verification

To protect your privacy and security, we may need to verify your identity before fulfilling your request. We will ask you to provide information that matches our records. In some cases, we may ask for additional documentation.

6.3 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We will require written authorization and verify your identity directly, unless the agent has power of attorney.

6.4 Response Timeline

We will respond to verifiable requests within 30 days (or 45 days for CCPA requests). If we need additional time, we will inform you of the reason and extension period.

We use cookies and similar tracking technologies to collect and store information about your interactions with our Services.

7.1 Types of Cookies We Use

7.2 Essential Cookies

These cookies are strictly necessary for the operation of our Services. They enable core functionality such as:

• User authentication and session management
• Security features and fraud prevention
• Load balancing and performance optimization
• Remembering your cookie consent preferences

Essential cookies cannot be disabled as they are required for the Services to function properly.

7.3 Analytics Cookies

With your consent, we use analytics cookies to understand how visitors interact with our Services. This helps us improve user experience and identify technical issues. Analytics data is aggregated and does not identify individual users.

7.4 How to Manage Cookies

You can control cookies through several methods:

• Cookie Banner: Manage your preferences through our cookie consent banner
• Browser Settings: Configure your browser to block or delete cookies
• Opt-Out Tools: Use industry opt-out tools such as the Network Advertising Initiative (NAI) or Digital Advertising Alliance (DAA)

Note: Disabling certain cookies may affect the functionality of our Services.

7.5 Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. There is no uniform standard for responding to DNT signals, and we currently do not respond to DNT browser signals. However, you can manage your tracking preferences using the methods described above.

ClinShield is based in the United States, and our Services are hosted on servers located in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries.

8.1 Data Storage Locations

• Primary Infrastructure: United States (US-East and US-West regions)
• Cloud Providers: Railway (backend), Cloudflare Pages (frontend), utilizing cloud infrastructure
• Backup Locations: Geographically distributed within the United States

8.2 Transfer Mechanisms (EEA/UK Users)

When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the following legal mechanisms:

• Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) as our primary legal mechanism for transferring personal data from the EEA, UK, and Switzerland to the United States. Where applicable, we also rely on supplementary measures including encryption and access controls.
• Consent: In some cases, with your explicit consent

8.3 Your Acknowledgment

By using our Services, you acknowledge that your information may be transferred to and processed in the United States, which may have different data protection laws than your country of residence. We will take appropriate steps to ensure that your information receives adequate protection in accordance with this Privacy Policy and applicable law.

ClinShield does not knowingly collect, maintain, or use personal information from children under 18 years of age. Our Services are designed for business professionals in the clinical research and pharmaceutical industries.

If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under 18, please contact us immediately at privacy@clinshield.com.

Parents or guardians who believe their child has provided personal information to ClinShield may request deletion by contacting us using the information in the Contact section below.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

10.1 Notification of Changes

When we make material changes to this Privacy Policy, we will notify you by:

• Posting the updated Privacy Policy on our website with a new "Last Updated" date
• Sending an email notification to the address associated with your account
• Displaying a prominent notice on our Services

10.2 Review and Acceptance

We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

If you do not agree with the revised Privacy Policy, you should discontinue use of the Services and delete your account.

10.3 Prior Versions

You may request copies of prior versions of this Privacy Policy by contacting us at privacy@clinshield.com.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EU/EEA Representative

For users in the European Union or European Economic Area who have questions about data protection, please contact us at: privacy@clinshield.com. Information about our EU representative (where applicable) is available upon request.

Response Time

We will respond to your inquiry within a reasonable timeframe, typically within 5 business days for general inquiries and within the legally required timeframe for formal data subject requests.

12.1 Preclinical Data and HIPAA

12.2 FDA Regulations and Preclinical Data

ClinShield's compliance analysis tools reference FDA regulations and guidelines applicable to preclinical drug development and IND (Investigational New Drug) applications, including 21 CFR Part 312 (Investigational New Drug Application), 21 CFR Part 58 (Good Laboratory Practice for Nonclinical Laboratory Studies), ICH M3(R2) (Nonclinical Safety Studies for the Conduct of Human Clinical Trials), ICH S6(R1) (Preclinical Safety Evaluation of Biotechnology-Derived Pharmaceuticals), ICH S7A/B (Safety Pharmacology Studies), ICH S9 (Nonclinical Evaluation for Anticancer Pharmaceuticals), and related guidance documents. However, use of our Services does not guarantee FDA acceptance of an IND application or any other regulatory submission. Regulatory requirements evolve and vary by therapeutic area, drug modality, and jurisdiction. Users are solely responsible for ensuring their drug development programs meet all applicable regulatory requirements and should consult qualified regulatory professionals.

12.3 California Shine the Light Law

Under California Civil Code Section 1798.83, California residents who have an established business relationship with us may request information about whether we have disclosed personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

12.4 Nevada Residents

If you are a Nevada resident, you have the right to opt out of the sale of certain "covered information" as defined under Nevada law. We do not sell your covered information as defined under Nevada law. However, you may submit an opt-out request to privacy@clinshield.com.

12.5 Virginia, Colorado, Connecticut, and Utah Residents

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you may have additional rights under your state's privacy law. These rights may include the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of targeted advertising and profiling. To exercise these rights, please contact us at privacy@clinshield.com.

12.6 Links to Third-Party Sites

Our Services may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third-party sites. We encourage you to read the privacy policies of any third-party sites you visit.

12.7 Social Features

Our Services may include social media features or integrations. These features may collect your IP address and which page you are visiting, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy policy of the company providing the feature.

12.8 Subprocessor List

ClinShield engages the following categories of subprocessors to provide the Services. A current, detailed list of subprocessors is available upon request by contacting privacy@clinshield.com. We will notify customers of material changes to our subprocessor list in accordance with applicable data protection laws.

Categories: Cloud Infrastructure and Hosting, AI and Machine Learning Processing, Payment Processing, Email and Communications, Analytics and Performance Monitoring.

12.9 Data Processing Addendum

For customers subject to the General Data Protection Regulation (GDPR) or other data protection laws requiring a data processing agreement, ClinShield offers a Data Processing Addendum (DPA) that supplements these terms. To request a copy of our DPA, please contact privacy@clinshield.com.