Privacy Policy

How the Concurrent Biologics Registry collects, uses, and protects personal information.

Last updated: April 19, 2026

1. Introduction

The Concurrent Biologics Registry ("the Registry") is committed to protecting the privacy of all website visitors, submitters, and users. This Privacy Policy describes the types of information collected through the Website, how that information is used, and the measures taken to safeguard it.

The Registry operates as a quality assurance and practice improvement resource, consolidating de-identified clinical data to support informed decision-making when concurrent biologic therapy is considered. It does not function as a clinical research study and does not collect personally identifiable health information from patients.

The Registry is operated from Canada and complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). For submitters located in the European Economic Area (EEA), the Registry processes personal data in accordance with the principles of the General Data Protection Regulation (GDPR).

2. Information Collected

The following types of information may be collected through the Website:

  • Submitter Information: first name, last name, and email address (required); institution or affiliation (optional). This information is collected when a healthcare professional submits a case through the submission form.
  • De-identified Patient Case Data: geographic region (continent-level only), care setting, diagnoses (disease categories, recorded as ICD-10 codes where available; primary plus comorbid conditions, including specialty-specific terminology, may be listed), age band, biological sex, biologic agents, duration of therapy, concomitant systemic therapy, clinical outcome, adverse events, and additional notes. The Registry is designed so that personally identifiable health information is never collected. All patient data must be fully de-identified by the submitter prior to submission.
  • Automatically Collected Technical Data: IP address, browser user agent string, and submission timestamp. This data is collected from HTTP request headers for the sole purpose of rate limiting and abuse prevention.

The following types of information are not collected:

  • The Website does not use cookies.
  • The Website does not use third-party analytics, advertising trackers, or marketing tools.
  • The Website does not access geolocation, microphone, camera, or USB device data.

3. How Information Is Used

Information collected through the Website is used for the following purposes:

  • Submitter contact information: to correspond with submitters regarding their case submissions, including clarification requests during the quality review process.
  • De-identified patient case data: to build and maintain the Registry dataset, to generate aggregate statistics for quality assurance and clinical practice improvement, and to display anonymized data visualizations on the Website.
  • IP address and user agent: exclusively for rate limiting (a maximum of five submissions per IP address per hour and three submissions per email address per hour) and for preventing abuse. This data is not used for tracking, profiling, or analytics.
  • Submission review: all submissions undergo quality review by Registry administrators for completeness, clinical plausibility, and consistency before inclusion in the dataset. Submissions may be approved, rejected, or have their status changed during review.

4. Legal Basis for Processing

For submitters located in the European Economic Area (EEA), the legal bases for processing personal data are as follows:

  • Submitter personal information (name, email, institution): processed on the basis of consent. Submitters voluntarily provide their information when submitting a case and agree to the Terms of Service and this Privacy Policy at the point of submission.
  • Technical data (IP address, user agent): processed on the basis of legitimate interest in maintaining the security and integrity of the Website and preventing abuse.
  • De-identified patient case data: this data does not constitute personal data under the GDPR, as it is fully de-identified before submission. The submitter is responsible for ensuring proper de-identification.

5. De-identification Responsibility

The Registry is designed so that personally identifiable health information is never collected. The submission template captures only aggregate clinical variables: geographic region (continent-level only), care setting, age band, biological sex, disease category (recorded as ICD-10 code), biologic agents, duration of therapy, concomitant systemic therapy, clinical outcomes, and adverse events. No dates of birth, treatment dates, medical record numbers, patient names, addresses, or other information that could directly or indirectly identify a patient is requested at any stage.

The responsibility for ensuring proper de-identification rests with the submitter. Submissions undergo quality review, during which any data that appears to contain identifiable patient information will be flagged and removed. If the Registry discovers that any submission contains identifiable patient information, that submission will be immediately deleted from the dataset.

6. Data Retention

  • Approved submissions: approved case submissions, including submitter attribution and de-identified patient case data, are retained as part of the Registry dataset.
  • Pending submissions: submissions awaiting review are retained until the quality review process is completed.
  • Rejected submissions: rejected submissions are retained for a limited period for audit purposes and then deleted.
  • Technical data: IP address and user agent data is retained alongside the associated submission record. Rate limiting calculations use a rolling one-hour window.

7. Data Sharing and Disclosure

Submitter personal information is never sold to third parties and is never shared for marketing purposes.

De-identified patient case data may be shared in the following ways:

  • Aggregated, anonymized data may be published in peer-reviewed literature to share quality assurance findings with the broader clinical community.
  • Aggregate data may be shared with collaborating clinical institutions for quality assurance and practice improvement purposes.
  • Individual case data with submitter attribution is not shared publicly.

Information may also be disclosed when required by law, regulation, or legal process.

8. International Data Transfers

The Registry is hosted and operated from Canada. Submitters located outside of Canada, including those in the European Economic Area (EEA), should be aware that their data will be transferred to and stored in Canada.

Canada has been recognized by the European Commission as providing an adequate level of data protection under the GDPR. This adequacy determination provides a legal basis for the transfer of personal data from the EEA to Canada for organizations covered by PIPEDA.

9. Data Security

The following measures are taken to protect information collected through the Website:

  • HTTPS encryption for all data transmitted between users and the server.
  • Content Security Policy (CSP) headers restricting script sources, frame embedding, and form submission targets.
  • Permissions-Policy headers blocking access to geolocation, microphone, camera, and USB devices.
  • Server-side validation and input sanitization for all form submissions.
  • Rate limiting to prevent abuse and excessive submissions.
  • Database access restricted to authorized administrators.

While reasonable measures are taken to protect information, no method of electronic transmission or storage is completely secure, and absolute security cannot be guaranteed.

10. Your Rights

Under PIPEDA, individuals have the following rights:

  • Access: the right to request access to personal information held by the Registry.
  • Correction: the right to request correction of inaccurate or incomplete personal information.
  • Withdrawal of Consent: the right to withdraw consent for the collection, use, or disclosure of personal information, subject to legal or contractual restrictions.
  • Deletion: the right to request deletion of personal information, subject to applicable retention requirements.
  • Complaints: the right to file a complaint with the Privacy Commissioner of Canada regarding the handling of personal information.

For submitters located in the EEA, the following additional rights apply under the GDPR:

  • Data Portability: the right to receive personal data in a structured, commonly used, and machine-readable format.
  • Restriction of Processing: the right to request restriction of the processing of personal data.
  • Objection: the right to object to processing based on legitimate interest.
  • Supervisory Authority: the right to lodge a complaint with the relevant EU data protection supervisory authority.

To exercise any of these rights, the Registry may be contacted using the information provided in the Contact Information section below.

11. Children's Privacy

The Registry is intended for use by healthcare professionals only. The Website is not directed at individuals under the age of 18. Personal information is not knowingly collected from minors. If it is discovered that personal information has been inadvertently collected from an individual under 18, that information will be deleted promptly.

12. Changes to This Policy

This Privacy Policy may be updated at any time without prior notice. Continued use of the Website following any changes constitutes acceptance of the revised policy. The "Last updated" date at the top of this page indicates when the most recent changes were made.

13. Contact Information

For questions or concerns regarding this Privacy Policy, or to exercise privacy rights, the Registry may be contacted through the contact page.