Privacy Policy
Effective Date: February 16, 2026
Introduction
iTrials Inc. ("we," "us," or "our"), a Delaware corporation with its principal place of business at 450 W Charleston Rd, Palo Alto, CA 94306, is committed to protecting the privacy and security of individual data. This Privacy Policy describes how we collect, use, and share personal information and Protected Health Information (PHI).
Our Role in the Healthcare Ecosystem
Business Associate Status
When we provide services to healthcare providers, clinical research centers, or other "Covered Entities," we act as a "Business Associate" under the Health Insurance Portability and Accountability Act (HIPAA). Our handling of PHI is strictly governed by the Business Associate Agreement (BAA), Master Services Agreement (MSA), and Data Use Agreement (DUA) signed with our customers.
Service Provider Status
For the purposes of general website interactions and account management for clinical study teams, we act as a service provider or data controller for the personal information of those users.
Regulatory Compliance
We comply with the latest federal and state requirements, including the Health Information Technology for Economic and Clinical Health (HITECH) Act and heightened protections for substance use disorder (SUD) records under 42 CFR Part 2.
Information We Collect
Information Provided by Users
We collect account information from clinical study team members, including names, business email addresses, and professional contact details.
Patient Data from Integrations
Through data pipelines with Electronic Medical Record (EMR) systems (e.g., eClinicalWorks), we collect:
Permitted Identifiers: Names, birth dates, admission/discharge dates, zip codes, telephone numbers, and email addresses necessary for clinical trial recruitment.
Clinical Data: Unstructured data including physician notes, imaging reports, and pathology reports.
Prohibited Information: We do not collect or store Social Security numbers, medical record numbers, or financial/billing information.
How We Use Information
Service Delivery
Our autonomous AI agents (including but not limited to the Eligibility Matching Agent and Medical Record Analysis Agent) analyze clinical data to identify precise cohorts for clinical trial recruitment on behalf of the Data Provider.
Model Improvement via De-identification
We may use de-identified and aggregated data to improve the accuracy and performance of our AI models. De-identification is performed in strict accordance with HIPAA's Safe Harbor or Expert Determination methods. Once de-identified, this data is no longer PHI.
Communication
We use contact information to facilitate recruitment activities as directed by the clinical study teams.
Data Ownership & Insights
User Ownership
Consistent with our Master Service Agreement and DUA, all data provided to us and all insights, analytics, or results generated by the iTrials platform based on that data remain the exclusive property of the User (Data Provider).
Data Security
We implement industry-leading safeguards to protect sensitive information:
Encryption: Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
Access Controls: Multi-factor authentication (MFA) and role-based access controls (RBAC) are mandatory for all users.
Cluster Integrity: User data is maintained in secure, isolated clusters to prevent cross-contamination between different client environments.
Data Retention & Portability
Portability
Upon termination of a service contract, we provide a thirty (30) day Retrieval Period for the Data Provider to export all data and insights from the iTrials platform.
Deletion
Following the Retrieval Period, all patient data and insights are permanently removed and deleted from iTrials clusters and storage systems within thirty (30) days, in compliance with applicable law and the terms of our DUA.
Disclosure of Information
We do not sell personal information or PHI. We may share information only with:
Subcontractors: Cloud hosting providers (e.g., AWS, Azure) who have executed mandatory BAAs and security addendums.
Legal Compliance: When required by law to comply with a valid subpoena or court order.
User Rights
Authorized users and individuals may have rights under the CCPA, GDPR, or HIPAA to access, correct, or delete their data. For PHI held by us on behalf of a healthcare provider, individuals should contact the provider (the Covered Entity) directly to exercise these rights.
Contact Us
For questions or concerns regarding our privacy practices:
iTrials Inc.
Privacy Officer
450 W Charleston Rd, Palo Alto, CA 94306
Email: connect@itrials.ai
Security & Compliance
Built for healthcare. Designed for trust.
Privacy-first architecture
Patient data stays within site-controlled environments.
HIPAA-aligned by design
Our infrastructure and workflows align with HIPAA Security and Privacy Rules.

SOC 2 compliant operations
We maintain SOC 2 controls across security, availability, and confidentiality.

Standards-based interoperability
Built on HL7 FHIR®, enabling secure, modern data exchange with EHR systems.
