Privacy Policy

Version 0.2 — Last Updated March 16, 2026

CaladanAI, Inc. ("CaladanAI," "Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and protect information in two distinct contexts:

  1. When you visit our website at caladan.ai (the "Website") — Part I of this policy applies to you.
  2. When you use our cloud-based clinical trial financial planning platform (the "Platform") as an authorized user of a subscribing organization — Part II of this policy applies to you.

If you are a Platform User, Part II supplements the End-User License Agreement ("EULA") between CaladanAI and your organization. In the event of a conflict between this Privacy Policy and the EULA regarding the handling of Customer Data, the EULA shall govern.

Sections 10 through 16 of this policy apply to both Website Visitors and Platform Users.

Part I — Website Privacy Policy

This section applies to individuals who visit caladan.ai, submit contact forms, request demos, or otherwise interact with our public-facing Website. It does not govern data processed through the CaladanAI Platform, which is addressed in Part II.

1. Information We Collect from Website Visitors

1.1 Information You Provide to Us

When you interact with our Website, we may collect:

  • Contact Information: Name, email address, company name, job title, and phone number when you submit a contact form, request a demo, or sign up for a newsletter
  • Communications: Content of messages you send to us via email, chat, or web forms

1.2 Information We Collect Automatically

When you visit our Website, we automatically collect:

  • Log Data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and time spent on pages
  • Device Information: Device type, screen resolution, and unique device identifiers
  • Cookies and Similar Technologies: See Section 11 (Cookies and Tracking Technologies) for details

1.3 Information We Do Not Collect from Website Visitors

We do not collect from Website Visitors:

  • Protected Health Information (PHI) as defined under HIPAA
  • Payment card information (our payment processor handles this)
  • Social Security numbers or government-issued identification numbers

2. How We Use Website Visitor Information

We use information collected from Website Visitors to:

(a) Respond to your inquiries, demo requests, and support questions

(b) Send you information about our products and services (with your consent, where required)

(c) Improve our Website content, layout, and user experience

(d) Analyze Website traffic and usage patterns

(e) Detect, prevent, and address security issues and fraud

(f) Comply with legal obligations

3. How We Share Website Visitor Information

We do not sell your personal information. We share Website Visitor information only in the following circumstances:

  • Service Providers: We use third-party analytics, email, and hosting providers to operate our Website. These providers are contractually obligated to protect your information and process it only on our behalf. See our sub-processor list.
  • Legal Requirements: We may disclose information if required by law, court order, or to protect the rights, property, or safety of CaladanAI or others. Where legally permitted, we will provide notice before disclosing.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such transfer.
  • With Your Consent: We may share information with third parties when you have explicitly consented.

4. Website Visitor Data Retention

  • Contact form submissions: Retained as long as necessary to respond to your inquiry and maintain the business relationship, or until you request deletion
  • Marketing communications: Retained until you unsubscribe or request removal
  • Website analytics data: Retained in aggregated form; individual log data retained for up to twelve (12) months

Part II — Platform Privacy Notice

This section applies to authorized users ("Platform Users") of organizations ("Customers") that subscribe to the CaladanAI Platform. Platform Users access the Platform through their organization's subscription. Your organization's administrator controls your account, access level, and the Customer Data your organization inputs into the Platform. This notice supplements — and does not replace — the EULA between CaladanAI and your organization.

5. Information We Collect from Platform Users

5.1 Information You or Your Organization Provide

  • Account Information: Name, email address, job title, and role within your organization, provided during account setup or provisioned by your organization's administrator
  • Customer Data: All data that you or your organization input, upload, create, or generate through the Platform, including:
    • Clinical trial cost estimates and financial projections
    • Site and enrollment planning data (aggregate site counts, enrollment targets, visit schedules)
    • Vendor and contract information
    • Scenario analyses and Monte Carlo simulation parameters
    • Organizational and departmental budget information
  • Support Data: Information you provide when contacting our support team, including screenshots, descriptions, and configuration details

5.2 Information We Collect Automatically from Platform Users

  • Usage Data: Feature interactions, module access patterns, session duration, actions taken within the Platform, and performance metrics
  • System Logs: Authentication events, API calls, error logs, and security-related events
  • Log Data: IP address, browser type and version, operating system, date and time of access

5.3 Information We Do Not Collect

We do not collect through the Platform:

  • Protected Health Information (PHI) as defined under HIPAA. The Platform is not designed to process, store, or manage patient-level health information, and users are prohibited from inputting PHI or patient-level data into the Platform
  • Patient-level data, including patient names, medical record numbers, or dates of birth
  • Payment card information — payment processing is handled by our third-party payment processor, and we do not store card numbers or security codes
  • Social Security numbers or government-issued identification numbers

6. How We Use Platform User Information

6.1 Platform Operations

We use information from Platform Users to:

(a) Provide, operate, and maintain the Platform

(b) Authenticate your identity and manage access permissions

(c) Process and display Customer Data within the Platform as directed by your organization

(d) Provide technical support and respond to service requests

(e) Monitor Platform performance, reliability, and security

(f) Send service-related notifications (e.g., maintenance windows, security alerts, feature updates)

(g) Improve and enhance Platform features and functionality

(h) Comply with legal obligations and enforce our agreements

6.2 Anonymized and Aggregated Data

We create Anonymized Data from Customer Data by aggregating, de-identifying, and anonymizing it so that it cannot reasonably be used to identify any individual, organization, or specific clinical trial. We use Anonymized Data to:

(a) Develop and publish industry benchmarks (e.g., clinical trial cost benchmarks by therapeutic area, phase, and geography)

(b) Build enrollment rate benchmarks and site performance metrics

(c) Train, improve, and validate the machine learning models and AI systems that power the Platform

(d) Produce aggregated analytics and industry insights

Anonymization Standards. We ensure that:

  • Individual organizations cannot be re-identified from Anonymized Data through reasonable efforts
  • Specific clinical trials, compounds, or investigational products cannot be attributed to a specific organization
  • Financial figures, vendor names, site names, and other organization-specific identifiers are removed or generalized
  • No benchmark is published that is derived from fewer than ten (10) distinct customer organizations

Opt-Out. Platform Customers may opt out of contributing to the Anonymized Data pool by submitting a written request to us. Customers who opt out will lose access to Benchmark-Dependent Features (features powered by the aggregated data pool, listed at caladan.ai/legal/benchmark-features) but will retain full access to all other Platform functionality. See EULA Section 13.3 for complete opt-out terms.

Transparency. We publish an annual summary describing the categories of benchmarks and aggregate insights derived from Anonymized Data during the preceding twelve months.

7. How We Share Platform User Information

We do not sell Customer Data or Platform User personal information. We share information only in the following circumstances:

7.1 Service Providers (Sub-Processors)

We use third-party service providers to help us operate the Platform. These providers process data on our behalf and are contractually obligated to protect your information. Our current list of sub-processors, including their function and data processing location, is maintained at caladan.ai/legal/sub-processors.

Categories of sub-processors include:

  • Cloud Infrastructure: Hosting, database, and authentication services
  • Application Delivery: Content delivery and edge computing
  • AI/ML Services: Artificial intelligence and machine learning capabilities
  • Analytics: Product analytics and monitoring
  • Communications: Email delivery and customer support tools

We provide at least thirty (30) days' notice before engaging a new sub-processor that will process Customer Data, and Platform Customers have the right to object as described in EULA Section 7.4.

7.2 Within Your Organization

Your account information, activity, and role are visible to administrators within your organization as part of normal Platform functionality.

7.3 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, including court orders, subpoenas, or government requests. Where legally permitted, we will notify the affected Customer before disclosing Customer Data in response to legal process.

7.4 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, Platform User information may be transferred as part of that transaction. We will notify affected Customers of any such transfer.

7.5 Anonymized Data

Anonymized Data (as described in Section 6.2) may be shared, published, or distributed without restriction, as it cannot be used to identify any individual or organization. The sharing of Anonymized Data does not constitute a sale of personal information or Customer Data.

8. Platform User Data Retention

  • Account information: Retained for the duration of the Customer's subscription, plus the 90-day Retrieval Period following termination
  • Customer Data: Retained for the duration of the subscription. Following termination, Customer Data is maintained in accessible form for ninety (90) days (the "Retrieval Period") to allow data export. After the Retrieval Period, Customer Data is deleted within 90 days of termination, plus up to 30 additional days for backup purge cycles, after which it is permanently deleted from all systems
  • Usage and log data: Retained for up to twelve (12) months for security monitoring and Platform improvement
  • Anonymized Data: Retained indefinitely. Anonymized Data is irreversibly de-identified and cannot be attributed to any individual or organization. It is not subject to deletion requests.

9. Platform User Rights

9.1 Your Organization Controls Your Account

If you are a Platform User, your Customer organization controls your account and the Customer Data processed through the Platform. To exercise rights regarding Customer Data, please contact your organization's administrator first. We will cooperate with your organization to fulfill your request in accordance with the EULA.

For requests related solely to your individual account information (name, email, login credentials), you may contact us directly at privacy@caladan.ai.

9.2 Future International Rights (GDPR)

CaladanAI does not currently operate in jurisdictions subject to the EU General Data Protection Regulation (GDPR). Prior to expanding Platform availability to the European Economic Area, we will update this Privacy Policy to address GDPR-specific rights, including lawful basis for processing, right to restriction, right to object, right to lodge a complaint with a supervisory authority, and cross-border data transfer mechanisms.

Shared Provisions

The following sections apply to both Website Visitors and Platform Users.

10. Data Security

We implement commercially reasonable administrative, technical, and physical security measures to protect your information, including:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication for administrative access
  • Data Isolation: Multi-tenant architecture with organization-level data segmentation to prevent unauthorized cross-tenant access
  • Monitoring: Continuous security monitoring, vulnerability scanning, and intrusion detection
  • Incident Response: Documented security incident response procedures with 72-hour Customer notification commitment for confirmed breaches

Compliance Roadmap:

  • SOC 2 Type II certification is actively being pursued
  • GDPR compliance will be implemented prior to expanding to the European Economic Area

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Category | Purpose | Examples
Strictly Necessary | Required for the Website and Platform to function (authentication, security, session management) | Session cookies, CSRF tokens, authentication tokens
Functional | Remember your preferences and settings | Language preferences, display settings, dark mode
Analytics | Help us understand how visitors use our Website and Platform | Third-party analytics providers

11.2 Your Cookie Choices

  • Browser Settings: Most browsers allow you to refuse or delete cookies through their settings. Note that disabling strictly necessary cookies may prevent you from using the Platform.
  • Analytics Opt-Out: You may opt out of analytics tracking through your browser settings or by using industry-standard opt-out mechanisms.

11.3 Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals to the websites you visit. There is currently no universally accepted standard for how companies should respond to DNT signals. We will update this policy if and when a formal DNT standard is established.

12. General Rights and Choices

12.1 All Users

Regardless of your jurisdiction, you may:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements and the Anonymized Data provisions described in this policy
  • Opt-Out of Marketing: Unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in any marketing email or contacting us directly
  • Data Portability: Request your personal data in a commonly used, machine-readable format

To exercise any of these rights, contact us at privacy@caladan.ai. We will respond to all verified requests within thirty (30) days, or within the timeframe required by applicable law.

12.2 State and International Privacy Rights

We will update this Privacy Policy as additional state or international privacy laws become applicable to CaladanAI's operations. If and when CaladanAI meets the applicability thresholds under the California Consumer Privacy Act (CCPA/CPRA) or other state privacy laws, this policy will be updated to reflect the specific rights those laws provide, including the right to know, right to delete, right to opt-out of sale, and right to non-discrimination.

13. Children's Privacy

The Website and Platform are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us using the information in Section 15.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We distinguish between material and non-material changes:

  • Non-material changes (e.g., clarifications, formatting): We will update the "Last Updated" date. No advance notice required.
  • Material changes: We will update the "Last Updated" date and provide advance notice as follows:
    • For Platform Users: We will provide notice via the Platform or email at least thirty (30) days before material changes take effect. Continued use of the Platform after the effective date of the updated Privacy Policy constitutes acceptance of the revised terms.
    • For Website Visitors: The updated policy will be posted on our Website with the revised effective date.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us:

CaladanAI, Inc.

  • Email: privacy@caladan.ai
  • Website: caladan.ai

For data protection inquiries or to exercise your rights, please email privacy@caladan.ai with the subject line "Privacy Request" and include:

  • Your name and email address
  • Whether you are a Website Visitor or Platform User
  • The nature of your request
  • Any details that will help us respond

We will respond to all verified requests within thirty (30) days, or within the timeframe required by applicable law.

16. Relationship to Other Agreements

This Privacy Policy is part of the broader CaladanAI legal framework:

  • End-User License Agreement (EULA): Governs the contractual relationship between CaladanAI and Customer organizations, including detailed provisions on Customer Data ownership, Anonymized Data licensing, data portability, and termination.
  • Data Processing Addendum (DPA): Available upon request for Customers requiring additional data processing terms.
  • Sub-Processor List: Current list of third-party service providers.
  • Benchmark-Dependent Features: List of features powered by aggregated anonymized data.