Privacy Policy

This policy applies to visitors to our marketing site, account holders, and users invited by an organization (for example, principal investigators, administrators, and reviewers). If your organization has a separate agreement with us (such as a data processing addendum), that agreement may supplement this policy where it applies to organizational data.

Account and profile data. Name, email, role, institution or organization, and similar identifiers you or your administrator provide.

Content you submit. Research-related materials, messages, files, and metadata needed to operate workflows you use within the Services. Depending on your study, this may include information that is sensitive or regulated under research ethics rules, grant requirements, or health-privacy laws when applicable. You and your institution are responsible for determining what may be submitted and for obtaining appropriate authorizations.

Technical and usage data. IP address, device and browser type, approximate location derived from IP, log data, and product usage events to secure and improve the Services.

Support and communications. Information you send when you contact us or we respond to incidents.

We collect only what we reasonably need to provide the Services, secure accounts, and meet our legal obligations. We do not ask you to provide unnecessary personal data beyond what your workflows require.

We use information to:

• provide, maintain, and secure the Services;
• authenticate users and enforce access controls;
• communicate about the Services, including service and security notices;
• analyze usage in aggregate to improve performance and reliability (without using your research content to train machine learning models—see Section 4);
• comply with law and respond to lawful requests; and
• fulfill other purposes described when we collect information or with your consent.

Operational processing only. Some features may use automated processing or third-party inference APIs (for example, to help summarize text or suggest edits). Such processing runs to deliver the specific feature you invoke within the Services—not to build unrelated products.

We do not use your research content to train models. We do not use your protocols, submissions, attachments, messages, or other study materials to train, fine-tune, or improve general-purpose machine learning models—whether operated by Arbiter or by a third party—for advertising, resale, or broad model development. Your research content is not treated as training data for building or improving foundation models.

Subprocessors and APIs. Where we use vendors that provide model inference, we contract for services appropriate to institutional research and configure processing so that your content is used only to return outputs to you within the Services, consistent with our agreements and the provider’s applicable terms (including restrictions on use for model training where those terms are offered). We do not sell your data to AI vendors for training purposes.

Aggregates and telemetry. We may derive de-identified or aggregated statistics (for example, error rates or latency) to operate and improve the platform. Aggregates do not include your study content in identifiable form.

If the GDPR or similar laws apply, we rely on appropriate bases such as contract (providing the Services), legitimate interests (security and improvement, balanced against your rights), legal obligation, and consent where required.

We may share information:

• Within your organization as configured in the product (for example, routing submissions to reviewers and administrators).
• With service providers who assist us (hosting, email, analytics, security, and—where applicable—inference APIs) under contracts that limit use to providing services to us and, where relevant, prohibit use of your customer data for training their models except as stated in Section 4.
• For legal reasons if we believe disclosure is required by law, regulation, legal process, or to protect rights, safety, and security.
• In connection with a transaction such as a merger or acquisition, subject to appropriate safeguards.

We do not sell your personal information as that term is commonly defined in U.S. state privacy laws.

We retain information for as long as your account is active, as needed to provide the Services, and as required for legal, audit, or contractual purposes. Retention periods may be set by your organization’s administrator where the product allows. When data is no longer needed, we delete or de-identify it in line with our retention schedules and your organization’s instructions where applicable.

We implement administrative, technical, and organizational measures designed to protect information, including role-based access within the product, encryption of data in transit (TLS), and safeguards aligned with the sensitivity of research workflows. Access to production systems is limited to authorized personnel with a legitimate need.

No method of transmission or storage is completely secure; we encourage strong passwords, multi-factor authentication where available, and institutional policies appropriate to sensitive research data.

We may process information in the United States and other countries where we or our providers operate. Where required, we use appropriate safeguards such as standard contractual clauses.

Depending on your location, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing. You may also unsubscribe from marketing emails via the link in those emails. To exercise rights, contact us using the details below. You may lodge a complaint with a data protection authority where applicable.

The Services are not directed to children under 16, and we do not knowingly collect their personal data.

We may update this Privacy Policy from time to time. We will post the revised policy and update the “Last updated” date. Where changes are material, we will provide additional notice as appropriate.

Privacy questions and requests: contact@arbitercp.com