Privacy Policy

Last updated: July 12, 2026

Overview

TrialWave (“we”, “us”, “our”, or the “Service”) provides business-development software for clinical research sites. This Privacy Policy explains what information we collect, how we use it, the choices you have, and how we protect it. It applies to trialwave.org and the TrialWave application. By creating an account or using the Service, you agree to this Policy.

TrialWave is operated from the United States. If you have any question about this Policy or how your data is handled, contact us at trialwaveadmin@gmail.com.

No patient PHI

The Service is designed so that you do not enter individual patient identifiers or protected health information (PHI) such as names, dates of birth, medical record numbers, or contact details of patients. Patient population information is stored only as de-identified, aggregate counts by condition and specialty.

You are responsible for not entering PHI into the Service. If you need to process PHI, this Service is not the appropriate tool and you should use a system covered by an appropriate business associate agreement.

Information we collect

Account data: your name, work email, hashed password, and role within your organization.

Organization data you enter: clinic and site details, specialties, locations, sponsors and CRO contacts, study opportunities, document metadata, agreements, follow-ups, and aggregate patient-population counts.

Usage and audit records: important actions taken within your workspace (for traceability and security), and basic technical logs such as timestamps and error events.

Cookies: a single, essential authentication cookie used to keep you signed in. We do not use advertising or third-party tracking cookies.

How we use information

To operate and provide the Service for your organization; to authenticate users and enforce role-based access; to provide features such as study matching, outreach drafting, feasibility tracking, and reporting; to maintain security and an audit trail; and to communicate with you about your account.

AI-assisted features run in a review-required mode and clearly flag generated output for human review. The Service never sends email to sponsors on your behalf automatically.

We do not sell your data, and we do not use your organization's content to train third-party AI models.

Legal bases (where applicable)

Where data-protection law such as the GDPR applies, we process personal data to perform our contract with you, to pursue our legitimate interests in operating and securing the Service, and to comply with legal obligations. Where required, we rely on your consent, which you may withdraw at any time.

Sharing and subprocessors

We share data with service providers (subprocessors) only as needed to run the Service, under confidentiality and data-protection terms. Our current subprocessors are: Supabase (managed PostgreSQL database and file storage, United States); Vercel (application hosting and content delivery, United States); Stripe (payment processing and subscription billing); Resend (transactional email such as verification and password-reset messages); and Upstash (rate limiting and ephemeral caching). Each processes data only to perform its function for us.

Study search uses the public ClinicalTrials.gov API; we send it only your search terms — never your account details or Customer Data. Payments are processed by Stripe under its own terms, and we never receive or store full card numbers.

We do not sell or rent personal data, and we do not share it for advertising. We may disclose information where required by law, to comply with valid legal process, or to protect the rights, safety, and security of our users and the Service.

Data retention

We retain your organization's data for as long as your account is active. When you delete your workspace, we remove associated Customer Data from our live systems within 30 days, and it is purged from encrypted backups within a further 35 days. Security and audit logs are retained for up to 24 months. We may keep limited records longer where required by law — for example, tax and accounting records relating to payments.

Security

We apply administrative and technical safeguards including encrypted transport (HTTPS), hashed passwords, role-based access control, tenant isolation, row-level database security, rate limiting, and audit logging. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard practices.

Your rights and choices

Depending on your location, you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to object to certain processing. Account owners can export their workspace data and delete their workspace at any time from within the Service. To exercise any other right, email trialwaveadmin@gmail.com and we will respond within the timeframe required by applicable law.

If you are in the European Economic Area or the UK, the lawful bases for our processing are described above, and you may lodge a complaint with your local supervisory authority. If you are a California resident, we do not sell or “share” your personal information as those terms are defined under the CCPA/CPRA, and we will not discriminate against you for exercising your privacy rights.

International transfers

We may process and store data in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for cross-border transfers.

Children

The Service is intended for business use by professionals and is not directed to children. We do not knowingly collect personal information from children.

Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected by updating the date below and, where appropriate, by additional notice.

Contact

Questions or requests about privacy can be sent to trialwaveadmin@gmail.com. We aim to respond promptly and within any timeframe required by law.