This Privacy Policy (“Policy”) describes how ERMA Systems, Inc. (“ERMA,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with our AI-powered software platform and website (collectively, the “Platform”). Throughout this Policy, references to “you,” “your,” “users,” and “clients” mean both individual Platform users and the organizations they work for. This Policy applies to all users of the Platform. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Use. If you do not agree with this Policy, you must not access or use the Platform.
INFORMATION WE COLLECT:
- User Account Information: The Platform requires account registration. During registration and use, we collect names, email addresses, job roles, and login credentials.
- Client Content and Documents: Users upload content to the Platform for MLR (Medical, Legal, and Regulatory) compliance review and analysis, including reference library documents (clinical studies, data on file, prescribing information, important safety information), marketing materials (PDFs and videos), promotional content for review, and user-generated comments and annotations.
- We do NOT collect Protected Health Information (PHI) under HIPAA, including patient names, medical record numbers, dates of birth, addresses, or other patient identifiers. The Platform is designed for promotional content and regulatory compliance, not patient health records.
- Analytics and Usage Data: We automatically collect technical information through cookies and analytics tools:
  - IP addresses
  - Cookie identifiers and device identifiers
  - Browser type, device type, and operating system
  - Usage patterns (pages visited, session duration, features used, button clicks, workflow actions)
  - User behavior and interaction data (required for FDA 21 CFR Part 11 compliance and audit trails)
  - Geographic location (city level)
- Cookies: We use cookies for two essential purposes: (1) authentication and login to maintain your logged-in state and secure access, and (2) analytics and usage tracking. Authentication cookies are essential for Platform functionality and cannot be declined. You can control analytics cookies through your browser settings.
HOW WE USE INFORMATION: We use collected information for:
- Account Management and Platform Functionality: Verifying user identity, maintaining secure access, managing user accounts and permissions, and providing AI-powered MLR compliance assistance, document analysis, workflow management, and content creation support.
- AI Model Training and Improvement: Using client data, including reference documents, uploaded content, user behavior, and usage analytics, to train and improve our AI models for the benefit of all Platform users. AI training does not occur continuously. Clients may opt out of AI training by contacting us using the information in the Contact Us section. When client data is used for training, we implement anonymization procedures to remove identifying information. AI model improvements derived from aggregate user data benefit all ERMA clients. Even after account termination, anonymized data remains in AI training models per the perpetual license in our Terms of Use.
- Compliance and Audit Requirements: Maintaining audit trails, logs, and usage records required for FDA 21 CFR Part 11 compliance and life sciences regulatory frameworks.
- Marketing Communications: Sending marketing emails, newsletters, and promotional communications about ERMA services and features to registered Platform users. All marketing emails include an unsubscribe link at the bottom of the message. You may opt out of marketing communications at any time by clicking the unsubscribe link or contacting us directly.
- Platform Improvement: Analyzing aggregated usage patterns to improve Platform functionality, user interface, and features.
- Research and Analytics: Conducting research on MLR compliance patterns using anonymized, aggregated data; publishing research findings.
- Legal Compliance: Complying with applicable laws and protecting our legal rights.
- Customer Support: Providing technical support and responding to user inquiries.
- We do NOT use personal information for targeted advertising or profiling with legal/significant effects.
INFORMATION SHARING:
- Third-Party Service Providers: We share data with the following service providers:
- Amazon Web Services (AWS): Platform hosting, data storage (AWS RDS – Relational Database Service), and AI services including Amazon SageMaker (AI model training and deployment), Amazon Textract (document text extraction), and Amazon Comprehend Medical (medical language processing). Data is stored in US East (N. Virginia) or US West (California) regions, as selected by you during onboarding. AWS Privacy Policy: https://aws.amazon.com/privacy/
- Third-Party Integrations: ERMA integrates with Veeva Vault REST API and other MLR platforms as specified in the service description.
- Data Segregation: Each client receives a logically segregated database environment with dedicated datastore and encryption keys through AWS RDS. Client data is encrypted both at rest and in transit. Access to client data is restricted to authorized ERMA personnel on a need-to-know basis. We maintain strict segregation to prevent cross-contamination of competitive information between clients. AI models are trained on aggregated, anonymized data, and one client’s proprietary information is not directly exposed to other clients.
- No Sale of Data: We do not sell, rent, or trade user data to third parties.
- Legal Disclosures: We may disclose information to comply with legal obligations, enforce our Terms of Use, protect rights and safety, address fraud and security issues, or respond to lawful government requests.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred to the successor entity, which will be required to maintain equivalent data protection standards.
- Aggregated Information: We may share anonymized, aggregated information that does not identify individuals or specific clients with third parties for research, publication, or partnerships.
DATA RETENTION AND SECURITY:
- Retention:
  - Client data: Retained for the duration of active subscription; deleted within 60 days of account termination upon request
  - AI training data: Anonymized client data used in AI training remains in models indefinitely, even after account termination, per the perpetual license in our Terms of Use
- Security Measures: We implement industry-standard security measures including data encryption at rest and in transit, multi-tenant architecture with logically segregated databases per client, dedicated encryption keys per client, multi-factor authentication (MFA) available upon client request, Single Sign-On (SSO) integration available upon client request, access controls limiting data access to authorized personnel only, and compliance with FDA 21 CFR Part 11 requirements including identity verification and access control, electronic signatures, audit trails and version control, and document control and system validation.
- Data Export and Deletion: Upon account termination, we provide data export via secure access link during a 60-day transition period and destruction of client data upon request (excluding anonymized data in AI models).
- Limitations: No internet-based system is completely secure. We cannot guarantee absolute security. You are responsible for securing your own devices, credentials, and internet connections.
- Data Breach Response: In the event of a security incident that may affect your account or data, we will notify affected users without unreasonable delay and take appropriate steps to investigate and remediate the issue.
YOUR PRIVACY RIGHTS:
- What Personal Information We Collect: We collect personal information including names, email addresses, job roles, IP addresses, and cookie identifiers. We also collect client content uploaded to the Platform. We do NOT collect patient health information or other sensitive personal data types.
- Opt-Out of Analytics: You may opt out of analytics tracking by:
  - Blocking cookies through browser settings
- Opt-Out of AI Training: You may opt out of having your data used for AI training purposes by contacting us using the information in the Contact Us section. This prevents future use of your data in training but does not remove previously trained models.
U.S. STATE PRIVACY RIGHTS: ERMA is incorporated in Florida with operations in the United States. Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with privacy laws may have rights regarding personal information.
- What We Collect: We collect names, email addresses, job roles, IP addresses, cookie identifiers, and client-uploaded content as described in Section 1. We do not collect sensitive personal information such as health data, biometrics, or precise geolocation under state privacy law definitions.
- The Most Effective Way to Control Your Data: Opt out of analytics using the methods in Section 5, contact us to opt out of AI training, or contact us to delete your account and associated data (excluding anonymized data in AI models).
- Your Rights Under State Privacy Laws:
  - Right to know what personal information we collect and how it’s used
  - Right to access personal information we have collected in a portable format
  - Right to correct inaccuracies in personal information
  - Right to delete personal information (subject to exceptions)
  - Right to opt out of sale (we do not sell data)
  - Right to opt out of targeted advertising (we do not engage in targeted advertising)
  - Right to opt out of profiling with legal/significant effects (we do not engage in such profiling)
  - Right to opt out of processing of sensitive personal information (we do not collect sensitive personal information)
  - Right to non-discrimination for exercising privacy rights
- Limitations on Exercising Rights: We cannot remove anonymized data from AI training models once incorporated. We have limited ability to delete data stored in third-party systems (AWS). Some data must be retained for legal compliance (FDA audit trails, financial records). Data subject to the perpetual license in our Terms of Use remains in AI models even after deletion requests.
- To Submit a Request: Contact us using the information in the Contact Us section of this Policy with “[Your State] Privacy Request” in the subject line. Include your name and email address associated with your account, specific request type (access, correction, deletion, opt-out), and sufficient information to verify your identity. We will respond within 45 days (extendable by 45 additional days if needed).
- Authorized Agents: You may designate an authorized agent to submit privacy requests on your behalf. We may require verification of the agent’s authority (such as a signed permission document or power of attorney) before processing the request.
- Appeals: If we deny your privacy request in whole or in part, you have the right to appeal our decision. To appeal, contact us using the information in the Contact Us section with “Privacy Appeal” in the subject line within a reasonable time after receiving our denial. We will respond to your appeal within 60 days (or as otherwise required by applicable state law).
HIPAA:
- No PHI Collected: The Platform does not collect, store, or transmit Protected Health Information (PHI) under HIPAA. The Platform is designed for marketing content review and MLR compliance, not patient health records.
- Not a Business Associate: ERMA is not a Business Associate under HIPAA. We do not enter into Business Associate Agreements (BAAs).
- Your Responsibility: Users must not upload patient names, medical record numbers, dates of birth, addresses, or other patient identifiers to the Platform. You are solely responsible for ensuring no PHI is uploaded to the Platform. ERMA is not liable for any PHI that users upload in violation of this Policy and the Terms of Use.
CHILDREN’S PRIVACY: The Platform is intended exclusively for business users aged 18 and older working in the life sciences industry. We do not knowingly collect information from individuals under 18. If we learn we have collected such information, we will delete it promptly.
COOKIES AND TRACKING:
- Cookies We Use: We use (i) essential cookies for authentication, login, and Platform functionality that cannot be disabled, and (ii) analytics cookies for usage tracking and behavioral analytics.
- Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to view, delete, and block cookies. Consult your browser’s help documentation for instructions. Disabling analytics cookies will not impair core Platform functionality but will prevent usage tracking. Disabling essential authentication cookies will prevent Platform access.
- Do Not Track Signals: The Platform does not respond to Do Not Track (DNT) browser signals.
THIRD-PARTY LINKS: The Platform may include links to external resources (educational materials, industry publications, regulatory guidance). We are not responsible for third-party privacy practices. Review their privacy policies before interacting with their content.
UNITED STATES ACCESS: Data is stored in AWS data centers located in US East (N. Virginia) or US West (California) regions, as selected by the Client during onboarding. ERMA Platform operations are conducted from the US East region. The Platform is currently available for use only within the United States. Use outside the United States requires separate authorization.
FDA AND LIFE SCIENCES COMPLIANCE:
- FDA 21 CFR Part 11 Compliance: ERMA maintains compliance with FDA 21 CFR Part 11 requirements for electronic records and electronic signatures, including identity verification and access control, electronic signature validation, audit trails and complete documentation, document control and version management, system validation and testing, and security controls and data integrity protection.
- Audit Trails: We maintain comprehensive audit trails of all Platform activities as required for life sciences regulatory compliance.
- Compliance Assistance Only: ERMA provides tools to assist with MLR compliance processes but does not provide legal, medical, or regulatory advice. Users must consult with qualified professionals for specific compliance guidance.
CHANGES TO THIS POLICY: We may modify this Policy at any time. Material changes will be communicated by updating the “Last Updated” date below. Your continued use of the Platform after changes constitutes acceptance.
CONTACT US
ERMA Systems, Inc.
360 NW 27th Street, Miami, FL 33127
support@ermasystems.com
Last Updated: March 2, 2026
