Cora Privacy Policy
Provider: Max Output LLC | North Carolina | founders@maxoutput.ai
Service: Cora | https://cora.getmaxoutput.com
Document Version: PP-v1.0-2026-02-25
Effective Date: February 25, 2026
Last Updated: 2026-02-25
This Privacy Policy reflects the specific data architecture, AI processing pipeline, and clinical research context of the Cora platform.
1. INTRODUCTION
This Privacy Policy ("Policy") describes how Max Output LLC ("Provider," "we," "us," or "our"), a North Carolina limited liability company, collects, uses, stores, discloses, and protects information in connection with the Cora platform (the "Service"), accessible at https://cora.getmaxoutput.com.
This Policy applies to all users of the Service ("Users," "you," or "your"), including Clinical Research Coordinators, Site Managers, Principal Investigators, and other clinical research site personnel who access the Service.
This Policy should be read in conjunction with our Terms of Service, which govern your use of the Service. Capitalized terms not defined herein have the meanings set forth in the Terms of Service.
2. DATA ROLES AND RESPONSIBILITIES
2.1 Provider as Data Controller
Provider acts as the Data Controller for the following categories of information, meaning Provider determines the purposes and means of processing:
- User account information (name, email address)
- Website and application usage data
- Feedback and support communications
2.2 Provider as Data Processor
Provider acts as the Data Processor for the following categories of information, meaning Provider processes this data solely on behalf of and at the direction of the User's organization:
- Uploaded Protocol Documents (clinical trial protocols in PDF format)
- Protocol text chunks and vector embeddings derived from uploaded documents
- AI-generated outputs produced in response to User queries about uploaded documents
The User's organization retains all Data Controller responsibilities for Protocol Documents, including ensuring that it possesses the necessary rights, licenses, and authorizations to upload such documents to the Service. Provider processes Protocol Documents solely for the purpose of providing the Service and does not determine independent purposes for such processing.
Organizational clients requiring additional contractual protections for Protocol Document processing may enter into a supplemental Data Processing Agreement (DPA) with Provider upon request.
2.3 Shared Responsibility
- User queries and AI interaction logs — Provider collects and retains these to maintain audit trails and improve system quality (Controller function), but the content of queries relates to the User's organization's clinical operations (Processor function). Provider processes query content solely to deliver the Service and maintain audit integrity.
3. INFORMATION WE COLLECT
3.1 Account Information
When you create an account, we collect:
| Data Element | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication (OTP), service communications | Contractual necessity |
| Display name (if provided) | Account identification | Contractual necessity |
| Organization name (if provided) | Multi-tenant data isolation, account management | Contractual necessity |
We authenticate users via one-time password (OTP) sent to the registered email address. We do not collect or store passwords.
3.2 Protocol Documents (Uploaded by Users)
When you upload a clinical trial protocol, the following data is created and stored:
| Data Element | Description | Storage Location |
|---|---|---|
| Original PDF file | The protocol document as uploaded | Supabase Storage (encrypted at rest, AES-256) |
| Text chunks | Extracted text segments from the PDF, optimized for search | Supabase PostgreSQL |
| Vector embeddings | Mathematical representations of text chunks used for semantic search | Supabase PostgreSQL (pgvector extension) |
Important: Protocol Documents may contain confidential and proprietary information owned by third parties, including pharmaceutical sponsors. Provider treats all Protocol Documents as confidential. See Section 5 for how Protocol Documents interact with AI processing.
Vector embeddings are mathematical transformations of text chunks. They are derivative data used exclusively for semantic search within the Service. Vector embeddings are deleted when the corresponding Protocol Document is deleted. Regardless of whether vector embeddings are classified as personal data under applicable privacy frameworks, Provider applies the same security protections (encryption, access controls, tenant isolation) to vector embeddings as to the source text from which they are derived.
3.3 AI Interaction Data
When you use the Service to ask questions about uploaded protocols, we collect:
| Data Element | Storage Location | Purpose |
|---|---|---|
| User queries (questions asked) | query_audit_log table | Audit trail, system quality monitoring |
| AI-generated answers | query_audit_log table | Audit trail, system quality monitoring |
| Confidence scores (HIGH/MEDIUM/LOW) | query_audit_log table | Audit trail, safety monitoring |
| Response times | query_audit_log table | Performance monitoring |
| Chat session history | chat_sessions table | Conversation continuity |
3.4 Feedback and Safety Data
| Data Element | Storage Location | Purpose |
|---|---|---|
| Feedback ratings (thumbs up/down) | feedback table | System quality improvement |
| Safety escalation reports | safety_escalations table | Safety monitoring, system integrity |
Feedback data is collected for the legitimate interest of maintaining and improving the security, accuracy, and performance of the Service. Feedback is never used to train third-party AI models.
3.5 Automatically Collected Technical Data
When you access the Service, we automatically collect:
- IP address (for security and rate limiting)
- Browser type and version
- Device type
- Timestamp of access
- Pages visited within the Service
We do not use third-party analytics trackers, advertising cookies, or behavioral tracking technologies. We do not collect browsing history outside the Service, location data, biometric data, or data from third-party sources about Users.
4. INFORMATION WE DO NOT COLLECT
The Service is designed to process clinical trial protocol documents — study design documents, not patient data. We do not collect, store, or process:
- Protected Health Information (PHI) as defined by HIPAA
- Patient names, medical records, or any patient-identifiable data
- Social Security numbers, dates of birth, or other personal identifiers of research subjects
- Biometric data
- Precise geolocation data
- Financial or payment information (no billing system is currently implemented)
- Data from third-party sources about Users
The Service implements automated detection filters designed to identify and block queries containing patient identifiers across all 18 HIPAA identifier types. These filters operate on a best-efforts basis and do not relieve Users of their obligation to refrain from entering PHI. See the Terms of Service, Section 5.3, for the complete PHI prohibition.
5. HOW PROTOCOL DOCUMENTS ARE PROCESSED BY AI
5.1 Retrieval-Augmented Generation (RAG)
When you ask a question, the Service:
- Searches your uploaded Protocol Document for relevant text sections
- Retrieves matching text chunks from the database
- Sends those text chunks, along with your query, to a third-party AI model via API for answer generation
- Receives the AI-generated answer
- Runs a separate AI verification step to check the answer against the source text
- Returns the answer to you with source citations and a confidence score
The AI model does not "know" anything about your protocol independently. Every answer is generated from the specific text chunks retrieved from your uploaded document.
5.2 Ephemeral AI Processing
Protocol text chunks sent to the AI model via the API are processed ephemerally. This means:
- The text is used solely to generate the immediate response
- The text is not persistently stored by the AI infrastructure provider after the response is generated
- The text is not retained by the AI infrastructure provider for any purpose beyond the immediate inference request
5.3 Absolute Prohibition on Model Training
We do not use your data to train AI models. Specifically:
- Uploaded Protocol Documents, User queries, chat histories, AI-generated outputs, and feedback are never used to train, fine-tune, or improve any foundational large language model, neural network, or machine learning algorithm — whether operated by Provider, by our AI infrastructure provider, or by any third party.
- Our AI infrastructure provider (AWS Bedrock) does not use customer content for model training under its standard service terms.
- Provider does not use Customer Data to train its own internal algorithms without explicit, prior, opt-in consent.
5.4 Data Isolation
Each organization's data is logically isolated from every other organization's data through PostgreSQL row-level security (RLS) policies. Organization A cannot access, view, or query Organization B's Protocol Documents, queries, or AI outputs.
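The following is an added illustration of the row-level security pattern this section describes; it is not the Service's own schema or code. The table names (protocol_documents, query_audit_log), the org_id tenant column, the cora_app role and the app.current_org session setting are assumptions made for the example.

```sql
-- Added illustration of PostgreSQL row-level security (RLS) for multi-tenant
-- isolation. NOT the Service's own schema: the table names, the org_id column,
-- the cora_app role and the app.current_org setting are assumptions.

-- Every table holding Customer Data carries the tenant key.
CREATE TABLE protocol_documents (
    id          bigserial PRIMARY KEY,
    org_id      uuid NOT NULL,
    filename    text NOT NULL,
    uploaded_at timestamptz NOT NULL DEFAULT now()
);

CREATE TABLE query_audit_log (
    id          bigserial PRIMARY KEY,
    org_id      uuid NOT NULL,
    document_id bigint REFERENCES protocol_documents(id) ON DELETE CASCADE,
    query_text  text NOT NULL,
    answer_text text,
    confidence  text CHECK (confidence IN ('HIGH', 'MEDIUM', 'LOW')),
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The role the backend uses for request handling. It must not own the tables
-- and must not have BYPASSRLS; for such roles the policies are skipped entirely.
CREATE ROLE cora_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON protocol_documents, query_audit_log TO cora_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO cora_app;

-- ENABLE turns RLS on; FORCE applies the policies to the table owner as well,
-- so a misconfigured connection as the owner does not see every tenant.
ALTER TABLE protocol_documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE protocol_documents FORCE ROW LEVEL SECURITY;
ALTER TABLE query_audit_log    ENABLE ROW LEVEL SECURITY;
ALTER TABLE query_audit_log    FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting that the backend sets right
-- after authenticating the user. current_setting(..., true) returns NULL when
-- the setting is absent, and "org_id = NULL" matches no rows: an unscoped
-- request fails closed instead of seeing every organization.
CREATE FUNCTION current_org() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.current_org', true), '')::uuid
$$;

-- One policy per table. USING filters the rows a tenant can read, update or
-- delete; WITH CHECK rejects INSERT/UPDATE rows tagged with another tenant.
CREATE POLICY tenant_isolation ON protocol_documents
  FOR ALL TO cora_app
  USING (org_id = current_org())
  WITH CHECK (org_id = current_org());

CREATE POLICY tenant_isolation ON query_audit_log
  FOR ALL TO cora_app
  USING (org_id = current_org())
  WITH CHECK (org_id = current_org());

-- What one request looks like. SET LOCAL scopes both the role and the tenant
-- to this transaction, so nothing leaks across a pooled connection.
BEGIN;
SET LOCAL ROLE cora_app;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- Organization A
SELECT id, filename FROM protocol_documents;   -- Organization B's rows are invisible
INSERT INTO query_audit_log (org_id, query_text, confidence)
  VALUES ('11111111-1111-1111-1111-111111111111',
          'What is the visit window for Visit 3?', 'HIGH');
COMMIT;
-- The same INSERT with Organization B's org_id is rejected with:
--   new row violates row-level security policy for table "query_audit_log"
```

Two checks a reviewer of this isolation claim would want. First, the policy must exist on every table that holds Customer Data, not only on documents: text chunks, pgvector embeddings, chat_sessions, feedback and safety_escalations all need the same USING and WITH CHECK clauses, and RLS says nothing about files in Supabase Storage, which are governed by that service's own bucket policies. Second, RLS only constrains roles that are subject to it; superusers, roles with BYPASSRLS and (without FORCE) table owners see all rows, and in Supabase specifically the service_role credential bypasses RLS by design, so a backend that connects with it must scope every query itself. Asking which database credential the backend uses is the concrete way to verify the statement above.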
6. HOW WE USE YOUR INFORMATION
We use collected information for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Service (protocol upload, query processing, answer generation) | Account info, Protocol Documents, queries | Contractual necessity |
| Authentication and account security | Email, OTP tokens, IP address | Contractual necessity |
| Maintaining audit trails for clinical research data integrity | Queries, AI outputs, confidence scores, timestamps | Legitimate interest (regulatory compliance support) |
| System quality monitoring and improvement | Feedback, safety reports, response times | Legitimate interest (service quality) |
| Security (rate limiting, abuse prevention) | IP address, request patterns | Legitimate interest (security) |
| Service communications (account notifications, material changes to Terms or Policy) | Email address | Contractual necessity |
| Responding to support requests | Email, account info, relevant interaction data | Contractual necessity |
We do not:
- Sell, rent, or trade your personal information to third parties
- Use your data for advertising or marketing purposes
- Share your data with third parties for their own independent purposes
- Use Protocol Documents or AI interaction data for any purpose other than providing and maintaining the Service
7. THIRD-PARTY SERVICE PROVIDERS (SUB-PROCESSORS)
We use the following third-party service providers to process Customer Data in connection with the Service. Each sub-processor is bound by written agreements imposing confidentiality and security obligations.
| Sub-Processor | Role | Data They Receive | Privacy Commitment |
|---|---|---|---|
| AWS Bedrock (Amazon Web Services, Inc.) | AI infrastructure — hosts and executes AI models for inference and embedding generation | Protocol text chunks and User queries sent as prompts. Ephemeral processing — data not retained after response generation. | Does not use customer content for model training. SOC 2 Type II, ISO 27001 certified. |
| Anthropic PBC (via AWS Bedrock) | AI model provider — Claude models used for answer generation and grounding verification | Same data as AWS Bedrock. Anthropic's models are accessed exclusively through AWS Bedrock infrastructure. There is no direct API relationship between Provider and Anthropic. Data handling is governed by AWS Bedrock's service terms. | Does not use customer content for model training when accessed through Bedrock. |
| Amazon (via AWS Bedrock) | AI model provider — Nova models used for text embeddings | Protocol text chunks sent for embedding generation. Processed ephemerally through Bedrock infrastructure. | Governed by AWS Bedrock service terms. Not retained after processing. |
| Supabase, Inc. | Database hosting (PostgreSQL), vector storage (pgvector), encrypted file storage | All stored data: account info, Protocol Documents, text chunks, embeddings, query logs, feedback | SOC 2 Type II certified. Data encrypted at rest (AES-256). Row-level security for tenant isolation. |
| Railway Corp. | Backend API hosting | Customer Data (queries, protocol text chunks, AI responses) passes through Railway infrastructure during request processing. Railway executes the backend application code. No data is independently stored or processed by Railway beyond request handling. | US-based infrastructure. |
AI Model Routing: The Service uses LiteLLM, an open-source Python library, to route API calls to AWS Bedrock. LiteLLM runs entirely within Provider's own backend infrastructure (self-hosted on Railway). It is not a third-party service and does not transfer Customer Data to any external system independently.
AI Model Specificity: The Service currently uses AI models accessed through AWS Bedrock. The specific model versions used may change as the Service is updated and improved. The current model configuration is documented in a separate, regularly updated Sub-Processor List available upon request. Changes to the AI infrastructure provider (i.e., switching from AWS Bedrock to a different provider) would constitute a material change to this Policy and would be communicated in advance per Section 16.
Infrastructure and Supporting Services: The Service also uses infrastructure hosting providers (Vercel for frontend hosting) and supporting services (GoDaddy for domain registration, GitHub for source code management). These providers do not process Customer Data — they serve static assets or have no access to application data. A complete list of infrastructure and supporting service providers is available upon request.
All data is stored and processed on infrastructure located within the United States.
8. DATA RETENTION
We retain different categories of data for different periods, each tied to a specific, documented purpose:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account information (email, name) | Until account deletion is requested or the agreement is terminated | Contractual necessity |
| Protocol Documents (PDFs) | Until deleted by the User or upon termination of the agreement | User-controlled; deleted within 30 days of request |
| Text chunks and vector embeddings | Deleted when the corresponding Protocol Document is deleted | Derivative data — lifecycle tied to source document |
| AI interaction logs (queries, answers, confidence scores, response times) | Retained for a period commensurate with the statutory retention requirements of the underlying clinical records processed by the User, or until the governing organizational client formally authorizes their secure destruction | Regulatory compliance support — see Section 8.1 |
| Chat session history | Until cleared by User or upon account termination | User-controlled |
| Feedback data | Retained for the duration of the agreement plus 6 months | Legitimate interest in system quality; anonymized after agreement termination |
| Safety escalation reports | Retained for the duration of the agreement plus 24 months | Legitimate interest in safety monitoring and legal defense |
| Technical/access logs (IP, browser, timestamps) | 90 days | Security monitoring; automatically purged |
8.1 Clinical Audit Trail Retention Rationale
The Service is used by clinical research professionals who manage documents subject to regulatory retention requirements. Under FDA 21 CFR Part 11 and ICH Good Clinical Practice (GCP) E6(R3) guidelines, computerized systems used to process clinical trial records must maintain secure, time-stamped audit trails for a period at least as long as that required for the subject electronic records.
Clinical trial essential documents and their associated audit trails must generally be retained for a minimum of 2 years following the formal marketing approval of an investigated drug or the discontinuation of the clinical trial. In some jurisdictions, retention requirements extend further.
Because the Service's query audit logs may constitute part of a site's electronic audit trail for clinical trial operations, we retain these logs for a period aligned with clinical regulatory requirements rather than an arbitrary fixed period. We do not retain data "indefinitely." Retention is bounded by the regulatory lifecycle of the underlying clinical records.
Upon termination of the agreement, Users may request secure destruction of audit logs. If audit logs cannot be immediately destroyed due to overriding regulatory obligations of the User's organization, Provider will anonymize or pseudonymize user identifiers within the logs (removing names and email addresses) while preserving the substantive audit trail content for the organization.
9. DATA SECURITY
We implement commercially reasonable administrative, technical, and physical safeguards to protect your data:
| Safeguard | Implementation |
|---|---|
| Encryption in transit | Transport Layer Security (TLS) for all data transmission |
| Encryption at rest | AES-256 encryption for stored data |
| Multi-tenant isolation | PostgreSQL row-level security (RLS) policies ensure each organization's data is logically isolated |
| Authentication | Email-based one-time password (OTP); no stored passwords |
| Audit logging | All queries, responses, confidence scores, and response times are logged |
| Rate limiting | API endpoint rate limiting to prevent abuse |
| Security headers | X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Cache-Control: no-store |
| PHI detection filters | Automated screening for 18 HIPAA identifier types before queries reach the AI model |
No system is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security. In the event of a data breach involving personal identifying information, we will comply with the North Carolina Breach Notification Law (N.C. Gen. Stat. § 75-65), which requires notification to affected individuals without unreasonable delay.
10. YOUR RIGHTS
10.1 Right to Access
You may request a copy of the personal information we hold about you by contacting us at founders@maxoutput.ai. We will respond within 30 days.
10.2 Right to Correction
You may request correction of inaccurate personal information associated with your account by contacting us at founders@maxoutput.ai.
10.3 Right to Deletion
You may request deletion of your personal information by contacting us at founders@maxoutput.ai. Upon receiving a verified deletion request:
- Account information, Protocol Documents, text chunks, vector embeddings, and chat session history will be permanently deleted within 30 days.
- AI interaction logs (query audit trails): If the User's organization has designated these logs as part of its clinical trial audit trail, or if overriding legal obligations require their preservation, we may retain the substantive audit content in anonymized or pseudonymized form (with user identifiers removed) to comply with regulatory requirements. We will inform you if this exception applies and explain the specific regulatory basis.
- Feedback and safety data will be anonymized (user identifiers removed) rather than deleted if the data is needed for ongoing system safety monitoring.
10.4 Right to Data Portability
You may export your Protocol Documents (original PDFs) at any time through the Service interface. For other data categories, contact us at founders@maxoutput.ai.
10.5 Right to Opt Out of Sale or Sharing
We do not sell or share your personal information with third parties for cross-context behavioral advertising. This right is listed for completeness under California Consumer Privacy Act (CCPA) requirements. There is no sale or sharing activity to opt out of.
10.6 Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. Exercising these rights will not result in changes to pricing, service quality, or access.
10.7 Exercising Your Rights
To exercise any of the rights described above, contact us at:
Email: founders@maxoutput.ai
Subject line: "Privacy Request — [Your Request Type]"
We will verify your identity before processing any request. We will respond to all verified requests within 30 days. If we need additional time (up to 60 days total), we will notify you of the extension and the reason.
11. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
11.1 Applicability
As of the effective date of this Policy, Provider is a pre-revenue startup that does not meet the statutory applicability thresholds of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Specifically, Provider does not: (a) have annual gross global revenue exceeding $26.625 million; (b) annually buy, receive, sell, or share the personal information of 100,000 or more California consumers, households, or devices; or (c) derive 50% or more of annual revenue from selling or sharing consumers' personal information.
11.2 Voluntary Compliance
Notwithstanding the above, Provider voluntarily aligns this Policy with CCPA/CPRA principles to support institutional vendor risk assessments and demonstrate our commitment to data privacy. The rights described in Section 10 are available to all Users, including California residents, regardless of whether the CCPA technically applies to Provider.
11.3 Categories of Personal Information
For purposes of CCPA disclosure, the categories of personal information we collect, the purposes of collection, and the categories of third parties with whom information is shared are described in Sections 3, 6, and 7 of this Policy, respectively.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those necessary to provide the Service.
12. AI TRANSPARENCY AND REGULATORY DISCLOSURES
12.1 Use of Generative Artificial Intelligence
The Service is powered by generative artificial intelligence technology. All responses generated by the Service are machine-generated and should be treated as AI-assisted outputs requiring human verification. The Service displays a persistent disclaimer: "Cora is an AI assistant. All responses should be verified against source documents before making clinical decisions."
12.2 Nature of AI Processing
The Service uses a Retrieval-Augmented Generation (RAG) architecture. The AI does not generate answers from general knowledge. It retrieves relevant text sections from your uploaded Protocol Documents and generates answers grounded exclusively in that retrieved source material. A separate AI verification step fact-checks answers against the source text before delivering them to you.
12.3 AI Accuracy Limitations
Due to the inherent probabilistic nature of large language models, AI-generated outputs may contain inaccuracies, omissions, or errors. The Service assigns confidence levels (HIGH, MEDIUM, LOW) to every response. Low-confidence answers display a visible warning and recommend verification with the Principal Investigator. All outputs, regardless of confidence level, must be verified against source documents.
12.4 Administrative Reference Tool — Not Clinical Decision Support
The Service is an administrative reference tool. It does not provide clinical decision support, does not recommend treatments, does not predict patient outcomes, and does not make or substantially factor into consequential decisions regarding patient care, treatment, or clinical trial eligibility. The Service retrieves and presents information already contained in documents uploaded by the User. Users can independently review the same information in the original source document.
12.5 No Automated Decision-Making
The Service does not make automated decisions with legal or similarly significant effects on Users. AI outputs are informational and advisory only. All clinical and operational decisions remain the sole responsibility of qualified clinical research professionals.
12.6 Regulatory Alignment
This Policy is drafted with awareness of emerging AI transparency requirements, including the Colorado Artificial Intelligence Act (SB 24-205, effective June 30, 2026), the California Generative AI Training Data Transparency Act (AB 2013, effective January 1, 2026), the California AI Transparency Act (SB 942, effective August 2, 2026), and the Utah Artificial Intelligence Policy Act (SB 149).
Provider does not fine-tune, retrain, or substantially modify the foundational AI models accessed through its infrastructure provider. The Service uses these models via API for inference only. Provider does not meet the statutory definition of a "developer" under AB 2013 (California) as it does not design, code, or substantially modify the underlying AI models.
Provider does not meet the threshold of a "covered provider" under SB 942 (California), which applies to entities with over one million monthly users.
The Service is not a "high-risk AI system" under the Colorado AI Act as it does not make or substantially factor into consequential decisions. It is an administrative reference tool as described in Section 12.4.
13. DATA DELETION UPON TERMINATION
Upon termination of the agreement between Provider and User (or upon User's written request):
- Protocol Documents (original PDFs): Permanently deleted from Supabase Storage within 30 days.
- Text chunks and vector embeddings: Permanently deleted from Supabase PostgreSQL within 30 days.
- Account information: Permanently deleted within 30 days.
- Chat session history: Permanently deleted within 30 days.
- AI interaction logs: Anonymized (user identifiers removed) and retained only if required for clinical audit trail compliance, or permanently deleted if no regulatory retention obligation applies. See Section 8.1.
- Feedback data: Anonymized (user identifiers removed) and retained for up to 6 months post-termination, then permanently deleted.
- Safety escalation reports: Anonymized (user identifiers removed) and retained for up to 24 months post-termination for safety monitoring and legal defense purposes, then permanently deleted.
Upon request, Provider will issue a written Certificate of Destruction confirming that all primary records, vector embeddings, and associated data have been purged from production systems. Any residual data in automated backup systems will be securely overwritten in accordance with the applicable sub-processor's standard data retention cycling protocols.
14. CHILDREN'S PRIVACY
The Service is designed for use by clinical research professionals in a professional capacity. The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.
15. INTERNATIONAL DATA TRANSFERS
All data is stored and processed on infrastructure located within the United States. If you access the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.
If Provider expands to serve users in the European Economic Area (EEA) or United Kingdom, this Policy will be updated to address GDPR-specific requirements, including lawful bases for processing, Data Protection Officer designation, and appropriate transfer mechanisms (e.g., Standard Contractual Clauses).
16. CHANGES TO THIS POLICY
We may update this Policy from time to time. If we make material changes, we will:
- Post the updated Policy on the Service with a revised "Last Updated" date
- Notify you via the email address associated with your account at least fourteen (14) days prior to the effective date of the material change
- Where required by law, obtain your consent before the changes take effect
Material changes include, but are not limited to: changes to our AI infrastructure provider, changes to sub-processors that handle Protocol Documents, changes to data retention practices, or changes to how we use AI interaction data.
Your continued use of the Service after the effective date of any change constitutes acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Service.
17. CONTACT US
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled:
Max Output LLC
Email: founders@maxoutput.ai
Subject line for privacy requests: "Privacy Request — [Your Request Type]"
We aim to respond to all inquiries within 5 business days and to all formal privacy requests within 30 days.
Provider: Max Output LLC | North Carolina | founders@maxoutput.ai
Service: Cora | https://cora.getmaxoutput.com
Document Version: PP-v1.0-2026-02-25
Framework: Custom-drafted for AI SaaS in clinical research context