Privacy policy
1. Purpose of the Policy
At Strides Pharma Science Limited ("Strides", "we", or "company"), we are committed to protecting the personal data of all individuals whose information we collect, such as patients, employees, job applicants, customers, suppliers, vendors, contractors, partners and clinical trial participants, and other personal information collected in due course.
This Privacy Policy outlines how the company collects, uses, stores, shares, and protects data in compliance with applicable regulations including but not limited to the EU's General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023 (DPDP Act). The company's commitment to data privacy also includes a zero-tolerance policy for any form of data mismanagement.
2. Principles of Data Processing
Our data processing activities are based on the following principles together with any other prevailing global practices:
- Lawfulness, Fairness, and Transparency
- Specified Purpose
- Data Minimization
- Accuracy of Data
- Storage Limitation
- Data Integrity and Confidentiality
- Accountability of the Data Processor
Strides' wholly owned subsidiary, Arco Lab Pvt. Ltd (Arcolab), is responsible for collecting, processing and ensuring the protection of the personal data of patients, employees, job applicants, customers, suppliers, vendors, contractors, partners, clinical trial participants, etc.
Arcolab is an entity that provides and performs a myriad of specialized services for Strides. Arcolab’s competence as a responsible service provider is augmented by its ISO 27001 (Information Security Management System) and ISO 27701 (Privacy Information Management System) certifications.
3. Scope and Applicability
This Policy applies to all personal data collected, processed, and stored by Strides and its subsidiaries, across their global operations, platforms, and services.
This policy shall govern all employees (including part-time, temporary, contractual), workers, trainees, consultants, customers, volunteers of the Company, and its subsidiaries, suppliers, contractors, and service providers integrated within the Strides ecosystem. This policy shall extend across our value chain, defining our forward-thinking approach to collaborating with partners and setting clear standards for their operational conduct bound by strict contractual safeguards.
Categories of personal data we may collect
- Patients and trial participants: health-related data, diagnoses, and biometric details for scientific research and clinical trials.
- Employees, contractors, and job applicants: identity, contact information, professional experience and other employment-related information (may include family-member details for benefits such as medical insurance or compliance requirements like SEBI insider trading rules).
- Website visitors: digital information such as IP address and browsing preferences.
Data collected by Arcolab on behalf of Strides group entities is protected in accordance with Arcolab's policy and procedures.
Passive data collection & cookies
Strides' website may passively gather certain information about your visits without requiring you to actively submit it. This data may be collected through technologies such as cookies, internet tags, and web beacons.
A cookie is a small file that asks permission to be placed on your device. Once you agree, the file is added and helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual and tailor operations to your preferences.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. Doing so may prevent you from taking full advantage of the website.
Examples of information captured include URL of the previously visited website, IP address, GPS location, mobile service provider, operating system details, and browser version. The information collected through these technologies cannot personally identify the data subject unless combined with other identifiable details.
If you register using third-party accounts such as Facebook, Twitter or Gmail, Strides may access the necessary information from those accounts to facilitate your registration, maintain communication, and deliver services.
4. Security and Confidentiality
Strides is committed to ensuring that personal information collected/processed is secured. To prevent unauthorized access or disclosure, the company has put in place suitable physical, electronic, and managerial procedures to safeguard the information it collects.
Our systems are safeguarded through role-based access controls, encryption, intrusion detection mechanisms, and secure data backups.
On a need basis, under strict contractual safeguards and as per statutory requirements, the company may share information with regulators, research partners, or service providers.
Personal information collected will be retained only for as long as necessary to fulfill the purpose for which it was collected or to meet applicable legal or regulatory obligations.
Data breach and incident response
In the unlikely event of a data breach, a clearly defined incident response plan is promptly activated. The company is committed to transparent investigation and resolution; affected data subjects and authorities will be notified within prescribed timelines. If data is transferred outside India, adequate regulatory procedures will be followed to ensure protection.
To uphold our commitment to data protection, the company conducts internal and independent audits periodically.
Strides outsources part of its activities to Arcolab (a wholly owned subsidiary) which holds ISO 27001 and ISO 27701 certifications. Details of any sub-processor appointed by a processor for the purpose of processing personal data will be shared with data subjects upon appointment of the sub-processor.
5. Data Principal / Subject Rights
The company believes privacy rights should be accessible and actionable. Data subjects have the right to know what data the company holds about them, request correction or deletion, and request data transfer—either with their consent or for fulfilling a contract or statutory obligation. Data subjects may withdraw consent at any time in line with legal procedures; however, withdrawal will not affect the lawfulness of prior processing.
As a Data Principal/Subject, you may:
- Request access to personal data.
- Seek correction of inaccurate data.
- Request deletion of personal data, subject to exceptions.
- Withdraw consent at any time (without affecting past processing).
- Restrict or object to processing.
To ensure transparency in data protection, we have appointed a Data Protection Officer (DPO), supported by a cross-functional governance team. You may reach the DPO, Ms. Prathima P D, at dataprotection@strides.com.
6. Periodic Review
This policy shall be subject to mandatory review at least once every year and as may be deemed necessary in accordance with regulatory amendments and international guidelines.
Glossary of Key Terms
| Term | Definition |
|---|---|
| Consent | Freely given, informed, and unambiguous agreement by the data subject for the processing of their personal data. |
| Cookies | Small data files stored on a user’s device by websites to remember preferences or track activity for analytics and performance. |
| Cross-Border Data Transfer | The transfer of personal data outside the country where it was originally collected, subject to applicable privacy safeguards. |
| Data Breach | Any unauthorized access, disclosure, or loss of personal data. It requires notification and remediation under applicable laws. |
| Data Controller | The entity (in this case Strides) that determines how and why personal data is processed. |
| Data Processor | A third party (such as vendors, service providers) that processes personal data on behalf of the data controller. |
| Data Protection Officer (DPO) | The designated individual/team responsible for ensuring compliance with data protection obligations and addressing privacy-related queries or concerns. |
| Data Subject | Any individual whose personal data is collected or processed (such as patients, employees, healthcare professionals). |
| Personal Data | Information that identifies or can be used to identify an individual, such as name, email address, contact information, health records and IP address. |
| Right to access/erasure | The data subject’s right to request access to their data or request its deletion under applicable laws. |
| Web beacon | Tiny graphics embedded in emails or web pages used to monitor user interactions at the website for the purpose of web analytics. |