Trialflare (the “service”, etc.) is provided by Seastorm Limited. Seastorm Limited ("Seastorm", "we", "us", etc.) considers your privacy to be very important. We will therefore process and use your data in a secure manner in accordance with the General Data Protection Regulations (GDPR) and other applicable laws and regulation. In this document we set out how and why we use your information.
Seastorm Seastorm is a limited company registered in England and Wales, with company number 11867862. Our address is 141 Albany Road, Cardiff, CF24 3NT. You can contact us on hello@seastorm.co with any questions or concerns.
This policy applies to all users and participants of the Trialflare service. This includes usage of our web and mobile apps, and any other approved clients.
This policy also applies to visitors to our website (https://trialflare.com or its subdomains), even if the visitor is not a Trialflare user or participant.
This policy does not apply if you contact us (e.g. via email or otherwise), engage with us in any project or consultancy agreement, engage with us for billing or payment, for any marketing or sales activity, or for anything else not directly related to Trialflare. In these cases, our general Seastorm Limited privacy policy applies, which can be found at https://www.seastorm.co/privacy.
This policy also does not apply if you follow links to any resources outside of our control or services.
For the purposes of relevant data protection regulation, we act as data processor for all users, data and participants on behalf of the host organisation (i.e. the licence-holding organisation or the organisation running a trial), who is the data controller.
Our website does not use cookies to track visitors to the site. However, cookies are used by our live chat technology in order to remember your chat for the next time you visit. We do not use cookies to otherwise track you or your activity — they are for utility only.
You can use your browser’s settings to disable our use of cookies if preferred.
Our web platform (accessible by both Trialflare users and participants) stores small pieces of data in your browser’s local storage. This is done to allow you to login and maintain a login “session” and we cannot provide our services to you without this.
In this section we identify the key points at which we collect data, and the purpose for the
collection.
When you visit our website(s) or web application(s) using a web browser, we collect some data about your computer and the way our services are used by you, even if you don't have an account. We do not collect your name or other personal details about you at this stage, but we may process information such as your computing device’s country and details about your browser and where you arrived from. We do this for observing aggregated usage of our services, so that we can better understand how to improve our services for their audiences. The legal basis for processing this data is a legitimate interest in recording aggregated analytics data for improvement purposes and to see how often people visit our website.
The service allows you to register for an account. This is the primary way by which we collect personal data from you, since such data is needed in order to identify you when you want to login and use these services. We may also use your email address to update you on platform updates and notifications, which you can control. When signing-up we collect your email address, name, and password.
We ask you for consent to this policy when you create or enrol an account, and the legal basis for processing this data is a legitimate interest in being able to provide services to you and to also to enable us to deliver contracted services as a supplier to your (or the host) organisation.
As you continue to use Trialflare, key actions you take are logged for audit and compliance purposes with your host organisation. This audit log data may include your IP address and browser information and is collected for the purposes of compliance and legal record-keeping duties.
We do not ask for or collect any additional personal data (further to the items above) as you use our services as a logged-in user. We do collect data relating to trials, configurations, and settings, and other information you wish to provide.
You can modify your account details (including personal data) using your account settings.
The service allows you to “login” to a trial as a participant, however we do not ask for or collect personal data relating to participants as part of usual operation. When you login to a trial, we collect a participant ID and trial code for the purposes of granting you access to the trial, however your participant ID should not contain any personally-identifiable information.
As a participant, the data you provide (including any personal data) is protected by the privacy policy or the terms of the host organisation (i.e. the organisation running the trial), and you will have the opportunity to read these terms before you agree to join the trial. The host organisation may maintain “deblinding” information, which enables them to determine who a particular participant is from their ID. It is that organisation’s responsibility to ensure that this deblinding information and process is kept safe and secure.
As you submit data for the study, Trialflare may collect your IP address and browser/device information. This is done for audit and compliance purposes, and the legal basis for collecting this data is for legal record-keeping duties.
If you are a participant and make use of the additional “eConsent” feature when joining a trial, you may be required to provide a mixture of your name, email address, and phone number (depending on the compliance needs of the study). We collect this data in order to complete the eConsent verification process and for compliance purposes in accordance with the host organisation needs and ethical requirements, or to enable you to receive important communications related to the study via email, SMS or WhatsApp.
In some cases, trial administrators may also associate your personal details (such as your name, email address and phone number) directly with your Trialflare participant record in the study (for example, if you attend a study centre to register as a participant, or remotely). This could be to ensure you can receive notifications, reminders, or other information during the course of the study, or in case if emergency. The host organisation should make this processing clear to you at the point at which this data is collected, and should supply their own privacy policy to describe how this data will be safeguarded.
All participant personal information that is collected as described above is processed securely by us on behalf of the host organisation, who remain the data controller of such data.
During a trial, you will be asked to provide information in relation to the trial. We collect this data for the purposes of running the trial. This data is protected by the privacy policy or terms of the host organisation, to which you would have agreed during the login process and should be available on-request to the host organisation.
We work with selected subprocessors to help run our services, as described below.
Amazon Web Services (AWS): We use AWS to host and run our services.
Mailgun: We use Maligun for the purposes of sending emails to registered users (for example, password reset emails or notifications, or during the eConsent verification process or as study participant reminders). To send the mail, we provide this subprocessor with your email address.
Twilio: We use Twilio for the purposes of sending SMS (text messages) and WhatsApp messages (for example, during the eConsent verification process or to receive study reminders and information). To send the SMS or WhatsApp messages, we provide this subprocessor with your phone number.
As a Trialflare user, Seastorm staff responsible for managing or maintaining your organisational account can view your account and its data, with the exception of passwords, which are fully encrypted. Other users in your team may be able to view your profile information (such as your name or email) if they have the appropriate permissions (e.g. they are administrators).
As a study participant, the data you provide as part of eConsenting, accessing or participating in a trial can be viewed by relevant staff in your trials’ host organisation(s), as determined by their own privacy policy. Seastorm administrators and staff can also access this data.
We may be required to provide data to legal authorities if we receive such a request or warrant. If Seastorm is purchased or otherwise has its control transferred to another organisation or body, then data we hold will also be transferred to the new business controller. However your data will still only be used for the same purpose for which it was originally supplied to us. In any case, we act and will take steps with the aim of ensuring your privacy is protected.
As a Trialflare user, we keep your account data (e.g. name and email address) for as long as your account is active. You can fully and irreversibly delete your account at any time from within your account settings. Content created by you or your organisation (e.g. trials and data types) will be kept until they are deleted by someone with the correct permissions (e.g. the person who created it, or an administrator).
As a participant, retention of your data is controlled by your trials’ host organisation(s). You should reach out to a trial administrator or the Trialflare team for more information on this or to request that your data is updated and/or deleted.
When a licence ends (and is not due to be renewed), we work with the organisation to off board data in-line with a pre-agreed plan. All data will then be deleted from Trialflare systems.
When data is deleted from Trialflare systems, the deletion is done securely such that the data is non-recoverable (we do not use “deletion flags”).
Please note that data held in backup systems may be held for up to an additional 30 days after it is deleted from our services.
We store and process all user, participant, and study data within our UK data centres, and this includes backups.
When sending communications (e.g. emails, SMS and WhatsApp messages) we use Mailgun’s EU servers for transmitting email. Twilio’s services are based in the EU and the US.
Your data is well-protected. We use industry grade practices to help prevent against unauthorised access. This includes fully encrypting data in-transit (e.g. between your device and our servers, and between our servers) and at-rest (e.g. when it is saved onto the hard disks of our database servers).
We use data centres that practice advanced protection mechanisms to prevent unauthorised access.
Children under the age of 16 are not allowed to use our services or to directly provide us with personal data. As such, we do not knowingly store or process personal data relating to children under the age of 16.
As an individual, you have rights with regard to personal data processed by us. Should you wish to exercise any of these rights then please get in touch with the email address shown on this policy. We will endeavour to action any rights within one business week.
At any time you have the right to know about any personal data we hold about you.
You have the right to have your personal data corrected or updated or deleted.
You have the right to object to us processing your data.
You have the right to request your data in a sensible format such that it can be transferred to a different provider or system.
If you feel you are being affected by us carrying out actions as a result of an automated process, to which you object to, you can object. We do not use automated decision making in a way that will affect an individual.
If you have provided consent for us to process your personal data, you can withdraw this consent at any time. This can be achieved by deleting your account, or by reaching out to us.
If you would like to complain about the way in which we have handled your personal data, or about this policy, then please get in touch with us using the details in this policy.
You may also get in touch with the Information Commissioner's Office (https://ico.org.uk) to raise a complaint.
