Privacy Policy
Last Updated: February 6, 2026
Introduction
CRAbuddy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our back-office support services for independent Clinical Research Associates (CRAs).
As a HIPAA-compliant service provider, we take data security and privacy seriously. This policy applies to all users of our services.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number, and business details
- Financial Information: Expense receipts, travel bookings, and reimbursement details
- Professional Information: MVR documents, client communications, and work-related correspondence
- Delegate Access Credentials: Email access tokens (zero-password authentication)
1.2 Automatically Collected Information
- Usage Data: Service interaction patterns, feature usage, and session information
- Device Information: IP address, browser type, operating system, and device identifiers
- Cookies and Tracking: Session cookies for authentication and service functionality
2. How We Use Your Information
We use your information to:
- Provide expense management, MVR support, and inbox triage services
- Process expense reports and coordinate reimbursements
- Format and review MVR documents for compliance
- Manage your email inbox and draft routine responses
- Communicate with you about service updates and support
- Improve our services and develop new features
- Ensure HIPAA compliance and maintain security standards
- Comply with legal obligations and prevent fraud
3. HIPAA Compliance
As a Business Associate under HIPAA, we implement appropriate administrative, physical, and technical safeguards to protect Protected Health Information (PHI):
- Encryption: All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Audit Logs: Comprehensive logging of all PHI access and modifications
- Business Associate Agreements: We execute BAAs with all clients handling PHI
- Breach Notification: We follow HIPAA breach notification requirements
- Minimum Necessary: We access only the minimum PHI necessary to perform our services
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information only in the following circumstances:
- Service Providers: Third-party vendors who assist in service delivery (e.g., Concur for expense management)
- Legal Requirements: When required by law, subpoena, or court order
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize us to share information
All third-party service providers are contractually obligated to maintain confidentiality and HIPAA compliance.
5. Data Security
We implement industry-standard security measures to protect your information:
- End-to-end encryption for all data transmission
- Secure cloud infrastructure with SOC 2 Type II compliance
- Regular security audits and penetration testing
- Employee training on data security and HIPAA compliance
- Zero-password "delegate" access using OAuth 2.0 tokens
- Automated backup and disaster recovery procedures
While we strive to protect your information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: Data retained while your account is active
- Financial Records: Retained for 7 years per IRS requirements
- HIPAA Records: Retained for 6 years per HIPAA requirements
- Deleted Accounts: Data deleted within 90 days of account closure, except where legally required
7. Your Privacy Rights
You have the right to:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information (subject to legal retention requirements)
- Portability: Request your data in a portable format
- Opt-Out: Opt out of marketing communications
- Revoke Access: Revoke delegate access permissions at any time
To exercise these rights, contact us at privacy@crabuddy.com.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Maintain your session and authentication state
- Remember your preferences and settings
- Analyze service usage and performance
- Prevent fraud and enhance security
You can control cookies through your browser settings, but disabling cookies may limit service functionality.
9. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect information from children.
10. International Data Transfers
Your information may be transferred to and processed in the United States. By using our services, you consent to this transfer. We implement appropriate safeguards for international data transfers.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or service notification. Your continued use of our services after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
CRAbuddy Privacy Team
Email: privacy@crabuddy.com
Phone: 1-800-CRA-BUDDY
Mailing Address:
CRAbuddy, Inc.
HIPAA Privacy Officer
[Your Business Address]
[City, State ZIP]