privacy policy
Thank you for choosing to be part of our community at HomeNurse4U Limited doing business as MEDORA™ ("HomeNurse4U Limited," "we," "us," or "our"). We appreciate your trust in using our services. Protecting your personal and health-related information is a responsibility we take seriously. This Privacy Policy outlines how we collect, use, share, store, and protect data across our healthcare home visit scheduling and clinical research data collection platform ("Platform").
This policy applies to all users interacting with our web and mobile applications and associated services.
IMPORTANT NOTICE
This platform processes sensitive personal data, including Protected Health Information (PHI) and Personally Identifiable Information (PII), in the context of clinical research and healthcare delivery. Please review this policy carefully to understand your rights and how your information is managed.
If you have any questions about this policy or our practices, you may contact our Data Protection Officer (DPO) at data.protection@homenurse4u.com.
1. SCOPE AND APPLICABILITY
This Privacy Policy applies comprehensively to various categories of users who interact with our platform in different capacities. Mobile Research Clinicians (Field Staff) who are engaged in conducting home visits and entering clinical or operational data are covered under this policy. Patients whose medical or personal data is recorded for treatment and/or clinical trial purposes receive full protection under these guidelines. Healthcare Providers and Investigators who are responsible for overseeing patient care or research protocols must adhere to and are protected by these provisions. Additionally, Project and Research Teams managing operational aspects of clinical studies fall within the scope of this policy.
This policy governs all data collected through our comprehensive suite of digital tools and services. This includes mobile applications that enable field data collection, web portals and applications that facilitate remote access to research data, and backend systems and services used for visit scheduling, clinical data capture, health information management, research compliance, and oversight activities. The scope extends to all interactions with our platform, regardless of the access method or device used.
2. REGULATORY COMPLIANCE
We maintain an unwavering commitment to full compliance with applicable national and international data protection regulations. Our compliance framework encompasses multiple jurisdictions and regulatory requirements to ensure comprehensive protection of your data.
United States
We adhere to the Health Insurance Portability and Accountability Act (HIPAA), which governs the protection and confidential handling of protected health information. We comply with 21 CFR Parts 11, 50, 56, 312, and 812, which constitute the Food and Drug Administration's clinical research regulations governing electronic records, informed consent, institutional review boards, investigational new drugs, and investigational device exemptions respectively.
Our operations align with Good Clinical Practice (GCP) E6 R3 guidelines, ensuring the highest standards in clinical research conduct. Where applicable, we also comply with the California Consumer Privacy Act (CCPA), providing California residents with enhanced privacy rights and protections.
Europe and United Kingdom
We comply with the General Data Protection Regulation (GDPR), which provides comprehensive data protection rights to individuals in the European Union and continues to apply in the United Kingdom through UK GDPR. We adhere to the EU Clinical Trial Regulation (CTR), which governs the conduct of clinical trials within the European Union, and the UK Clinical Trials Regulation for research conducted in the United Kingdom.
Americas (Beyond US)
In Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level and Personal Health Information Protection Act (PHIPA) in applicable provinces, ensuring comprehensive privacy protection for Canadian participants.
In Brazil, we adhere to the Lei Geral de Proteção de Dados (LGPD), Brazil's comprehensive data protection law that establishes rights for individuals and obligations for data controllers and processors.
Asia-Pacific Region
In India, we comply with the Digital Personal Data Protection Act (DPDP Act) 2023 and relevant provisions of the Information Technology Act, ensuring protection of personal data of Indian participants.
In Taiwan, we adhere to the Personal Data Protection Act (PDPA) and related healthcare data protection regulations.
In Australia, we comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs), with particular attention to health information privacy requirements.
In Singapore, we follow the Personal Data Protection Act (PDPA) and applicable healthcare data protection frameworks.
Global Standards and Additional Jurisdictions
Our practices align with the International Conference on Harmonisation Good Clinical Practice (ICH-GCP) guidelines, ensuring global standards in clinical research across all jurisdictions where we operate.
Additionally, we comply with relevant local laws and regulations in all countries where research or care is delivered, including but not limited to data protection, privacy, and clinical research regulations in Japan, South Korea, Mexico, Argentina, and other jurisdictions where we provide services, recognizing the importance of respecting local regulatory requirements and cultural considerations.
Ethical Framework
Our platform operates under the guidance of ethical principles and best practices defined by regulatory bodies, ethics committees, and international organizations, ensuring that all data processing activities meet the highest ethical standards and comply with applicable institutional review board requirements in each jurisdiction.
3. CATEGORIES OF INFORMATION WE COLLECT
We collect various types of personal and operational data, each serving specific purposes within our healthcare and research ecosystem. Our data collection practices are designed to support comprehensive healthcare delivery and rigorous clinical research while maintaining strict privacy protections.
To ensure the highest level of data security, we encrypt all data while it is being transferred internally between modules or through any other mode of data transfer. This encryption protocol allows us to keep data secure in case someone attempts to intercept transmissions during internal system communications, providing an additional layer of protection for your sensitive information throughout our platform's operations. More specific details on our security protocols and encryption measures are included in Section 7 SECURITY MEASURES of this policy.
Information from Mobile Research Clinicians
We collect comprehensive professional and operational information from our mobile research clinicians to ensure proper credentialing, effective communication, and optimal service delivery. Identity and Credentials information includes full name, professional license numbers, and relevant professional certifications, which we use to verify qualifications and maintain professional standards. Contact Details encompass email addresses, phone numbers, and home addresses, enabling us to maintain effective communication channels and provide necessary support. Work Profile information includes training history, prior professional experience, and scheduling preferences, which help us optimize work assignments and ensure appropriate skill matching for specific research protocols or patient care needs. System Use data encompasses login records, comprehensive audit trails, session duration metrics, and form submission activities, which are essential for security monitoring, compliance verification, and platform optimization.
Patient Personal and Health Data
Patient data collection represents the most sensitive aspect of our operations, and we handle this information with the utmost care and in strict accordance with applicable healthcare privacy regulations. Demographics information includes patient names, dates of birth, gender identifications, contact information, and language preferences, which are essential for proper patient identification, communication, and culturally appropriate care delivery. Health Information encompasses vital signs measurements, known allergies and adverse reactions, current diagnoses, medication lists and dosages, which are fundamental to providing safe and effective healthcare services. Visit Data includes specific locations where care is provided, precise timing of healthcare visits, and detailed home care notes documenting the care provided, which ensures continuity of care and proper documentation for regulatory compliance. Clinical Assessments consist of comprehensive evaluations, diagnostic test results, standardized questionnaires, and other assessment tools, which provide the clinical foundation for research studies and treatment decisions. Consent Documents include physically (on paper)/electronically/digitally signed informed consent or assent forms, which demonstrate patient understanding and voluntary participation in research activities. Study Participation Data encompasses protocol identification numbers, enrolment status tracking, randomization details, and other study-specific information necessary for proper research conduct and regulatory compliance.
Information from Healthcare Providers and Investigators
Healthcare providers and investigators represent a critical component of our research ecosystem, and we collect specific information to support their professional roles and responsibilities. Professional Details include complete names, medical license numbers, and areas of medical specialization, which ensure proper credentialing and appropriate assignment of responsibilities. Affiliation information encompasses organization names, department affiliations, and detailed contact information, facilitating proper institutional oversight and communication. Research Role designations include Principal Investigator, Sub-Investigator, Study Coordinator, and other study team positions, which define access permissions and responsibility levels within specific research protocols. Review Records consist of case report form (CRF) reviews, adverse event analysis documentation, and other oversight activities, which demonstrate proper study monitoring and quality assurance practices.
Project Team and Research Staff Information
Our project teams and research staff require specific information management to ensure effective collaboration and appropriate access controls. Personnel Profiles include names, professional titles, and institutional affiliations, which establish identity and authority within the research ecosystem. Access Records encompass login timestamps, specific modules accessed, and data export activities, which provide comprehensive audit trails for security and compliance purposes. Internal Communication includes messages, system alerts, and other communication records necessary for effective team coordination and platform functionality.
4. METHODS OF DATA COLLECTION
We employ multiple sophisticated methods of data collection, each designed to capture accurate, complete, and timely information while maintaining user privacy and data security. Our collection methods are implemented with appropriate technical and administrative safeguards to ensure data integrity and regulatory compliance.
Direct Collection represents the primary method of gathering information through user-initiated activities. This includes comprehensive user registration and onboarding forms that capture essential demographic and professional information, real-time data entry during patient visits conducted by Mobile Research Clinicians, uploaded documents or photographs that support clinical documentation, electronic case report forms (eCRFs) that standardize data collection across research sites, and consent and signature capture systems that ensure proper documentation of patient agreement and understanding.
Device Metadata collection involves the automatic gathering of technical information necessary for platform functionality and security. This includes IP addresses for security monitoring and geographic analysis, browser information for compatibility optimization, operating system details for technical support, and time zone information for proper scheduling and coordination across different geographic locations.
Session Analytics encompass the collection of user interaction data to optimize platform performance and user experience. This includes page view tracking to understand user navigation patterns, detailed navigation pattern analysis to identify areas for interface improvement, and session duration monitoring to assess platform efficiency and user engagement levels.
Security Logs represent a critical component of our data protection strategy, involving comprehensive monitoring of platform access and usage. This includes detailed login attempt records for security threat detection, file access logs for audit trail maintenance, and data modification records for change tracking and compliance verification.
5. PURPOSES OF DATA USE
We process your information based on legitimate business interests, the fulfilment of our contractual obligations with you, compliance with our legal obligations, and/or your explicit consent. We use personal information collected via our platform for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests ("Business Purposes"), in order to enter into or perform a contract with you ("Contractual Reasons"), with your consent ("Consent"), and/or for compliance with our legal obligations ("Legal Reasons"). We indicate the specific processing grounds we rely on next to each purpose listed below.
Clinical and Research Operations
To facilitate comprehensive visit scheduling, coordination, and tracking for Business Purposes, Contractual Reasons, and Legal Reasons. We use collected information to optimize healthcare delivery schedules, ensure appropriate resource allocation, coordinate between multiple healthcare providers and research staff, and maintain detailed tracking records for regulatory compliance and quality assurance purposes.
To enable thorough documentation of patient assessments for Legal Reasons, Contractual Reasons, and with your Consent. We process health information to create comprehensive medical records, support clinical decision-making, ensure continuity of care across multiple visits and providers, and maintain detailed documentation required for regulatory submissions and audit readiness.
To support adverse event and protocol deviation reporting for Legal Reasons and Business Purposes. We use collected data to identify, document, and report adverse events in compliance with regulatory requirements, track protocol deviations to ensure study integrity, and implement corrective and preventive actions to maintain research quality standards.
To facilitate submission of data to sponsors and regulatory agencies for Legal Reasons and Contractual Reasons. We process information to compile regulatory submission packages, prepare data for sponsor review and analysis, ensure compliance with Good Clinical Practice guidelines, and support regulatory agency inspections and audits.
To enable comprehensive study monitoring, audit readiness, and quality assurance for Business Purposes, Legal Reasons, and Contractual Reasons. We use collected information to conduct internal quality reviews, prepare for external audits and inspections, implement quality improvement initiatives, and maintain comprehensive documentation systems.
Platform Functionality and Support
To provide secure user authentication and role-based access controls for Business Purposes and Legal Reasons. We process authentication information to verify user identities, implement appropriate access permissions based on professional roles and responsibilities, maintain security audit trails, and prevent unauthorized access to sensitive healthcare and research data.
To deliver comprehensive notification services, including reminders and alerts for Business Purposes and with your Consent. We use contact information to send appointment reminders, deliver critical safety alerts, provide study-related updates, and facilitate timely communication between healthcare providers, research staff, and patients.
To maintain detailed audit trail systems for Legal Reasons and Business Purposes. We process usage data to create comprehensive activity logs, support regulatory compliance requirements, enable forensic analysis when necessary, and demonstrate adherence to data protection and research integrity standards.
To facilitate feedback collection and support ticket handling for Business Purposes and with your Consent. We use provided information to respond to user inquiries, resolve technical issues, implement platform improvements based on user feedback, and maintain high levels of user satisfaction and platform performance.
To optimize performance and resolve software bugs for Business Purposes. We process system usage data to identify performance bottlenecks, prioritize feature development, resolve technical issues, and ensure optimal platform functionality across all user types and access methods.
Compliance, Legal, and Ethical Obligations
To respond to Institutional Review Boards, ethics committees, and regulatory authorities for Legal Reasons. We process collected information to support ethical review processes, respond to regulatory inquiries, demonstrate compliance with research protocols, and facilitate ongoing oversight of research activities.
To fulfil legal disclosure requirements as mandated by applicable laws for Legal Reasons. We may process information to comply with court orders, respond to lawful government requests, support public health reporting requirements, and fulfil other legal obligations while maintaining appropriate privacy protections.
To secure and document informed consent throughout its lifecycle for Legal Reasons and Contractual Reasons. We use consent-related information to demonstrate voluntary participation, track consent status changes, maintain regulatory compliance documentation, and ensure ongoing patient rights protection.
To meet comprehensive data retention and archival requirements for Legal Reasons and Business Purposes. We process information to comply with regulatory retention schedules, maintain long-term research data availability, support future regulatory inspections, and ensure data availability for legitimate research purposes.
6. INFORMATION SHARING AND DISCLOSURE
We maintain a strict policy against selling or monetizing your personal data. Our information sharing practices are limited to legitimate business purposes, legal requirements, and healthcare operations that directly support patient care and research integrity. We may share information with carefully vetted third parties under the following circumstances and with appropriate safeguards in place.
Healthcare Operations
Sponsors and Clients receive appropriately de-identified or coded data for study oversight purposes. We share information necessary for research sponsors to monitor study progress, assess data quality, fulfill regulatory reporting requirements, and make informed decisions about study continuation or modification. All shared data undergoes rigorous de-identification processes or uses coding systems that prevent direct identification of individuals while maintaining data utility for research purposes.
Regulatory Bodies receive information as required for compliance with FDA, EMA, DCGI, and other relevant regulatory authorities. We provide data necessary for regulatory submissions, respond to agency inquiries, support inspection activities, and fulfil mandatory reporting requirements for adverse events and serious breaches of protocol.
Ethics Committees and Institutional Review Boards receive information necessary for monitoring study protocols, assessing ongoing risk-benefit ratios, reviewing protocol modifications, and ensuring continued ethical conduct of research activities. This sharing supports the oversight function of these bodies in protecting research participant rights and welfare.
Authorized Service Providers
We engage carefully selected third-party service providers to support our platform operations, and all such arrangements are governed by strict contractual protections.
Cloud hosting services, such as Amazon Web Services (AWS), provide the technical infrastructure necessary for platform operations while maintaining the highest security standards and regulatory compliance.
Translation services support multilingual studies by providing accurate translation of consent forms, questionnaires, and other study materials while maintaining the confidentiality of sensitive information.
Payment processing services and banking institutions handle secure financial transactions for study participants, research payments, and operational expenses while maintaining PCI-DSS compliance and financial data protection standards.
Communication and notification services enable secure messaging, email communications, and mobile push notifications for study participants and research teams while protecting personal contact information.
Analytics and monitoring services provide platform performance insights, security monitoring, and compliance reporting capabilities while ensuring participant data privacy through anonymization and aggregation techniques.
Customer support platforms facilitate help desk operations, technical assistance, and participant support services while maintaining confidentiality of all interactions and personal information.
All third-party service providers operate under comprehensive Data Processing Agreements (DPAs) and are bound by HIPAA Business Associate Agreements (BAAs) that establish legal obligations for protecting health information. These agreements include GDPR-compliant terms that ensure European data protection standards, access limitations that restrict data use to specified purposes, and robust confidentiality clauses that prevent unauthorized disclosure or use of information.
Legal and Emergency Disclosures
In certain circumstances, we may be required to disclose information to comply with legal obligations or address emergencies. Court orders or lawful investigations may require disclosure of relevant information, which we provide only to the extent legally required and with appropriate legal review. Threats to life or serious harm may necessitate disclosure to prevent imminent danger to individuals or public safety. Infectious disease reporting to public health bodies may be required to fulfil mandatory reporting obligations and support public health protection efforts.
7. SECURITY MEASURES
We implement comprehensive security measures encompassing technical, administrative, and physical controls to protect your information from unauthorized access, use, disclosure, alteration, or destruction. Our security framework is designed to meet or exceed industry standards and regulatory requirements for healthcare data protection.
Technical Controls
Our technical security infrastructure employs advanced encryption and access control technologies. We utilize AES-256 encryption for all data at rest, ensuring that stored information remains protected even in the event of physical media compromise. All data transmissions are secured using Transport Layer Security (TLS) version 1.2 or higher, providing robust protection for information in transit between devices and our servers.
We implement comprehensive role-based access permissions that ensure users can access only the information necessary for their specific job functions and responsibilities. Our authentication systems employ secure password hashing algorithms and multi-factor authentication (MFA) requirements for all user accounts, significantly reducing the risk of unauthorized access due to compromised credentials.
Advanced intrusion detection systems continuously monitor our network and systems for suspicious activities, providing real-time alerts for potential security incidents. These systems enable rapid response to security threats and help prevent unauthorized access attempts from succeeding.
Administrative Measures
Our administrative security controls focus on human factors and organizational processes that support data protection. All employees receive comprehensive privacy training and certification programs that ensure understanding of data protection requirements, appropriate handling procedures, and incident response protocols. This training is regularly updated to reflect changes in regulations, threats, and best practices.
We maintain detailed security policies and Standard Operating Procedures (SOPs) for data handling that provide clear guidance for all data processing activities. These policies are regularly reviewed and updated to ensure they remain current with evolving threats and regulatory requirements.
We conduct regular independent audits and risk assessments to identify potential vulnerabilities and ensure our security controls remain effective against evolving threats.
Physical Measures
Physical security represents a critical component of our comprehensive protection strategy. Our Cloud Infrastructure Security relies on Amazon Web Services data centers that maintain SOC 2 Type II compliance, demonstrating effective internal controls over security, availability, processing integrity, confidentiality, and privacy. These facilities feature 24/7 physical security with professional security personnel, biometric access controls that restrict entry to authorized personnel only, and comprehensive environmental monitoring systems that protect against power outages, temperature fluctuations, and other environmental threats.
Workstation Controls include secure workstation configuration standards that ensure all devices accessing our platform meet minimum security requirements, automatic screen locks that prevent unauthorized access to unattended devices, and regular security updates and patch management processes.
Media Controls encompass secure handling and disposal procedures for any physical media containing PHI, including encrypted storage requirements, secure destruction protocols, and comprehensive chain of custody documentation.
We verify our Cloud Service Provider Standards by confirming AWS compliance with HIPAA, SOC 2, ISO 27001, and other relevant security frameworks. This includes regular review of compliance certifications and security assessments.
Data Center Redundancy includes multi-availability zone deployment for business continuity and disaster recovery, ensuring that our services remain available even in the event of localized infrastructure failures or natural disasters.
8. DATA RETENTION POLICY
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal and regulatory requirements, and support legitimate business operations. Our retention periods are carefully designed to balance operational needs with privacy principles and regulatory compliance requirements.
Research data is retained according to the specific study protocol requirements, client or sponsor specifications, or applicable regulatory standards, with a default period of 25 years as required by the EU Clinical Trial Regulation (EU CTR). This extended retention period ensures data availability for long-term safety monitoring, regulatory inspections, and scientific integrity verification.
Patient health data retention periods are determined by applicable healthcare laws, institutional policies, and regulatory requirements specific to the type of care provided and research conducted. These periods typically range from 7 to 25 years, depending on the nature of the information and applicable regulatory framework.
Consent forms are retained for the lifetime of the associated study or as specified by Institutional Review Board (IRB) requirements, ensuring that documentation of participant agreement remains available for the duration of research activities and any subsequent regulatory review periods.
System logs, including security, access, and audit logs, are maintained for a minimum of 6 years to support regulatory compliance requirements and enable investigation of security incidents or compliance issues that may not be discovered immediately.
Account data is retained while user accounts remain active, plus an additional 7 years following account closure to support potential regulatory inquiries and maintain appropriate audit trails.
All data scheduled for deletion undergoes secure anonymization or destruction processes that prevent recovery of personal information while preserving any necessary statistical or research value through properly anonymized datasets.
9. YOUR PRIVACY RIGHTS
Depending on your jurisdiction and the applicable data protection laws, you may have various rights regarding your personal information. We are committed to facilitating the exercise of these rights while balancing legal obligations and research integrity requirements.
Right to access Allows you to view or request copies of your personal data that we process. We will provide this information in a clear and understandable format, along with details about how the information is being used and with whom it has been shared.
Right to rectification Enables you to correct inaccurate or incomplete personal data. We will promptly update our records upon verification of corrected information, ensuring that inaccurate data does not compromise the quality of care or research activities.
Right to erasure Permits you to request deletion of your personal data, subject to legal retention requirements and research integrity considerations. In active clinical research, this right may be limited during study participation to preserve data integrity and regulatory compliance.
Right to restrict processing Allows you to limit how your personal data is processed in certain circumstances. We will clearly explain any limitations that may apply due to regulatory requirements or research protocols.
Right to data portability Enables you to receive your personal data in a machine-readable format, facilitating transfer to other healthcare providers or research organizations when appropriate and legally permissible.
Right to object Permits you to object to certain types of data processing, where applicable law provides this right. We will carefully consider such objections while balancing legitimate research interests and legal obligations.
For clinical research participants, some rights may be limited during active study participation to preserve data integrity, ensure regulatory compliance, and protect the validity of research results. We will clearly explain any such limitations and the reasons they are necessary.
How to Exercise Your Rights
Contact Methods:
To exercise any of these rights, you may contact us through the following channels:
Identity Verification
To protect your personal information, we require identity verification before processing rights requests. You will need to provide:
Processing Timeframes
We are committed to responding to your requests within the timeframes required by applicable law:
Under GDPR (European Union/UK participants):
Processing Timeframes
We are committed to responding to your requests within the timeframes required by applicable law:
Under GDPR (European Union/UK participants):
Under HIPAA (United States participants):
Other Jurisdictions:
Request Processing Steps:
Processing Timeframes
We are committed to responding to your requests within the timeframes required by applicable law:
Under HIPAA (United States participants):
Other Jurisdictions:
Request Processing Steps:
10. INTERNATIONAL DATA TRANSFERS
When international data transfers are necessary for research collaboration, regulatory compliance, or platform operations, we implement appropriate safeguards to ensure your personal information receives equivalent protection regardless of its location. Our transfer mechanisms comply with applicable data protection laws and international agreements, including the requirements established following the Schrems II ruling (CJEU C-311/18).
Transfer Impact Assessments (TIAs):
In compliance with supervisory authority expectations following the Schrems II ruling, we conduct comprehensive Transfer Impact Assessments (TIAs) before transferring EU personal data outside the European Economic Area (EEA). These assessments evaluate:
We document all TIA findings and implement additional technical, organizational, or contractual measures where necessary to ensure essentially equivalent protection to that provided within the EU.
Transfer Mechanisms and Safeguards
We utilize Standard Contractual Clauses (SCCs) approved by the European Union and other data protection authorities to govern international transfers. These contractual provisions establish legally binding obligations for data protection and provide enforceable rights for data subjects. Where TIAs identify potential risks, we supplement SCCs with additional safeguards such as:
Where applicable, we implement Binding Corporate Rules (BCRs) that establish comprehensive internal policies for international data transfers within corporate groups, ensuring consistent protection standards across all locations, supplemented by TIA-driven additional measures.
We rely on adequacy decisions issued by data protection authorities that recognize certain countries as providing adequate protection for personal data, enabling transfers to these jurisdictions. However, we continuously monitor the status of adequacy decisions and conduct periodic reassessments to ensure ongoing compliance.
Ongoing Compliance and Monitoring
We maintain continuous monitoring of legal and practical developments in destination countries that may affect the level of protection for transferred data. This includes:
All international hosting infrastructure complies with GDPR, HIPAA requirements, and other applicable healthcare data protection standards, with additional safeguards implemented based on TIA findings to ensure that geographic location does not compromise data protection standards.
Transparency and Data Subject Rights
We maintain records of all international transfers and TIA outcomes, which are available to data subjects upon request. We will promptly notify affected individuals if we determine that adequate protection cannot be ensured for their transferred data, providing information about alternative processing arrangements or data subject rights that may be exercised.
11. CHILDREN & MINORS
We recognize that paediatric research and healthcare involve special protections and considerations for participants under 18 years of age. Our practices are designed to provide enhanced protections while facilitating legitimate research and healthcare activities.
Paediatric Participants
We conduct paediatric studies under strict ethical safeguards that exceed standard adult participant protections. We obtain verifiable parental or legal guardian consent through documented processes that ensure understanding and voluntary agreement. Additionally, we seek assent from children where age-appropriate, recognizing their developing autonomy and right to participate in decisions about their care and research participation.
We maintain strict policies against marketing or commercial profiling of paediatric participants, ensuring that their participation in research is not exploited for commercial purposes. Data access rights are extended to parents and legal guardians, enabling them to exercise privacy rights on behalf of minor participants while respecting the child's developing privacy interests.
COPPA Compliance (US)
For children under 13 years of age, we comply fully with the Children's Online Privacy Protection Act (COPPA). We collect no personal data without verifiable parental consent obtained through reliable verification methods. We do not use personal data of children under 13 for advertising or marketing purposes, maintaining strict limitations on data use. We provide clear access and deletion mechanisms for parents, enabling them to review, correct, or delete their child's information as appropriate.
12. BREACH NOTIFICATION
In the event of a data breach involving your personal information, we maintain comprehensive incident response procedures designed to minimize harm and provide timely notification to all affected parties. Our breach response protocols comply with applicable regulatory requirements and industry best practices.
Data Subject Notifications
Data subjects will be notified within 30 days when there is a high risk that the breach could adversely affect their rights and freedoms. Our notifications will be clear, comprehensive, and provide actionable guidance for protecting personal interests.
Regulatory Authority Notifications
European Union/EEA jurisdictions: We will notify the relevant Supervisory Authorities within 72 hours of breach discovery as required by GDPR Article 33, providing detailed information about the nature of the breach, categories of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
United States: We comply with the HHS Breach Notification Rule under HIPAA, notifying the U.S. Department of Health and Human Services within 60 days of breach discovery for breaches involving 500 or more individuals, or annually for smaller breaches. We also comply with state-specific breach notification requirements where applicable.
Other jurisdictions: We will notify relevant data protection authorities and regulatory bodies according to local requirements, including but not limited to notification timelines under LGPD (Brazil), PIPEDA (Canada), and other applicable regional data protection laws.
Research-Specific Notifications
Sponsors and Institutional Review Boards will receive immediate notification of any breaches involving research data, enabling appropriate response measures and regulatory reporting as required by research protocols and institutional policies.
Clinical trial authorities and research ethics committees will be notified according to applicable Good Clinical Practice (GCP) guidelines and local research regulations.
12. BREACH NOTIFICATION
In the event of a data breach involving your personal information, we maintain comprehensive incident response procedures designed to minimize harm and provide timely notification to all affected parties. Our breach response protocols comply with applicable regulatory requirements and industry best practices.
Data Subject Notifications
Data subjects will be notified within 30 days when there is a high risk that the breach could adversely affect their rights and freedoms. Our notifications will be clear, comprehensive, and provide actionable guidance for protecting personal interests.
Regulatory Authority Notifications
European Union/EEA jurisdictions: We will notify the relevant Supervisory Authorities within 72 hours of breach discovery as required by GDPR Article 33, providing detailed information about the nature of the breach, categories of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
United States: We comply with the HHS Breach Notification Rule under HIPAA, notifying the U.S. Department of Health and Human Services within 60 days of breach discovery for breaches involving 500 or more individuals, or annually for smaller breaches. We also comply with state-specific breach notification requirements where applicable.
Other jurisdictions: We will notify relevant data protection authorities and regulatory bodies according to local requirements, including but not limited to notification timelines under LGPD (Brazil), PIPEDA (Canada), and other applicable regional data protection laws.
Research-Specific Notifications
Sponsors and Institutional Review Boards will receive immediate notification of any breaches involving research data, enabling appropriate response measures and regulatory reporting as required by research protocols and institutional policies.
Clinical trial authorities and research ethics committees will be notified according to applicable Good Clinical Practice (GCP) guidelines and local research regulations.
Comprehensive Breach Communications
All breach notifications will:
We maintain detailed incident response documentation to demonstrate compliance with all applicable breach notification requirements and to support regulatory investigations or audits as needed.
13. COOKIES AND TRACKING
Managing Cookie Preferences
You have full control over your cookie preferences and can make choices about which cookies to accept or reject:
Cookie Preference
Access our cookie preference through the "Cookie Settings" link in the website footer or the cookie banner to:
Browser Settings
You can manage cookie preferences through your browser settings by:
Rejecting Cookies
You can reject non-essential cookies by:
Cookie Categories and Your Choices
Essential Cookies: These are necessary for basic platform functionality and cannot be disabled. They enable core features like secure login, form submissions, and maintaining your session.
Non-Essential Cookies: You can freely accept or reject these categories:
Consent Documentation
Consent Logging: We maintain detailed records of your cookie consent choices, including:
Consent Withdrawal: You can withdraw your consent at any time by revisiting our cookie preference center. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Impact of Cookie Choices
Disabling Essential Cookies: May impact platform functionality and your ability to access certain features, including secure login, form submissions, and personalized healthcare services.
Disabling Non-Essential Cookies: Will not affect core platform functionality but may result in:
Your cookie preferences are respected across all our services, and we will not use cookies for purposes you have not consented to.
14. CONTACT US
For privacy-related concerns, questions, or requests, please contact our designated privacy officials, who are trained to handle privacy matters and facilitate the exercise of your rights.
Data Protection Officer (DPO)
Our DPO is responsible for overseeing privacy compliance, investigating privacy concerns, facilitating the exercise of privacy rights, and serving as the primary contact with data protection authorities.
Research Queries
Email: info@homenurse4u.com
For questions specifically related to research participation, study procedures,
or research-related privacy matters, please use our dedicated research inquiry
email.
15. CHANGES TO THIS POLICY
We may revise this privacy policy periodically to reflect regulatory updates, new platform features, changes in data processing practices, or internal security reviews. Our commitment to transparency means that we will provide advance notice of material changes through multiple communication channels.
Notification Methods
We will provide reasonable advance notice to allow users to review changes and make informed decisions about continued platform use.
Material Changes
Material changes that significantly alter your rights or our data processing practices will be highlighted clearly, with explanations of the changes and their implications for platform users.
16. VERSIONING
Effective Date: 20 Sep 2025
Version: V 1.0
This policy replaces all prior versions. Continued use of our services following the effective date constitutes acceptance of the current policy terms. If you do not agree with any provisions of this updated policy, please discontinue use of the platform and contact us to discuss your concerns or facilitate account closure if desired.
By using our platform, you acknowledge that you have read, understood, and agree to this privacy policy in its entirety. Your continued engagement with our services demonstrates your acceptance of these terms and your agreement to the data processing practices described herein. If you have questions about any aspect of this policy or wish to exercise your privacy rights, please contact us using the information provided in the contact section above.