Who we are
Arbor Research conducts major studies in epidemiology and public health and provides expertise to assist others in this shared mission. We collaborate closely with faculty and researchers from other major research organizations in the United States and around the world on new discoveries that affect clinical practice, policy development, and medical payment systems. Arbor Research is a non-profit research organization located at 3989 Research Park Drive, Ann Arbor, Michigan 48108. To learn more about who we are, please go to www.arborresearch.org

Personal data we collect
Your privacy, and our transparency about it, is important to Arbor Research Collaborative for Health. This Data Privacy Statement (Privacy Statement) informs you (you/your) what personal information may be collected, and how it is used, by Arbor Research and pertains to data collected about the usage and users of this website. Collectively, this website and any software provided are referred to herein as “Services”. Arbor Research maintains these Services for study management, data collection, and business process management. Protection of the data used in these applications, such as data about study subjects, is described in each study’s contractual, protocol, and consent documents.

This Privacy Statement is a part of and incorporated into the Terms of Use Agreement (“Terms of Use”) for Arbor Research Services. Any term capitalized herein but not defined shall have the meanings assigned to such term in the applicable Terms of Use. Agreement to this Privacy Statement is incorporated into the terms of use of this website and your continued use indicates your agreement. To provide the Services, we may process information about you. The types of information we collect depend on how you use our Services. Please read the user-specific details in this Privacy Statement, which provide additional relevant information.

Information we collect about all Website Users
We keep track of certain information about your data usage when you visit and interact with any of our Services. Even if you do not supply any personal information, we collect the actions you take within the Services, and use it to improve the quality of the Services.

What we collect – general user collection
Device
We collect information about the device (computer, phone, tablet, etc.) you use to connect to our Services. This includes your connection type, operating system, browser type, Internet Protocol (IP) address, device identifiers, and crash data.

Cookies
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.

We use these functional cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. We never use cookies for advertising purposes. You can set your browser not to accept cookies, and the website below tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result. For further information about cookies, visit allaboutcookies.org.

Site traffic analytics
We use third-party software to help us track activity and improve the user experience for our public-facing websites. This information is stored within the Arbor Research security boundary and not shared.

Do Not Track Signals
We do not respond to web browser “do not track” signals or other mechanisms that provide you control over information collected over time and across different web sites following your visit to one of our Services

How we use Website User information
We use the information to operate the Services and respond to your requests. Your feedback and usage data (such as activity, patterns, trends, and metadata) are essential to making our Services as useful as possible. We may connect the information in this section to information that identifies you as a user only when you supply that identifying information, such as on a feedback, service request, or account registration form.

Authenticated Users
Your use of our Services may include access to Services that require user account registration and/or authentication. These include Services such as electronic data capture and study management applications (i.e., ArborLink), business process support applications, or access to proprietary or personalized content. There are two types of users of these Services: “Registered Account Users” and “Non-registered Authenticated Users”.

Registered Account Users
Registered Account Users are those that create permanent accounts, supplying contact information, for performing tasks as study site users, investigators, study coordinators, pathologists, etc. These users use our Services related to study management, data collection, or business processes. In this context, we collect and maintain information about you in order to support your use of the Services. This information may be combined with information supplied by your organization or contractual obligations related to our Services.

What we collect – registered account user

Personal Information about you
 We collect and use personal information (defined as any information relating to an identified or identifiable individual) about you to create an account as a registered user for the Services. Where the Services are made available to you through an organization (e.g. your employer or research sponsor), that organization is the administrator of the Services and is responsible for the end-users it authorizes. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to your organization’s policies/statements. We are not responsible for the privacy or security practices of an administrator’s organization, which may be different than this Privacy Statement.

Personal Information you provide about other individuals
As a registered user within the Services, the personal information you add, upload, send, receive and share about other individuals is authorized and governed by separate contract and/or consent and not covered within this Privacy Statement. Please refer to those documents and our .

How we use Registered Account User Information

Customer Support
We use your contact information to communicate with you about the Service for which you have registered. This includes responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, study or business process progress alerts, and administrative messages.

Security and regulatory compliance
We use information about you and your use of the Services to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies. We follow security requirements for use of information about you to meet the requirements of regulations and guidelines which pertain to clinical research, including the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Good Clinical Practice Guidelines (GCP) and 21 CFR Part 11.

Non-registered Authenticated Users
In some cases, individual users may authenticate to use a Service without registering or supplying contact information. For example, you may be a participant in a study, and through your use of the Service you may supply personal and sensitive information about you that will be combined with other information about you, as described in your study consent documents. You may also be a recipient of a secure and encrypted link to access content intended only for you, with or without additional authentication steps depending on the sensitivity of the content.

What we collect
Through your direct use of the Services, we collect “Personal Information” and “Sensitive Information”.

Personal Information
Personal information is information that identifies an individual or relates to an identified individual.

Sensitive Personal Information
Sensitive personal Information refers to personal information regarding more sensitive areas, such as medical or health information, financial information, gender, marriage status, race/ethnicity, or veteran or disability status.

How we collect your personal and/ sensitive information
In contexts such as study data collection, we may send you a personalized link to access our Services to complete questionnaires. The type of data that is collected in this case depends on the study. Conditions of participation are described in the study consent forms.

How we use your personal and/ sensitive information
The data we collect about you will only be used for the purpose for which you have given your consent, except where otherwise provided by law. This includes data that we receive directly from you or from other sources. For studies and business processes, use is authorized and governed by separate contract and/or consent, and is not covered within this Privacy Statement. Please refer to the study consent document you signed or contact your study coordinator for more information

How we use all collected information

To provide the Services
We use information about you to provide the Services within our organization, to our business customers and you. Our uses include using information about you where you have given us consent to do so for a specific purpose not listed in this section.

To protect our legitimate business interests and legal rights
Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

Legal bases for processing General Data Protection Regulation users
If you are an individual subject to the General Data Protection Regulation (GDPR), we collect and process information about you only where we have legal bases for doing so under applicable laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • Consent. You give us consent to do so for a specific purpose; or
  • Contract. We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services; or
  • Legitimate Interest. Our use satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research, and to protect our legal rights and interests; or
  • Legal Obligation. We need to process your data to comply with a legal obligation.


How we share information we collect
We share information about you only for the purposes described above. We never use, sell, or share your information for marketing purposes. Certain other information you provide to us may be shared in the ways described below:

Arbor Research partners
We work with third parties who provide consulting, support and technical services to deliver and implement customer solutions around the Services. We share your information with these third parties in connection with their services, only to the extent necessary to enable the delivery of our Services. If a partner needs to access information about you to perform services on our behalf, they do so under contract with us, including abiding by policies and procedures designed to protect your information.

Service providers
We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, and other services for us, which may require them to access or use information about you. If a service provider needs to access information about you to perform services on our behalf, they do so under contract with us, including abiding by policies and procedures designed to protect your information.

Business transfers
We may share or transfer information we collect under this Privacy Statement in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of the Arbor Research business to another company.

Third-Party apps
You may utilize third-party apps to extend the functionality of the Services. Doing so may give third-party apps access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps. Third-party app policies and procedures are not controlled by us, and this Privacy Statement does not cover how third-party apps that you choose to install use your information. We encourage you to review the privacy policies/statements of third parties before connecting to or using their applications or services to learn more about their privacy and information handling practices. If you object to information about you being shared with these third parties, please disable the third-party app

Compliance with enforcement requests and applicable laws
In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our Services, and (d) protect Arbor Research, our business partners or the public from harm or illegal activities.

Security, Storage, Data Hosting Location
We have reasonable and appropriate safeguards in place to help protect the information collected from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. There remains some residual risk of compromise of individual information, despite implementation of industry best practices for security.

How long we will keep your data
We will retain your information as needed to fulfill the purposes for which it was collected. We will retain and use your data as necessary to comply with our business requirements, legal obligations, protect our assets, and enforce our agreements. Your data will be securely deleted when no longer needed for the purpose(s) for which it was collected.

How to access, delete and control your information
You may access the personal data we have collected about you to the extent required by law to review, update, and correct inaccuracies. Upon request made to the contact information under the section titled “Contact Us,” we will provide you with reasonable access to the personal data we have collected about you. Your ability to access, delete, and control your data may be limited in certain cases. For example, if you ask us to delete information which we are permitted by law or have compelling legitimate interests to keep, we may not be required to delete. If you have asked us to share data with third parties or permitted a third-party to share data with us, you will need to contact the third-party directly to have your information deleted or otherwise restricted.

If you have consented to the use of your personal information for a study, please see the section titled “Consent and Consent Revocation”. If you have unresolved concerns after we respond, you may have the right to make a complaint to the data protection authority in the country where you live, where you work, or where you feel your rights were infringed.

Consent and Revocation of Consent
For users of our services who are participants in data collection studies, conditions of consent revocation or withdrawal are included in the study consent documents. Generally, if you have consented to our collection and use of your personal information for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third-party (e.g., your employer or clinical trial sponsor) have a legitimate interest to do so, you have the right to withdraw permission for that use, though in some cases, this may mean no longer using the Services or participating in a study.

Children’s Privacy
Outside of the context of a specific clinical research study being conducted, for which research subjects have appropriately consented, our Services are not intended for, or designed to attract, individuals under the age of 13. We do not collect personally identifiable information from any person we know to be under the age of 13.

Links to Independent Websites
Our Services contain links to third party websites. This Privacy Statement does not apply to those sites. We suggest contacting those sites directly for information on their privacy, security, data collection, and distribution policies. We also maintain profiles and/or pages on various social media sites. If you choose to “Like” (or similar) Arbor Research, you are providing your consent to receive information updates from us. To stop receiving this information on a social media site, you must follow the procedure established by the social media site.

Privacy Notice for GDPR
This Privacy Statement applies to our United States location and covers our processing activities as a data controller. We maintain the Services in the United States, and the Services are not intended to subject Arbor Research or any affiliated entity to the laws or jurisdiction of any state, country or territory other than that of the United States. We do not represent or warrant that the Services, or any part thereof, are appropriate or available for use in any particular jurisdiction. Those who choose to access the Services, do so on their own initiative and at their own risk. Regardless of where you are located, by using the Services you consent to the transfer and processing of your information to and in the United States, which may not provide the same level of protection for your personal information as your home country. You are responsible for complying with all local laws, rules and regulations when you use our Services.

Arbor Research adheres to this Privacy Statement regarding the collection, use, and retention of information about you that is transferred from the countries that are subject to the GDPR. We ensure that our Privacy Statement applies to all information about you that is subject to the GDPR. We are responsible for the processing of information about you that we receive from GDPR countries and onward transfers to a third party acting as an agent on our behalf. We implement EU standard contractual clauses when necessary in our written agreements and we will comply with our Privacy Statement for such onward transfers. Arbor Research commits to resolve complaints about our collection or use of your personal information. Individuals subject to GDPR with inquiries or complaints regarding our Privacy Statement should first contact us or you may also contact your local data protection authority for unresolved complaints.

Under GDPR Article 33, if we are required to notify any affected users of a data breach, we will notify the affected users after becoming aware of a personal data breach. However, we do not have to notify affected users if their anonymized data is breached or if the breach is unlikely to result in a risk to the rights and freedoms of the affected user. Specifically, a breach notice is not required if we have implemented one of the conditions under GDPR Article 34(3).

Updates to this Privacy Statement
We may change this Privacy Statement at any time. We will post any Privacy Statement changes on this page and, if the changes are significant, we will provide a more prominent notice by adding a notice on the Services homepages, login screens, or by sending you an email notification. We will also keep prior versions of this Privacy Statement in an archive for your review. We encourage you to review our Privacy Statement whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.

Contact Us
If you have questions or concerns about how your information is handled, please direct your inquiry to:

Privacy Officer
Privacy@ArborResearch.org
734-665-4108
3989 Research Park Drive, Ann Arbor, Michigan 48108