Privacy Notice

Last updated: 5/27/2026
Version: 1.0

1. About this notice

Our Service is a private, account-only system used by clinical trial site managers, clinicians, and dieticians to place orders for nutritional products used in clinical trials. Accounts are provisioned by us at the request of trial sponsors. The Service is not publicly accessible and is not intended for use by patients or members of the public.

This notice applies to all users of the Service and to anyone whose personal data is processed through it.

2. Our role: controller and processor

Depending on the data, we act in two different roles under GDPR:

Controller
For your user account data (name, work email, work address, login activity) we are the controller. We decide how this data is collected and used to provide the Service.
Processor
For purchase order data that includes trial participant identifiers, we act as a processor on behalf of the clinical trial sponsor, who is the controller. We process this data only on the sponsor's documented instructions, under a written Data Processing Agreement.

3. What personal data we process

3.1 User account data (as controller)

  • Name and job title
  • Work email address
  • Work address and clinical site affiliation
  • Telephone number (if provided)
  • Authentication data (hashed password, multi-factor authentication settings)
  • Login activity, IP address, browser and device information
  • Audit logs of actions you perform in the Service

3.2 Purchase order data (as processor)

  • Trial participant identifier (a pseudonymous reference number; we do not hold the key linking it to a real person)
  • Clinical trial and site reference
  • Nutritional product, quantity, and delivery instructions
  • Name of the site manager the shipment is addressed to
  • Site shipping address
  • Order history and order status

We do not collect patient names, contact details, home addresses, medical records, diagnoses, or any data that directly identifies a trial participant. The participant identifier is meaningful only to clinical staff at the trial site, who hold the linking information separately.

4. Why we process it and our legal basis

Purpose Data used Legal basis (GDPR)
Providing access to the Service (account creation, authentication, session management) User account data Article 6(1)(b) – performance of a contract; Article 6(1)(f) – legitimate interests in securing the Service
Processing and fulfilling purchase orders Purchase order data, user account data Article 6(1)(b) – performance of a contract; processed on sponsor's instructions where we act as processor
Security monitoring, audit logging, fraud and abuse prevention User account data, login activity, audit logs Article 6(1)(f) – legitimate interests in protecting the Service and its users; Article 6(1)(c) – legal obligation for clinical trial audit trails
Service operation and improvement (error monitoring, performance diagnostics) Server-side technical telemetry Article 6(1)(f) – legitimate interests in operating a reliable Service
Complying with our legal and regulatory obligations As required Article 6(1)(c) – legal obligation

Where we act as processor on behalf of a trial sponsor, the sponsor is responsible for establishing the legal basis under Articles 6 and 9 of GDPR (which typically includes the trial participant's informed consent and the public interest in scientific research). You can request details of the relevant sponsor from us.

5. Where we get your data from

We collect personal data from the following sources:

  • From you, when you use the Service or contact us.
  • From your employer or the trial sponsor, when an account is provisioned for you.
  • From your clinical site, when orders are placed on the system.
  • Automatically, through your use of the Service (login activity, audit logs, technical telemetry).

6. Who we share data with

We share personal data only with:

  • Clinical trial sponsors for whom we process purchase order data.
  • Fulfilment partners who deliver the nutritional products to the trial site.
  • Service providers (sub-processors) who help us operate the Service. Our current sub-processors include:
    • Microsoft Azure (cloud hosting, database, application monitoring) — EU region
    All sub-processors are bound by written contracts that include GDPR-compliant data protection terms.
  • Regulators, auditors, and law enforcement where required by law or in connection with a clinical trial inspection.

We do not sell personal data, share it for advertising, or use it for any marketing purpose.

7. International transfers

Our application servers and databases are hosted in West Europe (Netherlands). Personal data is stored and processed within the European Economic Area (EEA).

In limited circumstances — for example, when a sub-processor provides global technical support — personal data may be accessed from outside the EEA. Where this happens, transfers are protected by Standard Contractual Clauses approved by the European Commission and by additional technical safeguards (such as encryption and access controls). You can request a copy of the relevant safeguards by contacting us.

8. How long we keep data

We retain personal data for the following periods:

Data Retention period
Active user accounts For as long as you have an active account, plus 6 months after deactivation
Purchase order records Up to 25 years after the end of the relevant clinical trial, in line with the EU Clinical Trials Regulation and ICH-GCP archival requirements, or as instructed by the sponsor
Authentication and security logs 3 months
Audit logs of user actions For the duration required by the trial sponsor (typically aligned with trial records)
Technical telemetry (errors, performance) 7 days

When retention periods end, we delete or irreversibly anonymise the data.

9. How we protect data

We use technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit (TLS) and at rest
  • Hosting in EU Azure regions with platform-level security controls
  • Multi-factor authentication for user accounts
  • Role-based access control and the principle of least privilege
  • Audit logging of access to and changes in records
  • Regular security reviews, patching, and vulnerability management
  • Staff training on data protection and confidentiality
  • A documented incident response and breach notification process

10. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data deleted, in certain circumstances
  • Restrict or object to processing, in certain circumstances
  • Receive your data in a portable format, in certain circumstances
  • Withdraw any consent you have given, without affecting prior lawful processing
  • Lodge a complaint with a supervisory authority

For data we process as a processor on behalf of a sponsor, requests are forwarded to the relevant sponsor, who is responsible for responding. We will help you identify the right contact.

To exercise your rights, contact us using the details in section 13. We will respond within one month, unless the request is complex, in which case we may extend by up to two further months and will tell you.

You also have the right to lodge a complaint with your national data protection authority. A list of EU authorities is available at edpb.europa.eu.

11. Cookies and similar technologies

The Service uses only strictly necessary cookies required to operate the site and keep you signed in securely. These cookies do not require your consent under EU law, but we list them here for transparency:

Cookie Purpose Lifetime
.AspNetCore.Session / .AspNetCore.Cookies/ .AspNetCore.Identity Maintains your authenticated session Session / 14 Days
.AspNetCore.Antiforgery.* Protects against cross-site request forgery attacks Session

We do not use cookies or trackers for advertising, marketing, social media, or third-party analytics. Server-side performance and error monitoring is performed without setting cookies on your device.

12. Changes to this notice

We may update this notice from time to time. When we make material changes, we will notify users through the Service and update the "Last updated" date at the top. Continued use of the Service after a change indicates you have read the updated notice.

13. Contact us

For any questions about this notice or to exercise your rights, contact:

Data Protection Contact
Alex Weil / Anagram+Epicured Coordinator
Email
alex@getepicured.com
Postal address
Epicured Inc.
65 Sea Cliff Ave
Glen Cove, NY 11542
United States

Print this notice

©Epicured Inc.