Privacy Policy
Effective date: May 22, 2026
1. Introduction
Orbitrials Clinical Solutions (“Orbitrials,” “we,” “us,” or “our”) is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our clinical trial management platform (the “Platform”).
This policy applies to information we collect through the Platform, not to information processed on behalf of our customers as a Business Associate under HIPAA.
2. Information We Collect
Account Information: When you register, we collect your name, email address, job title, organization name, and password (stored as a bcrypt hash — we never store your plain-text password).
Usage Data: We collect log data including IP addresses, browser type, pages visited, and timestamps for security monitoring and audit trail purposes required by 21 CFR Part 11.
Clinical Trial Data: Data entered into the Platform by your organization (protocols, participant records, CRF data, adverse events, etc.) is owned by you. We process it solely to provide the service.
Payment Information: Billing is handled by Stripe. We do not store credit card numbers. We retain subscription status and billing history.
Communications: If you contact us for support, we retain records of that correspondence.
3. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Platform
- Process transactions and send billing notifications
- Maintain the mandatory audit trail required by 21 CFR Part 11
- Detect, investigate, and prevent fraudulent or unauthorized activity
- Respond to support requests
- Send service-related communications (security alerts, policy updates)
- Comply with legal obligations
We do not sell your personal information. We do not use clinical trial data for any purpose other than providing the service.
4. Protected Health Information (PHI)
Orbitrials acts as a Business Associate under HIPAA when processing Protected Health Information on behalf of our customers. All PHI is processed in accordance with our Business Associate Agreement (BAA) and the HIPAA Security Rule (45 CFR Part 164).
PHI fields (including participant names, dates of birth, and contact information) are encrypted at rest using AES-256. PHI is never used for advertising, analytics, or any purpose beyond providing the clinical trial management service.
If you are a research participant whose data may be entered into the Platform, your rights regarding that data are governed by the Informed Consent Form provided to you by the research site — not this Privacy Policy.
5. Data Sharing and Disclosure
We do not sell, rent, or share your personal information with third parties except:
- Service providers: Vercel (hosting), Neon (database), Stripe (payments), Resend (email) — each under appropriate data processing agreements
- Legal requirements: When required by law, court order, or regulatory authority
- Business transfers: In connection with a merger, acquisition, or sale of assets (with advance notice)
- Safety: To protect the rights, property, or safety of Orbitrials, our users, or the public
6. Data Security
We implement industry-standard security controls including:
- AES-256 encryption for PHI at rest; TLS 1.2+ for all data in transit
- bcrypt password hashing (cost factor 12)
- Multi-factor authentication (TOTP) required for privileged roles
- Account lockout after 5 failed login attempts
- Append-only audit logs with tamper-evident design
- 8-hour session timeouts with automatic expiration
- Role-based access control with principle of least privilege
- HTTP security headers (HSTS, CSP, X-Frame-Options)
Despite these measures, no system is completely secure. We will notify affected users and regulators of any security breach as required by applicable law.
7. Data Retention
We retain account data for the duration of your subscription and for up to 90 days after termination, after which it is permanently deleted. Clinical trial data may be retained longer if required by applicable regulations (e.g., FDA requires trial records to be retained for at least 2 years after the investigation is discontinued or the marketing application is approved).
Audit logs are retained for a minimum of 5 years to support FDA inspection readiness.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Request deletion of your personal information (subject to legal retention obligations)
- Export your data in a portable format
- Withdraw consent (where processing is based on consent)
To exercise these rights, contact us at privacy@orbitrials.com. Note that some requests may be limited by our legal obligations or legitimate business needs.
9. Cookies
Orbitrials uses strictly necessary cookies only: a session authentication cookie (JWT) and an MFA verification cookie. We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use third-party cookies.
10. International Data Transfers
Orbitrials is operated from the United States. If you access the Platform from outside the United States, your data will be transferred to and processed in the United States. By using the Platform, you consent to this transfer.
11. Children
The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. Research participants who are minors are represented in the Platform by their legally authorized representatives and subject to appropriate consent procedures governed by the research protocol.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. Your continued use of the Platform after the effective date constitutes acceptance.
13. Contact Us
For questions about this Privacy Policy or our data practices:
Orbitrials Clinical Solutions
privacy@orbitrials.com
To report a security incident or potential data breach:
security@orbitrials.com