Bridge Analytics Privacy Policy

Website, Bridge Analytics Environment, and Research Data

Effective Date: June 30, 2026  ·  Version 1.0

Bridge Analytics Data & Science Services, Inc. ("Bridge," "Bridge Analytics," "we," "us," or "our") respects privacy and is committed to handling personal information responsibly, transparently, and in accordance with applicable law. This Privacy Policy describes how Bridge collects, uses, discloses, retains, and protects personal information in connection with our websites, communications, services, and the Bridge Analytics Environment, also referred to as "BAE" or the "Platform."

This Privacy Policy applies to personal information we collect when you visit our websites, communicate with us, submit an inquiry or application, participate in Bridge programs or governance activities, apply for or use BAE, interact with Bridge as a researcher, institutional representative, data provider, collaborator, reviewer, or other user, or otherwise use a service that links to this Privacy Policy.

This Privacy Policy also addresses the Research Data processed through BAE. Research Data is subject to distinct legal, ethical, contractual, and governance controls, and because Bridge receives Research Data without direct identifiers, it is not in a position to identify individual research participants.

1. Personal Information We Collect About Website Visitors and BAE Users

The personal information we collect depends on how you interact with Bridge.

1.1 Website, Inquiry, and Communication Information

When you visit our websites or communicate with us, we may collect personal information such as your name, email address, phone number, organization, institution, title, role, department, area of interest, message content, inquiry details, communication preferences, event or newsletter preferences, and any other information you choose to provide.

We may collect this information when you submit a contact form, request information, register for updates, communicate with Bridge personnel, participate in events or surveys, submit support requests, or otherwise interact with Bridge.

1.2 Researcher, Applicant, and Platform Account Information

If you apply for, register for, or use BAE, we may collect personal information and Platform-related information about you, including but not limited to your name, email address, institutional affiliation, title, role, department, professional status, account information, username, institutional email address, researcher identifiers, approved project or research purpose, requested or approved datasets, Data Access Application information, collaborator information, authorization status, access permissions, account status, training or certification records, policy acknowledgments, signed agreements, support requests, and communications with Bridge.

We may also collect information about your institution, employer, sponsoring organization, principal investigator, supervisor, collaborators, institutional officials, or other representatives where relevant to access review, eligibility, approval, compliance, security, governance, or administration of BAE.

1.3 Researcher Profile, Dataset Interest, and Platform Use Information

Bridge may collect and maintain information about your researcher profile, institutional affiliation, approved research purpose, dataset requests, dataset access, Platform use, workspace activity, compute use, export requests, support requests, compliance status, audit findings, publication-related information, and other information relating to your use of BAE.

This may include information about datasets you request, datasets you are approved to access, dates or periods of access, Platform features or tools used, analyses conducted within the Platform, export requests or approvals, compliance certifications, and records relating to Bridge or data-provider requirements.

1.4 Identity, Authentication, Security, and Compliance Information

We may collect information used to verify identity, administer accounts, secure BAE, and comply with legal, contractual, ethical, security, and data-governance requirements. This may include usernames, account IDs, institutional email addresses, authentication records, multi-factor authentication information, login and logout records, failed login attempts, IP addresses, approximate location derived from IP address, device and browser information, operating system, access permissions, account status, security alerts, risk signals, administrative actions, compliance records, and investigation records.

Where necessary for compliance, security, export-control, sanctions, country-of-concern, geographic-access, or data-provider requirements, we may collect information relating to your country of residence, country of access, institutional location, citizenship or nationality, work location, or other eligibility-related information.

1.5 Platform Logs, Monitoring, Audit, and Usage Information

When you access or use BAE, Bridge may collect and generate Platform logs and usage records. These may include login events, session information, access records, datasets accessed, files or workspaces accessed, tools used, code or notebooks executed, queries run, compute resources used, upload attempts, download attempts, export requests, clipboard or copy/paste activity, printing attempts, screenshot attempts, interactions with Platform controls, security events, policy violations, anomaly flags, audit findings, incident records, and other information reasonably necessary to operate, secure, monitor, audit, improve, and enforce BAE.

Bridge may log, monitor, and audit user activity, including by automated means, within BAE to protect Research Data, enforce Bridge policies, satisfy data-provider requirements, investigate suspected misuse, prevent unauthorized access or disclosure, evaluate export requests, detect possible exfiltration or re-identification risk, and comply with legal, contractual, ethical, and governance obligations.

1.6 Uploaded Content, External Data, and Researcher-Generated Materials

If permitted by Bridge and applicable policies, users may upload or create materials within BAE, such as code, notebooks, annotations, documentation, metadata, external datasets, derived outputs, summary statistics, figures, tables, models, model artifacts, reports, manuscripts, or other research materials.

Users must not upload identifiable personal information, protected health information, participant-identifying data, or other restricted information into BAE unless expressly permitted by Bridge and consistent with applicable law, data-provider requirements, IRB or ethics approvals, participant consent restrictions, and Bridge policies. Users also must not upload data that would make it possible to re-identify individuals whose data are included in Research Data. Bridge may, but is not obligated to, scan, retain, analyze and review uploads for PHI/PII, malware, secrets/API keys, contractual violations, or re-identification risk.

1.7 Automatically Collected Website and Device Information

When you visit our websites or interact with our online services, we may automatically collect information such as IP address, browser type, device type, operating system, referring and exit pages, pages viewed, links clicked, date and time of visit, session information, approximate location derived from IP address, cookie identifiers, and similar technical or usage information.

We may use cookies, web beacons, pixels, log files, analytics tools, and similar technologies to operate the website, understand usage, improve user experience, maintain security, troubleshoot technical issues, and evaluate the effectiveness of content and communications.

1.8 Sensitive Personal Information About Users

Some information we collect about website visitors, researchers, applicants, or Platform users may be considered sensitive personal information under certain laws, such as account credentials, government identifiers, precise geolocation, citizenship or immigration information, biometric information, demographic information, or other legally protected categories.

Bridge does not intend to collect sensitive personal information about users unless reasonably necessary for disclosed purposes, such as identity verification, account security, Platform access, legal compliance, export-control or sanctions screening, research-governance administration, fraud prevention, incident response, or other permitted purposes.

2. How We Collect Personal Information

We may collect personal information directly from you, from your institution or representatives, from data providers or governance participants, from service providers and contractors, from public sources, and automatically through cookies, logs, analytics tools, security tools, and Platform monitoring systems.

Examples of third-party or indirect sources include your employer, institution, sponsor, principal investigator, supervisor, collaborators, authorized institutional officials, data providers, data coordinating centers, Data Access Committees, Steering Committees, publication committees, ethics bodies, scientific reviewers, identity or compliance vendors, and public professional or publication databases.

3. How We Use Personal Information

Bridge may use personal information about website visitors, researchers, applicants, Platform users, institutional representatives, data-provider personnel, governance participants, and other contacts for the purposes described below.

3.1 Website and Communications

We use personal information to operate and improve our websites, respond to inquiries, provide requested information, manage communications, send administrative notices, support events or newsletters, and otherwise interact with individuals who contact Bridge.

3.2 BAE Access and Research Governance

We use personal information to evaluate eligibility for BAE access, process Data Access Application, verify institutional affiliation, administer account creation, manage user permissions, document approved research purposes, support Data Access Committee or equivalent review, apply dataset-specific restrictions, manage training and certification requirements, and administer Bridge agreements and policies.

3.3 Data-Provider Reporting, Research Engagement, and Dataset Discovery

Bridge may use researcher personal information and Platform-related information to support data-provider reporting, research engagement, dataset discovery, provider communications, publication and attribution workflows, compliance review, audit, security, incident response, and enforcement of Bridge and data-provider requirements.

For example, Bridge may use your name, email address, institutional affiliation, title or role, approved research purpose, requested or approved datasets, access status, dates or periods of access, Platform usage information, dataset usage information, export requests, publication or attribution information, compliance certifications, audit findings, suspected policy violations, incident-related information, and related information to communicate with applicable data providers or governance participants.

Bridge may also use and share this information to enable research-related communications from data providers regarding datasets, data initiatives, research opportunities, scientific collaborations, publication obligations, provider-sponsored research activities, or related opportunities outside the Bridge ecosystem. You may submit a request to opt-out of Bridge sharing your information for outreach opportunities outside of the Bridge ecosystem by emailing privacy@bridgeanalytics.org. Bridge does not use Research Data for targeted advertising and does not disclose researcher personal information to data providers for unrelated third-party advertising or cross-context behavioral advertising.

3.4 Monitoring, Security, Audit, and Enforcement

We use personal information and Platform Data to authenticate users, secure BAE, monitor and audit activity, detect unauthorized access, prevent improper disclosure or exfiltration, evaluate export requests, investigate suspected re-identification attempts, enforce Bridge policies, comply with data-provider restrictions, respond to incidents, maintain audit records, and protect Bridge, data providers, research participants, institutions, and users.

3.5 Publication, Attribution, Intellectual Property, and Research Outputs

We may use personal information, Platform Data, and researcher-generated materials to administer publication requirements, attribution requirements, open-access expectations, data-versioning requirements, intellectual property restrictions, export review, and dataset-specific provider terms. This may include processing information about publications, presentations, figures, tables, summary statistics, derived results, model artifacts, manuscripts, abstracts, posters, or other research outputs generated through use of BAE.

3.6 Service Improvement and Analytics

We may use information to maintain, test, improve, and develop our websites, BAE, documentation, support workflows, security controls, governance workflows, and Platform functionality. We may create aggregated or de-identified statistics regarding website use, Platform use, dataset interest, compute activity, support requests, or other operational metrics.

3.7 Legal, Contractual, and Governance Compliance

We may use personal information to comply with applicable laws, regulations, legal processes, governmental requests, export-control or sanctions obligations, contractual obligations, data-provider requirements, consent-based restrictions, IRB or ethics requirements, security requirements, audit obligations, and other legal or governance obligations.

4. How We Disclose Personal Information

Bridge may disclose personal information about website visitors, researchers, applicants, Platform users, institutional representatives, data-provider personnel, governance participants, and other contacts as described below.

4.1 Service Providers and Contractors

We may disclose personal information to service providers and contractors that perform services on our behalf, such as cloud hosting, infrastructure, identity and access management, multi-factor authentication, security monitoring, logging, analytics, email, CRM, e-signature, support ticketing, compliance, legal, accounting, payment processing, and professional services. These service providers and contractors are expected to use personal information only as necessary to provide services to Bridge or as otherwise permitted by applicable law and contract.

4.2 Data Providers and Research-Governance Participants

We may disclose researcher personal information and Platform-related information to data providers, data contributors, data coordinating centers, Data Access Committees, Steering Committees, publication committees, institutional officials, ethics bodies, scientific reviewers, and other research-governance participants where reasonably necessary to operate BAE, administer access to Research Data, comply with provider requirements, support research engagement, monitor compliance, respond to incidents, conduct audits, support publication or attribution obligations, or enforce Bridge or data-provider requirements.

The information we disclose may include name, email address, institutional affiliation, title or role, department, approved project or research purpose, requested or approved datasets, access status, dates or periods of access, Platform usage information, dataset usage information, export requests, publication or attribution information, compliance certifications, audit findings, suspected policy violations, incident-related information, and other information reasonably necessary for data-access administration, provider reporting, compliance, security, audit, publication review, enforcement, or related research-collaboration purposes.

Bridge may also disclose researcher contact information and Platform-related information to applicable data providers so that they may communicate with researchers about datasets, dataset updates, research initiatives, scientific collaborations, publication obligations, provider-sponsored research activities, or other research opportunities related to Bridge, BAE, or the applicable Research Data.

Bridge does not disclose Research Data or researcher personal information to data providers for unrelated third-party advertising or cross-context behavioral advertising. Bridge does not sell Research Data.

4.3 Institutions, Employers, Sponsors, and Authorized Representatives

We may disclose personal information to your institution, employer, sponsor, principal investigator, supervisor, collaborators, authorized institutional officials, or other representatives where relevant to verifying eligibility, confirming authorization, administering BAE access, managing institutional responsibility, investigating suspected misuse, responding to incidents, enforcing agreements or policies, or satisfying legal, contractual, or governance obligations.

4.4 Legal, Compliance, Security, and Enforcement Disclosures

We may disclose personal information where we believe disclosure is necessary or appropriate to comply with law, regulation, subpoena, court order, legal process, governmental request, export-control or sanctions requirement, contractual obligation, data-provider requirement, or research-governance obligation. We may also disclose personal information to investigate, prevent, or respond to security incidents, privacy incidents, unauthorized access, improper disclosure, re-identification attempts, exfiltration, misuse, fraud, policy violations, or other conduct that may violate applicable law, agreements, or Bridge policies.

4.5 Business Transactions and Aggregated Information

We may disclose or transfer personal information in connection with an actual or potential merger, acquisition, financing, restructuring, reorganization, bankruptcy, dissolution, sale, transfer, or other disposition of all or part of our business or assets, subject to appropriate protections where required by law. We may also disclose aggregated, statistical, or de-identified information that does not reasonably identify an individual, including aggregated website metrics, Platform metrics, dataset interest metrics, usage reports, operational reports, funder reports, data-provider reports, or research-program metrics.

5. Research Data Processed Through BAE

This section addresses Research Data separately from website visitor information, researcher account information, and other operational personal information about BAE users. Bridge processes Research Data through BAE under the appropriate legal frameworks, including as a controller under the GDPR where Bridge determines the purposes and means of processing within BAE, such as the Platform access model, security controls, permitted-use framework, monitoring and audit practices, export controls, publication controls, and data-governance requirements.

Research Data may include coded, pseudonymized, de-identified, or otherwise privacy-protected human research data, including genomic data, clinical or health-related data, biomedical data, omics data, imaging-derived data, phenotypic data, demographic or cohort-level variables, study metadata, sample metadata, diagnosis or treatment-related variables, longitudinal research variables, and other data made available through BAE for approved scientific, biomedical, translational, educational, product-development, research-governance, or related purposes.

Bridge generally receives Research Data without direct identifiers. Bridge does not receive the participant names, contact information, medical record numbers, or other direct identifiers needed to identify individual research participants, unless expressly stated in a dataset-specific agreement or governance approval. Bridge also does not maintain the re-identification keys or linkage files held by data providers, source institutions, data coordinating centers, or other parties. Accordingly, although certain Research Data may remain personal data under the GDPR because individuals may be identifiable indirectly by another party or in context, Bridge is generally not in a position to identify individual participants from the Research Data it receives.

5.1 Bridge’s Role and Relationship to Data Providers

Bridge acts as a controller for Research Data processed within BAE where Bridge determines the purposes and means of Platform processing. Data providers, research institutions, data coordinating centers, sponsors, or other contributors may act as separate controllers, independent controllers, processors, or other legally recognized roles for their own processing of Research Data before transfer to Bridge or outside BAE. Those roles may be further described in applicable Data Transfer Agreements, Data Use Agreements, data-provider terms, participant consent documents, institutional approvals, or other governance documents.

This Privacy Policy describes Bridge’s processing of Research Data within BAE. It does not replace privacy notices, consent forms, HIPAA authorizations, research authorizations, institutional notices, or other disclosures provided by data providers, research institutions, sponsors, investigators, or other parties involved in collecting, generating, coding, pseudonymizing, transferring, or governing the Research Data before it is made available through BAE.

5.2 Purposes for Processing Research Data

Bridge processes Research Data to operate BAE and support responsible research access and analysis. These purposes include:

  • providing controlled access to approved researchers and authorized users through BAE;
  • supporting scientific investigation, scholarship, teaching, translational research, product development, and related approved research activities consistent with applicable participant consents, ethics approvals, legal requirements, and data-provider restrictions;
  • administering Data Access Applications, approved research purposes, dataset-specific restrictions, access controls, and user permissions;
  • maintaining technical, administrative, and organizational safeguards for Research Data;
  • monitoring, auditing, and enforcing compliance with DUAs, Bridge policies, data-provider requirements, and applicable law;
  • reviewing export requests, derived outputs, publications, figures, tables, summary statistics, model artifacts, and other research outputs for compliance with applicable restrictions and re-identification risk;
  • investigating and responding to suspected unauthorized access, misuse, improper disclosure, re-identification attempts, exfiltration, security incidents, legal requests, or policy violations;
  • maintaining data provenance, versioning, lineage, access, audit, and compliance records;
  • supporting responsible research collaboration, reproducibility, publication, attribution, open-science objectives, and data-provider reporting; and
  • generating aggregated, de-identified, or statistical information about Platform use, dataset use, research activity, and governance operations.

5.3 GDPR Legal Bases and Special-Category Conditions

Where GDPR applies and Bridge acts as controller for Research Data, Bridge processes Research Data only where it has an appropriate legal basis. Depending on the dataset, research context, source documentation, and applicable governance framework, Bridge’s legal bases may include legitimate interests pursued by Bridge or third parties, performance of a task carried out in the public interest, compliance with legal obligations, or consent where the relevant research and governance documentation relies on consent.

To the extent Research Data includes special categories of personal data, such as health, genetic, biometric, or other sensitive research data, Bridge relies on an applicable GDPR Article 9 condition. Depending on the context, this may include processing necessary for scientific research purposes with appropriate safeguards, explicit consent where applicable, or another condition available under GDPR or Member State law.

5.4 Research Safeguards

Bridge applies technical and organizational safeguards designed to protect Research Data and support research safeguards under GDPR Article 89 where applicable. These safeguards may include controlled-access review, user authentication, role-based access controls, least-privilege permissions, Platform-based analysis, restrictions on external downloads and exfiltration, logging, monitoring, audit controls, export review, dataset-specific restrictions, publication controls, prohibition on re-identification, prohibition on contacting participants, restrictions on unapproved AI tools and external systems, incident reporting, and contractual commitments from researchers and institutions.

Bridge also uses data minimization and access-limitation principles designed to make Research Data available only to approved users for approved purposes and to limit disclosure of participant-level Research Data outside BAE except as expressly permitted.

5.5 Participant Rights Requests and Identification Limitations

Where GDPR or other data protection laws apply, individuals whose personal data is included in Research Data may have rights such as access, rectification, erasure, restriction, objection, or other rights under applicable law. However, Bridge generally cannot directly verify, locate, access, correct, delete, or otherwise respond to participant-level rights requests for Research Data because Bridge receives Research Data without direct identifiers and does not maintain the re-identification keys or linkage information needed to identify an individual participant in the datasets.

The purposes for which Bridge processes Research Data generally do not require Bridge to identify individual participants. Bridge is not required to acquire, request, create, or process additional identifying information solely to identify a data subject for the purpose of responding to a rights request where applicable law does not require it. If Bridge is not in a position to identify the individual in the Research Data, Bridge will inform the requester accordingly where possible.

If Bridge receives a request from an individual who believes their personal data may be included in Research Data, Bridge may, where appropriate and consistent with law and applicable agreements, refer the requester to the relevant data provider, research institution, sponsor, investigator, or data coordinating center that maintains the identifiers or linkage information needed to authenticate the individual and evaluate the request. Bridge may also coordinate with the relevant data provider or institution if the request is forwarded to Bridge through an appropriate verified channel.

Any response involving Research Data will be evaluated in light of applicable law, participant consent terms, ethics approvals, data-provider requirements, research-governance obligations, available identifiers, scientific-research safeguards, security obligations, and whether fulfilling the request would seriously impair or render impossible the achievement of research purposes.

5.6 Recipients of Research Data

Bridge may make Research Data available to approved researchers and authorized users through BAE, subject to applicable Data Access Applications, DUAs, Bridge policies, data-provider restrictions, and access controls. Bridge may also disclose or make Research Data or related information available to service providers, contractors, security providers, cloud infrastructure providers, professional advisors, data providers, governance bodies, institutions, regulators, or other recipients where necessary to operate BAE, maintain security, comply with law, administer data-governance obligations, investigate incidents, enforce applicable agreements, or protect rights and interests in Research Data.

Bridge does not sell Research Data and does not disclose Research Data for targeted advertising.

5.7 International Transfers of Research Data

Bridge is based in the United States, and Research Data and related personal data may be transferred to, stored in, or processed in the United States or other jurisdictions. Where GDPR or similar laws apply to such transfers, Bridge relies on appropriate transfer mechanisms and safeguards, which may include Standard Contractual Clauses, the UK Addendum or other UK transfer mechanism, supplementary safeguards, transfer impact assessments, data-provider agreements, and technical and organizational protections appropriate to the nature of the Research Data.

5.8 Retention of Research Data

Bridge retains Research Data for as long as reasonably necessary to support approved research access, maintain BAE, comply with data-provider agreements, participant consent and ethics requirements, legal obligations, audit and security requirements, research-integrity obligations, publication and reproducibility needs, and applicable governance requirements. Retention periods may vary by dataset and may be governed by applicable Data Transfer Agreements, Data Use Agreements, data-provider requirements, consent restrictions, IRB or ethics requirements, or Bridge policies. At the end of the applicable retention period, Bridge may delete, return, archive, de-identify, aggregate, or otherwise dispose of Research Data in accordance with applicable agreements, law, and governance requirements.

6. Cookies and Tracking Technologies

Bridge may use cookies, web beacons, pixels, log files, analytics tools, and similar technologies on our websites and online services. These technologies help us operate the website, understand usage, improve content, maintain security, remember preferences, diagnose technical issues, and evaluate communications.

You may be able to set your browser to refuse or disable cookies or to alert you when cookies are being used. Some website features may not function properly if cookies are disabled. Some browsers offer “Do Not Track” signals. Because there is not a uniform industry or legal standard for responding to such signals, our websites may not respond to all “Do Not Track” signals. Where required by applicable law, Bridge will honor legally recognized opt-out preference signals for applicable processing.

7. No Sale of Research Data; Advertising and Marketing

Bridge does not sell Research Data. Bridge does not use Research Data for targeted advertising.

Bridge does not sell researcher personal information or share researcher personal information for cross-context behavioral advertising. Bridge may, however, disclose researcher personal information and Platform-related information to applicable data providers and research-governance participants for the research, governance, compliance, security, audit, provider-reporting, dataset-discovery, and research-collaboration purposes described in this Privacy Policy.

Bridge may use personal information to send Bridge-related communications, such as service messages, administrative notices, policy updates, research opportunities, dataset updates, event information, newsletters, or other communications related to Bridge, BAE, or the Bridge research ecosystem. You may opt out of non-essential promotional communications by following the unsubscribe instructions in the communication. We may still send administrative, security, legal, transactional, or Platform-related communications where permitted by law.

8. Your Privacy Choices and Rights

Depending on where you live and subject to applicable law and exceptions, you may have certain rights regarding personal information Bridge maintains about you as a website visitor, researcher, applicant, Platform user, institutional representative, data-provider contact, or other identifiable individual. These rights may include the right to request access to personal information we maintain about you, request correction of inaccurate personal information, request deletion of personal information, request a copy of certain personal information, withdraw consent where processing is based on consent, or opt out of certain uses or disclosures where applicable.

Bridge may consider privacy-related requests even where it is not legally required to honor a particular request, but any response will be subject to applicable law, contractual obligations, security requirements, data-provider obligations, research-governance requirements, audit and compliance needs, Platform-integrity requirements, and the need to protect the rights and safety of Bridge, users, institutions, data providers, research participants, and others.

We may deny, limit, or defer requests where permitted by law, including where fulfilling the request would interfere with security, audit logs, legal obligations, contractual obligations, data-provider requirements, research-governance records, incident investigations, enforcement of agreements or policies, or the rights and freedoms of others.

To submit a privacy request relating to your own website, account, application, Platform-user, or contact information, contact us at privacy@bridgeanalytics.org. We may need to verify your identity before responding to a request. For Platform users, we may verify requests through your BAE account, institutional email address, account credentials, or other appropriate verification method.

Participant-level requests relating to Research Data are addressed separately in Section 5.5 because Bridge generally receives Research Data without direct identifiers and is not in a position to identify individual research participants.

9. International Users and Cross-Border Transfers

Bridge is based in the United States, and BAE and related services may be operated from the United States. If you access our websites or services from outside the United States, your personal information may be transferred to, stored in, or processed in the United States or other jurisdictions that may not provide the same level of data protection as your home jurisdiction.

Where required, Bridge will use appropriate safeguards for cross-border transfers of personal information, such as contractual protections, Standard Contractual Clauses, the UK Addendum or other UK transfer mechanisms, transfer impact assessments, data-processing terms, or other lawful mechanisms.

10. Security

Bridge uses administrative, technical, and physical safeguards designed to protect personal information, Platform Data, and Research Data from unauthorized access, use, disclosure, alteration, or destruction. These safeguards may include access controls, role-based permissions, multi-factor authentication, encryption, logging, monitoring, vulnerability management, secure cloud infrastructure, incident-response processes, personnel controls, vendor controls, and other measures appropriate to the nature of the information and the services.

No website, Platform, system, transmission, or storage environment is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials, using approved access methods, complying with Bridge policies, and promptly notifying Bridge of suspected unauthorized access, misuse, or security incidents.

11. Incident Reporting

If you are a Platform user, you must promptly report suspected or actual unauthorized access, improper disclosure, re-identification, attempted re-identification, exfiltration, loss of credentials, security incident, privacy incident, or legal or governmental request involving Research Data, Platform Data, Bridge systems, or BAE within 24 hours to security@bridgeanalytics.org.

Bridge may use and disclose relevant personal information, Platform Data, audit logs, and related records to investigate and respond to incidents or requests, notify appropriate parties, comply with legal or contractual obligations, enforce policies, and protect Bridge, data providers, research participants, institutions, users, and others.

12. Retention

Bridge retains personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to operate and secure our websites and services, administer accounts, evaluate and document access, maintain audit and compliance records, satisfy legal and contractual obligations, comply with data-provider and research-governance requirements, resolve disputes, enforce agreements and policies, support incident response, and maintain appropriate business records.

Retention periods may vary depending on the category of information, the nature of the relationship, applicable legal or contractual obligations, security needs, audit requirements, data-provider requirements, and whether information is needed for investigation, enforcement, litigation, or compliance. At the end of the applicable retention period, Bridge may delete, de-identify, aggregate, archive, or otherwise dispose of personal information in accordance with applicable law and Bridge policies.

Retention of Research Data is addressed separately in Section 5.8.

13. Children’s Privacy

Bridge’s websites and BAE are not intended for children under 16, and we do not knowingly collect personal information directly from children under 16. If we learn that we have collected personal information directly from a child under 16 without appropriate authorization, we will take reasonable steps to delete it.

BAE is intended for approved researchers, institutional users, data-provider personnel, governance participants, and other authorized adults.

14. Changes to This Privacy Policy

Bridge may update this Privacy Policy from time to time. The “Last Updated” date indicates when this Privacy Policy was last revised. If we make material changes to how we process personal information, we will provide notice as required by law, which may include posting a notice on our website, providing notice through BAE, sending an email, requiring renewed acknowledgment, or using another legally appropriate method.

Material changes generally apply prospectively unless otherwise permitted by law or with appropriate notice or consent.

15. Contact Us

To ask questions about this Privacy Policy, submit a privacy request, report a concern, or contact us about our privacy practices, please contact:

Bridge Analytics Data & Science Services, Inc.
Email: privacy@bridgeanalytics.org

For suspected Platform security incidents, unauthorized access, improper disclosure, re-identification, attempted re-identification, or misuse of Research Data or BAE, contact: security@bridgeanalytics.org.

Contact Us
Reach out to us here and someone will get back to you as soon as possible.