Privacy Policy

Privacy Policy

Frontage Laboratories, Inc. is a leading global Contract Research Organization in the United States.

This privacy policy applies to the Company and its affiliates and subsidiaries in the United States (hereinafter collectively referred to as the “Company,” “we,” “us” or “our”). 

The Company has certified its compliance with the EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles. The Company is committed to subjecting, and does subject, all personal data received from the European Economic Area (EEA or Switzerland), in reliance on the Data Privacy Framework, to the Framework’s applicable Principles. To learn more about the Data Privacy Framework, visit the U.S. Department of Commerce’s Data Privacy Framework List: https://www.dataprivacyframework.gov/list.

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, the Company commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF.

US residents using our website or services may have further protections under State specific Privacy regulations.

The Company is a global company with affiliates, varied business processes, management structures, and technical systems that cross borders. Information collected by the Company or on our behalf may be stored on our servers and may be transferred to, accessed from, or stored and processed in, the United States and other countries or regions including but not limited to the EU and China, and any other country where the Company or its service providers maintain facilities. This policy will be adhered to at all times regardless of your jurisdiction and we will endeavor to protect your privacy rights at all times regardless of the location of our processing.

This privacy policy outlines our general policy and practices for implementing the principles, including the types of information we gather, how we use it, notify, and confirm with affected individuals regarding our use of information, and their ability to correct that information. This privacy policy applies to all personal information received by the Company whether in electronic, paper or verbal format

The details of the Company’s privacy policy are below. This policy applies to all aspects of the Company’s operations. If you have questions about our privacy policy, please email privacy@frontagelab.com.

PP.1.1. Overview of the Company’s Services

The Company is a leading contract research organization specializing in collaborations with pharmaceutical & biotech companies to help them bring drug candidates to market. All service offerings are supported by computerized systems which, dependent on their applicability are compliant with the International Conference on Harmonization (ICH), Good Clinical Practices (GCP) E6(R2), and 21 CFR Part 11 Electronic Records and Signatures and are, by design, not intended to process unblinded personal information.

PP.1.2. Alignment with Privacy Regulations and Statutory requirements

The Company is committed to ensuring the privacy of our website visitors, our customers, and the patients whose data we process. In order to transparently do so, our alignment with major domestic and international privacy is described below. Broadly and regardless of jurisdiction or country of residency, privacy inquiries specific to our use or processing of your data are welcomed via privacy@frontagelab.com. We will require verification of identity before processing a query or complaint.

PP.1.3. EU-U.S.& Swiss-U.S. Data Privacy Framework

The Company’s Privacy Policy describes the types of personal data the Company may process, the types of third parties to which it discloses personal data and the purposes for which it does so. Residents of the EEA or Switzerland have the right to access the personal data that the Company maintains and, in some cases, may have the right to correct or amend information that is inaccurate or has been processed in violation of the Data Privacy Framework Principles, to the extent allowed by law. To exercise this right, contact us at privacy@frontagelab.com.

The Company complies with the EU-U.S. Data Privacy Framework and the Swiss – U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. The Company has certified to the Department of Commerce that it adheres to the Date Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Company is responsible for the processing of personal data it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. The Company complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EEA or Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Data Privacy Framework, the Company is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Company may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Residents of the EEA or Switzerland with inquiries or complaints regarding this Privacy Policy should first contact the Company Data Protection Officer via the contact information listed in the Website Privacy Policy below. If your privacy concern is not resolved satisfactorily, please contact the Data Protection Authority in your country of origin. Under certain conditions, more fully described on the Data Privacy Framework Program website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

PP.1.4. Legal Basis of Processing Data

We may process Personal Data under the following conditions:

• Consent: You have given Your consent for processing Personal Data for one or more specific purposes.
• Participation in a Clinical Study: You have given consent to be an active participant in a clinical study which may be listed on https://clinicaltrials.gov/
• Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
• Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
• Vital interests: Processing Personal Data is necessary to protect your vital interests or of another natural person.
• Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
• Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.

Under all conditions and at the request of an impacted data subject the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

PP.1.5. Data Collection & Use

You may exercise Your rights of access, rectification, cancellation, and opposition by contacting frontage.privacy@promedim.com. Please note that we may ask you to verify your identity before responding to such requests, and further by making your request you are consenting for the personally identifiable information that you have provided to be used in the course of our internal response to your query or complaint.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, if You are in the European Economic Area (EEA or Switzerland), please contact your local data protection authority in the EEA or Switzerland.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation will not be collected unless:

a. You have given explicit consent to the processing of those personal data for one or more specified purposes, most commonly as a participant in a clinical study or analysis that the Company is performing on behalf of a study sponsor or a health care professional under whose care you currently reside;

b. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; or

c. An additional exception rule of GDPR Article 9 is met.

PP.1.6. Choice

When possible, the Company will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, the Company will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. The Company shall treat as Sensitive Personal Information any information received from an individual where the individual would treat and identify it as Sensitive Personal Information.

PP.1.7. Data Sharing: Personally, Identifiable Information

The Company will not rent or sell your personally identifiable information to others. We may store personal information in locations outside the direct control of the Company (for instance, on servers or databases co-located with hosting providers). Any personally identifiable information you elect to make publicly available on our website or social media channels such as posting comments on our twitter feed, will be available to others. If you remove information that you have made public on our website or social media channels, copies may remain viewable in cached and archived pages of our website, or if other users have copied or saved that information. Our twitter feed, LinkedIn page and YouTube channel are managed by third-party applications that may require you to register to post a comment. You will need to contact or login into the third-party application if you want the personal information that was posted to the site in question removed. To learn how the third-party application uses your information, please review their privacy policy.

PP.1.8. Data Sharing: Non-Personally Identifiable Information

We may share non-personally identifiable information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with interested third parties to help them understand the usage patterns for certain the Company services and those of our partners. Such data consists solely of non-personally identifiable information. If you choose to publish any personally identifiable information during an interaction with a Company service or member of personnel you understand and agree that this information, along with any personally identifiable information you choose to make available in connection with such results, may be made publicly available. If you remove information that you have made public on the website, copies may remain viewable in cached and archived pages of the website, or if other users have copied or saved that information, this is inclusive of social media postings. Non-personally identifiable information may be stored indefinitely.

PP.1.9. Legal Requirements

We may disclose such data in response to subpoenas, court orders, or other legal processes, or to establish or exercise our legal rights and obligations or defend against legal claims.

PP.1.10. Children

Our services and this website are not intended for children under the age of 16, and we do not knowingly collect information from children under the age of 16. If you are concerned that such information has been collected inadvertently or otherwise, please contact privacy@frontagelab.com.

PP.1.11. Personal Data Protection Rights

Citizens of the EEA or Switzerland have full rights to access, update, object to, restrict, or request deletion of personal data or make use of data portability. If you wish to do so, contact us at privacy@frontagelab.com stating that request. We will respond within 96 hours of your request.

PP.1.12. EEA/Swiss Citizens Rights under the GDPR

The Company undertakes to respect the confidentiality of your Personal Data and to guarantee you can exercise your rights.

You have the right under this Privacy Policy, and by law if you are within the EEA or Switzerland, to:
• Request access to your Personal Data: The right to access, update or delete the information that we hold about you. Whenever made possible, you can access, update or request deletion of your personal data by making a request via privacy@frontagelab.com.
• Request correction of the Personal Data that we hold about you: You have the right to have any incomplete or inaccurate information we hold about you corrected.
• Object to processing of your Personal Data: This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation which makes you want to object to our processing of your Personal Data on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes (not a Company business practice).
• Request erasure of your Personal Data: You have the right to ask us to delete or remove Personal Data when at the conclusion of our data processing activities.
• Request the transfer of your Personal Data: We will provide to you, or to a third-party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for and does not apply to deidentified or blinded clinical study data that we have processed.
• Allow the Company, by your own consent, to process your data in conjunction with our contracted business practices.
• Withdraw your consent: you have the right to withdraw your consent on using your Personal Data. If you withdraw your consent, the Company will be unable to perform the contracted services we are engaged in, on your behalf.

PP.1.13. Voluntarily Submitted Information on our Websites

This privacy policy applies to our corporate websites and explains how the Company collects, uses, and share information on the website that links to this policy (collectively “Website”). By using the Website, you agree to the terms of this Privacy Policy. 

PP.1.14. Information Collection & Use

When you use the Website, you may encounter areas that allow you to voluntarily enter personal data, which includes your name, email address, telephone number and mailing address.

You may provide this information to us when you sign up for our newsletter, request information about products, apply for a job, fill out surveys, or otherwise provide personal data to us.

PP.1.15. Website Usage Information

When you browse our Website, we may collect various types of usage information, including, but not limited to, IP address, web pages visited, links clicked, your operating system and browser type and your mobile device identifier. Such information is used for the purposes of operating and improving our Website, analyzing demographic and statistical research about website usage, customizing offers and monitoring the Website for compliance with our terms of service and the law, as well as other purposes.

This usage information may be collected through various technologies, including but not limited to “cookies.”

Through interaction with our public website, we may collect various types of information, including personal data, from mobile devices using cookies, scripts, web beacons, software development kits (“SDK”), or other similar techniques. These technologies are used to collect digital actions of users that visit and use mobile websites and apps or interact with our website.

The data we collect can include a device identifier, browser and operating system type and version, device type and other data from or about a mobile device including precise location data, as well as information about users’ web viewing, app use, and demographic data collected by other parties such as gender or year of birth. This data may be collected over time across different apps, websites, browsers or devices.

We limit the use of data voluntarily shared via our website for purposes including analytics; research; reporting; attribution; Service enhancements and other business operations; predicting possible relationships among different browsers and devices; differentiating and/or associating multiple device users as well as associating devices or users with locations such as a household or workplace.

Entry of direct personal information into our website (your name, telephone number) requires your affirmative consent.

We will not sell, rent, license, trade or disclose your personal data collected through our Websites to an unaffiliated third party.

PP.1.16. Security

We follow generally accepted security standards to help protect the personal data submitted to us, both during transmission and once it is received. Data security is managed by our Information Security Management System.

PP.1.17. The Company as the Data Controller or Processor

When the Company acts as the data controller we are committed to the enforcement of all aspects of this policy. We have developed internal mechanisms for the receipt of complaints, for the communication of data breaches and for joint data processing engagements.

We are committed to adhering to the codes of conduct for patient privacy and study integrity as outlined by the International Conference on Harmonization for Good Clinical Practices E6(R2). Technical and organizational measures which are designed to implement data-protection principles, such as pseudonymization and data minimization, will be applied as necessary and required by the study protocol and with the express consent of the study participants (data subjects).

Where processing is to be carried out by the Company on behalf of a controller, we are committed to agreeing a mutually executed Data Processing Agreement. The Company shall not engage another processor without prior specific or general written authorization of the controller.

In the case of general written authorization (as codified by our Data Processing Agreement), the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

All Company associates are trained on both this policy and additional internal privacy practices that have been created in support of this policy.

PP.1.18. In the event of a Data Breach

We have developed an internal process for the identification and processing of data breaches. In the event of a personal data breach, where feasible and not later than 72 hours after having become aware of it, the Company will notify the personal data breach to the supervisory authority competent in accordance with either Article 55 for EU and Swiss subjects (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the affected person(s)) or the national or state competent authority relevant to the residence of the Data Subject.

Further, as mitigation against data breaches and as an integrated part of our Information Security Management System, we have integrated Data Protection Impact Assessments (DPIA) into our Security Risk Register.

We are additionally committed to the enforcement of The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 for US Data Subjects and the CCPA.

If you are concerned that you have been impacted by a breach as a direct result of the Company processing your data, contact our Data Protection Officer: frontage.privacy@promedim.com.

PP.1.19. For residents of US States that have enacted Privacy Regulations one or more of the following rights may apply:

• Right to access — The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or some combination of similar information.

• Right to correct — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.

• Right to delete — The right for a consumer to request deletion of personal information about the consumer under certain conditions.

• Right to opt out of certain processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.

• Right to portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.

• Right to opt-out of sales — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.

• Right to opt in for sensitive data processing — The right for a consumer to opt in before a business can process their sensitive data.

• Right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.

• Private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.

PP.1.20. Exercising Your Data Protection Rights

In order to exercise any of your rights under your individual State’s regulation, as a resident of the respective state, you can email us at privacy@frontagelab.com. The Company will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

PP.1.21. State Privacy Regulation: Do Not Sell My Personal Information 

We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology that “sells” personal information as defined by the relevant state law. If you wish to opt out of the use of your personal information for interest- based advertising purposes and these potential sales as defined under your state of residence’ law, you may do so by following the instructions below.

Please note that any opt out is specific to the browser You use. You may need to opt out on every browser that you use.

You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions as prompted.

The opt out will place a cookie on Your computer that is unique to the browser you use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.

PP.1.22. Links to Other Websites

Our Website may contain links to other websites that are not operated by the Company. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

PP.1.23. Changes to this Privacy Policy

The Company reserves the right to update or modify this Privacy Policy at any time without prior notice. 

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

PP.1.24. Contact Us

If you have questions or queries regarding our privacy policy or practices, please contact us, at:

Frontage Laboratories, Inc
700 Pennsylvania Drive, Exton, PA 19341 (HQ)

privacy@frontagelab.com

Our Data Protection Officer can be reached at: support@privacy24.freshdesk.com

As a Data Privacy Framework registered organization, we will respond to your request within 45 days.

Last updated as of August 19, 2024.