Patient Privacy Statement

Version: 1.0
Date: March 25, 2026

At Castor (Ciwit B.V. and Castor Research, Inc.), we believe that health research should be transparent and that your privacy is a fundamental right. This Patient Privacy Statement explains how we protect and process your personal information when you interact with our clinical research platform, including Castor EDC, Castor Connect, Castor Catalyst, and Castor eConsent. It applies specifically to you as a participant in a clinical study. For broader information regarding our corporate privacy practices, please refer to our general Privacy & Cookie Statement.


Our Role in Your Data

To understand your privacy rights, it is important to recognize the different roles involved in a clinical trial. The hospital, university, or pharmaceutical company conducting the research is the “Data Controller” under the GDPR (the “Business” under California law and the “Covered Entity” under HIPAA). They decide why and how your data is collected and remain your primary contact for exercising your privacy rights. Castor acts as the “Processor” under the GDPR (the “Service Provider” under California law and the “Business Associate” under HIPAA). We provide a secure digital infrastructure and process your data strictly according to the written instructions provided by the study team.


Categories of Information Collected

In the course of a clinical study, we process several categories of information to ensure the research is accurate and secure:

  • Identifiers & Account Information: This includes your name (if provided), email address, phone number, and security credentials such as PINs used to access our services.
  • Clinical Study Data: This is your health information, survey responses, and medical measurements provided during the study. This is often classified as “Sensitive” or “Special Category” data.
  • Technical & Usage Data: We automatically collect IP addresses, device identifiers, and time-stamped activity logs. Clinical trial regulations, including Good Clinical Practice (GCP), require a secure “Audit Trail,” and these logs are what it is built from.
  • Biometric Data: If you use biometric login (such as Face ID) on your mobile device, the biometric check is performed by your device’s operating system, which only tells the app whether it succeeded. Your biometric data stays on your device; Castor does not store or access your actual biometric templates.

Legal Basis for Processing

We process your data based on the instructions of your study team. Depending on your region, the study team relies on Informed Consent for your voluntary participation, Legal Obligations for mandatory safety reporting and data archiving, or Public Interest for conducting scientific research that benefits public health.


EU & UK Privacy Compliance (GDPR)

For participants in the European Economic Area (EEA) and the United Kingdom, we comply with the General Data Protection Regulation (GDPR) and the UK GDPR. As a Processor, we implement technical and organizational measures to ensure your data is handled with appropriate care. Our adherence to these regulations is further detailed in our general Privacy & Cookie Statement, which outlines our data protection principles and describes our technical compliance framework.


US Privacy Compliance (HIPAA & CCPA/CPRA)

For participants in the United States, we adhere to HIPAA standards by operating as a Business Associate and maintaining Business Associate Agreements (BAAs) with our clients to protect your Protected Health Information (PHI). Regarding the CCPA/CPRA, Castor acts as a service provider and does not “sell” or “share” your personal information for advertising purposes. We only use sensitive health data for the specific purpose of facilitating the clinical trial as directed by the study team.


China Privacy Compliance (PIPL)

For participants in China, we comply with the Personal Information Protection Law (PIPL). We recognize medical and health data as “Sensitive Personal Information” and apply enhanced encryption and stricter access controls. If your data is transferred outside of China, the study team is responsible for obtaining your separate consent and ensuring a standard contract is in place, supported by Castor’s technical safeguards.


International Data Transfers

Castor is a global company, and your data may be stored or accessed in regions outside your home country. We ensure a lawful basis for these transfers by using Standard Contractual Clauses (SCCs) for data moving outside the EU or UK. Whenever possible, we offer regional data hosting to minimize the need for international transfers. You can find more details on our infrastructure providers in our general privacy notice.


How We Protect Your Data

Security is at the heart of our infrastructure. Castor is ISO 27001 and ISO 27701 certified, and our program includes:

  • Encryption: Data is encrypted both at rest (AES-256) and in transit (TLS 1.2 or higher). Encryption protects your data against anyone who intercepts network traffic or obtains the underlying storage; it does not by itself limit what authorized users can see, which is what the access controls below are for.
  • Restricted Access: Only authorized members of your study team can see your identifiable health data. Castor staff access only technical logs, for maintenance or support, and do not see your health data unless specifically authorized to do so for a troubleshooting request.
  • Data Integrity: We maintain detailed audit trails. Every change to your study data is recorded, together with who made it and when, to meet “Good Clinical Practice” (GCP) standards.


Data Retention

Retention periods are determined by the study team and the law that applies to the study. Clinical trial data is typically archived for 15 to 25 years so that results can be verified by health authorities. Account and technical data is deleted or anonymized once it is no longer needed for system security or support.


Your Privacy Rights

You have specific rights regarding how your information is handled. To exercise these, you should contact your study team directly. Your rights include:

  • Right of Access: The right to receive a copy of the personal data we hold about you.
  • Right to Rectification: The right to request the correction of inaccurate or incomplete data.
  • Right to Portability: The right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to Object: The right to object to the processing of your data in certain circumstances.
  • Right to Erasure: Often called the “right to be forgotten.” Please note that in clinical trials this right is limited to protect the scientific integrity of the study; once data has been submitted, it usually cannot be deleted.
  • Right to Withdrawal: You can withdraw from the study or stop using the app at any time. Withdrawal does not affect the lawfulness of the processing carried out before you withdrew.


Contact and Complaints

If you have questions about a specific study, please contact your study investigator or study sponsor. For technical privacy questions regarding Castor’s infrastructure, contact our Data Protection Officer:

Ciwit B.V. (Castor HQ), Fred. Roeskestraat 115, 1076 EE Amsterdam, the Netherlands
Email: [email protected]