Privacy Policy

1. Overview & Scope

Coordinare ("we," "our," or "us") is a clinical research site operations platform operated by DSCS (Data-Driven Site & Contract Services). This policy applies to all services at coordinare.co and coordinare.polsia.app.

2. Data We Collect

Account Information

When you register or use our email-gated tools, we collect:

• Name — provided during registration or tool use
• Work email address — used to identify your account and workspace
• Password — stored as a one-way scrypt hash (never stored in plaintext)
• Role — clinical role (e.g., CRC, PI, CRA) if provided

Site Profile Information

When you use the Feasibility Autopilot or Site Profile tools, we may collect:

• Research site name and address
• Principal Investigator (PI) name
• Contact phone numbers and site email addresses
• Staff headcount and coordinator names
• Therapeutic area experience and past trial history
• IRB information, certifications, and equipment capabilities
• Patient database size and enrollment metrics

Study Organizer & Project Board Data

• Study names, descriptions, and associated sponsor/CRO information you enter
• Bookmark URLs and names (passwords stored encrypted — see Security section)
• Contact information for monitors, CRAs, lab contacts, and sponsor representatives
• Task titles, descriptions, priorities, and due dates
• Files and attachments uploaded to Project Board tasks

Usage & Analytics Data

• Page views, feature interactions, and session duration
• Referrer URLs and UTM parameters
• Browser user agent strings and IP addresses (for rate limiting and security)
• GCP training progress and exam results

AI Interaction Data

• Chat messages sent to the AI assistant (retained for service improvement)
• Feasibility survey questions and AI-generated responses
• Budget parameters entered into the Budget Generator

3. How We Use Your Data

We use your data to provide, maintain, and improve our services. This includes:

• Service Delivery: Personalizing tools and generating AI responses.
• Communication: Sending transactional emails and account updates.
• Product Development: Anonymizing interaction metrics to improve AI accuracy.
• Commercial Insights: Creating industry benchmarks and market research reports.

4. Data Sale & Commercial Disclosure

To support the continued development of clinical research tools, Coordinare may "sell" or "share" certain data (as defined by the CCPA/CPRA and GDPR) to third-party partners, including CROs, Sponsors, and research analytics firms.

What We May Sell/Share

• De-Identified Site Capabilities: Aggregate data regarding therapeutic experience, equipment, and enrollment metrics.
• Industry Benchmarks: Anonymized data regarding trial budgets and feasibility timelines.
• Professional Metadata: Professional contact information (Work Email/Role) for industry-related networking or recruitment opportunities.

What We NEVER Sell

• Raw Study Documents: We never sell uploaded protocols or proprietary study files.
• Passwords: Your security credentials are never shared or sold.
• Specific Clinical Secrets: Site-specific strategies or internal task notes.

5. Data Isolation & Site-Level Access

Workspace Model

Data is isolated by domain (e.g., @westlakeoncology.com). Users sharing the same non-generic email domain are grouped into the same workspace and can see shared data (study lists, tasks, contacts). Users with generic email domains (Gmail, Yahoo, Hotmail, Outlook, iCloud) remain in individual personal workspaces.

Aggregate Learning

We may use aggregate, non-identifying patterns (e.g., "Average enrollment for Phase II Oncology") to train models, but this data is stripped of all site-identifying markers.

What Is Shared Within a Workspace

• Study Organizer studies, bookmarks, and contacts
• Project Board tasks and file attachments
• Site profile information saved by any team member

What Is Never Shared Across Sites

• PI names, site names, and identifying site information
• Site addresses, phone numbers, and contact emails
• Staff information and coordinator details
• Enrollment data, past trial history, and capabilities
• Any data that could identify your site to a competitor or other clinical organization

Admin Access

Coordinare administrators (DSCS team members) can access aggregated platform data for operational purposes. Admin access is protected by a secret key and rate-limited to prevent unauthorized access. Admin activities are logged. Administrators access the minimum data necessary to operate the platform.

6. Storage & Security

Database

All data is stored in a PostgreSQL database hosted on Neon (a managed cloud database provider). Connections to the database use TLS encryption. The database is not publicly accessible.

Password Storage

User passwords are hashed using the scrypt algorithm with a random salt before storage. Plaintext passwords are never stored or logged.

Study Organizer Passwords

Bookmark credentials (sponsor portal passwords, EDC login passwords) stored in the Study Organizer are encrypted at rest using AES-256 encryption before being written to the database. The encryption key is stored separately from the database.

File Attachments

Files uploaded to the Project Board are stored via Polsia's R2 cloud storage (Cloudflare R2-compatible). File access requires authentication — direct file URLs are served only to authenticated users who belong to the same workspace as the task they were attached to.

Data in Transit

All connections between your browser and Coordinare servers use HTTPS (TLS 1.2+). Data is encrypted in transit.

Session Security

• Sessions automatically expire after 30 minutes of inactivity
• Absolute session expiry of 8 hours regardless of activity
• All sessions are invalidated on logout
• Browser localStorage is fully cleared on logout to prevent data leakage between users on shared devices

7. Third-Party Services

We share data with the following categories of providers:

• Cloud Infrastructure: Render, Neon, Cloudflare.
• AI Models: OpenAI (Data sent for processing is not used by OpenAI to train their global models).
• Communication: Postmark.
• Data Partners: Verified clinical research organizations (subject to the Opt-Out in Section 10).

We do not use advertising networks, remarketing pixels, or social media tracking on any authenticated pages.

8. AI Features & Data Use

Chat AI

The Chat AI assistant answers questions about clinical research using Dan Sfera's video library and clinical research knowledge base. Chat messages are stored associated with your account. Chat sessions are scoped to your individual user account — your conversation history is not visible to other users.

Feasibility Autopilot

When you use the Feasibility Autopilot, your site profile data is retrieved from our database and used to generate responses. This data is only sent to OpenAI as part of your specific request and is not used to populate responses for other sites. AI-generated responses are not guaranteed to be accurate and should be reviewed before submission.

Budget Generator

Budget AI insights are generated based on phase, therapeutic area, and visit/subject counts you provide. Budget-specific insights may be cached to improve response times — cached results are based on aggregated parameters only, not site-specific data.

AI Output Disclaimer

All AI-generated content is provided for informational purposes only. AI responses may not be accurate, complete, or appropriate for your specific situation. Always review AI output before use. Coordinare and DSCS are not liable for decisions made based on AI-generated content.

9. Data Retention

If you wish to request removal of your data, contact us at admin@dscssweatequity.com. Coordinare does not automatically delete any user data.

10. Your Rights & "Do Not Sell My Info"

Under GDPR and CCPA, you have specific rights:

• Access/Correction: View or edit your data at any time.
• Right to Deletion: Request total removal of your account.
• Right to Opt-Out of Sale: You may request that we stop selling your personal data to third parties.
• Non-Discrimination: We will not deny service or change pricing if you exercise these rights.

To exercise your right to opt-out of data sales, please email admin@dscssweatequity.com with the subject line "Do Not Sell My Personal Information."

We will respond within 30 days.

11. Breach Notification

In the event of a data breach that may affect your personal information, we will:

• Investigate the breach and contain it as quickly as possible
• Notify affected users by email within 72 hours of becoming aware of a breach (where feasible)
• Provide details on: what data was affected, what we are doing to address it, and what steps you can take
• Notify relevant regulatory authorities as required by applicable law

To report a suspected security vulnerability or incident, contact us immediately at admin@dscssweatequity.com.

12. Contact Us

Questions about this privacy policy or our data practices? We're here to help.

This policy may be updated from time to time. Material changes will be communicated by email to registered users. Continued use of Coordinare after an update constitutes acceptance of the revised policy. The "Effective Date" at the top of this page reflects the most recent revision.