SempreFit Innovations Inc.
Effective Date: 7/2022
Last Updated: 9/1/2024
1. Purpose of the Policy
This Data Protection & Privacy Policy (the “Policy”) outlines how SempreFit Innovations Inc. (“Company”) collects, uses, stores, and protects personal data in compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the General Data Protection Regulation (GDPR) in the European Union and the European Economic Area (EEA). This Policy applies to all clinical trial participants, employees, volunteers, contractors, and any other individuals whose personal data is processed by the Company.
2. Definitions
- Personal Data: Any information that can be used to identify an individual, including but not limited to names, addresses, contact details, medical records, and genetic data.
- Data Subject: Any individual whose personal data is being processed.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- Controller: The entity (SempreFit Innovations Inc.) that determines the purposes and means of processing personal data.
- Processor: Any third party that processes personal data on behalf of the Controller.
- Sensitive Data: Health data, genetic data, biometric data used to identify an individual, data revealing racial or ethnic origin, and data concerning an individual’s sex life or sexual orientation (the special categories of personal data under GDPR Article 9), together with protected health information (PHI) as defined by HIPAA.
3. Data Collection
3.1 Types of Data Collected
The Company may collect the following types of personal data, especially in the context of clinical trials:
- Name, contact information, and demographic data (e.g., age, gender).
- Health-related information, medical history, and test results.
- Genetic information (if applicable in clinical trials).
- Data regarding participation in clinical trials, including adverse events and treatment outcomes.
3.2 Methods of Data Collection
Personal data may be collected directly from the Data Subject through informed consent forms, questionnaires, medical records, or other clinical trial documentation.
3.3 Legal Basis for Processing
The Company processes personal data on the following legal grounds:
- Consent: The Data Subject has provided explicit consent for their data to be processed.
- Contractual Necessity: Processing is necessary for the performance of a contract, such as clinical trial agreements.
- Legal Obligation: Processing is necessary for the Company to comply with a legal or regulatory obligation.
- Legitimate Interest: The Company may process data for its legitimate business interests, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
Sensitive Data is processed only where, in addition to one of the grounds above, a condition under GDPR Article 9(2) applies, such as the Data Subject’s explicit consent or processing that is necessary for scientific research purposes and subject to appropriate safeguards.
4. Use of Data
4.1 Purpose of Processing
The personal data collected may be used for the following purposes:
- Conducting clinical trials and research.
- Ensuring patient safety, including monitoring adverse events.
- Complying with regulatory requirements and reporting obligations.
- Analyzing trial results and improving research outcomes.
4.2 Data Sharing
The Company may share personal data with the following entities:
- Regulatory bodies such as the FDA or EMA for compliance purposes.
- Contract Research Organizations (CROs) or clinical trial sites involved in the research.
- Third-party service providers (e.g., data storage services), acting as Processors under a written contract that binds them to the data protection standards of this Policy (a data processing agreement under GDPR Article 28 and, where PHI is involved, a business associate agreement under HIPAA).
- Partner organizations, provided the Data Subject has given explicit consent.
4.3 Anonymization and Pseudonymization
Where possible, personal data is anonymized or pseudonymized to protect the privacy of Data Subjects. Pseudonymized data (for example, trial records keyed by a participant code, with the list linking codes to identities held separately under restricted access) remains personal data under GDPR because it can be re-identified, and is protected as such; only data that can no longer be linked to an individual by any means reasonably likely to be used is treated as anonymous. Under HIPAA, data is treated as de-identified only when it meets the Safe Harbor or Expert Determination standard (45 CFR §164.514). Identifiable data is used only where necessary.
5. Data Protection Principles
The Company adheres to the following data protection principles in compliance with GDPR and HIPAA:
- Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data is collected for specified, legitimate purposes and not processed further in a manner incompatible with those purposes.
- Data Minimization: The data collected is limited to what is necessary for the intended purpose.
- Accuracy: Data is kept accurate and up to date.
- Storage Limitation: Data is kept only for as long as necessary to fulfill its purpose.
- Integrity and Confidentiality: Appropriate technical and organizational measures are in place to ensure data security.
- Accountability: The Company is responsible for, and able to demonstrate, compliance with these principles.
6. Data Security
6.1 Security Measures
The Company employs physical, technical, and administrative security measures to protect personal data against unauthorized access, loss, or misuse. These measures include:
- Encryption: All sensitive data is encrypted both in transit and at rest.
- Access Control: Access to personal data is restricted to authorized personnel whose role requires it, following the principle of least privilege.
- Data Backups: Regular backups are performed to ensure availability and recoverability; backup copies are subject to the same encryption and access controls as the primary data.
6.2 Breach Notification
In the event of a personal data breach, the Company will notify affected Data Subjects and the competent regulatory authorities as required by HIPAA or GDPR within [number of hours or days] of becoming aware of the breach. At a minimum, the Company will meet the statutory deadlines: under GDPR Article 33, the supervisory authority is notified without undue delay and, where feasible, within 72 hours of the Company becoming aware of the breach, and under Article 34 affected Data Subjects are notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms; under the HIPAA Breach Notification Rule, affected individuals are notified without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI, and the U.S. Department of Health and Human Services is notified within the timeframes the Rule prescribes.
7. Data Subject Rights (GDPR)
Data Subjects located in the European Union or the EEA have the following rights under the GDPR:
7.1 Right to Access
Data Subjects have the right to request access to the personal data held about them by the Company.
7.2 Right to Rectification
Data Subjects may request that inaccurate or incomplete data be corrected.
7.3 Right to Erasure
Data Subjects may request that their data be deleted when it is no longer necessary for the purpose for which it was collected, when they withdraw the consent on which processing is based, or on the other grounds set out in GDPR Article 17. This right is not absolute: the Company may retain data where processing remains necessary to comply with a legal obligation (for example, clinical trial record-keeping requirements) or for scientific research purposes where erasure would seriously impair the objectives of that research.
7.4 Right to Restrict Processing
Data Subjects may request that the Company restrict processing under certain circumstances, such as when the accuracy of the data is disputed.
7.5 Right to Data Portability
Where processing is based on consent or a contract and carried out by automated means, Data Subjects have the right to receive the personal data they provided to the Company in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
7.6 Right to Object
Data Subjects may object to the processing of their data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, Data Subjects may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before it, and data already included in trial analyses may continue to be processed where another legal ground, such as a legal obligation, applies.
8. Data Retention
8.1 Retention Periods
The Company retains personal data for the duration necessary to fulfill the purpose for which it was collected, or as required by regulatory or legal obligations. Where clinical trial record-keeping requirements prescribe a retention period longer than the original purpose requires, those requirements take precedence, and data is retained in pseudonymized form where possible. Data retention schedules are reviewed regularly to ensure compliance with data protection principles.
9. Data Transfers
9.1 Transfers to Third Countries
If personal data is transferred outside the European Economic Area (EEA), the Company will ensure that adequate safeguards are in place, such as an adequacy decision of the European Commission (including, for U.S. recipients certified under it, the EU-U.S. Data Privacy Framework), Standard Contractual Clauses (SCCs) supplemented by a transfer impact assessment, or another mechanism approved under Chapter V of the GDPR. Because the Company is established in the U.S., the transfer of EU or EEA participant data to the Company itself is a transfer to a third country and is covered by these safeguards.
10. Regulatory Compliance
10.1 HIPAA Compliance
For Data Subjects in the U.S., the Company complies with the HIPAA Privacy, Security, and Breach Notification Rules regarding the use, storage, and disclosure of protected health information (PHI). Where the Company acts as a covered entity or a business associate, it enters into business associate agreements with any vendor that creates, receives, maintains, or transmits PHI on its behalf. PHI is used or disclosed for research only with the individual’s HIPAA authorization or under a waiver of authorization approved by an Institutional Review Board or Privacy Board, and clinical trial data is de-identified where possible under the Safe Harbor or Expert Determination standard (45 CFR §164.514). Individuals have the right under HIPAA to access and obtain a copy of their PHI, to request its amendment, and to receive an accounting of certain disclosures; requests may be made using the contact details in Section 12.
10.2 GDPR Compliance
For Data Subjects in the EU, the Company complies with GDPR regulations, ensuring lawful processing, protection of Data Subject rights, and implementation of appropriate security measures.
11. Amendments to This Policy
The Company may update or amend this Policy from time to time to reflect changes in legal or regulatory requirements or business practices. Any changes to the Policy will be communicated to Data Subjects and posted on the Company’s website.
12. Contact Information
For questions or concerns about this Policy, or to exercise any of your rights, please contact us at:
SempreFit Innovations Inc.
Email: david@sempre.fit
Phone: 929-423-0072
Address: 50 Linton Place, Staten Island, NY 10308