Privacy Policy

We collect the following categories of information:

• Information you provide directly. Name, work email, company, role, and free-form messages submitted through the demo-request form or other contact channels.
• Customer account information. When you become a customer, account data including authorized-user identities, roles, and audit-relevant metadata.
• Customer trial data. Clinical data submitted to the Service is processed on behalf of our customers (the controllers). We act as a data processor for that data. See Section 6 and our Data Processing Agreement.
• Usage and device data. IP address, browser type and version, pages visited, referrer, and similar technical information collected automatically through standard server logs and cookies.
• Cookies and similar technologies. Strictly necessary cookies plus, with your consent, analytics cookies. See Section 8.

We use information for the following purposes:

• To provide, operate, secure, and improve the Site and the Service.
• To respond to demo requests, sales inquiries, and customer support requests.
• To send transactional emails (account, billing, validation pack delivery, etc.).
• To send marketing communications, where lawful and where you have not opted out.
• To detect, investigate, and prevent fraud, abuse, security incidents, and other harmful activity.
• To comply with our legal, regulatory, and contractual obligations.

Where the EU General Data Protection Regulation (“GDPR”) or the UK GDPR applies, we process personal data on the following legal bases: (a) performance of a contract; (b) compliance with a legal obligation; (c) your consent (which you may withdraw at any time); and (d) our legitimate interests in operating, securing, and improving the Site and Service, balanced against your rights.

We share personal data only as described below. We do not sell personal data.

• Subprocessors. We engage vetted subprocessors (cloud hosting, email delivery, analytics, customer support tooling, etc.) under written contracts that require equivalent data-protection commitments. A current list of subprocessors is available on request and in our DPA.
• Customers and authorized users. Information you submit through the Service may be visible to the customer organization on whose behalf the data was submitted.
• Legal, regulatory, and safety. Where required by law, court order, or to protect rights, property, or safety.
• Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

Customer trial data and personal data are stored on infrastructure operating on controls aligned to ISO 27001, ISO 27017, and ISO 27018. Enterprise customers may opt in to a dedicated single-tenant environment or regional failover. Our processing of personal data complies with the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The full subprocessor list is published in our Data Processing Agreement at /dpa.

For trials with international filings, transfers of de-identified or submission-grade datasets outside India occur only at the customer’s direction and under appropriate safeguards (CDISC SDTM export controls, contractual confidentiality, and, where required, EU Standard Contractual Clauses).

When customers process clinical or health-related data through the Service, we act as a data processor (and where applicable a HIPAA business associate). Our handling of such data is governed by our Data Processing Agreement and, where required, by a Business Associate Agreement signed with the customer.

We retain personal data for as long as needed to provide the Site and Service, comply with legal obligations (including 21 CFR Part 11 and ICH E6(R3) audit-trail requirements applicable to clinical trials), resolve disputes, and enforce our agreements. Marketing-list contacts are retained until you unsubscribe.

We use strictly necessary cookies required to operate the Site. With your consent, we use analytics cookies to measure traffic and improve content. You can withdraw cookie consent at any time through our cookie banner or your browser settings. We do not use cross-site advertising cookies.

Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), Indian residents have the right to: access the personal data we hold about you; correct inaccurate data; request erasure; nominate a representative; and withdraw consent. You may also raise grievances directly with our Data Protection Officer and, if unresolved, with the Data Protection Board of India.

EEA, UK, and Swiss residents retain GDPR rights; California residents retain CCPA/CPRA rights, for trials whose personal data they fall within.

To exercise any of these rights, contact us at privacy@trialion.com.

We maintain administrative, technical, and physical safeguards designed to protect personal data against loss, misuse, and unauthorized access — including encryption in transit and at rest, role-based access control, least-privilege permissions, security monitoring, and regular vulnerability and penetration testing. No system is perfectly secure; we encourage you to use strong, unique passwords and notify us promptly of any suspected incident.

The Site and Service are not directed to children under 16. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. The “Effective” date at the top of this page reflects the current version. Material changes will be notified through the Site or, where applicable, by email to account administrators.

For questions about this Privacy Policy or our data practices, contact:

Trialion, Inc.
Trialion, Inc. · Minarch Tower, Sector 44, Gurugram, India
Email: privacy@trialion.com