Privacy Policy
This Privacy Policy explains how A2 Foundry, Inc. ("A2 Foundry," "we," "us") collects, uses, and protects your information when you use Chrona.
1. Products covered
This policy covers three Chrona products operated by A2 Foundry, Inc.:
- Chrona Enterprise — the web application at app.chronabio.ai and the enterprise-deployed Word Add-in. Used by regulatory teams at biotech companies. Reads documents from your organization's SharePoint Online via Microsoft Graph API; document content is not copied to A2 Foundry servers.
- Chrona Pro — the Word Add-in distributed via Microsoft Marketplace for individual regulatory writers. Runs entirely inside Microsoft Word's add-in sandbox. Document content never leaves Word. A2 Foundry receives only your authentication identity, your saved rule preferences, and anonymized usage telemetry.
- CTDCommons Viewer — the public reference viewer at commons.chronabio.ai. An account requires only an email address and a password.
Where this policy refers to "Chrona" generally, it applies to all three products. Where data behavior differs, the relevant product is named.
2. What we collect
Information you provide: Email address, display name, and organization name when you create an account. For Chrona Pro and Chrona Enterprise users who sign in through Microsoft single sign-on, we receive the identity claims your organization releases (typically email, display name, and tenant identifier).
Information we collect automatically: When you use Chrona, we collect usage data, including pages visited, features used, browser type, and device information. We collect this through PostHog, our analytics provider, using cookies and similar technologies. The Chrona Word Add-in (both Enterprise and Pro) sends usage telemetry — which ribbon buttons you click, which checks you run, and error events — to PostHog. Document content, document text, and the bodies of any rules, comments, or findings inside your document are never included in telemetry.
Information we do not collect: We do not collect or store the contents of your regulatory documents on A2 Foundry infrastructure. For Chrona Enterprise, documents remain in your organization's own storage environment, and structured excerpts are sent to your configured LLM provider at the time of analysis and are not retained by A2 Foundry. For Chrona Pro, document content stays inside the Word add-in sandbox and is not transmitted to A2 Foundry or any third party as part of normal use.
3. How we use your information
We use your information to:
- Operate and maintain your Chrona account
- Provide and improve Chrona's features
- Send you product updates and feature announcements (you can opt out at any time)
- Monitor service performance and fix issues
- Respond to your questions or requests
4. What we don't do
- We do not sell your personal information
- We do not share your information with third parties for their marketing purposes
- We do not use your information for advertising
- We do not use the content of your regulatory documents to train AI models
5. Who we share with
We share your information only with service providers that help us operate Chrona:
| Provider | Purpose | Applies to |
|---|---|---|
| Supabase | Authentication and database | All products |
| Microsoft (Entra ID / Office SSO) | Single sign-on identity | Enterprise, Pro |
| Microsoft Graph API | Reading documents from your SharePoint | Enterprise only |
| Vercel | Frontend hosting | All products |
| Railway | Backend hosting | All products |
| PostHog | Product analytics | All products |
| Your configured LLM provider | Document analysis (BYOK) | Enterprise only |
These providers access your information only to perform services on our behalf and are not permitted to use it for other purposes.
We may also disclose your information if required by law or legal process, or to protect the rights or safety of A2 Foundry, our users, or others.
6. Your LLM provider
When you use Chrona Enterprise features that perform LLM-based analysis (consistency review, abbreviation extraction, dose/unit checks, codename detection), structured excerpts of your document content are sent directly to your configured LLM provider using your own API keys (BYOK). A2 Foundry does not retain these excerpts and does not control how your LLM provider handles them. You are responsible for reviewing your provider's data handling and retention policies.
Chrona Pro does not send document content to any LLM provider at runtime. All checks and custom rules are executed locally inside the Word add-in sandbox.
7. Cookies
We use cookies and similar technologies for session management (keeping you logged in) and analytics (understanding how Chrona is used). We do not use advertising or tracking cookies.
8. Data retention
We retain your account information for as long as your account is active. If you close your account, we will delete your personal information within 30 days, except where we are required to retain it by law.
For Chrona Enterprise customers, audit trail records (findings, dismissals, sign-offs, readiness snapshots) are retained for the duration of your subscription plus the retention period required by your customer agreement, typically aligned with 21 CFR Part 11 expectations. These records are not deleted on account closure unless explicitly requested in writing and permitted by applicable regulatory retention obligations.
9. Data security
We use industry-standard security measures to protect your information, including encrypted connections (TLS), role-based access controls, and secure hosting infrastructure. Our security practices are documented in our Data Handling & Security documentation, available to customers on request.
10. Your rights
You may:
- Request a copy of the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and personal information
- Opt out of product communications at any time
To exercise any of these rights, email us at contact@chronabio.ai.
11. Children
Chrona is not intended for anyone under 18. We do not knowingly collect information from anyone under 18.
12. Regional rights
Depending on your location, you may have additional rights under laws such as the EU/UK GDPR or the California Consumer Privacy Act (CCPA), including rights of access, correction, portability, and deletion. We honor these rights for all users regardless of location. To exercise them, contact us at contact@chronabio.ai.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you via email or in-app notice.
14. Contact
Questions about this Privacy Policy? Reach us at contact@chronabio.ai.