Effective as of August 18, 2022.

This “Privacy Policy” describes the privacy practices of nPhase, Inc. (“nPhase”). This Privacy Policy describes how we collect, use, disclose and otherwise process personal information in connection with our websites, mobile apps, and other services, and explains the rights and choices available to individuals with respect to their information. For convenience, our website and mobile apps are collectively referred to as the “Sites,” and, together with our other services, collectively referred to as the “Services.” This Privacy Policy governs any of the Services on which the Privacy Policy is posted.

Individuals located in the European Union should be sure to read the important information provided below (EU-US Data Transfers).

Summary of Our Privacy Practices

  • The Types of Information We Collect About You: We collect information that you provide to us, such as your contact details, as well as information that is automatically collected by our Sites, such as your IP address and information collected by our use of Cookies.
  • Purposes of Processing Your Information: We process information about you in order to provide our Sites and Services; to communicate with you; to comply with law and prevent fraud; and for other reasons with your consent. We may also anonymize your data – which means the data can no longer be used to identify you – in order to perform analytics to learn how to better provide our Sites and Services.
  • Your Rights and Choices: Depending on your jurisdiction, you may have legal rights associated with our processing of your data, including rights to access, correct, delete, transfer, or object to the processing of your data. Regardless of where you live, we will honor your request to opt out of being contacted by us for marketing reasons.
  • How to Contact Us: nPhase is the Controller of your information when it is processed in the context of our Sites and Services. Our Data Protection Officer may be contacted by emailing: [email protected].

However, please note that nPhase’s customers are the Controllers of your data when it is processed in nPhase’s platform, applications, and related services. For example, if you are a patient in a clinical trial, or an investigator who logs into our applications, your Data Controller is the Sponsor of that trial and/or the participating healthcare provider.

nPhase’s Platform, Applications, and Customer Data

As part of nPhase’s platform, applications and related services, our customers’ employees and authorized users may enter information from or about their authorized users, employees, and clinical trial subjects (collectively, “Customer Data”), into their instances on our servers.

This Privacy Policy does not apply to Customer Data, and we are not responsible for our customers’ handling of Customer Data. nPhase has no control or ownership of Customer Data. Our customers have their own policies regarding the collection, use and disclosure of your personal information.

Please direct any questions regarding Customer Data to the customer for which you work, or who collected your information in an nPhase platform or application.

Our use of Customer Data is subject to the written agreement between nPhase and the customer. nPhase’s responsibility under that agreement is the obligation to keep Customer Data safe and secure.

To learn about how a particular customer handles your personal information, we encourage you to read that customer’s privacy statement or contact that customer.

Personal Information We Collect

We collect personal information about you in the following ways:

Information you give us.

Personal information that you may provide through the Services or otherwise communicate to us includes:

  • Personal and Business Contact information, such as your first name, last name, postal address, email address, telephone number, job title, and employer name.
  • Profile information, such as your username and password, industry, interests, and preferences.
  • Feedback and correspondence, such as information you provide in your responses to surveys, when you participate in market research activities, report a problem with the Sites, receive customer support or otherwise correspond with us.
  • Transaction information, such as details about any purchases you make through the Sites, event registrations you make through the Sites, and billing details.
  • Usage information, such as information about how you use the Sites and interact with us.
  • Marketing information, such as your preferences for receiving marketing communications and details about how you engage with them.

We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide to us through our Sites or Services.

 Information automatically collected

  • We may collect an IP address from visitors to our Sites. We use IP addresses to help diagnose problems with our server(s), to administer the Sites, and to monitor activities on and interactions with our Sites.
  • We may also automatically log information about you and your computer or mobile device when you access our Sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Sites. We collect this information about you using cookies. Please refer to the Cookies and Similar Technologies section for more details.

Changes to your personal information

It is important that the personal information we hold about you is accurate and current. Please let us know if your personal information changes during your relationship with us by updating your registration profile or emailing us at [email protected].

How We Use Your Personal Information

To provide our Services

If you have an nPhase account or use our Sites, we use your personal information to:

  • Operate, maintain, administer, and improve the Sites.
  • Manage and communicate with you regarding your nPhase account, if you have one, including by sending you service announcements, technical notices, updates, security alerts, and support and administrative messages.
  • Process and manage registrations you make through the Sites, including to track and administer trainings or events you have registered for and attended, and to subscribe you to our Developer Central community forum.
  • Provide support and maintenance for the Sites and our Services.
  • Respond to your service-related requests, questions, and feedback.
  • Personalize your experience on our Website.
  • Better understand your needs and interests, and personalize your experience with the Sites; and

To communicate with you

If you request information from us, register on the Sites, or participate in our surveys, promotions, or events, we may send you nPhase-related marketing communications as permitted by law. You will have the ability to opt out of such communications.

To comply with law

We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.

With your Consent

We may use or share your personal information with your consent, such as when you consent to let us post your testimonials or endorsements on our Sites, you instruct us to take a specific action with respect to your personal information, or you opt into marketing communications.

 To use de-identified & aggregated data for data analytics purposes

We may create de-identified/aggregated data from your personal information and that of other individuals whose personal information we collect. We make personal information into de-identified/aggregated data by excluding information that makes the data personally identifiable to you, so that it is no longer reasonably possible to ever use the data to identify you. We use this aggregated data for lawful business purposes, such as analyzing how you interact with our website, its content, and its functionalities to improve our website, services and its functionalities.

For compliance, fraud prevention and safety

We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our Services; (b) protect our rights, privacy, safety, or property, and/or that of you or others; and (c) protect, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity.

How We Share Your Personal Information

Except as described in this Privacy Policy, we do not share the personal information that you provide to us with other organizations. We disclose personal information to third parties under the following circumstances:

  • Affiliates. We may disclose your personal information to our corporate affiliates for purposes consistent with this Privacy Policy.
  • Service Providers. We may employ third party companies and individuals to administer and provide the Services on our behalf (such as training, customer support, hosting, email delivery and database management services). These third parties may use your information only as directed by nPhase and in a manner consistent with this Privacy Policy and are prohibited from using or disclosing your information for any other purpose.
  • Professional Advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.
  • Compliance with Laws and Law Enforcement; Protection and Safety. nPhase may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our Services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity;
  • Business Transfers. nPhase may sell, transfer or otherwise share some or all of its business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy, in which case we will make reasonable efforts to require the recipient to honor this Privacy Policy.

Marketing Communications

You may opt out of marketing-related emails by clicking on a link at the bottom of each such email, or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails.

Testimonials

If you gave us consent to post a testimonial on our Sites, but wish to update or delete it, please contact [email protected].

Choosing not to share your personal information

Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with the Services and may need to close your account. We will tell you what information you must provide to receive the Services by designating it as required in our Sites and Services or through other appropriate means.

Security

The security of your personal information is important to us. We take a number of organizational, technical, and physical measures designed to protect the personal information we collect, both during transmission and once we receive it. However, no security safeguards are 100% secure and we cannot guarantee the security of your information.

International Transfer

nPhase is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country, or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.

European Union users should read the important information provided below (EU-US Data Transfers) about transfer of personal information outside of the European Economic Area.

Other Sites And Services

This Site may contain links to other websites and services. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over third party websites or services and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.

User Generated Content

We may make available on our Sites, or link to, features that allow you to share information online (e.g., on message boards, in chat areas, in file uploads, through events, etc.). Please be aware that whenever you voluntarily disclose personal information online, that information becomes public and can be collected and used by others. We have no control over, and take no responsibility for, the use, storage, or dissemination of such publicly disclosed personal information. By posting personal information online in public forums, you may receive unsolicited messages from other parties.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We encourage you to periodically review this page for the latest information on our privacy practices. If we make material changes to this Privacy Policy, you will be notified via the contact information you have provided to us or another manner that we believe reasonably likely to reach you. This may include posting a specific announcement on our Sites.

Any modifications to this Privacy Policy will be effective upon our posting of the new terms and/or upon implementation of the new changes in the Service (or as otherwise indicated at the time of posting). In all cases, your continued use of the Sites and Services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

Contact Us

If you have any questions or concerns at all about our Privacy Policy, please feel free to email us at [email protected], or write to us at:

nPhase, Inc.

Attn: Data Privacy Officer

533 2nd Street, Suite 500

Encinitas, CA 92024

United States

Additional Information for European Union Users: Your Rights and Choices Under EU General Data Protection Regulations (GDPR)

Personal information

References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation – GDPR, effective May 2018.

Controller and Data Protection Officer

nPhase, Inc. is the data controller of your personal information for the purposes of European data protection legislation. Our Data Protection Officer can be reached at [email protected]. See the “Contact Us” section above for additional contact details.

Legal bases for processing

We only use your personal information as permitted by law:

  • To communicate with you
  • To provide our Services to you. Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services.
  • For compliance, fraud prevention and safety.
  • To create anonymous data for analytics

These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 

We are required to inform you of the legal bases of our processing of your personal information, which are described in the list below.

  • With your consent. Processing is based on your explicit consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated in the Service or by contacting us at [email protected].

Otherwise, the legal bases we rely on for processing data are:

  • We have Legitimate Interests, or
  • To Comply with the Law and processing is necessary to comply with our legal obligations, or

 

Legal basis we rely on: Legitimate interests
Purposes: To provide our services, to communicate with you, To enable you to use our services, to market our products and services to you via email marketing
Categories of personal data collected: Your contact details such as your name, business email, address, affiliated organisation

Legal basis we rely on: Legal Obligation
Purposes: nPhase may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our Services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity;
Categories of personal data collected: Your contact details

 

If you have questions about the legal basis of how we process your personal information, contact us at [email protected].

Use for new purposes

We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Information) for seven years after they cease being customers for financial and tax purposes.

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.

Your Rights

European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:

  • Opt-out. Stop sending you direct marketing communications. You may continue to receive service-related and other non-marketing emails.
  • Access. Provide you with information about our processing of your personal information and give you access to your personal information.
  • Correct. Update or correct inaccuracies in your personal information.
  • Delete. Delete your personal information.
  • Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal information.
  • Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.

You can submit these requests by email to [email protected] or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction.

Cross-Border Data Transfer

Whenever we transfer your personal information out of the EEA to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on one of the following safeguards recognized by the European Commission as providing adequate protection for personal information, where required by EU data protection legislation:

  • Contracts approved by the European Commission which impose data protection obligations on the parties to the transfer. For further details, see European Commission Model contracts for the transfer of personal information to third countries.
  • Explicit Consent (see below EU-US Data Transfers)

Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA.

EU-US Data Transfers

On 16 July 2020, the European Court of Justice (ECJ) struck down the Privacy Shield that secured unrestricted EU-US data flow on the grounds that personal data transferred to, and stored in, the US could not be guaranteed an adequate level of data protection as that under the GDPR.

Consequently, as personal data such as that collected on the REDCap Cloud website (www.redcapcloud.com), i.e. personal data necessary to respond to requests for a demo or a trial, is sent to the USA for processing, and as the USA does not currently have an EU adequacy agreement, in order for REDCap Cloud to process your request, we need your explicit consent to transfer the data in order to do so.

Accordingly, by agreeing to this Privacy Policy, you are providing your explicit consent for the particular data transfer to take place for the purpose(s) for which it was provided.

You should be aware of the possible risks of the data transfer to a country (USA) that the CJEU has determined does not currently provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.

However, you should also be aware that REDCap Cloud is currently certified as compliant with ISO / IEC 27001 (2013) the international standard for an ISMS (information security management system) which specifies the requirements for establishing, implementing, maintaining, and continually improving – a PIMS (privacy information management system). This is based on the requirements, control objectives and controls in ISO 27001, and extended by a set of privacy-specific requirements, control objectives and controls.

Access, Update, Correct or Delete Your Information

Under Article 15 of GDPR, an EU resident individual has the right to obtain from the Controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information.

For legitimate requests, we will provide the following information:

  • the purposes of the processing
  • the categories of personal data concerned
  • the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
  • if the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used)
  • the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
  • where the personal data was not collected directly from the individual, any available information as to its source

How To Make a Subject Access Request (SAR)?

A Subject Access Request (SAR) is a request for access to the personal information that nPhase holds about you, which we are required to provide under GDPR (unless an exemption applies). You can submit your access request electronically using the Subject Access Request Form which will be provided to you if you email [email protected].

What We Do When We Receive An Access Request

Identity Verification

Completed Subject Access Requests (SAR) are processed by the Compliance Office as soon as they are received, and a record of the Request is made.

We will use all reasonable measures to verify the identity of the individual making the access request and we will utilise the request information to ensure that we can verify your identity. Where we are unable to do so, we may contact you for further information, or ask you to provide some appropriate documentation to confirm your identity prior to actioning any request. This is to protect your information and rights.

If a third party, relative or representative is requesting the information on your behalf this can be handled and satisfied if it can be proven the agent submitting the request is authorised to do so.

Information Gathering

If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.

Information Provision

Once we have collated all the personal information held about you, we will send this to you in a concise, transparent, intelligible, and easily accessible format, using clear and plain language.

Response Timeframes & Fees

We aim to complete all access requests within 30 days and provide the information free of charge. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.

Whilst we provide the information requested without a fee, further copies requested by you may incur a charge to cover our administrative costs.

Your Other Rights

Under GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s). We will rectify any errors within 30 days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.

If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Supervisory Authority and to seek a judicial remedy.

In certain circumstances, you may also have the right to request the erasure of personal data or to restrict the processing of personal data where it concerns your personal information, as well as the right to object to such processing. You can use the contact details above to make such requests.

Exemptions and Refusals

GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your Subject Access Request or where the Company does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the request.

Where possible, we will provide you with the reasons for not acting and any possibility of lodging a complaint with the Supervisory Authority and your right to seek a judicial remedy. Details of how to contact the Supervisory Authority are laid out above.

How do we delete your data?

We may use the following methods to erase your data:

– Overwriting

– Deletion

– Reformatting

Submission & Lodging a Complaint

If you have any questions or if you are unsatisfied with our actions or wish to make an internal complaint, you can contact us at [email protected].

How to Lodge a Complaint with Supervisory Authorities

If you live in the EU or UK, you can submit a complaint to the competent Data Protection Authority in your country of residence. For example, if you reside in the UK, you can contact the UK Data Protection Authority by post at the ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline Number:  0303 123 1113
ICO Website:  https://www.ico.org.uk