Skip to main content
Clinical Trial Compass
Back

Privacy Policy

Last updated: 12 May 2026

Clinical Trial Compass ("Compass", "we", "us") operates clinicaltrialcompass.org as a free consumer interface on top of public clinical trial registries. This policy explains what data we collect, how we use it, and the controls you have over it.

Plain-English summary: The core site works without an account. If you create one, we store the minimum needed to deliver the product. We never sell your data, never accept pharma sponsorship, and never train AI models on your personal information.

1. What we collect

  • Anonymous usage data: Page views, search queries, and aggregate analytics via Google Analytics 4. Used to understand which features patients find useful. No personally identifying information is sent to GA4.
  • Account data (if you sign up): Email address and authentication identifier, managed by our auth provider Clerk. We do not store your password.
  • Health profile data (Pro tier): Whatever you voluntarily enter into the eligibility wizard or upload as a pathology report. Stored encrypted at rest on Neon (Postgres) and Vercel Blob, scoped to your account.
  • Inquiry messages (Pro tier): Messages you send to trial coordinators through Compass, and replies received, stored to provide the inquiry tracking feature.
  • Billing data (Pro tier): Handled by Stripe. We never see or store your card details. We retain only the Stripe customer ID and subscription status.

2. What we never do

  • We do not sell your data to any third party, under any circumstances.
  • We do not accept pharmaceutical advertising, sponsored placements, or referral fees from drug companies, clinical sponsors, or contract research organisations.
  • We do not use your uploaded medical records to train AI models. AI is used to translate eligibility criteria into plain English; that pipeline runs on trial data from ClinicalTrials.gov, not on your personal data.
  • We do not share your data with trial sponsors. When you send an inquiry, only the contents of that specific message reach the coordinator — your profile, history, and other inquiries stay with us.

3. Data retention

  • Uploaded medical records: Auto-deleted 90 days after upload. You can delete them sooner from your dashboard.
  • Eligibility wizard answers (anonymous): Stored only in your browser session unless you save them to a Pro account.
  • Inquiry messages: Retained for the lifetime of your account so you can reference past coordinator conversations.
  • Account deletion: Deletes everything associated with your account within 24 hours, including stored profiles, uploads, inquiries, and authentication records.

4. Third-party processors

We use the following providers, each bound by contract to handle data appropriately:

  • Vercel — hosting, deployment, edge caching, blob storage
  • Neon — Postgres database for profiles, alerts, inquiries
  • Upstash — Redis cache and rate-limiting
  • Clerk — authentication and session management
  • Stripe — payment processing (Pro tier only)
  • Resend — transactional email (alerts, inquiry replies)
  • Anthropic / Vercel AI Gateway — AI translation of eligibility criteria. Trial data sent through the gateway is public registry data, not your personal information.
  • Sentry — error tracking and performance monitoring. We send technical metadata about errors (stack traces, browser, route, IP address, request headers) and a subset of session recordings. Session recordings mask all text content and block all media — only structural DOM is recorded, not what you typed or uploaded. Recordings are sampled (10% of sessions, 100% of sessions where an error occurs).
  • Google Analytics 4 — anonymous traffic analytics

We do not currently hold HIPAA Business Associate Agreements with these providers. Clinical Trial Compass is a consumer research tool, not a HIPAA-covered entity. Do not upload information you would not be comfortable storing on standard cloud infrastructure.

5. Your rights

Wherever you live, you have the right to access, correct, export, or delete your data. For users in the EEA / UK (GDPR) and California (CCPA), those rights are statutory and we will respond within 30 days. Contact privacy@clinicaltrialcompass.org for any data request.

6. Cookies

We use first-party cookies for authentication (session management) and Google Analytics for anonymous traffic measurement. We do not use advertising or cross-site tracking cookies. You can disable analytics cookies in your browser without losing site functionality.

7. Children

Compass is not directed at children under 16. If you are a parent or guardian and believe a child has provided us with personal information, contact us and we will delete it.

8. Changes to this policy

If we materially change this policy, we will update the "last updated" date at the top and, for account holders, send an email notice at least 14 days before the change takes effect.

9. Contact

Privacy questions or data requests: privacy@clinicaltrialcompass.org.

Terms of Service →Back to home