Effective as of January 4, 2021.
Individuals located in the European Union should be sure to read the important information provided below (EU-U.S Data Transfers).
SUMMARY OF OUR PRIVACY PRACTICES
- Purposes of Processing Your Information: We process information about you in order to provide our Sites and Services; to communicate with you; to comply with law and prevent fraud; and for other reasons with your consent. We may also anonymize your data – which means the data can no longer be used to identify you – in order to perform analytics to learn how to better provide our Sites and Services.
- Your Rights and Choices: Depending on your jurisdiction, you may have legal rights associated with our processing of your data, including rights to access, correct, delete, transfer, or object to the processing of your data. Regardless of where you live, we will honor your request to opt out of being contacted by us for marketing reasons.
- How to Contact Us: nPhase is the Controller of your information when it is processed in the context of our Sites and Services. Our Data Protection Officer may be contacted by emailing: [email protected]
However, please note that nPhase’s customers are the Controllers of your data when it is processed in nPhase’s platform, applications, and related services. For example, if you are a patient in a clinical trial, or an investigator who logs into our applications, your Data Controller is the Sponsor of that trial and/or the participating healthcare provider.
nPHASE’S PLATFORM, APPLICATIONS, AND CUSTOMER DATA
As part of nPhase’s platform, applications and related services, our customer’s employees and authorized users may enter information from or about their authorized users, employees, and clinical trial subjects (collectively, “Customer Data”), into their instances on our servers.
Our use of Customer Data is subject to the written agreement between nPhase and the customer. nPhase’s responsibility under that agreement is the obligation to keep Customer Data safe and secure.
To learn about how a particular customer handles your personal information, we encourage you to read that customer’s privacy statement or contact that customer.
nPhase has no control or ownership of Customer Data. Please direct any questions regarding Customer Data to the customer for which you work, or who collected your information in an nPhase platform or application.
PERSONAL INFORMATION WE COLLECT
We collect personal information about you in the following ways:
- Information you give us. Personal information that you may provide through the Services or otherwise communicate with us includes:
- Personal and Business Contact information, such as your first name, last name, postal address, email address, telephone number, job title, and employer name.
- Profile information, such as your username and password, industry, interests, and preferences.
- Feedback and correspondence, such as information you provide in your responses to surveys, when you participate in market research activities, report a problem with the Sites, receive customer support or otherwise correspond with us.
- Transaction information, such as details about any purchases you make through the Sites, event registrations you make through the Sites, and billing details.
- Usage information, such as information about how you use the Sites and interact with us.
- Marketing information, such as your preferences for receiving marketing communications and details about how you engage with them.
We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide to us through our Sites or Services.
Information automatically collected
We may collect an IP address from visitors to our Sites. We use IP addresses to help diagnose problems with our server(s), to administer the Sites, and to monitor activities on and interactions with our Sites.
We may also automatically log information about you and your computer or mobile device when you access our Sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Sites. We collect this information about you using cookies. Please refer to the Cookies and Similar Technologies section for more details.
Changes to your personal information
It is important that the personal information we hold about you is accurate and current. Please let us know if your personal information changes during your relationship with us by updating your registration profile or emailing us at [email protected].
HOW WE USE YOUR PERSONAL INFORMATION
To provide our Services
If you have an nPhase account or use our Sites, we use your personal information to:
- Operate, maintain, administer, and improve the Sites.
- Manage and communicate with you regarding your nPhase account, if you have one, including by sending you service announcements, technical notices, updates, security alerts, and support and administrative messages.
- Process and manage registrations you make through the Sites, including to track and administer trainings or events you have registered for and attended, and to subscribe you to our Developer Central community forum.
- Better understand your needs and interests, and personalize your experience with the Sites.
- Provide support and maintenance for the Sites and our Services.
- Respond to your service-related requests, questions, and feedback.
To communicate with you
If you request information from us, register on the Sites, or participate in our surveys, promotions, or events, we may send you nPhase-related marketing communications as permitted by law. You will have the ability to opt out of such communications.
To comply with law
We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
With your consent
We may use or share your personal information with your consent, such as when you consent to let us post your testimonials or endorsements on our Sites, you instruct us to take a specific action with respect to your personal information, or you opt into marketing communications.
To create anonymous data for analytics
We may create anonymous data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous data by excluding information that makes the data personally identifiable to you, so that it is no longer reasonably possible to ever use the data to identify you. We use this anonymized data for lawful business purposes, such as improving our Sites and Services.
For compliance, fraud prevention and safety
We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our Services;
(b) protect our rights, privacy, safety, or property, and/or that of you or others; and
(c) protect, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity.
HOW WE SHARE YOUR PERSONAL INFORMATION
- Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.
- Compliance with Laws and Law Enforcement; Protection and Safety. nPhase may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our Services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity;
You may opt out of marketing-related emails by clicking on a link at the bottom of each such email, or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails.
If you gave us consent to post a testimonial on our Sites, but wish to update or delete it, please contact [email protected].
Choosing not to share your personal information
Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with the Services and may need to close your account. We will tell you what information you must provide to receive the Services by designating it as required in our Sites and Services or through other appropriate means.
The security of your personal information is important to us. We take a number of organizational, technical, and physical measures designed to protect the personal information we collect, both during transmission and once we receive it. However, no security safeguards are 100% secure and we cannot guarantee the security of your information.
nPhase is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.
European Union users should read the important information provided below (EU-U.S Data Transfers) about transfer of personal information outside of the European Economic Area.
OTHER SITES AND SERVICES
This Site may contain links to other websites and services. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over third party websites or services and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.
USER GENERATED CONTENT
We may make available on our Sites, or link to, features that allow you to share information online (e.g., on message boards, in chat areas, in file uploads, through events, etc.). Please be aware that whenever you voluntarily disclose personal information online, that information becomes public and can be collected and used by others. We have no control over, and take no responsibility for, the use, storage, or dissemination of such publicly disclosed personal information. By posting personal information online in public forums, you may receive unsolicited messages from other parties.
Attn: Data Privacy Officer
533 2nd Street, Suite 500
Encinitas, CA 92024
ADDITIONAL INFORMATION FOR EUROPEAN UNION USERS YOUR RIGHTS and CHOICES UNDER EU GENERAL DATA PROTECTION REGULATIONS (GDPR)
Controller and Data Protection Officer
nPhase, Inc. is the data controller of your personal information for the purposes of European data protection legislation. Our Data Protection Officer can be reached at [email protected]. See the “Contact Us” section above for additional contact details.
Legal bases for processing
We only use your personal information as permitted by law. We are required to inform you of the legal bases of our processing of your personal information, which are described in the list below. If you have questions about the legal basis of how we process your personal information, contact us at [email protected].
- To provide the Services. Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services.
- To communicate with you; To create anonymous data for analytics; and for compliance, fraud prevention and safety. These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- To comply with law. Processing is necessary to comply with our legal obligations.
- With your consent. Processing is based on your explicit consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated in the Service or by contacting us at [email protected].
Use for new purposes
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Information) for seven years after they cease being customers for financial and tax purposes.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.
European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:
- Opt-out. Stop sending you direct marketing communications. You may continue to receive service-related and other non-marketing emails.
- Access. Provide you with information about our processing of your personal information and give you access to your personal information.
- Correct. Update or correct inaccuracies in your personal information.
- Delete. Delete your personal information.
- Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
- Restrict. Restrict the processing of your personal information.
- Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
You can submit these requests by email to [email protected] or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction.
Cross-Border Data Transfer
Whenever we transfer your personal information out of the EEA to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on one of the following safeguards recognized by the European Commission as providing adequate protection for personal information, where required by EU data protection legislation:
- Contracts approved by the European Commission which impose data protection obligations on the parties to the transfer. For further details, see European Commission Model contracts for the transfer of personal information to third countries.
- For transfers to third parties in the United States, ensuring they participate in the EU-US Privacy Shield Framework.
- Explicit Consent (see below EU-US Data Transfers)
Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA.
EU-U.S. Privacy Shield and Swiss-US Privacy Shield
In compliance with the US-EU and Swiss-US Privacy Shield Principles, nPhase commits to resolve complaints about our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact nPhase at: [email protected].
nPhase has selected a third party to serve as its independent recourse mechanism (IRM) for dispute resolution arising from certain transfers or processing of Personal Information (non-HR data) under Privacy Shield. nPhase has further committed to refer unresolved Privacy Shield complaints under the EU-US and Swiss-US Privacy Shield Principles to the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the CBBB at https://bbbprograms.org/privacy-shield-complaints/ for more information or to file a complaint. The services of CBBB are provided at no cost to you. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
EU-US Data Transfers
On 16 July 2020, the European Court of Justice (ECJ) struck down the Privacy Shield that secured unrestricted EU-US data flow on the grounds that personal data transferred to, and stored in, the US could not be guaranteed an adequate level of data protection as that under the GDPR.
Consequently, as personal data such as that collected on the REDCap Cloud website (www.redcapcloud.com) i.e. personal data necessary to respond to requests for a demo or a trial is sent to the USA for processing, and as the USA does not now currently have an EU adequacy agreement, in order for REDCap Cloud to process your request, we need your explicit consent to transfer the data in order to do so.
You should be aware as to the possible risks of the data transfer to a country (USA) that CJEU has determined does not currently provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.
However, you should also be aware that REDCap Cloud is currently certified as compliant with ISO / IEC 27001 (2013) the international standard for an ISMS (information security management system) which specifies the requirements for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system). This is based on the requirements, control objectives and controls in ISO 27001, and extended by a set of privacy-specific requirements, control objectives and controls.
Access, Update, Correct or Delete Your Information
Under Article 15 of GDPR, an EU resident individual has the right to obtain from the Controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information.
For legitimate requests, we will provide the following information:
- the purposes of the processing
- the categories of personal data concerned
- the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
- If the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used)
- the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
- where the personal data was not collected directly from the individual, any available information as to its source
How To Make a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a request for access to the personal information that nPhase holds about you, which we are required to provide under GDPR (unless an exemption applies). You can submit your access request electronically using the Subject Access Request Form (link here).
What We Do When We Receive An Access Request
Subject Access Requests (SAR) are passed to the Compliance Office as soon as they are received, and a record of the request is made. We will use all reasonable measures to verify the identity of the individual making the access request and we will utilise the request information to ensure that we can verify your identity. Where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning any request.
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held about you, we will send this to you in a concise, transparent, intelligible, and easily accessible format, using clear and plain language.
Response Timeframes & Fees
We aim to complete all access requests within 30-days and provide the information free of charge. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.
Whilst we provide the information requested without a fee, further copies requested by you may incur a charge to cover our administrative costs.
Your Other Rights
Under GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s). We will rectify any errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Supervisory Authority and to seek a judicial remedy.
In certain circumstances, you may also have the right to request the erasure of personal data or to restrict the processing of personal data where it concerns your personal information, as well as the right to object to such processing. You can use the contact details above (CONTACT US) to make such requests.
Exemptions and Refusals
GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your Subject Access Request or where the Company does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the request.
Where possible, we will provide you with the reasons for not acting and any possibility of lodging a complaint with the Supervisory Authority and your right to seek a judicial remedy. Details of how to contact the Supervisory Authority are laid out above.
Submission & Lodging a Complaint
If you have any questions or if you are unsatisfied with our actions or wish to make an internal complaint, you can contact us at [email protected].