Privacy Policy
How we collect, use, and protect your information. Your privacy is fundamental to everything we do.
Overview: This Privacy Policy describes how Clincove, Inc. ("Clincove," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Clincove clinical trial management platform (the "Platform") and our website at clincove.com (the "Website"). This Policy applies to all users of the Platform and Website, including clinical trial professionals, investigators, site staff, and visitors.
Scope Clarification: Clincove processes certain categories of personal data on behalf of our Customers (sponsors, CROs, and clinical trial sites) as a data processor/business associate. For information about how your personal data is handled in the context of a specific clinical trial, please contact the clinical trial sponsor or site directly, as they are the data controller/covered entity responsible for determining the purposes and means of processing.
1. Information We Collect
1.1 Information from Platform Users (Authorized Users)
When clinical trial professionals register for and use the Platform, we collect:
- Account Information: Full name, professional email address, job title, institutional affiliation, professional role (e.g., Principal Investigator, Clinical Research Coordinator, Data Manager), and contact information (phone number, office address).
- Authentication Data: Encrypted password, multi-factor authentication tokens, session tokens, and login history (timestamps, IP addresses, device identifiers).
- Usage Data: Platform activity logs including pages visited, features used, data entry events, query responses, form submissions, time spent on activities, and system interactions.
- Audit Trail Data: All data entry, modification, and deletion events with associated timestamps, user identifiers, and reason-for-change annotations, as required by ICH GCP and 21 CFR Part 11.
1.2 Clinical Trial Data (Processed on Behalf of Customers)
In the course of providing the Platform, Clincove processes Clinical Trial Data on behalf of Customers. This data may include:
- Patient/Subject Data: Subject identifiers (which may include pseudonymized IDs), demographic information, medical history, diagnosis information, vital signs, laboratory results, adverse event data, concomitant medications, and other clinical observations entered into electronic case report forms (eCRFs).
- Source Medical Records: Original medical records, laboratory reports, imaging results, pathology reports, and other source documents uploaded to the Platform for source data verification purposes.
- Trial Management and Regulatory Data: Study protocols, investigator brochures, informed consent forms, regulatory submissions, correspondence, site qualification documents, training records, monitoring visit reports, trial master file (TMF) contents, and investigator site file (ISF) contents.
1.3 Website Visitor Information
When you visit our Website, we may collect:
- Browser and Device Information: Browser type, operating system, device type, screen resolution, and language preferences.
- Connection Information: IP address, internet service provider, and approximate geographic location (city/region level).
- Interaction Data: Pages visited, links clicked, time spent on pages, referring URLs, and search queries used to reach our Website.
- Cookie Data: Information collected through cookies and similar technologies as described in Section 8.
- Inquiry Information: Name, email address, company, and message content when you submit a contact form, request a demo, or sign up for communications.
2. How We Use Information
2.1 Platform Operations
We use information collected from Authorized Users to:
- Provide, maintain, and improve the Platform and its features;
- Authenticate users and enforce role-based access controls;
- Generate and maintain audit trails as required by regulatory standards;
- Provide technical support and respond to support requests;
- Monitor system performance, uptime, and security;
- Detect, prevent, and respond to security incidents and fraud;
- Conduct platform analytics to identify usage patterns and improve user experience;
- Fulfill our obligations under applicable Order Forms and service agreements; and
- Comply with legal obligations, including regulatory retention requirements.
2.2 Clinical Trial Data Processing
We process Clinical Trial Data exclusively in accordance with the Customer's instructions as documented in the applicable Data Processing Agreement, Order Form, and these Terms. We do not access, use, or disclose Clinical Trial Data except as necessary to provide the Platform services, respond to Customer instructions, or comply with applicable law.
2.3 Website and Marketing
We use Website visitor information to:
- Operate and improve the Website;
- Respond to inquiries, demo requests, and support questions;
- Send marketing communications (with consent where required by law);
- Analyze Website traffic and user behavior to improve content and user experience; and
- Ensure Website security and prevent abuse.
2.4 Derived Data — Creation, Use, and Commercialization
Clincove creates Derived Data by aggregating, de-identifying, and anonymizing Clinical Trial Data and Platform usage data such that it cannot reasonably be used to identify any individual, patient, or research subject. Clincove owns all Derived Data and may use it without restriction, including for:
- Product development, improvement, and optimization;
- Creation and sale of industry benchmarking reports, analytics products, and datasets to third parties;
- Research, statistical analysis, and publication;
- Training and improvement of machine learning models and algorithms;
- Marketing and business development; and
- Licensing or sale to pharmaceutical companies, research institutions, and other commercial entities.
All de-identification processes comply with HIPAA Safe Harbor (45 CFR § 164.514(b)) or Expert Determination (45 CFR § 164.514(a)) methods and GDPR anonymization standards (Recital 26). For the avoidance of doubt, Derived Data does not constitute personal data or PHI and is not subject to the data subject rights described in Section 6. Customers acknowledge and consent to this use of Derived Data by accepting our Terms and Conditions.
3. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under the GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Platform to Authorized Users | Performance of a contract (Article 6(1)(b)) |
| Processing Clinical Trial Data on behalf of Customers | Processing on behalf of the data controller per Article 28; the Customer determines the applicable legal basis |
| Maintaining audit trails and regulatory records | Legal obligation (Article 6(1)(c)) and legitimate interest (Article 6(1)(f)) |
| Security monitoring and incident response | Legitimate interest (Article 6(1)(f)) — protecting the Platform and user data |
| Website analytics | Legitimate interest (Article 6(1)(f)) — improving the Website, subject to cookie consent |
| Marketing communications | Consent (Article 6(1)(a)) or legitimate interest where applicable |
| Processing special categories of data (health data) | Explicit consent or necessary for scientific research purposes (Article 9(2)(a) or (j)), as determined by the Customer |
4. How We Share Information
4.1 Service Providers and Sub-Processors
We share information with trusted third-party service providers who assist in operating the Platform, subject to contractual data protection obligations at least as protective as those in this Policy. Categories of sub-processors include:
- Cloud infrastructure providers (hosting, storage, compute);
- Security and monitoring services;
- Customer support tools;
- Email and communication services; and
- Analytics and performance monitoring tools.
A current list of sub-processors is available upon request and is provided to Customers as part of the Data Processing Agreement. Clincove will notify Customers of material changes to sub-processors with at least thirty (30) days' prior notice.
4.2 Customer Access
Clinical Trial Data is accessible to the Customer and its designated Authorized Users in accordance with the role-based access controls configured by the Customer. Clincove does not independently determine who within the Customer's organization may access specific data.
4.3 Regulatory and Legal Disclosures
We may disclose information when required to do so by law, regulation, court order, or governmental request, including but not limited to:
- Regulatory authority inspections and audits (e.g., FDA, EMA, MHRA, NMPA);
- Responses to valid subpoenas, court orders, or legal process;
- Compliance with HIPAA breach notification requirements; and
- Cooperation with law enforcement where legally compelled.
Where legally permissible, we will notify the affected Customer before disclosing their data and cooperate with any effort to obtain protective treatment.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, information may be transferred as part of the transaction. We will provide notice to affected Customers and ensure that the acquiring entity is bound by equivalent data protection obligations.
4.5 No Sale of Personal Data
Clincove does not sell, rent, or trade personal data or Clinical Trial Data to any third party for marketing, advertising, or any other commercial purpose. Clincove does not engage in data brokering.
5. HIPAA Compliance
5.1 Business Associate Relationship
When Clincove processes Protected Health Information (PHI) on behalf of a Customer that is a Covered Entity or Business Associate under HIPAA, Clincove acts as a Business Associate. Clincove executes a Business Associate Agreement (BAA) with each such Customer prior to receiving PHI.
5.2 PHI Safeguards
Clincove maintains the following safeguards for PHI in compliance with the HIPAA Security Rule:
- Administrative Safeguards: Designated security officer, workforce training, access management policies, contingency planning, and regular risk assessments.
- Physical Safeguards: Data center access controls, workstation security policies, and device and media disposal procedures.
- Technical Safeguards: Access controls with unique user identification, encryption (AES-256 at rest, TLS 1.2+ in transit), audit logging, integrity verification, and transmission security.
5.3 Minimum Necessary Standard
Clincove applies the HIPAA minimum necessary standard when accessing PHI, limiting access to the minimum amount of information necessary to fulfill the intended purpose. Clincove personnel access PHI only when required for Platform operation, technical support, or incident response, and all access is logged and auditable.
5.4 Breach Notification
In the event of a breach of unsecured PHI, Clincove will notify the affected Customer without unreasonable delay and no later than sixty (60) days after discovery, providing all information required under 45 CFR § 164.410 to support the Customer's breach notification obligations.
6. Data Subject Rights
6.1 GDPR Data Subject Rights
Individuals in the EEA, UK, and Switzerland have the following rights with respect to their personal data:
- Right of Access (Article 15): The right to obtain confirmation of whether personal data is being processed and a copy of such data.
- Right to Rectification (Article 16): The right to correct inaccurate personal data.
- Right to Erasure (Article 17): The right to request deletion of personal data, subject to legal retention obligations.
- Right to Restriction (Article 18): The right to request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): The right to receive personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): The right to object to processing based on legitimate interests.
- Right Not to Be Subject to Automated Decision-Making (Article 22): The right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.
6.2 Exercising Rights — Platform Users
Authorized Users may exercise their rights by contacting us at compliance@clincove.com. We will respond within thirty (30) days, or the timeframe required by applicable law.
6.3 Exercising Rights — Clinical Trial Subjects
Clincove processes Clinical Trial Data as a data processor on behalf of our Customers. If you are a clinical trial participant and wish to exercise your data protection rights regarding data processed through the Platform, please contact the clinical trial sponsor or site directly. Upon receiving a verified request from the Customer, Clincove will assist in fulfilling data subject requests in accordance with our Data Processing Agreement.
6.4 PIPL Data Subject Rights (China)
Individuals whose personal information is processed under China's Personal Information Protection Law (PIPL) have additional rights including the right to know and decide about processing, the right to restrict or refuse processing, the right to access and copy personal information, the right to portability, and the right to request explanation of processing rules. Requests should be directed to the clinical trial sponsor or site that serves as the personal information processor. Clincove supports Customers in fulfilling these obligations.
6.5 U.S. State Privacy Rights
Residents of certain U.S. states (including California under the CCPA/CPRA, Virginia, Colorado, Connecticut, and others) may have additional rights regarding their personal information, including the right to know, delete, and opt out of the sale of personal information. Clincove does not sell personal information. To exercise any state-specific privacy rights, contact us at compliance@clincove.com.
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Authorized User account data | Duration of the subscription plus 90 days for data export | Contractual obligation |
| Clinical Trial Data (eCRF, source documents) | As specified in the Order Form or as required by applicable regulations (typically 15–25 years post-trial completion) | Regulatory requirement (ICH GCP, 21 CFR Part 11, national laws) |
| Audit trail records | Co-extensive with the Clinical Trial Data they relate to | Regulatory requirement |
| Security and access logs | Minimum 3 years | Security best practice and regulatory compliance |
| Website analytics data | 26 months | Legitimate interest |
| Marketing contact information | Until consent is withdrawn or the individual unsubscribes | Consent |
7.2 Deletion and Destruction
Upon expiration of the applicable retention period, data is securely deleted using methods consistent with NIST SP 800-88 guidelines. For Clinical Trial Data, Clincove provides written certification of deletion upon Customer request. Where immediate deletion is not technically feasible (e.g., backup media), Clincove will isolate the data and apply protections until deletion is possible.
8. Cookies and Tracking Technologies
8.1 Types of Cookies
| Cookie Category | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security, load balancing. Required for Platform operation. | Session / up to 24 hours |
| Functional | User preferences, language settings, display customization. | Up to 12 months |
| Analytics | Website usage patterns, page views, navigation flows. Used to improve user experience. | Up to 26 months |
| Marketing | Used on the Website only (not within the Platform) to measure marketing campaign effectiveness. | Up to 12 months |
8.2 Cookie Consent
For Website visitors in the EEA, UK, and other jurisdictions where consent is required, we present a cookie consent banner that allows you to accept or reject non-essential cookies. Strictly necessary cookies cannot be disabled as they are required for the Website and Platform to function. You may modify your cookie preferences at any time through the cookie settings link in the Website footer.
8.3 Do Not Track
The Platform does not respond to Do Not Track (DNT) browser signals, as there is no uniform industry standard for DNT compliance. However, you may control tracking through your cookie preferences and browser settings.
9. International Data Transfers
9.1 Transfer Mechanisms
Clincove may transfer personal data outside of the country where it was originally collected. For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission, Clincove relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): Clincove enters into the European Commission's Standard Contractual Clauses (as updated June 2021) with Customers and sub-processors, including the UK International Data Transfer Addendum where applicable.
- Supplementary Measures: Clincove implements supplementary technical and organizational measures including encryption, pseudonymization, access controls, and data minimization to ensure an essentially equivalent level of protection.
- Transfer Impact Assessments: Clincove conducts transfer impact assessments for each destination country to evaluate the legal framework and risks, and implements additional safeguards where necessary.
9.2 China (PIPL) Cross-Border Transfers
For transfers of personal information out of the People's Republic of China, Clincove supports compliance with PIPL requirements including conducting Personal Information Protection Impact Assessments (PIPIAs), entering into standard contracts prescribed by the Cyberspace Administration of China (CAC), supporting security assessments where required, and obtaining separate consent from data subjects where applicable.
9.3 Data Localization
Where data localization requirements apply (e.g., for certain categories of data under PIPL or national clinical trial regulations), Clincove provides data residency options to ensure that data is stored and processed within the required jurisdiction. Specific data localization arrangements are documented in the applicable Order Form.
10. Children's Privacy
The Platform is not directed to individuals under the age of 18. Clincove does not knowingly collect personal data from children. The Platform is designed for use by licensed healthcare professionals and clinical research personnel in their professional capacity. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly.
Clinical Trial Data relating to pediatric research subjects may be processed through the Platform on behalf of Customers. The lawfulness of such processing is the responsibility of the Customer as data controller, including ensuring that appropriate parental/guardian consent has been obtained in accordance with applicable regulations.
11. Data Security
11.1 Security Program
Clincove maintains a comprehensive information security program that includes:
- Encryption of all data at rest (AES-256) and in transit (TLS 1.2 or higher);
- Multi-factor authentication (MFA) for all Platform users;
- Role-based access controls with least-privilege enforcement;
- Regular vulnerability assessments, penetration testing, and code reviews;
- Intrusion detection and prevention systems with 24/7 monitoring;
- Regular backups with encryption and geographic redundancy;
- Disaster recovery and business continuity planning;
- Regular independent security assessments;
- Employee background checks, security training, and acceptable use policies;
- Incident response plan with defined roles, escalation procedures, and communication protocols; and
- Vendor risk management program for third-party service providers.
11.2 No Absolute Security
While Clincove employs industry-leading security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. Clincove cannot guarantee absolute security and is not responsible for security breaches caused by factors outside its reasonable control, including Customer-side security failures.
12. Changes to This Privacy Policy
Clincove may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify Platform users and Customers of material changes by email to the Customer's designated administrator at least thirty (30) days before the changes take effect. The "Last Updated" date at the top of this Policy indicates when the most recent revision was made. We encourage you to review this Policy periodically.
13. Data Protection Officer
Clincove has appointed a Data Protection Officer (DPO) who can be contacted for any inquiries regarding this Privacy Policy, data protection practices, or to exercise data subject rights:
Data Protection Officer
Clincove, Inc.
Email: compliance@clincove.com
1209 Orange St., Wilmington, DE 19801
14. Supervisory Authority
If you are located in the EEA or UK and believe that Clincove has not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For the UK, contact the Information Commissioner's Office (ICO).
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Clincove, Inc.
Attn: Compliance Team
Email: compliance@clincove.com
Website: clincove.com
1209 Orange St., Wilmington, DE 19801
For service-related inquiries: support@clincove.com
For security incidents: security@clincove.com