Privacy Policy

Critical Path Institute Privacy Policy

This Policy explains how and why Critical Path Institute (C-Path) collects and processes personal information about people who visit our website, users who log on to our systems to access our SharePoint Online Collaboration Portals or data repositories, and any other individuals from whom we may collect information, directly or indirectly.  This Policy also provides a summary of the conditions under which we may disclose your information to others, your rights regarding the information we collect about you, and the measures we take to secure that information.

Information Collected

The C-PathSharePoint Online Collaboration Portals, the C-Path Online Data Repository (CODR) and the C-Path Relational Sequencing Platform for TB (ReSeqTB) may collect information about you when you apply for access or utilize the services they provide. C‑Path uses the information collected to keep C‑Path consortia members aware of C‑Path activities and events, and to notify data repository users about events and important information pertaining to their use of the repository.

C-Path may collect personal information such as your name, mailing address, email address, education, employer and internet protocol (IP) address. If you make a donation online, your credit card information is not held by C-Path.  It is collected by our third-party payment processors, who specialize in the secure online capture and processing of credit/debit card transactions.

In all cases, C‑Path will only collect information in accordance with legitimate interests. We collect personal data from individuals in the course of their participation in C‑Path activities and events and will only use it in a manner that is consistent with their expectation as C‑Path consortia members, participants, repository users or stakeholders.

Note that anonymized clinical data related to research individuals collected by others and shared with C-Path is accepted into the C‑Path data repositories.  For the purposes of this data collection, C-Path does not process any identifiable personal data of those research individuals and there is no ability for C-Path to provide access to personal data collected in this manner since there is no method of identifying an individual through the data.

Cookies and Tracking Technologies

Like many websites, we may use “cookies.” Cookies are text files placed in your computer’s browser to store your preferences and provide you with a better website experience.Cookies do not contain personal information; however, once you choose to furnish a website with personal information, such personal information may be linked to the data stored in the cookie.  We use services like Google Analytics for our data repositories to help us analyze how our visitors use the site. When you log on to a C-Path website that uses cookies, you will be provided with the option to accept or reject cookies. Please note that if you reject cookies, some features and functions within the website may be impacted.  If you do not consent to the placing of Cookies on your device, please do not visit, access, or use the website.

How Information May be Used

C-Path may use personal information that it collects to:

  • Process a donation that you have made through its website;
  • Carry out our obligations arising from any contracts for services entered into by you and us;
  • Notify you about C-Path activities and events;
  • Notify you of changes to our website or services;
  • Support clinical data research where anonymizedhuman-individual-level data is collected.

External Links

Links to third-party websites from the C-Path website are provided solely as a convenience to you. Using these links will direct you away from the C-Path website. We have not reviewed these third-party sites and do not assume responsibility or control for any of these sites, their content, or their privacy policies. C-Path does not endorse or make any representations about them or any information, software or other products or materials found there, or any results that may be obtained from using them. If you decide to access any of the third-party sites linked to a C-Path site, you do so at your own risk.

Commitment to Data Security

C-Pathis committed to maintaining the security of your information. To prevent unauthorized access or disclosure, maintain data accuracy, and ensure the appropriate use of information, we have put in place reasonable procedures to safeguard and secure the information we collect and store online. We use encryption technology when collecting or transferring sensitive data. C-Path will not resell or distribute your confidential information to any third party.

Acceptance of Privacy Policy

If you use the C-Path website, SharePoint Online Collaboration Portals or data repositories, you are accepting the terms and conditions of this Privacy Policy, and we will have the right to use your information as described in this Privacy Policy. If you do not agree to have your information used in any of the ways described in this Privacy Policy, you can choose to not access or use our services and to discontinue use of C-Path websites, SharePoint Online Collaboration Portals, data repositoriesor other resources.

Changes to Privacy Policy

C-Path reserves the right to modify this Privacy Policy at any time. Your continued use of the website, SharePoint Online Collaboration Portals or data repositoriesafter we either personally notify you or generally post such changes on the site will constitute your acceptance of those changes.

How to Contact Us

C-Path strives to comply with applicable policy regulations and to maintain current and accurate data. If you have any comments, questions or concerns about any of the information in this Policy, corrections, or any other issues or requests relating to the Processing of User Information carried out by us, or on our behalf, please contact:

Critical Path Institute
Attention: Data Privacy Officer
1730 E River Road, Suite 100
Tucson, AZ 85718-5893

Data Subjects Whose Personal Information May Be Collected in or from the EEA

Critical Path is committed to treating all information received from European Union (EU) member countries, the U.K. and Switzerland, in accordance with the EU General Data Protection Regulation’s applicable Principles. Information provided below is applicable to personal data collected from individuals within the European Economic Areas (“EEA”).  To facilitate the services we provide to individuals located in the EEA, we request explicit consent for the transfer of personal information from the EEA to the U.S. If you are an individual located in the EEA and you decline to consent to such transfer, you will no longer be able to use C-Path services.

Rights of the Individual

Access and Rectification

Upon the request of an individual, C-Path will confirm whether personal information is held, processed, and for what purpose. Additionally, upon request, C-Path will provide a copy of the individual’s personal information, free of charge, in an electronic format. Requests should be sent to

Right to be Forgotten

Personal information held by C-Path that is no longer relevant to original purposes will be erased upon request. Additionally, if applicable and relevant GDPR requirements for data erasure are present, C-Path will erase personal information if an individual withdraws consent to process such information. Requests should be sent to

Data Portability

Upon the request of an individual, and where possible, C-Path will provide the personal information previously provided by the individual in machine readable format or transmit such data to another entity. Requests should be sent to

Recourse, Enforcement and Liability
If you are located in the EEA or Switzerland and you have concerns about the privacy or processing of your data by C-Path, please email your concern to DPO@c-path.orgto have your concern reviewed and addressed promptly, if confirmed.  If, as a resident of the EEA, you believe that we have not adequately resolved any such issues, you have the right contact the EU Supervisory Authority.

Automated Decision-Making

We do not engage in automated decision-making.

Non-Disclosure of Personal Information

Our employees are prohibited, either during or after their employment, from disclosing personal information to any person or entity outside of our company, including family members, except under the circumstances described above. An employee is only permitted to disclose the personal information of a user to such other employees who need access to such information in order to deliver our services to that user.

To learn more about the EU GDPR, visit

Last updated: June 2018