True North Contract Research Organization Privacy Policy

At True North Contract Research Organization, we care about your privacy. This policy describes how we collect, use, share, and protect personal data, including personal data transferred from the European Union (EU), the United Kingdom (UK), and Switzerland to the United States.

1. What This Covers

This policy describes how True North CRO handles personal data collected and processed in the following contexts:

  • Clinical Research: Personal data collected during clinical trials conducted on behalf of our sponsors.
  • Client Relationships: Personal data relating to our interactions with clients.
  • Website Communications: Personal data collected from visitors to our website, www.truenorthcro.com.
    • When completing a contact form, we collect:
      • First and Last Name
      • Email Address
      • Company Name
      • IP Address

Your information is never sold or distributed to anyone outside of the organization and is not used for marketing/advertising. Data collected when using the ‘Contact Us’ form is stored only to fulfill the purpose for which it was collected, or as otherwise required by applicable law. You may request deletion at any time.

When visiting our site we collect the following information: (website user data is retained for 14 months and resets on new user activity).

  • City
  • Browser Minor Version
  • Browser User-Agent String
  • Device Brand
  • Device Model
  • Device Name
  • Operating System Minor Version
  • Platform Minor Version
  • Screen Resolution

2. Our Commitment

True North Contract Research complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. True North Contract Research has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. True North Contract Research has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

3. Detailed Description of Personal Data Collected

We collect and process the following categories of personal data:

  • Clinical Research Data: When we conduct clinical research on behalf of sponsors, we may process personal data including, but not limited to, patient name, contact information, medical history, laboratory results, adverse event data, demographic information (age, gender), and data collected while monitoring activities. The legal basis for processing this data is typically the consent of the study participant or as required by the clinical trial agreement with the sponsor.
  • Client Relationship Data: When we interact with clients, we may process personal data including contact information, professional title, company affiliation, billing information, and communication records. The legal basis for processing this data is our contractual obligation to provide services to our clients and our legitimate interest in managing our business relationships.
  • Website Data: When you visit our website, we may collect technical information such as your IP address, browser type, and device information. If you contact us through our website, we may collect your name, email address, and any other information you provide in your inquiry. The legal basis for processing this data is our legitimate interest in operating and improving our website and responding to your inquiries, and your consent when you provide information through a contact form.

4. Purpose of Data Collection and Use

We use personal data for the following:

  • Clinical Research: Personal data collected for clinical research is used to conduct clinical trials, monitor patient safety, collect and analyze research data, ensure compliance with the clinical trial protocol, and comply with applicable regulatory requirements. We retain clinical trial data as specified in the study protocol and in accordance with regulatory obligations.
  • Client Relationships: Personal data collected in the context of client relationships is used to manage contracts, provide our services to clients, communicate with clients, process payments, and maintain our business records. We retain client data for the duration of the contractual relationship and as required by applicable law.
  • Website Communications: Personal data collected through our website is used to respond to your inquiries, provide you with information upon request, improve our website, and for other purposes described at the time of collection. We retain website data for as long as necessary to fulfill the purpose for which it was collected and as required by applicable law.

5. Role as Data Processor

In certain circumstances, True North CRO acts as a data processor. Specifically, when we conduct clinical research on behalf of clinical trial sponsors, we process personal data according to the sponsor’s documented instructions. The sponsor is the data controller and is responsible for determining the purposes and means of processing personal data, including obtaining any necessary consent from study participants. True North CRO will assist the sponsor in meeting its obligations under the DPF.

6. Sharing Data with Others

We may share personal data with the following categories of third parties:

  • Clinical Trial Sponsors: We may share clinical trial data with the sponsors of the clinical trials we conduct.
  • Service Providers: We may share data with third-party service providers who assist us with data analysis, data storage, and other business operations.
  • Regulatory Authorities: We may disclose personal data to regulatory authorities as required by law.
  • Choice: If we use your personal data for a new purpose that’s significantly different from why it was originally collected—or if we plan to share it with a third party not acting as our agent—we will give you the choice to opt out before we do so.
  • Personal and sensitive data—includes information about health, race or ethnicity, political views, or religious beliefs. We would only use this type of data for a new purpose, or share it with others, if you give us clear, affirmative permission (opt-in).

We enter contracts with these third parties that require them to protect the confidentiality and security of personal data and to process it only for specified purposes and in accordance with the DPF Principles. Under the DPF, we are liable for onward transfers to third parties that process personal data in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

7. Your Rights

If you’re in the EU, UK, or Switzerland, you have the right to:

  • Ask to see the data we have about you
  • Ask us to correct or delete it
  • Ask us to limit how we use or share it

8. Questions or Complaints?

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, True North Contract Research commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact True North Contract Research at:

Email: truenorth@truenorthcro.com

Mail:

True North Contract Research Organization

3220 W 57th St, Suite 100A

Sioux Falls, SD, 57108, USA

If you have a concern and have contacted us first, and we were unable to resolve it, you can file a free complaint with JAMS, an independent service. You can file a complaint with JAMS here: https://www.jamsadr.com/DPF-Dispute-Resolution

In some cases, you may also be able to request binding arbitration. For more information about binding arbitration under the DPF, including its availability and eligibility requirements, please visit the official DPF website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

9. Data Security

We implement reasonable and appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures include, but are not limited to, encryption, access controls, regular security assessments, employee training, and data minimization principles.

10. Data Integrity and Purpose Limitation

We collect only the personal data that is relevant to the purposes for which it is processed. We use personal data only for the purposes for which it was collected, as described in this Privacy Notice. We take reasonable steps to ensure that the personal data we process is accurate, complete, and current.

11. U.S. Regulatory Oversight

We’re regulated by the U.S. Federal Trade Commission.