Privacy Policy

Updated: June 26, 2025
PRIVACY NOTICE
Processing & Protection of Personal Data

1.0 Objective

This document aims to implement Personal Data processing and protection legislation requirements and to protect the rights and freedoms of individuals when CluePoints processes their Personal Data.

This Document has been drawn up in compliance with the requirements established in the General Data Protection Regulation and other legislation regulating processing and protection of Personal Data.

2.0 Scope

This document applies to processing and protection of Personal Data at CluePoints. This Document is applicable to all Personal Data received or collected by CluePoints from customers, business partners, and other individuals, in any format, as part of CluePoints’ business operations.

Out of scope: HR Personal Data of CluePoints employees, which is covered by another Privacy Notice.

3.0 Definitions & Abbreviations

3.1 Terms & Acronyms

  • Availability – Making sure that information is available when and where it is rightly needed.
  • Clinical Data – Defined in section 4.1
  • Confidentiality – Protection of information from unauthorized access.
  • Data Subject – Any person whose Personal Data is being collected, held or processed.
  • Integrity – Making sure that information is kept accurate and consistent unless authorized changes are made.
  • Marketing Data – Defined in section 4.1
  • Personal Data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Sensitive Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
  • User – any person who owns an account on CluePoints’ system.
  • Users Data – Defined in section 4.1

 

Acronyms

  • DPF – Data Privacy Framework
  • DPAs – Data Protection Authorities
  • GDPR – General Data Protection Regulation
  • HR – Human Resource

 

4.0 Protecting & Processing Personal Data

4.1 Data Processed 

The collection, processing, storage and use of Personal Data is essential in the context of many of CluePoints’ business functions.

CluePoints may process the following Personal Data as a controller:

  • User Data
    • Data required for user account creation, and access to the CluePoints Operational Environment (hereinafter defined). This information is provided by the customer and will include the following information: Full name, company name and email address.
    • Data collected when a user interacts with our helpdesk service. When a user enters a request on our helpdesk service, the user is asked to provide the following information: Full name, company name and email address.
    • Data collected when a user requests product updates. When a user registers for product or service status updates, the user is asked to provide the following information: email address.
    • Data collected automatically when a user accesses or interacts with the CluePoints website or CluePoints platform in any operational context or environment (“Operational Environment”). This includes IP address.
    • When users navigate and interact with the CluePoints platform, they may submit information, such as comments, queries and requests, about their use of the platform.
  • Marketing Data
    • Data collected from visitors of our corporate website, such as information provided by filling in forms on the website (First Name, Last Name, Company and Email Address) or information automatically collected from website visitor’s device or web browser when interacting with our website. When a website visitor visits our website we place cookies in its browser, which allows us, by using the IP address, to track which pages the visitor views on our website and when.

CluePoints processes the following Personal Data as a processor:

  • Clinical Data
    • Clinical data provided by CluePoints’ customers. These data may comprise Patient ID number, gender, age, date of birth, ethnic origin and patient health related data. These data are considered as pseudonymized sensitive Personal Data. As noted above, if you have questions about the processing of your clinical data, you should contact the relevant CluePoints customer in the first instance.

4.2 Purpose of Data Processing

CluePoints uses Personal Data only in ways that are compatible with the purposes for which it was collected.

  • Users Data

    We collect first name, last name and Email address of users on our web application, for the purpose of accounts creation and to secure our Operational Environment.

    We require users to submit their name, e-mail address, the name of their organization, and the country in which they are based on our helpdesk service, so we may send the material the users have requested and to enable us to reply to users’ request.

    We require users who request product or service updates to submit their email address so we may send the requested updates.

    We collect comments, queries and other feedback submitted by users within our Operational Environment for the purposes of responding to those requests, as well as for product development and improvement.

  • Marketing Data

    We use the information website visitors give by filling in forms on our website to provide them with commercial and company news messages via email relating to CluePoints and its products and services.

    We use the information we collect from website visitors’ devices to track the pages that they read on our website for marketing purposes, in order to identify their key areas of interest to send them relevant communications.

  • Clinical Data

    We use clinical data received from our customer to assess the efficacy and risks of certain drugs for evaluating the quality, accuracy, and integrity of clinical trial data.

    Clinical Data and Users Data will be maintained for a period of time needed to fulfill legitimate and lawful business purposes in accordance with our records retention policies and applicable laws and regulations. Marketing Data will be maintained for an undefined period of time in accordance with applicable laws and regulations. Data subjects may exercise their rights defined in section 4.7 at any time.

4.3 Lawfulness & Fairness

4.3.1 Processing of Personal Data

We only collect data for specified, explicit and legitimate purposes and will only process data on lawful and fair grounds.

We rely on following legal aspects to collect and process Personal Data:

  • Clinical Data

    For Scientific Research and Legitimate Interests: The Belgian Data Protection Authority has adopted the view that the legal basis for the processing of (sensitive) health data in the context of clinical trials is to be found in a combination of Article 6(1)(f) GDPR (“legitimate interest”), and Article 9(2)(j) GDPR (“scientific research or statistical purposes”).

  • User Data

    For legitimate business purposes: Where we or a third party have a legitimate interest in processing your Personal Data, we may do so provided that our interest is not overridden by your rights and interests. We may rely on this legal basis to, for example, provide product and service updates when requested by a user, keep business records, respond to unsolicited communications from you, assert our legal rights or obtain professional advice.

    To perform a contract to which the data subject is a party: We require user Personal Data to create an account on our web application or to allow our helpdesk to answer the user.

    To comply with our legal obligations: We may also use your Personal Data to comply with our legal obligations, for example to comply with tax and accounting obligations. 

    Based on your consent: We may also process your Personal Data on the basis of consent in some circumstances.

  • Marketing Data

    For legitimate business purposes: information collected through website visitors’ use of our corporate website is useful for us to better understand their needs and how we can improve our products and services.

    We will only process the data for a purpose compatible with the purpose for which the Personal Data is initially collected. In case the purpose of collecting, processing and using the Personal Data is changed from the original purpose, the new processing will be done in accordance with a lawful ground and we will provide the data subjects with information on that other purpose prior to that further processing.

4.3.2 Processing of Sensitive Personal Data

Sensitive data are limited to Clinical Data. The processing of sensitive data is performed in scope of CluePoints operations. Ethnical origin and clinical data concerning health are required for our operational activities. Processing of sensitive Personal Data is allowed pursuant to the legal basis described in section 4.3.1.

4.4 Data Protection

CluePoints takes the appropriate and necessary organizational and technical security measures to protect the data and privacy of data subjects from whom data have been collected, in order to prevent the loss, disclosure, unauthorized use, alteration or destruction of information we receive.

4.4.1 Pseudonymisation

The principle of pseudonymization is applied for clinical data. CluePoints customers are informed that they cannot upload patient personally identifiable information such as name, social number or biometric data on the CluePoints web application. Patient identifiers are used and CluePoints does not own the key that link a patient identifier to a patient name.

4.4.2 Anonmymization 

We may further process certain Personal Data to anonymize the data in order to be used for product testing and development. Anonymization refers to complete redaction or masking of information and data, where all identifying characteristics are deleted. After the transformation process, it is not possible to retrieve or re-identify the data subject. Anonymized data no longer falls within the scope of GDPR.

4.4.3 Minimisation

We make sure that the principle of data minimization is applied in all our activities.

  • All clinical data collected for the operational activities are relevant, adequate and necessary for evaluating the quality, accuracy, and integrity of clinical trial data.
  • Data collected for the creation of user on our web application is strictly limited to what is necessary.

 

4.4.4 Retention

We take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we need to retain certain information as required by law, including to comply with tax requirements, or for as long as is reasonably necessary to meet regulatory requirements, resolve disputes, prevent fraud and abuse or enforce our terms and conditions. When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and the relevant statute of limitations.

4.4.5 Organizational Measures

We have implemented organizational measures to ensure protection of Personal Data:

  • Logical access control and principle of least privileges and separation of duties: Personal Data are stored and processed on secured servers and only made accessible to authorized personnel.
  • Training: to ensure any CluePoints’ employee who has access to Personal Data is kept up to date on necessary skills and knowledge (i.e. technical, scientific, computer, quality, regulatory, others) required for his/her job and will only process Personal Data according to appropriate instructions.

All CluePoints employees must sign a confidentiality agreement when joining the company.

We have implemented a Backup and Restore process to ensure that the integrity and availability of the data is preserved in case of accidental deletion, corruption of data or system failure. We have therefore the ability to restore access to Personal Data in the event of an incident.

4.4.6 Organizational Measures

We have set technical measures to ensure protection of Personal Data. Such measures may include, but are not limited to network monitoring, the encryption of communications via SSL, encryption of information while it is in storage, firewalls, access controls, and similar security protocols.

4.5 Third Parties Sharing

When we act as a controller, we may transmit the information we collect from and about data subjects to third-parties in the following circumstances:

  • Vendors and service providers. We may disclose any information we receive to vendors and service providers retained in connection with the provision of our services. This may include, for example, third party hosting companies that we engage to provide technical infrastructure, as well as
  • Third-party AI service providers. We may disclose information to third-party AI service providers which we use internally to assist our employees with operational tasks. 
  • Analytics partners. We may use your Personal Data to assist third party analytics services in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, advertisements, promotions, or functionality available through the services.
  • As required by law and similar disclosures. We may disclose your Personal Data to third parties if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies. We also reserve the right to disclose your Personal Data that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of our services and any facilities or equipment used to make our services available, or (v) protect our property or other legal rights, including to enforce our agreements, or the rights, property, or safety of others.
  • Merger, sale, or other asset transfers. We may disclose or otherwise transfer Personal Data to an acquirer, successor or assignee as part of the consideration, negotiation, or completion of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
  • We may also disclose Personal Data with your permission. No information is disclosed to our hosting provider. Our hosting provider only maintain data in an encrypted state and does not have access to data. Users’ name, e-mail address, name of their organization, and the country in which they are based are disclosed to our helpdesk service.

Where CluePoints acts as a processor on behalf of its customers and engages another processor for carrying out specific processing activities, the same data protection obligations are imposed. This is ensured by contracts and assessments/audits. In case the new processor has access to Personal Data, the clients need to be informed and consulted about the intention to outsource the processes/services.

CluePoints has contracts in place with all sub-contractors to define the acceptable use policy and the service level agreement and to set forth the terms and conditions of any works or services performed by the sub-contractors.

In cases of onward transfers of data, received pursuant to the EU Standard Contractual Clauses (SCC) or other approved transfer mechanism, CluePoints is potentially liable.

In addition, we may disclose personal data as required by law or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

4.6 Transfer of Personal Data

In the normal course of performing our activities, Personal Data may be transmitted to our other affiliates located in the United States, the United Kingdom, and certain subcontractors. Our affiliates and subcontractors are required to treat Personal Data in accordance with this Privacy Notice and our data protection policy.

CluePoints adheres to the European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers that operate in the European Union and the United Kingdom, and other international transfers of Personal Data.

CluePoints, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.  CluePoints, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  CluePoints, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In certain situations, CluePoints, Inc. may be required to disclose Personal Data in response to lawful requests from public authorities, including to meet national security or law enforcement requirements. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

4.7 Data Subject Rights

We commit to allow any person for whom we possess Personal Data to access their Personal Data, to rectify their Personal Data and to limit use and disclosure of their Personal Data. We also commit to assist our customers to respond to a request for exercising the data subject’s rights where feasible.

4.7.1 Right to Rectification, Erasure & Restriction of Processing

Data subjects for whom CluePoints holds Personal Data can at any time make a request for rectification. In the same way, data subjects can request at any time the restriction of the processing of their data (including, but not limited to opting out of disclosure to third parties or if data is being used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized) or the erasure of their Personal Data. In case Personal Data are rectified, modified or in case processing of Personal Data is restricted, CluePoints will make sure to communicate the information to each recipient to whom Personal Data have been disclosed.

To record a Personal Data rectification or erasure or the restriction of processing, data subject can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.

Where we rely on consent to process your data, you may withdraw any consent you previously provided to us regarding the processing of your Personal Data, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before you withdrew your consent. In some circumstances, a request for data rectification, erasure or restriction of processing may be rejected by CluePoints. In the case of the latter, the reason for rejection will be communicated to the concerned data subject.

4.7.2 Right to Access

Data subjects for whom CluePoints owns Personal Data can request at any time access to their Personal Data. In case of a Personal Data request, CluePoints commits to transmit Personal Data in structured, commonly used and machine-readable formats. A secured method must be used while transmitting data.

To record a Personal Data rectification or erasure or the restriction of processing, data subject can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.

4.8 Contact Details

CluePoints commits to replying to any question, handling any request or resolving any complaint about our collection or use of Personal Data. European Union individuals with inquiries or complaints regarding our Privacy Notice should first contact CluePoints at: [email protected].

4.9 Right To Lodge A Complaint

If you are not satisfied with our response to your complaint or if you believe that the processing of your personal data does not comply with data protection laws, you can lodge a complaint with a data protection authority. We would, however, appreciate the chance to deal with your concerns before you approach a supervisory authority, so please contact us in the first instance.

Any person has the right to lodge a complaint to the Data Protection Authorities if they believe that CluePoints has not complied with the requirements of the GDPR or EU-U.S. DPF with regard to their Personal Data. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF  CluePoints commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

To lodge a complaint data subjects can contact their country-specific data protection authority or CluePoints’ lead data protection supervisory authority:

Data Protection Authority (Autorité de protection des données) 
Rue de la Presse 35
1000 Bruxelles
Tel. +32 2 274 48 00 
Fax +32 2 274 48 35
e-mail: [email protected]
Website: http://www.dataprotectionauthority.be/

To lodge a complaint related to UK processing of Personal Data and individual can contact the UK Information Commissioner’s Office:

                             UK Information Commissioner’s Office

                             Tel. +44 0303 123 1113

                             Website https://ico.org.uk/make-a-complaint/

UK Extension to the EU-US Data Privacy Framework complaints tool: https://ico.org.uk/make-a-complaint/uk-extension-to-the-eu-us-data-privacy-framework-complaints-tool/

Under certain circumstances, a data subject may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means. Information can be found here: https://go.adr.org/dpfeufiling.html

Linkedin-in Facebook-f X-twitter Youtube
Who We Are
What We Do
Who We Work With
resources
Contact
© 2025 CluePoints. All Rights Reserved.
Privacy Policy
© 2025 CluePoints. All Rights Reserved. Privacy Policy
If Critical,

It’s Covered.
Join us virtually on September 25th for the premier RBQM industry event.
Learn More