PRIVACY POLICY AND DATA PROTECTION STATEMENT

1. Introduction, Governance, and Unwavering Commitment to Data Integrity

Keymay LifeSciences Pvt Ltd (hereinafter referred to as "Keymay," "the Company," "we," "us," or "our") hereby articulates its unwavering, absolute, and comprehensive commitment to the preservation, confidentiality, and integrity of the data assets entrusted to its care by clients, partners, and employees. This Privacy Policy (the "Policy") serves not merely as a legal notice but as the definitive and exhaustive document delineating the specific methodologies, operational protocols, and binding legal frameworks under which the Company collects, processes, utilizes, safeguards, and discloses Personal Information throughout the entire lifecycle of its Clinical Research Organization (CRO) services, its digital presence via the website (www.mironregistry.com), and its proprietary Keymay Electronic Data Capture (EDC) and Artificial Intelligence Platform (the "Platform"). This document has been meticulously constructed to ensure rigid alignment and complete compliance with a multiplicity of applicable domestic and international privacy statutes, including but not limited to the Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments (HIPAA), the California Consumer Privacy Act of 2018 (CCPA) as amended by the CPRA, and the rigorous data integrity requirements mandated by the United States Food and Drug Administration (FDA) under 21 CFR Part 11, alongside other relevant global regulatory frameworks applicable to our operational footprint, ensuring that our governance model meets the highest threshold of global scrutiny.

2. Comprehensive Scope of Applicability and Data Subject Coverage

The ambit and purview of this Policy extend comprehensively to cover all forms of Personal Information and Protected Health Information (PHI) that are assimilated, processed, or generated by the Company during the execution of its professional mandates, leaving no interaction unregulated. This applicability covers a broad spectrum of interactions, including but not limited to the provision of sophisticated clinical data management and CRO services to our Clients (inclusive of Sponsors and research Institutions), the engagement and correspondence with prospective Clients, the recruitment and employment verification of staff and candidates, and the thorough vetting of clinical investigators and site personnel. Furthermore, the scope explicitly encompasses all data ingress and processing activities occurring within the operational environment of our EDC and AI-enabled software solutions, ensuring that every byte of data—from the moment of initial collection or entry into our systems to the final point of archival or destruction—is strictly governed by the stipulations herein, thereby ensuring that no data element falls outside the protection of this governance framework.

3. Granular Data Collection, Categorization, and Minimization Protocols

In its capacity as a full-service Clinical Research Organization and technology provider, the Company engages in the systematic processing of distinct and granular categories of data required to facilitate complex clinical trials and business operations, adhering strictly to principles of data minimization. Regarding Clinical Trial Data, the Company primarily and strictly processes health data that has been De-Identified, Pseudonymized, or Key-Coded in strict accordance with the Safe Harbor or Expert Determination methods defined under the HIPAA Privacy Rule and Good Clinical Practice (GCP) guidelines; while the EDC platform possesses the capability to process Demographic Data—specifically variables such as age, gender, and ethnicity—such processing is restricted exclusively to the purposes of clinical study analysis and stratification. It is the explicit policy of the Company to avoid the possession of Direct Identifiers of trial subjects unless there exists an unavoidable regulatory mandate for specific pharmacovigilance, adverse event tracking, or safety reporting. Concurrently, regarding Professional and Operational Data, the Company collects comprehensive records on Employees and Candidates (including names, contact details, SSN/Tax IDs, and background verification data), as well as Clinical Site Staff and Investigators, for whom we retain CVs, medical licenses, and financial disclosures (specifically FDA Form 1572) to ascertain regulatory suitability. Technical data collection from Website and Platform Visitors involves the automated logging of Internet Protocol (IP) addresses, browser user agents, and device metadata to ensure security integrity; however, it is explicitly noted and guaranteed that the solution architecture is neither designed for nor capable of the processing, storage, or transmission of credit card or financial payment information, ensuring zero financial risk for users on that front.

4. Artificial Intelligence Protocols, Ethics, and "No-Training" Guarantee

The Keymay Platform integrates advanced Artificial Intelligence (AI) and Machine Learning (ML) capabilities to augment data analysis, yet these technologies are deployed under a strict framework of Responsible AI and data sovereignty to preemptively address privacy concerns. The Company enforces a rigorous "No Retention for Training" policy, whereby Institutional data utilized for AI inference is treated as transient; data is processed solely for the immediate generation of outputs and is strictly prohibited from being assimilated into the permanent weights, parameters, or memory of shared foundation models without the explicit, written consent of the Client. Furthermore, to mitigate the risks associated with algorithmic determinism, the Company adheres to a "Human-in-the-Loop" philosophy, mandating that any significant decision affecting user privileges or clinical outcomes must undergo human review rather than relying on fully automated logic. From an architectural standpoint, despite the utilization of enterprise-grade, licensed AI services, customer data is logically and physically isolated to prevent cross-tenant leakage or vector contamination. Institutions retain the prerogative to Opt-Out of specific AI functionalities either globally or on a per-user basis. Additionally, an AI Ethics framework is operationalized through mandatory privacy reviews and ethics assessments for every new model deployment to preemptively identify and mitigate latent biases.

5. Compliance with HIPAA and Management of Protected Health Information (PHI)

In scenarios where Keymay operates in the capacity of a Business Associate to Covered Entities such as hospitals, clinics, or healthcare providers, the Company executes its duties in full and unyielding compliance with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. This compliance is substantiated through the implementation of a triad of safeguards—Administrative (policies and training), Physical (data center security), and Technical (encryption and access controls)—specifically architected to ensure the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI). The Company is prepared to execute comprehensive Business Associate Agreements (BAA) with its clients to formally codify these obligations and liability structures. It is explicitly stated that the Company is strictly prohibited from, and hereby disclaims any engagement in, the sale of PHI or the utilization of PHI for marketing, advertising, or any commercial purpose extraneous to the contracted services, ensuring that health data remains utilized solely for clinical and research purposes.

6. Technical Security Architecture, Encryption, and Future Roadmap

The Company employs a "Privacy by Design" and "Security by Default" philosophy that is intrinsic to its Software Development Life Cycle (SDLC), ensuring that security is not an afterthought but a foundational element of our code and infrastructure. The technical measures deployed are of enterprise-grade caliber, utilizing AES-256 encryption (the industry gold standard) for all data at rest within our storage volumes and TLS 1.3 protocols for all data in transit across public and private networks, rendering intercepted data unreadable. Access to these systems is governed by a rigorous Principle of Least Privilege, enforced through strict Identity and Access Management (IAM) policies and fortified by mandatory Multi-Factor Authentication (MFA) for all administrative and user sessions. This defensive posture is augmented by continuous security monitoring, immutable audit logging, and automated threat detection systems that scan for anomalies 24/7. Furthermore, the Company is committed to continuous improvement through Vulnerability Management, evidenced by our regimen of quarterly internal audits and our current strategic roadmap towards achieving formal ISO 27001 and ISO 27701 certifications, demonstrating our commitment to evolving alongside emerging threats.

7. Third-Party Disclosures, Data Sovereignty, and International Transfers

Keymay maintains a strict policy of non-disclosure regarding personal data, sharing such information only under highly specific and controlled circumstances to facilitate necessary business functions. We engage third-party Service Providers and subprocessors solely for the purpose of supporting service delivery (such as cloud hosting); such entities are onboarded only after the completion of rigorous Privacy Impact Assessments (PIAs) and the execution of strict contractual data protection agreements that mandate adherence to our security standards. In terms of Legal Requirements, the Company may disclose data if, and only if, compelled by a valid, legally binding subpoena, court order, or search warrant; we explicitly refuse to voluntarily share institutional data with law enforcement agencies in the absence of such legal compulsion. Given that Keymay operates globally, International Transfers of data to our headquarters in India or other jurisdictions are executed under the protection of Standard Contractual Clauses (SCCs) and in alignment with international privacy frameworks to ensure that the data enjoys an equivalent level of protection regardless of its geographical location.

8. Data Retention, Regulatory Archival, and Secure Disposal

The retention of Personal Information is governed by a policy of strict necessity, whereby data is retained only for the duration required to fulfill the specific purposes for which it was collected or to satisfy statutory obligations, preventing "data hoarding." For Clinical Data, retention schedules are dictated by immutable regulatory requirements, such as those found in 21 CFR Part 11, which mandate the preservation of trial records for specific periods following marketing approval or study discontinuation to allow for regulatory inspection. Upon the expiration of these retention periods or the conclusion of the service agreement, the Company guarantees the secure disposal of data through certified deletion protocols or irreversible anonymization techniques, thereby rendering the data unrecoverable and ensuring compliance with our corporate records management policy.

9. User Rights, Regulatory Entitlements, and Access Mechanisms

Keymay fully recognizes and supports the expansive rights of individuals regarding their personal data under various jurisdictions, ensuring users remain in control of their information. Specifically, for California Residents under the CCPA, we acknowledge the Right to Know (requesting specific categories and pieces of data collected), the Right to Delete (requesting erasure of personal information, subject to statutory retention exceptions for clinical data), the Right to Opt-Out (regarding the sale of data, though we affirm we do not sell data), and the right to Non-Discrimination for exercising these privileges. Beyond California, we provide universal Data Subject Access Rights (DSAR) mechanisms, offering self-service tools and dedicated support channels that allow users to access, rectify, update, or request the suppression of their personal data. All such requests should be directed to the contact information provided herein, and will be processed in accordance with applicable statutory timeframes.

10. Incident Response, Transparency, and Breach Notification

In the unfortunate event of a confirmed security incident or data breach, Keymay has operationalized a robust Incident Response Plan to mitigate harm and ensure transparency. We are committed to notifying the affected Institution and relevant regulatory bodies without undue delay following the definitive discovery of the breach. This response is coordinated by our dedicated Incident Response Team, which includes a specialized Privacy Officer tasked with managing all privacy implications, ensuring transparency, and mitigating potential harm to data subjects through rapid containment and remediation strategies.

11. Contact Information and Regulatory Correspondence

Should you have any inquiries or concerns, require clarification regarding the stipulations of this Policy or our AI ethics frameworks, or wish to exercise your data privacy rights, you are encouraged to direct your correspondence to our Privacy Team, who are equipped to address technical and legal queries. All formal communications should be addressed to info@keymaylife.com.