Privacy Policy
Effective date: 1 January 2026 — Last updated: 16 April 2026
Clinivion ("Clinivion", "we", "us") operates clinivion.com, nessa.clinivion.com, and app.clinivion.com. This policy explains how we collect, use, and protect information when you use our websites and the Nessa pharmaceutical data integrity platform.
1. Information We Collect
Information you provide:
- Contact information (name, email, company, role) when you request a demo, register for a webinar, or contact us
- Account credentials when you create a Nessa account
- Pharmaceutical data you submit through the Nessa platform (lab results, audit records, equipment data, compliance documentation)
Information collected automatically:
- Usage data including pages visited, features used, and session duration
- Technical data including IP address, browser type, device type, and operating system
- Audit trail metadata generated by the platform (timestamps, user actions, system events)
2. How We Use Your Information
- Provide, maintain, and improve the Nessa data integrity platform
- Generate compliance reports (FDA 21 CFR Part 11, ALCOA+, audit packages)
- Detect data integrity anomalies and security threats
- Respond to enquiries and fulfil demo or webinar requests
- Send service updates and compliance-relevant communications
- Ensure the security and integrity of our systems
3. Pharmaceutical Data & Regulatory Compliance
Data Integrity by Design. Nessa is built to support FDA 21 CFR Part 11, ALCOA+, and EU Annex 11 compliance requirements.
All pharmaceutical data processed through Nessa is protected with:
- Immutable audit trails — every action is logged with cryptographic hash chains (SHA-256). Audit records cannot be modified or deleted.
- Encryption at rest — AES-256-GCM field-level encryption with AWS KMS key management
- Encryption in transit — TLS 1.3 for all data transmission
- Role-based access control — 5 roles (Admin, QA Manager, QA User, Auditor, Viewer) with granular permissions
- Electronic signatures — Ed25519 digital signatures with entry-specific nonces, per 21 CFR 11.50/11.70
- Time integrity — NTP quorum verification (3 sources, 500ms drift tolerance) ensures contemporaneous timestamps
We do not use pharmaceutical data for purposes other than providing and improving our services. We do not train machine learning models on customer pharmaceutical data. Customer data is logically isolated using tenant-based separation with PostgreSQL Row-Level Security.
4. Data Sharing
We do not sell your personal data or pharmaceutical data. We may share information with:
- Service providers operating under confidentiality agreements (hosting, email delivery)
- Regulatory authorities where required by law or in response to valid legal process
- Auditors in connection with GxP compliance reviews, SOC 2 audits, or ISO 27001 certification
We will notify you before sharing pharmaceutical data with any third party, except where prohibited by law.
5. Data Retention
- Pharmaceutical data — retained for a minimum of 15 years per FDA 21 CFR Part 11 requirements, or longer if required by your organization's retention policies
- Audit trail records — retained for the lifetime of the associated data (immutable, cannot be deleted)
- Account data — retained while your account is active, plus 90 days after closure
- Marketing data — retained until you unsubscribe or request deletion
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data and obtain a copy
- Correct inaccurate personal data
- Delete personal data (subject to regulatory retention requirements — pharmaceutical records required by law cannot be deleted)
- Object to processing of your personal data for marketing purposes
- Port your data to another service provider in a structured format
To exercise these rights, contact us at edem@clinivion.com. We will respond within 30 days.
GDPR. If you are in the European Economic Area, we process your data under Article 6(1)(b) (contract performance) and Article 6(1)(f) (legitimate interests in providing secure pharmaceutical data management). Our data processing activities are documented in accordance with Article 30.
7. Cookies & Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising trackers. Analytics are collected via server-side logging only — no client-side tracking scripts are loaded on nessa.clinivion.com.
8. Security
We implement security measures aligned with FDA 21 CFR Part 11 and ISO 27001:
- AES-256-GCM encryption at rest, TLS 1.3 in transit
- Multi-factor authentication (TOTP, WebAuthn/FIDO2)
- Rate limiting and brute-force protection
- Continuous monitoring with automated anomaly detection
- Regular security assessments and penetration testing
For details, see our Security Policy.
9. International Data Transfers
Data may be processed in the European Union (OVH, France) and the United States (AWS). Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children's Privacy
Nessa is a business-to-business platform. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect.
12. Contact
Clinivion
Edem Agbeko, Founder & Data Controller
edem@clinivion.com
clinivion.com