Scope
This notice covers public website visitors, prospective customers, design
partners, vendors, security researchers, and other people who contact
CliniStack outside a signed customer agreement.
Customer use of the CliniStack application, protected health information,
clinical-trial records, sponsor/CRO/site data, business associate terms,
data-processing terms, validation commitments, and retention obligations
must be governed by signed agreements. Do not send PHI, subject identifiers,
medical records, document names, protocol identifiers, or regulated trial
evidence through public email or public website channels.
Information We Collect
- Contact information you provide, such as name, work email, company, role, and message content.
- Business-context information needed to respond to a demo, vendor, support, or security inquiry.
- Public website telemetry, such as IP address, user agent, requested URLs, timestamps, referrer, and basic security logs generated by AWS hosting services.
- Security-report metadata and attachments that a researcher intentionally submits to security@clinistack.dev.
How We Use Information
- Respond to inquiries, demo requests, vendor communication, and security reports.
- Operate, protect, troubleshoot, and improve the public site and email intake path.
- Prepare customer contracting, security, privacy, and compliance discussions.
- Meet legal, security, audit, fraud-prevention, and dispute-resolution obligations.
Cookies And Tracking
The public site currently does not use advertising pixels, behavioral advertising
cookies, analytics cookies, or cross-context tracking. If that changes, we will
update this notice and add any consent or opt-out controls required by applicable
law before relying on that processing.
Sale, Sharing, And Targeted Advertising
CliniStack does not sell personal information, share personal information for
cross-context behavioral advertising, or use the public site for targeted
advertising. If we later introduce processing that requires honoring opt-out
preference signals, we will treat recognized browser-based signals as legally
required opt-out requests where applicable.
Legal Bases For EU And UK Visitors
Where EU or UK data protection law applies, we rely on legitimate interests to
operate, secure, and improve the public site and to respond to business inquiries;
contract or pre-contract steps for demo and customer discussions; legal obligation
for required records; and consent only where we ask for optional consent, such as
for a future marketing list.
Disclosure
We use service providers to host the site, route email, protect infrastructure,
manage source code and deployment, and operate business communications. Current
bootstrap providers include AWS and GitHub. Public inbound email is archived in
AWS-controlled storage, and operators receive a minimum-necessary notification
rather than a full message forward.
We may also disclose information when required by law, to protect CliniStack,
users, or the public, or as part of a merger, financing, acquisition, or similar
corporate transaction.
Retention
Raw public inbound email is configured for short retention in the AWS archive.
Demo, vendor, and business correspondence may be retained while an inquiry,
business relationship, legal obligation, security investigation, or dispute remains
active, then deleted or de-identified when no longer needed.
Your Rights
Depending on where you live, you may have rights to request access, correction,
deletion, portability, restriction, objection, withdrawal of consent, opt-out of
sale/sharing or targeted advertising, opt-out of certain profiling or automated
decision-making, and appeal of a denied privacy request.
CliniStack does not currently use the public site for automated decision-making
that produces legal or similarly significant effects. To make a privacy request,
email privacy@clinistack.dev or hello@clinistack.dev. We may need to verify your
request before acting on it.
Health And Clinical Data
Public website and public email channels are not intended for PHI, subject
identifiers, clinical-trial source records, safety reports, protocol deviations,
or regulated document evidence. If a signed customer implementation handles PHI
or regulated clinical-trial data, that processing must run through the governed
application environment and signed customer terms, including a BAA or DPA where
applicable.
Children
The public site is intended for business users and is not directed to children.
We do not knowingly collect personal information from children through the public
site.
Contact
Privacy requests and questions: privacy@clinistack.dev.
General public contact: hello@clinistack.dev.