Privacy Policy
Last updated: December 16, 2025
This policy explains how we handle data in the TrialTrack application.
Our Role
For account information (your name, email, organisation), we act as the data controller.
For operational data you enter into TrialTrack (studies, tasks, sites, vendors, participants), we act as a data processor on your behalf. You control what data you enter; we process it only to provide the service.
What We Collect
- Account data: Name, email address, role, organisation name
- Operational data: Studies, tasks, sites, vendors, participants, and related records you create
- Usage data: Audit logs, timestamps, IP addresses for security and compliance purposes
TrialTrack is designed for operational task management. It is not intended for storing patient health records or personally identifiable patient data.
How We Use Your Data
- To provide and maintain the TrialTrack service
- To authenticate users and enforce permissions
- To generate audit trails for compliance purposes
- To send transactional notifications (e.g., task reminders, system alerts)
- To respond to support requests
Legal Basis (GDPR)
- Contract: Processing necessary to provide the service you signed up for
- Legitimate interest: Security, fraud prevention, service improvement
- Legal obligation: Where required by law
Subprocessors
The following third parties process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Heroku (Salesforce) | Hosting infrastructure | EU / US |
| Customer.io | Transactional email | US |
| HelpScout | Customer support | US |
We maintain contracts with each subprocessor requiring them to protect your data. We will notify customers of material changes to this list.
Data Location
TrialTrack is hosted in AWS data centres via Heroku. Your data is stored in either EU (Dublin) or US (Virginia), based on your location. Customers outside these regions are assigned the nearest data centre.
For EU customers whose data may be processed by US-based subprocessors, we rely on Standard Contractual Clauses and equivalent safeguards.
Data Retention
We retain your data for as long as your account is active. If you cancel your account or request deletion, we will delete all your data within 30 days, except where retention is required by law.
Audit logs are retained for the lifetime of the account to support regulatory compliance.
Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Request data portability
- Withdraw consent (where applicable)
To exercise these rights, contact us.
If you believe your rights have been violated, you may lodge a complaint with the Information Commissioner's Office (UK) or your local EU data protection authority.
Security
We implement technical and organisational measures to protect your data, including encryption in transit (TLS 1.2/1.3), encryption at rest (AES-256), role-based access controls, and continuous backups. We are Cyber Essentials Plus certified.
Data Processing Agreement
Business customers requiring a Data Processing Agreement for vendor qualification can contact us to request one.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification.