Last updated: 2026
TrialWave (“we”, “us”, “our”, or the “Service”) provides business-development software for clinical research sites. This Privacy Policy explains what information we collect, how we use it, the choices you have, and how we protect it. By using the Service you agree to this Policy.
This document is a general template provided for convenience and is not legal advice. Before relying on it in production, have it reviewed and adapted by qualified legal counsel for your business and jurisdictions.
The Service is designed so that you do not enter individual patient identifiers or protected health information (PHI) such as names, dates of birth, medical record numbers, or contact details of patients. Patient population information is stored only as de-identified, aggregate counts by condition and specialty.
You are responsible for not entering PHI into the Service. If you need to process PHI, this Service is not the appropriate tool and you should use a system covered by an appropriate business associate agreement.
Account data: your name, work email, hashed password, and role within your organization.
Organization data you enter: clinic and site details, specialties, locations, sponsors and CRO contacts, study opportunities, document metadata, agreements, follow-ups, and aggregate patient-population counts.
Usage and audit records: important actions taken within your workspace (for traceability and security), and basic technical logs such as timestamps and error events.
Cookies: a single, essential authentication cookie used to keep you signed in. We do not use advertising or third-party tracking cookies.
To operate and provide the Service for your organization; to authenticate users and enforce role-based access; to provide features such as study matching, outreach drafting, feasibility tracking, and reporting; to maintain security and an audit trail; and to communicate with you about your account.
AI-assisted features run in a review-required mode and clearly flag generated output for human review. The Service never sends email to sponsors on your behalf automatically.
We do not sell your data, and we do not use your organization's content to train third-party AI models.
Where data-protection law such as the GDPR applies, we process personal data to perform our contract with you, to pursue our legitimate interests in operating and securing the Service, and to comply with legal obligations. Where required, we rely on your consent, which you may withdraw at any time.
We share data with service providers (subprocessors) only as needed to run the Service, under appropriate confidentiality and data-protection terms. These currently include our cloud database and hosting providers, and, when you enable them, an email-delivery provider and a payment processor.
Study search uses the public ClinicalTrials.gov API. Payments, when enabled, are processed by our payment provider under its own terms; we do not store full card numbers.
We may disclose information if required by law or to protect the rights, safety, and security of our users and the Service.
We retain your organization's data for as long as your account is active and as needed to provide the Service. When you delete your workspace, we delete or irreversibly de-identify associated data within a reasonable period, except where retention is required by law.
We apply administrative and technical safeguards including encrypted transport (HTTPS), hashed passwords, role-based access control, tenant isolation, row-level database security, rate limiting, and audit logging. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard practices.
Depending on your location, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Account owners can export their workspace data and delete their workspace from within the Service. To exercise other rights, contact us using the details below.
We may process and store data in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for cross-border transfers.
The Service is intended for business use by professionals and is not directed to children. We do not knowingly collect personal information from children.
We may update this Policy from time to time. Material changes will be reflected by updating the date below and, where appropriate, by additional notice.
Questions or requests about privacy can be sent to our support/privacy contact listed on our Contact page.