Policy for Protecting Your Online Privacy

CRFWEB is the EDC application of Clindox Ltd. Our website crfweb.com is a business to business site, providing information about our services. The following provisions, inform you about the type, scope, and purpose of the collection and use of your personal data. We have separated the information into three sections:

1. Our website and marketing channels including social media CRM systems and communication channels
2. The product/service we sell: our EDC system including our App
3. Your rights and other provisions

Personal data being defined as any information relating to an identified or identifiable natural person. This may include your name and e-mail address.

Our Roles with respect to Data Processing:

• Clindox is data controller as an employer and with respect to prospects and clients’ business information.
• Clindox is a processor for its clients and their clients and trial subjects.

If you have any questions in relation to this Privacy Policy, or wish to exercise your rights relating to it, please contact us at dpo@clindox.com

It is generally possible to use our website without providing personal data. You have no obligation to provide personal data. However, the provision of personal data is required, for example, in the case of requesting a demonstration or to contact us via any contact or call back form on this website. If you do not provide us with personal data for the purposes listed below, you may not be able to use the functions of this website or some of its services.

1. PROVIDER AND DATA PROTECTION DETAILS

Provider of this website, CRFWEB.com, and controller in the sense of data protection law is Clindox Ltd, 16/17 College Green, Dublin, Ireland, D02 V0 E-mail: info@Clindox.com

You can reach Clindox’s data protection officer at: DPO@Clindox.com

2. WEBHOSTING

Our website is self managed. Hosting is with Names.co: Namesco Limited Acton House, Perdiswell Park, Worcester, Worcestershire, WR3 7GD. Data is held on their servers in the UK

Their privacy policy is available here https://www.names.co.uk/info/terms/privacy-policy

3. DATA YOU PROVIDE DIRECTLY TO OUR WEBSITE

Webforms: We collect data directly entered via one of the forms on our website. You may choose this method to contact us with regard to requesting a demonstration of our services or asking a question.

Chat: Our website chat function uses Zendesk International Ltd.
55 Charlemont Place, Saint Kevin’s, Dublin, D02 F985 Ireland.  Their privacy policy is available here: https://www.zendesk.co.uk/company/customers-partners/privacy-policy/

4. DATA PROCESSING COOKIES AND TRACKING

Tracking tools and other services used by us are listed in the following sections. The legal basis for the processing of your data follows from Article 6 paragraph 1 F of the GDPR. Our legitimate interest then consists in improving our site experience and monitoring performance.

The cookies we use are listed in the cookie banner. Our banner gives you the option to select all cookies, or to allow any of preferences, statistical or marketing cookies. The details of the tracking tools used are identified in the following sections.

7. TRACKING TOOLS / OTHER SERVICES

7.1. Google Analytics

Our website uses the tracking tool “Google Analytics”. This is a service provided by Google Ireland Limited, a company incorporated and regulated under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). This tracking tool helps us to make the website more interesting for you and to improve the user experience. On our behalf, Google will use the information obtained via Google Analytics to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website and internet usage.

For more information about Google Analytics, see:

https://support.google.com/analytics/answer/2790010?hl=de

Please note that Google also has independent access to your data collected via Google Analytics and can also use this data for its own purposes.

The legal basis for our processing of your data is your consent in accordance with Article 6 paragraph 1F of the GDPR. You give your corresponding consent via our cookie banner.

7.2. Google Ads and Conversion Tracking

In order to advertise our products and services on external websites with the help of advertising media and to determine the success of our advertising measures, we may use the “Google Ads Conversion” service. These advertising media are delivered by Google via so-called “Ad Servers”. If you access our website via a Google Ad advertisement, Google Ads will store a cookie on your end device.

You can find more information about data privacy at Google here: https://support.google.com/google-ads/answer/93148 https://ads.google.com/intl/de_de/home/faq/gdpr/

The legal basis for our processing of your data is your consent pursuant to Article 6 paragraph 1 of the GDPR. You give your corresponding consent via our cookie banner.

7.3. YouTube

Our website may use plugins from the YouTube site operated by Google. If you choose to play a video via a YouTube plugin a connection to the YouTube servers is established. In the process, the YouTube server is informed you have visited our site. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account. The use of YouTube is based on your consent in accordance with Article 6 paragraph 1F of the GDPR. You give your corresponding consent via our cookie banner.

For more information on the handling of user data, please refer to Youtube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

7.4. LinkedIn Insight-Tag

On our website we may use the conversion tool “LinkedIn Insight-Tag” of LinkedIn Ireland. This tool creates a cookie in your web browser, which enables the collection of, among other things, the following data: IP address, device and browser properties and page events (e.g. page views). LinkedIn Ireland does not transmit any personal data to us, but provides anonymized reports on website audience and viewing performance. In addition, LinkedIn Ireland offers the possibility of retargeting via the Insight-Tag. With the help of this data, we can display targeted advertising outside our website without identifying you as a user of the website. Our legal basis for processing your data is your consent pursuant to Article 6 paragraph 1F GDPR. You give your corresponding consent via our cookie banner.

For more information about the LinkedIn Insight-Tag, please see the following link. For more information about privacy at LinkedIn Ireland, please see the LinkedIn Ireland Privacy Policy.

7.5. Google reCAPTCHA

We use Google reCAPTCHA (“reCAPTCHA”) on our website. This is a service of the provider Google. reCAPTCHA is used to check whether the data entry on our website (e.g. when registering for a newsletter) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor calls up or enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. You will not be informed separately that an analysis is taking place.

For more information about reCAPTCHA and Google’s privacy policy, please see the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

7.6. Google Tag Manager

We may use Google Tag Manager. Through this service from Google, website tags can be managed via an interface. However,  Google Tag Manager only implements tags. In this respect, no cookies are used and no personal data is collected. Google Tag Manager merely triggers other tags, which in turn may collect data. However, Google Tag Manager does not access this data. The data is analyzed exclusively in the respective tool (see the aforementioned explanations in section 7).

7.7 Database, CRM and Office Tools

Customer Database. We use Jira by Atlassian to hold contact data on clients and prospects.

The legal basis for the processing of your data is your consent pursuant to Article 6 paragraph 1 of the GDPR. Please note Atlassian is an Australian Company. We will only hold data about you where you have expressed an interest in our products/services. You may opt-out of receiving information from us at any time by emailing optout@clindox.com

https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers

8. SOCIAL MEDIA PRESENCE

8.1. Links to social networks

Our website contains links to a number of social networks (Facebook, LinkedIn and Twitter). These websites are operated exclusively by third parties. If you follow the links, the respective provider may process personal data about you. Please note the data protection information of the provider in this regard.

8.2. Data processing by Clindox and legal basis

Our social media presences and links to third-party providers (Facebook, LinkedIn and Twitter) serve the purpose of informing you about Clindox as well as new developments, services and products of Clindox. Depending on the services of the respective providers, you have the possibility of different interaction (comments, recommendations etc.) Interaction of users is important to us in order to carry out our marketing. For example, we can determine which posts/articles are read most. We may use the statistics determined by the providers in this regard for our own purposes, the legal basis for this is Article 6 paragraph 1F of the GDPR.

8.3. Joint responsibility

In some cases, we may be jointly responsible with the social media providers for processing your personal data. In this case you can assert your rights (see section 14) generally either against us or against the social media provider. However, the social media provider is the first point of contact.

With regard to the storage period of the data we process from you for our own purposes, please refer to our explanations under section 12. Otherwise, please observe the data protection provisions of the respective social media provider.

9. TELEPHONE AND VIDEO CONFERENCES VIA TEAMS or Zoom or SKYPE

We use the online platforms Microsoft Teams or Skype and Zoom for interactive communication.

Teams and Skype are services provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, based in the USA (“Microsoft“).

Zoom is a service provided by Zoom Video Communications Inc. Their European representatives can be contacted here: Lionheart Squared Ltd, Attn: Data Privacy, 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, DO2 EK84, Republic of lreland. mail: zoom@LionheartSquared.eu

If you access either Teams or Skype or Zoom, you may download their apps or access via your browser. The respective video conference provider is responsible for the data processing. You can access our meetings if you enter the respective meeting ID or follow a link provided.

We use Microsoft Teams or Skype or Zoom to conduct telephone conferences and/or video conferences, particularly in connection with online meetings and demos for prospects and clients.

When using online meetings, various types of personal data are processed. For further details on data processing for the video conferencing platforms we use, please refer to  Microsoft, https://privacy.microsoft.com/en-gb/privacystatement or https://privacy.microsoft.com/en-us/privacystatement or Zoom, https://zoom.us/privacy

10. WEBSITE DATA SECURITY

To protect your personal data on this website, we use a secure online transmission procedure, the so-called “Secure Socket Layer” (SSL) transmission. You can recognize this by the fact that a closed padlock symbol is displayed on the address https://. By clicking on the symbol, you will receive information about the SSL certificate used. The display of the symbol depends on the browser version you are using. The SSL encryption guarantees the encrypted and complete transmission of your data.

11. THIRD PARTY SITES:

Pages within our website and software service may contain links to other websites. We are not responsible for the privacy practices or the content of these other websites. When visiting these sites, you will need to check the policy of these others web sites to understand their policies. When accessing a linked site, you may be disclosing your private information. It is your responsibility to keep such information private and confidential.

12. DATA COLLECTED WHEN USING OUR EDC SERVICES

12.1 SUBJECT DATA

As required during the course of providing EDC services for our clients to conduct and store clinical trial data, we will only collect and store data in accordance with the protocols provided by the data controller(s) of the trial. This data typically involves pseudo-anonymised subject data with respect to a clinical study or trial. Depending on the trial protocol there may also be a requirement to upload or hold images or documents relevant to the protocol of the trial. We will keep the data for the period of time specified by the controller of the study. Any subject wishing to have their data removed should contact the controller of the study but may also contact our data privacy officer via DPO@clindox.com and we will refer the request to the controller.

Unless agreed to the contrary with the Data Controller of the trial, this data will be held via our sub-processor Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210

on servers within the EU.

https://aws.amazon.com/privacy/

Our EDC services can be accessed via web browser or via the CRFWEB app, depending on the agreement with the Trial data controller.

If using the CRFWEB App, it can be downloaded in IOS version from the Apple App Store or in Android version from the Google Play Store. Their respective privacy policies can be found here:

https://www.apple.com/legal/privacy/en-ww/governance/

https://policies.google.com/privacy?hl=en-US

Depending on the study in question, there may be a requirement to use the notifications feature of your device and also to collect images or documents held on your device. Please contact your study provider/controller for details.

Information collected by the app is required for the security and smooth running of the app and to enable the appropriate data to be collected for the requirements of the clinical trial. Our legal justification for this is Article 6 paragraph 1F of the GDPR

12.2 APP SPECIFIC DATA

Depending on the specific of the study, the app will/may collect/process all or some of the following from the users device:

Health and Fitness data (only as directly entered by the user)

User content (potential attachments/images as per requirements of study)

Access to camera to take images (as required by specific study)

Sensitive Info (only as directly entered by subject, as per requirements of study)

Contact Info (app login info)

Identifiers (subject study ID)

Wifi connection

Network Connection

Date:time functionality

Diagnostics (crash info)

Data when submitted will be stored on our servers for the duration of the trial. A copy will also be held locally on the device until the app is deleted.

12.3 CLIENT/USER DATA WITH RESPECT TO OUR EDC SERVICES

In order to use the Clindox EDC services, it will be necessary for client data and potentially our clients’ client’s (e.g. researchers/research sites) data to be held by us for the necessary functioning of a clinical trial. Users of our EDC system will be allocated roles, and will need to provide their name and email address. Their role may dictate receiving notifications during the course of the study in order to fulfil their role. This is a necessary requirement for secure access to control, manage or enter data in a clinical trial. Our legal justification is Article 6 paragraph 1F of the GDPR. This client/user data will be held by us for the duration of the trial or until such time as that data is removed by the client. The client will have full responsibility for adding this data, removing this data and for ensuring all permissions to use that data have been obtained.

13. YOUR RIGHTS

Data protection law provides you with a number of rights that Clindox is committed to supporting you with;

13.1 Right of Access

You have the right to obtain:

• Confirmation that your information is being used, stored or shared by Clindox
• A copy of information held about you. We will respond to your request within one month of receipt or we will tell you when it might take longer.

We are required to validate your identity or the identity of someone making a request on your behalf.

13.2 Right to Object or Withdrawn Consent

• We collect, use, store and share your information because you have consented for us to do so, but you have a right under common law to object to us doing this, and you may withdraw your consent at any time.
• When you make such a request, the data will be anonymised (anything that identifies you will be removed) to ensure it is no longer personal data
• We will then only use the anonymised data for technical, quality and business purposes.
• Our Data Protection Officer will be happy to speak with you about any concerns you may have

13.3 Right to Rectification

• If information about you is incorrect, you are entitled to request that we consider and correct it (if applicable).
• There may be occasions, where we are required by law to maintain the original information. Our Data Protection Officer will talk to you about this and you may request that the information is not used during this time.
• We will respond to your request within one month of receipt or we will tell you when it might take longer

13.4 Restriction

• When you are making requests for correction or objecting to processing, you have a right to request that we do not further share the information whilst we process your request.
• We will let you know once we are no longer restricting the information.

13.5 Portability

• You have a right to request that we send you a copy of the personal data you have provided to us via Clindox. You may do this by emailing us to make a request.

13.5 Third Parties

• Where we process your data in joint controllership with third parties within the meaning of Article 26 of the GDPR (section 8.3), the third party is centrally responsible for the exercising of all rights of the persons concerned. However, you are free to assert your rights against us as well.

Finally, we would like to draw your attention to your right of appeal to the relevant supervisory authority. Clindox is an Irish-based company and the data protection commission can be contacted via their website here: https://www.dataprotection.ie/

14. DATA TRANSFER

14.1 General

We only transfer your personal data to third parties or other recipients if this is necessary for the provision of our services, if you have given your consent, if there is a legal obligation or if the transfer of data is permitted by another legal basis. Where necessary, we have concluded data processing agreements with the recipients of your data, in accordance with Article 28 of the GDPR. We will only transfer your data to government bodies within the scope of legal obligations or on the basis of an official order or court decision.

14.2. Data transfer to countries outside the EU

As far as necessary for our purposes, we will also transfer your data to recipients outside the EU if you have given your consent, if there is a legal obligation or if the transfer of data is permitted on another legal basis. Your data may also be transferred to recipients based in the USA within the scope of data processing. An adequate level of data protection is generally ensured by the conclusion of the so-called EU standard contractual clauses.

Please note: according to a recent ruling of the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain circumstances your data may be processed by US authorities for control and monitoring purposes. In addition, we refer to Article 49 GDPR with regard to the legal basis for the transfer of data.

15. DURATION FOR WHICH PERSONAL DATA IS STORED / CRITERIA FOR DETERMINING THE DURATION

Your personal data will be stored by Clindox for as long as it is necessary for the aforementioned purposes of processing, subject to your rights in section 13.

16. NO AUTOMATED INDIVIDUAL DECISION

We do not use your personal data for automated individual decisions

17. AMENDMENT OF THE PRIVACY POLICY

New legal requirements, business decisions or technical developments may require changes to our privacy policy. We will adjust the privacy policy on our website as and when required. By continuing to use our site or our services or otherwise provide data after we post any such changes, you accept and agree to these terms.

Privacy Policy Date: March 2021