Effective May 22, 2018
When we refer to “OpenClinica,” “we,” or “us” in this policy, we mean OpenClinica, LLC. OpenClinica provides software tools for conducting clinical research studies. We also own and operate a number of websites and offer related services, such as support. We refer to all these products, together with our other services and websites, as “Services” in this policy.
Notice to end users
Our products are intended for use by our customers which are organizations. Where the Services are made available to you through an organization (e.g. your employer, research sponsor, or data management service provider), that organization is the administrator of the Services and is responsible for the end-users and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to that organization’s policies. We are not responsible for the privacy or security practices of an administrator’s organization, which may be different than this policy.
Information we collect about you
We collect the following information about you when you specifically provide it to us, or make use of our Services.
Information you provide to us
We collect information about you when you input it into the Services or otherwise provide it directly to us.
- Account and profile information. We collect information about you when you register for an account, create or modify your profile, set preferences, sign up for or make purchases through the Services. For example, you may register on one of our websites in order to access certain resources, or purchase a product/service and enter your contact or billing information.
- Information you provide by using our products. The Services include any OpenClinica software products you use, where we collect and store information that you add, upload, send, receive and share. This includes any information about you that you may choose to include, and information our customers choose to include in their clinical studies.
- Information you provide through our website. The Services include websites we either own or operate. For example, when you submit a form on one of these websites, we may require you to provide us with contact information such as your name, company name, job title, address, phone number, and email address.
- Information you provide through our support channels. The Services also include customer support, where you may choose to submit information regarding a problem or question related to the Services. When you engage with our support team we obtain information, including your contact information. For example, you may submit a ticket or telephone our help desk to describe a problem you are experiencing, submit supporting documentation such as screenshots, etc.
- Billing and payment information. In order to provide the Services we collect payment and billing information. For example, you may provide us with a billing contact for invoicing purposes, or provide us with your payment card details via a secure payment processing service.
Information we collect automatically when you use our Services
We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
- Your use of the Services. We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use, links you click, search terms entered, the types and sizes of files uploaded, and the types, quantities, sizes, and status of studies, sites, forms, events, rules, study subjects, and data extracts.
- Device and connection information. We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you access, update, or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.
Information we receive from other sources
- Other users of the Services. Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned by someone else on a support ticket, or in using our collaboration features. We also receive your email address from other Service users when they provide it in order to invite you to the Services.
- OpenClinica partners. We work with partners globally who provide implementation, training, consulting, and other services around our products. Some of these partners also help us to market and promote our products, generate leads for us, and resell our products. We receive information from these partners, such as billing information, billing and technical contact information, company name, what products you have purchased or may be interested in, evaluation information you have provided, what events you have attended, and what country you are in.
We also receive information about you from advertising and market research partners who provide us with information about your interest in, and engagement with, our Services and online advertisements.
How we use information we collect
How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you.
- To provide the Services and personalize your experience. We use information about you to provide the Services to you, including to procure and configure the Services, authenticate you when you log in, tailor content you have access to, provide customer support, and operate and maintain the Services. For example, we use the name you provide in your account to identify you to other Service users, or to show you a list of data queries requiring your attention.
- For research and development. Customer feedback and usage data (such as activity, patterns, trends, and metadata) is essential to making our Services as useful as possible. This information helps us troubleshoot problems and informs our product design and roadmap.
- To communicate with you about the Services. We use your contact information to send transactional communications via email and within the Services, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages. We also use your contact information to provide you with tailored communications based on your system preferences and usage. For example, an action you take in the Services may automatically trigger an email notification that provides you with an updated study report.
- To market, promote, and drive engagement with the Services. We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, and by displaying OpenClinica ads on other companies’ websites. These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about new product offers, promotions and contests. You can control whether you receive these communications as described below under “Opt-out of communications.”
- Customer support. We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services. Where you give us permission to do so, and if necessary in order to troubleshoot a technical issue, we may access your clinical data.
- For security and regulatory compliance. We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies. We also use information about you to meet the requirements of regulations and guidelines which pertain to clinical research, such as ICH GCP and 21 CFR Part 11.
- To protect our legitimate business interests and legal rights. Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
- Other purposes. We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.
- Legal bases for processing (for EEA users). If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:
  - We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
  - It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
  - You give us consent to do so for a specific purpose; or
  - We need to process your data to comply with a legal obligation.
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g. your employer, the clinical trial sponsor) have a legitimate interest to do so, you have the right to object to that use, though in some cases, this may mean no longer using the Services.
How we share information we collect
We recognize that your clinical research data is a critical asset and take privacy and security of this data very seriously. We do not share your clinical research data with any third-party unless we are specifically authorized to do so.
Certain other information you provide to us may be shared in the ways described below:
- Community forums. We operate some publicly accessible websites such as blogs, forums, and bug trackers. You should be aware that any information you provide in these websites – including profile information associated with the account you use to post the information – may be read, collected, and used by any member of the public who accesses these websites. Your posts and certain profile information may remain even after you terminate your account. You should therefore consider the sensitivity of any information you input into these Services. To request removal of your information from publicly accessible websites operated by us, please contact us as provided below. In some cases, we may not be able to remove your information, in which case we will let you know that we are unable to and why.
- Service providers. We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, billing, collections, and other services for us, which may require them to access or use information about you. If a service provider needs to access information about you to perform services on our behalf, they do so under instruction from us, including abiding by policies and procedures designed to protect your information.
- OpenClinica partners. We work with third parties who provide consulting, sales, support and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to enable the delivery of the OpenClinica products and services you have purchased. If a partner needs to access information about you to perform services on our behalf, they do so under instruction from us, including abiding by policies and procedures designed to protect your information.
- Compliance with enforcement requests and applicable laws; enforcement of our rights. In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect OpenClinica, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
Security and Storage
We take the security of your information seriously and have numerous measures in place to protect against the loss, misuse, and alteration of information under our control. While we implement technical and procedural safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.
We use data hosting service providers in the United States, the European Union, and other locales to host the information we collect. How long we keep information we collect about you depends on the type of information. For example:
- If you are a customer, and cease being a customer, we will delete your clinical data. Your data that we store on our routine back-up systems will remain on those back-up systems and be overwritten in the ordinary course of reuse of those system-backup media.
- If the Services are made available to you through one of our customers (e.g., your employer), we retain your information as long as required by our customer.
- If you have elected to receive marketing emails from us, we retain information about your marketing preferences unless you specifically ask us to delete such information.
- We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations and to continue to develop and improve our Services.
How to access and control your information
You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests. You can exercise some of the choices by logging into the Services and using features available from within the Services. Where the Services are administered for you by an administrator (see “Notice to End Users” above), you may need to contact your administrator to assist with your requests first. For all other requests, you may contact us as provided in the Contact Us section below to request assistance.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your administrator are permitted by law or have compelling legitimate interests to keep. Where you have asked us to share data with third parties, you will need to contact those third-party service providers directly to have your information deleted or otherwise restricted. If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.
Outside of the context of a specific clinical research study being conducted by our customers, for which research subjects have been appropriately consented, our Services are not intended for, or designed to attract, individuals under the age of 16. We do not collect personally identifiable information from any person we actually know is an individual under the age of 16.
Links to Independent Websites
Our Services may contain links to third party websites. The policies and procedures described here do not apply to those sites. We suggest contacting those sites directly for information on their privacy, security, data collection, and distribution policies.
Privacy Shield Notice
Under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, we are responsible for the processing of information about you we receive from the EU and Switzerland and onward transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for such onward transfers and remain liable in accordance with the Privacy Shield Principles if third-party agents that we engage to process such information about you on our behalf do so in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.
To learn more about the Privacy Shield Program, and to view our certification, please visit our public Privacy Shield listing.
We encourage you to contact us as provided below should you have a Privacy Shield-related (or general privacy-related) complaint. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge). Through this third-party dispute resolution provider, we have also committed to cooperating and complying with the information and advice provided by an informal panel of data protection authorities in the European Economic Area and/or the Swiss Federal Data Protection and Information Commissioner (as applicable) in relation to unresolved complaints (as further described in the Privacy Shield Principles). You may also contact your local data protection authority within the European Economic Area or Switzerland (as applicable) for unresolved complaints.
Under certain conditions, more fully described on the Privacy Shield website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Updates to this policy
If you have questions or concerns about how your information is handled, please direct your inquiry to:
460 Totten Pond Road, Suite 200
Waltham, MA 02451 USA