Privacy Policy
1. Introduction & Scope
Welcome to Clinivance EDC, an electronic data capture platform (the “Service”) offered by Clinivance Inc. (“Clinivance,” “we,” “us,” or “our”). Clinivance is incorporated and operates under the laws of Quebec, Canada.
This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our Service. It applies to:
- Researcher Data: Personal information we collect from researchers (“Researchers,” “you,” “your”) when you sign up for, use, or interact with our Service or website.
- Participant Data: Data related to research participants (“Participants”) that Researchers enter into the Service (“Participant Data” or “Study Data”). Clinivance acts as a data processor for Participant Data on behalf of and under the direction of the Researcher, who is the data controller (“Data Controller”).
- Technical Data: Information collected automatically when you use our Service.
2. Information We Collect
2.1. Researcher Data (Information You Provide to Us)
- What we collect:
  - Name
  - Email address
  - Institutional affiliation
  - Payment information
- How we collect it: Via online forms when you register for an account, update your profile, or make payments.
- Purpose of use:
  - To create and manage your account.
  - To provide, operate, and maintain the Service.
  - For billing and payment processing.
  - To provide technical support and customer service.
  - To send you service-related communications, including updates, security alerts, and administrative messages.
  - To comply with legal obligations.
2.2. Participant Data (Information Researchers Enter into the Service)
- Clinivance’s Role: Clinivance does not own, control, or make decisions about Participant Data. We process Participant Data strictly as necessary to provide the Service to Researchers and store it securely on their behalf. We do not see, access, use, share, or otherwise process identifiable Participant Data for any purpose other than making the Service available to authorized Researchers of a specific study, and for essential operational functions like storage, backup, and security.
- Types of Data Researchers May Enter: Researchers may enter various types of data, including but not limited to demographic information, clinical research data, and genomic data, as determined by their research protocols and ethics approvals.
- De-identification/Pseudonymization: The responsibility for de-identifying or pseudonymizing Participant Data before or upon entry into the Service rests solely with the Researcher, in accordance with their ethical and regulatory obligations. The Service does not currently offer built-in, mandatory de-identification features prior to storage.
- Our Commitment: We do not use Participant Data for any purpose other than providing and maintaining the Service as directed by the Researcher.
2.3. Automatically Collected Technical Data
- What we collect: When you use our Service or visit our website, we may automatically collect technical information such as:
  - IP addresses
  - Browser type and version
  - Operating system
  - Access times and dates
  - Pages viewed
  - Device identifiers (where applicable)
  - Crash reports (if any)
  - Login attempts (for audit trails)
- Purpose of use:
  - To monitor and enhance the security of our Service.
  - To improve service performance, stability, and functionality.
  - For debugging and troubleshooting.
  - To maintain audit logs for security and compliance purposes.
3. Data Sharing and Disclosure
3.1. Participant Data
- Participant Data entered into a specific study within the Service is accessible only to Researchers and other users who have been explicitly authorized by the lead Researcher(s) for that study.
- Clinivance will not disclose Participant Data to any third party, except as strictly necessary for providing the hosting and storage infrastructure or as required by law.
4. Data Security
Clinivance is committed to protecting the security of all data hosted on the Service. We implement and maintain appropriate technical and organizational security measures designed to protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:
- Encryption: Participant Data and sensitive Researcher Data are encrypted at rest using industry-standard algorithms (e.g., AES-256). Data is also encrypted in transit using TLS/SSL.
- Access Controls: We implement strict access controls to ensure that Researchers only have access to the data relevant to their specific studies.
- Authentication: Secure authentication mechanisms, such as JSON Web Tokens (JWTs) derived from robust credentialing processes, are used to verify user identities and authorize access to the Service.
- Audit Logs: We maintain detailed audit logs of system access, administrative actions, and data access events for security monitoring and forensic purposes.
- Data Segregation: We implement logical data segregation within our multi-tenant architecture, ensuring that data from one research study is isolated and accessible only to authorized users of that specific study through robust permission systems.
- Security Assessments: We conduct regular internal security reviews and may engage in periodic vulnerability assessments to identify and address potential security weaknesses.
- Data Backup and Recovery: We maintain regular data backups and have disaster recovery procedures in place to ensure data availability and integrity.
- Infrastructure: Our Service is hosted on Amazon Web Services (AWS), which provides a secure and resilient infrastructure with its own comprehensive security measures.
5. Data Breach Notification
In the event of a data breach that affects Researcher Data or Participant Data stored on the Service, Clinivance will:
- Promptly investigate the incident.
- Notify affected Researchers without undue delay after becoming aware of a breach.
6. Data Retention and Deletion
6.1. Researcher Data
- We retain Researcher Data for as long as your account is active or as needed to provide you with the Service.
- Upon closure of your account or termination of your contract, we will delete your Researcher Data within thirty (30) days, unless retention is required for legal or legitimate business purposes (e.g., financial records, audit trails).
6.2. Participant Data
- The retention period for Participant Data is primarily determined by the Researcher, in line with their research protocols, ethics approvals, and regulatory requirements.
- Researchers can delete Participant Data from their studies within the Service at any time.
- Upon the closure of a Researcher’s account or termination of their contract, all Participant Data associated with that account and its studies will be permanently deleted from our active systems within thirty (30) days. Backups may be retained for a limited, additional period according to our backup cycle, after which they will also be deleted.
- Data Export: Researchers can export their study data from the Service at any time in standard formats such as CSV (Comma Separated Values) or other supported formats.
7. Participant Rights (regarding Participant Data)
Clinivance acts as a data processor for Participant Data on behalf of Researchers. Therefore, research participants who wish to exercise their rights regarding their data (e.g., access, correction, deletion) should direct their requests to the Researcher or institution conducting the study (the Data Controller). Clinivance will assist Researchers in responding to such requests as appropriate and as instructed by the Researcher.
8. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by email (sent to the email address specified in your account) or by means of a notice on our Service prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.