Privacy Notice
1. About this notice
Our Service is a private, account-only system used by clinical trial site managers, clinicians, and dieticians to place orders for nutritional products used in clinical trials. Accounts are provisioned by us at the request of trial sponsors. The Service is not publicly accessible and is not intended for use by patients or members of the public.
This notice applies to all users of the Service and to anyone whose personal data is processed through it.
2. Our role: controller and processor
Depending on the data, we act in two different roles under GDPR:
- Controller
- For your user account data (name, work email, work address, login activity) we are the controller. We decide how this data is collected and used to provide the Service.
- Processor
- For purchase order data that includes trial participant identifiers, we act as a processor on behalf of the clinical trial sponsor, who is the controller. We process this data only on the sponsor's documented instructions, under a written Data Processing Agreement.
3. What personal data we process
3.1 User account data (as controller)
- Name and job title
- Work email address
- Work address and clinical site affiliation
- Telephone number (if provided)
- Authentication data (hashed password, multi-factor authentication settings)
- Login activity, IP address, browser and device information
- Audit logs of actions you perform in the Service
3.2 Purchase order data (as processor)
- Trial participant identifier (a pseudonymous reference number; we do not hold the key linking it to a real person)
- Clinical trial and site reference
- Nutritional product, quantity, and delivery instructions
- Name of the site manager the shipment is addressed to
- Site shipping address
- Order history and order status
We do not collect patient names, contact details, home addresses, medical records, diagnoses, or any data that directly identifies a trial participant. The participant identifier is meaningful only to clinical staff at the trial site, who hold the linking information separately.
4. Why we process it and our legal basis
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing access to the Service (account creation, authentication, session management) | User account data | Article 6(1)(b) – performance of a contract; Article 6(1)(f) – legitimate interests in securing the Service |
| Processing and fulfilling purchase orders | Purchase order data, user account data | Article 6(1)(b) – performance of a contract; processed on sponsor's instructions where we act as processor |
| Security monitoring, audit logging, fraud and abuse prevention | User account data, login activity, audit logs | Article 6(1)(f) – legitimate interests in protecting the Service and its users; Article 6(1)(c) – legal obligation for clinical trial audit trails |
| Service operation and improvement (error monitoring, performance diagnostics) | Server-side technical telemetry | Article 6(1)(f) – legitimate interests in operating a reliable Service |
| Complying with our legal and regulatory obligations | As required | Article 6(1)(c) – legal obligation |
Where we act as processor on behalf of a trial sponsor, the sponsor is responsible for establishing the legal basis under Articles 6 and 9 of GDPR (which typically includes the trial participant's informed consent and the public interest in scientific research). You can request details of the relevant sponsor from us.
5. Where we get your data from
We collect personal data from the following sources:
- From you, when you use the Service or contact us.
- From your employer or the trial sponsor, when an account is provisioned for you.
- From your clinical site, when orders are placed on the system.
- Automatically, through your use of the Service (login activity, audit logs, technical telemetry).
6. Who we share data with
We share personal data only with:
- Clinical trial sponsors for whom we process purchase order data.
- Fulfilment partners who deliver the nutritional products to the trial site.
-
Service providers (sub-processors) who help us operate the Service. Our
current sub-processors include:
- Microsoft Azure (cloud hosting, database, application monitoring) — EU region
- Regulators, auditors, and law enforcement where required by law or in connection with a clinical trial inspection.
We do not sell personal data, share it for advertising, or use it for any marketing purpose.
7. International transfers
Our application servers and databases are hosted in West Europe (Netherlands). Personal data is stored and processed within the European Economic Area (EEA).
In limited circumstances — for example, when a sub-processor provides global technical support — personal data may be accessed from outside the EEA. Where this happens, transfers are protected by Standard Contractual Clauses approved by the European Commission and by additional technical safeguards (such as encryption and access controls). You can request a copy of the relevant safeguards by contacting us.
8. How long we keep data
We retain personal data for the following periods:
| Data | Retention period |
|---|---|
| Active user accounts | For as long as you have an active account, plus 6 months after deactivation |
| Purchase order records | Up to 25 years after the end of the relevant clinical trial, in line with the EU Clinical Trials Regulation and ICH-GCP archival requirements, or as instructed by the sponsor |
| Authentication and security logs | 3 months |
| Audit logs of user actions | For the duration required by the trial sponsor (typically aligned with trial records) |
| Technical telemetry (errors, performance) | 7 days |
When retention periods end, we delete or irreversibly anonymise the data.
9. How we protect data
We use technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (TLS) and at rest
- Hosting in EU Azure regions with platform-level security controls
- Multi-factor authentication for user accounts
- Role-based access control and the principle of least privilege
- Audit logging of access to and changes in records
- Regular security reviews, patching, and vulnerability management
- Staff training on data protection and confidentiality
- A documented incident response and breach notification process
10. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data deleted, in certain circumstances
- Restrict or object to processing, in certain circumstances
- Receive your data in a portable format, in certain circumstances
- Withdraw any consent you have given, without affecting prior lawful processing
- Lodge a complaint with a supervisory authority
For data we process as a processor on behalf of a sponsor, requests are forwarded to the relevant sponsor, who is responsible for responding. We will help you identify the right contact.
To exercise your rights, contact us using the details in section 13. We will respond within one month, unless the request is complex, in which case we may extend by up to two further months and will tell you.
You also have the right to lodge a complaint with your national data protection authority. A list of EU authorities is available at edpb.europa.eu.
11. Cookies and similar technologies
The Service uses only strictly necessary cookies required to operate the site and keep you signed in securely. These cookies do not require your consent under EU law, but we list them here for transparency:
| Cookie | Purpose | Lifetime |
|---|---|---|
.AspNetCore.Session / .AspNetCore.Cookies/ .AspNetCore.Identity |
Maintains your authenticated session | Session / 14 Days |
.AspNetCore.Antiforgery.* |
Protects against cross-site request forgery attacks | Session |
We do not use cookies or trackers for advertising, marketing, social media, or third-party analytics. Server-side performance and error monitoring is performed without setting cookies on your device.
12. Changes to this notice
We may update this notice from time to time. When we make material changes, we will notify users through the Service and update the "Last updated" date at the top. Continued use of the Service after a change indicates you have read the updated notice.
13. Contact us
For any questions about this notice or to exercise your rights, contact:
- Data Protection Contact
- Alex Weil / Anagram+Epicured Coordinator
- alex@getepicured.com
- Postal address
- Epicured Inc.
65 Sea Cliff Ave
Glen Cove, NY 11542
United States