This policy describes which personal data People's Group processes in connection with People's Research, why we process it, how we protect it, and what rights you have. The policy covers visits to peoplesresearch.ai as well as enquiries from researchers, hospitals, universities and medtech companies via the contact form.
1 Who we are
People's Research is a consent-borne research environment for clinical studies, delivered by People's Group, Teglværksvej 2, 5600 Faaborg, Denmark (CVR 40930809).
Enquiries can be directed to:
- General contact: hello@peoplesresearch.ai
- Privacy matters and rights requests: support@peoplesresearch.ai
- Security incidents: support@peoplesresearch.ai
2 Roles and data responsibility
People's Group is data controller for the personal data processed via this website and in the initial dialogue with researchers, clinical departments, universities and medtech companies. This covers contact form data, support correspondence and visit analytics.
In the research studies themselves - where citizen consent gates access to clinical data - the research institution running the study is data controller for the study's dataset. People's Group provides the research environment and acts as data processor under a data processing agreement (GDPR Art. 28). The citizen controls the granular consent per study via People's Wallet.
This policy covers the data controller role for visitors to the site and for incoming enquiries. For study datasets, please refer to the data processing agreement concluded with the individual research institution.
3 Which data we process
We process the following categories of data from you as a visitor or enquirer:
- Contact form: name, work email, organisation, role, sector and your message to us.
- Technical metadata: referrer, language preference, timestamp, any UTM parameters.
- Session data: anonymised session ID and form flow time (elapsed_ms) for bot protection.
- Analytics (consent only): anonymised usage data via cookie-based tracking.
We do not process special categories of personal data (GDPR Art. 9) through the website. Clinical data from citizens is included in research studies under the citizen's explicit consent (GDPR Art. 9(2)(a)) and is regulated by the study's data processing agreement - not by this policy.
4 Purpose and legal basis
Each category of information is processed for a specific purpose with a specific legal basis:
- Contact form, purpose: respond to enquiry and initiate dialogue about a possible study or collaboration. Legal basis: consent (GDPR Art. 6(1)(a)).
- Technical metadata and session data, purpose: operational security, bot protection and access documentation. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). Balancing test: the need to protect the research environment and visitors from misuse outweighs the individual visitor's interest in complete absence of logging.
- Analytics, purpose: improve the website and its content. Legal basis: consent (GDPR Art. 6(1)(a)).
5 AI, automation and human oversight
The research environment includes AI assistance for hypothesis, literature and trend work. The AI makes no clinical decisions and does not diagnose participants. The researcher sees the source, approves the proposal and signs the final output. Every time.
For visitors to peoplesresearch.ai, no automated decision-making takes place under GDPR Art. 22. The contact form is answered manually by the research team.
People's Research is designed with EU AI Act high-risk obligations in mind - audit trail, transparency and human oversight from the start. We say "aligned" and not "compliant" where the regime is not yet fully in force (high-risk obligations from 2027).
6 No training on clinical data
Clinical data from citizens - chart notes, lab results, wearable readings, citizen-reported responses - is used exclusively for the study the citizen has consented to. Data is never sent to external AI APIs, including OpenAI, Anthropic, Google or other third-party providers, and is not used for training, fine-tuning or model optimisation, neither in identifiable, anonymised nor aggregated form.
Model updates come from external, documented sources and undergo internal validation before being put into production.
7 Retention and deletion
We retain information only as long as necessary for the purpose for which it was collected:
| Data category | Retention period |
|---|---|
| Contact form (without subsequent collaboration) | 24 months from receipt |
| Contact form (collaboration concluded) | Duration of collaboration + 5 years (Bookkeeping Act) |
| Technical operational logs | 185 days |
| Analytics data | Deleted on consent withdrawal or at the latest after 26 months |
| Encrypted backups | Included in the above periods; deletion requests are reapplied to restored backups |
Citizen consent for study participation is managed separately via People's Wallet - the study's own retention rules apply, and the citizen can at any time withdraw consent with one tap. Requests for earlier deletion of contact form data should be directed to support@peoplesresearch.ai.
8 Sub-processors
We use sub-processors in the following categories:
- Cloud hosting of peoplesresearch.ai in EU region.
- AI compute for the research environment on EU-hosted infrastructure via People's Lab.
- Form handling on EU-hosted infrastructure.
An up-to-date list of specific sub-processors can be requested from support@peoplesresearch.ai. Research institutions that have concluded a data processing agreement are notified of changes with at least 30 days' notice, per the data processing agreement.
9 Data location
The core of the research environment - compute, storage and AI inference for study datasets - runs on EU-hosted infrastructure in the Frankfurt region via People's Lab. Study datasets do not leave the EU.
This website (peoplesresearch.ai) is hosted by a provider in EU region. Contact form data passes through EU-hosted infrastructure.
10 Transfers outside the EU/EEA
For the core of the research environment: no transfers outside the EU/EEA. Study datasets, AI inference and backups remain on EU-hosted infrastructure.
For the website hosting, a provider with primary business activity outside the EU is used, in EU region. Operational metadata (not form data) may theoretically be transferred to the US through the provider's global infrastructure. Such transfer is covered by EU Standard Contractual Clauses (SCC). Contact form data containing personal data is processed exclusively in EU-hosted infrastructure.
11 Technical and organisational security measures
We have implemented the measures appropriate to the risk under GDPR Art. 32, including particularly stringent requirements for clinical research data:
Encryption:
- In transit: TLS 1.2 or newer on all network traffic.
- At rest: full-disk encryption on database servers.
- Backups: AES-256 encryption on separate EU storage.
Access control:
- Role-based access control (RBAC) with least-privilege principle.
- Access to study data is gated behind a data-access committee.
- MFA/TOTP required for all privileged access.
- VPN required for administrative access to production.
- Four-eyes principle for production changes.
Monitoring and integrity:
- File integrity monitoring on production nodes.
- Centrally collected system logs.
- SHA-256 hashing of critical transaction logs (immutable audit trail).
- Trail of who has seen which study datasets - visible to the citizen via Wallet.
Organisational:
- Staff by default have no access to study data (no-access support model). Access in specific support situations requires prior approval from the research institution and is documented.
- Confidentiality agreements for all personnel with access to the production environment.
- Regular security training.
12 Research independence
Pharma-sponsored studies on the research environment cannot suppress unfavourable findings. Study protocols are registered before data access, and results are reported regardless of sponsor outcome. University collaborations retain full publication freedom. Policy document available on request.
13 Your rights
You have the following rights under GDPR. Which route your request takes depends on whether we process your information as data controller (visits to the site, contact form, collaboration dialogue) or as data processor (study datasets in the research environment):
- Access (Art. 15): obtain confirmation of whether we process information about you, and a copy of the information.
- Rectification (Art. 16): have incorrect information corrected.
- Erasure (Art. 17): have information deleted without undue delay when the conditions in Art. 17(1) are met.
- Restriction (Art. 18): restrict our processing in specific situations.
- Data portability (Art. 20): receive information in a structured, commonly used and machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7(3)): where processing is based on consent, consent can be withdrawn with future effect. For study participation, consent is withdrawn directly in People's Wallet.
How to exercise your rights:
- For study data in the research environment (we are data processor): contact the research institution behind the study. The citizen can withdraw consent directly in People's Wallet.
- For visits to the site, contact form and collaboration dialogue (we are data controller): contact support@peoplesresearch.ai.
We respond within 30 days, per GDPR Art. 12(3). Complex requests can be extended by up to two months with reasoned notice within the same deadline. We do not charge a fee unless the request is manifestly unfounded or excessive (Art. 12(5)).
14 Security breach
If a breach of personal data security occurs:
- The Danish Data Protection Agency is notified within 72 hours of detection, per GDPR Art. 33.
- Affected research institutions (data controllers for study datasets) are notified as quickly as possible, internal goal 48 hours from breach detection.
- Affected data subjects - including citizens whose study data is involved - are notified by the data controller per Art. 34, if the breach is likely to result in a high risk to their rights and freedoms.
Security incidents can be reported to support@peoplesresearch.ai.
15 Cookies and website tracking
peoplesresearch.ai currently uses only strictly necessary cookies (session ID and language preference). We do not use marketing trackers, fingerprinting or cross-site tracking.
Analytics cookies are set only with active consent via the cookie banner. Consent can at any time be withdrawn via "Cookie settings" at the bottom of the page.
16 Complaint to the Danish Data Protection Agency
You can lodge a complaint with the Danish Data Protection Agency if you believe that our processing of your information violates data protection rules:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Telephone: +45 33 19 32 00
dt@datatilsynet.dk
www.datatilsynet.dk
You do not need to have contacted us first, but we encourage you to give us the opportunity to find a solution before you complain.
17 Changes to this policy
Material changes are communicated to registered partners via email at least 30 days before entry into force. Minor changes (clarifications, updated contact details) may be published without separate notice.
Previous versions can be requested via support@peoplesresearch.ai.