Last Updated Date: November 20, 2023
II. WHAT WE MEAN BY “PERSONAL INFORMATION”
(1) Information You Provide to Us
When you use the Site or otherwise communicate or interact with us through the Services, we collect information that you provide to us directly. For example, we collect information in the following circumstances: when you contact us; when you register for and engage with our Services; and when you otherwise communicate with us. Occasionally, you may choose whether or not to provide or disclose Personal Information in connection with your use of the Services. If you choose not to provide the Personal Information we request, you may still visit and use parts of the Site, but may be unable to access or use certain features, options, programs, and services of the Site. In addition, as we need certain Personal Information for the performance of the Services, the consequence of not providing such information might be that the Services cannot be provided as requested.
The Personal Information you provide to us may include the following:
- Information you provide via email, through our ‘Contact’ section, or using contact details listed on various parts of the Site, including your name, e-mail, phone number, and any other information you decide to provide;
- In connection with the Services, information you provide in order to sign up for clinical trial matching, including your name, age, e-mail address, health conditions relevant to the clinical trial opportunities, or any other information you decide to provide to us in connection with the Services;
- If you are one of our customers, suppliers, or prospects, or interested in serving as an investigator of a clinical trial, we may collect or process limited Personal Information in the course of our business relations with you. For example, when you engage us for our Services, sign up for a webcast, request a demo, or the like. Such Personal Information may include your name, company, title, order details, and business contact details (e-mail address, telephone number, address); and
- We may also collect any other information you may want to share with us. Moreover, if you contact us, a record of such correspondence may be kept.
A subset of personal information we may collect “sensitive personal information,” as defined by applicable law, and includes health conditions and other medical record information relevant to the clinical trial opportunities. The business or commercial purpose for which it is collected is for our operational purposes and performing services you request. When applicable, we will obtain your consent or authorization before accessing such information, in accordance with applicable law.
In addition, where you decide to participate in a clinical trial, then any information you provide as a participant in that trial is subject to the informed consent form that you complete.
(2) Information Collected Automatically
- Log Files On the Site. The information inside the log files includes internet protocol (“IP”) addresses, type of browser, Internet Service Provider (“ISP”), date/time stamp, referring/exit pages, clicked pages and other information your browser may send to us about your use of the Site.
|Type of Cookies||Description||Managing Settings|
|Targeting or Advertising cookies|
- Analytics. The Site also uses Google Analytics. By using cookies, Google Analytics collects and stores data such as time of visit, pages visited, time spent on each page of the Site, the IP address, and the type of operating system used in the devices used to access the Site. By using a browser plugin available at http://www.google.com/ads/preferences/plugin/ provided by Google, you can opt out of Google Analytics.
(3) Do-Not-Track Signals
Some browsers have a “Do-Not-Track” feature that lets you tell websites that you do not want to have your online activities tracked. When you choose to turn on the Do-Not-Track setting in your browser, your browser sends a signal to websites, analytics companies, ad networks, plug-in providers, and other web services that you may encounter while browsing the Internet, instructing them to stop tracking your activity via cookies or other online tracking technologies. While we continue to evaluate this evolving technology to implement such capabilities, the Site does not currently respond to browser based Do-Not-Track signals. For information regarding Do-Not-Track and how to enable this setting if available on your devices, please see https://allaboutdnt.com.
(4) Information Received from Third Parties
We may also obtain data from third-party sources such as a registrant’s authorized representative or guardian, our customers or vendors such as data providers.
(1) General Uses
We may use Personal Information obtained through the Services in the following ways:
- To provide the Services;
- To provide, analyze, administer, develop, and improve the Site or our Services;
- To contact you in connection with the Site, our Services, and notifications, services, programs or offerings for which you may have registered;
- To send you updates and promotional materials for which you have registered;
- To assess whether a clinical trial is suited for you, to contact you when a potential clinical trial is identified, and to bring you in contact with principal investigators, clinical research sites or clinical trial service providers, using solely for these purposes the health information that is provided to us based on your consent;
- To contact you regarding other treatment options, refer you to other trial sites and other related purposes;
- To identify and authenticate your access to the parts of the Site and Services that you are authorized to access;
- For our legitimate interests of documenting and managing our internal administration;
- To protect the rights and/or our property and to ensure the technical functionality and security of the Site or Services; and
- To comply with applicable laws and for our legitimate purposes of protecting our legal rights, in connection with legal claims or enforcement of contracts, and for compliance, regulatory, and investigative purposes. This may include sharing the Personal Information with third parties, such as governmental authorities or law enforcement officials, subject to applicable law.
(2) Registered Users
If you register for our Services, SubjectWell uses algorithms that enforce criteria to select the clinical trial most suitable to you, which is the service that you (as the data subject) request from SubjectWell. The decision on the clinical trial matching is therefore necessary for the performance of the contract between you and SubjectWell. Furthermore, our patient recruitment marketplace is voluntary and when you choose to participate and disclose your information to us, you also provide your explicit consent, which is freely given and can be withdrawn at any time by contacting us through the contact details further below.
The logic that is used for the decision-making is created by SubjectWell employees reviewing study protocols that define inclusion/exclusion criteria for study eligibility. The SubjectWell systems then enforce these criteria based on the responses collected during the phone screening process. The most important consequences of the automated decisions in question is that you will or will not have the opportunity to participate in a clinical trial.
In order to safeguard your rights and freedoms and legitimate interests, you have the right to obtain human intervention on the part of SubjectWell, to express your point of view and to contest the decision.
Also note that we only provide clinical trial participant recruitment services and are not involved in clinical trials or informed about the results. Therefore, SubjectWell does not determine the purposes or means of the further processing of your Personal Information, including your health information, by principal investigators, clinical research sites or clinical trial service providers once you are brought in contact with them.
We may disclose Personal Information you provide to us or that we collect automatically on the Site or in and through the Services with the following categories of third parties:
- Service providers, such as data storage service providers, marketing service providers, and communications service providers that help us operate our business or provide services on our behalf;
- If you would like to participate in a clinical trial and there are matching clinical trials, we may share Personal Information about you with principal investigators, clinical research sites, and clinical trial service providers that are relevant to you;
- If you are matched to a clinical trial, your Personal Information may be de-identified/pseudonymized/ anonymized and shared with sponsors of the potentially matching clinical studies.
- Public authorities, such as law enforcement, if we are legally required to do so or if we need to for national security or to protect our rights or the rights of third parties;
- Our subsidiaries and affiliates for our business operations; and
VI. COMMUNICATION PREFERENCES
Once you register for our Services, if you have opted in to certain communications, you may be contacted at the phone number you provide including wireless number (if provided), by a representative of SubjectWell or its database administrator. You may opt out of these calls or texts at any time by sending an email to firstname.lastname@example.org or by calling (844) 612-6317. If you would like to stop receiving text messages, you may text STOP in reply to any messages that you receive.
With your consent (unless otherwise permitted by applicable law) we use the Personal Information you provide us to send you information on our products and Services and other information based on the interests that you have indicated to us. You have the right to opt out of getting those messages. If you do not wish to receive these messages, click the unsubscribe link in your email. Please note that these selections are not permanent; they may be changed in the event you register for other Services or communications and consent to receive marketing messages. Please also note that even if you unsubscribe from commercial email messages, we may still email you non-marketing emails related to your account or the Services for which you have registered. You may also email us at email@example.com for assistance.
VII. THIRD-PARTY PRACTICES
VIII. NOTICE TO CALIFORNIA RESIDENTS
(1) How We Collect and Use Personal Information
In accordance with the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), this section describes the Personal Information we collected about California residents in the last 12 months, the sources of that information, our business or commercial purposes for collecting the information, and the third parties with whom we shared that information.
We collected the information listed in the table below from the following sources: directly from you, your authorized personal representative, or from third parties (such as medical providers or other entities you have authorized to share your Personal Information with us).
In some cases, we may share your information with our service providers or contractors that help us operate our business such as data storage or IT providers. We may also share your information with third parties, such as when required by law, to provide information or services you request, and pursuant to you consent or authorization.
The categories of third parties with whom we may share your Personal Information for business purposes include: law enforcement or other governmental authorities or agencies, and clinical trial investigators and sites when applicable to your engagement with our services.
In the last 12 months, we have collected and, disclosed for a business purpose each of the categories of Personal Information noted in the table below, to the categories of recipients listed. We do not share your personal information for cross-context behavioral advertising or sell your personal information for monetary or other consideration and have not done so in the last 12 months.
|Category of Personal Information||Categories of Recipients to Whom Personal Information Is Disclosed for Business Purposes|
|Identifiers, such as name, email address and other information.||Service providers and contractors, law enforcement, governmental authorities or agencies, clinical trial investigators and sites or their staff and agents|
|California Customer Records (Cal. Civ. Code § 1798.80(e)), such as birthdate and Payment Information.||Service providers and contractors, law enforcement, governmental authorities or agencies, clinical trial investigators and sites or their staff and agents|
|Protected Classification Characteristics, such as age, ethnicity and gender.||Service providers and contractors, law enforcement, governmental authorities or agencies, clinical trial investigators and sites or their staff and agents|
|Commercial Information, such as Shopping History and other information relating to your hobbies, interests and shopping behavior.|
|Biometric Information, such as behavioral characteristics used to identify you; imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier such as a faceprint can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health or other exercise data that contains identifying information.|
|Internet/Network Information, such as IP address, Device Information, and Log and Analytics Data.|
|Geolocation Data, such as Location Information from your device or estimated based on your IP address.|
|Sensory Information, such as audio, electric, visual, thermal, olfactory, call recordings, or similar information.|
|Other Personal Information, such as information you post on our Platform or on social media pages, and information you submit to us.|
|Inferences, such as predictions about your interests and preferences.|
|Sensitive Personal Information, such as: Social Security number, driver’s license number, state identification card, or passport; account log-in credentials; financial account, debit or credit card number with any required PIN or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; content of mail, email or text messages where we are not the recipient; genetic data; information concerning a consumer’s health, sex life or sexual orientation.|
(2) Your Rights and How to Exercise Them
Under the CCPA, California residents have certain rights with regard to their Personal Information. Those rights may only apply in certain circumstances and may be subject to limitations or exceptions. A summary of those rights is provided below as well as information on how to exercise your rights. Please note that we will require certain identifying information about you as necessary for us to verify your request in accordance with applicable law.
- Right to Know: You have the right to ask us to tell you the categories of Personal Information we collected, the purposes for which we collected, sold or disclosed that information, and the categories of third parties to whom we disclosed the information in the last 12 months. To exercise this right, please complete our online form available here and select “Info Request” or email your request to firstname.lastname@example.org and include “Disclosure Request” in the subject line of your message.
- Right to Access: You have the right to request access to the specific pieces of Personal Information we collected, used, disclosed and/or sold about you in the last 12 months. To exercise this right, please complete our online form here and select “Data Portability” or email your request to email@example.com and include “Access Request” in the subject line of your message.
- Right to Delete: You have the right to request us to delete the Personal Information we have collected or maintain about you. Please note that certain exceptions may apply to your right to delete information, such as when we must retain Personal Information as required or permitted by law and we will maintain a copy of your deletion request. We will notify you if any such exceptions apply to your request. To exercise this right, please complete our online form available here and select “Data Deletion” or email us at firstname.lastname@example.org and include “Deletion Request” in the subject line of your message.
- Right to Opt Out of Sale or Sharing: You have the right to opt out or ask us not to sell or share your Personal Information. Please note that we do not sell or share your Personal Information. However, please note that we do use and share your information in order to help match you with clinical trials and provide our Services per your request.
- Right to Correct: You have the right to request that we correct any inaccurate Personal Information that we maintain about you. To exercise this right, please complete our online form available here and select “Update Data” or email us at email@example.com and include “Correction Request” in the subject line of your message.
We will not discriminate against you for exercising any of the rights noted above. However, we may offer certain financial incentives, charge reasonable fees related to your requests, or deny your right to know, right to access, or right to deletion in accordance with applicable law.
You can exercise these rights yourself or you can designate an authorized agent to make a request on your behalf. If you would like an authorized agent to submit a request on your behalf, please send us an email at firstname.lastname@example.org for instructions and details on proof and information required for use of an authorized agent or select “Authorized Agent” when submitting the online form.
(3) How We Disclose Information
- We do not sell or share your Personal Information or the personal information of minors under age 16.
- We did not sell or share any Personal Information to third parties for their business or commercial purposes during the last 12 months.
- We did not use or disclose any Sensitive Personal Information for purposes other than those specified in section 7027(m) of the CPRA regulations.
(4) Third-Party Marketing Disclosure
IX. NOTICE TO VIRGINIA RESIDENTS
The information in this section applies to residents of Virginia. This section addresses additional rights to Virginia residents.
(1) How We Collect and Use Personal Information
In accordance with the Virginia Consumer Data Protection Act (“VCDPA”), this section describes the Personal Information we collect about Virginia residents. Please refer to the corresponding sections of this policy above for details on the following:
- WHAT PERSONAL INFORMATION DO WE COLLECT: This section describes the categories of Personal Information we collected and the categories of sources from which the information was collected.
- PURPOSES FOR OUR COLLECTION AND USE OF PERSONAL INFORMATION: This section describes the business or commercial purposes for which we collected the information.
- WHO DO WE SHARE PERSONAL INFORMATION WITH: This section lists the categories of third parties with whom we shared Personal Information.
(2) Your Rights and How to Exercise Them
Under the VCDPA, Virginia residents have certain rights with regard to their Personal Information. Those rights may only apply in certain circumstances and may be subject to limitations or exceptions. A summary of those rights is provided below as well as information on how to exercise your rights. Please note that we will require certain identifying information about you as necessary for us to verify your request in accordance with applicable law.
- Right to Know: You have the right to confirm whether or not we process your Personal Information and to access such Personal Information. To exercise this right, please complete our online form available hereand select “Info Request” or email your request to email@example.com and include “Disclosure Request” in the subject line of your message.
- Right to Portability: You have the right to obtain a copy of your Personal Information that you previously provided to us in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the Personal Information to another business without hindrance, where the processing is carried out by automated means. To exercise this right, please complete our online form here and select “Data Portability” or email your request to firstname.lastname@example.org and include “Access Request” in the subject line of your message.
- Right to Correct: You have the right to request that we correct any inaccurate Personal Information that we maintain about you. To exercise this right, please complete our online form available here and select “Update Data” or email us at email@example.com and include “Correction Request” in the subject line of your message
- Right to Delete: You have the right to request us to delete the Personal Information we have collected or maintain about you. Please note that certain exceptions may apply to your right to delete information, such as when we must retain Personal Information as required or permitted by law and we will maintain a copy of your deletion request. We will notify you if any such exceptions apply to your request. To exercise this right, please complete our online form available here and select “Data Deletion” or email us at firstname.lastname@example.org and include “Deletion Request” in the subject line of your message
- Right to Appeal: If we refuse to take action on a request, you have the right to appeal our decision within a reasonable time. To exercise this right, please complete our online form here or email your request to email@example.com and include “Appeal Request” in the subject line of your message. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation for the decisions.
You can exercise these rights yourself or you can designate an authorized agent to make a request on your behalf. If you would like an authorized agent to submit a request on your behalf, please send us an email at firstname.lastname@example.org for instructions and details on proof and information required for use of an authorized agent.
X. INDIVIDUAL RIGHTS – USERS IN THE EEA OR SWITZERLAND
Where we process Personal Information pertaining to individual located in the European Economic Area (“EEA”) or Switzerland, those individuals are entitled to ask us for an overview of the Personal Information we have about them and also to access, correct or delete certain Personal Information, restrict processing of their Personal Information, or to ask us to transfer Personal Information to other organizations. Certain individuals can also object to some processing of their Personal Information and, where we have asked for their consent, they can withdraw their consent at any time. Insofar as Personal Information about them is processed, certain individuals also have a right to know more about the protection we apply when transferring Personal Information to areas outside the EEA.
Note that we are not legally obligated to agree to such requests in all circumstances, and in certain circumstances, agreeing to a request may be infeasible – for example, a deletion request when we are required by law to maintain the Personal Information. Please also note that we are not able to act on any of the above requests if we are not in a position to identify an individual filing such request.
Where applicable, these rights can be exercised by completing the request form available here or by sending us an email through the contact details further below. Depending on where you live, you may have a right to lodge a complaint with a supervisory authority or other regulatory agency if you believe that we have violated any of the rights concerning your Personal Information. We encourage you to first reach out to us at email@example.com so we have an opportunity to address your concerns directly before you do so. We are committed to compliance with the General Data Protection Regulation (“GDPR”) where applicable, so please contact us through the details listed below if you have any questions about these rights.
XI. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
XII. TRANSFERS OF PERSONAL INFORMATION FROM THE EEA, UK OR SWITZERLAND TO THE UNITED STATES
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Subject Well, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us via email at: firstname.lastname@example.org.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Subject Well, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with applicable law. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Data Privacy Framework Panel. Pursuant to the Data Privacy Framework, SubjectWell remains potentially liable for the transfer of Personal Information to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
In cases of onward transfer to third parties of Personal Information of individuals in the EEA or Switzerland received pursuant to the EU-U.S. and Switzerland-U.S. Data Privacy Framework, SubjectWell is potentially liable.
The Federal Trade Commission has jurisdiction over Subject Well, Inc.’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
XIII. DATA RETENTION
We keep Personal Information for as long as it is needed to fulfill the purposes for which it was collected, to provide our Services, to deal with possible legal claims, to comply with our business interests and/or to abide by all applicable laws. If you register for our Services, we keep your Personal Information for ten (10) years from the point of collection in order to match you to a clinical trial. Thereafter, we either delete Personal Information about you or de-identify it. Please note that even if you request the deletion of Personal Information about you, we may be required (by law or otherwise) to retain the Personal Information and not delete it. However, once those requirements are removed, we will delete Personal Information about you in accordance with your request.
XIV. DATA SECURITY
We follow generally accepted industry standards to protect the Personal Information we collect or process through the Platforms. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect Personal Information, we cannot guarantee its absolute security.
The Site is not intended for children under the age of 13. Accordingly, we do not intend to collect Personal Information from anyone we know to be under 13 years of age through the Site. If we become aware that a child under age 13 has provided Personal Information through the Site, we will delete such information from our files.
XVII. CONTACT US
Address: 8300 N MoPac Expressway
Austin, TX 78759
You can also contact our representatives in the European Union and United Kingdom:
European Data Protection Office (EDPO):
EDPO online request form: https://edpo.com/gdpr-data-request/
In writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
UK General Data Protection Regulation (GDPR) – UK Representative:
EDPO online request form: https://edpo.com/uk-gdpr-data-request/
In writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.