Privacy Policy

OncoStrong is a clinical trial navigation and information service. We help people affected by cancer find relevant clinical trials, access genetic testing, and connect with specialist oncologists. References to “OncoStrong”, “we”, “us”, or “our” in this policy refer to the OncoStrong platform and its operating entity.

We collect information you provide directly when using our services:

• Health information: Cancer type, cancer stage, treatment history, biomarker or genetic test results, and other information you provide through the intake questionnaire.
• Identity and contact information: Your name and email address, if provided when submitting an enquiry.
• Enquiry message content: The body of any message you submit through our enquiry system. This content is encrypted before it is stored and cannot be read by any OncoStrong staff member. It is held solely to enable delivery and, where you elect to retain it, to support any follow-up you request. It is never used for any other purpose.
• Approximate location:If you provide a postcode or ZIP code, we store only the district or outward portion (for example “SW1” rather than “SW1A 2AA”, or the first three digits of a US ZIP). The full postcode is never stored. Geographic coordinates derived from your location are rounded to approximately 1 km precision.
• Usage information: Technical data about how you use our platform, including page views and interactions, for the purpose of improving the service.

We use the information you provide to:

• Match your profile to relevant clinical trials.
• Forward your enquiry to a trial team or specialist oncologist, where you have explicitly consented to this. Where a direct contact email is not immediately available, OncoStrong will locate the appropriate contact and deliver your message, typically within two hours. In cases where a contact cannot be located, we may reach out to the organisation running the trial on your behalf.
• Connect you with a gene panel testing partner, where requested.
• Improve the accuracy and relevance of our matching service.
• Comply with our legal obligations and maintain records of consent.

We do not use your health information for advertising, profiling for commercial purposes, or any purpose other than those described above.

Your information is never sold. We share your information only in the following circumstances:

• Trial teams and CROs: When you submit an enquiry for a specific trial and explicitly consent to sharing your information with that trial team. The recipient receives your name, email address, and message. If you elect to copy OncoStrong, a member of our team will also receive this information solely for the purpose of supporting your enquiry. OncoStrong staff do not have access to the stored copy of your message body — only the outbound email transmitted to the designated recipient contains readable content.
• Testing partners: When you submit an enquiry for gene panel testing and consent to sharing your information with the relevant testing provider.
• Specialist oncologists: When you request a specialist connection and consent to sharing your information with the relevant specialist.
• Service providers: Infrastructure and technology providers who process data on our behalf under appropriate contractual data protection arrangements.
• Legal requirements: Where required by law or regulatory authority.

Each time your information is shared with a third party, this is recorded in our consent log. You may request a copy of your consent record at any time.

Where we share health information with a third party (trial team, testing partner, or specialist), we will always ask for your explicit consent at the point of sharing. Consent is specific to each enquiry — consent to share your information with one trial team does not extend to any other party.

When submitting an enquiry, you may elect how long the encrypted copy of your message is retained — from immediate deletion on send through to a maximum of 90 days. You may also delete any enquiry from your profile at any time, which permanently removes the message content from our systems. Metadata confirming that an enquiry was submitted is retained for legal and audit purposes but contains no message content or identifying information after deletion.

You may withdraw consent at any time by contacting us. Withdrawal of consent does not affect the lawfulness of any sharing that took place before the withdrawal.

Your data is stored on secure, encrypted infrastructure. We apply appropriate technical and organizational measures to protect against unauthorized access, disclosure, alteration, or destruction.

Enquiry message content is encrypted using AES-256 encryption before being written to our database. Encryption keys are managed through a dedicated key management service and are never stored alongside the encrypted content. The decryption pathway is restricted to the act of sending or re-sending your message — no interface exists through which any person, including OncoStrong staff, can read your stored message content.

Health-related information entered into our exploratory tools is generally processed transiently within your browser session. Unless you choose to create an account, save information, or submit an enquiry, we do not store your health profile on our servers. Non-identifying, aggregate telemetry and system logs may be processed briefly to ensure platform stability and performance.

We retain personal information only for as long as necessary for the purposes described in this policy, or as required by law.

Health information entered into the intake questionnaire and not associated with an account or enquiry is processed transiently and is not retained on our servers beyond the session.

Enquiry message content is retained only for the period you elect at the time of submission — either deleted immediately on send, or retained for 30, 60, or 90 days to support any follow-up you request. At the end of the elected period, message content is permanently deleted automatically. You may also request deletion at any time from the Enquiry History section of your profile.

Where you create an account or submit an enquiry, we retain the information associated with that account or enquiry for as long as your account remains active, and for a reasonable period thereafter for legal, administrative, or dispute resolution purposes. You may delete your account and all associated data at any time directly from your Account Settings, or by contacting privacy@oncostrong.com.

OncoStrong uses cloud infrastructure and technology providers that may be located in different countries, including the United States and the United Kingdom. By using our platform, your information may be transferred to and processed in countries outside your own.

Where such transfers occur, we take steps to ensure that appropriate safeguards are in place, consistent with applicable data protection law. For UK and EU users, transfers to countries outside the UK/EEA are conducted under standard contractual clauses or equivalent approved mechanisms.

Depending on your location, you may have rights including the right to access, correct, or delete the personal information we hold about you. You may also have the right to data portability and the right to object to certain types of processing.

To exercise any of these rights, you can delete your account directly from Account Settings, or contact us at privacy@oncostrong.com. We will respond to other requests within 30 days.

OncoStrong is intended for use by adults aged 18 and over, or by adults acting on behalf of a patient with appropriate authority. We do not knowingly collect personal information from anyone under 18.

In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@oncostrong.com and we will delete it promptly.

OncoStrong is an informational platform and does not operate as a covered entity or business associate under HIPAA. We apply industry-standard technical and organizational safeguards to health-related information handled on our platform. If you have questions about how specific data may be handled, please contact privacy@oncostrong.com.

For users in California, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. OncoStrong does not sell personal information.

OncoStrong maintains a directory of clinicians who have chosen to partner with us. This is not a comprehensive directory of all clinical trial investigators. Clinicians appear only with the consent of their organization and may request removal at any time by contacting privacy@oncostrong.com.

Information you provide through OncoStrong may be processed using artificial intelligence systems to support functions such as trial matching, generation of patient-facing summaries, relevance explanations, and improvement of platform functionality.

Where AI systems are used in connection with health-related information, we apply safeguards designed to minimize unnecessary disclosure and limit processing to the purposes described in this policy.

We do not use your health information to train public artificial intelligence models.

For users in the UK and European Union, we process your personal data in accordance with UK GDPR and EU GDPR respectively. Health information is classified as special category data and is processed only with your explicit consent or as otherwise permitted by law.

You have the right to lodge a complaint with the relevant supervisory authority — the Information Commissioner's Office (ICO) in the UK, or your national data protection authority in the EU.

OncoStrong uses only essential cookies required for the platform to function. We do not use advertising cookies, tracking pixels, or third-party analytics cookies that transmit personal data. We do not use the Meta Pixel or equivalent tracking on any page where health information is entered or displayed.

We may update this policy from time to time. Where changes are material, we will notify users by email or through a prominent notice on the platform. The date at the top of this page reflects when the policy was last updated.

For questions about this policy or your personal data, contact us at privacy@oncostrong.com.