Arbor Research Collaborative for Health
Privacy Statement
Who we are
Arbor Research Collaborative for Health conducts major
studies in epidemiology and public health and provides expertise to assist
others in this shared mission. We collaborate closely with faculty and
researchers from other major research organizations in the United States and
around the world on new discoveries that affect clinical practice, policy
development, and medical payment systems. Arbor Research is a non-profit
research organization located at 3700 Earhart Road, Ann Arbor, Michigan 48105. To
learn more about who we are, please go to www.arborresearch.org.
Personal data we collect
Your privacy, and our transparency about it, is important
to Arbor Research Collaborative for Health. This Data Privacy Statement (Privacy
Statement) informs you (you/your) what personal information may be collected, and
how it is used, by Arbor Research Collaborative for Health (Arbor
Research/we/us) and pertains to data collected about the usage and users of
this website. Collectively, this website and any software provided are referred
to herein as “Services”. Arbor Research maintains these Services for study
management, data collection, and business process management. Protection of the
data used in these applications, such as study subjects, is described in each
study’s contractual, protocol, and consent documents.
This Privacy Statement is a part of and incorporated into
the Terms of Use Agreement (“Terms of Use”) for Arbor Research Services. Any
term capitalized herein but not defined shall have the meanings assigned to
such term in the applicable Terms of Use. Agreement to this Privacy Statement is
incorporated into the terms of use of this website and your continued use
indicates your agreement. To provide the Services, we may process information
about you. The types of information we collect depend on how you use our Services.
Please read the user-specific details in this Privacy Statement, which provide
additional relevant information.
Website Users
Anonymous
You can visit Arbor Research’s websites without disclosing
any identifiable personal or sensitive information like your name or address.
Contact Information
In addition to the above, you may provide identifiable personal
information to us through actions such as direct email, subscriptions to
newsletters, feeds, “contact us” buttons, or support requests. We may receive your
name, phone number, e-mail address, country, and other details to enable us to
respond to your communication. It is our intent to inform you before we collect
this personal information but your voluntary submission of your personal
information indicates your consent for us to receive it.
Information we collect about all Website Users
We keep track of certain
information about your data usage when you visit and interact with any of our
Services. Even if you do not supply any personal information, we collect the
actions you take within the Services, and use it to improve the quality of the
Services.
What we collect
Device
We collect information about the device (computer, phone,
tablet, etc.) you use to connect to our Services. This includes your connection
type, operating system, browser type, Internet Protocol (IP) address, device
identifiers, and crash data.
Cookies
Cookies are text files placed on your computer to collect
standard Internet log information and visitor behavior information. When you
visit our websites, we may collect information from you automatically through
cookies or similar technology.
We use these functional cookies so that we recognize you
on our website and remember your previously selected preferences. These could
include what language you prefer and location you are in. We never use cookies
for advertising purposes. You can set your browser not to accept cookies, and
the website below tells you how to remove cookies from your browser. However,
in a few cases, some of our website features may not function as a result. For
further information about cookies, visit allaboutcookies.org.
Site traffic analytics – Google Analytics
We use third-party software, specifically Google
Analytics, to help us track activity and improve the user experience for our
public-facing websites. (This does not include web-based applications that
require authentication as a registered user, such as ArborLink data capture.)
Google Analytics is a web analytics service offered by
Google that tracks and reports website traffic. Google uses the data collected
to track and monitor the use of our Service. This data is shared with other
Google services. Google may use the collected data to contextualize and
personalize the ads of its own advertising network.
You can opt-out of having made your activity on the
Service available to Google Analytics by installing the Google Analytics
opt-out browser add-on. The add-on prevents the Google Analytics JavaScript
(ga.js, analytics.js, and dc.js) from sharing information with Google Analytics
about visits activity.
For more information on the privacy practices of
Google, please visit the Google Privacy & Terms web page: www.google.com/intl/en/policies/privacy/
Do Not Track Signals
We do not respond to
web browser “do not track” signals or other mechanisms that provide you control
over information collected over time and across different web sites following
your visit to one of our Services.
How we use Website User information
We use the information to operate the Services and respond
to your requests. Your feedback and usage data (such as activity, patterns,
trends, and metadata) are essential to making our Services as useful as
possible. We may connect the information in this section to information that
identifies you as a user only when you supply that identifying
information, such as on a feedback, service request, or account registration
form.
Authenticated Users
Your use of our Services may include access to Services
that require user account registration and/or authentication. These include
Services such as electronic data capture and study management applications (i.e.,
ArborLink), business process support applications, or access to proprietary or
personalized content.
There are two types of users of these Services: “Registered
Account Users” and “Non-registered Authenticated Users”.
Registered Account Users
Registered Account Users are those that create permanent
accounts, supplying contact information, for performing tasks as study site
users, investigators, study coordinators, pathologists, etc. These users use our
Services related to study management, data collection, or business processes.
In this context, we collect and maintain information about you in order to
support your use of the Services. This information may be combined with
information supplied by your organization or contractual obligations related to
our Services.
What we collect
Personal Information about you
We collect and use personal information about you to
create an account as a registered user for the Services. Where the Services are
made available to you through an organization (e.g. your employer or research
sponsor), that organization is the administrator of the Services and is
responsible for the end-users it authorizes. If this is the case, please direct
your data privacy questions to your administrator, as your use of the Services
is subject to your organization’s policies/statements. We are not responsible
for the privacy or security practices of an administrator’s organization, which
may be different than this Privacy Statement.
Personal Information you provide about other individuals
As a registered user within the Services, the personal
information you add, upload, send, receive and share about other individuals is
authorized and governed by separate contract and/or consent and not covered
within this Privacy Statement. Please refer to those documents and our Terms
of Use.
How we use Registered Account User Information
Customer Support
We use your contact information
to communicate with you about the Service for which you have registered. This
includes responding to your comments, questions and requests, providing
customer support, and sending you technical notices, updates, security alerts, study
or business process progress alerts, and administrative messages.
Security and regulatory compliance
We use information about you and your use of the Services
to verify accounts and activity, to monitor suspicious or fraudulent activity
and to identify violations of Service policies. We also use information about
you to meet the requirements of regulations and guidelines which pertain to
clinical research, such as ICH GCP and 21 CFR Part 11.
Non-registered Authenticated Users
In some cases, individual users may authenticate to use a
Service without registering or supplying contact information. For
example, you may be a participant in a study, and through your use of the
Service you may supply personal and sensitive information about you that will
be combined with other information about you, as described in your study
consent documents. You may also be a recipient of a secure and encrypted link
to access content intended only for you, with or without additional
authentication steps depending on the sensitivity of the content.
What we collect
Through your direct use of the Services, we collect “Personal
Information” and “Sensitive Information”.
Personal Information
Personal information is information that identifies an
individual or relates to an identified individual.
Sensitive Personal Information
Sensitive personal Information refers to personal information
regarding more sensitive areas, such as medical or health information,
financial information, gender, marriage status, race/ethnicity, or veteran or
disability status.
How we collect your personal and/ sensitive information
In contexts such as study data collection, we may send you
a personalized link to access our Services to complete questionnaires. The type
of data that is collected in this case depends on the study. Conditions of
participation are described in the study consent forms.
How we use your personal and/ sensitive information
The data we collect about you
will only be used for the purpose for which you have given your consent, except
where otherwise provided by law. This includes data that we receive directly
from you or from other sources. For studies and business processes, use is authorized
and governed by separate contract and/or consent, and is not covered within
this Privacy Statement. Please refer to the study consent document you signed
or contact your study coordinator for more information.
How we use all collected information
To provide the Services
We use information about you to provide the Services
within our organization, to our business customers and you. Our uses include
using information about you where you have given us consent to do so for a specific
purpose not listed in this section.
To protect our legitimate business interests and legal rights
Where required by law or where we believe it is necessary
to protect our legal rights, interests and the interests of others, we use
information about you in connection with legal claims, compliance, regulatory,
and audit functions, and disclosures in connection with the acquisition, merger
or sale of a business.
Legal bases for processing General Data Protection Regulation users
If you are an
individual subject to the General Data Protection Regulation (GDPR), we collect
and process information about you only where we have legal bases for doing so
under applicable laws. The legal bases depend on the Services you use and how
you use them. This means we collect and use your information only where:
·
Consent. You give us consent to do so for a specific purpose;
or
·
Contract. We need it to provide you the Services, including to
operate the Services, provide customer support and personalized features and to
protect the safety and security of the Services; or
·
Legitimate Interest. Our use satisfies a legitimate interest (which is not
overridden by your data protection interests), such as for research, and to
protect our legal rights and interests; or
·
Legal Obligation. We need to process your data to comply with a legal
obligation.
How we share information we collect
We share information about you only for the purposes
described above. We never use, sell, or share your information for marketing
purposes. Certain other information you provide to us may be shared in
the ways described below:
Arbor Research partners
We work with third parties who provide consulting, support
and technical services to deliver and implement customer solutions around the
Services. We share your information with these third parties in connection with
their services, only to the extent necessary to enable the delivery of our
Services. If a partner needs to access information about you to perform
services on our behalf, they do so under contract with us, including abiding by
policies and procedures designed to protect your information.
Service providers
We work with third-party service providers to provide
website and application development, hosting, maintenance, backup, storage,
virtual infrastructure, and other services for us, which may require them to
access or use information about you. If a service provider needs to access
information about you to perform services on our behalf, they do so under contract
with us, including abiding by policies and procedures designed to protect your
information.
Business transfers
We may share or transfer information we collect under this
Privacy Statement in connection with any merger, sale of company assets,
financing, or acquisition of all or a portion of the Arbor Research business to
another company.
Third-Party apps
You may utilize third-party apps to extend the
functionality of the Services. Doing so may give third-party apps access to
your account and information about you like your name and email address, and
any content you choose to use in connection with those apps. Third-party app
policies and procedures are not controlled by us, and this Privacy Statement
does not cover how third-party apps that you choose to install use your
information. We encourage you to review the privacy policies/statements of
third parties before connecting to or using their applications or services to
learn more about their privacy and information handling practices. If you
object to information about you being shared with these third parties, please
disable the third-party app.
Compliance with enforcement requests and applicable laws
In exceptional circumstances, we may share information
about you with a third party if we believe that sharing is reasonably necessary
to (a) comply with any applicable law, regulation, legal process or
governmental request, including to meet national security requirements, (b)
enforce our agreements, policies and terms of service, (c) protect the security
or integrity of our Services, and (d) protect Arbor Research, our business
partners or the public from harm or illegal activities.
Security, Storage, Data Hosting Location
We have reasonable and appropriate safeguards in place to
help protect the information collected from loss, misuse, and unauthorized
access, disclosure, alteration, and destruction. There remains some residual
risk of compromise of individual information, despite implementation of
industry best practices for security.
How long we will keep your data
We will retain your information as needed to fulfill the
purposes for which it was collected. We will retain and use your data as
necessary to comply with our business requirements, legal obligations, protect
our assets, and enforce our agreements. Your data will be securely deleted when
no longer needed for the purpose(s) for which it was collected.
How to access, delete and control your information
You may access the personal data we have collected about you
to the extent required by law to review, update, and correct inaccuracies. Upon
request made to the contact information under the section titled “Contact Us,” we
will provide you with reasonable access to the personal data we have collected
about you. Your ability to access, delete, and control your data may be limited
in certain cases. For example, if you ask us to delete information which we are
permitted by law or have compelling legitimate interests to keep, we may not be
required to delete. If you have asked us to share data with third parties or
permitted a third-party to share data with us, you will need to contact the
third-party directly to have your information deleted or otherwise restricted.
If you have consented to the use of your personal
information for a study, please see the section titled “Consent and Consent
Revocation”. If you have unresolved concerns after we respond, you may have the
right to make a complaint to the data protection authority in the country where
you live, where you work, or where you feel your rights were infringed.
Consent and Revocation of Consent
For users of our services who are participants in data
collection studies, conditions of consent revocation or withdrawal are included
in the study consent documents. Generally, if you have consented to our collection
and use of your personal information for a specific purpose, you have the right
to change your mind at any time, but this will not affect any processing that
has already taken place. Where we are using your information because we or a
third-party (e.g., your employer or clinical trial sponsor) have a legitimate
interest to do so, you have the right to withdraw permission for that use,
though in some cases, this may mean no longer using the Services or
participating in a study.
Children’s Privacy
Outside of the context of a specific clinical research
study being conducted, for which research subjects have appropriately
consented, our Services are not intended for, or designed to attract,
individuals under the age of 13. We do not collect personally identifiable
information from any person we know to be under the age of 13.
Links to Independent Websites
Our Services contain links to third party websites. This
Privacy Statement does not apply to those sites. We suggest contacting those
sites directly for information on their privacy, security, data collection, and
distribution policies. We also maintain profiles and/or pages on various social
media sites including Facebook, Twitter, YouTube and LinkedIn. If you choose to
“Like” Arbor Research on Facebook, “Follow” us on Twitter, YouTube or LinkedIn,
or take any similar action on another social media site, you are providing your
consent to receive information updates from us. To stop receiving this
information on a social media site, you must follow the procedure established
by the social media site.
Privacy Notice for GDPR
This Privacy Statement applies to our United States location
and covers our processing activities as a data controller. We maintain the
Services in the United States, and the Services are not intended to subject Arbor
Research or any affiliated entity to the laws or jurisdiction of any state,
country or territory other than that of the United States. We do not represent
or warrant that the Services, or any part thereof, are appropriate or available
for use in any particular jurisdiction. Those who choose to access the
Services, do so on their own initiative and at their own risk. Regardless of
where you are located, by using the Services you consent to the transfer and
processing of your information to and in the United States, which may not
provide the same level of protection for your personal information as your home
country. You are responsible for complying with all local laws, rules and
regulations when you use our Services.
Arbor Research adheres to this Privacy Statement regarding
the collection, use, and retention of information about you that is transferred
from the countries that are subject to the GDPR. We ensure that our Privacy Statement
applies to all information about you that is subject to the GDPR. We are
responsible for the processing of information about you that we receive from GDPR
countries and onward transfers to a third party acting as an agent on our
behalf. We implement EU standard contractual clauses when necessary in our written
agreements and we will comply with our Privacy Statement for such onward
transfers. Arbor Research commits to resolve complaints about our collection or
use of your personal information. Individuals subject to GDPR with inquiries or
complaints regarding our Privacy Statement should first contact us or you may
also contact your local data protection authority for unresolved complaints.
Under GDPR Article 33, if
we are required to notify any affected users of a data breach, we will notify the
affected users after becoming aware of a personal data breach. However, we do
not have to notify affected users if their anonymized data is breached or if
the breach is unlikely to result in a risk to the rights and freedoms of the
affected user. Specifically, a breach notice
is not required if we have implemented one of the conditions under GDPR Article
34.
Updates to this Privacy Statement
We may change this Privacy Statement from time to time. We
will post any Privacy Statement changes on this page and, if the changes are
significant, we will provide a more prominent notice by adding a notice on the
Services homepages, login screens, or by sending you an email notification. We
will also keep prior versions of this Privacy Statement in an archive for your
review. We encourage you to review our Privacy Statement whenever you use the
Services to stay informed about our information practices and the ways you can
help protect your privacy.
Contact Us
If you have questions or concerns about how your
information is handled, please direct your inquiry to:
Privacy Officer
Privacy@ArborResearch.org
734-665-4108
3700 Earhart Road, Ann Arbor,
Michigan 48105