Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how CERULEON ("we", "us", "the Service") processes personal data when you use our literature-search and clinical-evidence-review platform at ceruleon.app. We comply with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable national data-protection laws.
1. Data controller
CERULEON acts as the data controller for personal data collected through this Service. You can contact us at contact@ceruleon.app for any privacy-related question, including exercising your GDPR rights.
2. What data we process
2.1 Account data
- Email address (used for authentication and account recovery)
- Password (stored as a salted hash by our authentication provider — we never see your plaintext password)
- Subscription tier, billing status, and Stripe customer identifier
2.2 Project data
- Project metadata (name, device, intended use, regulatory class) that you enter
- Search queries, screening decisions, AI prompts and outputs, audit-log events
- Files you upload (PDFs, IFUs, citations) within a project
2.3 Technical data
- Browser type, OS, screen size (collected only when needed for rendering)
- Application logs (errors, performance traces) — no IP-address profiling
We do not use third-party advertising or tracking cookies.
3. Lawful bases (GDPR Art. 6)
| Purpose | Lawful basis |
|---|---|
| Providing the Service (account, search, AI, exports) | Performance of contract — Art. 6(1)(b) |
| Billing and tax records | Legal obligation — Art. 6(1)(c) |
| Security, fraud prevention, abuse detection | Legitimate interest — Art. 6(1)(f) |
| Product improvement on anonymised aggregates | Legitimate interest — Art. 6(1)(f) |
4. Processors and sub-processors
We use the following processors. Each is bound by a Data Processing Agreement (DPA) under GDPR Art. 28:
| Processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, Edge Functions | EU (Frankfurt) |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing | EU (Ireland) |
| Anthropic PBC | AI features (query optimisation, screening, synthesis) | US (with SCCs) |
The PubMed E-utilities, iCite, Unpaywall and Datamuse public APIs are queried directly from your browser and receive only the literature-search terms you submit — no account identifier is sent. When you invoke AI-assisted web research (for example, the "similar devices" enrichment), the device name, manufacturer, and intended-use context you provide are sent to the AI provider's web-search tool in order to retrieve relevant results. Content sent to our AI provider is processed under its commercial API terms and is not used to train its models.
5. International transfers
Where data is processed outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and on the processor's Transfer Impact Assessment. AI processing in the United States is performed only when you opt in and is governed by the EU–US Data Privacy Framework where the processor is certified.
6. Retention
- Account data — kept while the account is active; deleted within 30 days of account closure.
- Project data — kept under your control; you may export or delete projects at any time. Deleted projects are purged from backups within 90 days.
- Audit-log events — stored locally in your browser (the most recent 10,000 events) and exportable at any time. Where medical-device documentation must be kept for a statutory minimum (e.g. 10 years from device end-of-life under MDR Art. 10(8)), you are responsible for exporting and retaining these records externally; CERULEON does not currently provide server-side long-term retention of the audit log.
- Billing records — kept for 10 years (legal obligation, accounting law).
7. Your rights (GDPR Arts. 15–22)
- Access, rectification, erasure
- Restriction of processing, data portability
- Objection to processing based on legitimate interest
- Withdrawal of consent at any time (where consent is the basis)
- Right to lodge a complaint with your national supervisory authority
To exercise any of these rights, write to contact@ceruleon.app. We respond within 30 days.
8. Security
Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by the underlying storage provider. Authentication uses salted password hashing and rate-limited login. The application enforces a strict Content-Security-Policy together with anti-clickjacking protection (frame-ancestors 'none' / X-Frame-Options), X-Content-Type-Options=nosniff and Strict-Transport-Security, delivered as HTTP response headers. Audit-log events are hash-chained to make silent tampering detectable.
9. Cookies and local storage
We use a small number of strictly necessary cookies and browser-local storage entries:
- Authentication session token (Supabase) — required to keep you signed in.
- Theme preference and last-viewed project — saved in localStorage for usability.
- Local audit-log mirror — written to localStorage so your decisions survive offline use.
No analytics, advertising or social-media cookies are set.
10. Children
CERULEON is a professional tool for medical-device manufacturers, consultants and clinical researchers. It is not directed at children under 16 and we do not knowingly collect data from them.
11. Changes
Material changes to this Policy will be announced in-app and by email to active subscribers at least 30 days before they take effect. Non-material edits (typos, clarifications) take effect on publication.
12. Contact
Questions, requests, or DPA enquiries: contact@ceruleon.app.