Velocity Privacy Policy

Document Title: Velocity Privacy Policy
Document #: POL GEN-007
Revision #: 00
Effective Date: 15 Apr 2024

1. Introduction

Velocity Clinical Research Inc. ("we" or "our", “Velocity”) collects, stores, and processes Personal Data about individuals such as employees, suppliers, patients, and other third parties (“Data Subjects”) for a variety of purposes.

This policy outlines how we seek to protect such Personal Data. It helps ensure that we understand the principles governing the use of Personal Data. It also describes how we collect, handle and store Personal Data to meet our own data protection standards, and to comply with the EU General Data Protection Regulation 2016/679 (the "GDPR") and other related regulations and delegated national legislation (together "Data Protection Law").

Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

a. Scope

This policy applies to all Employees who handle the Personal Data of individuals for business purposes both inside and outside of Velocity.

b. Objective

Our objective is to protect the data subjects by obtaining, collecting, handling, and processing their Personal Data in accordance with applicable data protection law.

c. Consequences of breaching this policy

We take compliance with this policy and our obligations under Data Protection Law very seriously. A failure to do so may put our employees, others and Velocity as a whole at risk of non-compliance. Any breach of this policy may result in disciplinary action being taken, up to and including dismissal.

d. Related policies and procedures

This policy supplements our other related policies and procedures (which may be implemented or amended from time to time). They can be found stored within MasterControl, Velocity’s Quality Management System (QMS) document repository.

e. What is data protection and why is it important

All individuals have rights pertaining to the way in which their Personal Data are processed. The term "Data Protection" in this policy refers to the processing of Personal Data in such a manner as to provide and protect the corresponding rights to privacy which Data Subjects have and their legal protection surrounding Personal Data (according to applicable data protection law).

f. What are Personal Data

Personal Data means any data (or a combination of data) from which a living individual can be identified directly or indirectly. Personal Data can be factual, or it can be an opinion about an individual, their actions, and behavior.

Within Personal Data there is a sub-category: Special Categories of Personal Data. These are information related to a person's race or ethnicity, political opinions, religious, spiritual or philosophical beliefs, trade union membership, physical or mental health, sexual life, biometric data for the purpose of uniquely identifying a natural person, genetic data and data concerning a natural person's sex life or sexual orientation (according to data protection law, e.g. Art. 9 GDPR). There are even stricter conditions for processing Special Categories of Personal Data.

2. Data protection principles

There are several principles under data protection law which must be satisfied while processing Personal Data. In the following section you will find a description of how we aim to achieve compliance with these principles:

  • Accountability: We are responsible for ensuring and must be able to demonstrate that the key principles and rules of Data Protection Law are met.
  • Lawfulness, Fairness and Transparency: Personal Data may only be processed lawfully, fairly and in a transparent manner. This means we must inform Data Subjects on how and why we process their data (transparency), that the processing must match the description given to the Data Subjects (fairness), and that the processing uses one of the legal bases set forth in data protection law (lawfulness).
  • Purpose Limitation: We must specify exactly what the Personal Data we collect will be used for (prior to collecting them) and limit the processing of that Personal Data to only what is necessary to meet the specified purpose.
  • Data Minimization: The Personal Data we collect shall be adequate, relevant and limited only to what is necessary for the purposes for which they are processed.
  • Accuracy: We have processes in place to ensure that Personal Data is accurate and kept up to date.
  • Storage Limitation: Personal Data shall be kept in such a way which enables us to identify the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.
  • Security/Integrity and Confidentiality: We use appropriate technical and organizational measures to protect the integrity and confidentiality of Personal Data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.

a. Accountability

Monitoring

There are significant implications for Personal Data Breaches or non-compliance with our legal responsibilities under data protection law. It is our responsibility to process all Personal Data in accordance with our legal obligations and the principles of Data Protection.

If we do not meet the accountability requirements of data protection law, there is not only a risk of non-compliance, but also a significant risk to our reputation.

We assess compliance with this policy in two regards:

  1. Compliance in relation to the protection of Personal Data in general
  2. The effectiveness of Data Protection measures related to our operational practices

We conduct reviews on a regular basis and follow the rules of the PDAC Cycle (Plan-Do-Act-Check) for the control and continuous improvement of our processes. This is to establish that an adequate level of compliance is being achieved.

Personal data breach reporting

It is our responsibility to report a personal data breach to the appropriate supervisory authority within 72 hours, if required by law (this is counted from the time we became aware of the incident).

When it is suspected that a Personal Data Breach has taken place for which we are responsible (as Controllers) it must be investigated internally by the Data Protection Officer (DPO) and the incident response team. If the incident results in a risk for Data Subjects, it must be reported to the applicable supervisory authority within 72 hours of becoming aware of the incident.

Training

All Employees must complete Data Protection training relevant to their position.

The Human Resources team is responsible for ensuring that new employees are trained as part of onboarding, and all employees are retrained annually on Data Protection or whenever there is a substantial change in the law or our policy and procedure, whichever is more frequent.  Velocity Quality is responsible for maintaining training records and storing the most up-to-date training materials and documents.

Responsibility

Each Employee who handles Personal Data has a responsibility to handle and process the Personal Data in line with this policy and applicable data protection law.

There are positions in Velocity with specific areas of responsibility:

  • Company Leadership is ultimately responsible for ensuring that we meet our legal obligations.
  • The Velocity Privacy Officer has overall responsibility for ensuring compliance with Data Protection Law.
  • The Privacy Team has overall responsibility for the day-to-day implementation of this policy and for:
    • Reviewing all Data Protection procedures and policies on a regular basis
    • Arranging Data Protection training and advice for all staff members and those included in this policy
    • Responding to Data Subjects who wish to know which Personal Data are being held on them by us
    • Checking and approving with third parties that handle our Personal Data and contracts or agreements regarding Processing
    • Maintaining a Record of Processing Activities incl. regular reviews and approvals
  • The Head of Information Technology is responsible for:
    • Ensuring that all systems, services and equipment used for storing data meet acceptable security standards
    • Performing regular checks and scans to ensure security hardware and software is functioning properly
    • Evaluating any third-party services Velocity is considering using to retain or process Personal Data

Overview over processing activities

Data protection law stipulates broad requirements regarding the documentation and proof of compliance with Data Protection obligations. A key element in this regard is the overview over processing activities as set forth in data protection law. We demonstrate data protection compliance through documentation in the Foxondo application[1].

“Privacy by design”

We seek to structure internal processes to have Data Protection principles embedded into every stage of processing activities. “Privacy by design” means that, both before and during any processing activity we carry out, we must implement appropriate technical and organizational measures to integrate safeguards into the processing. This is important to protect Data Subjects and meet the requirements of data protection law.

We always aim to implement appropriate technical and organizational measures both at the time of determination of the means for processing and at the time of the processing itself to ensure the principle of Data Minimization is met.

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, a pre–Data Protection Impact Assessment (DPIA) check must be completed before starting a project (a preliminary, shorter Data Protection Impact Assessment). Depending on the outcome, a full DPIA might be legally required.

b. Lawfulness, fairness and transparency

We are responsible for understanding the context in which the Personal Data processing occurs as part of our day-to-day operations. We want to ensure that this is done fairly and in line with the law, and that we can clearly describe this to Data Subjects. We will always process Personal Data lawfully, fairly, and transparently in accordance with the Data Subject's rights.

Our third-party suppliers/contractors that process Personal Data on our behalf also have obligations of data protection. As such, we are legally required to:

  • only engage the services of third-party suppliers/contractors who can demonstrate compliance with data privacy law, e.g. GDPR;
  • put in place prescribed contractual arrangements with third party suppliers/contractors which meet the requirements of data privacy law, e.g. GDPR; and
  • demonstrate to the data protection authorities that we have complied with these legal obligations.

Personal data collection and notification

We may only collect Personal Data where it is necessary for lawful purposes or explicitly allowed. We will only collect Personal Data from Data Subjects if one of the following statements applies:

  • We are required to do so by an obligation imposed on us by law, e.g. EU or applicable local law.
  • The processing is necessary for business purposes and for our organization to enter into or perform its contractual obligations with Data Subjects.
  • The processing is in our (reasonable) legitimate interests and the data subjects do not have more important conflicting interests.
  • The individuals consented. This consent needs to be freely given and to be gathered according to applicable data protection law, e.g. Art. 7 GDPR.
  • The data processing is in the vital interest of the data subject or another person.

When we collect personal data, we provide Data Subjects with information regarding the processing of their personal data free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This includes information on third parties to which their personal data is disclosed and the purpose for which this happens.

Where Personal Data is transferred from GDPR territory to the USA within the Velocity Group, this will include information that:

  • Velocity is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC);
  • Velocity is obliged to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of the Principles;
  • Velocity is required to disclose personal information in response to lawful requests by public authorities, including to meet international security or law enforcement requirements;
  • Velocity is liable in cases of onward transfers to third parties.

c. Purpose limitation: Processing for limited purposes

Personal Data collected for one purpose may not usually be used for a different purpose. We aim to only process Personal Data for purposes specifically permitted under data protection law. We inform the Data Subjects of those purposes.

d. Data minimization: Adequate, relevant, and non-excessive processing

Every processing should only use as much Personal Data as is required to successfully accomplish a particular purpose. We will always seek to collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject, and do not collect Personal Data which we do not need.

e. Accuracy: Ensuring that personal data is accurate

We aim to ensure that our systems and processes for identifying inaccurate information are robust and to act quickly to update or erase any inaccurate Personal Data. We endeavor to ensure that the Personal Data we hold is accurate and kept up to date. The Data Subjects may ask that we correct inaccurate Personal Data relating to them.

f. Storage limitation: Timely processing and data retention

We aim to not keep the Personal Data of Data Subjects for any longer than is necessary in accordance with applicable law. We take all required steps to destroy or erase all Personal Data from our systems (electronic/paper-based) which is no longer required.

All employees must ensure that they are familiar with the deletion concept/retention policy.

g. Security/integrity and confidentiality: Security of personal data

We should always make sure that all Personal Data held by us are subject to a level of security that is appropriate for the potential risk. We take appropriate security measures against unlawful and unauthorized processing of Personal Data, and against the accidental loss of, or damage to, Personal Data in line with our Information Security policy. Security procedures include (but are not limited to):

  • Entry controls – Visitors cannot access facilities without assistance from employees and are not permitted in locations where personal data are stored unless escorted.
  • Secure lockable desks and cupboards – desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Access controls – Data stored on a computer is protected by strong passwords and identification technologies.
  • Retention location controls – Data is never saved directly to mobile devices such as laptops, tablets, or smartphones (but to centralized servers).
  • Methods of disposal – paper documents are disposed of in locked boxes and shredded by a licensed and bonded shredding service. Digital storage devices are wiped using a full data overwrite or physically destroyed when they are no longer required.
  • Equipment – data users ensure that individual monitors do not show confidential information to passers-by and that they log off from or lock their PC when it is left unattended.

3. Rights of the data subject

We must deal with any requests from Data Subjects exercising their rights without undue delay, and within one month of receipt. It may only take longer if exceptional circumstances are in place.

Data subjects have the following rights:

  • Right to information
  • Right to rectification (data correction)
  • Right to deletion
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to a purely automated decision with negative effects

Data Subjects also have the right to lodge a complaint with the Data Protection supervisory authority about how we process their Personal Data.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

4. Data transfers

We sometimes transfer Personal Data to other entities. These entities can be subsidiary companies within our group but also other companies who process data on behalf of our company or provide the IT systems and services our users employ to process data.

Velocity will always ensure that these transfers have a legal basis. Where necessary for data transfers from the EU, Velocity will have in place Standard Contractual Clauses.

If we engage companies to process data on our behalf, we will cooperate only with processors who fulfil our requirements of providing appropriate technical and organizational measures which meet our standards and the requirements of data protection law. Before personal data is processed, data processing agreements will be signed to bind the processor accordingly.

5. Velocity Privacy Officer and Data Protection Officer

The Velocity Privacy Officer helps facilitate our compliance with data protection law and acts as a point of contact for day-to-day issues and questions on data protection for both employees and the Data Protection Officer. The Velocity Privacy Officer has overall responsibility for managing the roll out of the various data protection law project work streams and the day-to-day implementation of this policy. These are her contact details:

          Velocity Privacy Officer: Brandi Lang - privacy@velocityclinical.com.

The Data Protection Coordinator is the main contact point for our Data Protection Officer, whose contact details are the following:

          Data Protection Officer: Alef Völkner and her team - tel. +49 22 66 - 90 15 920, DSB@fox-on.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Velocity at the above-mentioned contact details.

The data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The data protection officer reports directly to the highest management level.

6. Revision History

Version Number | Revision Date | Revision Summary
00 | NA | Original

7. Glossary of Terms

Term | Meaning
Employee(s) | All those employed or engaged in any capacity by Velocity. For the purposes of this policy, the word Employees extends to include the following categories: Board Members, Employees (full time, fixed term, part time and temporary), Contract workers, applicants and pensioners.
Controller | A Controller is a person or organization that determines the purposes for which, and the manner in which, any Personal Data are processed, establishing practices and implementing policies in line with applicable data protection law.
Data Protection | This term refers to the relationship between the processing of Personal Data, the associated expectations of privacy and the legal protection surrounding them.
Data Subject | The individual to whom Personal Data relates such as an employee, client, contact person with a business partner, etc.
Data Protection Authority | The Data Protection Commission is the supervisory authority/regulator responsible for enforcing Data Protection Law and upholding the data protection and privacy rights of Data Subjects in relation to the Processing of their Personal Data.
Personal Data | Personal Data means any information (or a combination of information) from which a living person can be directly or indirectly identified as well as information containing statements about a person (e.g., Name, salary information, marital status, sick leave dates).
Personal Data Breach | This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Processing | Processing is any activity which involves the use of Personal Data. It includes i.e. obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on Personal Data including organizing, amending, retrieving, using, disclosing, erasing or destroying data. Processing also includes sharing or transferring Personal Data to third parties and accessing of Personal Data held by a Controller or Processor.
Processor | A Processor is any organization or external person that processes Personal Data on behalf of and/or on instruction of a Controller.
Special Categories of Personal Data | As defined in data protection law, e.g. Art. 9 GDPR: Personal Data that are related to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or sexual life/orientation, biometric data for the purpose of uniquely identifying a natural person and/or genetic data.

Document Title: Privacy Notice - HR -- Employee
Document #: FORM GEN-001
Revision #: 00
Effective Date: 15 Apr 2024

Privacy Notice for Employees

This document informs you about the processing of your personal data by your employer, Velocity Clinical Research. Velocity Clinical Research is the Data Controller of your personal data.

Purposes of the data processing, personal data and legal basis

We process your personal data solely for employment purposes (onboarding, throughout employment, and during termination) related to your role and function in our company and for our legitimate business interests. These include:

Purpose | Personal data categories | Legal basis
Personnel management (e.g. maintenance of employee files), onboarding, external communication | Basic employee data (e.g. name, gender, nationality, private address and contact information, employee number and IDs, position, information on work equipment, contract data, social security number, work permits, insurance data) | Performance of (temporary or permanent) employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR)
Quality management and tracking of personnel actions | Basic employee data, information on specific actions (e.g. participation in internal processes, actions taken in clinical studies, shift planning) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR); legitimate interests of keeping high quality standards in the company (in the EU: Art. 6 (1) (f) GDPR)
Payments and accounting (including payroll accounting, payment of wages and salaries, financial accounting, tax withholdings, personnel cost planning and budgeting) | Basic employee data, payment data (e.g. salary and payments, loans and advances, bonuses, national insurance number, banking data, travel expense data) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR)
Pensions management | Name, contract data (e.g. on termination of employment, position), pension and social security data (e.g. salary, special payments, absences). | Fulfilment of legal duties (in the EU: Art. 6 (1) (c) GDPR).
Employee time management (including organization of absences, planning and recording of working hours and vacation time, parental leaves) | Basic employee data and time management data (e.g. working hours, holiday and other absences, parental leave, sick leave, family medical leave) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act)
Performance reviews, internal talent management | Basic employee data and performance data (e.g. training data, performance reviews, metrics, roles, supervisor name) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act); internal talent acquisition is based on legitimate interests in keeping high quality standards in the workforce
Training and development | Basic employee data and training data (e.g. training events, training history, skills assessment results) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act)
Recording work incapacity | Basic employee data and incapacity data (e.g. on work accidents, examinations, emergency contact information) | Fulfilment of employment-related duties (e.g. in Germany: Sec. 26 (3) of the Federal Data Protection Act)
IT security and improvement | Name, technical data (e.g. employee ID, laptop ID and configuration, laptop security alerts, login data) | Legitimate interests in keeping the IT infrastructure secure (e.g. in the EU: Art. 6 (1) (f) GDPR)
Legal claims and disputes management | Name, claims-related information (e.g. information on disciplinary actions, breaches, warnings) | Legitimate interests (in the EU: Art. 6 (1) (f) GDPR, or in case of special categories of personal data: Art. 9 (2) (f) GDPR)

In limited cases, we will rely on your consent, e.g. for publication of your photo or keeping lists on anniversaries and birthdays (in the EU: Art. 6 (1) (a) GDPR).

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarters is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU employee data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private.

Source and categories of data

We process the data you provide us. We may also receive data about you from third parties:

  • Via the tax office: wage tax-relevant data (such as: marital status, child allowances)
  • Via your health insurance company (electronic certificate of incapacity for work, if applicable, information on children's sick pay or maternity protection)
  • Courts/creditors (in the case of garnishments or legal inquiries)

Retention periods

The data we collect about you will be deleted as soon as it is no longer required for the performance of the employment relationship, or the employment relationship has been terminated and there are no statutory retention periods to the contrary. Retention periods result from tax law, labour law and social security law regulations and generally extend up to 10 years.

Provision of data

You must provide us with the personal data that is necessary for us to be able to perform the contract with you and which we are legally obliged to collect. Without providing this mandatory information, we may not be able to enter into or maintain an employment relationship with you.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

If you have any questions about your rights and how to exercise them, please contact Human Resources or Velocity Clinical’s Privacy Officer at privacy@velocityclinical.com.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title Privacy Notice - Non HR - Data protection information for business partners or contact persons at our business partners
Document # FORM GEN-002
Revision # 00
Effective Date 15 Apr 2024

Privacy Notice for business partners or contact persons at our business partners

Purpose of the data processing

We process your personal data for the following purposes:

  • Establishment of professional contact and communication
  • Maintaining business relations and implementing contracts between us and your employer or client

Legal basis

We process your data for our legitimate interests as stated above (Art. 6 Para. 1 Letter f GDPR). These are the performance of the contract and the maintenance of the business relationship with you or your employer/client. Insofar as we process personal data beyond this, this is based on your consent (Art. 6 Para. 1 Letter a GDPR).

Categories and sources of personal data

We process the following information about you: Name, gender, title, professional contact data, professional position, employer, financial data, information on previous communication. If you have voluntarily provided us with additional data, we may also have stored this data. If you have not provided us with your data yourself, we have received it from your employer or another business partner.

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarters is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private. 

Source and categories of data

We process the data you provide us. We may also receive data about you from third parties:

  • Your employer when we are in business contact.

Retention periods

The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title Privacy Notice - Non HR -- Patients Recruitment Database
Document # FORM GEN-003
Revision # 00
Effective Date 15 Apr 2024

Privacy Notice for Patient Recruitment

Purpose of the data processing

We process your personal data for the following purposes:

  • building up and maintaining a database of potential participants for future studies
  • informing potential participants about studies that might be relevant for them

Legal basis

We process your personal data with your consent (Art. 6 para. 1 letter a GDPR) and to comply with legal and official requirements (Art. 6 para. 1 letter c GDPR).

Categories of personal data

We process the following data about you: Name, address, gender, contact data, date of birth, marital status, health data.

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarters is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private. 

Retention periods

The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods.  We will only store your data for as long as you do not revoke your consent. As soon as you withdraw your consent, we will delete this data from our patient database.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title Privacy Notice for web page visitors
Document #
Revision #
Effective Date

Privacy Notice for Web Page Visitors

Introduction

Velocity Clinical Research Inc. ("Velocity" or "We") respects your privacy and is committed to protecting it through our compliance with this policy.

This policy describes the types of information we may collect from you or that you may provide when you visit this website (our "Website") and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

  • On this Website.
  • In email, text, and other electronic messages between you and this Website.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by Velocity or any third party (including our affiliates and subsidiaries); or
  • Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or on the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Children Under the Age of 16

Our Website is not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at info@velocityclinical.com.

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please see Your California Privacy Rights for more information.

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website, including information:

  • By which you may be personally identified, such as name, postal address, e-mail address, and telephone number ("personal information");
  • That is about you but individually does not identify you, and/or
  • About your internet connection, the equipment you use to access our Website, and usage details.

We collect this information:

  • Directly from you when you provide it to us, such as by submitting an online form or sending us email.
  • Information collected automatically may include usage details (e.g., engagement and discontinuation of use), IP addresses, and information collected through cookies, web beacons, and other tracking technologies.

Information You Provide to Us

The information we collect on or through our Website may include:

  • Information that you provide by filling in forms on our Website. This includes information provided at the time you submit a "contact us" or "please provide more information" form. We may also ask you for information when you report a problem with our Website.
  • Records and copies of your correspondence (including email addresses), if you contact us.

Information We May Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Click here for information on how you can opt out of behavioral tracking on this website and how we respond to web browser signals and other mechanisms that enable consumers to exercise choice about behavioral tracking.

The information we collect automatically may be only statistical data and not include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Choices About How We Use and Disclose Your Information.
  • Web Beacons. Pages of our Website [and our e-mails] may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit Velocity, for example, to count users who have visited those pages or [opened an email] and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

We do not collect personal information automatically, but we may tie this information to personal information about you that we collect from other sources or you provide to us.

Third-Party Use of Cookies and Other Tracking Technologies

Some content or applications on the Website are served by third parties, including possibly advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

For example, we may use third-party analytics companies, such as Google Analytics, to evaluate use of our Website. We or our service providers use these tools to help us understand use of, and to improve, our Website, performance, and user experiences. These entities may use cookies and other tracking technologies, such as web beacons or local storage objects (LSOs), to perform their services.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information. By clicking here, you can learn more about Google Analytics.

Pixels are small files that deliver data to third parties when loaded, and are used to identify repeat visitors to our site, as well as to track and target the interests of our users to enhance the experience on our site. The following cookies and pixels are used on our website for the following purposes:

  • Google Analytics
    • Website Analytics
  • Google Ads
    • Conversion Tracking
  • Facebook Pixel
    • Website Analytics
    • Conversion Tracking
    • Remarketing
  • Instagram Pixel
    • Website Analytics
    • Conversion Tracking
    • Remarketing
  • Stackadapt Pixel
    • Conversion Tracking
    • Remarketing

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google") which uses cookies to help the web team analyze how users use the site. The information generated by the cookies about your use of the website (including your IP address) will be transmitted to and stored by Google under their privacy policies. You may opt out of Google’s use of cookies by visiting the Google advertising opt-out page. You may also refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of your information by Google in the manner and for the purposes set out above. In accordance with Google’s guidelines, Velocity may use remarketing to advertise new studies across other websites that users visit. In such cases, Google and other third-party vendors may show Velocity ads on websites you visit after visiting this website. You may opt out of this remarketing campaign through the Google Ad Settings page.

To learn more, visit: https://support.google.com/analytics/answer/6004245?hl=en&ref_topic=2919631

Facebook

We use the “visitor action pixels” from Facebook Inc (1 Hacker Way, Menlo Park, CA 94025, USA (“Facebook”)) on our website.

This allows user behavior to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes.

You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address: https://www.facebook.com/settings?tab=ads.

reCAPTCHA

We use the reCAPTCHA service (v3) provided by Google Inc. (Google) to protect your submissions via internet submission forms on this site.  By using the reCAPTCHA service, you consent to the processing of data about you by Google, subject to the Google Privacy Policy and Terms of Use.

Links to Other Websites

This website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable information.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present our Website and its contents to you.
  • To provide you with information or services that you request from us.
  • To fulfill any other purpose for which you provide it.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Website or any services we offer or provide through it.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

We may also use your information to contact you about services that may be of interest to you. If you do not want us to use your information in this way, please check the relevant box located on the form on which we collect your data. For more information, see Choices About How We Use and Disclose Your Information.

We may use the information we have collected from you to enable us to display advertisements to our advertisers' target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Disclosure of Your Information

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Velocity’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Velocity about our Website users is among the assets transferred.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We may also disclose your personal information:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our agreements.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Velocity, its subsidiaries or affiliates, any of our customers, or others.

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

  • Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
  • Promotional Offers from Velocity. If you do not wish to have your contact information used by Velocity to promote our services, you can opt out by checking the relevant box located on the form on which we collect your data, or by sending us an email stating your request to: info@velocityclinical.com. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to Velocity as a result of a purchase, warranty registration, service experience or other transactions.

We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information.

California's "Shine the Light" law (Civil Code § 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to: info@velocityclinical.com.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users' personal information, we will notify you through a notice on the Website home page. The date the privacy policy was last revised is identified at the top of the page. You are responsible for periodically visiting our Website and this privacy policy to check for any changes.

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at:

info@velocityclinical.com

Document Title Velocity Privacy Notice for California Residents
Document # FORM GEN-012
Revision # 00
Effective Date 06 Sep 2024

VELOCITY PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

This Privacy Notice for California Residents (“Notice”) supplements the information contained in the Velocity Clinical Research, Inc. (“Velocity”) privacy policy and applies to visitors and users who reside in the State of California (“consumers” or “you”).  We provide this notice in compliance with the California Consumer Privacy Act of 2018 (CCPA).  Certain terms in this Notice are defined by the CCPA and their meanings may differ from the meanings that apply elsewhere on our websites.

Notice Scope  

This Notice applies to your use of publicly available Velocity resources available via the internet, which include but are not limited to: VelocityClinicalTrials.com; Vision Engage; Vision Recruit (each item is a “Velocity Website or Application”).

Personal Information Velocity May Collect

By using a Velocity Website or Application, you may provide Velocity with information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you, your household, or your device (“personal information”).  Please review the privacy policy associated with the Velocity Website or Application you use to review the personal information you may provide to Velocity during your use.

In particular, Velocity has received the following categories of personal information from users of Velocity Websites or Applications within the last 12 months.

Categories of Personal Information and Specific Types of Personal Information Collected

Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)
  • Real name
  • Alias
  • Postal address
  • Internet Protocol Address
  • Email address

Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  • Name
  • Signature
  • Social security number
  • Physical characteristics
  • Driver’s license
  • Telephone number
  • Education
  • Employment
  • Employment history
  • Gender
  • Language
  • Race
  • Ethnicity

Characteristics of protected classifications under California or federal law.
  • Sex
  • Race
  • Age
  • Ethnicity
  • Sexual Orientation
  • Marital Status
  • National Origin

Biometric information
  • Fingerprint
  • Face ID

Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement)
  • Browser history
  • Search history

Geolocation data
  • Geolocation data

Audio, electronic, visual, thermal, olfactory, or similar information
  • Text messages
  • Emails
  • Phone messages

Professional or employment-related information
  • Employer
  • Profession

Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
  • Behavioral Tracking
  • Pixels/cookies/beacons

Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Race
  • Ethnicity

Processing of biometric information for the purpose of uniquely identifying a consumer
  • Fingerprint ID
  • Facial Recognition

Health information
  • Health history
  • Immunization history
  • X-rays and imaging
  • Medical Conditions
  • Current Medications
  • Primary Care Physician
  • Height and weight
  • Birth control methods

Sex life or sexual orientation
  • Sexual orientation

Potential Sources of Personal Information

How Your Personal Information is Collected. We collect personal information from the following categories of sources:

  • You, directly in person, by telephone, text, or email and/or via our website and apps
  • Third party with your consent (e.g., your bank)
  • Advertising networks
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating systems and platforms
  • Social networks
  • Data brokers
  • Publicly accessible sources (e.g., property records)
  • Cookies on our website
  • Our IT and security systems, including:
    • Door entry systems and reception logs
    • Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email, and instant messaging systems

How and Why We Use Your Personal Information. Under data protection laws, we can only use your personal information if we have a proper reason for doing so, for example:

  • To comply with our legal and regulatory obligations
  • For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable
  • For our legitimate interests or those of a third party –or–
  • Where you have given consent

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information for and our reasons for doing so:

What we use your personal information for, and our reasons

To provide services to you
Our reasons:
  • For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable

To prevent and detect fraud against you or Velocity Clinical Research, Inc.
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you

Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator
Our reasons:
  • To comply with our legal and regulatory obligations

Gathering and providing information required by or relating to audits, inquiries or investigations by regulatory bodies
Our reasons:
  • To comply with our legal and regulatory obligations

Ensuring business policies are adhered to, e.g., policies covering security and internet use
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you

Operational reasons, such as improving efficiency, training, and quality control
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you

Ensuring the confidentiality of commercially sensitive information
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information
  • To comply with our legal and regulatory obligations

Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you

Preventing unauthorized access and modifications to systems
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you
  • To comply with our legal and regulatory obligations

Updating and enhancing clients and participants’ records
Our reasons:
  • For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable
  • To comply with our legal and regulatory obligations
  • For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our participants about existing orders and new products

Statutory returns
Our reasons:
  • To comply with our legal and regulatory obligations

Ensuring safe working practices, staff administration and assessments
Our reasons:
  • To comply with our legal and regulatory obligations
  • For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

Marketing our services and those of selected third parties to:
  • Existing and former clients and participants
  • Third parties who have previously expressed an interest in our services
  • Third parties with whom we have had no previous dealings
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to promote our business to existing and former clients and participants

External audits and quality checks, e.g., Sponsor audits; financial audits
Our reasons:
  • For our legitimate interests or those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
  • To comply with our legal and regulatory obligations

Who We Share Your Personal Information With. We routinely share personal information with:

  • Our affiliates, including companies within the Velocity Clinical Research, Inc. group
  • Service providers we use to help deliver our services to you, such as payment service providers, warehouses, and delivery companies
  • Other third parties we use to help us run our business, such as marketing agencies or website hosts
  • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers
  • Credit reporting agencies
  • Our insurers and brokers
  • Our bank

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

Beyond the data collection and use as specifically set forth herein, Velocity does not sell data to third parties.

Categories of Personal Information We Disclosed for a Business Purpose. In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:

  • Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers)
  • Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
  • Characteristics of protected classifications under California or federal law
  • Biometric information
  • Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement)
  • Geolocation data
  • Audio, electronic, visual, or similar information
  • Professional or employment-related information
  • Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes –and–
  • Sensitive personal information

You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You. You have the right to know, and request disclosure of:

  • The categories of personal information we have collected about you, including sensitive personal information
  • The categories of sources from which the personal information is collected
  • The categories of third parties to whom we disclose personal information, if any –and–
  • The specific pieces of personal information we have collected about you

Please note that we are not required to:

  • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained
  • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information –or–
  • Provide the personal information to you more than twice in a 12-month period

Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose. In connection with any personal information we may sell, share, or disclose to a third party for a business purpose, you have the right to know:

  • The categories of personal information about you that we shared and the categories of third parties to whom the personal information was sold or shared –and–
  • The categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose

You have the right to opt-out of the sharing of your personal information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sharing of your personal information, we will refrain from sharing your personal information, unless you subsequently provide express authorization for the sharing of your personal information.

To opt-out of the sharing of your personal information, visit our homepage and click on the Do Not Share My Personal Information link here: https://velocityclinicaltrials.com/opt-out-preferences/

Right to Limit Use of Sensitive Personal Information. You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to:

  • Perform the services reasonably expected by an average consumer who requests those services
  • Perform the following services: (1) Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes; (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business; (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business –and–
  • As authorized by further regulations

You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes.

To limit the use of your sensitive personal information, visit our homepage and click on the "Limit the Use of My Sensitive Personal Information" link here: https://velocityclinicaltrials.com/opt-out-preferences/

Right to Deletion. Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

  • Delete your personal information from our records –and–
  • Direct third parties to whom the business has shared your personal information to delete your personal information unless this proves impossible or involves disproportionate effort

Please note that we may not delete your personal information if it is reasonably necessary to:

  • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us, if applicable
  • Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes
  • Debug to identify and repair errors that impair existing intended functionality
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
  • Comply with the California Electronic Communications Privacy Act
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us
  • Comply with an existing legal obligation –or–
  • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information

Right of Correction. If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information.

Protection Against Retaliation. You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things:

  • Deny services to you
  • Charge different prices or rates for services, including through the use of discounts or other benefits or imposing penalties
  • Provide a different level or quality of services to you –or–
  • Suggest that you will receive a different price or rate for services or a different level or quality of services

Please note that we may charge a different price or rate or provide a different level or quality of services to you, if that difference is reasonably related to the value provided to our business by your personal information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of personal information, the sale of personal information, or the retention of personal information.

How to Exercise Your Rights. If you would like to exercise any of your rights as described in this Privacy Policy, you can do so here: https://velocityclinicaltrials.com/opt-out-preferences/ You may also contact us via email at info@velocityclinical.com.

  • Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.
  • If you choose to contact us directly by email you will need to provide us with:
    • Enough information to identify you (e.g., your full name, address and customer or matter reference number)
    • Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill) –and–
    • A description of what right you want to exercise and the information to which your request relates
  • We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf.
  • Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.
  • We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
    • Complete a transaction for which we collected the personal information, provide something that you requested, take actions reasonably anticipated within the context of our ongoing relationship with you, or fulfill any legal obligations we may have.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Debug products to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
    • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • We do not provide these deletion rights for personal information (including health information) that is stored or otherwise used by healthcare systems or other Covered Entities (as that term is defined in HIPAA). Contact your healthcare system(s) if you have questions about these rights with respect to information about you that is stored or otherwise used by them.

How to Contact Us. Please contact us or our Data Protection Officer by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.

Our contact details are shown below:

Our contact details: Brandi Lang, Privacy Officer
Contact address: 300 E. Main Street, Suite 300, Durham, NC 27701
Contact email address: privacy@velocityclinical.com
Contact telephone number: 919-926-1804