Privacy Policy
This Privacy Policy describes how PharmaTrialsCortex, Inc. (“PharmaTrialsCortex,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you access or use our websites, applications, and clinical trial technology services (collectively, the “Services”). This includes our SmartEDC electronic data capture platform, TMFEye.ai trial master file management system, eCTMS clinical trial management system, and any associated APIs, documentation portals, or support channels.
PharmaTrialsCortex is the data controller for personal data processed through our marketing website and account management systems. For clinical trial data processed through our platform applications, PharmaTrialsCortex acts as a data processor on behalf of our customers (the data controllers), as further described in our Data Processing Agreement.
Information We Collect
Information You Provide Directly
We collect personal data that you voluntarily provide when interacting with our Services:
- Account Information: Name, email address, organizational affiliation, job title, and role when you create a PharmaTrialsCortex account.
- Contact Information: Name, email address, phone number, and organizational details when you request a demo, contact sales, or submit a support request.
- Payment Information: Billing address and payment method details (processed by our payment processor; we do not store full payment card numbers).
- Communications: Content of messages you send to us, including support tickets, feedback, and community forum posts.
- Newsletter and Marketing: Email address and communication preferences when you subscribe to our newsletter or marketing communications.
- Job Applications: Resume, cover letter, and professional information if you apply for a position.
Information Collected Automatically
When you access our Services, we automatically collect certain technical and usage data:
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages viewed, features used, clickstream data, session duration, referral source, and search queries within our documentation.
- Log Data: Server logs including access times, HTTP status codes, and request parameters (with clinical data redacted).
- Cookie and Tracking Data: Information collected through cookies, web beacons, and similar technologies as described in our Cookie Policy.
Clinical Trial Data
When our customers use PharmaTrialsCortex platform applications (SmartEDC, TMFEye.ai, eCTMS), clinical trial data may include:
- Pseudonymized Participant Data: Subject identifiers, visit dates, clinical observations, laboratory results, adverse event reports, and informed consent records.
- Protected Health Information (PHI): When applicable, certain data elements may constitute PHI under HIPAA, including dates of service and medical record numbers.
- Audit Trail Data: Immutable records of all data access, modifications, and electronic signatures as required by 21 CFR Part 11.
Clinical trial data is processed by PharmaTrialsCortex as a data processor. The sponsoring organization or research institution is the data controller and is responsible for ensuring an appropriate legal basis for processing participant data.
How We Use Information
We process personal data for the following purposes and legal bases (under GDPR Article 6):
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining our Services | Performance of contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Customer support and communication | Performance of contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| Clinical trial data processing | Legitimate interest / Contract with controller |
Where we rely on legitimate interest, we have conducted balancing tests and determined that our interests do not override the rights and freedoms of data subjects. You may request details of these assessments by contacting our Data Protection Officer.
Data Sharing
We do not sell personal data. We share personal data only in the following circumstances:
Service Providers (Subprocessors)
We engage third-party service providers to assist in delivering our Services. These providers are contractually bound to process data only on our instructions and in accordance with applicable data protection law. See our Subprocessor List for a current list.
Legal Requirements
We may disclose personal data if required by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of the transaction. We will provide notice before personal data becomes subject to a different privacy policy.
With Your Consent
We may share personal data with third parties when you have provided explicit consent for a specific purpose.
Aggregated and De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you, for purposes such as industry benchmarking, research publications, and product improvement.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of account + 1 year | Contract performance and reactivation |
| Clinical trial data | As directed by data controller (typically 25 years) | Regulatory requirements (ICH-GCP, 21 CFR Part 11) |
| Audit trail data | As directed by data controller (typically 25 years) | 21 CFR Part 11 compliance; immutable by design |
| Marketing preferences | Until consent withdrawal | GDPR Article 7(3) |
| Support tickets | 3 years after resolution | Service improvement and dispute resolution |
| Server logs | 90 days | Security monitoring |
| Payment records | 7 years | Tax and financial reporting obligations |
When data is no longer needed, it is securely deleted or anonymized using industry-standard methods. Clinical trial data subject to regulatory retention requirements is archived in encrypted, access-controlled storage.
Your Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:
- Right of Access (Article 15): You may request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations. Note: clinical trial data subject to regulatory retention may be anonymized rather than deleted.
- Right to Restriction of Processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Article 21): You may object to processing based on legitimate interests. You have an absolute right to object to direct marketing.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact our Data Protection Officer at dpo@pharmatrialscortex.com. We will respond within 30 days. We may request identity verification before fulfilling your request.
For clinical trial participants: your data rights are managed by the sponsoring organization (data controller). Please contact your study site or sponsor directly. PharmaTrialsCortex will support the controller in fulfilling your requests as required by our Data Processing Agreement.
Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources and purposes of collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (including legal and regulatory retention obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: PharmaTrialsCortex does not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at privacy@pharmatrialscortex.com or call our toll-free number. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.
Categories of Personal Information Collected (per CCPA Section 1798.100): Identifiers, commercial information, internet or electronic network activity information, geolocation data (coarse), and professional or employment-related information.
HIPAA
When PharmaTrialsCortex processes Protected Health Information (PHI) on behalf of a covered entity or business associate, we do so in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act:
- Business Associate Agreement (BAA): We execute a BAA with each customer whose use of our Services involves PHI. The BAA specifies permitted uses and disclosures of PHI and our obligations as a business associate.
- Administrative Safeguards: Designated security and privacy officers, workforce training, access management policies, and contingency planning.
- Physical Safeguards: Infrastructure hosted in SOC 2 Type II certified cloud data centers (e.g., AWS, Azure, GCP) with physical access controls, environmental protections, and redundancy.
- Technical Safeguards: AES-256 encryption at rest, TLS 1.3 in transit, unique user identification, automatic logoff after 15 minutes of inactivity, audit controls, and integrity controls.
- Minimum Necessary Standard: Access to PHI is limited to the minimum necessary for each workforce member’s job function, enforced through role-based access controls.
- Breach Notification: In the event of a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and no later than 60 days after discovery, as required by 45 CFR Part 164, Subpart D.
International Transfers
PharmaTrialsCortex is headquartered in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the United States or other countries, we ensure adequate protection through the following mechanisms:
- EU-U.S. Data Privacy Framework: Where applicable, we rely on the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework as certified by the U.S. Department of Commerce.
- Standard Contractual Clauses (SCCs): For transfers not covered by an adequacy decision, we use the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor; Module 3: Processor to Processor) as adopted by Commission Implementing Decision (EU) 2021/914.
- Supplementary Measures: We implement technical (encryption, pseudonymization), organizational (access controls, training), and contractual measures to ensure the level of protection required by EU law.
- Transfer Impact Assessments: We conduct and maintain transfer impact assessments for each transfer mechanism, evaluating the legal framework of the recipient country and the effectiveness of supplementary measures.
You may obtain a copy of the applicable transfer mechanism by contacting privacy@pharmatrialscortex.com.
Cookies
We use cookies and similar tracking technologies on our websites and applications. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
In summary:
- Strictly Necessary Cookies: Required for the operation of our website and cannot be disabled.
- Functional Cookies: Remember your preferences and settings.
- Analytics Cookies: Help us understand how visitors interact with our website (subject to your consent where required).
We do not use advertising or behavioral tracking cookies on our clinical trial platform applications.
Children
Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@pharmatrialscortex.com.
In the context of clinical trials involving pediatric participants, all data is processed under the authority of the study sponsor (data controller) and is subject to applicable regulations governing pediatric research, including appropriate informed consent and assent procedures.
Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the “Last Updated” date at the top of this page.
- We will provide notice through our website, email notification, or in-app notification, as appropriate.
- For changes affecting clinical trial data processing, we will notify affected customers at least 30 days in advance.
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes are posted constitutes acceptance of the updated policy.
Contact
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
PharmaTrialsCortex, Inc.
- General Privacy Inquiries: privacy@pharmatrialscortex.com
- Data Protection Officer: dpo@pharmatrialscortex.com
- Security Concerns: security@pharmatrialscortex.com
- General Support: support@pharmatrialscortex.com
For EU/EEA residents, you also have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members.