This policy applies to Ora and for all purposes discussed herein the data Controller is Ora.
Much of the personal data we process is collected from you directly. However, depending on your relationship with our company, we may process data about you received from other sources such as conference/event hosts, recruiting partners, and information you’ve made publicly available.
During the processes of screening/recruiting prospective patients for clinical trials, operating and maintaining our website, conducting marketing activities, collecting information from our prospective customers, employees, contractors, and collaborators, Ora may collect the following PI (without limitation):
Sensitive or Special Data
Ora collects and processes PI under the following circumstances:
Access to PI will at all times be restricted to only those individuals who require access to perform a necessary job function in accordance with the original purpose of collection (Principle of Least Privilege). Ora may share your PI with third parties that process information on its behalf. These may include (without limitation):
Any such third parties receiving PI are required to sign confidentiality agreements or provide assurance agreeing to handle all confidential information containing personal data in accordance with applicable law. Additionally, Ora will validate that any third party involved in the processing of PI will have the proper technical and organizational measures in place to protect PI.
Except as described above, we will not otherwise use or disclose any of your PI, except to the extent reasonably necessary: (i) to correct technical problems and malfunctions and to technically process your information; (ii) to protect the security and integrity of our Web site; (iii) to protect our rights and property and the rights and property of others; (iv) to take precautions against liability; (v) to the extent required by law or to respond to judicial process; or (vii) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety, as applicable.
When sharing PI with third parties (including any international transfers of data that may occur) Ora will take all necessary steps to ensure the protection of this information by implementing appropriate safeguards relative to the risk and sensitivity of the information being shared. Ora may also transfer information across international borders when necessary. When international transfers do occur, Ora implements a GDPR compliant transfer method as follows:
|International Transfer||Compliant Transfer Method|
|Collecting and processing PI from prospective customers, collaborators, Investigators around the world involves transferring information internationally.||Model Contractual Clauses|
|Collecting and processing PI from prospective employees from around the world involves transferring information internationally.||Model Contractual Clauses|
Ora maintains a high level of security, particularly in relation to PI. Computer equipment, networks, programs, data and documentation is maintained to a high standard, and access to data and equipment is at all times restricted to appropriate staff. Ora’s security framework is designed to ensure that holistic and effective security practices are maintained to protect PI that Ora collects and processes.
Ora will retain PI only for as long as is necessary for the purpose(s) for which it was collected and in accordance with any applicable consent given in relation to such PI and any applicable laws.
Data will be securely destroyed upon request by a data subject (when applicable), or the data is no longer needed for the purpose(s) it was collected for.
Individuals have the following rights in relation to their PI*. Ora will not discriminate against individuals for exercising their rights under applicable data privacy laws.
*Not all rights are guaranteed. Legal basis for collection/processing, the requirement of disproportionate effort, legal requirements, and other factors can have an impact on data subject rights.
No automated decision making is used to process PI.
The services and personal data processing activities for which Ora is a data controller, as described under this policy, are not intended for individuals 15 years of age or younger.
Ora’s website does not respond to ‘Do Not Track’ signals from your browser.
This policy was last updated in December 2022.
If Ora should ever file for bankruptcy or be acquired by a third party, merge with a third party, sell all or part of our assets, or otherwise transfer substantially all of our relevant assets to a third party, Ora is entitled to share the PI to potential and subsequent business and merger partners.
Ora makes no representations about the content of the information found on this Web site. The information presented on this Web site is provided to you “AS IS,” WITHOUT ANY WARRANTY, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE. Under no circumstances shall Ora assume liability for the use or interpretation by you of information found on this Web site; rather, this will be your responsibility. Ora expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to this Web site and/or the information contained on this Web site, even if Ora is proven negligent.
The following definitions apply to terms used throughout this policy:
Personal Information (PI):
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
All communications, questions or concerns about these privacy policies should be addressed to Ora’s Data Protection Officer at: OraDPO@oraclinical.com
Please note that in instances where Ora is acting as the clinical research organization (CRO) for one or more of its customers (clinical sponsors) in its capacity of managing clinical trials, Ora’s customer is the data Controller and Ora is the data processor.