Privacy Statement

Last Updated: March 15, 2026

1. Introduction

BHN Clinical Dashboard ("the Service") is committed to protecting your privacy. This Privacy Statement explains how we collect, use, store, and protect your information when you use the Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Statement. This statement should be read in conjunction with our Terms of Service.

2. Information We Collect

We collect the following types of information:

  • Microsoft Account Information: When you sign in using Microsoft OAuth, we receive and store your email address and display name as provided by Microsoft.
  • Usage Data: We collect information about how you interact with the Service, including pages visited, search queries, features used, and timestamps of activity. This data helps us improve the Service and understand usage patterns.
  • Session Data: Temporary session information required to maintain your authenticated state while using the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Authentication: To verify your identity and provide secure access to the Service.
  • Access Control: To manage user permissions and ensure authorized access to clinical data and features.
  • Service Improvement: To analyze usage patterns and improve the functionality, performance, and user experience of the Service.
  • Communication: To send service-related notifications when necessary.

4. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

  • Session Cookies: Session information is stored in httpOnly cookies that are signed using HMAC-SHA256 to prevent tampering. These cookies are not accessible via client-side JavaScript.
  • Database Storage: User account information and related data are stored in secured PostgreSQL databases with access controls and encryption at rest.
  • Transport Security: All data transmitted between your browser and the Service is encrypted using TLS.

5. Clinical Data Handling

The Service provides access to clinical trial data and research papers. This data is sourced from publicly available registries and databases, including ClinicalTrials.gov and related academic repositories. Clinical trial data presented through the Service does not contain individually identifiable patient information. Research papers and publications are presented in accordance with their original access and licensing terms. We do not modify the underlying clinical data; it is presented as received from the original sources.

6. Cookies

The Service uses the following cookies:

  • hil_session: A session cookie used to maintain your authenticated session. This is an httpOnly cookie signed with HMAC-SHA256 and contains your session identifier. It expires when you sign out or after a period of inactivity.
  • clinical_oauth_state: A temporary cookie used during the Microsoft OAuth authentication flow to prevent cross-site request forgery (CSRF) attacks. This cookie is automatically deleted after the authentication process completes.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

7. Third-Party Services

The Service integrates with the following third-party services:

  • Microsoft OAuth: Used for user authentication. When you sign in, you are redirected to Microsoft's authentication service. Microsoft's use of your data is governed by the Microsoft Privacy Statement.
  • ClinicalTrials.gov API: Used to retrieve clinical trial data. Information about ClinicalTrials.gov's data policies is available on its policy page.

8. Data Retention

We retain your account information for as long as your account remains active or as needed to provide the Service. Usage data may be retained in an aggregated and anonymized form for analytical purposes. Session data is automatically purged upon session expiration or sign-out. If you request account deletion, we will remove your personal data within a reasonable timeframe, subject to any legal obligations requiring longer retention.

9. Your Rights

You have the following rights regarding your personal data:

  • Access: You may request a copy of the personal data we hold about you.
  • Correction: You may request that we correct any inaccurate or incomplete personal data.
  • Deletion: You may request that we delete your personal data, subject to any legal retention requirements.
  • Data Portability: You may request your data in a structured, commonly used, and machine-readable format.

To exercise any of these rights, please contact the BHN Clinical Dashboard administration team through the appropriate internal channels.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly. If you believe we may have inadvertently collected information from a minor, please contact us immediately.

11. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this Privacy Statement periodically to stay informed about how we protect your information.

12. Contact Information

If you have any questions or concerns about this Privacy Statement or our data practices, please contact the BHN Clinical Dashboard administration team through the appropriate internal channels.