Privacy Notice

Last Updated: October 8, 2025

CliniRx Research Private Limited together with its affiliates and subsidiaries (“CliniRx”, “we”, “us” or “our”) is committed to protecting the privacy and security of your personal information. This privacy notice explains how we collect, use, disclose and protect your personal data in accordance with the EU and UK General Data Protection Regulation (GDPR). Please ensure you read this notice carefully, along with any other information we may provide at the time of collecting or processing your personal data (e.g. study-specific notices, patient information sheets).

Data Controller and Contact Details

Unless otherwise stated, the data controllers for the purposes of this Privacy Notice are CliniRx Research Private Limited together with its affiliates and subsidiaries listed in our Contact Us – Our Global Offices page on our Website https://www.clinirx.com/our-office-locations. Depending on your interaction with us, these entities may act independently or jointly as data controllers.

You can contact the relevant CliniRx entity acting as data controller of your personal data through our Privacy Office at privacy@clinirx.com. We will ensure your query reaches the appropriate entity. You may also find direct contact details of all CliniRx entities in our Contact Us – Our Global Offices page on our Website.

If applicable, you may also contact our Data Protection Officer (DPO) at: gdpr@clinirx.com.

In circumstances where CliniRx acts only on a third party’s instructions (i.e. acting as a data processor), that third party is the data controller of your personal data, and their privacy notice will apply to you instead of this one.

What Data We Collect, Why We Use It, and Our Legal Basis

We collect and process different types of personal data depending on our relationship with you and your interaction with our business. The table below outlines the main categories of data, the purposes of processing, and the lawful basis.

Purpose of Processing: Supporting the conduct and management of clinical studies in our capacity as a Clinical Research Organisation (CRO). This includes a range of services such as project and site management, data management, biostatistics, pharmacovigilance, medical monitoring, and regulatory support, depending on the study and sponsor requirements.
Data Subjects: Patients, Healthcare Professionals (HCPs), Study Staff, Business Partners
Types of Personal Data: Personal details, Professional Data (of HCPs), Employment and Business details, Communications content, Health and medical records, Photographs and medical images, Physiological and Physical Data (of Patients).
Legal Basis: CliniRx acts as a data processor on behalf of the sponsor, who is the data controller. The sponsor is responsible for ensuring that a valid legal basis exists for the processing and for providing data subjects with the required privacy information, including the applicable legal basis, typically through a Patient Information Sheet or Informed Consent Form.

Purpose of Processing: Managing medical affairs, including the organisation of advisory boards, scientific communication, and engagement with healthcare professionals and patient groups. These activities may be carried out either independently by CliniRx or on behalf of the study sponsor.
Data Subjects: HCPs, Patients, Patient Advocates, Business Partners
Types of Personal Data: Personal details, Professional Data (of HCPs), Employment and Business Details, Financial details, Communications content, Health and medical records, Photographs and medical images, Physiological and Physical Data (of patients).
Legal Basis: When CliniRx acts as a data controller, the legal basis is our legitimate interests in maintaining and improving relationships within the medical and research community. Where required by law, we rely on your consent (e.g. for communications or where special category data is involved). When acting as a data processor on behalf of a sponsor, the sponsor is responsible for identifying the legal basis and informing data subjects.

Purpose of Processing: Managing contracts and payments to individuals (e.g. advisors, investigators, oversight committee members).
Data Subjects: HCPs, Committee Members, Consultants
Types of Personal Data: Personal and financial information, communication records
Legal Basis: Where CliniRx contracts directly with individuals, it acts as a data controller. In these cases, the legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR), and where applicable, compliance with a legal obligation (e.g. for tax or accounting purposes) under Article 6(1)(c). We may also rely on our legitimate interests (Article 6(1)(f)) in managing our business relationships and fulfilling our responsibilities under clinical research frameworks. Where CliniRx manages these activities on behalf of a sponsor, it acts as a data processor. In such cases, the study sponsor is the data controller, and is responsible for determining the appropriate legal basis and informing data subjects accordingly.

Purpose of Processing: Managing our business, site and services. Investigating any emails, information, enquiries or complaints received from you or from others, about our website or our products or our activities.*
Data Subjects: Website visitors, general public, HCPs, collaborators
Types of Personal Data: Personal details, Professional data, Employment and Business details, Communications Content, Technical and Usage data
Legal Basis: For these purposes, we will rely on our legitimate interest in evaluating, conducting and promoting our business and business activities. In some circumstances, where required by law, we will collect your consent, for example to place cookies on our website. More details on our use of cookies are included in our separate Cookie Policy, available on our website.

Purpose of Processing: Ensuring physical and site security (e.g. office visitor logs)
Data Subjects: Visitors to CliniRx premises
Types of Personal Data: Name and basic personal details
Legal Basis: We have a legitimate interest in ensuring everyone that accesses our premises or business events is kept safe and that we maintain security across our offices.

Purpose of Processing: Recruitment activities
Data Subjects: Job applicants
Refer to our job applicant privacy notice.

Purpose of Processing: Managing internal operations including HR, contracting, administration, and business management activities. This includes, but is not limited to, onboarding, payroll, performance management, regulatory compliance, and communication with staff.
Data Subjects: CliniRx employees, contractors, consultants, and staff engaged via Employer of Record (EOR) arrangements
Types of Personal Data: Personal details, contact information, employment or contractual data, identification documents, financial information, communications, and compliance records. Where relevant, we may also process health-related information, for example in the context of sick leave or reasonable adjustments.
Legal Basis: The legal basis for processing includes the performance of a contract (Article 6(1)(b)), compliance with legal obligations (e.g. tax, employment law) under Article 6(1)(c), and legitimate interests (Article 6(1)(f)) in operating and managing its workforce. Please refer to our separate internal Employee and Contractor Privacy Notice for further details.

* Note that any sensitive data you voluntarily provide through our website will be handled in accordance with our data protection practices and, unless required otherwise, will be deleted once we have responded to your inquiry.

How We Collect Your Data

We may collect your personal data directly from you or through the following sources, depending on the nature of our relationship with you:

  • Study sponsors and clients, where CliniRx is acting as a Clinical Research Organisation (CRO)
  • Clinical trial documentation, such as Informed Consent Forms, when provided or authorised by the sponsor of the study
  • Third parties we work with, including business partners, sub-contractors, vendors, recruitment agencies, and Clinical Research Organisations (CROs)
  • Publicly available sources, such as professional directories or LinkedIn
  • Organisations you are affiliated with, such as your employer or academic institution
  • Other organisations or services where you have provided consent for your information to be shared with us
  • Our own website, contact forms, and email or other business communications

Sharing Your Personal Data

We will only share your personal data as necessary to achieve the purposes set out in this privacy notice. The recipients may differ depending on whether CliniRx is acting as a data controller or a data processor on behalf of a sponsor.

When CliniRx acts as a data controller, we may share your data with:

  • Companies who provide services to us or on our behalf, including IT service providers, recruitment agencies, auditors, and payroll processors
  • Business partners, suppliers, and sub-contractors for the performance of any contract we enter into with them or with you
  • External advisors, including legal, tax, audit, or compliance professionals
  • Regulatory or government authorities, courts, or law enforcement, where required to comply with legal obligations or in response to valid requests
  • Third parties involved in audits, investigations, or to address complaints or security incidents
  • A new entity or purchaser, in the case we merge with or are acquired by another organisation. In such cases, your data may be transferred to that new entity and/or their professional advisors
  • To protect the rights, property, or safety of CliniRx, its employees, or others

When CliniRx acts as a data processor (e.g. in clinical research settings), we may share personal data:

  • Strictly on the instructions of the sponsor, who is the data controller.
    We will use such information in accordance with the privacy notices provided by the sponsor or other relevant controller, and in line with the choices made by the individuals to whom the personal data relates (such as consents given in Informed Consent Forms)
  • With parties such as investigators, healthcare professionals, study sites, Clinical Research Organisations (CROs), labs, or universities, where necessary for the study
  • With regulatory authorities and ethics committees, where the sponsor instructs us to do so

We do not sell your personal data to third parties or use it for third-party direct marketing purposes. We do not permit our third-party service providers to use your data for their own purposes, and we require them to process it only for specified purposes in accordance with our instructions and applicable data protection agreements.

International Data Transfers

CliniRx is headquartered in India and may process personal data in countries outside the United Kingdom (UK) and the European Economic Area (EEA), including in jurisdictions that may not offer the same level of data protection as under UK or EU law.

Where we act as a data processor (e.g. in clinical research), we process personal data on behalf of the study sponsor, who is the data controller. In such cases:

  • We only transfer personal data across borders on the documented instructions of the sponsor
  • We do so in accordance with the sponsor’s selected transfer mechanism, such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA)
  • We will handle personal data in line with the privacy notices and consents provided by the sponsor, and in accordance with the choices made by the individuals to whom the data relates

Where CliniRx acts as a data controller (for example, in managing its own staff, business communications, or service providers), we implement appropriate safeguards to ensure your personal data is protected when transferred outside the UK or EEA. These safeguards may include:

  • Transferring to countries deemed adequate by the UK or EU
  • Entering into approved Standard Contractual Clauses (SCCs) or using the UK IDTA
  • Implementing supplementary technical and organisational measures, where necessary

You may contact us to obtain more information about the transfer mechanisms and safeguards we use.

How We Protect Your Personal Data

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with applicable data protection laws including the GDPR. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Our security controls include, but are not limited to:

  • Role-based access control and access logging
  • Encryption of data in transit and at rest
  • Firewalls, intrusion detection systems, and anti-malware protection
  • Regular vulnerability scanning, patch management, and system monitoring
  • Enforced data minimisation, retention, and backup policies

We limit access to personal data to authorised personnel who have a business need to access it and are bound by confidentiality obligations. We also ensure that any third-party service providers we engage are contractually required to implement appropriate security measures and to process personal data only in accordance with our instructions.

We maintain procedures to detect, assess, and respond to personal data breaches. Where required, we will notify the relevant supervisory authority and affected individuals in accordance with data protection laws.

How Long We Keep Your Personal Data

The length of time we retain personal data depends on the context in which it was collected and the purposes for which it is processed.

When CliniRx acts as a data controller, we will retain your personal data for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. Where we process personal data to meet legal requirements, we hold this for as long as the law requires. After we achieve the purpose for which your personal data was collected, we erase or dispose of it appropriately or anonymise it so that it can no longer identify an individual, based on our rules for processing your personal data.

Where we process personal data with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your request). We also keep a record of the fact that you have asked us not to process your data indefinitely so that we can respect your request in the future.

When CliniRx acts as a data processor, such as in the context of clinical studies, we retain and dispose of personal data in accordance with the instructions of the study sponsor, who is the data controller. This includes returning, deleting, or securely transferring the data at the end of the engagement, as required by the relevant agreement or applicable law.

Your Rights

Depending on how we process your personal data and the role we play, you may have certain rights under the UK and EU General Data Protection Regulation (GDPR).

When CliniRx is the data controller

Where we determine the purposes and means of processing (for example, when managing our business relationships, personnel, or website communications), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request erasure of your data where there is no legal basis for us to continue processing it
  • Object to processing carried out on the basis of our legitimate interests
  • Request restriction of processing in specific circumstances
  • Request the transfer of your data to another service provider (data portability)
  • Withdraw your consent where we rely on consent as the legal basis

To exercise any of these rights, please contact us using the contact details provided at the end of this Privacy Notice. We may ask you to verify your identity before responding to ensure we are communicating with the correct individual.

Please note that these rights are not absolute and may be subject to legal or regulatory exemptions. Where we are unable to comply with your request, we will explain the reason why.

When CliniRx is the data processor

In many situations, particularly in the context of clinical trials, we act solely as a data processor on behalf of the study sponsor or another controller. In these cases, we do not make decisions about your personal data and are not permitted to respond directly to your rights requests. Instead, you should contact the sponsor or the organisation that provided you with the original privacy information (e.g. Patient Information Sheet or Informed Consent Form).

Where appropriate, we will support the data controller in responding to your request, in accordance with our contractual obligations and applicable data protection law.

Complaints

If you have concerns about how we process your personal data, we encourage you to contact us so we can try to resolve the issue directly. You can reach us using the contact details provided at the end of this Privacy Notice.

You also have the right to lodge a complaint with a data protection authority. If you are located in the United Kingdom, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint.

If you are located in the European Union, you can raise your concern with your local supervisory authority, whose contact details are available at: https://edpb.europa.eu/about-edpb/board/members_en.

How to Contact Us

If you have any questions about this Privacy Notice or how we handle your personal data, or if you would like to exercise your data protection rights, you can contact us at:

CliniRx Research Private Limited

Patriot House, 4th Floor
3 Bahadur Shah Zafar Marg
New Delhi – 110002, India

Phone: +91 11 30179797

Email: info@clinirx.com or privacy@clinirx.com

Or if you wish to contact our Data Protection Officer (DPO), please email: gdpr@clinirx.com

Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or other operational needs. Any updates will be posted on this page with a revised “Last Updated” date at the top.

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your personal data.
