1. Introduction
This Privacy Policy explains how we collect, use, share, and protect your personal data in compliance with applicable laws and regulations, such as the General Data Protection Regulation (GDPR) and other relevant frameworks.
This policy describes:
- The types of personal data we collect.
- How we use and share this data.
- Your rights as a user.
- The measures we take to ensure the security of your personal data.
At ClinInfo, we are committed to handling your data with transparency and integrity, in compliance with applicable laws and privacy regulations.
2. Data Collected and Purposes of Data Processing
Because ClinInfo is acting as a data processor, ClinInfo's clients determine the data collected by our applications in accordance with the provisions of the contract established between ClinInfo and our clients. The processed data may include information about authorized users, our clients' employees, and clinical trial patients, such as:
- Identification data: Name, surname, company, email address, phone number, postal address
- Health data: Health information, demographic data, or other information necessary for conducting the study
- Technical data: Data related to application usage, such as IP address, browser type, and browsing data
We provide online applications to our clients to help them manage certain aspects of their activities.
We process this data according to our clients' instructions and guidelines, without controlling or owning it. These instructions may include using or processing personal data for the following purposes:
- Providing secure access to our applications
- Collecting, processing, and storing clinical, medical, or operational data for planning and conducting medical projects and clinical studies
- Resolving technical issues related to the service and responding to support requests
- Complying with legal obligations
Any user can contact the project coordination team (see the "contact" section of the eCRF) for any questions or to obtain details about the collected data and its purposes within a specific project or study.
3. Data Sharing and Transfers
We do not share or disclose your personal data with third parties except under specific and controlled circumstances, in compliance with our contractual obligations:
- Third-party service providers: Only with our clients' approval and for the execution of services on our behalf, such as data hosting in a secure data center or sending phone messages
- Legal or regulatory authorities: When required by law or within the framework of legal proceedings
4. Notifications and Automated Messages
Please be aware that by using our services, you may receive emails or phone messages, particularly for two-factor authentication and/or project-related information from our client, such as invitations or reminders. These notifications will be sent at varying frequencies, subject to your prior consent obtained by our client or directly via our application.
Please also note that message and data rates may apply. If you need assistance, please contact the project team, whose contact details are available in the "contact" section of the eCRF.
For phone messages, reply HELP for help/support or STOP to cancel.
5. Data Retention
Your personal data is retained for the duration of the project as contractually determined by our clients. At the end of this period, and with the client's approval, the data will be deleted unless otherwise required by law.
6. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. These measures include:
- Data center certifications: ISO 27001 and HDS for our EU data center, SOC 1 and 2 (Type II) for our US data center
- Encryption: Data encryption in transit and at rest
- Strong user authentication
- Physical and logical security of data centers
- Regular data backups
- Continuous monitoring and 24/7 supervision by dedicated teams and automated tools
- Regular security audits of our applications by an external specialized company
7. Your Rights
As a data subject, you have the following rights:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can correct inaccurate or incomplete information
- Right to erasure: You can request the deletion of your personal data, except where processing is required by law
- Right to data portability: You can receive your data in a structured, machine-readable format
- Right to object: You can object to the processing of your data for direct marketing purposes
- Right to restriction of processing: You can request a temporary limitation of data processing under certain circumstances
To exercise your rights, requests must be addressed directly to our clients (see the “contact” section of the eCRF). We will assist our clients in responding to these requests.
8. Cookies
We use cookies to enhance your experience on our applications. These cookies only collect your language preference.
9. Policy Updates
We reserve the right to modify this data privacy policy to reflect legal, technological, or organizational changes. Any modifications will be reflected in this document and published on the relevant applications.
10. Contact
For any questions regarding a project using our applications, please contact the team responsible for the project. Their contact details are available in the "contact" section of the eCRF.
For any questions related to this policy, you can contact our Data Protection Officer at the following address:
dpo@clininfo.fr