Privacy Policy
Last updated: 2 June 2026
This Privacy Policy explains how Q BRIDGE AI handles information in connection with the INDBridge platform and the indbridge.qbridgelabs.ai website. We designed INDBridge for a regulated industry, so privacy and data protection are first-class engineering concerns, not afterthoughts.
1. Who we are
INDBridge is operated by Q BRIDGE AI, a brand of Q BRIDGE S.A.P.I. DE C.V. (“Q BRIDGE,” “we,” “us”). For platform customers, the contractual roles of data controller and data processor are set out in the Master Services Agreement (MSA) and Data Processing Addendum (DPA): for customer regulatory content, the customer is the controller and Q BRIDGE acts as a processor.
2. What this policy covers
This policy covers the public website and the authenticated INDBridge application. Where a signed DPA or Business Associate Agreement (BAA) exists, that agreement governs the processing of customer and regulated data and prevails over this policy to the extent of any conflict.
3. Information we process
- Account & contact data — name, work email, organization, role, and authentication data (including WebAuthn credential identifiers). Passwords are stored only as salted hashes.
- Customer regulatory content — the drug-candidate, CMC, nonclinical, clinical, eCTD, and FDA-form data a customer enters or uploads to prepare an IND submission.
- Audit & security logs — a tamper-evident, hash-chained record of actions, signatures, and agent runs (required for 21 CFR Part 11).
- Operational diagnostics — limited error and performance telemetry, with personal data scrubbed at the boundary before it leaves the application.
Patient-level PHI: INDBridge does not store patient-level protected health information by default. Subject data is held in aggregate (e.g., enrollment counts). If a customer requires subject-level data, it is gated behind a HIPAA BAA, a dedicated tenant, and additional controls.
4. How we use information
- To provide, secure, and operate the INDBridge platform.
- To maintain the 21 CFR Part 11 audit trail and electronic-signature records.
- To provide support, communicate about the service, and meet legal obligations.
We do not sell personal information, and we do not use customer content to train AI models. Agent drafting uses third-party model inference under contractual terms that prohibit training on customer data.
5. Legal bases (where GDPR applies)
We rely on: performance of a contract (providing the service); legitimate interests (securing and improving the service, fraud prevention); legal obligation (regulatory record-keeping); and consent where required (e.g., certain communications). You may withdraw consent at any time.
6. Sub-processors
We use a small set of vetted infrastructure sub-processors:
- Vercel — web hosting / edge (US).
- Fly.io — application & agent compute (US).
- Supabase — Postgres database & object storage with row-level tenant isolation (US).
- Sentry — error/performance monitoring (PII-scrubbed).
- Postmark — transactional & inbound FDA-correspondence email.
- Anthropic — Claude model inference for agent drafting (no training on customer data).
A current sub-processor list, and our committed AWS healthcare-grade hosting roadmap, are available to customers on request. We require data-protection terms from every sub-processor.
7. How we protect information
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Per-tenant Row-Level Security so one organization cannot see another's data.
- WebAuthn second factor and an e-signature PIN on every regulatory signature.
- An append-only, SHA-256 hash-chained audit ledger (21 CFR Part 11 §11.10(e)).
- Least-privilege access, secrets management, and continuous security monitoring.
8. Data retention
We retain account and customer data for the term of the agreement and as required to meet legal and regulatory record-retention obligations (FDA records can carry multi-year retention). The integrity-critical audit trail is immutable by design. On termination, data is returned or deleted per the MSA/DPA, subject to retention required by law.
9. International transfers
The platform is hosted in the United States. Where personal data is transferred from the EEA, UK, or other regions, we use appropriate safeguards such as Standard Contractual Clauses. Details are available in the DPA.
10. Your rights
Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data (e.g., under the GDPR, UK GDPR, CCPA/CPRA, and Mexico's LFPDPPP). Data Subject Access Requests are a first-class operation. To exercise a right, email privacy@qbridge.ai. If we process your data on behalf of a customer, we will direct your request to that customer (the controller).
11. HIPAA
Where a customer is a HIPAA covered entity or business associate and a BAA is in place, our handling of any protected health information is governed by that BAA. By default, INDBridge is architected to avoid storing patient-level PHI.
12. Children
The service is a business tool and is not directed to children under 16.
13. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with an updated date and, where appropriate, communicated to customers.
14. Contact
Privacy questions: privacy@qbridge.ai. See also our Cookie Policy and Terms of Service.