Aurora

Privacy Policy

Last updated: April 2026

1. Introduction

Aurora Trials ("we", "our" or "Aurora") is committed to protecting your privacy. This Privacy Policy transparently explains what personal data we collect, why we collect it, how we protect it, and what your rights are as a user of our oncology clinical trial search platform.

This policy applies to all users of the Aurora Trials platform, regardless of access region (Global, EU, Latin America).

2. Data We Collect

2.1 Data you provide at registration

  • Email address (used as your account identifier)
  • Password (stored exclusively as a cryptographic hash — never in plain text)
  • Professional profile: role (patient, doctor, nurse), specialty, institution, country

2.2 Data generated by your use of the platform

  • Clinical trial search history (filters applied, search terms)
  • Studies saved as favourites and study views
  • Conversations with the AI assistant (patient navigator)

2.3 Technical data collected automatically

  • Browser type and operating system
  • IP address and approximate location (used to determine access region)

3. Purpose of Collection — Why We Collect Your Data

Each type of data is collected for a specific purpose:

  • Email and password hash: authentication and secure access to your account
  • Professional profile: personalising your experience based on your role (patient vs. doctor)
  • Search history: clinical trial matching — finding relevant studies based on your search criteria (only with your explicit consent)
  • Search pattern analysis: improving the platform and identifying trends in oncology (only with your explicit consent)
  • Technical data: security, abuse prevention and platform maintenance

4. Legal Basis for Data Processing

The processing of your personal data is based on the following legal grounds, in compliance with the General Data Protection Regulation (GDPR) and the Brazilian LGPD:

  • Explicit consent (Art. 6(1)(a) GDPR): for data collection for trial matching and for search pattern analysis. This consent is collected granularly at registration via separate checkboxes, and can be withdrawn at any time.
  • Performance of contract (Art. 6(1)(b) GDPR): to provide the essential platform services (authentication, access to the trial catalogue).
  • Legitimate interest (Art. 6(1)(f) GDPR): for platform security and fraud prevention.
  • Legal obligation (Art. 6(1)(c) GDPR): when required by applicable law.

5. Information Sharing

We do not sell your personal data. We may share your information only in the following circumstances:

  • With service providers who assist in our operations (Supabase for database, Anthropic for AI) — subject to data processing agreements
  • When required by law or to protect our legal rights
  • With your explicit consent

6. How We Protect Your Data

We implement rigorous technical and organisational security measures:

  • Encryption in transit: all communications are protected by TLS/SSL (HTTPS mandatory)
  • Encryption at rest: the database uses AES-256 encryption for stored data
  • Passwords are never stored in plain text — we use cryptographic hashing (bcrypt) via Supabase Auth
  • Restricted access: Row Level Security (RLS) in PostgreSQL ensures each user can only access their own data
  • Administrative access is limited and audited via aurora_audit_logs

7. Your Rights

In accordance with the GDPR (EU) and LGPD (Brazil), you have the following rights:

  • Right of access: view all personal data we hold about you
  • Right to rectification: correct incomplete or inaccurate data
  • Right to erasure ('right to be forgotten'): request deletion of your data
  • Right to withdraw consent: you may withdraw any consent given at any time, without affecting the lawfulness of prior processing
  • Right to data portability: request your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest

To exercise any of these rights, contact us at support@auroratrials.org or use the options on your account Settings page.

8. Cookies

We use strictly necessary cookies for platform operation (session authentication). We do not use third-party tracking cookies or advertising cookies.

9. Data Retention

We retain your data for as long as your account is active. When you delete your account, we remove your personal data from our active systems within 30 days, except where retention is required by legal obligation. Anonymised and aggregated data may be retained for statistical purposes.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email and by posting the new version on this page. The "last updated" date will always reflect the latest version.

11. Contact and DPO

For questions about this Privacy Policy or about the processing of your personal data:

Email: support@auroratrials.org