Privacy Policy
Yendou Privacy Policy
Last Updated: March 20, 2026
This Yendou Privacy Policy ("Privacy Policy") applies to the collection, use, transfer, and disclosure of personal information for users of the Yendou platform ("Platform"), a website and application of Yendou GmbH, Rheinsberger Strasse 31, 10435 Berlin, Germany ("Yendou", "we", "our", and/or "us"). We value the privacy of individuals ("you", "your" and/or "users") who use the Platform.
Your Personal Information
We may collect a variety of information from or about you or your devices from various sources, as described below. If you do not provide your information when requested, you may not be able to use the Platform if that information is necessary to provide you with the Platform or if we are legally required to collect it.
When you use the Platform, you may provide us with personal information, such as your name, telephone number, email address, job title, and organization details. You may also provide profile preferences including your availability, communication channel preferences, and connections with other users.
For site networks/contributors, we collect Contributor Data such as site infrastructure details, patient population availability, operational data, and staff personal information (e.g., names, emails, phone numbers, CVs, GCP certifications) for the global site directory.
We may also collect your IP address, web browser type, operating system version, phone or internet carrier, manufacturer, application installation details of the Platform, and device identifiers.
Information Collected from Public Sources
We may collect professional information about clinical investigators, research site staff, and other individuals from publicly available sources, including clinical trial registries (such as clinicaltrials.gov and EU Clinical Trials Register), professional directories, institutional websites, and public databases. This information includes names, contact details, professional qualifications, institutional affiliations, and clinical trial experience. We process this data on the basis of our legitimate interest in maintaining an accurate and comprehensive global site directory (see GDPR section below for legal basis details). Due to the large volume of publicly available records processed, individual notification to each data subject is not feasible and would involve disproportionate effort within the meaning of GDPR Article 14(5)(b). As an alternative measure, we make this Privacy Policy publicly available, maintain an opt-out mechanism, and review data at least quarterly for accuracy. If your information has been collected from public sources and you wish to access, correct, or request deletion of your data, or to object to this processing, please contact us at zina@yendou.com. Upon receiving a valid objection, we will cease processing and remove your data from the directory within 30 calendar days, unless we demonstrate compelling legitimate grounds that override your interests. We will inform you of the outcome.
Sensitive Data
The Platform is not designed to collect or process special category data as defined under GDPR Article 9. Users must not intentionally submit special category data (including health data) to the Platform. However, certain user-generated content -- such as feasibility questionnaire responses, investigator medical specialties, or patient population information -- may incidentally contain health-related information. Yendou does not monitor user-submitted content for the presence of special category data. Where such data is incidentally present, it has been manifestly made available by the user or sourced from public registries (GDPR Art. 9(2)(e)), and is subject to the same security safeguards described in the Security section of this Policy. Responsibility for ensuring that submitted data is appropriate for the Platform rests with the user or their organization as data controller. Customers are advised to consider the suitability of Platform features for processing data that may contain special category information.
How We Use Your Information
We may use the information we collect for the following purposes and as otherwise described in this Privacy Policy:
To provide, maintain, improve, and enhance the Platform;
To create and improve profiles about you or your sites within the Platform that we may share with third parties;
To personalize your experience on the Platform, such as by providing tailored content, site recommendations, and visibility to business opportunities providers;
To understand and analyze how you use the Platform and to help us improve it to develop new products, features, and functionalities by collecting information about your use of and interactions within the Platform, like the pages or content you view, searches you conduct, connections you make, comments/posts, communications via the Platform, services/transactions requested, and dates/times of interactions;
To communicate with you, provide updates and other information relating to the Platform, provide information that you request, respond to comments and questions, and otherwise provide support;
To facilitate connections with third-party services or applications;
To generate and publish reports, provide analytics or to support Yendou products that we may provide to Yendou customers and for which we may charge a fee;
To understand and analyze site data for business benefits, such as enabling access to clinical trial opportunities;
To find and prevent fraud and respond to trust and safety issues that may arise;
For compliance purposes, including enforcing our Terms or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency; and
For other purposes for which we provide specific notice at the time the information is collected.
Data Controller and Processor Roles
Yendou acts as a data controller for personal data collected directly from Platform users (e.g., account registration, platform usage) and from public sources (e.g., clinical trial registries). Yendou acts as a data processor for personal data managed by customers on the Platform (e.g., research site and contact data uploaded or maintained by a customer organization). If your data is managed by a Yendou customer and you wish to exercise your data protection rights, please direct your request to that customer as the data controller. Yendou enters into Data Processing Agreements with customers in accordance with GDPR Article 28. To request a DPA, contact zina@yendou.com.
Sharing Your Personal Information
We may share personal information about you as described in this Privacy Policy.
Yendou Affiliates, Subsidiaries, Service Providers, and Other Third Parties: We may share personal information about you with our affiliates and subsidiaries and with our service providers for the purpose of providing the Platform. These service providers include cloud infrastructure providers, analytics providers, email delivery providers, collaborative tooling providers, and artificial intelligence (AI) service providers. AI service providers may process certain Platform data, including communications and CRM records, to provide AI-assisted features, which are opt-in and may be enabled or disabled by you or your organization. Data is not pseudonymized or filtered before transmission to AI service providers; customers are responsible for ensuring that data processed by AI-assisted features is appropriate for transmission to third-party providers. Our service providers do not use your data submitted through the Platform for training their own models. A complete list of authorized sub-processors is provided in the Authorized Sub-Processors section below. We may also share personal information about you with third parties who access Yendou products, reports, or analytics that include information you have shared through the Platform.
Other Users of the Platform: We display your user profile, posts, and site details (e.g., qualification data) on the Platform for other users to view, subject to Visibility Controls and your consents.
As Required By Law and Similar Disclosures: We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others' rights, property, or safety.
Merger, Sale, or Other Asset Transfers: We may transfer your information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets.
Consent: We may also disclose your information with your permission or at your direction, such as granular consents for sharing with all clinical trial provider clients or logo use in marketing.
Information from Cookies and Similar Technologies
We collect information using cookies, pixel tags, and similar technologies. Cookies are small text files containing a string of alphanumeric characters. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Platform.
We use cookies that are strictly necessary for the Platform to function. These include authentication cookies (which expire after 30 days if not refreshed) and cookies set by PostHog, which provides essential platform functionality including feature delivery, error tracking, and operational monitoring. Third-party cookie retention periods are determined by the respective provider. Because these functions are required for the Platform to operate correctly, these cookies do not require separate consent. We do not use cookies for advertising or cross-context behavioral tracking.
Please review your web browser's "Help" file to learn the proper way to modify your cookie settings. Please note that if you disable strictly necessary cookies, the Platform may not function correctly.
Third Parties
The Platform may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party sites and services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.
Security
The Platform implements security safeguards to protect the personal information it collects and uses. Yendou partners with internationally recognized cloud platform providers, such as Microsoft Azure, to provide the Platform. These cloud providers operate data centers certified against established standards such as ISO 27001 and SOC 2. All data is encrypted in transit and at rest using industry-standard encryption. The security of your personal information, the service, and the infrastructure it operates on are protected by a combination of security controls provided by our cloud platform provider and additional security measures, which are monitored by a dedicated Yendou Security Operations team. Yendou is currently undergoing SOC 2 Type II certification. Yendou's data handling practices, including audit logging, access controls, and data integrity measures, are designed to support customers' compliance obligations under ICH Good Clinical Practice (GCP) guidelines. Customers requiring specific GCP compliance commitments should refer to their Master Services Agreement or contact us to discuss a Quality Agreement.
Children's Privacy
We do not knowingly collect, maintain, or use personal information from children under 16 years of age, and no part of the Platform is directed or marketed to children.
HIPAA
The Platform is not designed to store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), and Yendou is not a Covered Entity or Business Associate by default. Users must not submit PHI to the Platform absent a separately executed Business Associate Agreement (BAA). Aggregate feasibility-level site data (such as patient population counts by therapeutic area) is generally not considered PHI; however, customers are responsible for ensuring that data submitted to the Platform does not contain individually identifiable health information absent a BAA. If your use of the Platform involves PHI, please contact us at zina@yendou.com to discuss a BAA prior to submitting such data.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following general retention periods apply:
Account data: Retained for the duration of your relationship with Yendou, plus a reasonable period thereafter (typically 3 years) to address any post-termination inquiries or legal obligations.
Platform usage and analytics data: Retained for up to 24 months.
AI provider processing: Data transmitted to AI service providers is retained by those providers for up to 30 days for abuse and safety monitoring, after which it is automatically deleted.
Public source directory data: Reviewed at least quarterly for accuracy and relevance. Retained for no longer than 5 years from last verification of accuracy, after which records are re-verified or deleted.
Transactional email logs: Retained for up to 12 months.
Deletion requests will be honored subject to applicable legal and regulatory hold requirements. In particular, customers in regulated industries (such as clinical research) may be subject to retention obligations under applicable laws and regulations that supersede deletion requests.
Changes to this Privacy Policy
We will post adjustments to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we use or share personal information previously collected from you through the Platform, we will notify you through the Platform, by email, or other form of communication.
Data Breach Notification
Yendou maintains a data breach response procedure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and the relevant supervisory authorities within the timeframes required by applicable law.
Right to Access, Change, or Delete Your Personal Data
If you wish to access, amend, or delete any personal information you have provided to us, you may contact us via email at zina@yendou.com. You may also direct data protection inquiries to our Data Protection Officer at alexander@yendou.com. We will respond to data subject requests within 30 days, or the applicable statutory period. You also have the right to lodge a complaint with your relevant supervisory authority. For withdrawal of consents (e.g., data sharing or logo use), use platform settings or the same email -- revocation triggers immediate cessation and deletion where feasible.
Region-Specific Policies
CCPA/CPRA
This section supplements the information contained in the rest of our Privacy Policy and applies to all Consumers residing in the state of California according to "The California Consumer Privacy Act of 2018" (California Civil Code Sections 1798.100 to 1798.199) as amended by the California Privacy Rights Act of 2020 ("CPRA"), and their implementing regulations (collectively, "CCPA"). Consumers are referred to below as "you", "your", "yours", and, for such Consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in the Privacy Policy. This part of the Privacy Policy uses the terms "Consumer", "Personal Information", "Sale", "Share" and "Business Purpose" as they are defined in the CCPA. All other capitalized terms in this section of the Privacy Policy are intended to have the same meaning as in the CCPA.
Categories of Personal Information Collected
Yendou collects the following categories of Personal Information: identifiers (name, email address, phone number), professional information (job title, organization, qualifications, CVs, certifications), internet or electronic network activity (IP address, browser type, Platform usage data), and general geolocation data (derived from IP address).
Sale and Sharing of Personal Information
Yendou does not sell or share Personal Information as defined under the CCPA. Personal data made available to customers through the Platform, including curated professional directory information sourced from publicly available registries, is provided as part of Yendou's Platform services and constitutes a disclosure for a business purpose, not a sale.
Your CCPA Rights
As a California Consumer, you have the right to:
Know what Personal Information we collect, use, and disclose about you;
Delete Personal Information we have collected from or about you, subject to certain exceptions;
Correct inaccurate Personal Information we maintain about you;
Limit the use of sensitive Personal Information to purposes authorized by the CCPA;
Opt out of automated decision-making technology, including profiling, to the extent applicable;
Non-discrimination for exercising your privacy rights.
Exercising Your CCPA Rights
To exercise your CCPA rights, contact us at zina@yendou.com. We may need to verify your identity by matching request details against existing account information before fulfilling your request. We will respond within 45 days of receiving a verifiable request. We will not discriminate against you for exercising your rights.
GDPR
This section provides specific information about how the Platform complies with the EU General Data Protection Regulation ("GDPR"). It supplements the information contained in the rest of our Privacy Policy and applies to all data subjects residing in the European Union, the United Kingdom, or Switzerland.
Our EU Data Protection Officer and Information Security Officer have assessed our obligations as a data controller for the Platform. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient, and creating better relationships with our users and those whose data they collect.
Legal Bases for Processing
In compliance with the EU General Data Protection Regulation, Yendou processes your personal data based on the following legal bases:
Provide, maintain, and improve the Platform — Contractual necessity (Art. 6(1)(b))
Communicate with you, respond to inquiries — Contractual necessity (Art. 6(1)(b))
Facilitate third-party service connections — Contractual necessity (Art. 6(1)(b))
Create and improve profiles, site recommendations — Legitimate interest (Art. 6(1)(f)) -- operating and improving the Platform
Personalize your experience — Legitimate interest (Art. 6(1)(f)) -- providing relevant content and recommendations
Analyze Platform usage and develop new features — Legitimate interest (Art. 6(1)(f)) -- improving our services
Generate reports and analytics for customers — Legitimate interest (Art. 6(1)(f)) -- providing valuable products and services
Analyze site data for clinical trial opportunities — Legitimate interest (Art. 6(1)(f)) -- enabling access to business opportunities
Collect and curate data from public sources — Legitimate interest (Art. 6(1)(f)) -- maintaining an accurate global site directory, including providing curated directory information to customers as part of paid services
Fraud prevention and trust/safety — Legitimate interest (Art. 6(1)(f)) -- protecting users and the Platform
AI-assisted features — Consent (Art. 6(1)(a)) -- opt-in, may be withdrawn at any time
Legal compliance and enforcement — Legal obligation (Art. 6(1)(c))
Where we rely on legitimate interest, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time. Yendou conducts Data Protection Impact Assessments where required under GDPR Article 35.
By using the Platform, you acknowledge this Privacy Policy. The processing of your personal data is based on the legal bases described above. Where consent is required (e.g., for optional AI-assisted features), we will obtain it separately and you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal. You may withdraw consent by contacting Yendou via email at zina@yendou.com or through Platform settings.
Transfer of Your Personal Data Outside of the EU
Yendou collects and processes your data in the European Economic Area (EEA). Some of our sub-processors are located outside the EEA, including in the United States. Any transfer of or access to personal data outside of the EEA will only be made using legal mechanisms approved by the EU, such as the EU Standard Contractual Clauses (SCCs) and supplementary technical, organizational, and contractual measures. Copies of the relevant Standard Contractual Clauses are available upon request by contacting zina@yendou.com.
For data subjects in the United Kingdom, in accordance with the UK GDPR and the Data Protection Act 2018, transfers are governed by the UK International Data Transfer Addendum to the EU SCCs. The relevant supervisory authority is the UK Information Commissioner's Office (ICO). For data subjects in Switzerland, transfers are governed by the Swiss Federal Act on Data Protection (nFADP), and the relevant authority is the Federal Data Protection and Information Commissioner (FDPIC).
Your Data Privacy Rights Under the GDPR
You can exercise your data protection rights under Articles 15-22 GDPR, including the right to access, rectify, restrict, or erase your data, to object to processing, to data portability, and to withdraw consent. These rights may be exercised free of charge by contacting Yendou at zina@yendou.com. We will respond within one month, which may be extended by two months for complex requests. You may also lodge a complaint with your relevant supervisory authority. For Yendou, the lead supervisory authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).
Automated Decision-Making and Profiling
The Platform may use AI-assisted features to provide recommendations, such as matching research sites to clinical trial opportunities. These features are assistive in nature and do not produce solely automated decisions that have legal or similarly significant effects on individuals. Human review is involved in consequential decisions. You have the right to object to processing based on profiling under Article 21 GDPR.
How Long Your Personal Data Is Kept
Retention periods are described in the Data Retention section above. In general, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected, subject to applicable legal retention obligations. You may request deletion by contacting Yendou at zina@yendou.com.
Yendou's Data Protection Officer
Yendou has voluntarily appointed a Data Protection Officer, who can be contacted at alexander@yendou.com.
LGPD
Law no. 13.709/2018 of Brazil, the Lei Geral de Proteção de Dados Pessoais ("LGPD"), entered into effect on August 16, 2020. The LGPD applies to businesses (both inside and outside Brazil) that process the personal data of users who are located in Brazil. The LGPD provides users with the following rights regarding their data:
confirmation of the existence of treatment;
access to data;
correction of incomplete, inaccurate or outdated data;
anonymization, blocking or elimination of unnecessary, excessive or treated data in discrepancy with the provisions of the law;
data portability to another service provider or product, upon express request and observance of commercial and industrial secrets, in accordance with the regulations of the controlling body;
data portability to another service or product provider, upon express request, in accordance with the national authority regulations, observing the commercial and industrial secrets;
elimination of personal data processed with the consent of the holder, except in the cases provided for in Article 16 of the law;
information of any public and private entities with which the controller has made shared use of data;
information on the possibility of not providing consent and on the consequences of refusal;
revocation of consent, pursuant to paragraph 5 of Article 8 of the law.
Legal Bases for Processing under LGPD
Yendou processes personal data of users located in Brazil on the following legal bases under LGPD Art. 7: consent (Art. 7(I)) for optional features such as AI-assisted features; compliance with legal or regulatory obligations (Art. 7(II)); execution of a contract or preliminary procedures related to a contract (Art. 7(V)) for core Platform functionality; exercise of rights in judicial, administrative, or arbitration proceedings (Art. 7(VI)); legitimate interest (Art. 7(IX)) for analytics, directory services, and Platform improvements, subject to a balancing test against the rights and freedoms of the data subject. For further detail, refer to the Legal Bases for Processing table in the GDPR section above.
International Data Transfers
Personal data of users located in Brazil may be transferred to countries outside Brazil, including the United States, where some of our sub-processors are located. Such transfers are carried out in compliance with LGPD Arts. 33-36 and are subject to standard contractual clauses or equivalent safeguards ensuring an adequate level of data protection.
Encarregado (Data Protection Officer)
Yendou's Encarregado, appointed in accordance with LGPD Art. 41, can be contacted at alexander@yendou.com.
Complaints
You may file a complaint regarding Yendou's processing of your personal data with the Autoridade Nacional de Proteção de Dados (ANPD). More information is available at the ANPD's official website.
Authorized Sub-Processors
The following sub-processors are authorized to process personal data on behalf of Yendou in connection with the Platform.
Microsoft Azure (Microsoft Corporation) — Cloud infrastructure, hosting, and managed database services (EU / US)
PostHog, Inc. — Product analytics and feature delivery (US)
Postmark (ActiveCampaign, LLC) — Transactional email delivery (US)
TipTap GmbH — Collaborative document editing and synchronization (EU)
OpenAI, L.L.C. — AI services (US)
Anthropic, PBC — AI services (US)
Yendou will provide at least 30 days' advance notice to affected customers before adding or removing sub-processors. Customers may object to a new sub-processor by contacting zina@yendou.com within that notice period.