Privacy Policy

1. WHAT INFORMATION DO WE COLLECT?

We collect different types of personal information from various sources, depending on your relationship with us. Appendix A provides a detailed summary of these data categories and their sources.

• Trial Participants: We collect Protected Health Information (PHI) and related personal data necessary to conduct clinical trials. This includes:

  • Identifiers: Name, address, email, phone number, government IDs.
  • Contact and Demographic Data: Age, date of birth, gender, race, ethnicity.
  • Health and Medical Information: Medical history, diagnoses, prescriptions, lab results, clinical assessments, biometrics, genetic and genomic data, data from health trackers, and medical images.
  • Payment/Insurance Information.
  • Sources: This information comes from participants themselves (via forms, surveys, interviews, wearable devices, mobile apps), healthcare providers, clinical labs, and connected medical devices.

• Site Staff: We collect information about clinical site personnel (e.g., study coordinators, nurses, administrative staff) to manage their involvement. This includes:

  • Identifiers: Name, email, work address, phone number.
  • Employment Details: Job title, department, credentials, certifications.
  • System Data: Login credentials and access logs for our platform.
  • Sources: This information comes from the staff members themselves (when registering on our platform), their employer or credentialing bodies, and automated systems (e.g., user activity logs).

• Investigators: We collect data on study investigators (principal investigators, sub-investigators). This includes:

  • Identifiers and Professional Details: Name, contact information, professional licenses, certificates, education and experience, CVs or resumes.
  • Sources: This information comes from the investigators themselves and their affiliated institutions.

• Visitors: This includes visitors to our websites or those seeking general information.

  • Voluntarily Provided Information: Contact details (name, email, organization) provided through contact forms or newsletter sign-ups.
  • Automatically Collected Information: Technical data such as IP addresses, browser type, cookies and similar tracking data, and pages viewed.
  • No sensitive health data is collected from general website visitors.

2. HOW DO WE PROCESS YOUR INFORMATION?

We use collected information for legitimate business purposes related to clinical research, compliance, and service improvement:

• To Operate and Manage Clinical Trials: We use participants’ PHI for Treatment, Payment, and Health Care Operations (TPO) as permitted by HIPAA. This includes enrolling participants, coordinating care, monitoring health status, collecting study data, analyzing results for safety and efficacy, and managing billing.
• For Scientific Research: To analyze trial data to evaluate the safety and efficacy of the treatment or device being studied. Data used for research is pseudonymized or de-identified whenever possible to protect your identity.
• To Manage User Accounts & Communication: We use identifiers and contact data to create and manage accounts for staff and investigators, verify identities, and communicate important information (e.g., appointment reminders, study notifications, system updates).
• To Improve Our Platform and Services: We use technical and usage data (including cookies and analytics) to understand how users interact with our website and applications. This helps us improve our services, troubleshoot issues, and customize the user experience.
• To Fulfill Regulatory and Legal Obligations: We use personal data to comply with laws and regulations governing clinical trials, such as reporting to the U.S. Food and Drug Administration (FDA), the European Medicines Agency (EMA), Institutional Review Boards (IRBs), and other global regulatory bodies.
• For Safety, Security, and Fraud Prevention: We analyze collected information to protect our Services, ensure the integrity of clinical trial data, detect and prevent fraud or improper access, and enforce our policies.
• For Aggregated or De-identified Use: We may use or share aggregated or de-identified data (from which personal identifiers have been removed). Such data cannot reasonably identify you, is not subject to most privacy regulations, and is used for research, analytics, and service improvement.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Your trust is paramount. We do not sell or rent your personal information. We only share personal data in the following specific situations and with the following parties under strict confidentiality agreements:

• Clinical Trial Sponsors & Partners: We share information with the sponsor of the clinical trial you are participating in, as necessary for them to conduct the research and seek regulatory approval.
• Contract Research Organizations (CROs): We may share data with CROs who help us manage trial operations.
• Healthcare Providers and Regulators: For trial participants, we share PHI with your healthcare providers, Institutional Review Boards (IRBs), safety monitoring boards, and government agencies (e.g., FDA, EMA) as required for treatment and regulatory compliance.
• Service Providers: We use third-party companies for services like secure cloud hosting, data analysis, and security. We require these service providers to enter into contracts (or Business Associate Agreements under HIPAA) that include strict confidentiality obligations and require appropriate safeguards. A list of vendor categories is available in Appendix C.
• Within the DecenTrialz Organization: Authorized DecenTrialz employees may access personal data as needed to perform their roles (e.g., clinical staff, IT, compliance). Access is restricted by role.
• Legal Requirements: We may disclose information in response to legal requests (e.g., court orders, subpoenas) or as otherwise required by law.
• De-identified Data for Research: We may share de-identified or aggregated data with the broader scientific community for research purposes.
• Business Transfers: In the event of a merger or acquisition of our company, your information may be transferred to the new owner under the same privacy commitments.

5. DATA SECURITY AND INTERNAL SAFEGUARDS

We have implemented a comprehensive information security program with robust administrative, technical, and physical safeguards designed to protect the security of any personal information we process, as required by HIPAA and industry best practices. These include:

• Access Controls and Authentication: We enforce role-based access control (RBAC) so that only authorized personnel can access PHI on a need-to-know basis. We use unique user credentials and multi-factor authentication where appropriate and regularly review access rights to ensure "least privilege" enforcement.
• Audit Logging and Monitoring: All systems containing PHI record detailed audit logs. We monitor and review these logs to detect unauthorized access or anomalies, as required by HIPAA.
• Encryption: Data is encrypted both at rest (e.g., using AES-256) and in transit (e.g., using TLS 1.2+). We follow NIST guidelines for encryption to render electronic PHI unusable to unauthorized users.
• Secure Software Development: Our development lifecycle includes security testing, code reviews, vulnerability scans, and penetration tests. We align with security frameworks like ISO 27001.
• Data Minimization: We only collect and process data that is necessary for each purpose, consistent with HIPAA’s minimum necessary principle.
• Physical Security: Physical facilities and servers are secured with industry-standard controls. Paper records are kept in locked, secure locations and are securely destroyed when no longer needed, following HHS guidance.
• Employee Training and Policies: All employees and contractors undergo regular privacy and security training. We maintain written policies, an incident response plan, and enforce sanctions for policy violations.
• Certifications and Audits: We maintain appropriate certifications (e.g., ISO 27001) and undergo third-party audits and annual risk assessments to demonstrate compliance.

6. HOW LONG DO WE KEEP YOUR INFORMATION? (DATA RETENTION & DELETION)

We retain personal data only for as long as necessary for the purposes set out in this policy and to comply with our legal and regulatory obligations.

• Clinical and Medical Records: Data related to clinical trials is subject to strict regulatory retention requirements. We are legally obligated to retain this data for a long period, which can be 15 to 25 years or more after a trial is completed, depending on the jurisdiction.
• Administrative Records: HIPAA-related compliance documentation (e.g., policies, training records, audit logs) is retained for a minimum of 6 years from its creation date or last effective date.
• Staff and Investigator Data: This data is retained for the duration of the professional association and as required by employment or contractual obligations, after which it is securely deleted or anonymized.
• Website and Analytics Data: Web logs and analytics data are periodically purged or overwritten. Cookie lifetimes vary and are detailed in Appendix B.

When data is no longer needed, we dispose of it using secure methods (e.g., shredding, degaussing, secure erase) to prevent its reconstruction.

7. DO WE COLLECT INFORMATION FROM MINORS? (CHILDREN'S PRIVACY)

Our services are not targeted at children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). Clinical trials may sometimes include participants under 18. In such cases, we will obtain explicit, informed consent from the parent or legal guardian in accordance with applicable laws and trial protocols before collecting any personal information.

Parents have the right to review their child’s personal information, refuse further collection, and request that any collected information be deleted. To exercise these rights, please contact our Privacy Officer.

8. WHAT ARE YOUR PRIVACY RIGHTS?

You have rights regarding your personal information that vary by location. To exercise any of these rights, please contact us at privacy@decentrialz.com, and we will handle your request in accordance with applicable laws.

A. Your Rights Under HIPAA (For U.S. Trial Participants)

If you are a trial participant in the U.S., your health information is likely "Protected Health Information" (PHI) under HIPAA. You have the following rights:

• Right of Access: To inspect and obtain a copy of your PHI. We will respond within 30 days.
• Right to Amend: To request a correction or amendment to your PHI if you believe it is incorrect or incomplete.
• Right to an Accounting of Disclosures: To request a list of certain disclosures of your PHI we have made in the past six years.
• Right to Restrict: To request restrictions on how we use or disclose your PHI.
• Right to Confidential Communications: To request that we communicate with you by alternative means or at alternative locations.
• Right to a Copy of this Notice: To receive a paper copy of this Privacy Policy upon request.

B. Your Rights Under State Laws (e.g., California's CCPA/CPRA)

Residents of certain U.S. states have additional rights. Information subject to HIPAA is often exempt, but to the extent your data is not covered by HIPAA, you may have the following rights:

• Right to Know (Access): To request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: To request the deletion of your personal information (subject to legal and regulatory exceptions).
• Right to Correct: To request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not "sell" your personal information or "share" it for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: To request that we limit the use of your sensitive personal information to what is necessary for the Services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, submit a verifiable request to privacy@decentrialz.com. We will respond within 45 days.

C. Your Rights Under GDPR (For EEA, UK, and Swiss Residents)

• Right to Access, Rectify, Erase, Restrict, and Portability: To request access to your personal data and information about how we process it.
• Right to Withdraw Consent: You can withdraw consent at any time for data processing based on your permission.
• Right to Lodge a Complaint: You can lodge a complaint with your local data protection authority if you feel your concerns have not been adequately addressed.

9. BREACH NOTIFICATION PLAN

We maintain a formal breach response plan. In the unlikely event of a data breach involving unsecured PHI or other personal data, we will act promptly to comply with all applicable notification laws.

• HIPAA Breaches: If a breach involves unsecured PHI, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery. We will also notify the HHS Office for Civil Rights (OCR) and, if applicable, prominent media outlets, in accordance with HIPAA's Breach Notification Rule.
• State Law Breaches: We will comply with all applicable state breach notification laws, notifying affected individuals and state attorneys general as required.
• Notification Content: All breach notices will include a description of the incident, the types of data involved, recommended steps individuals can take to protect themselves, and our contact information.

10. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

Yes, we use cookies and similar tracking technologies to help our website and platform function, for analytics, and to improve your experience. We use different types of cookies, including essential, performance/analytics, functional, and marketing cookies. For detailed information on the specific cookies we use, their purpose, and their retention periods, please see our Cookie Matrix in Appendix B. You can manage or delete cookies through your browser settings. Cookie Notice.

11. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this policy as necessary to stay compliant with relevant laws and to reflect any changes in our practices. The "Last Updated" date at the top of this policy will indicate the latest version. For significant changes, we will provide a more prominent notice.

12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this policy, or if you wish to exercise your privacy rights, you may contact our Data Protection Officer by email or post:

• Email: privacy@decentrialz.com
• Contact Person: Data Protection Officer

APPENDIX A. DATA CATEGORIES TABLE