Privacy Notice for Clinical Trial Personnel

Effective on: December 03, 2025

Corxel Pharmaceuticals, together with its affiliates (including but not limited to Corxel Pharmaceuticals, Inc. and Corxel Pharmaceuticals Hong Kong Limited) (“Corxel”, “we”, “us”, or “our”) is a clinical-stage biopharmaceutical company dedicated to developing innovative therapies for individuals with cardiometabolic conditions around the world. Corxel is the sponsor of clinical trials (“Clinical Trials”).

This Privacy Notice (“Privacy Notice”) applies to individuals involved in conducting the Clinical Trials sponsored by Corxel, including clinical investigators (principal investigators, co-investigators, and sub-investigators) and other health care practitioners and personnel at our Clinical Trial sites (“Trial Sites”) (individually and together, “you”, “your”, “Trial Personnel”), whose personal data we process in connection with your work related to the execution of the Clinical Trials.  

This Privacy Notice does not apply to trial participants nor personal data that we collect by other means, such as through our public website. This Privacy Notice also does not apply to personal data of other individuals including our employees or contractors. 

1.    Controller
The Corxel legal entity that sponsors the Clinical Trial in which you are involved is the data controller of your personal data. The Clinical Trial sponsor's information is disclosed in the Clinical Trial protocol and in Section 12 of this Privacy Notice. For most of our Clinical Trials, Corxel is the sponsor and data controller. As the data controller, we determine why and how your personal data is processed. Our “processing” includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Corxel is a “joint controller” of your personal data together with the European Medicines Agency, European Commission, and EU Member States for the purpose of processing your personal data, in structured data and documents, in the Clinical Trial Information System (CTIS). The essence of the joint controller arrangement is available here.

2.    Categories of Personal Data
We collect and process the following types of personal data from you in the context of our Clinical Trials:

  • Biographic data, such as your first name and last name, and National Provider Identifier (NPI) number, if applicable
  • Contact data, such as your phone number, physical address, and email address
  • Professional data, such as your place of practice, job title, employer, curriculum vitae, the medical field in which you are active, professional qualifications, and scientific experience
  • Financial data, such as bank account information for reimbursements and payments in connection with the Clinical Trial, and declaration of financial interests in Corxel (if relevant)
  • Technical data, such as data and logs related to your use of Corxel’s systems and applications in the context of the Clinical Trial
  • Location data, such as the location of the Trial Site where you are based
  • Any other personal data which you may provide to us during our interactions

We do not collect special category data or sensitive data about you (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation) unless it is required by applicable law, or you provide your explicit consent.

3.    How We Collect Your Personal Data
We collect your personal data as follows: 

  • You provide it directly to us
  • From the Trial Site conducting the Clinical Trial
  • From our Clinical Research Organization
  • From our service providers in your role as Trial Personnel in the context of assisting in the conduct of the Clinical Trial
  • From public records such as registries, our service providers, and subscription databases.

4.    Purpose of Processing
Throughout our Clinical Trials we process your personal data to give effect to the Clinical Trial. We process your personal data for the following purposes:

  • To identify and recruit you to participate in our Clinical Trial as Trial Personnel.
  • To assess your suitability and eligibility to participate in our Clinical Trials as Trial Personnel, including confirming and assessing your qualifications and relevant experience.
  • To manage our relationship with you during the conduct of the Clinical Trial, including contacting you for planning and organizing the Clinical Trials, such as shipment and return shipments for destruction of trial drug and arrangement for the collection of biological samples.
  • To conduct scientific research and monitor the quality of the research being conducted in our Clinical Trials, including, but not limited to, managing and facilitating the Clinical Trial such as the shipment of biological samples, archiving and storing documents and personal data relevant to the Clinical Trial master file, analysis of data, assessment of clinical outcomes, to do translational research and medical writing applicable to the Clinical Trial.
  • To pay you for the services rendered to Corxel or to reimburse you for expenses incurred related to the Clinical Trial.
  • To conduct training regarding the Trial Drug and our Clinical Trial.
  • To comply with Good Clinical Practice, applicable laws, and regulations regarding our Clinical Trials including, but not limited to, laws regulating safety reporting, retention obligations related to the Clinical Trial master file, disclosure of Clinical Trial data to national competent authorities in the course of an inspection in accordance with relevant national rules, publication of results relevant to the Clinical Trial, various laws and directives regulating pharmacovigilance, laws regulating applications for and to comply with the conditions of marketing approval granted in respect of any medication studied under our Clinical Trials, and regulations regarding your disclosures of financial interests, where applicable.
  • To disclose data to our licensors, partners, and collaborators in the context of the development and commercialization rights to the trial drug in certain regions (if permitted by law).
  • To defend Corxel's rights and enforce Corxel's policies.

We will use your personal data consistent with the purposes stated above. We will inform you if we use your personal data for other purposes. We request information from you that we require. If you do not provide us with the information, we may not be able to appoint you as a Trial Personnel for our Clinical Trials. 

5.    Basis of Processing
Certain data protection laws require us to identify a valid legal reason (called a “legal basis”) before we collect, use, share or otherwise process your personal data. We process your personal data on one or more of the following legal bases:

  • Legitimate Interest: We process your personal data based on our legitimate interests in facilitating the operation of our business and conducting Clinical Trials, making informed investigator-selection decisions, and improving our principal investigator and Trial Personnel recruiting and contracting processes. Where we process your personal data on the basis of our legitimate interests, we do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. You have the right to request a copy of our assessment.
  • Contract: We process personal data because it is necessary for the performance of the contracts between Corxel and Trial Sites, including by enabling us to communicate with you and other Trial Personnel about the performance of the relevant Clinical Trial, and to pay or reimburse you for any services rendered or valid expenses incurred relevant to the Clinical Trial.
  • Compliance with Legal Obligations: We process personal data of Trial Personnel to comply with applicable laws and regulations, such as the EU Clinical Trials Regulation, requiring us and those acting on our behalf to collect and process personal data from individuals who participate in the conduct of a Clinical Trial.
  • Consent: For specific processing purposes, we may ask for your consent to process your personal data.

6.    Data Retention
We will retain your personal data until we fulfill the purposes for which it was collected, or for as long as we are required to keep it to comply with applicable laws, regulations, and Good Clinical Practice. Your personal data will form part of our trial master file for the applicable Clinical Trial. Once your information has been entered into the Clinical Trial records, we cannot remove it without affecting the accuracy of the trial and the test results. Applicable laws regulating our Clinical Trial require us to keep trial records for at least 25 years after the conclusion of the Trial. We retain your data in accordance with our retention policies.

7.    How We Share Your Personal Data 
We share your personal data with our service providers who process personal data on our behalf, and who agree to use the personal data only to assist us in fulfilling the purposes of processing as described in this Privacy Notice, or as required by law. Our service providers include parties providing:

  • Contract/clinical research organization services
  • Patient recruitment and concierge services
  • Quality assurance, safety and pharmacovigilance software and related services
  • Data storage, sharing, and archiving software and related services
  • Data analytics and reporting software and services
  • Laboratories for data analysis
  • Services related to the collection, storage, testing, and transportation of biological material
  • Interactive response technologies
  • Translation services
  • E-consent services
  • Adverse events safety database

We may disclose your personal data to our affiliates and the following third parties:

  • Regulators, competent authorities, ethics committees, to the extent necessary to comply with applicable laws, regulations, and rules.
  • Our service providers, described above, as well as our professional advisors such as lawyers, auditors, insurers, and bankers, where applicable.
  • Our licensors, collaborators, and partners that own the development and commercialization rights to our products in certain regions. We only disclose your data to these third parties upon request and if permitted by applicable law.
  • Governmental or law enforcement officials, or private parties, to the extent required by law, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings. If we must disclose your personal data to these parties, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.
  • If, in the future, we sell or transfer, or consider selling or transferring, our company, business, shares or assets to a third party, we may disclose your personal data to such third party in connection with the sale or transfer. If we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your personal data in connection with the foregoing events.
  • If we are required to upload your information to a publicly available platform as part of a regulatory submission related to our Clinical Trials, your information could be available to other third parties.

8.    International Transfers of Personal Data
We operate in many countries including the United States, Europe, Australia and more. This means we may transfer or provide access to your personal data to affiliates, service providers or collaborators and others in other countries where the data protection laws may not be as strong as in your own country.

We also take appropriate measures to ensure that your personal data is protected and to ensure that you can exercise your rights in accordance with the laws. We require those who receive your personal data to have appropriate protection measures for your personal data.

Whenever we transfer personal data originating from the European Economic Area or the United Kingdom, we use legal mechanisms, such as the EU 2021 Standard Contractual Clauses approved by the European Commission under Article 46.2 of the GDPR, and UK International Data Transfer Agreement, to ensure the protection of your personal data, in accordance with applicable data protection law. In other jurisdictions we may rely on applicable standard contractual clauses, request and rely on your consent to transfer your personal data, or transfer it where required or authorized by applicable laws.

We use a combination of contractual, technical, and organizational safeguards to ensure your personal data is secure even when it is transferred to the third countries listed above. Our safeguards include:

  • Encryption: Your personal data is encrypted in transit and at rest. In transit, we use a secure implementation of the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption.
  • Data Minimization: We only collect and transfer personal data that is necessary to achieve the specific purposes of the Clinical Trial as outlined in the Protocol.
  • Policies and Procedures: We have an internal policy and procedure that guides how we respond to requests from law enforcement and government entities regarding access requests to personal data and our systems.
  • Governance: Our Data Protection Officer is informed of and involved in assessing how we respond to access requests to personal data and our systems. We have appointed specific individuals and teams to handle access requests.

While we have implemented various measures to secure your personal data, there is always a risk that your data could be accessed by third parties including law enforcement and government entities in the third countries above. If we are compelled by a public authority, intelligence agency, or law enforcement agency to disclose any of your transferred personal data, we will, as soon as reasonably practicable, notify the Trial Site who will notify you, if we are allowed by law. If we are legally prohibited from notifying you or the Trial Site, we will use all reasonable and lawful efforts to obtain a waiver from this to allow us to communicate as much information to you or the Trial Site as possible. We will also challenge any unlawful, overly broad, or inappropriate request to access your personal data. If we remain compelled to disclose your transferred personal data to the requesting authorities, we will disclose only the minimum amount of personal data necessary to satisfy the request.

If you have further questions about this or would like to request copies of the applicable safeguards used to transfer your data, please contact us.

9.    Data Integrity and Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect personal data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction. We store your personal data in systems that use reasonable security measures to prevent unauthorized access, and we follow reasonable standards to protect personal data. Unfortunately, the transmission of information via the Internet is not completely secure and although we will do our best to protect your personal data, we cannot guarantee the security of the data during transmission through our systems. 

We have implemented various technical, organizational, and physical security measures to protect your data. Corxel has a dedicated IT governance team and a dedicated CISO who are responsible for managing data security. We ensure that all personnel responsible for processing personal data are bound to confidentiality obligations. We have implemented and enforced our information security policies, including, but not limited to, our Information Security Policy and Personal Data Breach Notification Policy. If required by law, we will inform you of a personal data breach affecting your personal data. We encrypt your data in transit and at rest; for personal data in transit, we use Transport Layer Security (TLS) protocol version 1.2 or higher with 128-bit encryption. We adopt role-based access controls, which means access to your personal data is only permitted on an as-needed basis, and our IT team performs annual access reviews of our key systems and applications. We also have established security policies and standards that clearly identify what activities can and cannot be performed, and what information is stored, retained, accessed, and used across the organization’s computing resources.

If you want to know more about how we secure your personal data, please contact us.

10.    Your Privacy Rights 
Depending on where you are based, you have certain privacy rights in relation to the personal data that we collect. 

  • You have the right to request access to your personal data. This means that you can ask us to confirm whether or not we process your personal data, and, where that is the case, obtain a copy of or access to your personal data and other related information (such as the purposes for which we collected your personal data, and the categories of third parties that we share it with).
  • You can ask us to correct anything that you think is wrong with the personal data that we have about you, and to complete any incomplete personal data.
  • You have the right to ask that we limit/restrict our processing of your personal data. You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate, or the processing activity is unlawful.
  • You have the right to object to our processing of your personal data. We will always strive to fulfill your request. However, we may not be able to fulfill your request if the law restricts us.
  • If we request your consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdraw your consent. It will also not affect processing performed on other lawful grounds. 
  • You also have the right to data portability, which means that you can ask us to provide you with a copy of your personal data or transfer it to another entity. If you exercise this right, we will provide you with a copy of your personal data in a structured, commonly used, and machine-readable format.
  • You have the right to ask us to delete your personal data. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
  • You have the right not to be subject to automatic decision-making, including profiling.
  • You have the right to complain to your local data protection regulator, and in certain jurisdictions, you may initiate and denounce lawsuits and claim for damages incurred from our violations of data protection laws that affect your personal data.
  • You have the right to self-protection of your personal data.

To exercise any of your privacy rights, please contact us by using the information in the “Contact Us” section below. 

Verification and Authorization: We might need some extra information from you to verify your identity if we are unsure that it is in fact you who have made the privacy request. We will let you know if we do. If somebody else makes a privacy request on your behalf, we will need to verify that they have authority to act on your behalf. We will request signed permission (such as a power of attorney) or proof from them. 

Responses to Your Privacy Requests: You are generally entitled to receive a reply from us within 30 days, and in some cases faster than that. In certain exceptional cases, we might extend this to 90 days, but we will inform you of the reason why and the extension period in writing. 

If we cannot satisfy your request, we will explain why in our response. We will not charge a fee for processing or responding to your requests. However, we may charge a fee if your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

11.    Privacy of Children
In the context of this Privacy Notice, we do not collect information of children.

12.    Contact Us
If you have any questions about this Privacy Notice or our processing of your personal data, you can contact us by emailing [email protected]. You may also contact our Data Protection Officer or Data Protection Representatives. 

Data Protection Officer
You may contact our Data Protection Officer, John Li, on matters related to the processing of personal data. Email: [email protected], attention: “Privacy – Clinical Trials”

Data Protection Representatives
We have appointed VeraSafe Czech Republic s.r.o. as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative, or via telephone at +420 228 881 031, or by mail to Rohanské nábřeží 678/23, Prague 8, 18600, Czech Republic, Databox ID: eicpabq. Attention: “Corxel”.
 
VeraSafe United Kingdom Limited has been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative, or via telephone at +44 (20) 4532 2003, or by mail to 37 Albert Embankment, London SE1 7TL, United Kingdom. Attention: “Corxel”.

13.    Changes to this Notice
If we change this Notice, we will publish the revised Privacy Notice on our website. We will also update the effective date.