1. Our Role: Processor vs. Controller
Prism operates in two distinct legal capacities depending on the context of the data being processed:
As a Data Processor (Clinical Trial Execution): When contracted by a Sponsor or Clinical Research Organization (CRO) to convert protocols into video and stream them to site personnel and patients, we act exclusively as a Data Processor. The Sponsor or CRO is the Data Controller, determining the purpose and legal basis for data collection.
As a Data Controller (Business & AI Operations): We act as a Data Controller regarding our own internal business operations, managing B2B account data (e.g., Sponsor/CRO contact info), and if we utilize pseudonymized or aggregated client data for the purpose of training, auditing, and improving our proprietary AI models.
2. Scope and Applicability
This policy describes how we collect, use, and protect personal data. It applies to clinical site personnel (PIs, nurses, coordinators), patients participating in clinical trials, and interactions with our enterprise B2B clients.
3. Information We Collect
From Clinical Personnel: Identifiers (name, email, role, institution) and professional engagement data (video viewership, training completion).
From Patients: Limited, pseudonymized, or aggregated demographic and engagement data strictly tied to study comprehension and participation. We do not attempt to re-identify any patient data.
B2B & Technical Data: Enterprise client contact details, IP addresses, browser types, and secure session cookies necessary to operate the platform.
4. How We Use the Information
- To securely host and stream AI-generated protocol videos.
- To provide our clients (Sponsors and CROs) with analytics on training completion and protocol comprehension.
- To govern, audit, and train our AI models securely (as a Controller).
- To improve platform accessibility, functionality, and security.
5. How We Share Your Information
We do not sell or rent personal information. We only share information with:
- Clients & Partners: The specific Trial Sponsor or contracted CRO overseeing your trial.
- Authorized Sub-processors: Vetted third-party cloud hosting and IT service providers bound by strict data processing agreements.
- Legal Authorities: When mandated to comply with binding legal or regulatory obligations.
6. Data Security and Retention
Data is protected using industry-standard encryption in transit and at rest. We retain Processor data only for as long as necessary to fulfill the services contracted by the Sponsor/CRO. Controller data is retained for as long as necessary for business operations. Upon expiration, data is securely anonymized or permanently deleted.
7. Your Privacy Rights
Subject to local law, you have the right to request access to, rectification of, or erasure of your personal data. You may also restrict processing, object to processing, request data portability, and withdraw consent.
Note on Processor Data: If your request relates to clinical trial data, we will route your request to the appropriate Data Controller (the trial Sponsor or CRO) and assist them in fulfilling it.
8. Regional Privacy Addendums
The following addendums supplement the policy above for users in specific jurisdictions.
A. European Union, UK & Switzerland (GDPR)
Legal Basis for Processing: As a Data Processor, Prism processes personal data solely on the documented instructions of the Data Controller. The Controller’s legal basis typically involves explicit consent (for patients) or legitimate interests / performance of a contract (for clinical site personnel).
International Data Transfers: Your data may be transferred to and processed in the United States. We ensure adequate protection through Adequacy Decisions, approved Standard Contractual Clauses (SCCs), and compliance with the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks (DPF).
Your GDPR Rights: You have the right to access, correct, erase (“Right to be Forgotten”), restrict, object to processing, and request data portability. To exercise these rights regarding trial data, contact your site or Sponsor. For direct platform inquiries, contact our Data Protection Officer at privacy@prism.health.
B. South Korea (PIPA)
Delegation of Data Processing: To provide our services, we delegate specific tasks to external providers under strict oversight, including [Cloud Provider Name] for secure data storage and video hosting.
Data Destruction Procedures: In compliance with PIPA, personal data is destroyed without delay when the purpose of processing is achieved. Electronic data is permanently deleted using technical methods preventing recovery; physical records are shredded.
Domestic Representative: In accordance with PIPA Article 39-11, our designated domestic representative in South Korea is:
- Entity: [Representative Name]
- Address: [Physical Address in South Korea]
- Contact: [Phone / Email]
C. Latin America (e.g., Brazil LGPD)
Legal Bases and Processing: Under frameworks like the LGPD, Prism acts as an Operator (Processor). The Controller determines the legal basis, generally including the execution of a contract, the protection of life, or the fulfillment of regulatory obligations.
Your Rights Under LGPD: In addition to access, correction, and deletion, you have the right to request the anonymization or blocking of unnecessary data, receive information about shared data, understand the consequences of denying consent, and revoke consent at any time.
Cross-Border Transfers: Data transfers outside of Latin America are conducted using legal mechanisms approved by local data protection authorities, ensuring a level of protection equivalent to local laws.
D. Localized Consent & Electronic Forms
Electronic Signature Validation: Where we capture consent directly on behalf of a Sponsor or for platform usage, we utilize electronic signature protocols compliant with 21 CFR Part 11, the eIDAS Regulation (EU), and local electronic transaction laws.
Right to Withdraw Consent: Participation in clinical trial training is voluntary. You may withdraw your consent for data processing at any time without affecting your relationship with your medical provider or the clinical trial.
How to Submit a Withdrawal Request:
- Via Platform: Log into your profile and select “Privacy Settings > Withdraw Consent.”
- Via Controller: Contact the PI or Sponsor representative at your clinical site.
- Via Form: Complete our localized Right-to-Withdraw Form and submit it to privacy@prism.health. We will forward your request to the Data Controller within 72 hours.
For any questions about this policy or to exercise your privacy rights, please email privacy@prism.health.
