Privacy Policy
Last Updated: October 1st, 2025
Tilda Research, Inc. (“Tilda”, “we”, “us”) is committed to protecting your privacy. This Privacy Policy explains how Tilda collects, uses, protects, and shares personal data from visitors to our platforms, portals, and websites where this Privacy Policy is posted (collectively, the “Sites”), and contact/registration information from our customers and their authorized personnel during the provision of our online hosted services (“Service”).
Scope
This Privacy Policy applies to the processing of all personal data, including Protected Health Information (“PHI”), of individuals located in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and other regions where applicable data protection laws (such as the General Data Protection Regulation, “GDPR”) apply.
We provide the Service to our customers under an agreement with the customer and solely for the benefit of their personnel and other personnel authorized by the customer as users of the Service (“Authorized Users”). Where our customers upload data into the Service (including PHI and other sensitive information), we act as a data processor on behalf of those customers (the “data controllers”).
Acknowledgement of the Privacy Policy
By accessing or using our Service and Sites, you signify that you have read, understand, and agree to our collection, storage, use, and disclosure of personal data as described in this Privacy Policy. For users located in the EU/EEA/UK, additional GDPR rights and safeguards described below also apply.
What Data Do We Collect and How?
Information You Provide
Personal information such as name, postal address, email address, and telephone number.
Business information when registering for an account or subscribing to our Service (“Account Information”).
Communications you exchange with us, including surveys, support requests, and interactive features of the Service.
Information We Collect Automatically
We, and our third-party partners, may collect usage and log data via cookies and similar technologies, including:
IP address, browser type, device identifiers, operating system, ISP, and timestamps.
Information on how you use our Sites (pages visited, links clicked, navigation paths).
Mobile device details and, depending on settings, approximate or precise geolocation.
Information From Other Sources
We may obtain information from:
Third-party information providers, security and fraud detection firms, marketing/business partners.
Corporate transactions (e.g., mergers or acquisitions).
We combine this with other data we hold, and this Privacy Policy governs the combined personal data.
Do Not Track
We honor applicable “Do Not Track” and consent preferences where legally required. Users may withdraw cookie consent at any time (see Consent and Cookies below).
How Do We Handle or Store Your Data?
Location and Security
Tilda securely stores your data in Google Cloud Platform (GCP) and related services, encrypted at rest and in transit where applicable.
Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, or as required by contract or law. Customer Data that we process on behalf of customers will be retained, stored, and deleted according to our agreement with each customer.
International Transfers
Your data may be processed in the United States or other countries where Tilda or its providers maintain facilities.
For EU/EEA/UK residents, we ensure appropriate safeguards for international transfers under GDPR, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
Where required, Data Processing Agreements (DPAs) are executed with customers and vendors.
How Do We Use Your Data?
We use personal data to:
Operate, maintain, and provide the features and functionality of the Sites and Service.
Communicate directly with you, including sending service-related messages (account verification, purchase confirmations, updates, technical/security notices).
Enhance security, monitor and verify access, prevent fraud and security risks.
Provide personalized content and improve products and services.
Conduct surveys, audits, analytics, and evaluate marketing performance.
Legal Basis (EU/EEA/UK):
We process personal data under one or more of the following lawful bases:
Consent (Art. 6(1)(a), Art. 9(2)(a)) — e.g., marketing, cookies, optional features.
Contractual necessity (Art. 6(1)(b)) — e.g., account setup, Service delivery.
Legal obligations (Art. 6(1)(c)) — e.g., recordkeeping, regulatory reporting.
Legitimate interests (Art. 6(1)(f)) — e.g., product improvement, fraud prevention, provided interests are not overridden by data subject rights.
Special category data (PHI) is processed under Art. 9(2) GDPR, typically with explicit consent, or where necessary for provision of health-related services under contract.
How Do We Share Your Data?
We may share your personal data with:
Service providers and business partners (payment processing, hosting, analytics, communications, etc.).
Affiliates and subsidiaries within Tilda.
Regulators or authorities where required by law.
Corporate transactions such as mergers, acquisitions, or reorganizations.
Aggregated or anonymized data that does not identify individuals.
Control Over Your Information
Email Communications
We send essential Service communications (e.g., account verification, study reminders, clinical updates). For marketing or non-essential communications, we obtain consent and provide an easy opt-out.
Consent and Cookies
Users may manage cookie preferences through our cookie banner and browser settings. Consent is freely given, specific, informed, unambiguous, and may be withdrawn at any time.
Your Rights Under GDPR (EU/EEA/UK)
You have the following rights (subject to limitations in applicable law):
Right of access (Art. 15) — obtain a copy of your personal data.
Right to rectification (Art. 16) — correct inaccurate data.
Right to erasure (“right to be forgotten”, Art. 17).
Right to restrict processing (Art. 18).
Right to data portability (Art. 20).
Right to object to processing (Art. 21).
Right to withdraw consent at any time, without affecting prior processing.
To exercise rights, contact us at privacy@tilda.bio. We will respond within 30 days as required by GDPR.
Data Breach Notification
In the event of a personal data breach, we will:
Notify the relevant supervisory authority within 72 hours (where required by GDPR).
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Special Cases
Customer Data
When customers upload data (including PHI), Tilda acts as a processor. Customer Data is processed solely in accordance with customer instructions and agreements.
Children’s Data
We do not knowingly collect data from children under 13. For EU/EEA, parental consent is required for processing data of children under 16.
Changes to Our Privacy Policy
We may update this Privacy Policy from time to time. The “Last Updated” date indicates when changes were last made. Material changes will be communicated through our Sites or Service.
How to Contact Us
For privacy inquiries or to exercise rights, contact us at: 📧 privacy@tilda.bio

