Privacy Policy

Trial Beacon is a free, public, pre-screening tool that helps people identify oncology clinical trials for which they may be eligible. Our core privacy commitment is structural: protected health information that you choose to import from a patient portal is processed entirely within your browser and is not transmitted to, stored on, or accessible by Trial Beacon’s servers.

The Service is operated as an informational tool. It is not health care, is not a substitute for professional medical advice, and does not establish a physician-patient or other treatment relationship.

This Policy applies to information collected through the Service. It does not apply to (i) third-party websites or services we link to, including ClinicalTrials.gov and Epic / MyChart, each of which is governed by its own privacy notice; or (ii) the relationship between you and any clinical trial sponsor, investigator, or care provider with whom you may interact as a result of using the Service.

3.1 Information you provide.

You may use the Service without creating an account. The Service does not require, and does not offer, user registration. If you contact us directly (for example, by email), we receive whatever information you choose to share in that communication.

3.2 Information processed locally in your browser.

If you elect to connect a patient portal, your browser authenticates directly with that portal and retrieves health information (such as demographics, conditions, observations, and medications) using a secure authorization protocol (OAuth 2.0 / SMART on FHIR). That information is held in your browser’s memory for the duration of your session and used solely to compute eligibility matches on your device. It is not transmitted to Trial Beacon, persisted to local storage, written to cookies, or otherwise retained after the session ends.

3.3 Information collected automatically.

When you visit the Service, our hosting infrastructure automatically receives standard request metadata, including IP address, user-agent string, requested URL, referrer, and timestamp. We use this information for security, abuse prevention, debugging, and aggregate, non-identifying analytics. We do not combine this metadata with any health information.

3.4 Public trial data.

The Service maintains a database of publicly available clinical trial information sourced from ClinicalTrials.gov and similar public registries, together with derived structured eligibility rules and plain-language summaries. This data is not about you and is not derived from your health information.

We use information for the following purposes:

• To operate, maintain, and improve the Service;
• To compute clinical-trial eligibility matches locally in your browser, when you have authorized a patient-portal connection;
• To monitor for security, fraud, abuse, and technical errors;
• To respond to inquiries you send us and to comply with legal obligations.

We do not sell personal information. We do not use your information for advertising. We do not use any health information to train, fine-tune, or evaluate machine-learning models.

Because Trial Beacon does not receive your health information, we have nothing of that kind to share. With respect to the limited request metadata we do receive, we may disclose it:

• To service providers (such as hosting and infrastructure providers) acting on our behalf and bound by appropriate confidentiality and security obligations;
• To comply with applicable law, valid legal process, or enforceable governmental request;
• To protect the rights, property, or safety of Trial Beacon, our users, or the public; and
• In connection with a corporate transaction (such as a merger, financing, acquisition, or asset sale), subject to customary confidentiality protections.

The Service uses only the minimum cookies and similar technologies required for the site to function (such as preserving your session and security state). We do not use third-party advertising cookies, cross-site tracking pixels, or session replay tools.

Health information loaded from a patient portal exists only in your browser’s memory and is discarded when you disconnect, navigate away, or close the tab. Standard server logs containing request metadata are retained for a limited period consistent with security and operational needs and are then deleted or aggregated.

We use commercially reasonable administrative, technical, and physical safeguards designed to protect information processed through the Service, including transport-layer encryption (HTTPS) for all communications. No method of transmission or storage, however, is perfectly secure. We cannot, and do not, guarantee the absolute security of any information.

Depending on where you live, you may have rights under applicable privacy laws, such as the right to access, correct, delete, or port information about you, or to object to or restrict certain processing. Because the Service does not maintain accounts and does not retain health information on its servers, in most cases there is no personal record for us to access, correct, or delete on your behalf. For inquiries about server-side metadata or to exercise any right that may apply to you, contact us using the information in Section 14.

California residents may have additional rights under the California Consumer Privacy Act (as amended). Residents of the European Economic Area, the United Kingdom, and Switzerland may have rights under the GDPR or analogous laws. We do not engage in “sales” or cross-context behavioral advertising as those terms are defined under such laws.

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, please contact us so we can take appropriate action.

The Service is operated from the United States. If you access the Service from outside the United States, you understand that any server-side metadata we receive may be processed in the United States, which may have data-protection laws that differ from those of your jurisdiction.

12.1 Not a HIPAA covered entity.

Trial Beacon is not a health care provider, health plan, or health care clearinghouse, and does not act as a business associate of any such entity. Accordingly, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) do not govern our handling of information through the Service. The privacy of any health information you choose to load from a patient portal is protected by the architectural design of the Service, by your relationship with your provider, and by the terms governing the patient portal itself, but not by HIPAA as it applies to us.

12.2 Not medical advice.

The Service is informational only. It does not provide medical advice, diagnosis, treatment recommendations, or eligibility determinations. Eligibility for any clinical trial is decided by a qualified clinical investigator, not by the Service. Always discuss any clinical trial with your treating physician or qualified health care provider before acting on information you obtain through the Service. Never disregard professional medical advice or delay seeking it because of something you read on the Service.

12.3 No warranty.

The Service is provided on an “as is” and “as available” basis without warranties of any kind, express or implied, including any warranty of accuracy, completeness, merchantability, fitness for a particular purpose, or non-infringement.

We may update this Policy from time to time. When we do, we will revise the “Effective” date at the top of this page. Material changes will be highlighted on the Service for a reasonable period before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Questions about this Policy or our privacy practices can be directed to privacy@trialbeacon.org.