Privacy Policy

Effective February 12th, 2026

Prelude is committed to protecting the privacy and personal information of all individuals whose data is collected. This privacy policy addresses the following topics: 

  • Handling of data collected by Prelude. 
  • Our policies pertaining to the EU General Data Protection Regulation (GDPR) pertaining to data collected using Prelude in the EU. 
  • Our policies pertaining to the Health Insurance Portability and Accountability Act (HIPAA) pertaining to protected health information.
  • Our policies pertaining to the California Consumer Privacy Act (CCPA) pertaining to data collected using Prelude in California. 

To view your personal data stored on PreludeEDC.com and request the alteration, anonymization or removal of said data, please reach out to [email protected].

This policy may be amended and updated from time to time in response to changes in the regulatory environment.

Definitions

Personal Information – is any information relating to a natural person that can be used to identify that individual.

Sensitive Personal Information – Data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data Controller – In the context of GDPR, a data controller determines the purposes and means of processing personal data.

Data Processor – In the context of GDPR, a data processor is responsible for processing personal data on behalf of a controller.

Handling of data collected through our corporate website PreludeEDC.com

Personal Information – When you request additional information about Prelude, contact us via our website, or elect to sign up to receive electronic newsletters, Prelude may require you to provide us with contact information such as your name, company name, phone number and email address. 

Prelude uses this information solely for the purpose of distributing electronic newsletters and marketing materials. This information is not shared with any third party. 

Individuals may opt out of any communications by using the “Unsubscribe” feature which is available in each electronic communication. 

When you request technical support, Prelude may require you to provide us with contact information such as your name, email, and other information that will help Prelude identify and resolve the issue.  

Prelude uses this information solely for the purpose of providing support. This information is not shared with marketing or any third party. 

Browser Data – When you visit our website, your browser sends information such as your IP address, access times and referring Website addresses. The browser does this for every website you visit. This data does not comprise personal information and is used only for gathering high-level statistics about site usage which will be used to improve the quality of our site. It is not disclosed to any third party.

Cookies – Cookies are small pieces of data, stored in text files, that are stored on your computer or other device when websites are loaded in a browser. They are widely used to “remember” you and your preferences, either for a single visit (through a “session cookie”) or for multiple repeat visits (using a “persistent cookie”). They ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies may be set by the site that you are visiting (known as “first party cookies”), or by third parties, such as those who serve content or provide advertising or analytics services on the website (“third party cookies”).

Both websites and HTML emails may also contain other tracking technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted. 

Visitors may wish to restrict the use of cookies or completely prevent them from being set. Most browsers provide ways to control cookie behavior such as the length of time they are stored – either through built-in functionality or by utilizing third party plugins. If you disable cookies, please be aware that some of the features of our service may not function correctly. 

To find out more on how to manage and delete cookies, visit aboutcookies.org. For more details on your choices regarding use of your web browsing activity for interest-based advertising visit youronlinechoices.eu (EU based) or optout.aboutads.info (US based). On a mobile device, you may also be to adjust your settings to limit ad tracking. 

You can opt out of Google Analytics by installing Google’s opt-out browser add-on

Compliance with the EU General Data Protection Regulation (GDPR)

Prelude has policies and procedures in place that support the protection of personal information and sensitive personal information in accordance with the GDPR. Prelude provides the Electronic Data Capture (EDC) and related products that are used by our clients to capture data during the conduct of clinical trials. In the context of GDPR, Prelude is a data processor acting on the explicit contractual direction of our clients who are data controllers. The Prelude system can be used to collect personal information as well as sensitive personal information as required for the clinical trial being conducted. 

Prelude also serves the PreludeEDC.com website, accessible to anyone with a connection to the world wide web. These policies and procedures also apply to PreludeEDC.com and its elements, affording you the same level of protection of personal information. 

On 16 July 2020 the court of Justice of the European Union declared as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.  Prelude implements within its standard MSA, privacy protections that require compliance with local laws; however, our customers that have or anticipate having EU participants in their trials may execute Standard Contractual Clauses as well as Data Processing Agreements to further ensure compliance with GDPR. 

Individual Rights – Our clients are primarily responsible for complying with the individual rights required by the GDPR, and Prelude assists in fulfilling those requests as required. All requests must be responded to within one calendar month.

  • The right to be informed (ref. Article 13 of the GDPR). Individuals have the right to be informed of the purpose for which information is being collected, the retention period, how to contact the data controller or their representative and how to object to processing. This information must be received by the individual prior to collection of any personal information.
  • The right of access (ref. Article 15 of the GDPR). Individuals have the right to access their personal data and can request access either verbally or in writing. A fee may not be charged for this access.
  • The right to rectification (ref. Article 16 of the GDPR). Individuals have the right to request that incorrect data be corrected, and incomplete data be completed.
  • The right to erasure (ref. Article 17 of the GDPR). This right does not apply to information that has already been collected during the conduct of a clinical trial since it is necessary for scientific purposes. Individuals can, however, ask that no further information be collected (see the right to object below).
  • The right to restrict processing (ref. Article 18 of the GDPR). The individual’s right to ask a data controller to stop processing personal information is not applicable to data that has already been collected for clinical trials. Individuals can, however, ask that no further information be collected. 
  • The right to portability (ref. Article 20 of the GDPR). Individuals have the right to obtain and reuse a copy of their data. This copy will be provided in a portable, electronic format.
  • The right to object (ref. Article 21 of the GDPR). Individuals have the right to object to the processing of their data. In the context of a clinical trial, this is equivalent to withdrawal of consent.
  • The right not to be subject to automated decision-making including profiling (ref. Article 22 of the GDPR). Prelude does not support any automated decision-making capabilities.

Compliance with Health Insurance Portability and Accountability Act (HIPAA)

Prelude supports the protection of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). Prelude provides Electronic Data Capture (EDC) and related products that are used by clients to collect and manage PHI during clinical trials. When processing PHI, Prelude acts as a Business Associate and processes PHI solely in accordance with applicable Business Associate Agreements and client instructions.

Prelude’s systems are designed with safeguards to ensure the confidentiality, integrity, and availability of PHI, including:

  • Technical safeguards: Encryption of PHI in transit and at rest, and role-based access controls, unique user identification and authentication mechanisms, and logging and monitoring.
  • Administrative safeguards: Risk management process including risk analysis, documented policies and procedures, contingency planning including data backup and disaster recovery, and incident management.
  • Physical safeguards: Restricted access to facilities and secure data handling, storage, and disposal.

Individual Rights Covered Entities are responsible for providing Notices of Privacy Practices and for responding to individual rights requests under HIPAA. Individuals seeking to exercise their rights (including access, amendment, or accounting of disclosures) should contact their healthcare provider or applicable Covered Entity directly. Prelude supports its clients in fulfilling these obligations as required under applicable agreements.

Breach Notification In the event of a breach of unsecured PHI, Prelude will notify the applicable client without unreasonable delay and in accordance with the HIPAA Breach Notification Rule and the terms of the applicable Business Associate Agreement. Clients are responsible for notifying affected individuals as required by law.

Compliance with the California Consumer Privacy Act (CCPA)   

Applicability  

This section applies solely to individuals who are residents of California. For purposes of this section, “Personal Information” has the meaning given in the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), effective January 1, 2026.  

Prelude generally collects and processes Personal Information in a business-to-business context and, in many cases, acts as a service provider or contractor to its customers. In those situations, we process Personal Information solely on behalf of and pursuant to agreements with our customers. 

How We Collect, Use, and Share your Personal Information  

In the preceding twelve (12) months, we have collected the following categories of Personal Information: 

  • Identifiers, such as name, e-mail address, phone number, IP address, and online identifiers.  
  • Internet or other electronic network activity information, such as browsing activity on our website.  
  • Geolocation data, such as approximate location derived from IP address. 
  • Professional or employment-related information, such as job title and company affiliation
  • Inferences, such as preferences derived from interactions with our website or services.
  • Sensitive Personal Information (limited), such as account credentials used to access our systems.

We collect this information directly from you, automatically through your interaction with our website, or from business partners and service providers. 

Purposes for Collection and Use

We collect and use Personal Information for the following business purposes:

  • To provide, operate, and improve our products and services
  • To communicate with customers and prospective customers
  • To respond to inquiries and provide support
  • To maintain security, integrity, and availability of our systems
  • To comply with legal and regulatory obligations
  • To conduct internal research, analytics, and quality assurance

We use Sensitive Personal Information only for purposes permitted under the CCPA, including providing services, ensuring security, and preventing fraud. We do not use Sensitive Personal Information to infer characteristics about individuals.

Disclosure of Personal Information

In the preceding twelve (12) months, we have disclosed the categories of Personal Information listed above for business purposes to:

  • Service providers and contractors that assist with hosting, security, analytics, communications, and operational support
  • Professional advisors (such as legal and audit providers)
  • Regulatory authorities or other parties as required by law

We require service providers and contractors to use Personal Information only for specified business purposes and to provide appropriate protections consistent with applicable law.

California Privacy Rights  

Subject to certain exceptions, California residents have the following rights under the California Consumer Privacy Act, as amended (CA Civil Code §§ 1798.100–1798.199.100):

  • Right to Know (CA Civil Code §§ 1798.100(a), 1798.110, 1798.115): The right to request disclosure of the categories and specific pieces of Personal Information collected about you, including categories sold, shared, or disclosed for business purposes.
    • Right to Data Portability (CA Civil Code § 1798.100(d)): When exercising your Right to Request to Know, you have the right to receive your Personal Information in a portable and, to the extent technically feasible, readily usable format.
  • Right to Delete (CA Civil Code § 1798.105): The right to request deletion of Personal Information collected from you, subject to statutory exceptions.
  • Right to Correct (CA Civil Code § 1798.106): The right to request correction of inaccurate Personal Information maintained about you.
  • Right to Limit Use and Disclosure of Sensitive Personal Information (CA Civil Code § 1798.121): The right to request that a business limit the use and disclosure of Sensitive Personal Information to purposes permitted by law.
  • Right to Opt-Out of Sale or Sharing (CA Civil Code § 1798.120): The right to direct a business to stop selling or sharing Personal Information. Prelude does not sell or share Personal Information as defined under the CCPA.
  • Right to Non-Discrimination (CA Civil Code § 1798.125): The right not to receive discriminatory treatment for exercising CCPA rights.

Clinical Trial and Research Data

Certain Personal Information processed in connection with clinical trials or biomedical research may be exempt from certain CCPA rights where required to maintain research integrity, comply with regulatory obligations, or where otherwise permitted by law. In many cases, Prelude processes such information solely as a service provider to research sponsors or healthcare entities

How to Exercise Your California Rights  

You may submit a request to exercise your California privacy rights by contacting us using the information provided below.

You may designate an authorized agent to make a request on your behalf. We will take reasonable steps to verify your identity and the authority of your authorized agent before responding to a request.

If you are unable to access this notice due to a disability, please contact us to request this information in an alternative format. 

Data Security                 

Prelude implements appropriate administrative, technical, and physical safeguards designed to protect personal data and Protected Health Information in accordance with applicable data protection and privacy laws.

Data Breaches – In the event of a confirmed data breach involving personal data or Protected Health Information, Prelude will notify the applicable client without undue delay and in accordance with applicable law and the terms of the relevant agreement. Clients are responsible for assessing notification obligations to individuals, regulators, or other authorities, where required.

Data Protection Requests – Where Prelude processes personal data or Protected Health Information on behalf of a clinical trial sponsor, healthcare entity, clinical research organization, or other client, such client is responsible for responding to individual rights requests under applicable laws, including GDPR and HIPAA. Individuals should contact the relevant sponsor, healthcare provider, or data controller directly.

If your request relates to Personal Information collected directly by Prelude (for example, through our website or business interactions), you may contact our Data Protection Officer using the contact details provided below. 

Prelude
Attn: Data Protection Officer
5316 West Highway 290
Suite 320
Austin, Texas 78735

512-476-5100
[email protected]

Join our newsletter to stay up to date

Solutions
Product Capabilities EDC ePRO eConsent RTSM
Services CRO Partnership Professional Services
Our Expertise
Therapeutic Areas Oncology Central Nervous System (CNS) Rare Disease Infectious Disease
Industries Animal Health Medical Devices Biotech & Pharmaceuticals Academia
Company
Why Prelude? About us Careers Contact Resources FAQ

© 2026 Prelude. All rights reserved.

Contact EDC User Agreement Privacy Policy Cookie Settings