Privacy Notice
Effective: 09/26/2020 Revised: 06/03/2025
Your privacy is important to the Regenstrief Institute, Inc. (“RI”, “Regenstrief”) so we have developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information.
Regenstrief is a healthcare research organization with many research initiatives, products, and services.
Please take a moment to familiarize yourself with our privacy practices and contact us if you have any questions.
Scope of Policy
This Privacy Notice applies to all official Regenstrief websites, applications, and digital services that are owned and operated by Regenstrief. It explains our data collection, usage, sharing, and protection practices.
Other research projects, affiliated organizations, or external entities may maintain their own privacy policies. We encourage you to review the privacy policies of any linked websites or services before providing personal information. Regenstrief is not responsible for the privacy practices of external websites or third parties that are not under our direct control.
Collection and Use of Personally Identifiable Information
Personally Identifiable Information (“PII”) is data that can be used to identify a single person.
You may be asked to provide your PII anytime you contact Regenstrief. Regenstrief and its partners may share this PII with each other and use it consistent with this Privacy Policy. They may also combine it with other information to improve our research or services. You are not required to provide personal information that we have requested, but, if you choose not to do so, in many cases we will not be able to respond to any questions you may have.
Legal Basis for Processing Your Data
Regenstrief processes personal information based on the following lawful bases:
- Consent: Where legally required, we obtain your explicit consent before processing personal data (e.g., research participation, marketing emails).
- Contractual Necessity: When processing is required for fulfilling a contract (e.g., employment records, research agreements).
- Legal Obligation: When required by law (e.g., regulatory reporting, compliance with court orders).
- Legitimate Interests: When necessary for research, security, or administrative purposes, provided such processing does not override your rights.
Here are some examples of the types of PII that Regenstrief may collect and how we may use it:
Categories of Personal Data We Collect
Regenstrief collects information to operate effectively and provide high-quality research and services. The types of data we collect depend on how you interact with us:
- Website Visitors: IP address, device identifiers, browser type, and browsing activity through cookies.
- Research Participants: Name, contact information, health data, demographic information, and other relevant research data (subject to IRB approval and consent).
- Job Applicants: Name, resume details, employment history, and references.
- General Inquiries: Contact details and any information voluntarily provided via email, phone, or online forms.
Other: We may ask for a government issued ID in limited circumstances, including when you may receive a gift card for participating in a research study.
How We Use Your Personally Identifiable Information
We may process your PII: for the purposes described in this Privacy Policy, with your consent, for compliance with a Regenstrief legal obligation; for the performance of a contract to which you are a party; to protect your vital interests; or when we have assessed it is necessary for the legitimate interests pursued by Regenstrief or to a third party to whom it may be required to disclose information. If you have questions about the lawful basis that we process your PII, you can contact the Privacy & Data Protection Officer.
- The PII we collect allows us to keep you posted on Regenstrief-related announcements, articles, and upcoming events. You can change your preferences for our email list anytime here.
- We may also use PII to help us create, develop, operate, deliver and improve our research, products, services, content and advertising, and for anti-fraud purposes. We may also use your PII for account and network security purposes, to protect our services and research from harm, and for pre-screening or scanning uploaded content for potentially illegal or other harmful content. We limit our uses of data for anti-fraud purposes to those which are strictly necessary and within our assessed legitimate interests to protect our research and services.
- We may use your PII, including , to verify your identity, assist with identification of users, and to determine appropriate services. For example, we may use date of birth to determine the age of a participant
- From time to time, we may use your PII to send important notices, such as communications about research or changes in our policies.
- We may also use PII for internal purposes such as auditing, data analysis and process improvement to enhance our research and services.
- If you apply for a position at Regenstrief or we receive your information in connection with a potential role at Regenstrief, we may use your PII to evaluate your candidacy and to contact you. If you are a candidate, you will receive separate information about how Regenstrief handles candidate PII at the time of application.
Source of Your Personally Identifiable Information Not Collected from You
We may have received your PII from other entities if those entities have entered into data sharing agreements with Regenstrief. We may also validate the information provided by you with a third party for security and fraud prevention purposes.
If you are a potential candidate for employment with Regenstrief, we may have received your PII from third parties such as recruiters or external websites. We will use the PII we receive to contact you about a potential opportunity or in evaluating your candidacy. If you did not provide us your PII directly, we will inform you of the source when we first contact you regarding your candidacy.
For research purposes, we may use data that could be associated with an identifiable person. The majority of the data we receive is already identifiable. When acquiring such data for research, we do so in accordance with applicable laws in the jurisdiction where the data is hosted. If we receive de-identified data, whose data may be within unless we have received explicit approval to do so. In all cases, we adhere to legal and ethical standards for the use of such data in research.
Collection and Use of Non-Personal Information
Non-personal Information (“de-identified”) is data that cannot be used to identify a single person.
We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose de-identified information in accordance with applicable laws and institutional policies. The following are some examples of de-identified information that we collect and how we may use it:
- We may collect information such as occupation, language, zip code, area code, , referrer URL, location, and time zone where you have accessed our services so that we can better understand our outreach and improve our research, products, and services.
- We may collect information regarding users and research participants from other research teams, websites, and services. This information is aggregated and used to help us understand which parts of our website, products, and services are utilized. Aggregated data is de-identified data.
If we link PII with de-identified data, the linked data will be treated as PII for as long as the link remains.
Cookies and Other Technologies
Regenstrief’s websites, online services, applications, email messages, and social media posts may use “cookies” and other technologies such as pixel tags and web beacons.
Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. We use cookies and similar technologies for storing and honoring your preferences and settings, enabling you to sign in, combating fraud, analyzing how our products and services perform, and fulfilling other legitimate purposes.
You have a variety of tools to control the data collected by cookies, web beacons, and similar technologies. For example, you can use controls in your Internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.
As true with most Internet services, we gather some information automatically and store it in log files. This information includes Internet Protocol addresses, browser type and language, Internet service provider, referring and exit websites and applications, operating system, date/time stamp, and clickstream data. We use this data to understand trends, administer web sites, learn about user behavior on a site, improve research, product and services, and to gather demographic information about the user base as a whole. Regenstrief may use this information in our marketing and communication services.
In some of our communications, we use a “click-through URL” linked to content on a website or social media post. When you click on one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our communication efforts. If you prefer not to be tracked this way, you should not click on text or graphic links in the email messages or social media posts. Pixel tags enable us to send email messages in a format that viewers can read, and they tell us whether the email has been opened. We may use this information to reduce or eliminate messages sent to recipients.
Disclosure to Third Parties
At times, Regenstrief may provide third parties with certain PII to improve our research, products, and services, or to help our communication efforts. When we do, we require those third parties to handle PII in accordance with relevant laws. Regenstrief does not sell PII to third parties. However, we may share your data with:
- Service Providers: Third-party vendors who assist us with research, website analytics, cloud storage, and communications. These vendors are contractually required to protect your information.
- Research Collaborators: With appropriate consent, we may share de-identified data with research institutions and healthcare organizations for approved studies.
- Legal Authorities: When required by law, subpoena, or in response to lawful requests by public authorities.
- Affiliated Institutions: If you are a student, employee, or research participant associated with a university or healthcare system, your information may be shared in compliance with institutional agreements and applicable laws.
Service Providers
Regenstrief shares PII with companies who provides services to us such as information processing and storage, managing data, conducting market research or surveys, and assessing your interest in our research, products, and services.
Others
It may be necessary (by law, legal process, litigation, requests from governmental agencies) for Regenstrief to disclose your PII. We may also disclose your PII if we determine that disclosure is necessary or appropriate for law enforcement or other issues of public importance. We may also disclose your PII, but only if there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions, or to protect our systems and research. This could include providing PII to public or governmental authorities.
Protection of Personally Identifiable Information
Regenstrief takes the security of your PII very seriously. Our websites and online services protect your PII during transit using encryption such as Transport Layer Security (“TLS”). When we store your PII, we use encrypted storage solutions with limited access using appropriate administrative, technological, and physical safeguards.
When you use some Regenstrief services or post on Regenstrief social media accounts, the PII and content you share may be visible to others and can be read, collected, or used by other users. You are responsible for the PII you choose to share or submit in these instances. For example, if you list your name and email address in a social media post, that information is public.
Automated Decision-Making and Profiling
Regenstrief does not make any decisions involving the use of algorithms that significantly affect you.
Integrity and Retention of PII
Regenstrief allows you to keep your PII accurate, complete, and up to date. We will retain your PII for the period necessary to fulfill the purposes outlined in this Privacy Policy and our research-specific retention terms. Regenstrief may retain research data, including data involving PHI, for at least 10 years following the completion of a study, or longer if required by applicable law, policies or funding agreements. Employment & HR Data may be retained for up to and following seven (7) years following employment termination, per labor laws and other federal guidance.
Upon expiration of the retention period, data will be securely deleted or anonymized. Individuals may request data deletion by contacting us unless legal or research obligations require continued retention.
When assessing these retention periods, we carefully examine our need to collect PII at all, and if we establish a relevant need, we only retain it for the shortest possible period to realize the purpose of the collection unless a long retention period is required by law.
Your Privacy Rights
Regenstrief will provide you with a copy of your PII for any purpose including to request that we correct the data if it is inaccurate or delete the data unless Regenstrief is not required to retain, provide access or copies, or delete it by law or for legitimate research or business purposes.
We may decline to approve requests that are frivolous, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by law. We may also decline deletion or access requests if we believe doing so would undermine our legitimate use of data for anti-fraud and security purposes described earlier. Contact Regenstrief to request access, corrections, or deletions of your PII.
California
The California Consumer Privacy Act (“CCPA”) provides California consumers with the right to obtain from certain businesses information about the PII they collect, use, and disclose. If you choose to exercise your privacy rights, you have the right to not receive discriminatory treatment or a lesser degree of service from the business. Regenstrief is not a business organized or operated for the profit or financial benefit of its shareholders or other owners.
Nevada
A consumer has the right to opt-out of the sale of their PII. Regenstrief does not sell PII, and we do not sell goods or services to consumers for personal, family, or household purposes from Internet websites or online services.
Children Online Privacy Protection Act (“COPPA”)
Regenstrief takes extra precautions to protect the privacy and safety of children who may access our websites, services, and be included in research. Children under the age of 13, or equivalent minimum age in the relevant jurisdiction, are not allowed to create unique accounts for our websites and services. If we discover that we have collected the information of a child under the age of 13, or the equivalent minimum age in the relevant jurisdiction, we will take steps to delete the information as soon as possible. If at any time a parent needs to access, correct, or delete data associated with their child under the age of 13, or the equivalent minimum age in the relevant jurisdiction, they may contact us to delete their child’s information.
Location-Based Services
Regenstrief does not provide location-based services to collect, use, or share precise location data such as the real-time geographic location of your computer or device without your explicit consent for research.
On occasion, third parties may share their location data with us for research purposes. Location data may be de-identified or limited in detail, depending on the data source and applicable privacy protections. The identifiability of this data depends on the data source and applicable legal requirements.
Third-Party Sites and Services
Regenstrief website, social media posts, and other communications may contain links to third-party websites, products, and services.
Information collected by third parties, which may include features such as location data or contact details, is governed by their privacy policies. We encourage you to learn about the privacy practices of those third parties.
International Transfers
Regenstrief does not transfer or store the information to locations outside of the United States, and we do not have any legal entities or control agents outside of the United States that collect, process, store or share PII. When you share your information, which originates from outside the United States to us, that information will be subject to jurisdiction of the United States.
When data is transferred internationally, we ensure adequate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) for data transfers to the European Economic Area (EEA).
- Data encryption and access controls to protect transferred information.
Our Commitment to Your Privacy
Regenstrief strives to ensure your PII is secure and endeavors to be a good steward of your information. We stress the importance of the privacy and security of our data in two ways.
- We require our employees, collaborators, and subcontractors to complete (initial and annually thereafter) privacy and security training.
Regenstrief requires data sharing agreements when another party is authorized to collect, store, transfer, access, or use our information that may contain PII.
Privacy Questions
If you have any questions or concerns about Regenstrief’s Privacy Policy, you would like to contact our Privacy/Data Protection Officer, or if you would like to make a complaint about a possible breach of local privacy laws, please contact us by phone, email, or by filling out the form below.
When we receive a privacy question or a question about PII, we attempt to respond as quickly as possible within our limited resources, but some substantive questions may require up to seven (7) days for us to respond to you. You may contact the relevant jurisdictional regulator about your complaint at any time or if you are unsatisfied with our reply.
When your complaint indicates we can make an improvement in our handling of privacy issues, we will take steps to make such improvement at our next reasonable opportunity.
Regenstrief may update this Privacy Policy from time to time. When significant changes occur, we will notify users through:
- A banner notification on our website.
- Revision of the policy’s effective date at the top of this page.
Contact Us About Privacy and Compliance
"*" indicates required fields