Skip to main content
FreeGCP
Privacy & compliance

Privacy Policy & Data Protection Notice

This notice explains how FreeGCP safeguards personal data under GDPR, CCPA, PIPEDA, and global research regulations. It forms part of the terms you accept when using our platform.

July 28, 2025Version 1.0GDPR / CCPA / PIPEDAGlobal standards

Critical legal notices

  • All purchases are final; refunds, returns, or exchanges are not available.
  • Secure infrastructure cannot guarantee absolute security for internet transmissions.
  • FreeGCP is not liable for unauthorized access events when industry safeguards are maintained.
  • You are responsible for protecting credentials, devices, and backups linked to your account.
  • We may update this policy at any time. Continued use constitutes acceptance of revisions.

Table of contents

Navigate quickly

1. Definitions and Interpretations

For the purposes of this Privacy Policy, the following definitions shall apply throughout this document:

"Personal Data" or "Personal Information"

Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing"

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Data Controller"

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Data Processor"

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Consent"

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Data Controller Information

Company Details

Entity Name: FreeGCP Training Platform

Legal Structure: Online Educational Service Provider

Primary Operations: Clinical Research Training & Certification

Jurisdiction: California, United States

Data Protection Officer

Role: Data Protection Officer (DPO)

Responsibilities: GDPR Compliance & Privacy Management

Contact Method: Via secure contact form only

Contact DPO

EU Representative: For GDPR purposes, we have appointed a representative in the European Union. Contact details are available upon request through our secure contact form.

3. Data Processing Principles

In accordance with Article 5 of the GDPR and similar provisions in other privacy regulations, we adhere to the following fundamental principles when processing your personal data:

a) Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. We ensure all processing activities have a valid legal basis and are conducted with full transparency regarding how data is collected, used, and protected.

b) Purpose Limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. We strictly limit data use to the purposes outlined in this policy.

c) Data Minimization

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We only collect the minimum data required to provide our services effectively.

d) Accuracy

Personal data shall be accurate and, where necessary, kept up to date. We implement measures to ensure data accuracy and provide mechanisms for users to update their information.

e) Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

f) Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

4. Lawful Basis for Processing

We process personal data only when we have a lawful basis under Article 6 of the GDPR. The specific lawful basis depends on the context and purpose of processing:

Contract Performance (Article 6(1)(b))

Processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract.

  • • Account creation and management
  • • Course access and delivery
  • • Payment processing
  • • Certificate generation and verification
  • • Customer support services

Legal Obligations (Article 6(1)(c))

Processing is necessary for compliance with legal obligations to which we are subject.

  • • Tax and financial record keeping
  • • Fraud prevention and detection
  • • Compliance with court orders
  • • Regulatory reporting requirements

Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate interests, except where overridden by your interests or fundamental rights.

  • • Platform security and fraud prevention
  • • Service improvement and analytics
  • • Direct marketing (with opt-out rights)
  • • Network and information security

Consent (Article 6(1)(a))

You have given consent to the processing of your personal data for specific purposes.

  • • Marketing communications and newsletters
  • • Non-essential cookies and analytics
  • • Participation in surveys or research
  • • Testimonials and success stories

5. Information Collection Categories

Information You Actively Provide

Account Registration Data

  • • Full legal name (first name, last name, middle initial if provided)
  • • Email address (primary and any alternates)
  • • Username and account credentials
  • • Phone number (if provided for two-factor authentication)
  • • Date of birth (for age verification)
  • • Country and timezone information

Professional Information

  • • Current job title and role description
  • • Organization/employer name and type
  • • Years of experience in clinical research
  • • Educational background and qualifications
  • • Professional certifications and licenses
  • • Areas of specialization or interest

Payment and Billing Information

  • • Billing name and address
  • • Payment method details (processed securely)
  • • Transaction history and receipts
  • • Tax identification numbers (where required)
  • • Subscription preferences and history
  • • Discount or promotional code usage

Learning and Assessment Data

  • • Course enrollment selections
  • • Quiz and exam responses
  • • Assignment submissions
  • • Discussion forum posts and comments
  • • Notes and bookmarks within courses
  • • Questions submitted to instructors

Information Collected Automatically

Usage and Analytics Data

  • • Pages visited and features used
  • • Time spent on each course module
  • • Video watch time and completion rates
  • • Click patterns and navigation paths
  • • Search queries within the platform
  • • Error logs and performance metrics
  • • Feature usage frequency

Device and Technical Information

  • • IP address and approximate geolocation
  • • Browser type, version, and language settings
  • • Operating system and version
  • • Device type (desktop, mobile, tablet)
  • • Screen resolution and color depth
  • • JavaScript and cookie support status
  • • Network connection type and speed
  • • Referring website or application

Learning Progress Tracking

  • • Course completion percentages
  • • Module and lesson progression
  • • Quiz attempts and scores
  • • Time between learning sessions
  • • Certification achievement dates
  • • Learning path preferences
  • • Content interaction patterns

Information from Third-Party Sources

We may receive limited information about you from third-party services:

  • • Authentication providers - account verification status
  • • Payment processors - transaction confirmation
  • • Analytics services - aggregated usage patterns
  • • Email service providers - delivery and engagement metrics
  • • Social media platforms - if you choose to connect accounts

7. GDPR Rights for EU/EEA Residents

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access (Article 15)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and the following information:

  • • The purposes of the processing
  • • The categories of personal data concerned
  • • The recipients or categories of recipients
  • • The envisaged period for which data will be stored
  • • The existence of automated decision-making

Right to Rectification (Article 16)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure / Right to be Forgotten (Article 17)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • • The data is no longer necessary for the original purposes
  • • You withdraw consent (where consent was the lawful basis)
  • • You object to the processing under Article 21
  • • The data has been unlawfully processed
  • • Erasure is required for compliance with EU or Member State law

Right to Restriction of Processing (Article 18)

You have the right to obtain restriction of processing where one of the following applies: the accuracy of the personal data is contested, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.

Right to Data Portability (Article 20)

You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance where the processing is based on consent or contract and is carried out by automated means.

Right to Object (Article 21)

You have the right to object at any time to processing of personal data concerning you based on legitimate interests or for direct marketing purposes. Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for contract performance, authorized by law, or based on explicit consent.

How to Exercise Your GDPR Rights

To exercise any of these rights, please submit a request through our secure contact form. We will respond within one month of receiving your request, as required by GDPR.

Submit GDPR Rights Request

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

8. CCPA Rights for California Residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) regarding your personal information:

Right to Know About Personal Information Collected, Disclosed, or Sold

You have the right to request that we disclose certain information about our collection and use of your personal information over the past 12 months:

  • • The categories of personal information collected
  • • The categories of sources from which information was collected
  • • The business or commercial purpose for collecting information
  • • The categories of third parties with whom we share information
  • • The specific pieces of personal information collected about you

Right to Delete Personal Information

You have the right to request that we delete any of your personal information that we collected and retained, subject to certain exceptions. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • • Complete the transaction for which the information was collected
  • • Detect security incidents or protect against illegal activity
  • • Debug products to identify and repair errors
  • • Exercise free speech or ensure another's right to free speech
  • • Comply with the California Electronic Communications Privacy Act
  • • Enable internal uses reasonably aligned with consumer expectations
  • • Comply with a legal obligation

Right to Opt-Out of the Sale of Personal Information

WE DO NOT SELL YOUR PERSONAL INFORMATION

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. Therefore, we do not offer an opt-out for the sale of personal information.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising any of your CCPA rights. We will not discriminate against you for exercising your privacy rights by denying goods or services, charging different prices, providing different quality of services, or suggesting you will receive a different price or quality.

Authorized Agent

You may designate an authorized agent to make a request under the CCPA on your behalf. We may request that you provide the authorized agent written permission to do so and verify your identity directly with us.

How to Exercise Your CCPA Rights

To exercise any of these rights, California residents may submit a verifiable consumer request through our secure contact form. We will verify your identity before processing your request.

Submit CCPA Rights Request

Response Timing and Format

We will acknowledge receipt of your request within 10 business days and provide a substantive response within 45 days. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing. We will deliver our response by mail or electronically, at your option.

9. California Online Privacy Protection Act (CalOPPA) Compliance

In compliance with CalOPPA, we declare the following:

Personal Information Collection

We collect personal information as detailed in Section 5 of this policy. Users can visit our site anonymously, but certain features require account creation.

Privacy Policy Location

Our Privacy Policy link appears on our home page and on any page where personal information is collected. The word "Privacy" is clearly displayed in the link.

Privacy Policy Changes

Users will be notified of Privacy Policy changes via email and a prominent notice on our website. The "Last Updated" date at the top of this policy will be updated.

Personal Information Management

Users can change their personal information by logging into their account and visiting the profile settings page, or by contacting us via our secure contact form.

"Do Not Track" Signals

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place.

Third-Party Behavioral Tracking

We do not allow third-party behavioral tracking on our website. We use only first-party analytics for improving our services.

6. Data Security Measures

We implement a comprehensive security program designed to protect your personal information from unauthorized access, use, alteration, disclosure, or destruction. Our security measures include:

Technical Security Controls

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Web Application Firewall (WAF) protection
  • DDoS mitigation and protection
  • Regular security vulnerability scanning
  • Intrusion detection and prevention systems

Organizational Security Measures

  • Role-based access control (RBAC)
  • Principle of least privilege access
  • Regular security awareness training
  • Background checks for key personnel
  • Incident response procedures
  • Third-party security assessments

Critical Security Disclaimers

  • • Despite our security measures, no system is 100% secure
  • • We cannot guarantee absolute protection against all threats
  • • You use our platform at your own risk
  • • We are not liable for any security breaches or data loss
  • • We disclaim all liability for third-party security incidents
  • • You are responsible for maintaining your account security

10. Data Breach Response Procedures

In the event of a personal data breach, we have established comprehensive procedures to ensure compliance with GDPR Article 33 and 34 requirements:

Breach Detection and Assessment

Upon becoming aware of a potential breach, we will:

  • • Immediately initiate our incident response protocol
  • • Assess the nature, scope, and impact of the breach
  • • Determine the categories and approximate number of affected individuals
  • • Evaluate the risk to individuals' rights and freedoms

Regulatory Notification (Within 72 Hours)

If required, we will notify the relevant supervisory authority within 72 hours, including:

  • • Description of the nature of the breach
  • • Contact details of our Data Protection Officer
  • • Likely consequences of the breach
  • • Measures taken or proposed to address the breach

Individual Notification

If the breach is likely to result in high risk to your rights and freedoms, we will:

  • • Notify you without undue delay
  • • Describe the breach in clear and plain language
  • • Provide recommendations for mitigating potential adverse effects
  • • Offer support and additional security measures where appropriate

Important: While we maintain robust security measures and breach response procedures, we cannot guarantee prevention of all breaches. You acknowledge and accept this risk when using our services.

11. Contact Information & Data Protection Inquiries

For all privacy-related inquiries, data protection requests, or to exercise your rights under GDPR, CCPA, or other applicable privacy laws, please use our secure contact channels:

Privacy & Data Protection

For privacy policy questions, data access requests, deletion requests, and other privacy matters

Contact Privacy Team

Data Protection Officer

For GDPR-specific inquiries and formal data protection matters

Contact DPO

Response Commitments

  • GDPR requests: Response within 30 days
  • CCPA requests: Acknowledgment within 10 days, response within 45 days
  • General inquiries: Response within 5-7 business days

This privacy policy was last updated on July 28, 2025. We reserve the right to update this policy at any time. Your continued use of our services constitutes acceptance of any changes.

Governing Law: This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions. Any disputes arising under or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in California.