Specialists in Delphi studies and sensitive data collection

Download on the App Store

Privacy Policy

Please read this privacy policy carefully. It describes the type of personal data we collect from you when you use our apps within a study and how and why we process your data. Please note that this policy does not apply if you are only browsing our website. We do not collect any personal data on our website, and our website cookie policy may be found here: Website Cookie Policy

Data collection when enrolled on or participating in a study

The term ‘personal data’ describes information that is about you and from which you may be identified. Often, people cannot be identified from the data we collect. However, this privacy policy relates to those cases where we do collect personal data.

What kind of information do we collect?

We collect your responses to questionnaires that you complete when using our system. These responses might be numeric (e.g. your age), text (e.g. your experience of something, or your views on something), indications of agreement with a particular category or statement. Rarely, clients may ask us to provide hardware for a particular study and to record audio responses or written responses made from using a stylus on a screen. In these cases, your responses would not be recorded without clear indication, and beginning and ending at a time of your choosing. Information you are asked to provide will likely include information about your health, or your views on a particular subject related to health or health research.

We collect information about the time that you submit your responses, and sometimes information about the time taken to complete the questionnaire, or part of the questionnaire. We collect details of the IP address that was used to connect to our services, details of the type of operating system, and the type of browser and its version.

We use session cookies, which are small files that we store on our server to temporarily associate your session with your supplied enrol code. Session cookies are unlike typical cookies in that no data are stored on your device, and the session data is completely deleted when you finish the session.

If you use our phone or tablet app to access our services, we temporarily store data locally on your device until the data have been successfully uploaded to our server. We also store authentication tokens to your device so that you can stay in touch with the particular study. If you transfer a study from our app because you would like to use it in a browser, we collect your email address and a password.

How do we use this information?

We collect your responses to the questionnaires you complete for the purpose of securely storing them before securely transferring them to our client conducting health research, or a project, in which you have decided to participate. We may use the information about the time you submitted your responses to determine when you are due to receive a notification to remind you to complete a follow-up questionnaire if any are applicable to your study. After we have transferred your questionnaire responses to our client and our client has confirmed safe receipt we delete all of your personal data. We hold IP addresses used to access our services for one year. The IP address logs we collect are for part of our security, maintenance and/or fault finding processes and we have no means of using them to identify individual people.

We use the session cookies to associate your answers with your supplied enrol code. These session cookies are deleted when you close your browser. In the case you use our phone or tablet app and have completed a questionnaire with no internet connection, the data about your responses placed in your local storage will be uploaded to our server the next time you use our app with a connection, and these data will be cleared from local storage upon successful upload.

We only use your email address to send you notifications about any follow-up questionnaires that are due as part of the study you are involved in, or for helping you maintain your account (such as resetting your password), unless you are asked to provide your email address as part of the questionnaire you are completing. This would be very unlikely in a health research study as most researchers aim to use as little personal information as possible. We process your password into a form that masks the actual word or phrase you used, so that not even we can read it once it is stored (this is explained further below in the section entitled ‘How do we protect your personal data?’). We use it only to protect your account so that no one else can log in and submit data as you.

If you only use our services on our phone or tablet app then we do not collect an email address (unless you are asked to provide one as a questionnaire response) or a password, as we use either Apple or Google’s notification system to communicate directly with your device. For this, we store a unique identifier so that we can send you a notification when needed.

How is the information we collect shared?

We give the information we collect only to our trusted clients who are conducting the particular research study or project in which you are involved. You will always be informed/reminded about the identity of the client before you submit any data. Only if we were ordered to do so by law would we share your data with anyone other than our client. Once we have transferred your data and our client has confirmed receipt, we delete your data from our systems.

In addition to reading our privacy policy, you may wish to check how the client for whom we are collecting data will process your personal data once we have transferred it to them. If you are involved in a health research study, this information may be contained within a Patient Information Leaflet given to you by the research team, or if it is a clinical organisation, or a company, then this information should be in their privacy policy.

In order to operate our services, we use servers that are located in Europe. We use servers operated by 1&1 IONOS Limited. Without access the encryption keys of specific study data, 1&1 IONOS Limited is unable to read any of the study data stored on our servers. For hosting our website we use the company One.com A/S, whose server stores IP addresses (and browser/operating system details) of those people visiting our website. When we send email notifications we use the mail servers of either One.com A/S or 1&1 IONOS Limited. We have Data Processor Agreements with both 1&1 and One.com A/S.

How do we protect your personal data?

We use several methods to keep your data safe. These methods comprise both physical and cryptographic approaches. While the physical methods are sophisticated and robust, it is the cryptographic approaches that provide the main security and protection.

The servers we use are provided by 1&1 IONOS Limited located in a secure data centre in the UK that is ISO 27001:2013 certified. We use different types of encryption to keep your data safe. When you submit your responses to a questionnaire, your responses are first encrypted using SSL. Data stored on the server are then encrypted using public key cryptography in combination with an AES-256 algorithm. This means that even if someone were able to gain unauthorised access to our server they would still not be able to read your data without the corresponding private key. Private keys are only stored on authorised encrypted Clinvivo computers that are strictly controlled by Clinvivo employees. When your data is transferred to our client who is conducting the research or project you are involved in, we then use a different type of encryption called PGP, which permits encryption such that only we and the client conducting the research can decrypt the data.

We will only store a ‘hash’ of your password on our system. This is a one-way transformation of your password such that cannot be backward engineered. This means that even if someone gains unauthorised access to our system it would be extremely difficult for them to deduce your actual password. Even if someone could do this, they would still be unable to read your personal data.

How long do we keep your data?

Once we have confirmed with our client that they have received and verified your data, we delete it from our systems. The frequency of data transfer between us and a client varies slightly from study to study, but we would not in any case keep your data for longer than six months after the end of a study. Note it is likely that the client will intend to keep your data for a lot longer than this and information about how long the client plans to keep your data may be described on their privacy policy (or you may have received a Patient Information Leaflet from the client containing this information from if you are involved in a research study).

What is our legal basis for processing the information we collect?

In most cases we will be acting as data processors and we will be contracted by a client. More rarely, we may perform our own studies rather than studies for a client. In these cases we will be acting as a data controller rather than a data processor and our legal basis for collecting your data will be that we have your consent. When you enrol in a study, a study-specific privacy notice will be presented to you that will state our legal basis for that particular study, noting also why we are processing your data, how long we will hold your data, any other recipients of your data, whether we intend to transfer your data to another country, and whether we will use your data to do any automated decision-making or profiling.

How can you exercise your rights under GDPR?

If you are part of a health research study, you may have limited rights to access, move, change, or to erase your personal data. This is to protect the integrity of the research project you are involved in, as our clients who are conducting the research will need to use your data for analysis. Altering the data may compromise the underlying science of their research. If you withdraw from a health research study any data that we have already received as part of a health research study from before the point you withdrew will need to be transferred to our client. If our client is not doing health research, you may have the right to access, move, change, or erase your data. If we are acting as a data processor for a client then you should contact the client about exercising your rights under GDPR. If you do not know who to contact you may contact us using the details at the bottom of this privacy policy and we will provide you with details of the acting data protection officer for our client. If we are conducting the study and you would like to request to exercise any of your rights under GDPR on personal data that we are holding, please contact us using the details at the bottom of this privacy policy and we will respond to your request within 30 days of receipt.

Clinvivo’s Data Protection Officer

If you have any concerns, queries, or complaints about the way we use your personal data you may contact the Data Protection Officer:

Dr Robert Froud
Sportsman Farm
St. Michaels, Tenterden,
Kent, TN30 6SY

Date of last revision

This privacy policy was last updated on May 20, 2022.