Privacy Policy
TrialStack privacy policy for personal data, privacy commitments, and data handling.
1. Introduction
TrialStack ApS (“TrialStack”, “we”, “our”, “us”) is committed to protecting your personal data and being transparent about how we use it. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have - whether you are visiting our website, requesting a demo, or using our platform as a customer.
TrialStack is based in Copenhagen, Denmark, and complies with the EU General Data Protection Regulation (GDPR) 2016/679 and the Danish Data Protection Act (Databeskyttelsesloven).
If you have questions about this policy or wish to exercise your rights, please contact our Data Protection Officer at gitte@trialstack.com.
2. Who We Are
TrialStack ApS is the data controller for all personal data described in this policy.
We can be reached at:
TrialStack ApS, Copenhagen, Denmark
privacy@trialstack.com
trust.trialstack.com
3. What Data We Collect and Why
We collect personal data across three contexts. The sections below explain each one.
3.1 Website Visitors
When you visit trialstack.com, we may collect:
- Technical data: IP address (approximate location - country/city level), browser type, operating system, pages visited, and time spent on pages.
- Cookie data: in accordance with your consent preferences and our Cookie Policy (trialstack.com/cookies).
We collect this data to understand how our website is used and to improve it. Where this processing relies on consent (for analytical cookies), you can withdraw consent at any time through the cookie preference centre.
3.2 Prospective Customers and Leads
When you fill in a contact form, request a demo, or sign up for updates, we collect:
- Your name.
- Your work email address.
- Your job title and organisation name.
- The information you provide in your message.
We use this data to respond to your enquiry, arrange a demonstration, or send you relevant updates about TrialStack. The lawful basis is our legitimate interest in developing customer relationships, or consent where you have opted in to marketing communications.
You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in any email or contacting us at privacy@trialstack.com.
We do not sell, rent, or share lead data with third parties for their own marketing purposes.
3.3 Platform Users
When you use the TrialStack application as a registered user, we collect:
- Identity and account data: Full name, work email address, job title, organisation name, and account credentials (authentication managed securely by Clerk, Inc.).
- Usage and activity data: Platform actions, feature interactions, document creation and editing events, and session activity - used to deliver the platform, generate audit trails, and improve the product.
- Technical data: IP address, browser type, session identifiers, and error logs - used for security, performance, and debugging.
- Communication data: Any messages, support tickets, or feedback you send to us.
We do not process patient-level clinical trial data or Protected Health Information (PHI). Our platform processes clinical trial operational data - protocol definitions, study configurations, and regulatory documentation - which belongs to the sponsoring organisation.
4. Lawful Basis for Processing
We process personal data on the following lawful bases under GDPR Article 6:
| Purpose | Lawful Basis |
|---|---|
| Delivering and operating the platform | Performance of a contract |
| Account management and authentication | Performance of a contract |
| Responding to enquiries and demo requests | Legitimate interests |
| Sending marketing communications | Consent (where required) or legitimate interests |
| Security monitoring and incident response | Legitimate interests |
| Legal and regulatory compliance | Legal obligation |
| Analytics and product improvement | Legitimate interests |
| Analytical cookies (website) | Consent |
5. How We Share Your Data
5.1 Subprocessors
We engage trusted third-party service providers (“subprocessors”) to help us deliver the Service. Each is bound by a Data Processing Agreement and required to implement appropriate security measures. Our current subprocessor list is available at trust.trialstack.com.
Key subprocessors include:
- Vercel, Inc. - platform hosting and content delivery.
- Neon, Inc. - database hosting (EU region).
- Clerk, Inc. - identity and authentication management.
- Anthropic, PBC - AI model inference.
- Comp AI - compliance programme management.
We will notify customers of material changes to our subprocessor list with at least 14 days’ notice.
5.2 Other Disclosures
We may also share personal data:
- With professional advisors (legal, financial, audit) under confidentiality obligations.
- With law enforcement or regulatory authorities where required by law.
- In connection with a business merger, acquisition, or restructuring, where the recipient is bound by equivalent obligations.
We do not share personal data with advertisers.
6. International Data Transfers
TrialStack’s primary data storage is within the European Union. Some subprocessors, including Vercel and Anthropic, operate infrastructure in the United States.
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs) and Transfer Impact Assessments where required. Details are available in our full Data Processing Agreement at trust.trialstack.com.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy or to meet legal obligations.
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of active account + 24 months |
| Usage and activity logs | 12 months rolling |
| Support communications | 3 years from last contact |
| Lead and marketing contact data | 24 months from last interaction, or until unsubscribe |
| Legal and compliance records | As required by applicable law (typically 5-10 years) |
When data is no longer required, it is securely deleted or anonymised.
8. Your Rights
Under the GDPR, you have the following rights. We will respond to all verified requests within 30 days (extendable to 90 days for complex requests).
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your data (subject to legal obligations) |
| Restriction | Ask us to pause processing while a dispute is resolved |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
To exercise your rights, contact our DPO at gitte@trialstack.com. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.
9. Security
We implement a formal information security programme aligned with ISO/IEC 27001:2022 and the SOC 2 Trust Services Criteria. Our security measures include:
- AES-256 encryption at rest; TLS 1.2+ in transit.
- Role-based access control with least-privilege principles.
- Multi-factor authentication for all platform users.
- Immutable audit logging of all material platform actions.
- Independent penetration testing with tracked remediation.
- Automated vulnerability scanning and regular security reviews.
Our security posture, certifications, and compliance documentation are available at trust.trialstack.com.
In the event of a personal data breach likely to affect your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
10. Cookies
We use cookies and similar technologies on our website and platform. For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy at trialstack.com/cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date above, notify registered platform users by email with at least 14 days’ notice, and post the updated policy at trialstack.com/privacy.
12. Contact
For any questions about this Privacy Policy or to exercise your data subject rights:
Data Protection Officer
TrialStack ApS
Copenhagen, Denmark
gitte@trialstack.com
trust.trialstack.com