Effective date: November 14, 2023
This Privacy Notice explains how and why Invicro, LLC, dba REALM Pharma Services, and its wholly owned subsidiaries (Imanova Limited, Molecular NeuroImaging, Inc., and Core Clinical, Inc.) (collectively, “Invicro,” “we,” “us,” and “our”), collect, processes and retains information about data subjects and users of our website, Invicro.com (“Website”).
- Data Privacy Regulations
- Data Privacy Framework
- Collection of Personal Information
- Processing of Personal Information
- Transfer of Personal Information
- Data Subject Rights
- California Consumers’ Privacy Rights
- Data Retention
- Binding Arbitration
- How to Contact Us
- Changes to this Privacy Notice
Data Privacy Regulations
Invicro is a global company and works with Sponsor organizations to ensure compliance to all applicable global and local data privacy requirements. This includes, but is not limited to, the Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), and its adoption into UK law through the Data Protection Act 2018. Additionally, Invicro recognizes the California Consumer Protection Act, as amended by the California Privacy Rights Act, (“CPPA“). Invicro is not a “Covered Entity” under the Health Insurance Portability and Accountability Act (“HIPAA”). However, Invicro may process protected health information (“PHI”) covered by HIPAA requirements through contractual agreements where Invicro acts as a “Business Associate,” as defined under HIPAA. Data privacy controls are in place throughout Invicro to ensure the applicable standards of data privacy laws are met.
Data Privacy Framework
The Federal Trade Commission has jurisdiction over Invicro’s compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”).
Invicro, LLC, dba REALM Pharma Services, and its U.S. wholly owned subsidiaries, Molecular NeuroImaging, Inc. and Core Clinical, Inc., (collectively, “Invicro US”) complies with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce. Invicro US has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Invicro has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Collection of Personal Information
Invicro collects personal information only when an individual provides it through registration, completion of forms or e-mails, applying for job vacancies, as part of an order for products or services, inquiries or requests about materials being ordered, volunteering for research, and similar situations in which an individual has chosen to provide the information to us. The database and its contents remain at Invicro and stay with data processors or servers acting on our behalf and responsible to us. An individual’s personal information will not be passed on by us or by our service providers for use by third parties in any form whatsoever unless we have obtained your consent or are legally required to do so.
Notice & Consent
The collection and retention of personal information at Invicro will be done according to the relevant legal basis. Notice of the relevant legal basis will be available to individuals. If that legal basis is consent, individuals will receive an appropriate level of information about the use of their personal information and have their consent to collect and retain the data documented. This consent may be withdrawn at any time, and if the legal basis for retention of data is consent, this data will no longer be retained by Invicro, except under certain circumstances. Where consent is not the legal basis, Invicro may decide that documented consent is best practice, or in the case of research subjects, a regulatory requirement, and therefore consent would also be sought from individuals. It will be explained to subjects, in this instance, that although consent is sought, data may still be used and retained by Invicro if there is an additional legal basis for these activities.
You are not required to provide personal information as a condition of using our Website, except as may be necessary to provide you with a product or service at your request. When you use our Website, personal information may be stored for various security purposes. This personal information may include the name of your internet service provider, the website that you used to link to our Website, the websites that you visit from our Website and your IP address. This data could possibly lead to your identification, but we do not use it to do so. We do use the data from time to time for statistical purposes but maintain the anonymity of each individual user. In cases when personal information is provided to others to provide you products or services that you requested or for other purposes you authorized, we rely on technical and organizational means to assure that applicable data security regulations are followed. Your IP address is utilized for security and performance measurement with a 4-week retention of this information.
Cookies are small text files that are stored in the website visitor’s local browser cache. Using such cookies, it is possible to recognize the visitor’s browser in order to optimize the website and simplify its use. Data collected via cookies will not be used to determine the personal identity of the website visitor. Most browsers are set-up to accept these cookies automatically. In addition, you can deactivate the storing of cookies or adjust your browser to inform you before the cookie is stored on your computer. For further information, read our Cookie Notice.
Invicro uses Google Analytics to analyze user activity in order to improve our Website. For example, using cookies we can look at aggregate patterns and page performance trends. We can use such analysis to gain insights about how to improve the functionality and experience of the Website.
For information on how to opt-out of Google Analytics tracking, please visit this link.
For information on how to opt-out of Hotjar tracking, please visit this link.
Processing of Personal Information
Invicro will retain control of and responsibility for the use of any personal information disclosed to us. Some of this data may be stored or processed at computers located in other jurisdictions, such as the United States, whose data protection laws may differ from the jurisdiction in which an individual lives. In such cases, Invicro will ensure that appropriate safeguards are in place to require the data processor in that country to maintain protections on the data that are equivalent to those that apply in the country in which the individual lives.
Individuals who wish to volunteer for research activities may be provided with the opportunity to register with Invicro. With the individual’s consent, Invicro may collect and maintain a database of personally identifiable information that is provided by that individual for the sole purpose of sending targets study information for volunteer recruitment. Individuals can choose to revoke their consent at any time as discussed above under Notice & Consent.
Invicro uses personally identifiable information to conduct research to improve health and care. As a research company, Invicro has a legitimate interest in using information relating to subject health and care for research studies, when subjects agree to take part in a research study. This means that Invicro will use their data, collected in the course of a research study, in the ways needed to conduct and analyze the research study. Subject’s rights to access, change or move their information are limited, as Invicro needs to manage such information in specific ways in order for the research to be reliable and accurate.
If a subject withdraws from the study, Invicro will keep the information about them that has been already obtained. To safeguard the subject’s rights, Invicro will use the minimum personally identifiable information possible. If subjects wish to raise a complaint regarding how Invicro has handled their personal information, they can contact our Data Protection Officer who will investigate the matter. If subjects are not satisfied with our response or believe we are processing personal information in a way that is not lawful, they can complain to the appropriate state or national data protection agency, e.g., Information Commissioner’s Office (ICO) in the United Kingdom or the Federal Trade Commission (FTC) in the United States.
If an individual’s contact details are provided to Invicro for direct marketing purposes, and consent is provided for us to do so, we would like to use this information to keep in touch with you regarding the latest news and information from our organization. Minimal, non-sensitive information will be retained to fulfill the requirements of this legitimate interest, and data will not be shared with third parties without notification and appropriate consent of the data subject.
Where consent or opt-in has been provided for us to do so, Invicro may consider an individual for opportunities that the individual did not specifically apply for, but which Invicro thinks might be a good fit for the individual’s skillset. Where consent to process an individual’s information has been provided for the purposes detailed above, Invicro will enter the profile data into our central recruitment database.
Invicro may also collect an individual’s details, which have been made available, from third-party sources, such as websites on which Invicro’s job vacancies may be advertised or through recruitment agencies. This information may include an individual’s name, email address, telephone number, and curriculum vitae. Invicro may do this where we identify that an individual is suitable for an available vacancy with us. Invicro may use the contact data to contact an individual to ask whether they would like to be considered for an appropriate vacancy. Invicro’s use of the contact data in these circumstances is limited to making contact with an individual to determine whether they are interested in working for us and applying for a role. The legal basis for this processing is Invicro’s legitimate interest as a business in finding an appropriate person for a particular role.
Invicro will only use and share Personal Information about individuals in a way that is consistent with the purposes for which the information was collected or subsequently authorized by those individuals. To the extent necessary for those purposes, Invicro will take reasonable steps to ensure that the information is accurate, complete, and current.
Children’s Online Privacy Protection
In light of the importance of protecting children’s privacy, we do not collect, process, or use on our website any information relating to an individual whom we know to be under 13 years old without the prior, verifiable consent of his or her legal representative. Such legal representative has the right, upon request, to view the information provided by the child and/or to request that it be deleted.
Transfer of Personal Information
Invicro will only transfer personal information to a third party consistent with the notice and consent principles stated above. If Invicro discloses personal information to a third party, Invicro will either: (i) ensure that the third party is subject to the applicable privacy principles, including, but not limited to, the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, or (ii) require the third party by contract to provide the same level of protection as required by the applicable privacy principles.
Where your personal information is transferred outside of the EEA, Invicro will ensure that either (a) the European Commission has made an “adequacy decision” with respect to the data protection laws of the country to which it is transferred or (b) Invicro has entered into a suitable data processing agreement with the third party situated in that country to ensure the adequate protection of your data, including the use of standard contractual clauses, or binding corporate rules.
For any onward transfer of your personal information, Invicro will remain responsible for the processing of that personal information and any subsequent transfers to a third party on its behalf. Invicro will also remain liable under the applicable privacy principles if the third party processes your personal information in a manner inconsistent with the applicable privacy principles, unless it proves that it not responsible for any damages arising from such an event.
Please acknowledge that personal information that you submit for publication through our Website or services may be publicly available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal information by others.
Data Subject Rights
Individuals may instruct Invicro to provide any personal information it holds belonging to the individual, provided that:
- an individual’s request not being found to be unfounded or excessive, in which case a charge may apply; and
- the supply of appropriate evidence of an individual’s identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing the individual’s current address).
Invicro may withhold personal information that an individual requests to the extent permitted by law, or where it might involve another individual’s personal information.
The rights individuals have under data protection law are:
- right to access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to object to processing;
- right to data portability;
- right to complain to a supervisory authority; and
- right to withdraw consent.
Right to Access. Individuals have the right to ask Invicro to confirm whether or not Invicro processes their personal information and to have access to the personal information and any additional information. That additional information includes the purposes for which Invicro processes their data, the categories of personal information Invicro holds and the recipients of that personal information. Individuals may request a copy of their personal information. The first copy will be provided free of charge, but Invicro may charge a reasonable fee for additional copies.
Right to Rectification. If Invicro holds any inaccurate personal information, individuals have the right to have these inaccuracies rectified. Where necessary for the purposes of the processing, individuals also have the right to have any of their incomplete personal information completed.
Right to Erasure. In certain circumstances, individuals have the right to have personal information that Invicro holds about them erased. This will be done without undue delay. These circumstances include the following:
- it is no longer necessary for Invicro to hold the personal information in relation to the purposes for which it was originally collected or otherwise processed;
- an individual withdraws consent to any processing which requires consent;
- the processing is for direct marketing purposes; and
- personal information has been unlawfully processed.
However, there are certain general exclusions of the right to erasure, including where processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation, or for establishing, exercising, or defending legal claims.
Right to Restrict Processing. In certain circumstances, individuals have the right to restrict the processing of their personal information. This is the case where:
- individuals do not think that the personal information Invicro holds about them is accurate;
- personal information is being processed unlawfully, but the individual does not want their data to be erased;
- it is no longer necessary for Invicro to hold the individual’s personal information for the purposes of processing, but an individual still requires that personal information in relation to a legal claim; and
- an individual has objected to processing and is waiting for that objection to be verified.
Where processing has been restricted for one of these reasons, Invicro may continue to store personal information. However, Invicro will only process it for other reasons, such as, with consent, in relation to a legal claim, for the protection of the rights of another natural or legal person, or for reasons of important public interest.
Right to Object to Processing. Individuals can object to Invicro processing their personal information on grounds relating to a particular situation, but only as far as our legal basis for the processing that it is necessary for the performance of a task carried out in the public interest, in the exercise of any official authority vested in Invicro, or the purposes of our legitimate interests or those of a third party. If an individual makes an objection, Invicro will stop processing their personal information, unless Invicro is able to demonstrate compelling legitimate grounds for the processing and that these legitimate grounds override the individual’s interests, rights, and freedoms; or the processing is in relation to a legal claim.
Right to Data Portability. Individuals may obtain the personal information they provided to Invicro. They will be provided their personal information in a structured, commonly used, and machine-readable format and allow it to be transmitted to another data controller without hinderance.
Right to Complain to a Supervisory Authority. If an individual thinks that Invicro’s processing of their personal information infringes data protection laws, they can lodge a complaint with a supervisory authority responsible for data protection. Individuals may do this in the EU member state of their habitual residence, place of work or the place of the alleged infringement.
Right to Withdraw Consent. To the extent that the legal basis Invicro is relying on for processing personal information is consent, individuals are entitled to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
- Direct marketing. An individual can object to us processing their personal information for direct marketing purposes. If an objection is set forth by the individual, Invicro will stop processing their personal information for this purpose.
- Statistical purposes. An individual can object to Invicro processing their personal information for statistical purposes on grounds relating to their particular situation, unless the processing is necessary for performing a task carried out for reasons of public interest.
- Automated data processing. To the extent that the legal basis Invicro is relying on for processing personal information is consent, and where the processing is automated, individuals are entitled to receive their personal information from Invicro in a structured, commonly used, and machine-readable format. However, an individual may not have this right if it would adversely affect the rights and freedoms of others.
Exercising Your Rights.
California Consumers’ Privacy Rights
CCPA does not apply to the research data collected by Invicro for the purpose of clinical trials. Instead, it does apply to personal information collected for the purposes of filling job vacancies, facilitating employment, and allowing users access to Invicro’s Website and services. California residents may exercise their rights under the CCPA by reaching out to the Data Protection Officer contact provided below or submit a form by clicking here. Since Invicro does not sell personal information, the consumer right to opt out of the “sale” of personal information is not applicable to our operations and, therefore, is not addressed in this Privacy Notice.
Right to Know – California residents have the right to request to know the following about our data collection and disclosure practices in the preceding 12 months:
- The categories of personal information we have collected about you;
- The categories of sources from which the personal information was collected;
- The categories of third parties to whom the personal information was disclosed;
- The business or commercial purpose for collecting; and
• The “specific pieces” of personal information that we have collected about you.
Right to Delete – With some exceptions, California residents have the right to request us, and our service providers, contractors, and third parties, to delete personal information we have collected from them and retained.
Right to Correct – California residents have the right to request that we “commercially reasonable efforts” to correct inaccurate personal information about them.
Right to Non-Discrimination for Exercise of Your Consumer Rights – California residents have the right not to receive discriminatory treatment by exercising your privacy rights under CCPA.
Please note that we will need to verify your identity and state of residency, such as matching the personal information you give us to our records, whenever possible, or ask for a copy of your driver’s license or identification card, before processing your request. If you are acting on behalf of another individual, we will need proof that you are authorized to make a request on that individual’s behalf, such as a signed written authorization. Absent such proof, we reserve the right to refuse to comply with your request. We aim to respond within 45 days of receipt. If additional time is needed, we may take up to 45 more days (i.e., a maximum total of 90 days) to comply with your request, and we will inform you of the reason(s) why the extension is necessary within the initial 45 days of receiving your request. Any additional information collected during this verification process will be deleted after the request has been processed.
Invicro will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. The principle of security applies to how Invicro stores, processes, maintains, and protects personal information.
Invicro only retains Personal Information for as long as is necessary to fulfill the specific commercial or business purposes, and to allow us to comply with our legal requirements.
Invicro has put in place mechanisms to verify our ongoing adherence to the applicable privacy principles. Invicro encourages individuals covered by this Privacy Notice to raise any inquiries or complaints that they have about the way Invicro processes their personal information by contacting us below, and we will do our best to resolve them.
Invicro US has also agreed to participate in the independent dispute resolution program provided by the European Data Protection Authorities Panel, and the UK and Swiss equivalents. In compliance with the DPF Principles, Invicro US commits to resolve complaints about an individual’s privacy and Invicro US’ collection, or use of personal information transferred to the United States pursuant to DPF Principles.
EEA, United Kingdom, and Swiss individuals with DPF inquiries or complaints should first contact us at firstname.lastname@example.org. Adherence by Invicro US to these DPF Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.
In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Invicro US commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to the unresolved complaints concerning our handling of personal information received in reliance of the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
For individuals in the EU, UK, and Switzerland, under certain circumstances, you may invoke binding arbitration for complaints regarding the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, that have not been resolved through other dispute resolution procedures, as described above. This is more fully described on the Data Privacy Framework Program website found here.
How to Contact Us
In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Invicro US commits to resolve DPF Principles-related complaints about our collection and use of your Personal Information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal information in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, should first contact Invicro US at:
Data Protection Officer:
Michelle Manu, Director, Legal Operations
REALMD IDx, Inc.
Aliso Viejo, California 92656
Telephone: 44 0-800-89-0011 followed by 800-603-2869 (for UK) & 800-603-2869 (all other countries; must dial country access code first)
IT Governance Europe Limited
(Please include our company name in any correspondence you send.)
For any inquiries or complaints regarding the handling of your personal information in Quebec, Canada, you may contact:
Chief Privacy Officer:
Erika Christiansen, Chief Compliance Officer
REALM IDx, Inc.
Aliso Viejo, California 92656
Telephone: 844-470-0004 (for English in CAN) & 855-725-0002 (for French in CAN)
For all other questions or concerns, you may contact: email@example.com
Changes to This Privacy Notice
This Privacy Notice may be amended from time to time. When we do, we will also revise the “Effective Date” at the top of this document. For material changes to this Privacy Notice, we will notify individuals by placing it on this page.