Scope
This notice covers public website visitors, prospective customers, design
partners, vendors, security researchers, and other people who contact
CliniStack outside a signed customer agreement. The public site is intended
for business and professional audiences.
Customer use of the CliniStack application, protected health information,
clinical-trial records, sponsor/CRO/site data, business associate terms,
data-processing terms, validation commitments, and retention obligations
must be governed by signed agreements. Do not send PHI, subject identifiers,
medical records, document names, protocol identifiers, or regulated trial
evidence through public email or public website channels.
This notice covers public-site and public-contact data only. Customer application
processing, HIPAA notices, and business-associate commitments are governed by
signed customer terms.
Information We Collect
- Contact information you provide, such as name, work email, company, role, and message content.
- Business-context information needed to respond to a demo, vendor, support, or security inquiry.
- Public website telemetry, such as IP address, user agent, requested URLs, timestamps, referrer, and basic security logs generated by AWS hosting services.
- Security-report metadata and attachments that a researcher intentionally submits to security@clinistack.dev.
How We Use Information
- Respond to inquiries, demo requests, vendor communication, and security reports.
- Operate, protect, troubleshoot, and improve the public site and email intake route.
- Prepare customer contracting, security, privacy, and compliance discussions.
- Meet legal, security, audit, fraud-prevention, and dispute-resolution obligations.
Cookies And Tracking
The public site currently does not use advertising pixels, behavioral advertising
cookies, analytics cookies, or cross-context tracking. If that changes, we will
update this notice and add any consent or opt-out controls required by applicable
law before relying on that processing.
Sale, Sharing, And Targeted Advertising
CliniStack does not sell personal information, share personal information for
cross-context behavioral advertising, or use the public site for targeted
advertising. If we later introduce processing that requires honoring opt-out
preference signals, we will treat recognized browser-based signals as legally
required opt-out requests where applicable.
Legal Bases For EU And UK Visitors
Where EU or UK data protection law applies, we rely on legitimate interests to
operate, secure, and improve the public site and to respond to business inquiries;
contract or pre-contract steps for demo and customer discussions; legal obligation
for required records; and consent only where we ask for optional consent, such as
for a future marketing list.
Disclosure
We use service providers to host the site, route email, protect infrastructure,
manage source code and deployment, and operate business communications. Service
providers for public-site hosting, email, source control, and deployment include
Google Workspace, AWS, and GitHub.
We may also disclose information when required by law, to protect CliniStack,
users, or the public, or as part of a merger, financing, acquisition, or similar
corporate transaction.
Retention
Demo, vendor, privacy, security, and business correspondence may be retained
while an inquiry, business relationship, legal obligation, security investigation,
or dispute remains active, then deleted or de-identified when no longer needed.
Your Rights
Depending on where you live, you may have rights to request access, correction,
deletion, portability, restriction, objection, withdrawal of consent, opt-out of
sale/sharing or targeted advertising, opt-out of certain profiling or automated
decision-making, and appeal of a denied privacy request.
CliniStack does not currently use the public site for automated decision-making
that produces legal or similarly significant effects. To make a privacy request,
email privacy@clinistack.dev or
hello@clinistack.dev. We may need to
verify your request before acting on it.
Health And Clinical Data
Public website and public email channels are not intended for PHI, subject
identifiers, clinical-trial source records, safety reports, protocol deviations,
or regulated document evidence. If a signed customer implementation handles PHI
or regulated clinical-trial data, that processing must run through the governed
application environment and signed customer terms, including a BAA or DPA where
applicable.
Contact
Privacy requests and questions: privacy@clinistack.dev.
General public contact: hello@clinistack.dev.