Privacy policy CRIO

Privacy Policy

Clinical Research IO’s Privacy Statement: Effective as of 9 December, 2020

At CRIO, we respect and protect the privacy and the security of the information that you entrust to us as though it were our own. We greatly value our relationship with you and we want you to understand the standards that govern our information and privacy practices, the types of personal data we process, the purposes for and bases upon which we process that personal data, the retention periods, your rights and choices with respect to the processing of that personal data, and the types of third parties to which CRIO may disclose personal data in the course of providing our services, including through our website. Throughout this Privacy Policy, we refer to information that personally identifies you or others as “Personal Information.” This Privacy Policy is available on our website, at  Additional information may be requested using the contact information listed at the end of this policy. By using our system, you accept the terms of this Privacy Statement.

Information we collect

We collect Personal Information including:

  • Name
  • Email address
  • Phone number
  • Address
  • Organization (including mailing address)
  • Credit card or financial information

in order to provide our clinical research software and services (the “Services”).

If you purchase a product or service from us, we request certain Personal Information from you on our order form. Per our contract, you must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date) for the agreed upon duration.

From time to time we post testimonials on our website and other marketing collateral. We receive consent to post testimonials prior to posting testimonials with Personal Information.

Part of the Services relies on users providing us with Personal Information, including the special category of health data, about individual patients participating in research (“Data”). As directed by research sponsors and as implemented by research sites, we process such Data solely for the purpose of tracking clinical trial results on behalf of those sponsors and sites and for a term specified by contract (and informed by regulation). We do not use Data to contact patients directly or for purposes over which CRIO exercises control.


Because of the nature of our business, CRIO does not sell products or provide services for purchase by minors, nor do we market to minors. Should the company become aware that Personal Information under CRIO’s control is from a minor, the Personal Information will be expunged.  CRIO may, however, process the Personal Information of minors involved in research on behalf of research sponsors and/or sites.

How we use the information

When we ask you for information, we will tell you – or it will be clear – what we need to know to fulfill your request and how the information you provide to us will be used. For example, if you register to use the Services, we will ask you for your name, your organization name, e-mail address, password, and other contact information. At the time you express interest in attaining additional information, or when you register for the Services, we may also ask for additional Personal Information, such as your title, mailing address, phone number, fax number, or additional organization information related to you. You can choose not to provide this additional information by not entering it when asked. You can update or remove your Personal Information including your email address at any time by logging into the website and editing your Personal Information. You can view your updated profile to confirm that your edits have been made.

We use the information that we collect to set up Services for you and your organization, for the performance of our contract. We use the contact and financial information to fill your orders. Financial information is processed and stored through our third-party payment processor. If we have trouble processing an order, we will use this information to contact you.

We may also, on the basis of legitimate interest—namely marketing—use your information to tell you about products or services we think might interest you, to send you email newsletters, or to invite you to participate in product or service-related surveys, webinars, or other events. We keep this Personal Information indefinitely.  You can opt-out of being contacted by us or receiving an email newsletter or other information from us, at any time by sending an email to You may also opt-out by following the unsubscribe instructions included in a promotional email.

We do not sell, rent or share Personal Information to anyone except as described in this privacy policy and as permitted by HIPAA and other laws (see “Our Relationships with Third Parties”).

We do not share Personal Information with anyone outside of CRIO for their marketing or promotional use (see “Our Relationships with Third Parties”).

We will not review, share, distribute, print, or reference any of your Data except as provided in our contract with you or your organization, or as may be required by law. Individual records may at times be viewed or accessed only for the purpose of resolving a problem, support issue, quality concern, or suspected breach of CRIO’s contract with you or your organization, or as may be required by law. Of course, you are responsible for maintaining the confidentiality and security of your user registration and password.

We may also collect certain information from visitors to and customers of our website, such as Internet addresses. This information is logged to help diagnose technical problems, and to administer our website in order to constantly improve the quality of the Service. These log files are not tied to Personal Information. We may also track and analyze non-identifying and aggregate usage and volume statistical information from our visitors and customers and provide such information to third parties.

Personal Information that we process is not kept for longer than necessary to accomplish the purpose of that processing.

How we use Web technologies

We use a variety of technologies on our website to process Personal Information that is retained indefinitely for the legitimate interest of monitoring and improving our website and services. Among these are cookies, which are pieces of information that our website provides to your browser. Cookies allow us to track overall site usage and determine areas users prefer. Certain types of cookies also allow us to customize your visit to our website by recognizing you when you return. For this purpose, your Personal Information may be tied to our cookies, and, where required by law, CRIO obtains consent for this activity. You can choose to decline cookies at any time while at our website, however, this may limit your ability to access certain areas of our website. Most browsers accept and maintain cookies by default. Check your browser’s “Help” menu to learn how to change your cookie preference.

When we track the activity on our website, we collect information such as your IP address, browser type and version, and pages you view. We also keep track of how you get to our website and any links you click on to leave our website. We do not track URLs that you type into your browser, nor do we track you across the Internet once you leave our sites. We use your website activity to assist you by reducing the need to re-enter your data and to help us resolve technical support issues. We may also use this information to offer you a personalized web experience and to tailor our offerings to you.

We may access and set cookies using Web beacons, also known as pixel tags, which are invisible graphical images. These Web beacons tell us useful information regarding our website such as which pages users access. When we send e-mails, we may include a single-pixel GIF to determine the number of people who open our e-mails. When you click on a link in an e-mail, we record this individual response to allow us to customize our offerings to you.

Once collected, we retain this information indefinitely, or where applicable, until you withdraw consent.

Our relation with third parties

We contract with third parties to assist us in servicing you. Our contracts with third parties outline the appropriate use and handling of your information and prohibit third parties (such as our credit card processors and email service provider) from using any of your Personal Information for purposes unrelated to the product or service for which they’ve been contracted including their own marketing purposes. Vendors are required to maintain the confidentiality of the information we provide to them.

We may disclose or report Personal Information in limited circumstances where we believe in good faith that disclosure is required under the law. For example, we may be required to disclose Personal Information to cooperate with regulators or law enforcement authorities to comply with a legal process such as a court order, subpoena, search warrant or a law enforcement request.

We may have partners that provide services; these partner services and websites are clearly identified. When you request any of these products or services, you are permitting us to provide your Personal Information to the partner to fulfill your request. Our website may provide links to third-party sites, such as those of our business partners and online advertisers. Because we do not control the information policies or practices of these third parties, you should review their privacy policies to learn more about how they collect and use Personal Information.

Should we sell, merge or transfer any part of our business, part of the sale may include your Personal Information. If so, you will have the opportunity to not to receive promotional information following any change of control.

We may use sources outside of CRIO to supplement the information you give us. For example, we may validate your address using other sources. We use this data for the legitimate interest of helping us maintain accuracy and provide you with better service.

We protect your information

We work to protect your Personal Information and your Data including your email address from loss, misuse, or unauthorized alteration by using industry-recognized security safeguards such as firewalls. Our employees and agents are trained and required to safeguard your information. Using physical, electronic, and procedural safeguards, we restrict access to Personal Information, including Data, to those employees and agents for business purposes only. Additionally, we use internal and external resources to review the adequacy of our security procedures.

CRIO software runs on servers that are hosted at a highly secure data center that is closely monitored. Our backend database is encrypted with 256-bit AES encryption and our backend servers are hosted in a private network with no direct access from outside. All-access to our servers is restricted by a firewall. All communications between your computers and our servers are secured with the same technology used in electronic filing and electronic banking (RSA/AES 256-bit SSL/Secure Sockets layer encryption). We use a Comodo SSL Certificate and server-gated cryptography for strong encryption of all communication to and from our application services. We host our website at SOC 2 compliant data centers located in the United States, Canada, Germany, or Australia, depending on our client’s location.

We require you to enter your username and password each time you log in.

We do not share Personal Information with anyone other than our authorized partners, each of with whom we have entered into a written agreement addressing, among other things, the types of information to be shared and the level of protection such information shall receive in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Privacy Shield Principles (see “Privacy Shield”), and other laws.

These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Information, including Data.

Privacy Shield

Whenever in the course of providing Services we transfer Personal Information outside of the European Economic Area (EEA) and other regions with comprehensive data protection laws, we will ensure that the information is transferred in accordance with this Privacy Policy and as permitted by the applicable laws on data protection.

We comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and Switzerland to the United States. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit We will not disclose Personally Information to any agent unless we first either ascertain that the agent adheres to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework or is subject to the EU General Data Protection Regulation or adequacy finding or enter into a written agreement with such agent requiring that the agent provides at least the same level of privacy protection as is required by the relevant Privacy Shield Principles.

While we continue to maintain the commitments above, as of July 16, 2020, we do not rely on the EU-U.S. or Swiss-U.S. Privacy Shield as the basis to transfer Personal Information that originated in the EEA, Switzerland or the UK to the U.S.  Instead, the European Commission has approved the use of standard contractual clauses as a means of ensuring adequate protection when transferring Personal Information outside of the EEA. CRIO relies on these model clauses and appropriate safeguards, incorporated into contracts between the parties transferring Personal Information, for such transfers.

We give you choice and control

We may use your contact information to tell you about other products or services that we think might interest you. However, if you don’t want us to contact you for promotional purposes, you can tell us when you provide the information or anytime thereafter. Your contact preferences only apply to marketing contact. We may need to communicate with you regarding the Services (such as service messages, subscription renewal notices, critical notices, or legally mandated notices.) You may not opt out of these types of transactional messages.

When you wish to exercise your opt-out right for marketing activities conducted pursuant to CRIO’s legitimate interest or to withdraw consent, you may contact us at:

You can update or correct your contact information including the email address relating to your CRIO account by using the “My Account” page of our website.

Your Rights

Furthermore, CRIO takes reasonable steps to ensure that the Personal Information the company processes is accurate, complete, and current.  This generally may include the right not to be subject to automated decision making, to object, or to request access, rectification, erasure, restriction, and data portability.  Where appropriate, CRIO provides reasonable access to the Personal Information CRIO maintains. CRIO also provides a reasonable opportunity to correct, amend, or delete Personal Information where it is inaccurate or has been processed in a purported violation of law, as appropriate. CRIO may limit or deny access to Personal Information where the burden or expense of providing access would be disproportionate to the privacy risks in the case in question, or where the rights and freedoms of others would be adversely affected.

A natural person may exercise applicable rights, including a request for access to their Personal Information, by contacting CRIO as indicated in this Policy.


In compliance with the Privacy Shield Principles, we commit to resolving complaints about our collection or use of your Personal Information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at:


177 Huntington Ave., Suite 1703

PMB 32876

Boston, MA 02115-3153

Tel: 617-302-9845


Our Data Protection Officer is Zoe DeStories, who may be reached at

Our EU representative is Data Protection Representative Limited (trading as ‘DPR Group’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.

We have agreed to be bound by the authority of JAMS in addressing and resolving any dispute relating to your privacy or this policy. This dispute resolution mechanism is available to you at no cost. To learn more about this service, go to:

The Federal Trade Commission has jurisdiction over our compliance with this Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework. In cases of onward transfer to third parties of Personal Information of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield Framework or the Swiss-U.S. Privacy Shield Framework, we are potentially liable.

Under certain conditions, you may invoke binding arbitration for complaints not resolved by the mechanisms described above.  For more information about this, go to  

Changes in this Privacy Policy

If we decide to change our privacy policy, we will post those changes to this privacy policy, the home page, and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

We reserve the right to modify this privacy policy at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by email, or by means of a notice on our home page.

Read about CRIO’s Security & Compliance.

Learn More About CRIO