Research Participant Privacy Policy

Last Revised: October 28, 2025

What does this policy cover?

This Research Participant Privacy Policy (the “Policy”) describes how Trinity Partners, LLC., its subsidiaries and related corporations (referred to here as “Trinity,” “we” or “us”) uses the personal data you provide to Trinity to help us determine your eligibility to participate in research on behalf of our client[s]. If you are a patient, this may involve the collection of your health data and may cover other sensitive pieces of information such as your ethnicity or sexual activity if this is relevant to this research.

Please confirm that you consent to our collection, use, disclosure and/or processing of personal data relating to you for purposes as provided for in this Research Participant Privacy Notice. You can withdraw this consent at any time. To find out more about how we and our clients use your data, or about your rights, you can review our Research Participant Privacy Policy below.

If you live within the United Kingdom (UK) or European Economic Area (EEA), you will be informed of the identity of our client[s] once the information will no longer bias our study. EEA residents may visit the section of the policy titled, “Non-US Residents: What rights do you have?” to learn more about their rights.

Residents of California can visit the section of the policy titled, “Notice at Collection for California Residents”. Additional information about our personal data collection practices and your rights as pertains to California Residents can be found below.

Residents of Australia can visit the section of the policy titled, “Notice at Collection for Australian Residents”. Additional information about our personal data collection practices and your rights as pertains to Australia can be found below.

Key points:

Trinity uses personal data relating to you to determine your eligibility to participate in our research studies and, where you are accepted for a study, to carry out research processing.
Trinity works as a controller with our end client in carrying out our research – we will identify this client to you at a later stage of the study if you live within the UK or EEA, in order to ensure our research is unbiased. Before providing personal data to our client, we ensure that we have anonymized the data you provide to the fullest extent possible. You will never be contacted by our end client, but they may be invited to listen to moderated interviews, view research via video streaming, or be given an audio or video recording or transcript of an interview – you will be informed before this takes place, and we take every possible precaution to ensure you remain anonymous.
Trinity may instruct another research organization to assist us in carrying out our research, particularly where this involves work in a non-English speaking country. This researcher will also be a controller for this data processing, and more details of how they handle personal data relating to you can be confirmed in their privacy policy.
As Trinity’s research engagements typically require us to screen individuals to ensure they belong to a relevant patient group, we will necessarily need to collect certain health data for these purposes. We may also need to collect other special category or sensitive personal data where this is relevant to our research, such as details of your ethnicity or sexual activity. We do this with your consent, which you may withdraw at any time.
We also use personal data relating to you where we need to comply with legal obligations. We may share data with our service providers and advisors for these purposes.

What information do we collect from you?

Trinity collects, uses, discloses and processes personal data relating to you where you submit responses to screening questions or participate in research studies we conduct for our clients. We process the information you provide to us.

If you are a Patient: Where you are a patient or caregiver this will typically involve information about your (or your care receiver’s) health, the impact of this on your personal life, and certain details of your home life that may be relevant to determine eligibility for research studies – such as information about whether you have children, your or your care receiver’s ethnicity, age and nationality and your availability for further research. Depending on the nature of the research we conduct, we may also collect sensitive information from you. This sensitive information may include: racial or ethnic background, sexual activity data or other heath information.

If you are a Health Care Professional (HCP): We will typically collect information about your role, background, and practice.

What information do we receive from third parties?

Sometimes, Trinity receives personal data about you from third parties. In particular, we may instruct another research organization to assist us in carrying out our research, particularly where this involves work in a non-English speaking country. This organization will also be a controller for this personal data processing, and more details of how they handle your personal data can be confirmed in their privacy policy. If you participate in a research project or a service conducted by a third party, we will disclose your personal data to the researchers or individuals who conduct the service and who are responsible for the project or service and who will use your personal data for the purposes of that project or service.

We may use the personal data you provide us to validate your identity using checks against publicly available information.

Trinity may also obtain your personal data from paid recruiters – these recruiters will provide us with your contact details, other information you may have provided them to confirm your eligibility (which could include health, ethnicity or sexual activity data as appropriate if you are a patient) and details of any consent you may have given to pass this information to us.

If you are a HCP, your personal data may be given to us by another HCP of your acquaintance, by our clients, or be procured from publicly available lists.

How do we use this information, and what is the legal basis for this use?

Trinity processes this personal data for the following purposes:

as needed to conduct our business and pursue our (and our client’s) legitimate interests, in particular, protecting our legitimate business interests and legal rights. This includes, but is not limited to, use in connection with legal claims, compliance, regulatory, auditing, investigative and disciplinary purposes (including disclosure of such information in connection with legal process or litigation) and other ethics and compliance reporting requirements; and
to enter into and administer any contract associated with our research activities, including any payments made to you for your participation in our research, involving use of payment details and Tax ID or Social Security numbers as required.

With your consent:

recruiting appropriate individuals for research, including verifying the identity of respondents;
contacting and carrying out research, and creating de-identified research products for our end client;
in the case of our client, they carry out research and evaluate its results – you will never be contacted by our end client unless you have reported an adverse event (and have consented to be re-contacted), but they may be invited to listen to study calls, or be given audio recordings or transcripts of calls, or view live research. You will be informed before this takes place and Trinity will take every possible precaution to ensure you remain anonymous); and
where Trinity has separately obtained your consent, for any other purpose as described in that consent; and
for purposes which are required by law – for example, our client may contact you where you report an adverse event (with your consent).

Relying on our legitimate interests

We rely on legitimate interests as a legal basis for the processing of personal data. You can obtain more information by contacting us using the details set out later in this notice.

Withdrawing consent

Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. Where you withdraw your consent, please note that this may affect your eligibility to participate in our research on behalf of our clients – either affecting your ability to participate entirely, or affecting your ability to participate to the full extent available.

Who will we share this data with, where and when?

Trinity will share personal data with our partner research organizations where this is necessary to carry out research in your country or territory – particularly where this involves work in a non-English speaking country. As explained above, details of how they handle your personal data can be confirmed in their privacy policy.

Trinity will share personal data with our end client, although we attempt to anonymize or de-identify this to the fullest extent possible. You will never be contacted by our end client unless it is in relation to suspected adverse events, and you have given your consent to be contacted. If you live within the UK or EEA, you will be informed of the Data Controller(s) once there is no further risk of bias to the study.

We share personal data with government authorities and/or law enforcement officials if this is needed for the purposes above, if mandated by law or if required for the protection of our legitimate interests, in compliance with applicable laws.

We also share personal data with service providers, who process it on our behalf for the purposes above. In particular, we use third party providers for screening and recruitment, moderating, audio transcription, translation services, payment processing, and audio modification.

We may also share your personal information with other entities of the Trinity corporate group, for purposes associated with the carrying out of these research functions.

How long will you retain my data?

Where we process your personal data in relation to your use of Trinity websites, we only retain this data as long as necessary for the given business purpose, contract, or legal requirement. Where we process personal data for marketing purposes or with your consent, we process the personal data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your personal data indefinitely so that we can respect your request in the future.

Where we are required to process your personal data to meet legal requirements, we will hold your personal data for as long as necessary for these purposes or as required by these laws, and will ensure your records are reviewed over time to ensure it is not held where no longer necessary.

Protection of Your Personal Data

We maintain physical, electronic, and procedural security measures that comply with applicable legal and regulatory standards to safeguard your personal data. Access to such personal data is restricted to those employees who are trained in the proper handling of personal data and have a legitimate business need to access that personal data. We follow generally accepted standards to protect the personal data you submit to us, whether that personal data is in transit or at rest. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.

International Transfers of Personal Data

Your personal data may be transferred, processed and/or stored in a country other than the one in which your personal data is collected, including but not limited to the United States, Brazil, Canada, Germany, India, Italy, Mexico, Portugal, Singapore, Japan, Australia and the United Kingdom. Trinity has implemented procedures to ensure that appropriate safeguards are in place to protect the personal data regardless of where it is being transferred to. Where we transfer your data internationally, we will do so on the basis of: (i) an adequacy decision; (ii) your consent; (iii) model contractual clauses; or (iv) another valid transfer mechanism. For information on the safeguards applied to such transfers, please contact us at Compliance@trinitypartners.com.

Non-US residents: What rights do you have?

Depending on the applicable jurisdiction and local laws, you may have the right to ask us for a copy of your personal data; to correct it, erase it or restrict (stop any active) processing of your personal data; and to ask us to transfer some of this information to other organizations in a structured, machine-readable format.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement).

These rights may be limited in some jurisdictions and in some situations, for example if fulfilling your request would reveal personal data about another person, where this would infringe the rights of a third party (including our rights) or if you ask us to delete personal data which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the UK and EU GDPR and in applicable national legislation in other countries. We will inform you of relevant exemptions when responding to any request you make.

We hope that we can satisfy any queries you may have about the way we process your personal data. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work, or where you believe a breach may have occurred To exercise any of these rights, or to obtain other information you can get in touch with us using the details set out below in the “How do I get in touch with you?” section..

How do I get in touch with you?

We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or if you would like to exercise your data subject rights , you can get in touch at Compliance@trinitylifesciences.com or by writing to Compliance Department, Trinity, 230 Third Ave., Waltham, MA 02451.

CCPA Notice at Collection for California Residents

Additional information for residents of California:

To the extent that you are a resident of California, this CCPA Notice at Collection supplements the above Privacy Policy with respect to specific obligations and rights granted under the California Consumer Privacy Act of 2018 (the “CCPA”) as amended and expanded by the California Privacy Rights Act of 2020 (CPRA) to natural person California residents and provides information regarding how such California residents can exercise their rights under the CCPA.

Categories of Personal Data We Collect and Disclose For a Business Purpose:

Within the last twelve (12) months we have collected the following categories of personal data from California residents and we have disclosed each of these categories of personal data with third-party service providers as set forth in “With whom will we share this data, and when?” in this Privacy Policy.

Category of Personal Data	Examples	Categories of External Recipients	Disclosed for a Business Purpose as defined in the CCPA
A. Identifiers.	A real name, alias, postal address, unique personal identifier, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	Service Providers	Yes
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	Service Providers	Yes
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	Service Providers	Yes
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	Service Providers	Yes
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	Service Providers	Yes
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	Service Providers	Yes

In addition to the categories of external recipients identified above, during the 12-month period prior to the last updated date of this Privacy Notice, we may have disclosed personal data about you to governmental agencies, regulators, and other third parties for the purposes set forth in “With whom will we share this data, and when?” in this Privacy Policy.

Sensitive personal data:

Subject to the relevant jurisdictional requirements, Trinity may process sensitive personal data. Trinity will only use and disclose sensitive personal data for a purpose for which it was originally collected. Unless we request it, we ask that you not send us, or disclose, any sensitive personal data.
The sensitive data that Trinity processes may include:

Information related to racial or ethnic origin.
A social security, driver’s license, state identification card, or passport number.
An individual’s precise geolocation.

Purposes for Collecting Personal Data:

We collect personal data for business or commercial purposes set forth in “How do we use this information, and what is the legal basis for this use?”, respectively, in the Privacy Policy above.

Trinity does not sell your personal data or share your personal data for the purpose of cross context behavioral advertising, as defined by the California Privacy Rights Act (CPRA) of 2020.

Retention:

We retain the categories of personal data set forth above in the “Categories of Personal Data We Collect and Disclose For a Business Purpose section of this Supplemental California Notice at Collection for those business or commercial purposes described in “How do we use this information, and what is the legal basis for this use? in this Supplemental California Notice at Collection and as set forth in “How long will you retain my data?” section in the main Privacy Policy above, except as may be required under applicable law, court order or government regulations.

California Privacy Rights Under The CCPA:

You have certain rights under the CCPA in respect of the personal data we hold and which you may exercise. These rights are:

Deletion rights: You have the right to request that we delete any of your personal data that we retain, subject to certain exceptions, including, but not limited to, our compliance with U.S., state, local and non-U.S. laws, rules and regulations.

Disclosure and access rights: You have the right to request that we disclose to you certain information regarding our collection, use, disclosure and sale of personal data specific to you over the last twelve (12) months. Such information includes:

The categories of personal data we collected about you;
The categories of sources from which the personal data is collected;
Our business or commercial purpose for collecting such personal data;
Categories of third parties or persons with whom we share the personal data;
The specific pieces of personal data we have collected about you; and
Whether we disclosed your personal data to a third party, and if so, the categories of personal data that each recipient obtained.

CCPA also provides you the right to receive information about any financial incentives (i.e., compensation payments) that we may offer in connection with use of your personal data for participating in certain of our Activities (as that term is defined in “About Trinity” in our Main Privacy Policy).

Additional rights: Under CCPA, you also have the right to:

Request the correction of any inaccurate personal data maintained by us about you.
Request that we limit the use and disclosure of your sensitive personal data. Currently, however, we do not use or disclose your sensitive personal data other than for the purpose(s) for which it was collected.
Choose to opt-out of the sale of personal data or the sharing of personal data for cross-context behavioral advertising. Currently, however, we do not sell or share personal data as defined under the CCPA.

Your rights will in each case be subject to the restrictions set out in the CCPA. Further information on these rights, and the circumstances in which they may arise in connection with our processing of your personal data, can be obtained by contacting us.

Non-Discrimination for Exercising Your Rights:

We follow the requirements of California Civil Code §1798.125 and will not discriminate against any consumer who exercises the rights set forth in this Privacy Policy.

We will never penalize or otherwise subject you to discriminatory treatment for exercising any of your California Privacy Rights.

Exercising Your California Privacy Rights:

To exercise any of your rights under the CCPA, please contact us by any of the methods below:

By mail:
Trinity
230 Third Avenue
5th Floor
Waltham, MA 02451-7528

By email: Compliance@trinitypartners.com

By phone: 1-855-56-2229

Verifying Your Identity:

If you choose to contact us with a request, you will need to provide us with identifying information that matches the personal data we currently have about you.

Authorized Agent:

You have the right to appoint an authorized agent to exercise your rights on your behalf. If you would like to do so, please contact Compliance@trinitypartners.com

Accessibility Information:

For individuals with disabilities who need to access to this policy in an alternative format, please contact us at Compliance@trinitypartners.com

Updates To This California Notice at Collection:

We may reserve the right to periodically update this California Notice at Collection. Please reference the “LAST UPDATED” note below for the effective date of the most recent updates.

This California Notice at Collection was last updated on January 8, 2025

Notice at Collection for Australian Residents

This notice supplements the information contained in the main Trinity Research Participant Privacy Policy (the “Main Privacy Policy”) set forth above and applies solely to individuals located in Australia, in accordance with the Privacy Act 1988 (Cth) including the Australian Privacy Principles, and all other applicable federal, state and territory-based privacy and data protection legislation (“Australian Privacy Legislation“) pertaining to the protection of “Personal Information”. Whilst the specific definitions of “Personal Information” are set out below, it is referred to for consistency as “Personal Data” in accordance with the Main Privacy Policy.

The Australian Privacy Legislation variously details how Personal Data may be collected, used, disclosed, stored and destroyed, and how an individual may gain access to or make complaints about the Personal Data held about them. If any of the provisions within this Annexure conflict with any of the Main Privacy Policy provisions, the provisions in this Annexure will prevail.

Definitions

“Personal Information” means information and/or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual who is identifiable, whose identity is apparent, or whose identity can reasonably be ascertained, from the information or opinion.

“Sensitive Information” is a subset of personal information, and includes information or an opinion about an individual’s racial or ethnic origin, political opinions, political association membership, religious beliefs or affiliations, philosophical beliefs, professional or trade association membership, trade union membership, sexual orientation or practices or criminal record. Sensitive information also specifically includes health information and genetic information.

What Personal Data we collect and hold

We will only collect Personal Data by lawful and fair means, in accordance with the Australian Privacy Legislation.

We only collect Personal Data for purposes which are reasonably necessary for, or (particularly in respect of health information) directly related to our business functions of conducting HCP and patient research, and other activities as permitted under the Australian Privacy Legislation. This includes for the reasons set out in the Main Privacy Policy under the headings of “How do we use this information?”.

Additional categories of Personal Data collected, used, held, stored and disclosed include:

Information related to racial or ethnic origin.
A social security, driver’s license, state identification card, or passport number.
An individual’s precise geolocation.

We collect, hold, use and disclose Personal Data from you or about you where it is reasonably necessary for us to carry out our business functions and activities in respect of research, including the purposes listed in the Main Privacy Policy.

If we do not collect, hold, use or disclose your Personal Data, or if you choose not to provide certain Personal Data to us, or if you do not consent to our collection, holding, use or disclosure of your Personal Data as specified in the Main Privacy Policy, then certain consequences may flow. These may include as follows:

we may not be able to complete our transaction with you;
you may not be able to participate at all in our research activities;
you may not be able to participate to the full extent in and of our research activities;

Where we wish to use or disclose your Personal Data for purposes other than those listed in the Main Privacy Policy, we will do so in accordance with the Australian Privacy Legislation, or we will otherwise obtain your consent.

How we collect and hold personal information

As stated in the Main Privacy Policy, we will collect Personal Data from you or about you in various ways, including directly from you, or from third parties.

If received, we will ensure that all unsolicited Personal Data will be afforded the same privacy protection as solicited Personal Data. Where unsolicited Personal Data is received:

We will assess whether we could have collected the Personal Data directly from you, and
If not, then we will destroy or remove identifying components in the Personal Data as soon as practicable, but only if lawful and reasonable to do so.

You have the option of not identifying yourself or of using a pseudonym when dealing with us, unless the use of your true identity is a legal requirement or necessary for your participation in our research activities.

How we hold and store personal information

We take reasonable precautions and follow industry best practices to protect your Personal Data, and make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed. We limit access to your Personal Data to those employees and third parties who need access for our research program and business purposes. In addition, we train our employees and require contractual accountability from our third party service providers about the importance of maintaining the privacy and security of your Personal Data.

Complaints?

We would like to be the first to know if you have any complaints or concerns in relation to our privacy and data protection practices. To raise a query or make a complaint, you can contact: Compliance@trinitiypartners.com.
We will respond to your complaint or query in accordance with the requirements of the Australian Privacy Legislation.

What are your rights?

As mentioned in the Main Privacy Policy, different jurisdictions have different rights attached to your Personal Data.

We have procedures in place for dealing with and responding to requests for access to, and correction of, the Personal Data held about you.

When you request access to Personal Data, or request that we change your Personal Data, we will do so unless we consider that there is a sound reason under the Australian Privacy Legislation or other relevant law.

In most cases, we expect that we will be able to comply with your request. However, if we do not agree to provide you access or to correct the Personal Data as requested, we will give you written reasons why. For further information please contact us.

If we refuse your request, we will give you reasons why. The written notice will set out:

the reason for refusal (unless this would be unreasonable);
the mechanisms available to you to complain about the refusal; and
any other matter prescribed by the Australian Privacy Legislation.

We will respond to a correction request within a reasonable period. We will not charge for making the request, for correcting the information, or for associating any statement with the personal information.

To assist us to keep our records up to date, please notify us of any changes to your personal information.

Destruction and De-identification

As mentioned in the Main Privacy Policy, we will retain your Personal Data while it is required for any of our business functions or for any other lawful purpose. When the Personal Data that we collect is no longer required, we will use secure methods to destroy or permanently de-identify it.

Overseas Disclosure

Trinity’s Australian business operations are part of the wider Trinity corporate group. We may disclose your personal information to recipients located outside of Australia (including within, or external to the Trinity corporate group). However, we will only do so where:

you have provided consent; or
we believe on reasonable grounds that the overseas recipient is required to deal with your Personal Data by enforceable laws which are similar to the requirements under the Australian Privacy Legislation; or
it is otherwise permitted by law.

In the course of undertaking activities associated with conducting our research, we may disclose your personal data to third-party service providers, contractors, software, or cloud providers. These providers assist us with various functions, including data storage and processing, screening and recruitment, moderating, audio transcription, translation services, payment processing, and audio modification. Please note that some of our staff may also be based outside of Australia, and may have access to your information for research-related activities.

Our overseas affiliates are located all over the world, with the main locations being: EEA, UK, US, Canada, India, Singapore and Japan.

Trinity in Australia

Trinity’s identity and contact details in Australia are as follows:

Contact: Paul Lucchese
Entity Name: Trinity Partners, LLC
Address: 230 Third Avenue, Waltham, MA 02451
Phone: +1 781.691.9326
Email: plucchese@trinitylifesciences.com

Further detail about the entities within the Trinity Life Sciences group can be found here: Contact Trinity Life Sciences | Global Offices & Expert Support.