Clinical Research IO’s Privacy Statement: Effective as of 9 December, 2020
Information we collect
We collect Personal Information including:
- Email address
- Phone number
- Organization (including mailing address)
- Credit card or financial information
in order to provide our clinical research software and services (the “Services”).
If you purchase a product or service from us, we request certain Personal Information from you on our order form. Per our contract, you must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date) for the agreed upon duration.
From time to time we post testimonials on our website and other marketing collateral. We receive consent to post testimonials prior to posting testimonials with Personal Information.
Part of the Services relies on users providing us with Personal Information, including the special category of health data, about individual patients participating in research (“Data”). As directed by research sponsors and as implemented by research sites, we process such Data solely for the purpose of tracking clinical trial results on behalf of those sponsors and sites and for a term specified by contract (and informed by regulation). We do not use Data to contact patients directly or for purposes over which CRIO exercises control.
Because of the nature of our business, CRIO does not sell products or provide services for purchase by minors, nor do we market to minors. Should the company become aware that Personal Information under CRIO’s control is from a minor, the Personal Information will be expunged. CRIO may, however, process the Personal Information of minors involved in research on behalf of research sponsors and/or sites.
How we use the information
When we ask you for information, we will tell you – or it will be clear – what we need to know to fulfill your request and how the information you provide to us will be used. For example, if you register to use the Services, we will ask you for your name, your organization name, e-mail address, password and other contact information. At the time you express interest in attaining additional information, or when you register for the Services, we may also ask for additional Personal Information, such as your title, mailing address, phone number, fax number or additional organization information related to you. You can choose not to provide this additional information by not entering it when asked. You can update or remove your Personal Information including email address at any time by logging into the website and editing your Personal Information. You can view your updated profile to confirm that your edits have been made.
We use the information that we collect to set up Services for you and your organization, for performance of our contract. We use contact and financial information to fill your orders. Financial information is processed and stored through our third party payment processor. If we have trouble processing an order, we will use this information to contact you.
We may also, on the basis of legitimate interest—namely marketing—use your information to tell you about products or services we think might interest you, to send you email newsletters or to invite you to participate in product or service-related surveys, webinars or other events. We keep this Personal Information indefinitely. You can opt out of being contacted by us, or receiving an email newsletter or other information from us, at any time by sending an email to firstname.lastname@example.org. You may also opt out by following the unsubscribe instructions included in promotional email.
We do not share Personal Information with anyone outside of CRIO for their marketing or promotional use (see “Our Relationships with Third Parties”).
We will not review, share, distribute, print, or reference any of your Data except as provided in our contract with you or your organization, or as may be required by law. Individual records may at times be viewed or accessed only for the purpose of resolving a problem, support issue, quality concern or suspected breach of CRIO’s contract with you or your organization, or as may be required by law. Of course, you are responsible for maintaining the confidentiality and security of your user registration and password.
We may also collect certain information from visitors to and customers of our website, such as Internet addresses. This information is logged to help diagnose technical problems, and to administer our website in order to constantly improve the quality of the Service. These log files are not tied to Personal Information. We may also track and analyze non-identifying and aggregate usage and volume statistical information from our visitors and customers and provide such information to third parties.
Personal Information that we process is not kept for longer than necessary to accomplish the purpose of that processing.
How we use Web technologies
We use a variety of technologies on our website to process Personal Information that is retained indefinitely for the legitimate interest of monitoring and improving our website and services. Among these are cookies, which are pieces of information that our website provides to your browser. Cookies allow us to track overall site usage and determine areas users prefer. Certain types of cookies also allow us to customize your visit to our website by recognizing you when you return. For this purpose, your Personal Information may be tied to our cookies, and, where required by law, CRIO obtains consent for this activity. You can choose to decline cookies at any time while at our website; however, this may limit your ability to access certain areas of our website. Most browsers accept and maintain cookies by default. Check your browser’s “Help” menu to learn how to change your cookie preference.
When we track activity on our website, we collect information such as your IP address, browser type and version, and pages you view. We also keep track of how you get to our website and any links you click on to leave our website. We do not track URLs that you type into your browser, nor do we track you across the Internet once you leave our sites. We use your website activity to assist you by reducing the need to re-enter your data and to help us resolve technical support issues. We may also use this information to offer you a personalized web experience and to tailor our offerings to you.
We may access and set cookies using Web beacons, also known as pixel tags, which are invisible graphical images. These Web beacons tell us useful information regarding our website such as which pages users access. When we send e-mails, we may include a single-pixel GIF to determine the number of people who open our e-mails. When you click on a link in an e-mail, we record this individual response to allow us to customize our offerings to you.
Once collected, we retain this information indefinitely, or where applicable, until you withdraw consent.
Our relation with third parties
We contract with third parties to assist us in servicing you. Our contracts with third parties outline the appropriate use and handling of your information and prohibit third parties (such as our credit card processors and email service provider) from using any of your Personal Information for purposes unrelated to the product or service for which they’ve been contracted including their own marketing purposes. Vendors are required to maintain the confidentiality of the information we provide to them.
We may disclose or report Personal Information in limited circumstances where we believe in good faith that disclosure is required under the law. For example, we may be required to disclose Personal Information to cooperate with regulators or law enforcement authorities to comply with a legal process such as a court order, subpoena, search warrant or a law enforcement request.
We may have partners that provide services; these partner services and websites are clearly identified. When you request any of these products or services, you are permitting us to provide your Personal Information to the partner to fulfill your request. Our website may provide links to third party sites, such as those of our business partners and online advertisers. Because we do not control the information policies or practices of these third parties, you should review their privacy policies to learn more about how they collect and use Personal Information.
Should we sell, merge or transfer any part of our business, part of the sale may include your Personal Information. If so, you will have the opportunity not to receive promotional information following any change of control.
We may use sources outside of CRIO to supplement the information you give us. For example, we may validate your address using other sources. We use this data for the legitimate interest of helping us maintain accuracy and provide you with better service.
We protect your information
We work to protect your Personal Information and your Data including email address from loss, misuse or unauthorized alteration by using industry-recognized security safeguards such as firewalls. Our employees and agents are trained and required to safeguard your information. Using physical, electronic and procedural safeguards, we restrict access to Personal Information, including Data, to those employees and agents for business purposes only. Additionally, we use internal and external resources to review the adequacy of our security procedures.
CRIO software runs on servers that are hosted at a highly secure data center that is closely monitored. Our backend database is encrypted with 256-bit AES encryption and our backend servers are hosted in a private network with no direct access from outside. All access to our servers is restricted by firewall. All communications between your computers and our servers are secured with the same technology used in electronic filing and electronic banking (RSA/AES 256-bit SSL/Secure Sockets Layer encryption). We use a Comodo SSL Certificate and server-gated cryptography for strong encryption of all communication to and from our application services. We host our website at SOC 2 compliant data centers located in the United States, Canada, Germany, or Australia, depending on our client’s location.
We require you to enter your username and password each time you log in.
We do not share Personal Information with anyone other than our authorized partners, with each of whom we have entered into a written agreement addressing, among other things, the types of information to be shared and the level of protection such information shall receive in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Privacy Shield Principles (see “Privacy Shield”), and other laws.
These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Information, including Data.
While we continue to maintain the commitments above, as of July 16, 2020, we do not rely on the EU-U.S. or Swiss-U.S. Privacy Shield as the basis to transfer Personal Information that originated in the EEA, Switzerland, or the UK to the U.S. Instead, the European Commission has approved the use of standard contractual clauses as a means of ensuring adequate protection when transferring Personal Information outside of the EEA. CRIO relies on these model clauses and appropriate safeguards, incorporated into contracts between the parties transferring Personal Information, for such transfers.
We give you choice and control
We may use your contact information to tell you about other products or services that we think might interest you. However, if you don’t want us to contact you for promotional purposes, you can tell us when you provide the information or anytime thereafter. Your contact preferences only apply to marketing contact. We may need to communicate with you regarding the Services (such as service messages, subscription renewal notices, critical notices, or legally mandated notices). You may not opt out of these types of transactional messages.
When you wish to exercise your opt out right for marketing activities conducted pursuant to CRIO’s legitimate interest or to withdraw consent, you may contact us at: email@example.com.
You can update or correct your contact information including email address relating to your CRIO account by using the “My Account” page of our website.
Furthermore, CRIO takes reasonable steps to ensure that the Personal Information the company processes is accurate, complete, and current. This generally may include the right not to be subject to automated decision making, to object, or to request access, rectification, erasure, restriction, and data portability. Where appropriate, CRIO provides reasonable access to the Personal Information CRIO maintains. CRIO also provides a reasonable opportunity to correct, amend, or delete Personal Information where it is inaccurate or has been processed in a purported violation of law, as appropriate. CRIO may limit or deny access to Personal Information where the burden or expense of providing access would be disproportionate to the privacy risks in the case in question, or where the rights and freedoms of others would be adversely affected.
A natural person may exercise applicable rights, including a request for access to their Personal Information, by contacting CRIO as indicated in this Policy.
In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your Personal Information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at:
177 Huntington Ave., Suite 1703
Boston, MA 02115-3153
Our Data Protection Officer is Zoe DeStories, who may be reached at firstname.lastname@example.org.
Our EU representative is Data Protection Representative Limited (trading as ‘DPR Group’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.
We have agreed to be bound by the authority of JAMS in addressing and resolving any dispute relating to your privacy or this policy. This dispute resolution mechanism is available to you at no cost. To learn more about this service, go to:
The Federal Trade Commission has jurisdiction over our compliance with this Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework. In cases of onward transfer to third parties of Personal Information of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield Framework or the Swiss-U.S. Privacy Shield Framework, we are potentially liable.
Under certain conditions, you may invoke binding arbitration for complaints not resolved by the mechanisms described above. For more information about this, go to https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Read about CRIO’s Security & Compliance.