Privacy Policy
Trialcraft BV (trading as Studia)
Last Updated: 11/02/2026
Introduction
This Privacy Policy ("Policy") governs the processing of personal data by Trialcraft BV ("we," "us," or "our") in connection with the website studia.health (the "Website") and the associated software platform (the "Platform").
We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Belgian Law of 30 July 2018 regarding the protection of natural persons with regard to the processing of personal data.
1. Identification of the Data Controller
Trialcraft BV
Registered in Belgium (CBE/KBO): BE1010925090
Address: Baron Opsomerdreef 32, 3090 Overijse, Belgium
Email: privacy@studia.health
2. Our Roles: Controller vs. Processor
Given the B2B nature of our services, our legal role differs depending on the data type:
- Trialcraft as Data Controller: regarding User Account Data (e.g., your login credentials, professional contact details) and Website Visitor Data. We determine the purposes and means of this processing to manage our business relationship with you.
- Trialcraft as Data Processor: regarding Customer Data (e.g., research documents, health-related data uploaded to the Platform). For this data, the Client (your organization) acts as the Data Controller, and we act strictly as a Data Processor acting on the Client's instructions. This relationship is further governed by our Terms of Service and Data Processing Agreement (DPA).
3. Personal Data We Collect
3.1. When Visiting the Public Website
We minimize data collection on our public website. If you accept analytics cookies via our consent banner, we use PostHog to collect anonymous usage data, including page interactions, anonymous session information, and browser errors. No advertising pixels are used. If you decline or take no action, no analytics data is collected.
Contact Form Data:
When you voluntarily submit an inquiry via our contact form, we collect:
- Full Name
- Email Address
- Content of your message
3.2. When Using the Platform (Registered Users)
To provide our services, we process the following information:
- Account Information: First name, last name, professional email address, and organization.
- Uploaded Content: Documents uploaded by users for analysis. While we discourage the upload of unredacted sensitive personal data, we acknowledge that documents may contain special categories of data (e.g., health data). This data is processed strictly for the provision of the requested service.
- Usage Analytics: Behavioral metrics (mouse movements, clicks) via Hotjar, subject to the specific conditions outlined in Section 7.
4. Purposes and Legal Basis for Processing
We process personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Client Administration: Creating accounts, billing, and authentication. | Art. 6(1)(b) Performance of a Contract |
| Communication: Responding to inquiries via Formspree. | Art. 6(1)(f) Legitimate Interest (or Consent) |
| Platform Security: Monitoring for fraudulent activity or breaches. | Art. 6(1)(f) Legitimate Interest |
| Platform Optimization: Analytics via Hotjar (Platform only). | Art. 6(1)(a) Explicit Consent |
| Website Analytics: Anonymous usage analytics via PostHog (Public Website). | Art. 6(1)(a) Explicit Consent |
| Compliance: Adhering to legal obligations (tax, accounting). | Art. 6(1)(c) Legal Obligation |
5. Data Retention
We adhere to strict retention policies:
- Contact Inquiries: Retained for one (1) year following the last communication, after which they are securely deleted.
- Account Data: Retained for the duration of the active contract plus any statutory limitation periods required by Belgian law.
- Uploaded Documents: Retained only as long as the account is active or until manually deleted by the User.
6. Third-Party Recipients (Sub-Processors)
We do not sell or rent personal data. We engage the following trusted third-party service providers ("Sub-processors") to support our technical infrastructure:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting, Storage, & Computing | Belgium (Europe-West) |
| Formspree Inc. | Contact Form Management | USA (SCCs / DPF) |
| Hotjar Ltd. | Usage Analytics (Platform Only) | Malta (EU) |
| PostHog Inc. | Website Analytics | EU (Frankfurt) |
Where data is transferred to a provider outside the European Economic Area (EEA), such as Formspree, we ensure appropriate safeguards are in place, such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
7. Cookies and Analytics
Public Website: We use PostHog for anonymous, consent-based analytics on studia.health. PostHog is only activated if you explicitly accept analytics cookies via the consent banner. If you decline, no cookies are set and no analytics data is collected.
Platform: We utilize Hotjar to analyze user behavior for the purpose of improving user experience.
- Consent Required: Both Hotjar and PostHog are only activated if you explicitly accept analytics cookies via the respective Cookie Banner / Settings.
- User Responsibility: If you consent to analytics, you acknowledge that while we employ technical measures to mask keystrokes, it is your responsibility to ensure that no sensitive personal data (health data, patient names) is displayed on-screen during active sessions.
For detailed information about the cookies and local storage used on the Platform, please refer to our Cookie Policy.
8. Security Measures
We implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:
- Encryption of data at rest and in transit (TLS/SSL).
- Strict access controls (IAM) and authentication protocols.
- Regular backups and disaster recovery procedures.
9. Automated Decision Making
We do not engage in automated decision-making or profiling that produces legal effects concerning the user. Any AI-driven features within the Platform are assistive in nature and do not use Customer Data to train public models.
10. Your Rights
Under the GDPR, you have the right to:
- Access and obtain a copy of your data.
- Rectify incomplete or inaccurate data.
- Request deletion ("Right to be forgotten"), subject to legal retention requirements.
- Restrict or Object to processing.
- Withdraw consent at any time (where processing is based on consent).
To exercise these rights, please contact us at privacy@studia.health. We will respond within 30 days.
11. Competent Authority
If you believe your rights have been violated, you have the right to lodge a complaint with the Belgian Supervisory Authority:
Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA)
Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Website: www.autoriteprotectiondonnees.be
12. Changes to This Policy
We reserve the right to update this Policy to reflect changes in our practices or legal obligations. The latest version will always be available on this page.