TrialForge Privacy Policy
Last Updated: June 17, 2026
This Privacy Policy explains how TrialForge, Inc. ("TrialForge," "we," "us") collects, uses, and protects personal data in connection with the TrialForge clinical trials intelligence platform and the trialforge.app website. TrialForge is a business-to-business product built on public clinical trial registry data. We keep the privacy story simple because the architecture is simple: no patient data, no protected health information, minimal personal data, encrypted everywhere.
1. Personal data we collect
Account data: name, business email address, employer, job title, and authentication records.
Website enquiry data: when you request a demo or subscribe to a research list on trialforge.app, we collect the details you provide, such as your name, business email, company, and any message. These submissions are stored in our database (Supabase), and we send confirmation and notification emails through our email provider (Resend).
Usage data: product usage events such as searches, filters, exports, and AI questions.
Billing data: processed by our payment processor (Stripe); we do not store full payment card numbers.
We do not collect or process: protected health information (PHI), patient-level data, or special categories of data under the GDPR. The core dataset is public clinical trial registry content, which is not personal data about you.
2. How we use personal data
- to provide, maintain, secure, and support the platform;
- to respond to demo requests and send the research materials you ask for;
- to process payments and manage accounts;
- to analyze and improve the product using usage data;
- to communicate with you about your account and the service;
- to comply with legal obligations and enforce our terms.
We never: sell your personal data, share your query patterns with other customers, or use your inputs or outputs to train AI models. We treat each customer's queries as their confidential information.
3. Legal bases (GDPR)
Where the GDPR applies, we rely on: performance of a contract (to provide the service); our legitimate interests (to secure and improve the product, and for business communications), balanced against your rights; consent (for non-essential cookies and optional marketing); and compliance with legal obligations.
4. Sharing and subprocessors
We share personal data only with service providers that process it on our behalf under written agreements, and as required by law. Our current subprocessors are:
- Cloudflare (edge security, CDN, DNS, and bot protection);
- Supabase (database, authentication, and website form submissions);
- Anthropic (AI models, via API, under terms that prohibit training on our data);
- PostHog (product analytics);
- Lovable (application hosting and front-end platform); and
- Resend (transactional email delivery).
The binding, current list is maintained in our Data Processing Agreement, available on request. We do not sell personal data or share it for cross-context behavioral advertising.
5. International transfers
Where we transfer personal data of EU, EEA, UK, or Swiss individuals outside their region, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, together with appropriate safeguards.
6. Data retention
We keep account data for the life of the account and for 12 months after closure, then delete or de-identify it, except where longer retention is required by law. Usage data is retained for 24 months for security and product improvement.
7. Security
We protect personal data with TLS 1.2 or higher in transit, AES-256 encryption at rest, HSTS, Cloudflare edge protection, database-layer row level security, least-privilege access, daily backups, and audit logging. No method of transmission or storage is completely secure, but we maintain commercially reasonable safeguards. We will provide further detail on our security practices on request.
8. Your rights
GDPR/UK (EEA, UK, Switzerland): you may request access, rectification, erasure, restriction, portability, and you may object to processing or withdraw consent. You may lodge a complaint with your supervisory authority.
California (CCPA/CPRA): you may request to know, access, correct, and delete personal information, and to opt out of sale or sharing. We do not sell or share personal information as those terms are defined. We will not discriminate against you for exercising these rights.
To exercise any right, contact us at support@trialforge.app.
9. Cookies
We use strictly necessary cookies to operate the site and authenticate users, and, with your consent where required, analytics cookies (PostHog) to understand and improve usage. You can manage non-essential cookies through our consent banner and your browser settings. Declining non-essential cookies will not prevent you from using the core service. Signup is protected by Cloudflare Turnstile.
10. Children
TrialForge is a business product and is not directed to children. We do not knowingly collect personal data from anyone under 16.
11. Changes and contact
We will post changes to this policy here and update the date above. Questions or requests: support@trialforge.app.