1. YOUR PRIVACY IS IMPORTANT TO US
Vastrax is committed to respecting the privacy of all individuals. This privacy notice explains our personal data processing practices in accordance with applicable data privacy and protection laws and regulations. As needed, Vastrax may provide additional notices. Any questions or other inquiries can be directed to the contact information listed below. This privacy notice primarily describes personal data processing details related to our role as a Data Controller or similar. Please note, in our core business activities as a Contract Research Organization, we may process personal data on behalf of our customers (clinical sponsors), in which case our customer is the Data Controller, and we are the Data Processor. Any data privacy inquiries regarding specific clinical trials or studies should be directed to the appropriate Sponsor.
2. CONTACT DETAILS
Vastrax is the Data Controller for all purposes discussed within this notice. Communications, questions, or concerns about this privacy notice may be addressed to our Data Protection Officer (DPO) or, if you are in the European Union (EU), to our EU Representative, using the info below:
Data Protection Officer: Project Consulting Group
104 Main Street North, Suite 100 Stillwater, MN, 55082
Email: privacy@vastrax.com
EU Representative: Prighter Group
Schellinggasse 3, 1010 Vienna, Austria
Contact: https://app.prighter.com/portal/14209815300
If you feel any of your rights related to the collection or use of your personal data have been violated, please contact us using the contact information provided. We will investigate and attempt to resolve reasonable complaints and disputes. You also have the right to lodge a complaint with your local data protection authority if you have concerns about how we process your Personal Data.
3. DEFINITIONS
The following definitions apply to terms used throughout this notice:
3.1. Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.2. Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
4. OVERVIEW OF PERSONAL DATA PROCESSING
The types of Personal Data we process, how we collect it, and our uses vary depending on your relationship to our company. This Privacy Notice applies to you if you interact with Vastrax in one or more of the ways described below. Please note it is likely that not all the following scenarios apply to you:
· Website Visitors: This applies to you if you visit our website.
· Customers: This applies to you if you represent a company that has hired or is considering hiring us.
· Vendors: This applies to you if you represent a company we hired or are considering for services or other offerings.
· Candidates: This applies to you if you have applied for or are otherwise considered for employment opportunities with our company.
The sections below expand on the Personal Data processing details referenced above. Refer to Sections 4.1 – 4.4 to see our Personal Data processing details, and Section 4.5 for an explanation of the types of Personal Data referenced in this privacy notice.
4.1. Website Visitors:
Purpose: To administer and protect our websites.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Device or online identifiers, Location (Approximate), Usage data.
Legal Basis: We have a legitimate interest in ensuring the basic functioning and security of our websites.
Data Sources: We receive this info from your direct interactions with our websites.
Categories of Third-Party Recipients: Our website administration technology providers may process your personal data.
Purpose: For marketing and advertising related purposes, and to analyze how our website is used for optimization and enhancement purposes.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Device or online identifiers, Location (Approximate), Usage data.
Legal Basis: Consent.
Data Sources: We receive this info from your direct interactions with our websites.
Categories of Third-Party Recipients: Our website analytics and marketing technology providers may process your personal data.
4.2. Customers:
Purpose: To manage our relationship with you and any related projects; prospective or otherwise.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Basic Identifiers, Career/Professional, Communications, Contact Info.
Legal Basis: Performance of a Contract.
Data Sources: We receive this info directly from you.
Categories of Third-Party Recipients: Our sales and project management software providers may process your personal data.
Purpose: To market to you or otherwise promote our services or offerings.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Basic Identifiers, Career/Professional, Communications, Contact Info.
Legal Basis: Consent.
Data Sources: We receive this info directly from you.
Categories of Third-Party Recipients: Our marketing and project management software providers may process your personal data.
4.3. Vendors:
Purpose: To manage our relationship with you and any related projects.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Basic Identifiers, Career/Professional, Communications, Contact Info.
Legal Basis: Performance of a Contract.
Data Sources: We receive this info directly from you.
Categories of Third-Party Recipients: Our finance and project management software providers may process your personal data.
4.4. Candidates:
Purpose(s): (1) To collect and review employment applications or otherwise source candidates, conduct interviews, manage applicant database(s), & (2) To confirm that candidates who receive job offers are authorized to work in the applicable country, & (3) To conduct background checks before hiring individuals.
Types of Personal Data Processed (*Indicates Sensitive Data Types): Basic identifiers, Career/Professional, Communications, Contact info, Demographic, Location (approximate), Citizenship/Immigration Status*, Criminal Data*, Race or Ethnicity* (voluntary), National Origin*.
Legal Bases: (1) Performance of a Contract, and/or (2) Explicit Consent.
Data Sources: We may receive this data directly from you, employment references, prior employers, third party recruiters, background check providers, or publicly available sources.
Categories of Third-Party Recipients: Our HR software providers, recruiting firms, and background check providers may process your data.
4.5. Personal Data Categories:
Refer to the table below for descriptions and examples of the types of Personal Data mentioned earlier in this privacy notice (* Indicates Sensitive Data Types).
Personal Data Categories & Description or Examples (if applicable):
Basic Identifiers: First name, last name, initials.
Career/Professional: Job history, current role, resume, educational history, certifications, licenses, military service, or other career related info.
Communications: Voice messages, email records, or chat records of correspondence with the individual.
Contact Info: Physical address, email address, phone number.
Demographic: Age, gender, DOB, language(s), etc.
Device or Online Identifiers: IP Address, MAC Address, Serial Number, Cookie or Pixel IDs, etc.
Location (Approximate): Neighborhood, city, state, province, country, or region.
Usage Data: Interaction logs (clicks, scrolls, views) and usage patterns.
Citizenship/Immigration Status*: Info indicating an individual's citizenship or immigration status.
Criminal Data*: Data relating to criminal convictions and offences (i.e., background checks).
National Origin*: Info indicating an individual's country or nation of origin.
Racial or Ethnic Origin*: Info indicating an individual's race or ethnicity.
5. DATA SECURITY
Vastrax maintains a high standard for information security, including in relation to Personal Data. Computer equipment, networks, systems and data are monitored and maintained to a high standard, and access to data and equipment is restricted to appropriate staff. Vastrax’s information security program framework is designed to ensure that holistic and effective security practices are in place to protect Personal Data.
6. INDIVIDUAL RIGHTS
Depending on where you’re located, privacy laws and regulations may allow you to exercise certain rights regarding the processing of your personal data – such as those listed in the table below. If you wish to exercise any of your rights, please contact us at privacy@vastrax.com. If you are from the EU, you may also submit requests via our EU Representative at https://app.prighter.com/portal/14209815300. Requests are typically addressed within 30 days, and we will notify you if we need additional time to process your request. Vastrax will not discriminate against individuals for exercising their rights under applicable data privacy laws.
Not all these rights are absolute. Certain requests may be declined depending on the applicable privacy law(s), our legal basis for data processing, and whether a request is manifestly unfounded or excessive, or requires disproportionate effort to fulfill.
Absent statutory or contractual requirements, individuals are not strictly obligated to provide us with their personal data. However, if you prefer not to provide your data for certain purposes, please understand that such a refusal may compromise Vastrax’s ability to deliver for you upon the purpose(s) or function(s) for which that personal data is intended.
Data Subject Rights & Descriptions
- Right to be Informed: This privacy notice provides the awareness you are entitled to.
- Right of Access: The right to confirm if we process your personal data, to view what Personal Data is processed, request a copy or additional details.
- Right to Rectification: The right to have your Personal Data rectified if it is inaccurate.
- Right to Erasure: The right to have your Personal Data deleted.
- Right to Restrict or Limit Processing: The right to limit the way we use your Personal Data, including sensitive personal data.
- Right to Data Portability: The right to have your Personal Data transferred to oneself or to another controller, in a machine-readable electronic format.
- Right to Object: The right to object to certain data processing such as that based on legitimate interests or the public interest, for direct marketing, or scientific/historical research and statistical purposes.
- Right in Relation to Automated Decision Making: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects.
- ‘Do Not Sell My Data’: Right to request that we do not “sell” your personal data.
- Right to Withdraw Consent: In situations where you have consented to us processing your personal data, you have the right to withdraw that consent at any time.
7. THIRD PARTIES INVOLVED IN PROCESSING PERSONAL DATA
Vastrax may share your Personal Data with third parties that process information in connection with the data processing purposes described in this notice. We may also disclose or share your personal data if compelled under duty to comply with any legal obligation. Vastrax requires third parties receiving personal data to be bound to confidentiality requirements, agree to handle all personal data in accordance with applicable laws, and maintain appropriate technical and organizational measures for safeguarding the data relative to its risk. In Section 4 of this Privacy Notice, we have identified the categories of third parties that may receive personal data in connection with our different purposes for processing data.
8. INTERNATIONAL TRANSFERS OF PERSONAL DATA
When collecting Personal Data or sharing it with third parties, data may cross international borders. That may include data originating from the European Economic Area (EEA) or United Kingdom (UK) and transferring to third countries outside of those regions. Where EU and UK personal data is concerned, Vastrax utilizes standard data protection clauses (GDPR 46(2)(c)), other applicable safeguards and laws for the protection of your personal data. Vastrax takes steps to protect this information by implementing appropriate safeguards relative to the risk and sensitivity of the information processed. If you have questions regarding the safeguards used to protect your data when it is transferred to countries outside of the EU or UK, please contact us using the contact information at the top of this notice. This may take the form of a copy or a reference to where such information is available.
9. DATA RETENTION
Vastrax will retain Personal Data only for as long as is necessary for the purpose(s) for which it was collected – based on internally defined business rules and in accordance with any applicable laws. Data may be removed upon request by a data subject (when applicable), or when the data is no longer needed for the purpose(s) it was collected for.
10. AUTOMATED DECISION MAKING
Vastrax does not use your Personal Data to make automated decisions without human intervention, that have legal or similarly significant impacts upon you.
11. MINORS
Vastrax services and websites are not intended for use by minors and do not intentionally collect personal data associated with minors. If you are a parent or guardian and have reason to believe we process your dependent’s personal data, please contact us and we will remove the relevant info from our systems.
12. COOKIES, PIXELS AND OTHER TRACKING TECHNOLOGIES
Cookies are blocks of textual information that are sent electronically from a webserver to your browser and are stored on your computer or mobile device. Pixels are small image files that send data to a server when a page loads, enabling the collection and tracking of data. We may use cookies, pixels and other tracking technologies to offer a better browsing experience, to facilitate the use of analytics tools that measure and identify traffic patterns and to deliver and track the performance of advertisements. These technologies enable us to continually improve the form and functionality of our websites and to convey to you the most relevant information and current offers. Information gathered by these technologies may be shared with third parties that provide services to Vastrax, including ad networks and analytics technology providers.
We classify these technologies (collectively referred to as “cookies” for simplicity) into the following categories:
Essential Cookies — These cookies are essential for the basic functionality and security of website features.
Preference Cookies — these cookies enable our website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Analytics Cookies — these cookies track opportunities for website audience improvement.
Marketing Cookies – these cookies collect personal identifiers and display ads for our company on other sites.
We do not sell your Personal Data to third parties in the usual sense of the word. As mentioned above, if you use our websites certain cookies may be placed by us and our third-party service providers for marketing purposes to assist us with identifying, segmenting, and displaying targeted advertisements to you. In some cases, this practice can be known as cross-context behavioral advertising and is considered “selling” or “sharing” Personal Data under the laws of certain jurisdictions such as California. Where applicable, you will have the right to opt out of the sale or sharing of Personal Data for these purposes.
Most web browsers offer settings that permit the user to manage cookies. You can set your browser to refuse cookies or to alert you when websites set or access cookies. Please be advised that if you opt out of certain cookies, you may not be able to use the full functionality of the Website.
13. MERGER, DIVESTITURE, BANKRUPTCY
If Vastrax should ever file for bankruptcy or be acquired by a third party, merge with a third party, sell all or part of our assets, or otherwise transfer substantially all our relevant assets to a third party, Vastrax is entitled to share the Personal Data with potential and subsequent business and merger partners.
14. PRIVACY NOTICE CHANGES
This privacy notice will be reviewed at least annually and updated as needed. For instance, this privacy notice may need to change as new legislation is introduced or as it is amended. This privacy notice was last updated January 8, 2026.