This Privacy Policy (“Policy”) describes how Novotech Health Holdings collects and uses Personal Information in compliance with applicable privacy laws (including General Data Protection Regulation ((EU) 2016/679) (“GDPR”) where that applies to Personal Information handled by the Company).

In the course of our work and when we provide services to Clients, engage with prospective Clients, prospective employees, investigators, and others we may require Personal Information or have another person’s Personal Information disclosed to us.


The text set out below is the Policy which is publicly available on www.novotech-cro.com.  Clients and others may request a copy of our Policy.  Please direct all requests to Legal.


Affiliate:  any entity under common control with Novotech, controlled by Novotech, or which controls Novotech.

Legal: Novotech Legal Compliance Department, contactable at privacy@novotech-cro.com



Novotech Health Holdings, our subsidiaries, and our affiliates across Asia Pacific, United States and South Africa (collectively “Novotech,” “we,” “our,” or “us”) respect your right to privacy and this Policy sets out how we collect, store, use, share, transfer, and delete Personal Information collected from or about you.

“Personal Information” is information we hold which is identifiable as being about you.

Effect of Other Notices

Novotech has additional privacy notices or terms that are tailored for the different ways your Personal Information is collected by different Novotech lines of business or functions. If you receive a privacy notice provided to you for a specific purpose, the terms of the more specific notice or contract will control your interaction with Novotech to the extent that notice conflicts with this notice.


Novotech is a full service CRO.  To carry out this role, we collect Personal Information from various categories of data subjects and abide by the laws and regulations of various jurisdictions where the data subject is subjected to.  Example of Personal Information handled at Novotech are:

Employees & potential employees Personal Information such as name, images, email, address, date of birth, sex, gender, race and ethnicity, family members, health records, marital status, emergency contact, citizenship or legal status, telephone, qualification, education, professional licenses and certificates, work experience, position, professional membership, professional training, account details, etc. for employment purposes.
Client’s/Vendor’s employees, representatives, agents Personal Information such as name, company name, phone numbers, work email for business communication purposes.
Principal Investigators Personal Information such as name, email address, date of birth, address, telephone, place of work, qualification, education, professional licenses and certificates, work experience, position, professional membership, professional training, publications, awards, clinical trial experience for the purpose of identifying and assessing suitability to assist in clinical trials and research studies and to provide services to us.
Event participants Personal Information such as name, phone numbers, email, company name for potential marketing purposes and demographic reports.
Websites visitors Personal Information such as name first and last name, company name, IP address, email address for potential advertisement, marketing purposes, and websites improvements.
Trial Participants Novotech collects and process de-identified health information of clinical trial participants in accordance with the study protocol and instructions from Sponsors .
Sensitive Personal Information Where required by law, Novotech may ask for data subject’s explicit consent to collect information considered to be sensitive Personal Information (such as information about ethnicity or health information). Novotech will not collect sensitive Personal Information through our websites. We obtain personally identifying information about you only if you voluntarily choose to provide such information via legitimate correspondence.

Under data privacy laws of certain jurisdictions, an organisation that process Personal Information will be categorized as a data controller or a data processor depending on the nature of its processing activities.

A “controller’ decides the reasons and necessity for the processing.  A “processor” processes Personal Information on behalf of the controller under their instructions.  Novotech’s capacity as a data controller or a data processor will depend on the business activities that we are performing. Where we are required to identify the legal bases for processing Personal Data, we process Personal Data:

To perform contracts with the Data Controller or the data subject or to take steps at their request prior to entering into such contract;

  • To comply with a legal obligation.
  • For our legitimate business interests, which will be assessed in connection with the specific use of Personal Information.
  • With data subject’s consent, which will be requested and obtained via the appropriate sources.

Withdrawal of Consent

In certain jurisdictions, when we process Personal Information based on your consent or your explicit consent, you have the right to withdraw your consent in whole or in part at any time.  Where applicable, once we have received notification that you have withdrawn your consent, we will no longer process the Personal Information for the purpose(s) to which you originally consented unless there are compelling legitimate grounds that override your interests, rights, and freedoms (for example, to comply with a legal obligation), or for the establishment, exercise, or defense of legal claims. 

If we processed Personal Information for marketing purposes, you have the right to object at any time, in which case we will no longer process your Personal Information for such purposes.  The withdrawal of your consent does not affect the lawfulness of such processing that occurred before its withdrawal. Should you withdraw consent to future processing of your Personal Information, we may not be able to contact or interact with you as originally planned when you first provided your consent.


We collect Personal Information from you in a variety of ways, including when you request information from us, when you provide us with your information, when we provide services and when you access our websites, and through other legitimate sources such as recruitment agencies or business partners.

We may collect your Personal Information online when you request information about our services, when you download our content resources (whitepapers, reports), when you register for our events, when you provide us with your Personal Information in relation to a job opportunity, when you respond to an online survey or when you otherwise interact with our people.

We may collect Personal Information from you as part of clinical research studies managed by the Company as CRO.  Information about study participants is usually required to be provided by researchers to CROs in a de-identified format (that is, a format in which the identity of the person cannot be reasonably identified).  Researchers are required to seek express consent to collect and disclose health related information.

When you visit our websites, we may collect information such as browser type, operating system, websites visited immediately prior to visiting our site (etc.).  We may use aggregated anonymous information to analyse how people use our site so that we can improve our services.  We also use cookies and tracking tools on our websites (see below).  


A cookie is a piece of data (text files), which can be stored on a device, such as a PC, a mobile device or any other device that can store information. Cookies collect information like IP addresses.  An IP address is a number assigned to you by your Internet service provider so you may access the Internet. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.

Cookies enable the computers operating our websites to differentiate between visitors and to track the patterns of activities engaged in by different visitors.  By tracking such activities, the computers operating our websites can recognize a visitor and customize certain features for that visitor.  We may also use aggregated, non-identifiable information regarding persons who visit our site to learn more about the use of the site and how we can improve it. 

Our websites also contain the following tools:

We do not use any Personal Information to track an individual or sell their Personal Information to a third party. 

You may be able to modify your browser preferences to accept all cookies, to be notified when a cookie is set, or to reject all cookies except necessary cookies and choose the “Do Not Track” option.  If you choose not to accept cookies and/or “Do Not Track” option, you may not be able to use certain functions of the websites that require the information.

Strictly Necessary Cookies

These cookies are necessary for the websites to function and cannot be switched off in our systems.  They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.  You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.  These cookies do not store any directly identifiable information about you such as your name or email address.

Third-Party Sites. 

Our websites may link to or provide the ability to connect with non-Novotech websites, social networks or applications (“Third-Party Sites”).  Clicking on those links or enabling those connections may allow the third party to collect or share information about you.  Those Third-Party Sites are beyond Novotech’s control and are subject to the terms of the Third-Party Sites’ privacy policies, and not the terms of this Policy.  We encourage you to check the privacy policies and terms of use of any Third-Party Sites before providing your information to them.  Novotech is not responsible for the privacy practices or content of Third-Party Sites.


You may have an opportunity to elect to receive recurring informational/promotional e-mail from us.  Our e-mail correspondence will include instructions on how to update certain Personal Information and how to unsubscribe from our e-mails.  Please follow the instructions in the e-mails to opt-out of an e-mail. We will unsubscribe you from that newsletter or other programs within 30 business days.

You can always contact us at communications@novotech-cro.com in order to change your preferences with respect to marketing contacts.


To the extent permitted by applicable law, example of which how we may use your Personal Information:

We may use your information to provide our services and to notify you of opportunities that we think you may be interested in.  

We may use your Personal Information (when you visit our websites or voluntarily provide the information) to analyse and improve our sites, services, marketing, and business purposes.  As part of these activities, we may provide separate notice to you on how we collect and use your data, and may in all cases create aggregated, de-identified or other anonymous data from Personal Information we collect.     

We may use Personal Information in response to authorised information requests of governmental authorities or where required by law. 

We may disclose Personal Information where necessary for our legitimate business interests to protect the rights, property, or safety of Novotech or for the purposes of fraud protection. Such disclosure may, as appropriate, include exchanging information with other organisations, companies, auditors, and governmental departments.

We do not provide your Personal Information to third parties other than to the applicable clients, to third parties who assist us in providing services or under any other legitimate basis.  When we appoint any third party or affiliate to process information on our behalf, we require them to adhere to local data processing laws and to protect the privacy of your Personal Information.


We take all reasonable steps to ensure the security and confidentiality of the Personal Information we process.  To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we process. 

We also enter into an appropriate agreement with relevant third parties who can guarantee adequate level of data protection when appointing third parties to provide service on our behalf.


We generally retain Personal Information for as long as needed for the specific business purpose or purposes for which it was collected.  In some cases, we may be required to retain Personal Information for a longer period by law or for other necessary business purposes.  We aim to not to keep Personal Information longer than its required purposes or anonymize the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the specified retention period.


You can access and ask us to update or correct your Personal Information by contacting:

Privacy Officer


Level 19, 66 Goulburn Street, 

Sydney, New South Wales 2000


+ 61 2 8569 1400 


To protect your privacy and security, we will also take reasonable steps to verify your identity before providing you with access to your information.

Other Rights

You may also have a right under your jurisdiction’s data protection law to the following with respect to some or all your Personal Data:

To request access to your Personal Data (including under GDPR Article 15);

To request that we rectify or erase your Personal Data (including under GDPR Articles 16 and 17);

To request that we restrict or block the processing of your Personal Data (including under GDPR Articles 18, 21 and 22 and to object to the sale or sharing of your Personal Data under other relevant laws);

To provide your Personal Data directly to another, i.e., a right to data portability (including under GDPR Article 20);

When we previously obtained your consent, to withdraw consent to processing (including under GDPR Article 21); and

To lodge a complaint with the data protection authority in your jurisdiction.

To exercise these rights, please write to our Privacy Officer at privacy@novotech-cro.com

We may, after receiving your request, require additional information from you to honor the request and verify your identity.  Upon request of an individual, Novotech may take reasonable steps to comply with an individual rights request, except where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, where it is commercially proprietary, or where doing so is otherwise consistent with applicable law. 

If we determine that access should be restricted in any instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. 

Novotech, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial and any such individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study Sponsor or investigator which has transferred such Personal Information to Novotech for processing.

In any other circumstances in which Novotech maintains Personal Information as a service provider or data processor for its clients or affiliates, Novotech’s clients or affiliates are responsible for providing individuals with access to their Personal Information and the right to correct, amend or delete the data where it is inaccurate.  In these circumstances, individuals should direct their questions to the appropriate Novotech client or affiliate.  If they do not receive a response, Novotech will provide reasonable assistance in forwarding the Individual’s request.


It may be necessary to transfer Personal Information within Novotech businesses and with agents, contractors, clients, and affiliates. Regardless of whether the transfer is within Novotech Group or to a third party, Novotech will apply appropriate safeguards to such transfers as required by applicable law. For example, Novotech has in place mechanisms to ensure a compliant transfer of Personal Information including executing Standard Contractual Clauses (“SCC”) adopted by the European Commission for the purpose of transferring Personal Information from the European Economic Area (“EEA”) to non-EEA countries. 

As part of, or during negotiations of, any merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, (including as part of any bankruptcy or similar proceedings), Novotech may transfer your Personal Information to other parties involved in these transactions.  Under these circumstances, all parties have entered into a confidentiality agreement and are obligated to protect any information provided as part of the transaction and not to use the Personal Information for any other purpose than the purpose it was collected for in the first instance.


Novotech does not knowingly collect, maintain, disclose, or otherwise process Personal Information from minors without the permission of such minor’s parents or legal guardians.


We take the privacy of our people and others that we interact with seriously.  If we become aware of a breach of privacy, we will take steps to both notify those people affected by the breach and mitigate the breach including to delete and/or destroy Personal Information coming into our possession in error.


If you receive or have any complaints about our privacy practices, please contact us with details of your complaint at:

Privacy Officer


Level 19, 66 Goulburn Street, 

Sydney, New South Wales 2000


+ 61 2 8569 1400 


We take complaints very seriously and will respond to complainants within a reasonable period.  If a party is not satisfied with our response to the complaint, they may refer the complaint to their applicable local privacy regulator.


We may change this Policy from time to time.  We will upload revised versions onto our websites. 

If you would like a copy of this Policy, please contact our Privacy Officer.