
Privacy Policy

Last updated: April 2026

1. Introduction

SubjectRX Ltd ("SubjectRX", "we", "us", "our"), company number 17081989, registered office 124 City Road, London, EC1V 2NX, is the data controller responsible for your personal data. SubjectRX is registered with the Information Commissioner's Office as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, share and protect personal data in connection with our website (subjectrx.com), our healthcare primary market research recruitment services, and our internal research tools. It applies regardless of how you interact with us.

We keep this policy under regular review. The date at the top of this page indicates when it was last revised. Where changes are material, we will take reasonable steps to bring them to your attention.

2. Who This Policy Applies To

This policy applies to:

  • Clients and prospective clients of SubjectRX
  • Healthcare professionals, patients, caregivers, payers and other individuals who participate in research projects facilitated by SubjectRX
  • Healthcare professionals whose publicly available professional information is processed by SubjectRX for the purpose of identifying candidates for market research projects
  • Service providers, freelance partners and other professional contacts who work with SubjectRX in the delivery of its services, including but not limited to research moderators, simultaneous interpreters, translators, recruitment partners and agency collaborators
  • Visitors to our website

3. What Personal Data We Collect

3.1 Clients and prospective clients

Name, job title, business email address, company name, telephone number, project details, correspondence records, payment and invoicing information.

3.2 Research participants - healthcare professionals

Name, contact details, professional email address, job title and employer details, medical specialty, therapeutic areas of expertise, professional registration number, LinkedIn profile URL, conflict of interest declarations, participation history and honorarium payment records.

3.3 Research participants - patients and caregivers

Name, contact details, health condition or area of personal experience (provided with explicit consent), country of residence, participation history, compensation details and charitable donation preferences where applicable.

3.4 Healthcare professionals identified from publicly available sources

SubjectRX operates internal research tools that collect and process publicly available professional information about healthcare professionals for the purpose of identifying individuals who may be suitable candidates for healthcare primary market research projects. We search the internet and other publicly available sources to develop our expert databases, in line with standard practice among expert networks and healthcare recruitment businesses operating in this sector.

The categories of data collected from public sources are strictly limited to professional information that is already in the public domain:

  • Name and professional title
  • Institutional affiliation as publicly listed
  • Medical specialty
  • Published research activity, including publication titles, journal names and publication dates
  • Clinical trial involvement as listed on public trial registries, including role, trial phase and sponsor
  • Professional registration numbers obtained from public medical registers
  • Institutional or corresponding author email addresses as published in academic papers or on institutional websites

Sources include publicly accessible government databases, academic research repositories, public medical registers, clinical trial registries, and institutional websites.

We do not collect patient data, private or personal contact details, home addresses, health information about healthcare professionals themselves, or any information that is behind a login, paywall, or other access restriction.

The legal basis for this processing is legitimate interests under UK GDPR Article 6(1)(f). SubjectRX has a legitimate interest in identifying and verifying healthcare professionals from publicly available professional sources for the purpose of market research recruitment. We have assessed that this interest does not override the rights and freedoms of the individuals concerned, whose professional activities are already in the public domain and whose data is processed solely for the purpose of potential research engagement. A copy of our Legitimate Interests Assessment is available on request by writing to privacy@subjectrx.com.

3.5 Service providers, freelance partners and other professional contacts

SubjectRX works with a range of independent professionals and partner organisations in the delivery of its services. Where these individuals provide professional information to SubjectRX, whether directly, via a third party, or through a structured intake process, we may collect and process: name, contact details, company name, professional qualifications and accreditations, areas of expertise, language capabilities, geographic coverage, career history, professional biography, photograph and payment details.

Where we produce professional profiles, marketing materials, or other content featuring a service provider, we do so on the basis of information they have provided and with their knowledge.

The legal basis for this processing is contractual necessity (UK GDPR Article 6(1)(b), to manage our working relationship) and legitimate interests (UK GDPR Article 6(1)(f), to maintain a network of vetted professionals and, where appropriate, to present their capabilities to clients).

3.6 Website visitors

IP address, browser type, pages visited, device information, referring URLs. Website analytics data is collected only with your consent, as described in Section 12 below.

4. Legal Bases for Processing

SubjectRX processes personal data on one or more of the following legal bases under UK GDPR:

  • Consent (Article 6(1)(a)) - where you have given explicit consent, for example when a patient participant agrees to share health information for research purposes, or when a website visitor accepts analytics cookies
  • Contractual necessity (Article 6(1)(b)) - where processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract
  • Legal obligation (Article 6(1)(c)) - where processing is required to comply with applicable law, including financial reporting and regulatory requirements
  • Legitimate interests (Article 6(1)(f)) - where processing is necessary for our legitimate business interests and those interests are not overridden by your rights, including the identification of healthcare professionals from publicly available sources for market research recruitment, maintaining business relationships, and improving our services

Where consent is the legal basis, you may withdraw that consent at any time by contacting privacy@subjectrx.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5. How We Use Your Personal Data

We use personal data for the following purposes:

  • To provide our recruitment and research management services to clients
  • To identify, verify and contact healthcare professionals who may be suitable for specific market research projects
  • To manage and administer research engagements, including scheduling, honorarium payments and compliance
  • To respond to enquiries submitted through our website or by email
  • To manage relationships with recruitment partners, service providers and freelance collaborators
  • To process payments and maintain financial records
  • To comply with legal and regulatory obligations, including those under BHBIA, EphMRA and ABPI codes of conduct where applicable
  • To improve our services and internal research tools

Where we have collected professional data from publicly available sources (as described in Section 3.4), we use this data solely to identify healthcare professionals who may be suitable for specific market research projects, to verify their professional credentials, and to facilitate recruitment outreach. We do not use publicly sourced data for direct marketing, advertising, or any purpose unrelated to healthcare primary market research.

6. Special Category Data

Health information provided by patient and caregiver participants is special category data under UK GDPR Article 9. We process this data only where you have given explicit consent (Article 9(2)(a)) or where processing is necessary for scientific or historical research purposes in the substantial public interest, subject to appropriate safeguards (Article 9(2)(j)).

We do not collect or process special category data about healthcare professionals identified from publicly available sources.

7. How We Share Your Personal Data

We may share personal data with the following categories of recipients, and only to the extent necessary for the stated purpose:

  • Clients - anonymised or consented participant data as specified in the project scope
  • Recruitment partners - participant details necessary to facilitate recruitment, subject to data processing agreements and mutual non-disclosure agreements
  • Service providers - including payment processors, cloud hosting providers, and analytics services, who are contractually bound to process data in accordance with applicable law
  • Regulatory and legal authorities - where required by law, regulation, court order, or other legal process

We do not sell, rent, or trade personal data to third parties for their marketing purposes.

8. International Data Transfers

SubjectRX operates across the United Kingdom, France, Germany, Spain, Italy and the United States. Where we transfer personal data outside the United Kingdom or the European Economic Area, we ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses approved by the ICO or the European Commission, or reliance on an adequacy decision where applicable.

Where US patient data is involved in a project, SubjectRX will enter into a Business Associate Agreement where required under the Health Insurance Portability and Accountability Act (HIPAA).

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:

Data category | Retention period
Client records | 7 years from end of relationship
Research participant records | 3 years from last participation
Public source professional data | Reviewed annually; deleted on request or after 12 months of inactivity
Service provider and partner data | Duration of relationship plus 3 years, or on request
Website enquiry data | 2 years
Financial records | 7 years (Companies Act 2006)
Compliance records | 6 years
API response cache | 7 to 90 days depending on source (automatically expired)

Data that has exceeded its retention period is reviewed quarterly and deleted or anonymised as appropriate.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Access - the right to request a copy of the personal data we hold about you
  • Rectification - the right to request correction of inaccurate or incomplete data
  • Erasure - the right to request deletion of your personal data, subject to any overriding legal obligations
  • Restriction - the right to request that we restrict the processing of your data in certain circumstances
  • Portability - the right to receive your data in a structured, commonly used format where processing is based on consent or contract
  • Objection - the right to object to processing based on legitimate interests, including the right to object to automated profiling

If you are a healthcare professional whose data has been collected from publicly available sources as described in Section 3.4, you additionally have the right to request that you be placed on our permanent exclusion list, which ensures your details are automatically excluded from all future searches conducted by our research tools.

To exercise any of these rights, contact privacy@subjectrx.com. We will acknowledge your request within five working days and provide a substantive response within one calendar month of receipt. Where a request is complex, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.

Residents of the European Economic Area have equivalent rights under EU GDPR. California residents have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. SubjectRX does not sell personal information.

11. Automated Processing

SubjectRX uses automated tools to search publicly available databases and professional registers to identify healthcare professionals who may be relevant to specific market research projects.

This automated processing is used to assist with identification and prioritisation only. It does not produce legal effects or similarly significant effects on any individual. No individual is contacted, recruited, or excluded from a research opportunity solely on the basis of automated processing. All recruitment decisions involve human review and assessment.

12. Cookies

We use essential cookies that are strictly necessary for the website to function correctly. We also use analytics cookies (Plausible Analytics) to understand how visitors use our site. Analytics cookies are placed only with your consent, which you may give or withdraw at any time using the cookie banner displayed on our website.

We do not use advertising cookies or tracking cookies, and we do not share cookie data with third-party advertisers.

13. Security

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS/HTTPS), access controls, secure cloud hosting, and regular review of our security practices.

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

14. Third-Party Links

Our website may contain links to third-party websites, including LinkedIn, PubMed, ClinicalTrials.gov and professional registration bodies. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policy of any website you visit.

15. Children

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us immediately at privacy@subjectrx.com and we will delete it.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. The "Last updated" date at the top of this page indicates when the policy was last revised. Where changes are material, we will take reasonable steps to bring them to your attention. Your continued use of our website or services after any update constitutes acceptance of the revised policy.

17. Contact Us and Complaints

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we have handled your personal data, please contact us:

SubjectRX Ltd
124 City Road
London EC1V 2NX
privacy@subjectrx.com

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you approach the ICO, and we will always endeavour to resolve any issue promptly and fairly.


SubjectRX Ltd is registered in England and Wales. Company number 17081989. Registered address: 124 City Road, London, EC1V 2NX. The information provided on this website is intended for general informational purposes only and does not constitute a contractual offer. All research services are subject to separate written agreement. SubjectRX Ltd is committed to protecting the privacy of all individuals whose data we process in accordance with the UK GDPR and applicable data protection legislation.
