This Privacy Policy describes how Purple Directive ("we," "us," or "Nexrial") collects, uses, stores, and protects information when you use Nexrial CTMS ("the Service"). It applies to all users of the Service and to visitors of nexrial.com.
If you are using the Service on behalf of an organization, this policy applies to your use, and your organization's use, of the Service. Your organization may have additional privacy obligations under applicable law, including HIPAA, which are addressed in Section 9.
Nexrial CTMS is a product of Purple Directive, a software company specializing in compliance-grade software for regulated industries. For privacy purposes, Purple Directive is the data controller for account and usage information, and acts as a data processor for Protected Health Information (PHI) entered by subscribing organizations under an executed Business Associate Agreement (BAA).
Contact: [email protected]
We collect three categories of data:
Account Information. When you or your organization registers for the Service, we collect:
Usage Data. When you use the Service, we automatically collect:
Clinical Data (PHI and Study Data). If you enter Protected Health Information or clinical study data into the Service, we store it on your behalf as your data processor. This data is governed by your Business Associate Agreement with us (see Section 9). We do not use clinical data for any purpose other than operating the Service for your organization.
We use the data we collect strictly to operate and improve the Service:
We do not use your data for advertising, behavioral profiling, or sale to third parties.
We share data only in the following limited circumstances:
PHI is never shared with any party except as required by your BAA or by applicable law.
We implement technical and organizational security measures appropriate to the sensitivity of the data we process:
No system is perfectly secure. If we become aware of a data breach that affects your data, we will notify you promptly in accordance with applicable law and your BAA.
We retain your data for as long as your subscription is active. Specifically:
You may request early deletion of specific data by contacting us, subject to our obligations under applicable law and your BAA (which may require retention of certain audit records for regulatory purposes).
With respect to your personal account information (not clinical data, which is governed by your BAA), you have the right to:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing certain requests.
For rights related to PHI under HIPAA (access, amendment, accounting of disclosures), contact us and reference your organization's BAA.
The Service uses a minimal set of cookies:
ctms_session). A single, server-set session cookie is used to authenticate logged-in users. This cookie contains a cryptographically random token with no personally identifiable information embedded. It expires when your session ends or after the configured inactivity timeout. This cookie is strictly necessary for the Service to function.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. The nexrial.com marketing site may use minimal, privacy-respecting analytics to measure page visits; this does not involve personal data beyond your IP address, which is not stored in identifiable form.
You can disable cookies in your browser, but the authenticated Service will not function without the session cookie.
Nexrial is designed to support HIPAA-compliant clinical research operations. Where you use the Service to store or process Protected Health Information (PHI), the following applies:
You, as the HIPAA Covered Entity or upstream Business Associate, are responsible for ensuring your own HIPAA compliance, including obtaining appropriate patient authorizations, maintaining your Notice of Privacy Practices, and fulfilling your obligations under your BAA with sponsors and IRBs.
To request a BAA or ask about our HIPAA safeguards, contact [email protected].
The Service is intended exclusively for use by licensed clinical research professionals and authorized staff of clinical research organizations. The Service is not directed at, and should not be used by, individuals under the age of 18.
We do not knowingly collect personal information from minors. If you believe a minor has registered for an account, please contact us immediately at [email protected] so we can investigate and remove the account.
Note: the Service may store clinical data about minor research subjects as part of a clinical trial. This is distinct from a minor using the Service, and is governed by your BAA and applicable regulations.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address on file and by posting the updated policy at nexrial.com/privacy at least 30 days before the changes take effect.
Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes. If you do not agree, you may terminate your subscription before the effective date.
The "Last updated" date at the top of this page reflects when the policy was most recently revised.
If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please contact us:
We aim to respond to all privacy inquiries within 5 business days and to resolve them within 30 calendar days.