Privacy Policy

Last Updated: March 20, 2026

1. Introduction

Welcome to Clinics Arm ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

Our platform connects research participants with laboratories conducting clinical studies and research projects. We take privacy seriously and implement industry-leading security measures to protect your data.

If you do not agree with this Privacy Policy, please do not use our services.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide when using our platform:

  • Account Information: Full name, email address, phone number, password (encrypted)
  • Profile Information: Date of birth, gender, ethnicity, residential address
  • Verification Information: Email verification status, phone verification status, identity verification documents (if provided)
  • Application Information: Study applications, custom form responses, eligibility criteria responses
  • Payment Information: Stripe account details for receiving payouts (processed and stored by Stripe, not on our servers)
  • Communication Preferences: Email notification settings, marketing consent

2.2 Automatically Collected Information

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Information: Pages visited, time spent on pages, click data, referring URLs
  • Location Information: General location based on IP address (not precise geolocation)
  • Cookies and Tracking: Session cookies, authentication tokens, analytics cookies

2.3 Information from Third Parties

  • Stripe: Payment processing information, payout status, transaction history
  • Twilio: Phone verification status, SMS delivery status
  • Authentication Providers: Email verification status

3. How We Use Your Information

We use your information for the following purposes:

3.1 Platform Functionality

  • Create and manage your account
  • Authenticate your identity and prevent fraud
  • Process study applications and match you with appropriate research opportunities
  • Facilitate communication between participants and laboratories
  • Process payments and payouts
  • Send transactional notifications (application status, payment confirmations)

3.2 Legal Basis for Processing (GDPR)

  • Contractual Necessity: To perform our services under the Terms of Service
  • Consent: When you explicitly consent to share data with specific laboratories
  • Legitimate Interest: Fraud prevention, security, platform improvement
  • Legal Obligation: Compliance with financial regulations, tax reporting

3.3 Improvement and Analytics

  • Analyze platform usage to improve user experience
  • Monitor and prevent fraud, abuse, and security incidents
  • Conduct research and analytics (using aggregated, anonymized data)
  • Develop new features and services

3.4 Marketing (With Your Consent)

  • Send newsletters about new studies (only if you opt-in)
  • Notify you of platform updates and new features
  • Conduct surveys to improve our services

You can opt-out of marketing communications at any time in your account settings.

4. Data Sharing and Disclosure

4.1 Sharing with Laboratories (With Your Explicit Consent)

🔒 Privacy Protection:

We implement data masking to protect your privacy. Laboratories only see masked information (e.g., "John D.", "j***n@example.com") until they approve your application. Full contact information is only revealed after you've been accepted to a study and you've provided explicit consent.

When you apply to a study, we share information with the laboratory as follows:

  • Before Approval (Masked Data): Partial name, masked email, masked phone, age range, study responses
  • After Approval (Full Data): Complete name, email address, phone number, date of birth, application responses
  • Consent Requirement: You must explicitly consent before applying to each study
  • Audit Trail: All data access by laboratories is logged for compliance

4.2 Service Providers

We share information with trusted third-party service providers who help us operate the platform:

  • Supabase: Database hosting and authentication (SOC 2 Type II certified)
  • Stripe: Payment processing and payouts (PCI DSS compliant)
  • Vercel: Website hosting and CDN
  • Twilio: Phone verification and SMS notifications
  • Resend: Transactional email delivery

All service providers are contractually obligated to protect your data and use it only for providing services to us.

4.3 Legal Requirements

We may disclose your information if required by law:

  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, property, or safety, or that of our users
  • To investigate fraud, security issues, or terms of service violations
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

4.4 What We Never Do

  • We never sell your personal information to third parties
  • We never share your data with advertisers
  • We never rent your contact information to marketing companies
  • We never share your information without your consent (except as legally required)

5. Data Security

We implement industry-leading security measures to protect your information:

5.1 Technical Safeguards

  • Encryption: All data in transit uses TLS 1.3 encryption
  • Database Security: Row-level security policies prevent unauthorized access
  • Password Protection: Passwords are hashed using bcrypt with salt
  • Multi-Factor Authentication: Available for enhanced account security
  • Fraud Detection: Automated systems detect and prevent suspicious activity

5.2 Organizational Safeguards

  • Access to personal data is restricted to authorized personnel only
  • Regular security audits and penetration testing
  • Employee training on data protection and privacy
  • Incident response plan for security breaches

5.3 Data Breach Notification

In the unlikely event of a data breach, we will notify affected users within 72 hours as required by GDPR and applicable laws. Notifications will include the nature of the breach, data affected, and steps we're taking to address it.

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Active Accounts: Data retained while your account is active
  • After Account Deletion: Personal information is anonymized (see Section 8)
  • Financial Records: Transaction records retained for 7 years (legal requirement)
  • Consent Records: Kept for 7 years for compliance purposes
  • Fraud Prevention Data: Normalized email/phone retained indefinitely to prevent duplicate accounts after payout

See our Terms of Service for details on our fraud prevention system.

7. Your Privacy Rights

7.1 GDPR Rights (EU/UK Users)

If you are located in the EU or UK, you have the following rights:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data (with limitations, see Section 8)
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights:

  • Right to Know: Request information about data collected, used, and shared
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.3 How to Exercise Your Rights

To exercise any of these rights:

  1. Log into your account and visit Settings → Privacy & Data
  2. Or email us at: privacy@clinics-arm.com
  3. We will respond within 30 days (GDPR) or 45 days (CCPA)
  4. We may request verification of your identity for security purposes

8. Account Deletion and Data Retention for Fraud Prevention

⚠️ Important Information About Account Deletion

When you delete your account, we anonymize your personal information. However, to prevent fraud (users claiming duplicate signup bonuses), we retain certain identifiers in a non-reversible format.

8.1 What Happens When You Delete Your Account

  • Immediately Anonymized: Your name becomes "Deleted User," email becomes "deleted_[id]@deleted.com"
  • Retained for Fraud Prevention: Normalized email and phone (hashed format) to detect duplicate signups
  • Financial Records: Application and payout records retained for legal compliance (7 years)
  • Consent Records: Kept to prove compliance with data sharing agreements
  • Re-signup Policy: If you received payouts, you cannot create a new account with the same credentials

8.2 Legal Basis for Retention

This retention is based on:

  • Legitimate Interest (GDPR Art. 6(1)(f)): Preventing fraud and abuse
  • Legal Obligation: Financial record retention requirements
  • Minimal Data: We only keep what's necessary for fraud detection (not full PII)

This complies with GDPR as we use the least invasive means to prevent fraud while respecting your right to erasure.

9. Children's Privacy

Our platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@clinics-arm.com. We will delete such information promptly.

10. International Data Transfers

Our platform is hosted in the United States. If you access our services from outside the US, your information may be transferred to, stored, and processed in the US.

For EU/UK Users: We use Standard Contractual Clauses (SCCs) approved by the European Commission to protect data transfers. Our service providers are certified under relevant data protection frameworks.

11. Cookies and Tracking Technologies

11.1 Cookies We Use

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the platform (can be disabled)

11.2 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may affect platform functionality. To opt-out of analytics, visit your Account Settings.

12. Third-Party Links

Our platform may contain links to third-party websites (e.g., laboratory websites, Stripe). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be notified via email or prominent notice on the platform.

Your continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Clinics Arm

Email: privacy@clinics-arm.com

Data Protection Officer: dpo@clinics-arm.com

Phone: +1 (555) 123-4567

Address: [Your Business Address]

Response time: We aim to respond to all privacy inquiries within 3 business days.

15. EU Representative (GDPR Article 27)

If you are located in the European Union and have questions about our data practices, you may also contact our EU representative:

[EU Representative Name]

Email: eu-rep@clinics-arm.com

Address: [EU Representative Address]

By using Clinics Arm, you acknowledge that you have read and understood this Privacy Policy.