Privacy Policy
Your information, handled with care.
How we collect, use, and protect the information you share. The plain-language version lives on Privacy & Trust; this is the full policy.
Who we are
ClinicalMatchMate (“we,” “our,” or “us”) operates the website at clinicalmatchmate.com and related services (the “Platform”). Our Platform helps patients and caregivers discover and understand clinical trials that may match their condition, preferences, and location.
Questions about this policy should be directed to privacy@clinicalmatchmate.com.
Information we collect
2a. Information you provide directly
- Contact and account information: If you create an account or submit a contact form, we collect your name and email address (and any message you include). Account identifiers and profile fields are stored in Supabase, our database and authentication provider.
- Intake responses: When you submit the intake form, we store your responses in our Supabase database so your profile and matches can persist. This occurs when you submit the form—an account is not required first; intake submitted without an account is linked to a private token in your browser and can later be claimed by an account. We store: your name, email, date of birth, age, biological sex, and (if provided) height, weight, and pregnancy status; your condition, diagnosis date, severity, biomarkers, other conditions and comorbidities, allergies, current medications, supplements, smoking and alcohol use, prior treatments, and any additional context you enter; your location (ZIP or city and the latitude/longitude derived from it) and travel preferences; and your consent timestamp. Clinical and trial-related text from these fields is sent to our own matching service to generate matches (see Section 4); it is not sent to any third-party AI provider.
- Feedback submissions: If you submit feedback, we collect the content of that feedback and, if you choose to provide it, your email address.
2b. Information collected automatically
- Usage data: Standard server logs, including IP address, browser type, referring page, and pages visited. We use this for security and performance monitoring.
- Session data: If you are logged in, we maintain an authenticated session managed by Supabase. Session identifiers do not contain your health information.
- Product analytics (first-party): We measure how the Platform is used with our own first-party analytics; we do not use third-party analytics or advertising services. We set a random identifier cookie (cmm_aid, kept for up to 13 months after your last visit) and a short-lived session cookie (cmm_sid, expires after 30 minutes of inactivity) to count visits, page views, and clicks. With each event we record the page address, how you arrived (the referring site and any campaign tags in the link you clicked), and a coarse device type (mobile, tablet, or desktop). Analytics events never include your name, contact details, free-text answers, intake responses, or your location. Because the page address is recorded, these events can show which public pages you visit (including condition guide pages, which indicates an interest in a condition), tied only to the random identifier, never to your identity or your intake, and never shared with anyone. Events carry only fixed event names and pre-approved structured values, stored in our Supabase database. Visits from our own team are flagged and excluded from product metrics.
2c. Location data
You enter a ZIP code or location during intake. To rank trials by distance, we send that ZIP to OpenStreetMap’s Nominatim geocoding service to look up approximate latitude and longitude. Your location text and the derived latitude and longitude are stored with your intake row in our database, and are also sent to our matching service so it can rank nearby trial sites. See the OpenStreetMap Foundation Privacy Policy.
How we use your information
We use the information we collect to:
- Generate and display clinical trial matches based on your inputs
- Respond to contact form submissions and feedback
- Authenticate your account and maintain session security
- Monitor and improve Platform performance and reliability
- Understand how visitors find and use the Platform, via our own first-party analytics (see Section 2b) — never for advertising
- Comply with legal obligations
We do not use your health-related responses to build advertising profiles, sell them to data brokers, or use them to train third-party foundation models. Third-party AI APIs process prompts we send them to perform the functions described in Section 4, subject to those vendors’ terms and policies.
Data retention
- Intake responses (with an account): Retained while your account exists. When your account is deleted, related rows that reference your user id (including intake responses, match jobs, and match scores) are removed from our database via cascading delete.
- Intake submitted without an account: If you submit intake but never create or link an account, that unclaimed submission is automatically deleted after 30 days.
- Account data: Retained while your account is active. You can delete your account and its associated data yourself at any time from your account Settings; you may also email privacy@clinicalmatchmate.com to request deletion.
- Contact form submissions: Retained for up to 12 months for follow-up and quality purposes, then deleted.
- Server logs: Retained for up to 90 days for security monitoring.
- Product analytics events: Stored in our database with random identifiers only (see Section 2b); they contain no direct identifiers and are not linked to your account or intake. The cmm_aid cookie that groups them expires 13 months after your last visit.
Security
We use industry-standard practices to protect your data, including TLS encryption in transit, authenticated access via Supabase, and access controls on application routes. No method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
Your rights
Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal data. To exercise these rights, contact us at privacy@clinicalmatchmate.com. We will respond within 30 days.
Children
The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately.
Changes to this policy
We may update this Privacy Policy from time to time. We will indicate the effective date on this page. Continued use of the Platform after changes constitutes acceptance of the updated policy where permitted by law.
Contact us
For privacy-related inquiries, email privacy@clinicalmatchmate.com or use our contact page.
Questions?
Plain answers first.
For how this works in everyday terms, start with Privacy & Trust — then come here for the full text.