Privacy Policy

Effective February 6th, 2025

Prelude is committed to protecting the privacy and personal information of all individuals whose data is collected. This privacy policy addresses the following topics: 

  • Handling of data collected by Prelude. 
  • Our policies pertaining to the EU General Data Protection Regulation (GDPR) pertaining to data collected using Prelude in the EU. 
  • Our policies pertaining to the Health Insurance Portability and Accountability Act (HIPAA) pertaining to protected health information.
  • Our policies pertaining to the California Consumer Privacy Act (CCPA) pertaining to data collected using Prelude in California. 

To view your personal data stored on PreludeEDC.com and request the alteration, anonymization or removal of said data, please reach out to [email protected].

This policy may be amended and updated from time to time in response to changes in the regulatory environment.

Definitions

Personal Information – is any information relating to a natural person that can be used to identify that individual.

Sensitive Personal Information – Data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data Controller – In the context of GDPR, a data controller determines the purposes and means of processing personal data.

Data Processor – In the context of GDPR, a data processor is responsible for processing personal data on behalf of a controller.

Handling of data collected through our corporate website PreludeEDC.com

Personal Information – When you request additional information about Prelude, contact us via our website, or elect to sign up to receive electronic newsletters, Prelude may require you to provide us with contact information such as your name, company name, phone number and email address. 

Prelude uses this information solely for the purpose of distributing electronic newsletters and marketing materials. This information is not shared with any third party. 

Individuals may opt out of any communications by using the “Unsubscribe” feature which is available in each electronic communication. 

When you request technical support, Prelude may require you to provide us with contact information such as your name, email, and other information that will help Prelude identify and resolve the issue.  

Prelude uses this information solely for the purpose of providing support. This information is not shared with marketing or any third party. 

Browser Data – When you visit our website, your browser sends information such as your IP address, access times and referring Web site addresses. The browser does this for every website you visit. This data does not comprise personal information and is used only for gathering high-level statistics about site usage which will be used to improve the quality of our site. It is not disclosed to any third party.

Cookies – Cookies are small pieces of data, stored in text files, that are stored on your computer or other device when websites are loaded in a browser. They are widely used to “remember” you and your preferences, either for a single visit (through a “session cookie”) or for multiple repeat visits (using a “persistent cookie”). They ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies may be set by the site that you are visiting (known as “first party cookies”), or by third parties, such as those who serve content or provide advertising or analytics services on the website (“third party cookies”).

Both websites and HTML emails may also contain other tracking technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted. 

Visitors may wish to restrict the use of cookies or completely prevent them from being set. Most browsers provide ways to control cookie behavior such as the length of time they are stored – either through built-in functionality or by utilizing third party plugins. If you disable cookies, please be aware that some of the features of our service may not function correctly. 

To find out more on how to manage and delete cookies, visit aboutcookies.org. For more details on your choices regarding use of your web browsing activity for interest-based advertising visit youronlinechoices.eu (EU based) or optout.aboutads.info (US based). On a mobile device, you may also be to adjust your settings to limit ad tracking. 

You can opt out of Google Analytics by installing Google’s opt-out browser add-on

Compliance with the EU General Data Protection Regulation (GDPR)

Prelude has policies and procedures in place that support the protection of personal information and sensitive personal information in accordance with the GDPR. Prelude provides the Electronic Data Capture (EDC) and related products that are used by our clients to capture data during the conduct of clinical trials. In the context of GDPR, Prelude is a data processor acting on the explicit contractual direction of our clients who are data controllers. The Prelude system can be used to collect personal information as well as sensitive personal information as required for the clinical trial being conducted. 

Prelude also serves the PreludeEDC.com website, accessible to anyone with a connection to the world wide web. These policies and procedures also apply to PreludeEDC.com and its elements, affording you the same level of protection of personal information. 

On 16 July 2020 the court of Justice of the European Union declared as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.  Prelude implements within its standard MSA, privacy protections that require compliance with local laws; however, our customers that have or anticipate having EU participants in their trials may execute Standard Contractual Clauses as well as Data Processing Agreements to further ensure compliance with GDPR. 

Individual Rights – Our clients are primarily responsible for complying with the individual rights required by the GDPR, and Prelude assists in fulfilling those requests as required. All requests must be responded to within one calendar month.

  • The right to be informed (ref. Article 13 of the GDPR). Individuals have the right to be informed of the purpose for which information is being collected, the retention period, how to contact the data controller or their representative and how to object to processing. This information must be received by the individual prior to collection of any personal information.
  • The right of access (ref. Article 15 of the GDPR). Individuals have the right to access their personal data and can request access either verbally or in writing. A fee may not be charged for this access.
  • The right to rectification (ref. Article 16 of the GDPR). Individuals have the right to request that incorrect data be corrected, and incomplete data be completed.
  • The right to erasure (ref. Article 17 of the GDPR). This right does not apply to information that has already been collected during the conduct of a clinical trial since it is necessary for scientific purposes. Individuals can, however, ask that no further information be collected (see the right to object below).
  • The right to restrict processing (ref. Article 18 of the GDPR). The individual’s right to ask a data controller to stop processing personal information is not applicable to data that has already been collected for clinical trials. Individuals can, however, ask that no further information be collected. 
  • The right to portability (ref. Article 20 of the GDPR). Individuals have the right to obtain and reuse a copy of their data. This copy will be provided in a portable, electronic format.
  • The right to object (ref. Article 21 of the GDPR). Individuals have the right to object to the processing of their data. In the context of a clinical trial, this is equivalent to withdrawal of consent.
  • The right not to be subject to automated decision-making including profiling (ref. Article 22 of the GDPR). Prelude does not support any automated decision-making capabilities.

Compliance with Health Insurance Portability and Accountability Act (HIPAA)

Prelude supports the protection of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). Prelude provides Electronic Data Capture (EDC) and related products that are used by clients to collect and manage PHI during the conduct of clinical trials. As a Business Associate under HIPAA, Prelude operates on the instructions of its clients, who are the Covered Entities.

Prelude’s systems are designed with safeguards to ensure the confidentiality, integrity, and availability of PHI, including:

  • Technical safeguards: Encryption of data in transit and at rest, access controls, and audit trails.
  • Administrative safeguards: Comprehensive training for employees on HIPAA compliance, as well as regular compliance assessments.
  • Physical safeguards: Secure data centers with controlled access and environmental protections to prevent unauthorized access or data loss.

Individual Rights – Our clients are primarily responsible for the notice of privacy practices for PHI (ref. 45 CFR § 164.520) complying with the individual rights required by HIPAA, and Prelude assists in fulfilling those requests as required for the Business Associate’s duties. All requests must be responded to within one calendar month.

  • The right of access (ref. 45 CFR § 164.524). Individuals have the right to access their PHI and may request it directly from the Covered Entity or via Prelude, as directed by the client.
  • The right to amend (ref. 45 CFR § 164.526). Individuals have the right to request amendments to their PHI if inaccuracies are identified.
  • The right to an accounting of disclosures (ref. 45 CFR § 164.528). Individuals have the right to receive an accounting of certain disclosures of their PHI made by the Client or Prelude in the past six years. Individuals may request a report detailing disclosures of their PHI not related to treatment, payment, or healthcare operations.

In the event of a data breach involving PHI, Prelude will notify its clients within the timeframe mandated by HIPAA regulations. Clients are responsible for notifying affected individuals as required.

Compliance with the California Consumer Privacy Act (CCPA)  

Applicability  

This section applies only to California consumers. For purposes of this section “Personal Information” has the meaning given in the California Consumer Privacy Act (“CCPA”). It describes how we collect, use, and share California consumers’ Personal Information in our role as a business, and the rights applicable to such residents. The California Consumer Privacy Act (“CCPA”), effective January 1, 2023, requires businesses to disclose whether they sell Personal Information. Prelude does not share or sell Personal Information.  

If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access. 

How We Collect, Use, and Share your Personal Information  

We have collected the following statutory categories of Personal Information in the past twelve (12) months: 

  • Identifiers, such as name, e-mail address and phone number. We collect this information directly from you or from third party sources.  
  • Internet or network information, such as browsing and search history. We collect this information directly from your device.  
  • Geolocation data, such as IP address. We collect this information from your device. 
  • Inferences.  
  • Other Personal Information, in instances when you interact with us online, by phone or mail in the context of receiving help through our help desks or other support channels; participation in customer surveys or contests.

The business and commercial purposes for which we collect this information are described above in this Privacy Policy. 

Your California Rights  

You have certain rights regarding the Personal Information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law. 

  • The right of access: you have the right to request that we disclose what Personal Information we have collected, used and disclosed about you in the past 12 months.  
  • The right of deletion: This right does not apply to information that has already been collected during the conduct of a clinical trial since it is necessary for scientific purposes. Individuals can, however, ask that no further information be collected  
  • The right to non-discrimination: you will not receive any discriminatory treatment when you exercise one of your privacy rights.  

Prelude does not sell Personal Information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199, also known as the California Consumer Privacy Act of 2018).  

How to Exercise your California Rights  

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent’s identity to protect your Personal Information.  

Please use the contact details below, if you would like to:  

  • Access this policy in an alternative format; 
  • Exercise your rights; 
  • Learn more about your rights or our privacy practices; or 
  • Designate an authorized agent to make a request on your behalf. 

Data Security 

Data Breaches – Every precaution is taken to safeguard the security of the data collected by Prelude. In the unlikely event that a data breach does occur, we will notify our clients within 72 hours. It is the responsibility of our clients to subsequently notify individuals of this breach.

Data Protection Requests – To report a concern about privacy or to exercise your individual rights under the GDPR, HIPAA, or CCPA, the first step is to contact the Sponsor of the clinical trial. In the event that this cannot be done, please contact our Data Protection Officer. 

Prelude
Attn: Data Protection Officer
5725 West Highway 290
Suite 201
Austin, Texas 78735

512-476-5100
[email protected]

Join our newsletter to stay up to date

Solutions
Product Capabilities EDC ePRO eConsent RTSM
Services CRO Partnership Professional Services
Our Expertise
Therapeutic Areas Oncology Central Nervous System (CNS) Rare Disease Infectious Disease
Industries Animal Health Medical Devices Biotech & Pharmaceuticals Academia
Company
Why Prelude? About us Careers Contact Resources FAQ

© 2025 Prelude. All rights reserved.

Contact EDC User Agreement Privacy Policy