PhaseFolio
Privacy Policy

How PhaseFolio handles your data.

We collect only what we need to operate the product, never sell your data, and never process Protected Health Information. The detail follows.

Effective May 5, 2026

01

Who We Are

PhaseFolio is a financial-modeling platform for biotech assets, operated by Tamal Adebisi. The product computes risk-adjusted net present value (rNPV) for clinical-stage drug pipelines, surfaces competitive landscape data, and issues signed export artifacts that counterparties can verify.

This Privacy Policy explains what information PhaseFolio collects, how it is used, and the choices you have. It applies to phasefolio.com, app.phasefolio.com, the public REST and MCP API surfaces, and the downloadable client packages distributed under @phasefolio/mcp.

02

Information We Collect

PhaseFolio collects only what is needed to operate the service:

  • Account data. Email address, display name, and authentication metadata, handled by our identity provider Clerk. We never see or store passwords.
  • Organization data. Team and organization names you create, role assignments, and invitation records.
  • Billing data. Subscription status and Stripe customer identifiers. Card numbers and bank details are handled directly by Stripe; PhaseFolio never receives or stores them.
  • Project and scenario data. The clinical-asset metadata you enter — indication, modality, biomarker, stage durations, costs, probability-of-success assumptions, peak-sales projections. This is not patient data. PhaseFolio does not collect, process, or store Protected Health Information (PHI), and you should not enter PHI into the product.
  • Evidence register entries. Citations, source URLs, and notes you attach to scenarios.
  • Usage and diagnostic data. Standard server logs (IP address, user agent, request paths and timings) and error reports collected by our hosting providers for security and reliability purposes.
  • Cookies. Session cookies for authentication (Clerk), checkout cookies for billing (Stripe), and a small number of strictly-necessary cookies for the product itself. PhaseFolio does not run advertising or third-party analytics trackers.

03

How We Use Information

Information is used for:

  • Operating the rNPV engine, landscape, dossier, and export features.
  • Authenticating users and enforcing organization-scoped access.
  • Processing subscriptions and renewals through Stripe.
  • Providing customer support and responding to inquiries.
  • Generating signed exports that embed engine, methodology, and benchmark version stamps so counterparties can verify provenance.
  • Detecting abuse and securing the service (rate limiting, intrusion detection, audit logging).
  • Improving the product through aggregate usage telemetry.

PhaseFolio does not sell personal data.

04

Sharing and Third Parties

PhaseFolio relies on a small number of vetted processors to operate the service. Each processes only what is required for its function:

  • Clerk — authentication and identity management
  • Stripe — payment processing and subscription billing
  • Supabase — managed PostgreSQL database hosting
  • Vercel — application hosting, edge serving, and observability

Public data sources (ClinicalTrials.gov, FDA Drugs@FDA) are queried one-way for research data; no PhaseFolio user data is sent to them.

PhaseFolio does not share your project data, evidence register, or dossier content with other organizations. The optional Network Benchmarks contribution (currently disabled by default) only releases anonymized aggregate statistics — never your individual scenarios or identities.

PhaseFolio may disclose information when required by law, when responding to a valid legal process, or to protect the safety and integrity of the service. We will give notice where lawful and practical.

05

Data Security

Data is encrypted in transit via TLS and at rest at the database layer. Access is scoped per organization through row-level security policies. Production secrets are managed through Vercel and Supabase environment vaults; no credentials are committed to source control. Signed export artifacts are produced with an offline-rotatable signing key whose public component is published at /.well-known/phasefolio-signing.pem.

No system is perfectly secure. If you discover a vulnerability, please report it to contact@phasefolio.com rather than disclosing it publicly.

06

Retention

  • Account and project data is retained while your account is active and deleted within 30 days of account deletion, except where a longer period is required for legal or accounting purposes.
  • Billing records are retained as long as required by tax and accounting law (typically 7 years).
  • Server logs are retained for up to 30 days for diagnostic and security purposes.
  • Signed export records persist indefinitely so signatures issued in the past remain verifiable. These records contain only the content hash, signing timestamp, and version metadata — not the export contents themselves.
  • Anonymized network benchmark contributions (when explicitly opted into) persist after anonymization with no link back to the contributing user or organization.

07

Your Rights

You have the following rights with respect to your data:

  • Access. Request a copy of your account, project, and scenario data.
  • Correction. Update inaccurate or incomplete information through the product or by contacting us.
  • Deletion. Delete your account and associated data; we will honor the deletion within 30 days, subject to legal-retention exceptions.
  • Portability. Export your projects, scenarios, and dossiers in machine-readable formats (JSON, Excel, PDF) at any time.
  • Withdraw consent. Disable any optional data collection (such as network benchmark contributions) at any time.
  • Complaint. Lodge a complaint with your local data-protection authority. EU/UK residents may contact their relevant supervisory authority.

To exercise any of these rights, email contact@phasefolio.com. We will respond within 30 days.

08

Children's Privacy

PhaseFolio is intended for professional and academic users and is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided information to PhaseFolio, contact contact@phasefolio.com and we will delete it.

09

International Transfers

PhaseFolio is operated from the United States. Data is processed in US regions of our hosting providers (Vercel, Supabase). If you access the service from outside the US, your information will be transferred to and processed in the US. Where applicable, transfers from the EU, UK, or Switzerland rely on the standard contractual clauses entered into by our processors.

10

Changes to This Policy

We may update this Privacy Policy as the product or applicable law evolves. Material changes will be communicated by email to active account holders and posted in the product at least 14 days before they take effect. The effective date at the top of this page always reflects the current version.

11

Contact

Questions about this policy or about how PhaseFolio handles data should go to contact@phasefolio.com. We aim to respond within one business day.