Privacy Policy
Last updated: 2026-05-27
Effective Date: 2026-05-27 Last Updated: May 25, 2026
Quick Summary
This summary is informational. The full Privacy Policy below is the binding document.
- Who we are. Arctuva, Inc., a Delaware corporation. We operate Arctuva, a platform that helps US adults discover paid clinical research studies and apply to them.
- What we collect. Account information (email, phone), self-reported health information (medications, conditions, demographics), study activity, and — if you choose to verify your identity — a verification token from our sister product, Avarithim.
- What we do with it. Match you to studies you may qualify for, operate the platform, communicate with you, and (with your consent) share limited information with research sites you apply to.
- What we don't do. We don't sell your personal information. We don't share your health information with advertisers. We don't process payments between research sites and you — sites pay you directly.
- Your rights. You can access, correct, delete, and export your information. California and Virginia residents have additional rights described below.
- Contact. privacy@arctuva.com | Arctuva, Inc., 1301 N Broadway STE 61913, Los Angeles, CA 90012
1. About This Policy
This Privacy Policy describes how Arctuva, Inc. ("Arctuva," "we," "us," or "our") collects, uses, shares, and protects information when you use the Arctuva platform at arctuva.com and any related services (collectively, the "Services").
By using the Services, you agree to the practices described in this Policy. If you do not agree, please do not use the Services.
Arctuva is intended only for individuals located in the United States who are 18 years of age or older. See Sections 11 and 12.
2. About Arctuva
Arctuva is a clinical research matching platform. We list paid clinical research studies sourced from ClinicalTrials.gov, the public US government registry of clinical trials. Based on information you provide to us, we match you to studies you may qualify for and help you express interest in studies and apply to participate.
We are a recruitment and matching platform. We are not:
- A healthcare provider, healthcare clearinghouse, or health plan
- A research sponsor, research site, or institutional review board (IRB)
- A payment processor for participant payments — when you participate in a study, the research site pays you directly
- A provider of medical advice, diagnosis, or treatment
Our regulatory posture. Arctuva is not a HIPAA Covered Entity or Business Associate. We do not receive protected health information from healthcare providers. We do collect self-reported health information from you, and we apply industry-standard safeguards to that information as described in Section 9 and Section 8.
3. Information We Collect
3.1 Information You Provide to Us
Account information. When you create an Arctuva account, we collect:
- Email address
- Phone number
- Password (stored only as a cryptographic hash; we never see your plaintext password)
- Authentication tokens issued by Amazon Cognito, our identity provider
Profile information. To match you to studies, we ask you to provide:
- Date of birth
- Biological sex and sex assigned at birth
- Race and ethnicity (using US Census taxonomy)
- ZIP code (which we convert to an approximate latitude and longitude for distance-based matching)
- Height, weight, smoking status, and alcohol consumption frequency
- Medications you take
- Health conditions you have or have had
- Prior research participation history
- Availability windows, transportation access, and primary motivation for participating in research
- Maximum distance you are willing to travel for a study
Profile information beyond what is required for basic account creation is optional, but providing more information allows us to match you to more relevant studies.
Pre-account information. Before you create an account, our onboarding funnel may collect information about you to determine which studies might be relevant, including email, phone, demographic information, and information about conditions you are interested in. We retain this pre-account information for up to 30 days unless you create an account, in which case it is associated with your account and retained according to your account preferences.
Communications. When you contact us by email or other means, we collect the content of your communication and any information you provide.
Self-reported earnings (Pro subscribers). If you log earnings from research participation in your account, we collect the study name, amount, payment method, and date. We do not verify these amounts and do not report them to any tax authority. See Section 8 and our Terms of Service.
3.2 Information We Collect Automatically
Device and usage information. When you use the Services, we automatically collect:
- IP address and approximate location derived from your IP address
- Browser type, operating system, and device identifiers
- Pages you visit, features you use, and timestamps of your activity
- Referring website addresses
Cookies and similar technologies. We use cookies and similar technologies as described in our Cookie Policy. Our analytics and session-replay tools load only after you affirmatively consent through our cookie banner.
3.3 Information We Receive from Third Parties
Identity verification (optional). If you choose to verify your identity through Avarithim, our sister product operated by Avarithim, Inc., Avarithim shares with us:
- An Avarithim identifier
- Confirmation that your email address has been verified
- Confirmation that your phone number has been verified
We never receive copies of your identity documents, biometric data, or other underlying verification materials from Avarithim. See Section 5.2 for more on our relationship with Avarithim.
Payment information. When you subscribe to Arctuva Pro, Stripe processes your payment. Stripe shares with us a Stripe customer identifier and subscription metadata. We never receive or store your full payment card details.
4. How We Use Your Information
We use your information to:
- Provide the Services. Match you to clinical research studies, display studies you may qualify for, and facilitate your expression of interest in or application to studies.
- Maintain your account. Authenticate you, manage your account preferences, and provide customer support.
- Communicate with you. Send you transactional emails (account verification, security alerts, application status), and — if you have opted in — marketing communications about new features, relevant studies, or platform updates.
- Operate and improve the platform. Analyze platform usage in aggregate to improve our matching algorithms, fix bugs, and develop new features.
- Process subscriptions. Manage your Arctuva Pro subscription, billing, and refunds.
- Protect the Services. Detect, investigate, and prevent fraudulent, unauthorized, or unlawful activity, and enforce our Terms of Service.
- Comply with legal obligations. Respond to lawful requests from public authorities and meet our legal, regulatory, and audit obligations.
We do not use your information to:
- Sell it to data brokers, advertisers, or other third parties
- Train artificial intelligence models on your personal or health information
- Make automated decisions that produce legal or similarly significant effects on you without human review
5. How We Share Your Information
5.1 Service Providers
We share information with service providers that help us operate the Services. These providers act on our behalf under contract and are restricted from using your information for any purpose other than providing services to us.
| Service Provider | Purpose | Information Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, authentication (Cognito), database (RDS), encryption (KMS), file storage (S3), monitoring (CloudWatch), and message queuing (SQS) | All information you provide is stored on AWS infrastructure under a Business Associate Addendum |
| Stripe | Subscription billing and payment processing | Email, name (collected by Stripe), payment card information (collected and stored by Stripe; not by Arctuva), and subscription metadata |
| Postmark | Transactional and marketing email delivery, and inbound email processing | Email address, message content, and email engagement events |
| PostHog | Product analytics and session replay (loaded only with your consent) | Anonymous usage data, page views, click patterns; all form inputs and text content are masked; no personally identifiable information, health information, contact information, or compensation amounts are captured |
| Sentry | Error monitoring | Error messages, stack traces, and request paths. Personally identifiable information is filtered before transmission. |
| Better Stack | Uptime monitoring | Server health-check responses only; no participant data |
| Google Workspace | Email aliases (support@, privacy@, legal@, etc.) | Whatever is sent to or received at those addresses |
5.2 Avarithim, Inc. (Cross-Product Data Sharing)
Avarithim, Inc. ("Avarithim") is our sister company. Avarithim and Arctuva are both controlled by the same founder and operate within the same corporate family, but they are separate legal entities, and information sharing between them is governed by a written data sharing agreement.
Avarithim is optional. You can use Arctuva without verifying your identity through Avarithim. However, certain features may require Avarithim verification.
If you choose to connect Avarithim, you will be presented with a separate, dedicated consent screen — apart from any Avarithim sign-in screen — that describes the specific data flows below. Connecting Avarithim is not the same as accepting this Privacy Policy. You must affirmatively consent to cross-product sharing on that screen.
What flows from Avarithim to Arctuva:
- Your Avarithim identifier
- Confirmation that your email is verified
- Confirmation that your phone is verified
What flows from Arctuva to Avarithim (only if you connect):
- Verification milestone events (which tier of verification you have completed)
- Reliability score updates (a single integer score reflecting your platform reputation)
- In future versions: earnings bracket markers (e.g., "over $500") and study-category indicators (e.g., "drug," "device") — never specific dollar amounts, never study names, never health conditions
What never flows between Arctuva and Avarithim:
- Your health conditions or medications
- Specific studies you have viewed, expressed interest in, or applied to
- Specific dollar amounts of earnings
- Your profile responses to onboarding questions
- Any information you exchange with research sites through Arctuva
You can disconnect Avarithim from your Arctuva account at any time through your account settings. Disconnecting stops future data flow but does not retroactively delete information already shared.
5.3 Research Institutions and Sites
When you express interest in or apply to a clinical research study, we may share information with the research site or sponsor running the study, but only the information necessary for that specific study and only with your consent at the point of application.
The information shared may include:
- Your contact information (so the site can reach you)
- Profile information relevant to the study's eligibility criteria
- Your responses to study-specific pre-screening questions
Each application is a separate consent event. You will see what information is being shared before submitting an application. Research sites are independent of Arctuva; their use of your information is governed by their own privacy practices and the informed consent forms they provide to you when you enroll in their studies.
5.4 Anthropic, PBC (AI Processing of Public Study Data)
We use Anthropic's Claude API to interpret and structure public information about clinical research studies — specifically, eligibility criteria text and compensation amounts published on ClinicalTrials.gov. We do not send any information about you, your profile, your account, or your activity to Anthropic. Only public study text from ClinicalTrials.gov is processed through Anthropic's API.
We disclose this for transparency, even though no personal information is involved.
5.5 Legal and Safety
We may share information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, valid legal process (such as a subpoena, court order, or warrant), or government request
- Protect the rights, property, or safety of Arctuva, our users, or others
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service or other agreements
Our approach to law enforcement requests is described in our Law Enforcement Request Policy.
5.6 Corporate Transactions
If Arctuva is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you (by email or a prominent notice on the Services) of any change in ownership or use of your information, and any choices you may have.
5.7 No Sale of Personal Information
Arctuva does not sell your personal information, and we have not sold personal information in the preceding 12 months.
Arctuva does not share your personal information for cross-context behavioral advertising, and we have not done so in the preceding 12 months.
We honor Global Privacy Control (GPC) signals as opt-out preference signals where applicable law requires.
5.8 Not a Data Broker
Arctuva is not a "data broker" as defined under California Civil Code § 1798.99.80. We collect personal information directly from the individuals to whom it pertains and maintain a direct relationship with each of our users.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Services, and as required to comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
| Category | Retention Period |
|---|---|
| Account information (email, phone, profile) | Until you delete your account, then 30 days for reversal, then deleted or anonymized |
| Self-reported health information | Until you delete your account, then deleted (encryption keys are destroyed) |
| Pre-account funnel information | 30 days from last activity, then deleted; or transferred to your account if you create one |
| Application and engagement records | Anonymized at account deletion (user identifier removed; aggregate retained for platform analytics) |
| Subscription and payment records | 7 years after termination, for tax and audit purposes |
| Audit logs of access to your information | 7 years |
| Marketing email suppression lists | Indefinitely, to honor your opt-out |
| Avarithim verification tokens | Deleted on account deletion or Avarithim disconnect |
Detailed retention rules are codified in our internal Records Retention Schedule, which is reviewed annually.
7. Your Privacy Rights
You have rights regarding your personal information. Some rights are available to all users; others depend on your state of residence.
7.1 Rights Available to All Users
- Access. You can view and download your profile information at any time through your account settings, including a complete data export bundle.
- Correction. You can update or correct your information at any time through your account settings.
- Deletion. You can request deletion of your account and personal information at any time. After verification, your account enters a 30-day reversal window, after which information is deleted or anonymized as described in Section 6.
- Communication preferences. You can opt out of marketing emails at any time through your account settings or by clicking the unsubscribe link in any marketing email. Transactional emails (account verification, security alerts, billing) are required to use the Services and cannot be opted out of while your account is active.
7.2 California Residents (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know. You can request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete. You can request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct. You can request that we correct inaccurate personal information we maintain about you.
- Right to limit use of sensitive personal information. You can request that we limit our use of your sensitive personal information (which includes your precise geolocation, racial or ethnic origin, and health information) to the purposes necessary to provide the Services. We do not use sensitive personal information for purposes beyond those described in this Policy.
- Right to opt out of sale or sharing. Arctuva does not sell or share personal information for cross-context behavioral advertising. You have the right to opt out at any time even though no active opt-out is presently required.
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights.
To exercise any of these rights, email privacy@arctuva.com from the email address associated with your account, or use the in-account tools at /account/privacy. We will respond within 45 days (extendable by an additional 45 days when reasonably necessary, with notice to you).
We may need to verify your identity before processing certain requests. For deletion and access requests, verification typically consists of confirming control of the email address associated with your account; for higher-risk requests, we may require additional verification.
You may designate an authorized agent to make a request on your behalf. We will require written authorization signed by you and may require verification of your identity directly with us.
7.3 Virginia Residents (VCDPA)
If you are a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act:
- Right to access. Confirm whether we process your personal data and access that data.
- Right to correct. Correct inaccuracies in your personal data.
- Right to delete. Delete personal data we process about you.
- Right to data portability. Obtain a copy of your personal data in a portable, machine-readable format.
- Right to opt out. Opt out of the processing of your personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Arctuva does not engage in any of these activities.
To exercise these rights, email privacy@arctuva.com. We will respond within 45 days. If we decline to act on your request, you may appeal by emailing privacy@arctuva.com with the subject line "Appeal" within 30 days of our decision. We will respond to appeals within 60 days. If your appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us.
7.4 Other US States
Residents of Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights substantially similar to those described above. To exercise such rights, contact us at privacy@arctuva.com.
8. Health-Adjacent Information
Arctuva is not a HIPAA Covered Entity, and the information you provide to Arctuva is not protected health information ("PHI") under HIPAA. HIPAA applies to information held by healthcare providers, health plans, healthcare clearinghouses, and their business associates. Arctuva is none of these.
However, we understand that information about your health is sensitive, and we apply heightened safeguards regardless of whether HIPAA legally requires them. Specifically:
- Field-level encryption. Information about your medications, health conditions, prior research participation, and date of birth is encrypted at the database column level using AWS Key Management Service (KMS), with encryption keys that are themselves access-controlled.
- Audit logging. Every read of your health-adjacent information by Arctuva systems or personnel is logged with the actor, timestamp, IP address, and outcome. Audit logs are retained for seven years.
- Access controls. Internal access to health-adjacent information is restricted to a named set of personnel with a documented business need, subject to dual-control requirements for bulk access, and reviewed quarterly.
- Business Associate Addendum with AWS. While not legally required, we maintain a BAA with AWS as our infrastructure provider.
When you connect with a research site through Arctuva, the site may collect medical records, diagnostic results, and other PHI from you directly as part of the study enrollment process. That information is held by the research site, not by Arctuva, and is subject to HIPAA (because the site is typically a Covered Entity) and to the informed consent forms you sign with the site.
9. Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest (AWS-managed encryption for all storage)
- Field-level encryption for sensitive categories (health-adjacent information and date of birth)
- Multi-factor authentication for all administrative access
- Continuous monitoring and alerting for unusual access patterns
- Regular security reviews and penetration testing
- Employee training on privacy and security practices
No security program is perfect. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a breach involving your information, we will notify you in accordance with applicable law. Our Breach Notification policy is reviewed annually.
10. Cookies and Similar Technologies
We use cookies and similar technologies as described in our Cookie Policy. In summary:
- Strictly necessary cookies (authentication, session management) are set without consent.
- Functional cookies (remembering your onboarding progress) are set without consent.
- Analytics cookies (PostHog) load only after you affirmatively accept through our consent banner. You can change your preference at any time.
11. International Users
Arctuva is intended only for users located in the United States. We do not target our Services to users outside the US, and the Services are not designed to comply with GDPR, UK GDPR, or other non-US data protection regimes.
If you are accessing Arctuva from outside the US, please be aware that information you provide will be transferred to, stored, and processed in the United States, where data protection laws differ from those of your country. By using the Services, you consent to this transfer and processing.
12. Children's Privacy
Arctuva is intended only for individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not use the Services and do not provide any information to us.
If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@arctuva.com.
We do not knowingly collect personal information from children under 13 and do not direct the Services to children under 13. The Services are not subject to the Children's Online Privacy Protection Act (COPPA) because they are not directed to children.
13. Third-Party Links and Services
The Services may contain links to third-party websites, including ClinicalTrials.gov and research site websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party websites you visit.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and post a prominent notice on the Services before the changes take effect. Non-material changes (such as clarifications or formatting updates) may be made without prior notice; we will update the "Last Updated" date at the top of this Policy.
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the updated Policy.
15. Contact Us
For questions, concerns, or to exercise your privacy rights, contact us:
Email: privacy@arctuva.com
Mail: Arctuva, Inc. Attn: Privacy Officer 1301 N Broadway STE 61913 Los Angeles, CA 90012
Response time. We aim to respond to all privacy inquiries within 5 business days. Formal rights requests under CCPA, CDPA, or other privacy laws are subject to the response timeframes described in Section 7.
Appendix A — Notice at Collection (California)
This Notice at Collection is provided in compliance with the California Consumer Privacy Act. It summarizes the categories of personal information we collect, the purposes for which we collect it, and your rights. The full Privacy Policy above provides additional detail.
Categories of Personal Information We Collect
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, phone number, IP address, account identifiers | Yes |
| Customer records | Account information, billing information | Yes |
| Protected classifications | Age, sex, race, ethnicity | Yes |
| Commercial information | Subscription history, study application history | Yes |
| Internet activity | Browsing and usage of the Services | Yes |
| Geolocation | Approximate location derived from ZIP code and IP address | Yes (approximate only) |
| Sensory data | Audio, video | No |
| Professional information | Employment information | No |
| Education information | School records | No |
| Inferences | Match scores, study recommendations | Yes |
| Sensitive personal information | Health conditions, medications, racial/ethnic origin, precise geolocation | Yes (health-adjacent and demographic only; we do not collect precise geolocation, government IDs, biometric data, or contents of mail/email/text messages) |
Purposes for Which We Collect
- Provide and operate the Services
- Match users to clinical research studies
- Communicate with users about their accounts and the Services
- Process subscriptions and billing
- Protect the Services from fraud and abuse
- Comply with legal obligations
Sale or Sharing
We do not sell or share personal information as those terms are defined under the CCPA.
Retention
Personal information is retained as described in Section 6 of the full Privacy Policy.
Your Rights
You have the right to know, delete, correct, and limit the use of your sensitive personal information, as described in Section 7 of the full Privacy Policy.
To exercise your rights, contact privacy@arctuva.com.
End of Policy