Frontage Laboratories, Inc. is a leading global Contract Research Organization in the United States.
This privacy policy applies to the Company and its affiliates and subsidiaries in the United States (hereinafter collectively referred to as the “Company,” “we,” “us” or “our”).
The Company has certified its compliance with the EU-U.S. Data Privacy Framework (DPF) Principles, UK Extension of the EU-U.S. Data Privacy Framework Principle, and the Swiss-U.S. Data Privacy Framework Principles. The Company is committed to subjecting, and does subject, all Personal Data received from the European Economic Area (EEA),UK or Switzerland, in reliance on the Data Privacy Framework, to the Framework’s applicable Principles. To learn more about the Data Privacy Framework, visit the U.S. Department of Commerce’s Data Privacy Framework List: https://www.dataprivacyframework.gov/list.
US residents using our website or services may have further protections under State specific Privacy regulations.
The Company is a global company with affiliates, varied business processes, management structures, and technical systems that cross borders. Information collected by the Company or on our behalf may be stored on our servers and may be transferred to, accessed from, or stored and processed in, the United States and other countries or regions including but not limited to the EU and China, and any other country where the Company or its service providers maintain facilities. This policy will be adhered to at all times regardless of your jurisdiction and we will endeavor to protect your privacy rights at all times regardless of the location of our processing.
This privacy policy outlines our general policy and practices for implementing the principles, including the types of information we gather, how we use it, notify, and confirm with affected individuals regarding our use of information, and their ability to correct that information. This privacy policy applies to all personal information received by the Company whether in electronic, paper or verbal format.
The details of the Company’s privacy policy are below. This policy applies to all aspects of the Company’s operations. If you have questions about our privacy policy, please email privacy@frontagelab.com.
PP.1.1. Overview of the Company’s Services
The Company is a leading contract research organization specializing in collaborations with pharmaceutical & biotech companies to help them bring drug candidates to market. All service offerings are supported by computerized systems which, dependent on their applicability are compliant with the International Conference on Harmonization (ICH), Good Clinical Practices (GCP) E6(R2), and 21 CFR Part 11 Electronic Records and Signatures and are, by design, not intended to process unblinded personal information.
PP.1.2. Alignment with Privacy Regulations and Statutory requirements
The Company is committed to ensuring the privacy of our website visitors, our customers, and the patients whose data we process. In order to transparently do so, our alignment with major domestic and international privacy is described below. Broadly and regardless of jurisdiction or country of residency, privacy inquiries specific to our use or processing of your data are welcomed via privacy@frontagelab.com. We will require verification of identity before processing a query or complaint.
PP.1.3. EU-U.S., UK Extension to the EU-U.S. & Swiss-U.S. Data Privacy Framework
The Company’s Privacy Policy describes the types of Personal Data the Company may process, the types of third parties to which it discloses Personal Data and the purposes for which it does so. Residents of the EEA, UK or Switzerland have the right to access the Personal Data that the Company maintains and, in some cases, may have the right to correct or amend information that is inaccurate or has been processed in violation of the Data Privacy Framework Principles, to the extent allowed by law. To exercise this right, contact us at privacy@frontagelab.com.
The Company complies with the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, United Kingdom and Switzerland to the United States, respectively. The Company has certified to the Department of Commerce that it adheres to the Date Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The Company is responsible for the processing of Personal Data it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. The Company complies with the Data Privacy Framework Principles for all onward transfers of Personal Data from the EEA, UK or Switzerland, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Data Privacy Framework, the Company is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Company may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Residents of the EEA, UK or Switzerland with inquiries or complaints regarding this Privacy Policy should first contact the Company Data Protection Officer via the contact information listed in the Website Privacy Policy below. If your privacy concern is not resolved satisfactorily, please contact the Data Protection Authority in your country of origin. Under certain conditions, more fully described on the Data Privacy Framework Program website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
PP.1.4. Legal Basis of Processing Data
We may process Personal Data under the following conditions:
• Consent: You have given your consent for processing Personal Data for one or more specific purposes.
• Participation in a Clinical Study: You have given consent to be an active participant in a clinical study which may be listed on https://clinicaltrials.gov/
• Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
• Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
• Vital interests: Processing Personal Data is necessary to protect your vital interests or of another natural person.
• Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
• Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
Under all conditions and at the request of an impacted data subject the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
PP.1.5. Data Collection & Use
You may exercise your rights of access, rectification, cancellation, and opposition by contacting privacy@frontagelab.com. Please note that we may ask you to verify your identity before responding to such requests, and further by making your request you are consenting for the personally identifiable information that you have provided to be used in the course of our internal response to your query or complaint.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, if you are in the EEA, UK or Switzerland, please contact your local Data Protection Authority in the EEA, UK or Switzerland.
PP.1.6. Sensitive Personal Data
Sensitive Personal Data includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning a person’s sex life or sexual orientation.
The Company does not intentionally collect or process sensitive Personal Data unless one or more of the following conditions apply:
• Explicit Consent: The data subject has given explicit consent for one or more specified purposes, such as participation in a clinical trial or research activity.
• Legal Obligations: The processing is necessary for compliance with legal obligations or public interest in the area of public health (e.g., under GDPR Article 9(2)(i)).
• Vital Interests: Processing is necessary to protect the vital interests of the data subject or another individual, where the data subject is physically or legally incapable of giving consent.
• Medical or Scientific Research: The processing is necessary for scientific research or statistical purposes in accordance with GDPR Article 9(2)(j), with appropriate safeguards in place.
• Employment or Social Security: Processing is required under employment or social protection law.
• Other Exceptions: Any other lawful basis permitted under applicable regulations, such as GDPR Article 9 or U.S. state-specific legislation.
All processing of sensitive Personal Data is subject to heightened security measures, access controls, and data minimization practices. Such data is only accessed by authorized personnel and only for the purpose for which it was collected. Sensitive data will never be sold, shared, or used for marketing purposes.
If you believe your sensitive data has been collected or processed improperly, please contact our Data Protection Officer at privacy@frontagelab.com.
PP.1.7. Choice
When possible, the Company will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, the Company will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. The Company shall treat as Sensitive Personal Information any information received from an individual where the individual would treat and identify it as Sensitive Personal Information.
PP.1.8. Data Sharing: Personally, Identifiable Information
The Company will not rent or sell your personally identifiable information to others. We may store personal information in locations outside the direct control of the Company (for instance, on servers or databases co-located with hosting providers). Any personally identifiable information you elect to make publicly available on our website or social media channels such as posting comments on our twitter feed, will be available to others. If you remove information that you have made public on our website or social media channels, copies may remain viewable in cached and archived pages of our website, or if other users have copied or saved that information. Our twitter feed, LinkedIn page and YouTube channel are managed by third-party applications that may require you to register to post a comment. You will need to contact or login into the third-party application if you want the personal information that was posted to the site in question removed. To learn how the third-party application uses your information, please review their privacy policy.
PP.1.9. Data Sharing: Non-Personally Identifiable Information
We may share non-personally identifiable information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with interested third parties to help them understand the usage patterns for certain the Company services and those of our partners. Such data consists solely of non-personally identifiable information. If you choose to publish any personally identifiable information during an interaction with a Company service or member of personnel you understand and agree that this information, along with any personally identifiable information you choose to make available in connection with such results, may be made publicly available. If you remove information that you have made public on the website, copies may remain viewable in cached and archived pages of the website, or if other users have copied or saved that information, this is inclusive of social media postings. Non-personally identifiable information may be stored indefinitely.
PP.1.10. Legal Requirements
We may disclose such data in response to subpoenas, court orders, or other legal processes, or to establish or exercise our legal rights and obligations or defend against legal claims.
PP.1.11. Children
Our services and this website are not intended for children under the age of 13 (or 16 where applicable). We do not knowingly collect Personal Data from children. If you are concerned that such information has been collected inadvertently or otherwise, please contact privacy@frontagelab.com.
PP.1.12. Personal Data Protection Rights
Citizens of the EEA, UK or Switzerland have full rights to access, update, object to, restrict, or request deletion of Personal Data or make use of data portability. If you wish to do so, contact us at privacy@frontagelab.com stating that request. We will respond within 96 hours of your request.
PP.1.13. EEA/Swiss Citizens Rights under the GDPR
The Company undertakes to respect the confidentiality of your Personal Data and to guarantee you can exercise your rights.
You have the right under this Privacy Policy, and by law if you are within the EEA, UK or Switzerland, to:
• Request access to your Personal Data: The right to access, update or delete the information that we hold about you. Whenever made possible, you can access, update or request deletion of your Personal Data by making a request via privacy@frontagelab.com.
• Request correction of the Personal Data that we hold about you: You have the right to have any incomplete or inaccurate information we hold about you corrected.
• Object to processing of your Personal Data: This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation which makes you want to object to our processing of your Personal Data on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes (not a Company business practice).
• Request erasure of your Personal Data: You have the right to ask us to delete or remove Personal Data when at the conclusion of our data processing activities.
• Request the transfer of your Personal Data: We will provide to you, or to a third-party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for and does not apply to deidentified or blinded clinical study data that we have processed.
• Allow the Company, by your own consent, to process your data in conjunction with our contracted business practices.
• Withdraw your consent: you have the right to withdraw your consent on using your Personal Data. If you withdraw your consent, the Company will be unable to perform the contracted services we are engaged in, on your behalf.
PP.1.14. Voluntarily Submitted Information on our Websites
This privacy policy applies to our corporate websites and explains how the Company collects, uses, and share information on the website that links to this policy (collectively “Website”). By using the Website, you agree to the terms of this Privacy Policy.
PP.1.15. Information Collection & Use
When you use the Website, you may encounter areas that allow you to voluntarily enter personal data, which includes your name, email address, telephone number and mailing address.
You may provide this information to us when you sign up for our newsletter, request information about products, apply for a job, fill out surveys, or otherwise provide Personal Data to us.
PP.1.16. Website Usage Information
When you browse our Website, we may collect various types of usage information, including, but not limited to, IP address, web pages visited, links clicked, your operating system and browser type and your mobile device identifier. Such information is used for the purposes of operating and improving our Website, analyzing demographic and statistical research about website usage, customizing offers and monitoring the Website for compliance with our terms of service and the law, as well as other purposes.
This usage information may be collected through various technologies, including but not limited to “cookies.”
Through interaction with our public website, we may collect various types of information, including personal data, from mobile devices using cookies, scripts, web beacons, software development kits (“SDK”), or other similar techniques. These technologies are used to collect digital actions of users that visit and use mobile websites and apps or interact with our website.
The data we collect can include a device identifier, browser and operating system type and version, device type and other data from or about a mobile device including precise location data, as well as information about users’ web viewing, app use, and demographic data collected by other parties such as gender or year of birth. This data may be collected over time across different apps, websites, browsers or devices.
We limit the use of data voluntarily shared via our website for purposes including analytics; research; reporting; attribution; Service enhancements and other business operations; predicting possible relationships among different browsers and devices; differentiating and/or associating multiple device users as well as associating devices or users with locations such as a household or workplace.
Entry of direct personal information into our website (your name, telephone number) requires your affirmative consent.
We will not sell, rent, license, trade or disclose your Personal Data collected through our Website to an unaffiliated third party.
PP.1.17. Security
We follow generally accepted security standards to help protect the Personal Data submitted to us, both during transmission and once it is received. Data security is managed by our Information Security Management System.
PP.1.18. Automated Decision-Making and Profiling
The Company does not use Personal Data to make decisions based solely on automated processing, including profiling, which produce legal effects concerning the individual or similarly significantly affect the individual.
If such practices are introduced in the future (e.g., in connection with recruiting or clinical trial eligibility screening), individuals will be informed with clear documentation of the logic involved, the significance, and the possible consequences of such processing. Affected individuals will also be given the opportunity to contest the decision and request human intervention.
PP.1.19. The Company as the Data Controller or Processor
When the Company acts as the data controller we are committed to the enforcement of all aspects of this policy. We have developed internal mechanisms for the receipt of complaints, for the communication of data breaches and for joint data processing engagements.
We are committed to adhering to the codes of conduct for patient privacy and study integrity as outlined by the International Conference on Harmonization for Good Clinical Practices E6(R2). Technical and organizational measures which are designed to implement data-protection principles, such as pseudonymization and data minimization, will be applied as necessary and required by the study protocol and with the express consent of the study participants (data subjects).
Where processing is to be carried out by the Company on behalf of a controller, we are committed to agreeing a mutually executed Data Processing Agreement. The Company shall not engage another processor without prior specific or general written authorization of the controller.
In the case of general written authorization (as codified by our Data Processing Agreement), the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
All Company associates are trained in both this policy and additional internal privacy practices that have been created in support of this policy.
PP.1.20. Data Retention
The Company retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, contractual, or reporting requirements. The specific retention period for each category of Personal Data is determined based on the nature of the data, the sensitivity, and applicable legal requirements. After this period, data is securely deleted or anonymized unless continued retention is required by law.
PP.1.21. In the event of a Data Breach
We have developed an internal process for the identification and processing of data breaches. In the event of a Personal Data breach, where feasible and not later than 72 hours after having become aware of it, the Company will notify the Personal Data breach to the supervisory authority competent in accordance with either Article 55 for EU and Swiss subjects (unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of the affected person(s)) or the national or state competent authority relevant to the residence of the Data Subject.
Further, as mitigation against data breaches and as an integrated part of our Information Security Management System, we have integrated Data Protection Impact Assessments (DPIA) into our Security Risk Register.
We are additionally committed to the enforcement of The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 for US Data Subjects and the CCPA.
If you are concerned that you have been impacted by a breach as a direct result of the Company processing your data, contact our Data Protection Officer: privacy@frontagelab.com.
PP.1.22. For residents of US States that have enacted Privacy Regulations one or more of the following rights may apply:
• Right to access — The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or some combination of similar information.
• Right to correct — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
• Right to delete — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
• Right to opt out of certain processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.
• Right to portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
• Right to opt-out of sales — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
• Right to opt in for sensitive data processing — The right for a consumer to opt in before a business can process their sensitive data.
• Right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
• Private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
PP.1.23. Exercising Your Data Protection Rights
In order to exercise any of your rights under your individual state’s regulation, as a resident of the respective state, you can send a request to us at privacy@frontagelab.com. The Company will disclose and deliver the required information free of charge within 45 calendar days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 calendar days when reasonably necessary and with prior notice.
PP.1.24. State Privacy Regulation: Do Not Sell My Personal Information
We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology that “sells” personal information as defined by the relevant state law. If you wish to opt out of the use of your personal information for interest- based advertising purposes and these potential sales as defined under your state of residence’ law, you may do so by following the instructions below.
Please note that any opt out is specific to the browser You use. You may need to opt out of every browser that you use.
You can opt out of receiving ads that are personalized as served by our service providers by following our instructions as prompted.
The opt out will place a cookie on your computer that is unique to the browser you use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.
Cookie Preferences is located at the bottom of the Frontage webpage.
PP.1.25. Links to Other Websites
Our website may contain links to other websites that are not operated by the Company. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
PP.1.26. Changes to this Privacy Policy
The Company reserves the right to update or modify this Privacy Policy at any time without prior notice.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
PP.1.27. Contact Us
If you have questions or queries regarding our privacy policy or practices, please contact us, at:
Frontage Laboratories, Inc.
700 Pennsylvania Drive, Exton, PA 19341 (HQ)
privacy@frontagelab.com
As a Data Privacy Framework registered organization, we will respond to your request within 45 calendar days. In certain circumstances, we may need additional time to respond to your request. If we do, we will inform you of the extension before the end of the initial 45-calendar-day period. In any case, you will receive a response no later than 90 calendar days from the date we receive your request.
Last updated as of 02 June 2025.