Legal

Privacy Policy

Last updated: 2026-05-21

In development

Our full Privacy Policy is being finalized with legal counsel.

We’ll publish the complete document here when it’s finalized. In the meantime, this page documents the practices we already follow today.

What we already do

  • Minimum data collection. We collect only what's required to match you to studies and to comply with research-recruitment regulations. We don't ask for data we don't need.
  • Field-level encryption at rest. Sensitive health data — date of birth, medications, conditions, identity tokens — is encrypted with AWS KMS data keys at the column level. Plaintext is never written to long-term storage.
  • No third-party sale. We don't sell your data. Study coordinators see only the information necessary to evaluate your eligibility for their specific study.
  • Avarithim is cryptographic. Identity verification through Avarithim uses cryptographic proof — Arctuva never stores your raw identity documents.
  • Audit-logged PHI access. Every read of encrypted health data produces an audit_log entry with the actor, request IP, and outcome. Available to your compliance team or to you on request.
Questions

About a specific data-handling question?

Email privacy@arctuva.com or use the contact page.