Envision Trials← Back home

Privacy Policy

Last updated: June 11, 2026

Overview

Envision Trials provides a multi-tenant SaaS platform for sponsors, CROs, and clinical-trial sites. We process two categories of data: (1) account and usage data about platform users, and (2) trial-operations data — including Protected Health Information ("PHI") — submitted by your organization. This policy explains how we handle both.

Data we collect

  • Account data: name, work email, organization, role, MFA enrollment.
  • Operational data: studies, sites, investigators, documents you upload.
  • PHI: patient records your organization chooses to enter under its BAA with us.
  • Usage telemetry: IP address, browser, pages visited, actions performed (for audit logs).

How we use it

  • To deliver the Service and route data only to the originating tenant.
  • To generate immutable, 21 CFR Part 11–compliant audit trails of every change.
  • To run AI agents (feasibility, doc assembly, patient matching) on tenant-scoped data.
  • To detect security incidents and meet regulatory reporting obligations.

AI processing

When AI agents are invoked, prompts are passed to model providers under contractual no-training terms. We apply PHI-detection guardrails to block obvious identifiers before sending data to external models. Outputs are persisted as part of the audit trail.

Security

  • AES-256 encryption at rest, TLS 1.3 in transit.
  • Row-Level Security enforces tenant isolation in every query path.
  • MFA support; HIBP-checked passwords; least-privilege RBAC.
  • WORM audit log retained for 7 years.
  • US-only data residency for PHI / PII.

Sharing

We do not sell personal data. We share data only with sub-processors required to operate the Service (cloud hosting, AI model providers, email delivery), each bound by data-processing terms. A current sub-processor list is available on request.

Your rights

Platform users may update profile data in Settings → Profile or sign out of all sessions. For requests under HIPAA, GDPR, or CCPA — including access, correction, or deletion of tenant-controlled records — contact your organization's administrator, who can coordinate with us as the data processor.

Retention

Operational records and audit logs are retained for 7 years to satisfy 21 CFR Part 11. Account data is retained for the life of the account plus the period required by law.

Contact

Privacy questions: privacy@envisiontrials.example. Security reports: security@envisiontrials.example.