GalenLogic, LLC ("GalenLogic," "we," "us," or "our") operates the AURA pharmacovigilance platform. We are committed to protecting the privacy of our customers, their users, and the individuals whose data may appear in safety reports processed through AURA. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
This Privacy Policy applies to:
This Policy applies to information about Customer Users — employees and contractors of our business customers who use AURA — and Site Visitors who browse our marketing site.
This Policy does not govern the personal data of patients or reporters contained within adverse event cases submitted by our customers. That data is Customer Data, processed on behalf of our customers under their instructions and their applicable regulatory obligations. Customers are the data controllers for patient data; GalenLogic acts as a data processor.
When you or your organization creates an account, we collect:
As you use AURA, we automatically collect:
When you contact us via email (e.g., Demo@aurapv.com) or submit a demo or beta request, we collect the information you provide, including your name, email, organization, and the content of your message.
When you visit our marketing site, we may collect standard web server logs including IP address, browser, referring URL, and pages visited. We do not use persistent third-party analytics trackers on the marketing site.
AURA processes case data submitted by customers, which may include information about patients (age, sex, medical history, adverse events) and reporters. This data is processed as described in Section 5.
| Purpose | Legal Basis |
|---|---|
| Providing and operating the AURA platform | Contract performance |
| Authenticating users and maintaining session security | Contract performance; Legitimate interest |
| Generating audit trails for 21 CFR Part 11 compliance | Legal obligation; Contract performance |
| Responding to support requests and communications | Legitimate interest; Contract performance |
| Sending account-related notifications (billing, security alerts) | Contract performance; Legal obligation |
| Improving platform features and AI model performance (anonymized) | Legitimate interest |
| Detecting and preventing fraud, abuse, or security incidents | Legitimate interest; Legal obligation |
| Complying with legal obligations and responding to lawful requests | Legal obligation |
We do not use Customer Data to train external AI models or share it with AI providers in identifiable form.
AURA is built on Google Firebase (part of Google Cloud Platform). This means:
Google's data processing terms and applicable Google Cloud certifications (including ISO 27001, SOC 2) govern GalenLogic's use of Firebase infrastructure. Data is stored in Google Cloud data centers in the United States by default.
Adverse event case records submitted through AURA may contain sensitive information about patients, including health conditions, medications, and outcomes. This data is considered highly sensitive and is handled accordingly.
Your organization (the Customer) is the data controller for patient data entered into AURA. GalenLogic acts as a data processor, processing this data only on your instructions and for the purposes of providing the Service.
If you are a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA) and you intend to process protected health information (PHI) through AURA, you are responsible for ensuring appropriate contractual safeguards are in place. Please contact us at Demo@aurapv.com to discuss a Business Associate Agreement (BAA) before processing PHI.
Patient data submitted to AURA is used exclusively to provide case management, reporting, and export services to your organization. GalenLogic does not use patient data for marketing, analytics, AI training, or any purpose other than delivering the contracted Service.
We encourage customers to enter only the minimum information necessary for regulatory reporting purposes and to apply appropriate de-identification or pseudonymization where permitted by their regulatory obligations.
GalenLogic does not sell personal information. We share information only in the following limited circumstances:
We share data with third-party service providers who process it on our behalf to deliver the Service:
All service providers are bound by contractual data processing obligations and are prohibited from using your data for their own purposes.
We may disclose information if required by law, regulation, court order, or lawful government request, or where we believe disclosure is necessary to protect the rights, property, or safety of GalenLogic, our customers, or the public.
In the event of a merger, acquisition, reorganization, or sale of substantially all of GalenLogic's assets, Customer Data may be transferred as part of that transaction. We will provide notice of such events and, where required, seek your consent.
We may share information with third parties when you have given explicit consent.
We retain different categories of data for different periods:
| Data Type | Retention Period |
|---|---|
| Account & user records | Duration of subscription + 90 days post-termination |
| Adverse event case data | Duration of subscription + 30-day export window |
| Audit logs (21 CFR Part 11) | Minimum 7 years or as required by applicable regulation |
| Document attachments (Firebase Storage) | Duration of subscription + 30-day export window |
| Usage logs and error logs | Up to 12 months |
| Marketing communications | Until unsubscribed or contact requests deletion |
After the applicable retention period, data is deleted or permanently anonymized. You may request early deletion of your data subject to our legal obligations (see Section 10).
GalenLogic implements reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, or disclosure, including:
No security system is impenetrable. In the event of a data breach, GalenLogic will notify affected customers without undue delay in accordance with applicable law.
The AURA marketing site uses minimal tracking. We do not currently deploy third-party advertising cookies or persistent analytics trackers. Standard server logs (IP address, browser, pages visited) are collected for security and performance monitoring only.
The AURA web application uses session cookies and local browser storage strictly necessary for authentication and application functionality (e.g., Firebase Authentication session tokens, user preferences). These are not used for advertising or cross-site tracking.
We honor Do Not Track ("DNT") browser signals where technically feasible. Our application does not engage in cross-site behavioral tracking.
Depending on your location, you may have the following rights regarding your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete personal data |
| Deletion | Request deletion of your personal data (subject to legal retention requirements) |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing of your data based on legitimate interest |
| Restriction | Request restriction of processing in certain circumstances |
| Opt-out (CCPA) | California residents may opt out of the sale of personal information (we do not sell data) |
To exercise any of these rights, contact us at Demo@aurapv.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
Note: Rights requests from Customer Users regarding data held within adverse event cases should be directed to your organization (the data controller), not to GalenLogic.
If you are located in the European Economic Area (EEA) or United Kingdom and believe your rights have not been respected, you have the right to lodge a complaint with your local supervisory authority.
GalenLogic is based in the United States. Customer Data is primarily stored and processed in Google Cloud data centers in the United States. If you access AURA from outside the United States, your data may be transferred to and processed in the U.S., which may have different data protection standards than your home country.
For customers in the European Economic Area (EEA) or United Kingdom, GalenLogic relies on applicable transfer mechanisms (including Standard Contractual Clauses where required) to transfer data to the U.S. lawfully. Please contact us to request applicable data transfer documentation.
AURA is a professional enterprise software platform and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. Note that adverse event case records may contain anonymized or pseudonymized data about pediatric patients as part of pharmacovigilance reporting — this is governed by the Customer Data provisions in Section 5, not this section.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users by email at least 30 days before the effective date. The updated policy will also be posted on this page with a revised "Last Updated" date.
Your continued use of AURA after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
For privacy questions, requests, or concerns — including requests to exercise your data rights or to discuss a Business Associate Agreement — please contact:
GalenLogic, LLC
Privacy & Data Inquiries
Demo@aurapv.com
© 2026 GalenLogic, LLC All rights reserved. AURA is a trademark of GalenLogic, LLC