Privacy Statement
This Privacy Policy is provided to you by Pregistry, LLC (“Pregistry”, “we”, “our”). If you are reading this, it means that you are on one of our websites.
About us
We are a global company. Our headquarters are in the United States. You can find all our details here. Your protection is important to us. This Policy explains how we deal with your data, how we protect them and how we interact with you. There is some important information about your Personal Data and your rights in this Policy, so please take the time to read and understand it.
This Privacy Policy describes how Pregistry processes the Personal Data relating to individuals who have enrolled in our studies as participants as well as to visitors to our websites. When we refer to Personal Data, this includes personal information and health information. Processing includes how such data are collected, stored, accessed, processed, shared and disposed of.
Updating this Privacy Policy
Pregistry reserves the right to modify this Privacy Policy at any time by posting updated versions on its websites. Such versions shall take effect from the date of posting.
What laws do we comply with?
This Privacy Policy is provided to you in accordance with the following applicable Personal Data Protection laws:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR).
• Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
• The California Consumer Privacy Act 2018 (CCPA) as amended by the California Consumer Privacy Rights Act (CPRA).
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
• Other applicable national laws.
Why do we process your Personal Data?
Our primary reason for processing Personal Data is to allow Pregistry to identify
individuals who have voluntarily joined Pregistry’s studies as participants.
We are aware that processing Personal Data may represent a risk to you if those
data are accessed by unauthorized third parties. We have developed a set of
policies, operational processes, and mechanisms to ensure that the Personal
Data entrusted by you to Pregistry will be maintained, handled, and shared in a
manner that guarantees to the maximum possible extent having regard to the
current state of technical knowledge its security, accuracy, confidentiality, and
privacy.
Personal Data is exclusively processed under the scope and purpose of the
services described in this Privacy Policy.
Your data is under your control
Every individual maintains full control over their Personal Data (and, where applicable, that of their children), as well as over the Personal Data processing activities undertaken by Pregistry (as defined under applicable national Personal Data Protection legislation or the GDPR, whichever is stricter). If you don’t want something to be known, don’t share it!.
About the Data Controller
We are the Data Controller. We may at any one time be conducting epidemiological studies and surveys on a variety of topics about or related to pregnancy and babies. You can see a full list of our current studies here.
It is possible that participants may enroll in one or more studies simultaneously. Pharmaceutical companies that hold marketing authorizations for a particular product or products may act as financial contributors to a particular study. For full details, please visit our Partners page. However, you should know that where that is the case, the Personal Data of study participants are never shared by Pregistry with those entities.
Pregistry’s Data Protection Officer (DPO) contact information:
All questions or requests regarding the processing of the Personal Data may be addressed to Pregistry’s Data Protection Officer dpo.sm@ppd.com.
What we do and how we do it lawfully
Here we explain to you what we do (our services) and how we do it in compliance
with data protection laws (legal basis).
Pregistry’s services consist of allowing pregnant women to participate in our
studies and to provide information and support to those participants.
Our services are listed below. In respect of each we have explained the applicable
legal basis for processing your Personal Data.
Study Participation
Individuals are screened when joining a study. We ask them certain questions to
determine their eligibility for that study. If eligible, a form is then made available
for those individuals to input their data. The individual provides a name, phone
number and creates a user login (username, email and a password). After
verification of the individual by means of a one-time password, a consent form is
made available to the individual to read. If they wish to continue to join the study,
they are asked to confirm that they understand it by signing it. If you are that
individual, you should know that it is your free choice whether or not to sign this
form, join the study and become a registered user.
Registered users are then re-directed to the “Profile” stage where they are asked
to enter information related to the specific study where they may share Personal
Data.
After a profile is established, participants are asked some questions for the duration of the study. They may share Personal Data here as well.
Personal Data may consist of:
• Name
• Email 1
• Email 2 (optional)
• Enrolment ID
• Age
• Preferred Language
• Time Zone
• Phone number
• Phone number 2 (optional)
• Source
• IP Address
• Consent
• Consent name
• Login (password)
• Geolocation
• Region
• Country
• City
• Postal Code
• Medical history and details (optional)
• Race/Ethnicity
• Call recordings
The legal basis that supports this service is your explicit and informed documented consent.
Reporting Adverse Events
Study participants may report adverse events they have experienced in relation
to a particular product.
The study participant may report adverse events in scheduled questionnaire
modules or, at any time, using a button on the study website for participants.
Similarly, participants may upload their redacted medical records (and those of
their offspring), as medical records are used to improve the accuracy and validity
of the information.
We may use all of this information to determine internally whether there has
been an adverse event in relation to a particular product.
NOTE : We do NOT share those adverse events as Personal Data. Only
anonymized data is shared with third parties.
The legal basis that supports this service is a contractual obligation between
Pregistry and third parties.
Newsletters
We send out newsletters to individuals who have expressed interest in receiving
them.
The legal basis that supports this service component is legitimate interest, both
from our side in conveying information about our studies as well as yours in
being informed and aware of information related to the study that you are
participating in or other pregnancy-related information.
Processing (Treatment) of Personal Data Gathering/ Collection
We gather Personal Data directly from you at study enrollment and through
your actions and interactions with us. .
When you use a Pregistry website, a session cookie file may be placed on your
browser device.
For website visitors, Pregistry uses Cookies. Please check that you have set your
preferences in the cookie management tool. You should be aware that, in
some cases, the data collected in this way may make it possible for third parties
to identify an individual who has accessed the website. You should disable nonessential cookies if you wish to avoid this. Pregistry only uses cookies that record
information about the IT architecture and landscape of the device being used by
the visitor (e.g., browser, device, etc.). However, that visitor is never identified
personally by us. IP addresses are cross-referenced with other data for the
purpose of safeguarding both Pregistry, the study results, and the participants
from fraud attempts.
Pregistry acts under Legitimate Interest and fully informed consent with the
regards to those Personal Data processing activities.
Storing data
Pregistry is a digital company. The Personal Data we require to operate is
exclusively maintained in digital format on our IT systems hosted in the
European Union at Amazon Web Services (AWS).
Pregistry internally uses pseudonymization at the stage between the Personal
Data collection and the anonymization of data via internal unique keys.
Data in transit and at rest are encrypted. This guarantees their security and
confidentiality.
Personal Data Sharing
Pregistry only shares fully anonymized data. Pregistry never shares any identifiers that constitute Personal Data.
Recordings
In addition to interaction via the platform or by email, designated Pregistry staff
may speak with you both over the phone or video call using the software Aircall.
Due to operational reasons, the phone and video calls are recorded and stored by
Pregistry, unless you expressly refuse the recording at the beginning of the call.
You always have the option to refuse recordings.
Aircall saves fully encrypted calls in the European Union. If you wish to know
more, you should refer to Aircall’s own Privacy Policy.
You should avoid sharing any Personal Data that either do not relate to you or to
your child or that are irrelevant to the study when speaking to Pregistry staff over
the phone or video call.
Data Minimization
Pregistry takes all reasonable steps to ensure that Personal Data under its direct processing activities (as the Controller) is limited to the amount and type that is necessary for the successful execution of the studies.
Personal Data Security, Privacy, and Confidentiality Assurance
Pregistry’s IT landscape is configured and monitored under guidance provided by the strictest security market standards (e.g., ISO 27000 family, Soc2, ITIL, Privacy by Design) and we have reviewed and adopted changes to our operational processes in a manner that ensures compliance with the requirements posed under applicable Personal Data protection legislation. This is intended to ensure confidentiality and privacy under Personal Data processing activities performed by us and our partners.
Personal Data Retention
Pregistry determines the data retention period according to applicable laws and
by reference to the duration of each study. Pregistry does not hold Personal Data
for longer than strictly necessary. Additionally, Pregistry ensures that the risk of
information being deleted prior to the end of its lifecycle is minimized.
Study participant Personal Data are erased within a maximum of one month (30
days) after leaving/completing the study or one month (30 days) after receipt of a
request to erase Personal Data. However, we use our best efforts to erase the
Personal Data within 48 hours of the completion of the study or the request, as
the case may be.
Your data rights
Under applicable Personal Data Protection Legislation, you have the following
rights in respect of your personal data:
[HIPAA] The right to receive a notice of privacy practices. This Privacy Policy
and the information provided to you when requesting your consent to become a
study participant shall stand as notice of our privacy practices.
[GDPR] Right of access. The right to obtain from us confirmation as to whether your Personal Data are being processed, and, if so, to access such Personal Data as well as related information. You may exercise this right by reviewing information on the Pregistry website user account area or by submitting a request to our Data Protection Officer.
[CCPA/CPRA] Right to know and access your personal information – California residents have the right to:
• Know the categories of personal information we collect and the categories of sources from which we got the information;
• Know the business or commercial purposes for which we collect and share personal information;
• Know the categories of third parties and other entities with whom we share personal information; and
• Access the specific pieces of personal information we have collected about you.
[HIPAA] The right to access and request a copy of medical records.
[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data. Participants may directly amend existing information on the Pregistry website user account area or by submitting a request to our Data Protection Officer.
[HIPAA] The right to request an amendment to medical records.
[GDPR] Right to erasure. The right to have your Personal Data that is processed by Pregistry erased and, therefore, to have processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents Pregistry from observing such right, in which case the data subject shall be duly informed. This right may be exercised by submitting a request to our Data Protection Officer.
[CCPA/CPRA] Right to deletion – California residents may, in some circumstances, ask us to delete their Personal Data. We may refuse the exercise of such right if it prevents us from exercising legal defense, if we cannot do so because of a legal obligation or there is the risk that by doing so, we cannot fulfill any current contractual obligations.
[GDPR] The right to restrict processing. This is the right to request and impose processing restrictions (in scope and purpose) for your Personal Data. This right may be exercised by submitting a request to our Data Protection Officer.
[GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy as arising under the legal basis of Legitimate Interest on the part of Pregistry. This right may be exercised by submitting a request to our Data Protection Officer.
[CCPA/CPRA] Right to opt out of sales – We do not sell your data, under any circumstances.
[GDPR] Right to data portability. The right to receive your Personal Data in a structured, commonly-used and machine-readable format as well as the right to transmit them to another controller without obstacle. This right may be exercised by submitting a request to our Data Protection Officer.
[GDPR] Right to be informed about a Personal Data Breach. You have the right, and it is our obligation to ensure it, to be informed of any unauthorized disclosure or potential disclosure of your Personal Data to unauthorized third parties within 72 hours of the occurrence of such disclosure or knowledge by Pregistry of potential disclosure, as the case may be.
[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Pregistry’s processing activities in relation to Personal Data with any of the European Union Member States’ data protection Supervisory Authorities as well as your local Supervisory Authority if you are located outside of the European Union. You can find a list of the European Union Member States; data protection Supervisory Authorities here Our Members | European Data Protection Board (europa.eu).
[CCPA/CPRA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against. For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf.
You may exercise your rights under GDPR by contacting Pregistry’s Data Protection Officer through the e-mail address dpo.sm@ppd.com . Please make sure to ask for a copy of our Data Subject Access Request policy when you do so.
Version 2.0, March 23, 2023