- admin@condrug.com
- Mon - Sat: 8.00 am - 7.00 pm
We develop solutions for your clinical data needs
Privacy Policy
ConDrug – Privacy Policy
Effective Date: November 7, 2025
Entity: Aurealcraft Inc., a Delaware corporation, d/b/a “ConDrug” (“ConDrug,” “we,” “us,” “our”).
Contact (privacy): info@aurealcraft.com
Notices & Mailing: Aurealcraft Inc., [Insert mailing address], Delaware, USA.
This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our websites, applications, APIs, and services (collectively, the “Service”). Capitalized terms not defined here have the meanings in our Terms of Service.
Important: ConDrug is an analytics/information service. We are not a medical device and our outputs require human review. Do not submit Protected Health Information (“PHI”) unless we have a signed Business Associate Agreement (“BAA”).
1) Scope & Roles
- Controller vs. Processor.
- For Customer Data you upload to the Service, you are the controller (or business) and ConDrug acts as your processor (or service provider).
- For our Website/Service telemetry, marketing, and account administration, ConDrug is the controller/business.
- A Data Processing Addendum (DPA) with SCCs/UK IDTA is available for customers subject to GDPR/UK GDPR.
2) Information We Collect
We collect information in three ways: (A) from you, (B) automatically, and (C) from third parties.
A. You Provide
- Account & Billing: name, work email, password, role, company, postal address, VAT/tax IDs, billing contacts, payment tokens (via PCI-compliant processors).
- Content/Customer Data: queries, uploads, notes, tags, report settings, organization settings, custom logos. No PHI without BAA.
- Support/Comms: messages, attachments, survey responses, webinar registrations, consent choices.
- SMS/Voice (optional): phone number and message content only with explicit opt-in.
B. Automatic Collection
- Usage/Telemetry: feature use, clicks, session IDs, query performance, error logs.
- Device/Network: IP address, timestamps, user agent, language, time zone.
- Cookies/SDKs: strictly necessary cookies; with consent where required, analytics and functional cookies. See Section 9.
C. Third Parties
- Identity & Enrichment: CRM/lead tools, conference lists (where lawful), anti-fraud, email deliverability.
- Public/Regulatory Data: e.g., FDA labels/NDC and other public datasets we normalize for analytics.
We do not knowingly collect information from children under 16.
3) How We Use Information (Purposes & Legal Bases)
3.1 Service Operation (contract / legitimate interests)
- Provide, secure, personalize, and maintain the Service; create reports/exports; store settings; respond to support.
- Monitor uptime, diagnose issues, and improve performance and UX.
3.2 Security, Abuse, and Compliance (legal obligation / legitimate interests)
- Fraud, abuse, and intrusion detection; audit logs; enforcing our Terms; regulatory requests.
3.3 Research & Product Improvement (legitimate interests / consent where required)
- Aggregated and de-identified analytics to improve models, search quality, and relevance.
3.4 Marketing & Communications (consent / legitimate interests)
- Service announcements, onboarding, newsletters, webinars, and offers. You may opt out anytime (email footer one-click unsubscribe; SMS STOP/HELP). EEA/UK e-marketing uses consent or soft opt-in as permitted.
3.5 Legal
- Establish, exercise, or defend legal claims; mergers, acquisitions, or financing.
We do not use Customer Data to train foundation models for third parties. We may use Aggregated/De-identified Data derived from Customer Data (without identifying you/your users) to improve and operate the Service.
4) Disclosures & Recipients
We disclose information to:
- Sub-processors/Service Providers: cloud hosting, storage, analytics, email/SMS communications, customer support, payments, security monitoring. We bind them to privacy and security obligations.
- Your Organization: if your account is provisioned by a company domain, your admins can access/manage your account and data.
- Professional Advisors & Auditors: as necessary for business operations.
- Authorities: when required by law or to protect rights, safety, or the Service (we’ll notify you when legally permitted).
- Business Transfers: as part of a merger, acquisition, or asset sale (subject to this Policy’s protections).
We do not “sell” personal information as commonly understood. Under CPRA, we also do not “share” personal information for cross-context behavioral advertising unless expressly stated and controlled via opt-out mechanisms (see Section 11).
5) International Transfers
We are U.S.-based. If you are outside the U.S., your data may be transferred to and processed in the United States and other countries with different laws. Where required, we rely on SCCs and, for UK transfers, IDTA/Addendum. We implement technical and organizational measures appropriate to the risk.
6) Data Retention
We retain Customer Data for the subscription term and up to 30 days after termination to enable export (or longer if required by law or your instructions). We retain account, billing, and audit records as needed for legal, tax, and security purposes. We then delete or de-identify data according to our schedules.
7) Security
We use administrative, technical, and physical safeguards (e.g., encryption in transit, segregated environments, access controls, logging, backups, vulnerability management). No method of transmission or storage is 100% secure; you are responsible for securing your credentials and enforcing least-privilege access in your organization.
8) PHI & Regulated Data
Do not submit PHI or other regulated personal data (e.g., special categories, national IDs) unless we execute a BAA or specific written addendum. We may suspend or delete prohibited content to protect the platform and other customers.
9) Cookies, SDKs & Similar Technologies
- Strictly Necessary: login, session, rate limiting, security.
- Functional/Analytics (with consent where required): product analytics, A/B testing, crash reporting.
- Advertising (limited): we do not run third-party behavioral ads inside the product; if we use remarketing on our website, we will honor regional consent/opt-out controls.
Controls: You can manage cookies via our Cookie Banner/Preferences (EEA/UK/LGPD: consent model) and your browser settings. We honor applicable Global Privacy Control (GPC) signals for opt-out where required. We do not respond to legacy “Do Not Track” signals.
10) AI Features & Automated Decision-Making
Our AI features generate summaries and suggestions based on inputs and public/regulatory data. Outputs may be inaccurate or incomplete and must be reviewed by qualified personnel. We do not make legally or similarly significant decisions about individuals solely by automated means.
11) Your Privacy Rights
11.1 GDPR/UK GDPR (EEA/UK Residents)
- Rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
- How: email info@aurealcraft.com with “Data Rights Request” and your region.
- Controller/Processor: For Customer Data, contact your organization (controller); we assist per the DPA.
- Supervisory Authority: you may lodge a complaint with your data protection authority.
11.2 California (CPRA/CCPA)
- Consumer Rights: know/access (12-month lookback or longer as required), correction, deletion, portability, limit use of sensitive personal information, opt-out of sale/share (if applicable), and non-discrimination.
- Notice at Collection: see Appendix A for categories, sources, purposes, and retention.
- Sensitive Personal Info: we do not use or disclose SPI for purposes requiring a “Limit Use” link.
- Sale/Share: we do not sell/share personal information as defined by CPRA, except as you direct or as strictly necessary to provide the Service as a service provider.
- Verification & Appeals: we will verify your request (e.g., email confirmation; for sensitive actions, additional verification). If we deny, you may appeal by replying to our decision email.
11.3 Brazil (LGPD), Canada (PIPEDA), and Others
We honor similar rights to access, correction, deletion, portability, and objection as applicable under local law.
Exercising rights: contact info@aurealcraft.com. We typically respond within 30 days (45 days for CPRA, with one extension as allowed).
12) Marketing Preferences
- Email: Unsubscribe via the link in any marketing email or update preferences in your account. Transactional/service emails are required for your account.
- SMS: Only with explicit opt-in. Reply STOP to unsubscribe, HELP for help. U.S. messages comply with A2P 10DLC rules.
- Cookies/Ads: Use our Cookie Preferences and GPC where supported.
13) Third-Party Links & Services
The Service may link to third-party sites/services. Their privacy practices are governed by their policies. We are not responsible for third-party content or practices.
14) Changes to This Policy
We may update this Policy from time to time. If changes are material, we will notify you (e.g., email, banner, or in-product notice). Continued use after the effective date constitutes acceptance.
15) Contact Us
Questions, requests, or complaints: info@aurealcraft.com
For DMCA/IP matters: founder@aurealcraft.com
For security reports: founder@aurealcraft.com
Appendix A – CPRA/CCPA Notice at Collection (12-Month Lookback)
| Category (CPRA) | Examples | Source | Purpose | Disclosure to | Retention |
|---|---|---|---|---|---|
| Identifiers | Name, work email, IP, user ID | You; auto; admin | Account, auth, support, security, billing, comms | Cloud hosting, support, email/SMS, payments | Account life + up to 7 yrs (billing/audit) |
| Customer Records | Company, title, billing info | You; admin | Contract, billing, compliance | Payments, accountants | Contract life + 7 yrs |
| Commercial Info | Plan, usage, transactions | Auto; you | Provide & improve Service; prevent abuse | Hosting, analytics, support | Contract life + product analytics windows |
| Internet/Network Activity | Logs, pages, device data | Auto | Security, analytics, product improvement | Hosting, analytics, security | Rolling logs (e.g., 30–365 days) |
| Geolocation (coarse) | Time zone, region | Auto | Localization, security | Hosting, analytics | Minimal; see logs |
| Professional/Employment | Role, department | You | Account context, support | Support, CRM | Contract life |
| Inferences (product only) | Feature engagement segments | Internal | Improve UX/features | None external except processors | Aggregated/de-identified |
| Sensitive PI | None required; optional phone (SMS with opt-in) | You | Auth for SMS alerts | SMS provider (A2P 10DLC) | As long as SMS program active |
Sale/Share: We do not sell or share personal information as defined by CPRA.
SPI Limitation: We do not use SPI for purposes that require a “Limit Use” link.
Appendix B – Cookies & Signals (Overview)
- Necessary: session_id, csrf_token, rate_limit.
- Analytics (consent where required): app_analytics, ab_test, error_tracking.
- Preferences: locale, theme.
- GPC: We interpret Global Privacy Control signals as an opt-out of sale/share and adjust vendors accordingly.
Appendix C – Sub-Processors (Illustrative)
We use reputable providers for: cloud infrastructure, CDN, databases, logging/monitoring, email/SMS delivery, payments, support desk, and analytics. The current list is available upon request or via our Trust page and may change with notice.
Appendix D – Regional Addenda
- EEA/UK: Controller = your organization for Customer Data; ConDrug = processor. We offer DPA with SCCs/UK IDTA, data minimization, and purpose limitation. Lawful bases include contract, legitimate interests, consent, and legal obligations.
- Brazil (LGPD): We act as operator for Customer Data; rights include confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent.
- Canada (PIPEDA): We rely on consent/legitimate interests; data may be stored in the U.S. with contractual protections.
Final Notes
- If you need BAA or validated/GxP use, contact us before submitting any regulated data.
- Keep your admin and privacy contact details current in your account.
- This Policy complements, and does not limit, our Terms of Service.
If you have questions about this Policy, email us at info@aurealcraft.com.