Privacy policy
Last updated: 20 May 2026 (version 2.0).
This policy describes, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of 6 January 1978 as amended, how Protocolis processes your personal data.
1. Data controller
The data controller is the publisher of the Protocolis platform, identified in the legal notice. The legal structure of the company is being incorporated; during this phase, the designated publication director acts as the data controller.
No Data Protection Officer (DPO) has been appointed at this stage, as the organisation is not subject to that obligation. Any request relating to your data should be sent to: contact@protocolis.fr.
2. Scope and explicit exclusion of patient data
Protocolis is a tool intended for clinical research professionals (investigators, research offices, methodologists, sponsors). The service covers the drafting of preparatory documents (synopsis, protocol, regulatory qualification, regulatory chat).
Protocolis does not process any personal data relating to a patient or a research participant. No identifying health data is intended to be entered or uploaded to the platform. Users undertake not to transmit such data. The clinical examples processed (methodology, objectives, endpoints) relate to the design of the study, not to patient data.
3. Data processed
3.1. Identification data
- Email address
- Password (stored as a bcrypt hash, never in plain text)
- Name, role, institution (provided during onboarding)
3.2. Business data
- Content of synopses and protocols drafted (text, classifications, bibliographic references)
- Conversations with the AI assistant (synopsis, protocol, regulatory chat)
- Documents uploaded (PDF, Word) for regulatory qualification
- Study metadata (status, modification dates, sharing with collaborators)
3.3. Technical data
- Connection logs and IP address (security)
- Interface preferences (table/card view, sort, filters) — stored locally in the browser via
localStorage - Anonymous audience measurement data (see § 8)
4. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service delivery (drafting, generation, classification) | Performance of the contract (art. 6.1.b GDPR) |
| Account creation and management | Performance of the contract (art. 6.1.b GDPR) |
| Service security and fraud prevention | Legitimate interest (art. 6.1.f GDPR) |
| Anonymous usage statistics | Legitimate interest (art. 6.1.f GDPR) |
| Product communication (newsletters, beta feedback) | Consent (art. 6.1.a GDPR) — opt-in at sign-up |
| Billing and accounting obligations (once paid service is active) | Legal obligation (art. 6.1.c GDPR) |
5. Processors and recipients
To deliver the service, Protocolis relies on the processors (within the meaning of article 28 of the GDPR) listed below. All are bound by a Data Processing Agreement (DPA) or equivalent contractual conditions, guaranteeing the confidentiality and security of processing.
| Processor | Service | Data transmitted | Location | Transfer mechanism |
|---|---|---|---|---|
| Anthropic, PBC privacy / DPA | Claude language model — AI drafting and classification | Synopsis / protocol text, AI conversations, uploaded PDF documents | United States | EU-US Standard Contractual Clauses (SCCs) Anthropic does not reuse customer data to train its models (contractual commitment via the commercial API). |
| OpenAI, LLC privacy / DPA | Embeddings model text-embedding-3-small — indexing of the regulatory corpus (public sources) | No user data. Only the text of public regulatory sources (CNIL, Jardé Act, ICH, EUR-Lex, Légifrance) during weekly indexing. | United States | EU-US SCCs No reuse for training (enterprise API). |
| Resend, Inc. privacy / DPA | Transactional emails (verification, reset) | Email address, content of the email sent | United States (AWS infrastructure) | EU-US SCCs |
| Umami Software, Inc. privacy | Anonymous audience measurement | Page views, device type, country — aggregated, with no individual identification, no cookie | European Union (EU-hosted infrastructure) | No transfer outside the EU |
| Airtable, Inc. (admin / CRM access) privacy / DPA | Read-only export of the account list (email, name, institution, status) for customer relationship management by the Protocolis team | Email, name, role, institution, sign-up date | United States | EU-US SCCs |
| Stripe Payments Europe, Ltd. (planned for July 2026) privacy / DPA | Payment processing for paid plans | Email, name, card data (never stored by Protocolis, collected directly by Stripe) | Ireland, with transfers to the United States for Stripe Inc. | EU-US SCCs |
5.1. External public sources (no user data transfer)
Protocolis periodically queries the following public databases to keep its regulatory corpus up to date. These queries carry no personal data:
- Légifrance (PISTE API — DILA, French public service): articles of the Public Health Code
- EUR-Lex (Publications Office of the EU): Regulation (EU) 536/2014
6. Sharing between users
Investigators may share a study with one or more collaborators (typically their research office or DRCI team). This sharing takes place exclusively at the initiative of the investigator, through an explicit email invitation. Invited collaborators may view and edit the shared synopsis and protocol.
Investigators may revoke any share at any time from the study interface. No automatic sharing between users takes place without this manual action.
7. Transfers outside the European Union
Some processors (Anthropic, OpenAI, Resend, Airtable, Stripe) are established outside the European Union, mainly in the United States. Each of these transfers is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, complemented where applicable by the additional technical and organisational measures recommended by the European Data Protection Board.
Service delivery by Anthropic and OpenAI is strictly bound by enterprise terms prohibiting the reuse of customer data to train their models.
8. Cookies and trackers
Protocolis exclusively uses strictly necessary technical cookies for the operation of the service (authentication, session). No advertising or third-party tracking cookies are used. Consent is therefore not required for these cookies under CNIL Deliberation 2020-091.
Audience measurement is handled by Umami, without any cookie and without collecting personal data, in line with the exemptions provided by the CNIL for audience measurement tools (recommendation of 6 May 2021).
Interface preferences (table or card view, sort, filters) are stored locally in your browser via localStorage. They never leave your device.
9. Retention period
| Category | Duration |
|---|---|
| Account data (active account) | As long as the account is not deleted |
| Account data (after deletion) | Deleted within 30 days |
| Studies and conversations | As long as the user keeps them; immediate deletion when triggered from the interface |
| PDF / Word documents uploaded for qualification | Not stored long-term. Forwarded to Anthropic for analysis, then destroyed on the Protocolis side as soon as processing ends (a few seconds). |
| Technical connection logs | 12 months |
| Database backups | Latest 7 daily backups (rolling) |
| Billing data (once paid service is active) | 10 years (statutory accounting obligation) |
10. Your rights
You may exercise the following rights at any time:
- Right of access (art. 15 GDPR): obtain a copy of your data
- Right to rectification (art. 16 GDPR): correct inaccurate data
- Right to erasure (art. 17 GDPR): delete your account and your data
- Right to portability (art. 20 GDPR): receive your studies in a reusable format (Word, JSON on request)
- Right to object (art. 21 GDPR): object to processing based on legitimate interest
- Right to restriction (art. 18 GDPR): freeze processing during a verification
- Right to give directives on the fate of your data after your death (art. 85 of the French Data Protection Act)
To exercise these rights, write to contact@protocolis.fr. A response will be provided within one month, in accordance with article 12 of the GDPR.
You also have the right to lodge a complaint with the CNIL (3 place de Fontenoy — TSA 80715 — 75334 Paris CEDEX 07, cnil.fr).
11. Security
Technical and organisational measures implemented:
- Encryption of all communications via TLS 1.2+ (HTTPS)
- Passwords stored with bcrypt (cost factor 10+)
- Per-user data isolation in the database
- Daily encrypted backups (7-day rolling retention)
- Infrastructure access restricted to what is strictly necessary
- No shared passwords; regular rotation of secrets
- Automated tests (~970 tests) and secure continuous deployment
12. Explicit commitments
- We do not reuse your studies to train AI models
- We do not sell your data
- We do not share your data with third parties other than the processors listed in § 5
- We collect no patient data (see § 2)
13. Changes
This policy may be updated to reflect changes in the service or in legal obligations. Any substantial change is notified to users (in-app notification or email) at least 15 days before it takes effect. The version in force is always dated at the top of this document.
14. Contact
For any question regarding the protection of your data:
Email: contact@protocolis.fr