IVR Clinical Concepts Inc. (IVRCC)  Privacy Policy

PURPOSE
The purpose of this Privacy Policy is to outline responsibilities and procedures for ensuring privacy, confidentiality and security of all personally identifiable data and sensitive information we collect, are provided, and/or process using our electronic data collection and clinical assessment tools. IVR Clinical Concepts Inc. (“IVRCC”) strongly respects individual privacy and strives to manage personal data in line with the laws and high ethical standards of IVRCC and countries in which IVRCC does business.

IVR Clinical Concepts Inc. abides by a deep commitment to respect the privacy and the protection of any personal information submitted to, hosted and transferred by IVRCC. IVRCC respects individual privacy and holds the confidence of its customers, employees, clinical trial participants, and others in the highest regard. IVRCC endeavors to collect and shepherd personal, private and metadata information in a manner that is consistent with the laws of the countries in which IVRCC applications and activities are present. Data privacy is taken seriously and is implemented through company-wide policies and SOPs, while also taking into account regional office locations requirements.

As a condition of your use of our IVRCC website, you agree to be bound by the terms of this Policy.

INFORMATION COLLECTION, USE AND STORAGE
IVRCC refers to information that identifies an individual as “Personal Information”. In general, we collect Personal Information from users of the IVRCC website in connection with access to certain online areas or services, including during (i) registration for special communications, such as email updates, whitepapers, and newsletters; (ii) subscription registration; and (iii) user surveys. Your Personal Information is stored on IVRCC computer servers (or those of its service providers) located in the United States. We are GDPR compliant.

We may gather data about the areas of the IVRCC website you visit or access. We do not share any of this data with third parties, however we may use and share navigational data in aggregate, non-personal form to understand how our users as a group use the IVRCC website.

Below are more details about the Personal Information we, or third parties may gather from you and how we may use it.

1. Email Newsletters. IVRCC may offer email newsletters to its registered subscribers. We will use your email address to send you only the specific newsletter(s) that you signed up for. If you want to update your email address or stop receiving a newsletter, follow the procedures to unsubscribe at the bottom of any newsletter we send you.

2. Surveys and User Research. IVRCC conducts email and web-delivered surveys from time to time, to gather information about our users and sites. Taking these surveys and polls is entirely optional. You have no obligation to respond to them. We share only the aggregate results of these surveys, not Personal Information, with our partners to help them better understand our services and monitor the reach of our webpage.

3. Use of Cookies. On the Internet, a “cookie” is a piece of information (a file) that a Web site transfers to a user’s computer for record-keeping purposes. The use of cookies is common on the Internet. The process of tracking use of the IVRCC website involves cookies. Cookies also enable us to measure aggregate (total) usage and traffic to the IVRCC website and to specific offerings. This aids us in producing content that best meets our users’ preferences. To implement new services, we may use other types of cookies as well. We also may use cookies to understand better what parts of the IVRCC website you like best. You may configure your browser to reject cookies; this may interfere with some functionality of the IVRCC website.

4. Legal Authorities. We may also disclose Personal Information in cases when we reasonably believe that it is necessary to identify someone who may be violating IVRCC policies or IVRCC website “User Agreements” or other terms of use, or who may be a threat to IVRCC rights, property, or personal safety. IVRCC may disclose Personal Information to comply with valid legal processes such as a duly issued search warrant, subpoena or court order.

INFORMATION STORAGE AND SECURITY

Your Personal Information is stored on IVRCC computer servers located in the United States. We protect your Personal Information with technical, administrative and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification and improper disclosure. No computer system or information can ever be fully protected against every possible hazard, however IVRCC is committed to providing reasonable and appropriate security controls to protect our website and all Personal Information against foreseeable hazards.

Notwithstanding these security measures, please be aware that when you submit Personal Information to the IVRCC website over the Internet, the information may travel over many systems that are not under the IVRCC’s control. We take the protection of user data very seriously and to that end take reasonable safeguards to prevent interception of any Personal Information.

IVR CLINICAL CONCEPTS INC. (IVRCC) COMPLIANCE and ADHERENCE TO DPF PRINCIPLES 

IVR Clinical Concepts Inc. (“IVRCC”) complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. IVRCC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to personal data transferred from the European Union and the United Kingdom and the Swiss-U.S. DPF Principles with regard to personal data transferred from Switzerland. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

NOTICE
IVR Clinical Concepts Inc. (“IVRCC”) develops and maintains software and services to life sciences companies for use in the conduct of clinical trials and other healthcare applications throughout the world. IVRCC may collect, process, store and distribute Personal Data (e.g., subject ID, initials, email address, phone number) from clients including study sponsors, research site staff, study participants, consultants & subcontractors, and other employees involved in clients’ clinical trials. Additionally, as requested and authorized by our clients, IVRCC may collect and store Clinical Study Data, which is collected pursuant to a project-specific informed consent (IC) with clinical research subjects, and may include detailed information regarding health status, test results, medical assessments, and other data required for a particular study, in order to support clients’ trials, develop programs for their products, develop reports or other assemblages of information, and monitor progress throughout a study.

IVRCC is sub-contracted to provide interactive voice and web applications (for example, IVR/IWR “IxR”) on behalf of clients and other third-party agents for the purpose of acting as a third-party agent for our clients. Detailed contractual arrangements, SOPs and business policies govern all our work with customer data. IVRCC’s internal policies are available for audit/review by our clients, per IVRCC’s responsibility to adequately maintain these business policies and IVRCC’s technology infrastructure, while maintaining data integrity security and privacy.  IVRCC may collect, process, store and distribute Personal Data (e.g., subject ID, initials, email address, phone number) from clients including study sponsors, research site staff, study participants, consultants/subcontractors, and other employees involved in clients’ clinical trials. Additionally, as requested and authorized by our clients, IVRCC may collect and store Clinical Study Data, which is collected pursuant to a project-specific informed consent (IC) with clinical research subjects, and may include detailed information regarding health status, test results, medical assessments, and other data required for a particular study, in order to support clients’ trials, develop programs for their products, develop reports or other assemblages of information, and monitor progress throughout a study. Typically, IVRCC generates, collects, and stores investigative sites and subject ID numbers to our database with no traceability back to a specific trial patient/subject. We transfer personal information data collected for the purposes of the clinical trial, confidentially to third party electronic databases.

IVRCC informs individuals about the purposes for which it collects and uses personal information. The notice is provided in clear language in a conspicuous manner. The use of the data is limited to the purpose identified, and no more information is collected than is required to satisfy the purpose. Data used for pharmaceutical research and other purposes when using IVRCC software products is anonymized as appropriate. Any personal information that is related to the use of the IVRCC clinical trial software products or personal data collected in specific medical or pharmaceutical research studies belongs to the client. IVRCC informs individuals about the type of third party to which IVRCC discloses information if any and offers individuals the choices and means for limiting the use and disclosure of their personal information.

CHOICE
IVRCC offers individuals the option of choice as to whether their personal information is disclosed to a third party. Individuals can also choose to not have their data shared if the purpose is incompatible with the original purpose of data collection or has not been subsequently authorized by the individuals. IVRCC provides individuals with reasonable mechanisms with which to exercise their choices. Note that it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization.

For sensitive personal information, IVRCC gives individuals explicit (opt-in) choice if the information is to be disclosed to a third party or is to be used other than the purpose that was originally authorized or has been subsequently authorized. IVRCC will disclose the information only with the explicit consent of the individual. 

ACCOUNTABILITY FOR ONWARD TRANSFER
To transfer personal information to a third party acting as a controller, IVRCC comply with the Notice and Choice Principles.  Wet also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

To transfer personal data to a third party acting as an agent, IVRCC: (i) transfers such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

SECURITY
IVRCC protects confidentiality, integrity, and availability of personal information by physical, electronic, and logical security measures. IVRCC has written procedures in place regulating the protection of confidential data from loss, misuse and unauthorized access, disclosure, alteration, and destruction.

DATA INTEGRITY
IVRCC takes reasonable steps to ensure that personal information is relevant for the purposes of its use, and that the data is accurate, complete, and current. IVRCC complies with the current data retention principle, with making individual identifiable only for as long as it serves a purpose of processing. Such processing would reasonably serve the purpose of archiving in the public interest, journalism, literature, and art, scientific or historic research and statistical analysis, while maintaining adherence to the provisions of the Principles and the Framework.

ACCESS
Upon request, individuals will be granted reasonable access to personal information that IVRCC holds about them.  In response to lawful request by public authorities, including to meet national security or law enforcement requirements, IVRCC is required to disclose personal information, per the enforcement authority which has jurisdiction over IVRCC’s compliance with the Framework. Personal/sensitive personal data is held by IVRCC as data controller, and we ensure such data is accurate and relevant for the purposes for which we collected it. IVRCC will take reasonable steps to allow individuals to correct, amend, or delete information that is found to be inaccurate or incomplete.  Exceptions could include where the burden of providing access is disproportionate to the risk to the individual’s privacy or where violation of another person’s rights would occur.  Where IVRCC is a data processor, we will direct individuals to the relevant client/sponsor third party who is the data controller of the personal/sensitive personal data.

ENFORCEMENT
IVRCC has written procedures in place that regulate regular internal compliance audits of the DPF Principles. Internal audits are conducted by the QA Department or by a third party as delegated by the QA Department. The QA Department is comprised of QA Department Head and additional company representatives, who have authority to enforce the policies that are created. The company President has the ultimate responsibility and authority of managing Quality Systems. Non-compliance issues are investigated, and rigorous corrective actions are put in place and followed up until resolution for any problems arising out of failure to comply with the Principles. Remedy actions could include disciplinary actions. The U.S. Federal Trade Commission (FTC) has jurisdiction over IVR Clinical Concepts Inc.’s compliance with the DPF Principles.

DISPUTE RESOLUTION, RECOURSE MECHANISMS, LIABILITY
Individual complaints will be investigated, and remedy actions performed in the same rigorous way as described for non-compliance detected during internal audits (see above, Enforcement). An independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved is at no cost to the individual and by reference to the Principles. IVRCC also commits to a binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.

IVRCC has a responsibility for the processing of personal information we receive under the EU-U.S. DPF and subsequently transfer to a third party acting as an agent on its behalf. IVRCC would remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless IVRCC proves that it is not responsible for the event giving rise to the damage.

IVRCC has committed to cooperating with data protection authorities (DPAs) by declaring our self-certification submission to the Department of Commerce.

In compliance with the Data Privacy Framework Principles, IVR Clinical Concepts Inc. (“IVRCC”) commits to resolve complaints about our collection or use of your personal information.  European Union, UK and Swiss or other individuals with inquiries or complaints regarding our adherence to DPF Principles should first contact IVR Clinical Concepts Inc. at:

IVR Clinical Concepts Inc.
Attention: Compliance Department
358 Broadway, Suite 201
Saratoga Springs, NY 12866

Email address:  john@ivrcc.com
Phone: (518) 583-0095
Fax: (518) 583-0394

Per the Data Privacy Framework, IVRCC will respond to all complaints within 45 days of receipt of a complaint related to an individuals’ personal data.

For any Data Privacy Framework complaints or questions that cannot be resolved with IVRCC directly, we commit to cooperate with the panel established by EU data protection authorities (DPAs), and the UK Information Commissioner’s Office (ICO) or the Swiss Federal FDPIC to comply with the advice given by the panel regarding data transferred from the EU, UK or Switzerland.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, IVR Clinical Concepts Inc. (“IVRCC”) commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs or thSwiss Federal Data Protection and Information Commissioner (FDPIC) for more information or to file a complaint.

Note that an individual also has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding EU/UK DPF or Swiss DPF Principles not resolved by any of the other DPF mechanisms.

For additional information:  https://www.dataprivacyframework.gov

NOTIFICATION OF POLICY CHANGES
If major content changes are made to this IVRCC Privacy Policy, we will outline and post the changes along with the new version on this Web site. The effective date of the revised Privacy Policy will be set forth in this paragraph. This Privacy Policy was last updated on December 26, 2023 and is effective as of that date.