How Clinical Vendor Compare handles your personal data.

1. Who we are

Clinical Vendor Compare Ltd is a company registered in England and Wales (company number 17135935). We operate the website clinicalvendorcompare.com and related services.

For the purposes of UK GDPR, Clinical Vendor Compare Ltd is the data controller responsible for your personal data.

Contact details:
Email: privacy@clinicalvendorcompare.com

2. What personal data we collect

We may collect the following categories of personal data:

• Account information: Name, email address, job title, company name, and password when you create an account.
• Review submissions: Your name (or chosen display name), job title, company, and the content of reviews you submit about clinical trial vendors.
• Contact form data: Name, email, company, and message content when you contact us via sponsor or vendor contact forms.
• RFP submissions: Name, email, company, trial details, and vendor requirements submitted through our Request for Proposal forms.
• Usage data: Pages visited, time spent, click patterns, device type, browser type, IP address, and referring URL. Collected via cookies and similar technologies.
• Communication data: Records of correspondence when you contact us or we contact you.

3. How we use your personal data

We use your personal data for the following purposes:

• Service delivery: To operate the platform, display vendor profiles, process reviews, and deliver comparison tools.
• Account management: To create and manage your account, verify your identity, and provide customer support.
• Review moderation: To verify, moderate, and publish reviews in accordance with our Review Policy.
• RFP processing: To connect sponsors with appropriate vendors based on submitted requirements.
• Platform improvement: To analyse usage patterns, fix bugs, and improve the user experience.
• Communication: To respond to enquiries, send service notifications, and (where opted in) marketing communications.
• Legal compliance: To meet our legal obligations, resolve disputes, and enforce our terms.
• Security: To protect against fraud, unauthorised access, and other illegal activities.

4. Lawful basis for processing

We process your personal data on the following lawful bases under UK GDPR Article 6:

• Consent (Article 6(1)(a)): When you consent to cookies, marketing communications, or optional data processing. You can withdraw consent at any time.
• Contract (Article 6(1)(b)): When processing is necessary to perform our contract with you — for example, providing access to the platform, processing your reviews, or fulfilling RFP requests.
• Legitimate interests (Article 6(1)(f)): For platform improvement, security, fraud prevention, and analytics — where our interests do not override your rights and freedoms.
• Legal obligation (Article 6(1)(c)): Where we are required by law to process your data, such as record-keeping obligations.

5. Data sharing and recipients

We do not sell your personal data. We may share your data with:

• Cloud service providers: Cloudflare, Inc. (US) for website hosting, security, and performance services. Data transfers to the US are subject to the EU-US Data Privacy Framework or standard contractual clauses.
• Service partners: Trusted third parties who help us operate the platform (e.g., email delivery, analytics), subject to data processing agreements.
• Legal authorities: Where required by law, regulation, or legal process.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

Vendors named on the platform do not receive reviewer personal data beyond what is publicly displayed on their review. Vendor profile data is sourced from publicly available information and vendor submissions.

6. International data transfers

Our website is hosted by Cloudflare, Inc., which processes data in the United States and other countries. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• The UK Extension to the EU-US Data Privacy Framework (where applicable)
• Standard contractual clauses approved by the UK Secretary of State
• Adequacy decisions recognised by the UK Government

7. Data retention

We retain your personal data only for as long as necessary:

• Account data: Retained while your account is active and for up to 12 months after deletion, unless a longer period is required by law.
• Review content: Retained for the lifetime of the platform or until you request removal, subject to our Review Policy.
• Contact and RFP data: Retained for up to 24 months from submission, or until the purpose is fulfilled.
• Cookie data: As specified in our Cookie Policy Manage cookies.
• Usage/analytics data: Aggregated and anonymised where possible. Raw data retained for up to 26 months.

8. Vendor submissions and business data

Vendors who submit information through our vendor contact forms, vendor RFP forms, profile claim processes, or subscription sign-up are providing both personal data (e.g., contact name, email) and business data (e.g., company details, service descriptions, pricing, capabilities).

• Personal data from vendor contacts: Processed under the same lawful bases as other personal data on this platform (see Section 4). Used to manage the vendor relationship, respond to enquiries, and deliver vendor-side services.
• Business data (company information, service details, pricing): Used to build and maintain vendor profiles on the platform. This data may be publicly displayed in vendor directory listings and comparison tools. Vendors consent to this display by submitting the data through our platform forms.
• Vendor RFP responses: When vendors respond to sponsor RFPs, the response content (including pricing, approach, and timelines) is shared with the sponsoring organisation. Retained for up to 24 months or until the RFP process concludes.
• Profile claim data: When a vendor claims their profile, any information they submit (corrected details, updated capabilities) replaces or supplements existing publicly-sourced data. Claimed profile data is treated as vendor-submitted business data.

Vendors may request correction or removal of their submitted business data by contacting privacy@clinicalvendorcompare.com. However, where profile data has been sourced from publicly available information, CVC reserves the right to maintain accurate public-source listings independently of vendor submissions.

9. Your rights under UK GDPR

You have the following rights regarding your personal data:

• Right of access (Article 15): Request a copy of the personal data we hold about you.
• Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Article 17): Request deletion of your personal data, subject to legal exceptions.
• Right to restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
• Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
• Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent (Article 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at privacy@clinicalvendorcompare.com. We will respond within one month. If we cannot comply with your request, we will explain why.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

• SSL/TLS encryption for all data in transit (HTTPS)
• Secure infrastructure provided by Cloudflare with DDoS protection and web application firewall
• Access controls limiting data access to authorised personnel only
• Regular security reviews and vulnerability assessments

While we strive to protect your data, no system is completely secure. We encourage you to use strong, unique passwords and to contact us immediately if you suspect unauthorised access.

11. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals directly without undue delay (Article 34).

12. Children's privacy

Our platform is intended for professionals in the clinical trials industry. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a child, we will delete it promptly.

13. Automated decision-making

We use algorithmic tools to generate vendor scores, comparisons, and recommendations. These tools process vendor data — not your personal data — to produce platform content. We do not use automated decision-making that produces legal or similarly significant effects on individuals without human oversight and your explicit consent.

14. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by posting a notice on the website or by contacting you directly. Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.

15. Contact

For any questions about this privacy policy or our data practices, contact our Data Protection lead:

Clinical Vendor Compare Ltd
Email: privacy@clinicalvendorcompare.com

If you wish to exercise your data protection rights, please email the address above with "Data Subject Request" in the subject line and include sufficient information to verify your identity.