PRIVACY POLICY

Effective: January 1, 2024

We respect your privacy and will never sell or trade personally identifiable information (“Personal Data”) provided on this website or that is otherwise within the scope of this Privacy Policy (this “Policy”). Maintaining trust is paramount to us.

INTRODUCTION AND SCOPE

Patient Advertising Guru, Inc., d/b/a ResearchStudyRockstar.com, a New York corporation, with offices located at 95 Broadhollow Road, Melville, New York 11747 USA (“RSR”,” “we,” “us,” “our”) takes the protection of Personal Data very seriously. This Policy addresses data subjects whose Personal Data we may receive through subdomains of our websites located at www.letsrockenroll.com, www.researchstudyrockstar.com and www.patientadvertisingguru.com.

If you are a resident of the State of California, this Policy also incorporates our Privacy Notice for California Residents which includes additional information required to be provided under California law.

If you are a resident of the European Economic Area this Policy also incorporates your rights under applicable data protection laws.

CONTROLLERSHIP

In the context of this Policy, RSR acts as a data controller or data processor for the Personal Data we process, depending on our relationship with you and with our Clients. For example, when we process your Personal Data when you contact us through our website or if we return your inquiry by phone at your request, we act as a data controller. On the other hand, we generally act as a data processor in connection with services provided to our Clients.

CATEGORIES OF PERSONAL DATA

We may process the following types of Personal Data:

  • Biographical information, such as your first and last name, age, and date of birth;
  • contact information, such as your email address and phone number;
  • Location data and online identifiers, such as IP address;
  • web application usage data; and health data (sensitive personal data), such as information about medical symptoms or prescribed medications, which you voluntarily provide in order to determine your eligibility.

HOW WE RECEIVE PERSONAL DATA

You may provide us with personal data when you:

  • visit our website (by way of our cookies and other tracking technologies) or,
  • speak to a research site by phone, who may input additional data into our secure system

After you enter your name and contact information into the form on our website, a participating research site from your area will call you at the phone number you provided. During this phone call, the study representative may ask you various of questions in order to determine your eligibility to participate in the research study in which you have responded about.

We do not collect your information for any other research study opportunity other than the study you’ve inquired about, nor will we ever contact you regarding any future study opportunities. If we receive your Personal Data from a third party, we will notify you, where required by applicable laws, without undue delay.

BASIS OF PROCESSING

Where we act as a data controller within the scope of this Policy, we may rely on one or more of the following legal grounds for processing your Personal Data:

  • your explicit consent;
  • the processing is necessary for the performance of a contract with you, such as providing you with our services or to perform related pre-contractual steps at your request prior to entering into a contract;
  • the need to pursue the legitimate interests of our Clients, such as finding qualified patients to participate in clinical trials;
  • the need to comply with legal obligations; and
  • any other ground, as required or permitted by law.

Where we rely on your consent as a legal ground for processing your Personal Data, you may withdraw your consent at any time. However, if you withdraw your consent, it will not affect the lawfulness of the processing that occurred based on your consent prior to your withdrawal.

Where we receive your Personal Data directly from you for the purpose of providing you with our services, we require your Personal Data in order to perform our contractual obligations owed to you. Without the necessary Personal Data, we will not be able to provide our services to you.

Where we act as a data processor within the scope of this Policy, we will process your Personal Data based on the documented instructions of the relevant data controllers.

PURPOSES OF PROCESSING

We process Personal Data for the purposes of:

  • assisting our Clients in finding clinical trial participants;
  • providing other services to our Clients;
  • enabling the use of our website and the services we provide to potential participants in clinical trials;
  • responding to inquiries, and/or other requests or questions;
  • targeting our advertising.

USE OF COOKIES

We use cookies to store information on your device. Cookies improve your navigation on our website and enhance your user experience. We also use cookies and similar tracking technologies to serve targeted advertisements on other sites. Please review our cookie policy here. You may delete or otherwise control cookies. You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit here and here.

DATA RETENTION PERIODS

Where we act as a data controller and when the purposes of processing are satisfied, we will retain your Personal Data for up to six months, unless you request that we delete your Personal Data sooner.

Where we act as a data processor, we will delete your Personal Data within six months of receiving an instruction to do so by the relevant data controller.

SHARING PERSONAL DATA WITH THIRD PARTIES

We may share your Personal Data with other entities. Such third parties may include:

  • our Clients, in which case the transfers of your sensitive Personal Data are taking place only based on your explicit consent;
  • those providing and managing IT systems and infrastructure for PAG;
  • those providing communications software;
  • e-mail service providers;
  • customer relationship management (CRM) service providers;
  • those providing cloud storage services;
  • those providing enterprise resource planning software;
  • social media services (in order to identify other potential participants for clinical trials).

We will require that these third parties maintain at least the same level of privacy and security that we maintain for such Personal Data. RSR remains liable for the protection of Personal Data that we transfer to our service providers.

OTHER DISCLOSURE OF YOUR PERSONAL DATA

We may disclose your Personal Data:

  • to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders;
  • if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; or
  • to our subsidiaries or affiliates only if necessary for business and operational purposes.

If we must disclose your Personal Data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your Personal Data will maintain the privacy or security of your Personal Data.

DATA INTEGRITY & SECURITY

RSR has implemented and will maintain technical, organizational, and physical security measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction.

ACCESS & REVIEW

If you are a data subject about whom we store Personal Data, you may have the right to request access to, and the opportunity to update, correct, port, or delete such Personal Data. Under certain circumstances, you may have a right to restrict or object to the processing of your Personal Data. You may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent that you have previously provided for your Personal Data to be shared with third parties, except as required by law. You also have the right to opt out if your Personal Data is used for any purpose that is materially different from, but nevertheless compatible with, the purpose(s) for which it was originally collected or subsequently authorized by you.

Where we act as a data controller, to submit such requests or raise any other questions, please contact us using the information provided in the Contact Us section of this Policy.

Where we act as a data processor, you may exercise your rights under this section by contacting the data controller who has provided your Personal Data to us.

PRIVACY OF CHILDREN

We do not knowingly collect Personal Data from anyone under 18. In the event that we learn that we process Personal Data from a child under age 13, we will delete the information that we have stored as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us using the information provided in the Contact Us section of this Policy.

CHANGES TO THIS POLICY

If we make any material change to this Policy, we will post the revised Policy to this web page and update the “Effective” date above to reflect the date on which the new Policy became effective.

DISPUTE RESOLUTION

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Patient Advertising Guru Inc.’s internal processes, Patient Advertising Guru Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information here .

REGULATORY OVERSIGHT

RSR is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

European Commission’s Standard Contractual Clauses

RSR has implemented measures to protect your personal information, including by using the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies and between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from the EEA in accordance with European data protection laws and regulations. Our Data Processing Agreements that include Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

RSR complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU), the United Kingdom (UK) and Switzerland to the United States. Although Privacy Shield is no longer considered a valid transfer mechanism for the purposes of EU and Swiss data protection law, in light of the judgment of the Court of Justice of the European Union in Case C-311/18 and opinion of the Federal Data Protection and Information Commissioner of Switzerland dated 8 September 2020, RSR will continue to comply with the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.

RSR adheres to and complies with the Privacy Shield Principles when processing personal information from the EU, UK or Switzerland. If we have received your personal information in the United States and subsequently transfer that information to a third party acting as our agent, and such third party agent processes your personal information in a manner inconsistent with the Privacy Shield Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.

With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, RSR is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have any questions or concerns relating to RSR’s Privacy Shield certification, please write to us at the contact details below. We commit to resolving any complaints or disputes about our collection and use of your personal information under the Privacy Shield. However, if you have an unresolved complaint in connection with our certification, we commit to cooperating with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner and the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by them in respect of the complaint. Click here for a list of EU DPAs.

In limited situations, EU, UK and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. Please be sure to review the following sections of this Privacy Notice for additional details relevant to RSR participation in the EU-U.S. and Swiss-U.S. Privacy Shield:

We collect names; phone numbers; email addresses; mailing addresses; contact preferences; health information; and other similar information. We collect the names, contact details, and professional information of clinical trial investigators, study researchers, and other HCPs for the purpose of identifying and assessing suitability to assist in clinical trials and research studies and to provide services. We collect your Personal Data when you provide it to us directly, for example such as when you express or register an interest to participate in a study through our Websites, and also, either directly or indirectly, from publicly available sources, such as websites, directories and industry networks, etc. We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

In some regions, such as the European Economic Area, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

If you are a resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here.

If you are a resident in Switzerland, the contact details for the data protection authorities are available here.

EU Rights Under the General Data Protection Regulation

RSR performs as a data “processor” that processes personal data on behalf of clinical trial sponsors. Pursuant to the General Data Protection Regulation (GDPR), if you are interested in participating in a study that appears on our clinical research study website, we request that you opt-in to consent to our collection and processing of your personal data for purposes of recruitment for the relevant research study. 

These opt-in requests will be presented as check boxes under which you will have the opportunity to affirmatively indicate your consent to the processing of your personal data as described in this privacy policy and/or as described on our clinical research study website (as applicable). Under the GDPR your rights are as follows:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and
• the right not to be subject to automated decision-making including profiling.

You also have the right to complain to a supervisory authority in the EU Member State in which you are located if you feel there is a problem with the way we are handling your data. You can find a list of supervisory authorities here.

Privacy Notice for California Residents

This Notice applies solely to consumers who reside in the State of California, and to information that is defined by California law as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with California consumers or households (“California Personal Information”). We provide this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”).

As used in this Notice, the term “California Personal Information” does not include, and this Notice does not apply to:

  • publicly available information lawfully made available from federal, state, or local government records;
  • deidentified or aggregated consumer information; or
  • other information excluded from the CCPA’s scope, such as information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration

CALIFORNIA PERSONAL INFORMATION WE COLLECT

In the twelve (12) months prior to the “Last Reviewed” date of this Notice, we have collected the following categories of California Personal Information:

  • Identifiers such name, email address, telephone number, mailing address, online identifiers, or other similar identifiers.
  • Certain Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as physical characteristics.
  • Characteristics of protected classifications under California of federal law, such as age, race, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
  • Internet or other electronic network activity information, such as information concerning individuals’ interactions with our websites, applications, or advertisements.
  • In respect of our employees and job applicants, professional or employment-related information, including current or past job history or performance evaluations.
  • Inferences drawn from any of the above information to create a profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

SOURCES OF CALIFORNIA PERSONAL INFORMATION

We collect the categories of California Personal Information listed above from the following categories of sources:

  • Directly from you, including when you provide information to us;
  • Indirectly from you, such as when we automatically collect technical and usage information when you use the Services;
  • Our third-party data partners;
  • Public sources; and
  • Third-party websites and other online services, such as social media sites and online advertisements.

PURPOSES FOR WHICH WE COLLECT AND USE CALIFORNIA PERSONAL INFORMATION

We may use the California Personal Information listed above for the following business and commercial purposes:

  • To provide our clinical trial recruitment, enrollment, and retention services to our clients, including maintaining and updating our patient database, identifying and notifying prospective patients of clinical trials in which they may be interested, evaluating prospective patients for qualification in clinical trials, and referring patients to clinical trial sites;
  • To respond to your inquiries;
  • To contact you regarding changes or updates to the Services, updates related to our service offerings, or new clinical trials;
  • To provide, support, personalize, and develop our website, applications, and product or service offerings;
  • To prevent malicious, deceptive, fraudulent, or illegal activity, and participating in any prosecution or enforcement of laws or agreements meant to prevent or punish such activity;
  • To maintain the safety, security, and integrity of the Services, other technology assets, and our business, including the detection of security incidents;
  • To debug, identify, or repair errors or effectuate similar functional enhancements in connection with the Services;
  • To develop, improve, and deliver marketing and advertising;
  • For internal operational uses such as research, analytics, development, audits, and security;
  • For legal and operational compliance purposes, such as monitoring whether our operations are effectively implementing this policy;
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding
  • To engage in or enable internal uses consistent with our relationship with you, or compatible with the context in which you provided the information, such as internal research and development; and
  • For any other purpose described to you when collecting your California Personal Information before or at the time of collection.

SHARING OF CALIFORNIA PERSONAL INFORMATION

We may share California Personal Information with the following categories of third parties:

  • Our Affiliated Companies;
  • Our Service Providers;
  • Clinical Trial Sites;
  • Other third parties to protect our legal rights or comply with legal requirements;
  • Other third parties as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
  • Other third parties involved in a merger, sale, joint venture or other transaction involving a transfer of our business or assets; and
  • Other third parties with your prior consent.

In the twelve (12) months prior to the “Last Reviewed” date of this Notice, we have disclosed the following categories of California Personal Information, which are described in more detail above, for a business purpose:

  • Identifiers
  • Personal information categories listed in the California Customer Records statute;
  • Characteristics of protected classifications under California of federal law;
  • Internet or other electronic network activity information;
  • Inferences drawn from any of the above information.

Our purposes for sharing this information are described in the “How We Share Your Personal Information” section of our Privacy Policy.

SALES OF CALIFORNIA PERSONAL INFORMATION

In the twelve (12) months prior to the “Last Reviewed” date of this Notice, we have disclosed certain California Personal Information to our data partners, including:

  • certain Identifiers; and
  • certain California Customer Records personal information categories.

The CCPA defines “sale” very broadly. According to this broad definition, some of this past data sharing with our data partners qualified as a “sale” under the CCPA.

As of the effective date of this Notice, however, Patient Advertising Guru does not and will not sell California Personal Information.

YOUR RIGHTS AND CHOICES WITH RESPECT TO CALIFORNIA PERSONAL INFORMATION

The CCPA provides California residents with specific rights regarding California Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

ACCESS AND DATA PORTABILITY RIGHTS

You have the right to request that we disclose certain information to you about our collection and use of your California Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section below on Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of California Personal Information we collected about you.
  • The categories of sources for the California Personal Information we collected about you
  • Our business or commercial purpose for collecting or selling that California Personal Information.
  • The categories of third parties with whom we share that California Personal Information
  • The specific pieces of California Personal Information we collected about you (also called a data portability request).
  • If we sold or disclosed your California Personal Information for a business purpose, two separate lists disclosing
    • disclosures for a business purpose, identifying the California Personal Information categories disclosed; and
    • sales, identifying the California Personal Information categories sold and that each category of recipient purchased.

DELETION REQUEST RIGHTS

You have the right to request that Patient Advertising Guru delete any of your California Personal Information, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your California Personal Information from our records, unless an exception under CCPA applies.

EXERCISING ACCESS, DATA PORTABILITY, AND DELETION RIGHTS

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your California Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected California Personal Information, or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with your California Personal Information if we cannot verify your identity or authority to make the request and confirm the California Personal Information relates to you.

Making a verifiable consumer request does not require you to create an account with us.

We will only use California Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Any disclosures we provide in response to a request will only cover the 12-month period preceding the request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your California Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

YOUR RIGHT TO ASSIGN AN AUTHORIZED AGENT

You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such agent via written permission or a power of attorney pursuant to Probate Code sections 4000 to 4465 (if you are reside in the State of California) or the applicable rules for authorizing somebody else to exercise your rights in your country of residence.

To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with a written permission, we will require that you also verify your identity.

HOW WE WILL VERIFY YOUR IDENTITY

Bear in mind that to evaluate your privacy rights requests, we need to be sure it was you who made the request. We will verify your identity via the following methods:

  • we will send you an email requesting that you confirm certain personal data that we have in our records; OR
  • we will call you at the number you provided when you submitted a request relating to your privacy rights and will request that you confirm certain personal data that we have in our records.

To carry out the verification, we may ask you for information you provided to us previously, such as your contact number, email address, date of birth, your zip code, or the date that you last received a call/communication from us.

Please note that you may only make a consumer request to know or a data portability request twice within a 12-month period.

We will confirm the receipt of your request within ten (10) days and, in that communication, we will also describe our identity verification process and when you should expect a response, except when we have already granted or denied the request.

Please allow us up to 30 days to reply to your requests from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will send our written response by mail or electronically, at your option.

Consider that we will only cover the twelve-month period preceding the moment we receive the request in any disclosures we provide you with.

If we cannot satisfy your request, we will also explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision, and we reserve the right to either refuse to act on your request or charge you a reasonable fee to complete your request if it is excessive, repetitive, or manifestly unfounded.

NON-DISCRIMINATION

You have a right to not receive discriminatory treatment for exercising your CCPA rights, and we will not discriminate against you for exercising any of your CCPA rights.

CHANGES TO THIS NOTICE.

We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated notice to the Services and update the notice’s date.

CONTACT US

If you have any questions about this Policy or our processing of your Personal Data, please write to privacy@patientadvertisingguru.com or by postal mail at:

Patient Advertising Guru, Inc.

Privacy Officer

95 Broadhollow Road

Melville, New York 11747 USA