Privacy Policy - TheraLyze.ai

1. Introduction

TheraLyze.ai ("we," "our," or "us") provides AI-powered pharmacovigilance case management software. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

Data Controller: TheraLyze.ai
Contact: privacy@theralyze.ai
DPO: dpo@theralyze.ai

2. Information We Collect

2.1 Account Information

Name and email address (for account creation)
Company domain (for tenant identification)
Country (for regional compliance)
Authentication credentials (hashed passwords, MFA settings)

2.2 Pharmacovigilance Data (Customer Data)

Data you upload to process adverse event reports, including:

Patient information (initials, age, sex, medical history)
Adverse event descriptions
Product and medication details
Reporter and healthcare provider information
Source documents (PDFs, emails, forms)

Important: You are the Data Controller for this information. We process it only per your instructions.

2.3 Technical Information

IP addresses and device information
Browser type and version
Login timestamps and session data
API usage and performance metrics

2.4 Usage Analytics

Feature usage statistics
Processing time metrics
Error logs (anonymized)

3. How We Use Your Information

Purpose	Legal Basis (GDPR)
Provide pharmacovigilance services	Contract performance
Account authentication and access control	Contract performance
Security monitoring and fraud prevention	Legitimate interest
Service improvement and bug fixes	Legitimate interest
Regulatory compliance (GxP, GDPR)	Legal obligation
Customer support	Contract performance

We DO NOT:

❌ Use your data to train AI models
❌ Sell or rent your data to third parties
❌ Share data between different customer tenants
❌ Use pharmacovigilance data for marketing

4. Data Storage and Security

4.1 Location

All data is stored in AWS data centers within the European Union:

Primary: EU-West-1 (Ireland)
Backup: EU-Central-1 (Frankfurt)

4.2 Security Measures

Encryption: AES-256 at rest, TLS 1.3 in transit
Access Control: Multi-factor authentication required
Network Security: VPC isolation, WAF, DDoS protection
Monitoring: 24/7 security operations center
Compliance: ISO 27001, SOC 2 Type II, HIPAA
Backups: Encrypted backups in separate EU region

4.3 Data Isolation

Each customer tenant is logically isolated. Your data is never commingled with other customers' data.

5. Data Sharing and Disclosure

5.1 Service Providers (Sub-processors)

AWS: Cloud infrastructure (EU regions only)
AI Service Providers: Machine learning inference (no training on customer data, EU endpoints)

All sub-processors are GDPR-compliant and bound by data protection agreements.

5.2 Legal Requirements

We may disclose information if required by law, court order, or regulatory authority (e.g., EMA, FDA audit).

5.3 No Third-Party Marketing

We never share your data with advertisers or marketing platforms.

6. Your Rights (GDPR)

As an EU data subject, you have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate information
Erasure: Delete your account and data
Restriction: Limit processing of your data
Portability: Export data in machine-readable format (E2B XML)
Objection: Object to processing based on legitimate interest
Withdraw Consent: Revoke consent at any time

To exercise your rights: Email privacy@theralyze.ai with your request. We respond within 30 days.

7. Data Retention

7.1 Account Data

Retained while your account is active. Deleted within 30 days of account closure unless regulatory requirements apply.

7.2 Pharmacovigilance Data

Sandbox: You can delete anytime. Auto-deleted after 90 days of inactivity.
Production: Retained per your instructions, typically 10 years for regulatory compliance.

7.3 Audit Logs

Security and compliance logs retained for 7 years per GxP requirements.

8. Cookies and Tracking

We use only essential cookies for:

Session management (authentication)
Security (CSRF protection)

We do NOT use:

❌ Analytics cookies (Google Analytics, etc.)
❌ Advertising trackers
❌ Social media pixels

9. International Data Transfers

We do not transfer data outside the EU. If you are outside the EU and use our service, your data is transferred to and processed in the EU under GDPR protections.

10. Children's Privacy

TheraLyze.ai is a B2B service not intended for children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in practices or legal requirements. Material changes will be notified via email 30 days in advance. Continued use after changes constitutes acceptance.

12. Contact Us

For privacy questions, concerns, or to exercise your rights:

Privacy Team: privacy@theralyze.ai
Data Protection Officer: dpo@theralyze.ai
General Support: support@theralyze.ai
Security Issues: security@theralyze.ai

Postal Address:
TheraLyze.ai
[Your registered address]
Ireland

13. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe your privacy rights have been violated.

Irish Data Protection Commission:
Website: www.dataprotection.ie
Phone: +353 57 868 4800