Trialflare logo
PlatformHow it worksSecurity
LoginSee a demo

Privacy Policy

This policy is designed to be accessible, understandable, and easy to read without legal and other jargon. If you have any comments, questions, or concerns about this policy, please get in touch with us by emailing

Trialflare and its services and websites at (and any subdomains of) ('our services', Trialflare, etc.) is owned and operated by Seastorm Limited (‘we’, ‘our’, ‘us’, etc.). Seastorm Limited is a company registered in England and Wales, with company number 11867862 and registered office at 141 Albany Road, Cardiff, CF24 3NT.

This policy governs our use and protection of personal data of people (‘users’, ‘you’, etc.) using any and all of our services.

Data protection, as governed by the General Data Protection Regulation (GDPR), refers to the responsible security of personal data and transparency in the way we handle and process such data.

This document will have slight changes made to it occasionally. If there are more significant changes made that affect you, and if we have personal data about you, we will do our best to notify you of these changes.

We take the collection and handling of personal data very seriously, and this Policy aims to make clear our purposes and methods for collecting and processing any personal data we may have about you.


Seastorm Limited is registered with the Information Commissioner's Office (ICO), with registration number ZA503096. For more information on what this means and about data protection in general, please visit the "Your Data Matters" page on the ICO website:

Data Protection Officer

Seastorm has a dedicated Data Protection Officer (DPO). For any questions regarding this or to raise a query, please email


If you would like to complain about this policy, or how we may have treated a request from you with respect to data protection, then please get in touch with us in the first case so that we can help rectify the problem.

In other cases, you may also want to get in touch with the Information Comissioner's Office (ICO), who may be able to provide you with more information and support. Their website is at

Data controller

We act as Data Controller for all people who use our services on behalf of their company, group, or team who is a licence-holder of our services (for example, staff in a licence-paying organisation). As such, any rights to be exercised against or queries about such people's personal data should be directed to the email address at the top of this Policy.

However, we do not act as Data Controller for participants taking part in trials you create, and the data they contribute. As such, you will need to have the relevant policies and protections in place to ensure that you safeguard access to their data both via and outside the use of our services. You should also make participants aware of your Policies, and display them where appropriate. Trialflare lets you display a Policy when setting up a trial. We use industry best practice to secure participant data but we do not ask that participants agree to this particular Policy before they take part in a trial.

This policy is relevant to people who browse our website, but does not include or pertain to data collected as part of a trial.

Key information

Personal data

Personal data does have a legal definition, but in general it refers to any data that, on its own or in conjunction with other available data, can be used to identify an individual person.

Data processors

In order to provide access to our services to users, we sometimes need to pass pieces of your personal data to third-party services (known as ‘data processors’ for the purposes of the GDPR). We only ever do this when we absolutely need to, and only send the minimum amount of information required. For example, we may need to do this in order to handle your payments (through Stripe) or to send you emails (through Mailgun).

Please note that we continuously review data processors we use, and ensure that their privacy policies and our contracts with them follow suitable data protection practices. If you have any questions or concerns around our data processors, then please contact us.

Usage examples

The remainder of this policy describes our practices relating to processing and securing your private data. This section gives an indication of the processing of your personal data under different scenarios in using our services. Any and all personal data you provide to us through using our services is protected by this policy.

Visiting and browsing our services

When you visit our services using a web browser, we collect some data about your computer and the way our services are used by you. We do not collect your name or other details about you at this stage, but we may process information such as your computing device’s location, its IP address, and details about relevant software your device may be running. This data is processed by Google Analytics (for tracking aggregated use of our services, so that we can better understand how to improve our services for their audiences).

Sending us an email

Sometimes you may wish to send an email to us or reply to an email we have sent you. Any emails received will be treated in confidence and kept securely. Strong passwords and multi-factor authentication is implemented on all email accounts that can receive such emails.

Using contact forms on our services

Some of our services have contact forms that enable you to communicate with us and to ask us questions. Such forms may ask for information about you (such as your name and contact details), which enables us to reply to you and to allows us to understand more about your particular query.

Using such forms usually results in the details you submit being compiled into an email and sent to a member of our team, who will handle your query. As such, users should treat such forms in the same way as they would if they were to send an email to us (please see above).

Signing-up for an account with our services

Some of our services allow you to register for an account with us. This is the primary way by which we collect personal data from you, since such data is needed in order to identify you when you want to login and use these services (please see the section covering our lawful basis for collecting data below). We refer to this data as ‘application data’.

Such data might initially include a username and an email address, but may go on to collect further details, such as a bio and other details needed to set-up a profile. All application data is stored in secure databases. Such applications may utilise further data processors in order to provide you with their services. For example, Stripe may be used to handle billing and Mailgun may be used to send you emails.

Policy details

Legal basis for storing and processing personal data

Whenever we can, we will indicate to you a brief summary of why and how we are asking for your information, along with a link to this privacy policy, for you to view before you submit any information to us. This section describes our legal basis for collecting and processing this data.

Where appropriate, we will obtain your explicit consent to hold and process your personal data before it will do so. If you do not give your consent, or if you withdraw your consent, then we will stop storing and processing your personal details with respect to the specific consent that you withdrew.

In other scenarios, we may use a legitimate interest of providing our services to you as a basis for storing and processing your data. For example, we generally require that account-holders on our services provide some information (including a name and email address) for the purposes of maintaining the account. In these cases, we cannot use consent, since this data is required in order to provide you with this part of our service.

In either case, our storage and processing of your personal data is entirely subject to your rights, as set out in the GDPR, which are outlined below. For example, even if we do have a legal basis to maintain your personal data, you have the right to ask us (and we have an obligation) to stop processing that data.

Information we may collect about you

We will collect information about you when you use our services (including setting up accounts or contacting us). This information may include personal data, such as your name, your contact details, and other data necessary for us to provide our services to you or necessary for you to get the most out of our services.

Additionally, we may collect other types of data which might, in concert with other types of available data, be constituted as personal data. This could include your location, internet address, operating system type and version, your browser software, and links you clicked on in order to visit our services. This type of information is useful for us to see how people use our services, and to find the best ways to improve them.

Information from other sources

From time to time we may receive information about you from other sources. We may add this to information we already hold about you. At any time you can find out what information we hold about you by emailing our DPO.

Child safety

Children under the age of 16 are not allowed to use our services or to directly provide us with personal data. As such, we do not knowingly store or process personal data relating to children under the age of 16. If users become aware of our storage and/or processing of the personal data of such people, they should contact us immediately, and any such data may be immediately deleted without warning.

How long we keep data for

We keep data for as long as we need to in order to provide you with our services or, subject to your rights below, as long as we need in order to conduct ongoing communications (such as newsletters). For example, if you choose to delete an account you may have with us we will immediately remove all application data about you and which you have contributed. Data held in backup systems may be held for up to 30 days after such an event before it too is deleted.

How we use your information

We primarily use your data solely for the purposes of providing you with our services which you choose to sign-up for.

Specifically, we use it for:

  • Supporting accounts that you sign-up for;
  • Enabling higher-level account holders to identify you (for example, staff in your own organisation/institution that use or subscribe to our services may view data about you);
  • Supporting newsletters and other subscriptions that you opt-in to;
  • Sending you company and relevant updates by email, such as news and important changes (from us - we do not provide your data to third parties for these purposes);
  • Sending you marketing information by email (from us - we do not provide your data to third parties for these purposes);
  • Billing, and administration of services of products you purchase from or use through us;
  • Research into usage and behaviour for improving and changing our services, including personalisation to your needs;
  • Improving security and detecting fraud.

Who we give your data to

Generally, we do not provide your information or personal data to third parties aside from to:

- Data processors whom we may need to give some data to in order to provide our services to you. For example, this may include (but is not limited to): Stripe (for billing); Mailgun (for sending automated emails - such as “forgotten password” emails) and for marketing campaigns and updates, if necessary; Google Analytics (so that we can analyse how people use our services so that we can improve them); Companies or other entities who may merge with or purchase our company. In such an event, you will be contacted if factors relating to your privacy are changed, or to ask for your consent to continue processing your data if there are significant changes. Government agencies (such as HMRC) for the purposes of security, fraud prevention, and other official purposes.

Geographic location of your data

Where possible, and in general, your personal data is stored in (or on servers in) the European Economic Area (EEA). In some cases, we transfer your data to data processors in countries outside of the EEA (generally only the United States). This may include, for example, Google Analytics, and Stripe.

In such cases, we ensure that such data processors we use either adhere to the EU-US Privacy Shield (a framework governing transatlantic personal data exchanges between the EU and the US designed to protect EU citizens) or - at the very least - have strict privacy practices that protect your data.

Data transmission

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, We cannot guarantee the security of your data transmitted to our services; any transmission is at your own risk. Once we have received your information, We will use strict procedures and security features to try to prevent unauthorised access.

Your rights

We take the handling of personal data very seriously, and we want to make sure that our users are aware of their rights.

If your wish to invoke your rights requires us to complete some action on your behalf (for example, to stop processing your data), then we will always deal with your request in total confidence, at no cost, and as soon as we can (within 30 days of receiving your request).

In order to discuss your rights, or to make a request in exercising a right, please get in touch with our DPO using the details near the top of this Policy.

Right to be informed

You have a right to know about how we handle and process your personal data. This Privacy Policy aims to fulfil this Right, but please email us if you have further questions or concerns.

Right of access

You have a right to know if we store or process your personal data and to obtain access to the personal data about you that we, or any data processors that process data on our behalf, have about you. To obtain this information, please email us.

Right to rectification

You have a right to have personal data we keep or process about you rectified. If data we have about you is incorrect or incomplete, then please email us with details of any corrections to be made.

Right to erasure

You have the right to have all of your personal data erased, which will prevent any further storage or processing any of your personal data on our behalf, and will sometimes result in a necessary deletion of any accounts you hold with us. In many cases, deleting any accounts you hold with us will erase your details. However, if you wish to make sure of this, then please email us with details of your request.

Right to restrict processing

You have the right to halt the processing of your personal data in the way that you choose. For example, you may wish to maintain an account with us but no longer want us to use one of our data processors to process your data. To restrict the processing of your personal data, please email us with details of your request.

Right to data portability

You have the right to obtain personal data we have or process about you in a format that is useful to you or to another service you would like to use with your data. We are happy to provide data to you in formats including CSV, JSON, PDF, Microsoft Word, and more. Please email us with details of your request.

Right to object

You have a right to object to the processing of your personal data in particular ways. For example, for marketing or profiling purposes. If you would like to object to our processing of your data, then please email us.

Rights related to automated decision making including profiling

We do not use personal data for automated decision making, and does not use such data for profiling users. Additionally, any processing done for analytics and reporting is done on an entirely anonymous basis. For more information or if you have any concerns, please email us.