PRIVACY POLICY

My Trial Journey (MTJ)

Effective Date: May 18, 2026  |  Last Updated: May 18, 2026

1. Introduction

My Trial Journey ("MTJ," "we," "our," or "us") is a clinical trial patient engagement platform operated by CSS (Clinical Site Services LLC). This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use the MY TRIAL JOURNEY mobile application (available on Android and iOS), the MY TRIAL JOURNEY web portal (mytrialjourney.com), the Site Coordinator Portal, or the Admin Portal (collectively, the "Services").

We process your personal information on the legal bases described in Section 6 of this Policy. Where we rely on your consent to process special category health data, you have the right to withdraw that consent at any time by contacting us at [email protected]. If you do not agree with this Policy, please do not access or use our Services.

2. Information We Collect

2.1 Personal Information Provided by You

When you register, enroll in a clinical trial, or use our Services, we may collect: full name (first name, last name, middle initial); date of birth and age; email address; phone number; profile avatar or image; and account credentials (email and password, secured via OTP authentication).

2.2 Clinical Trial and Health-Related Information

In connection with your participation in clinical trials, we may collect: study and site enrollment information (study name, site name, project number); visit and appointment schedules (past and upcoming); patient status and origination data; medical records references; mood check-in responses; chat messages exchanged with site coordinators; and form submissions and consent records.

2.3 Technical and Usage Information

We automatically collect certain information when you use our Services, including: device type, operating system, and app version; browser type (for web portal access); log data and usage analytics; push notification tokens; and IP address.

2.4 Information from Third-Party Integrations

We may receive information from integrated Clinical Trial Management Systems (CTMS) such as Real Time CTMS (Empathix/Elixir) to synchronize patient and site data as authorized by the clinical trial sponsor.

3. How We Use Your Information

We use the information we collect to:

  • facilitate your enrollment and participation in clinical trials;
  • manage study site assignments and visit schedules;
  • enable secure communication between patients and site coordinators via in-app chat;
  • send system-generated notifications (e.g., appointment reminders, OTP codes) via our no-reply email ([email protected]);
  • respond to support requests submitted through [email protected];
  • provide site coordinators and administrators with patient management dashboards;
  • synchronize patient data bidirectionally with authorized CTMS platforms;
  • perform quality assurance testing and bug resolution;
  • improve and optimize our Services; and
  • comply with legal and regulatory requirements, including GDPR, HIPAA, and ICH-GCP guidelines.

4. How We Share Your Information

We do not sell your personal information. We may share your information with the following parties:

Clinical Trial Sponsors and CROs

To fulfill trial obligations with sponsors such as Regeneron, Fortrea, and other applicable partners.

Site Coordinators and Investigators

Authorized site personnel who manage your trial participation through the Site Coordinator Portal.

Service Providers

Third-party vendors who assist in operating our Services, including cloud hosting (Amazon Web Services), authentication services (CSS B2C via Microsoft Azure AD), communication services (Twilio for SMS and notifications), and CTMS integration partners (Real Time/Empathx).

Legal and Regulatory Authorities

When required by law, regulation, or legal process.

Affiliated Entities

Within the CSS corporate family for operational purposes.

5. Data Storage and Security

5.1 Infrastructure

Your data is stored on secure Amazon Web Services (AWS) infrastructure. We implement industry-standard security measures, including:

  • encryption of data in transit and at rest;
  • network security controls (VPC, security groups, network ACLs) monitored via AWS Config rules aligned with GDPR Article 32(1)(a);
  • AWS GuardDuty for threat detection;
  • CloudWatch monitoring and GDPR-specific audit logging for data access, sessions, errors, and exports/downloads;
  • SQL Server security, performance, and connection monitoring; and
  • regular penetration testing and disaster recovery testing.

5.2 Access Controls

Role-based access controls within the Admin Portal restrict data visibility based on user roles. Site coordinators can only view patients and data associated with their assigned sites. Administrative access is limited to authorized personnel.

5.3 OTP Authentication

Account access is secured via One-Time Password (OTP) codes delivered through a dedicated no-reply email address. This email is used exclusively for authentication and system notifications and does not accept inbound messages.

6. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract – processing necessary to provide the Services you have enrolled in;
  • Legal Obligation – processing required to comply with applicable laws, including GDPR, HIPAA, and ICH-GCP guidelines;
  • Explicit Consent – for the processing of special category health data under GDPR Article 9(2)(a), we rely on your explicit consent provided at enrollment;
  • Legitimate Interests – for analytics, platform security, and service improvement where these interests are not overridden by your rights.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected].

7.1 GDPR Rights (EU/UK Users)

You have the right to:

  • access a copy of your personal data (Art. 15);
  • rectify inaccurate data (Art. 16);
  • request erasure where no longer necessary (Art. 17);
  • restrict processing in certain circumstances (Art. 18);
  • receive your data in a structured, machine-readable format (data portability, Art. 20);
  • object to processing based on legitimate interests (Art. 21); and
  • withdraw consent at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, or the relevant EU Data Protection Authority).

7.2 HIPAA Rights (US Users)

If your information constitutes Protected Health Information (PHI) under HIPAA, you have the right to access, amend, and receive an accounting of disclosures of your PHI. Requests should be submitted to [email protected].

7.3 CCPA Rights (California Users)

California residents have the right to:

  • know what personal information is collected and how it is used;
  • request deletion of personal information;
  • opt out of the sale of personal information (we do not sell personal information); and
  • not be discriminated against for exercising these rights.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Policy or as required by law. Clinical trial data, including health records and consent forms, is retained for the minimum period required by the applicable clinical trial sponsor and regulatory framework (typically 15 years under ICH E6 GCP guidelines or as specified in the study protocol). Account and profile data is retained for the duration of your active account plus two years. Technical and usage logs are retained for up to 12 months. Upon request, we will delete or anonymize personal data that is no longer required, subject to any overriding legal or regulatory retention obligations.

9. Cookies and Tracking Technologies

The MY TRIAL JOURNEY web portal (mytrialjourney.com) uses essential cookies and similar technologies to support authentication (session cookies), security, and core platform functionality. We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the web portal. The mobile applications (iOS and Android) do not use web cookies but may use device identifiers and push notification tokens as described in Section 2.3.

10. Children's Privacy

Our Services are not directed to children under the age of 13 in the United States. For clinical trials that enroll participants under 18, data is collected and processed in accordance with the applicable study protocol and with the explicit consent of a parent or legal guardian, as required by applicable law and ethics regulations. If you believe we have inadvertently collected information from a child without appropriate consent, please contact us at [email protected].

11. International Data Transfers

Your personal data may be transferred to, stored, and processed in the United States and other countries where our service providers operate. If you are located in the European Economic Area (EEA) or United Kingdom, we ensure that such transfers comply with applicable data protection laws, including through the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. By using our Services, you acknowledge that your data may be transferred internationally in accordance with this Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the email address associated with your account and/or by posting a prominent notice within the app or web portal at least 14 days before the changes take effect. The updated Policy will indicate the new effective date. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy. If you do not agree with the updated Policy, you should discontinue use of the Services.

13. Contact Us and Data Protection Officer

If you have questions about this Privacy Policy, wish to exercise your rights, or have a concern about our data practices, please contact us:

My Trial Journey — Privacy Team

For GDPR-related enquiries, our designated contact for data protection matters can be reached at the email above. EU/UK users also have the right to lodge a complaint with their local supervisory authority.

MyTrialJourney Privacy Policy — Version 1.0