Sponsor Platform
For Pharmaceutical, Biotech & CRO Partners
Privacy Policy
Effective Date: April 8, 2026 | Version 1.0
HEKMA Clinical Intelligence Platform, Inc. | legal@hekma.io
1. Introduction
HEKMA Clinical Intelligence Platform, Inc. (“HEKMA”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal information processed through the HEKMA Sponsor Platform. This Privacy Policy explains what data we collect from Sponsor organizations and their authorized users, how we use it, and your rights.
This policy applies to authorized Sponsor users accessing the HEKMA Sponsor Platform and does not govern data collected about patients or research participants.
2. Data We Collect from Sponsor Users
2.1 Account & Identity Data
- Full name, job title, and professional email address of authorized users
- Organization name, address, and regulatory identifiers (e.g., DUNS number, sponsor IND number)
- Username, hashed passwords, and multi-factor authentication credentials
- Role assignments and system access permissions
2.2 Study & Protocol Data
- Clinical trial protocols, eligibility criteria, and study design parameters you upload to the platform
- Site configurations, investigator assignments, and study milestone data
- Protocol amendments and version histories
2.3 Platform Usage Data
- Log data including IP address, browser type, session timestamps, and feature interaction logs
- Search queries, report exports, and dashboard activity
- Audit trail records required by 21 CFR Part 11
2.4 Communications
- Messages sent through the platform’s sponsor-site communication system
- Support tickets and correspondence with HEKMA’s team
3. How We Use Sponsor Data
We use the data described above for the following purposes:
- Providing, operating, and maintaining the Sponsor Platform
- Authenticating users and enforcing role-based access controls
- Generating AI TrialMatch Engine outputs based on your configured eligibility criteria
- Producing analytics dashboards and study performance reports
- Complying with 21 CFR Part 11 audit trail requirements
- Communicating platform updates, maintenance windows, and security notices
- Improving platform functionality through aggregated, de-identified usage analysis
- Enforcing this Privacy Policy and our Terms and Conditions
4. Legal Basis for Processing (GDPR & US State Laws)
- Contract performance: Processing necessary to deliver the Sponsor Platform services under your Subscription Agreement
- Legitimate interests: Platform security, fraud prevention, and service improvement
- Legal obligation: Compliance with FDA 21 CFR Part 11, HIPAA (as Business Associate where applicable), and applicable data protection laws
- Consent: For any optional communications, analytics participation, or non-essential cookies
5. Data Sharing & Disclosure
HEKMA does not sell Sponsor data. We may share data with:
- Cloud infrastructure providers (e.g., AWS, Azure) under Data Processing Agreements that require equivalent security standards
- Site platform users: Your configured study parameters are shared with Sites you onboard to a Study through the platform
- Regulatory authorities or law enforcement where required by applicable law
- Successor entities in the event of a merger, acquisition, or asset sale, subject to equivalent privacy protections
6. Data Security
HEKMA implements the following security controls for Sponsor Platform data:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls enforcing least-privilege principles
- 21 CFR Part 11-compliant audit trails for all data modifications
- Multi-factor authentication for all sponsor user accounts
- Regular penetration testing and SOC 2 Type II compliance auditing
- Formal data breach notification procedures with 72-hour reporting to affected parties
7. Data Retention
Sponsor account data is retained for the duration of your active Subscription Agreement plus seven (7) years thereafter, or longer if required by applicable clinical trial record-keeping regulations (21 CFR 312.62, ICH E6). Study protocol data that forms part of a regulatory submission record is retained in accordance with FDA and ICH retention requirements.
8. International Data Transfers
HEKMA operates in the United States and UAE. Sponsor data may be processed in both jurisdictions. For transfers of EU/EEA or UK personal data, HEKMA relies on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by GDPR.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: Request a copy of personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of data where legally permissible (note: 21 CFR Part 11 audit trails cannot be deleted)
- Right to portability: Receive your data in a structured, machine-readable format
- Right to object: Object to certain processing activities
- Right to lodge a complaint with a supervisory authority (e.g., your national Data Protection Authority)
To exercise your rights, contact our Data Protection Officer at dpo@hekma.io.
10. Cookies on the Sponsor Platform
The Sponsor Platform uses the following cookies:
- Strictly necessary cookies: Session management and authentication (cannot be disabled)
- Analytics cookies: Aggregated, anonymized usage analytics to improve the platform (opt-out available in platform settings)
We do not use third-party advertising or tracking cookies on the authenticated Sponsor Platform.
11. Contact & Data Protection Officer
HEKMA Clinical Intelligence Platform, Inc.
Data Protection Officer: dpo@hekma.io
Legal & Compliance: legal@hekma.io
Postal: HEKMA CIP Inc., 7250 Redwood Blvd, Suite # 211, Novato, CA 94945