Farmacon Global Data Privacy Policy


This Data Policy is intended to ensure transparency and compliance with data privacy laws and to protect the privacy and rights of individuals whose data is collected.

  1. Purpose Farmacon Global’s Data Policy outlines the procedures and practices for the collection, storage, and usage of contact information for medical facilities, sites, and doctors in the United States and Latin America.
  2. Compliance with Data Privacy Laws Our company is committed to complying with all relevant data privacy laws and regulations in the countries in which we operate, including but not limited to GDPR, HIPAA, and local data protection laws in the countries we have partnerships.
  3. Data Collected We collect contact information for medical facilities, sites and doctors, which may include their email addresses, phone numbers, contact names, and addresses. We do not collect any patient data.
  4. Data Collection Methods Data is collected through research conducted online, as well as through direct communication methods such as phone calls and emails with doctors, sites, and medical facilities.
  5. Purpose of Data Collection The collected data is used to establish partnerships with doctors, sites and medical facilities who wish to join our network.
  6. Data Retention We will retain the data as long as it is still relevant and appropriate to our business needs. Requests can be made to to access, update, or delete personal data.

7.1 Data Access Only authorized personnel have access to view or edit the data. Access to data is only given to those who must have access for legitimate business reasons. We follow a Zero Trust Policy which means that access to any data is never given to anyone by default.

7.2 Privileged access management requirements

  • Google Workspace 2 factor authentication is currently enforced on the entire organization
  1. Data Security We ensure the security of the data by using a secure cloud service. Access to these documents is controlled, and the Data Controller has capacity to manage permissions for viewing and editing. In addition to this, all Farmacon Google accounts are required to have 2 factor authentication.
  2. Consent After an initial outreach to the potential referring doctor or medical site partner, if there is interest the potential referring doctor or medical site partner agrees to join the network and share their information with sponsors.
  3. Data Updates and Deletion All independent contractors, subcontractors, vendors, partners, healthcare providers, sites, or facilities can request updates or deletion of their data by contacting the company through email
  4. Partnership Agreements and CDAs Farmacon Global has partnership agreements and Confidentiality Disclosure Agreements (CDAs) in place with investigators, site personnel and/or clinical research sites who have expressed interest in working with the company.

Farmacon Global Data Definitions

Data Processing

Data Processing means any operation which is performed on personal data, including  collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data

Personal data refers to any information that can be used to identify an individual. In many data protection regulations, including the General Data Protection Regulation (GDPR) and data protection laws in various countries, personal data includes, but is not limited to, the following:

  1. Name: A person’s full name or any part of it.
  2. Contact Information: This includes email addresses, phone numbers, physical addresses, and any other contact details.
  3. Identification Numbers: Such as passport numbers, driver’s license numbers, or national identification numbers.
  4. Location Data: Information about a person’s current or past location that can be used to identify such a person.
  5. Online Identifiers: This can include IP addresses, cookies, and similar online tracking technologies.
  6. Biometric Data: Data related to physical, physiological, or behavioral characteristics, such as fingerprints, facial recognition data, or DNA that can be used as identify an individual
  7. Demographic Information: Data about an individual’s age, gender, race, religion, or similar attributes.
  8. Health Information: Including medical records, health conditions, or treatment history.
  9. Financial Information: Bank account numbers, credit card information, and financial transactions.
  10. Social Media Posts: Information posted on social media profiles that can be used to identify an individual.
  11. Workplace Information: Information related to an individual’s employment, such as job title and company name.

When it comes to collecting contact information that is publicly available on the internet, it’s important to consider a few key points:

  1. Transparency: Even if information is publicly available, it’s a good practice to be transparent with individuals about why you are collecting their data.
  2. Purpose Limitation: Collect the data only for specific, legitimate purposes. If you collect publicly available contact information, ensure it is for a lawful purpose, such as business communication.
  3. Data Minimization: Collect only the information that is necessary for the intended purpose. Avoid collecting more data than you actually need.
  4. Compliance with Data Protection Laws: Even if the data is publicly available, you may still need to comply with data protection laws in your jurisdiction. Some laws have specific requirements regarding the collection of personal data, regardless of the source.
  5. Respect for Data Subject Rights: If you collect personal data, individuals may have rights, such as the right to request access to, correction of, or deletion of their data. Be prepared to address such requests.

These are guiding principles for the Data Controller to consider when conducting their activities.

Farmacon Global’s Data Consent Process

Farmacon Global’s consent process has been established for all stakeholders, which may include: independent contractors, subcontractors, vendors, partners, doctors, sites and facilities.

This consent process is to provide the specific legal and regulatory requirements of the jurisdiction in which the consentee or facility operates, while maintaining transparency and clear communication with consentees regarding their rights and the handling of their personal information.

Specifically, Farmacon Global’s consent process is to grant or withdraw consent for any consentee  to access, correct, or erase their personal information. This process should be clear, transparent, and compliant with relevant data protection laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States or the General Data Protection Regulation (GDPR) in the European Union. The consent process includes the following:

  1. Inform the Consentee:
    • Clearly inform the consentee about the purpose of collecting their personal information, who will have access to it, and how it will be used.
  2. Provide Consent Forms:
    • Create consent forms that outline the specific information that will be collected and how it will be processed.
  3. Obtain Informed Consent:
    • Ensure that consentees provide informed consent by explaining the details of data collection, access, correction, and erasure procedures.
  4. Withdrawal of Consent:
    • Clearly state in the consent form that consentees have the right to withdraw their consent at any time without facing any negative consequences.
  5. Access to Personal Information:
    • Explain how consentees can access their personal information, what information is available, and the process for requesting access.
  6. Correction of Personal Information:
    • Describe how consentees can request corrections to inaccurate or incomplete personal information and the process for doing so.
  7. Erasure of Personal Information (Right to Be Forgotten):
    • Explain how consentees can request the erasure of their personal information, subject to legal and regulatory limitations.
  8. Data Retention and Deletion Policies:
    • Data will be retained as long as the business still has “legitimate interest” in it and therefore it is necessary for the business to function. Data will be deleted or modified upon request to
  9. Data Security Measures:
    • Assure consentees of the security measures in place to protect their personal information.
  10. Complaint Procedures:
    • Explain how consentees can raise concerns or file complaints regarding their personal information.
  11. Consent Records:
    • Maintain clear records of consentees’ consents, withdrawals, and any actions taken regarding their personal information.
  12. Regular Review:
    • Periodically review and update the consent process to ensure it remains compliant with changing laws and regulations.
  13. Training and Awareness:
    • Ensure that staff and personnel are aware of and trained in the consent process and data protection policies.
  14. Communication Channels:
    • Provide easily accessible communication channels for consentees to exercise their rights and seek clarification on the consent process.
  15. Legal Compliance:
    • Ensure that the entire process complies with relevant data protection laws and regulations.

Data Controller Manual

Data Controller Principles:

The Data Controller Principles Farmacon uses are the 7 principles of GDPR.

  1. Personal data must be processed fairly, lawfully and transparently
    1. Identify a legal basis for your processing of personal data
    2. Transparency
    3. Fairness
  2. Personal data must be used for specified, explicit purposes
    1. Purpose limitation principle
  3. Personal data must be adequate, relevant and limited to only what is necessary
    1. Only collect the data that is necessary
    2. Less data means less liability
  4. Personal data must be accurate and, where necessary, kept up to date
    1. Data subjects have the right to correct and delete their personal data
  5. Personal data must be kept for no longer than is necessary
  6. Personal data must be kept secure
  7. Personal data controller must be accountable

Data Collection points:

  • Research for potential referring doctors
  • Research for potential medical sites
  • Business development research for potential clients

Data Classification Policy:

Farmacon stores public and private data of HCPs, medical sites and doctors. We also store internal data such as meeting notes. Lastly, we have confidential and proprietary data related to the business and its operations. We do not store any patient data and instead work with partners when it is appropriate.

Data Overview:

  • Legitimate interest
      • “Legitimate interest” is the legal basis to process personal data that Farmacon uses as per the GDRP recommendations. This means that we have a legitimate interest in doing business with third party persons such as doctors as well as third party medical sites.
  • Purpose of the data
      • Referring Doctors and medical sites
  • Protection of the data
      • None of this data is shared with any third parties. We act at the initial touch point with the third party and determine their level of interest and capabilities. 
      • Only after we have signed contracts with the do we share their data consensual with sponsors or other third parties
  • Deletion of data
      • At any time, anyone can make a request to be removed from the internal list of Doctors & Site partners
  • Data Security Policy
    1. 2FA on all accounts where it is available
    2. Security officer oversees and provides risk assessment for the safely of all Farmacon data


  • Uphold the Data Controller Principles
  • Review and maintain the Global Data Policy, which is this document, and includes various data and security policies and procedures
  • Keep a log that is separate from the Global Data Policy of all relevant events and learnings that occur related to IT, security, data privacy and anything else relevant
  • Conduct a risk assessment on the internal Farmacon team annually
  • Backup all relevant data to another cloud service annually. Only maintain one backup that should be no older than 1 year. All older backups are deleted.
  • Review and update the training materials for the annual Security and Privacy Training
  • Conduct a risk assessment on Farmacon annually
  • Make sure that all independent contractors have two factor authentication setup for their Google account
  • Make sure that all independent contractors have encryption settings turned on for their devices
  • In case a computer or phone is stolen, it is the responsibility of the Data Controller to forcibly remove 
  • Onboarding of contractors to relevant Software Assets including Google Workspace
  • Offboarding of contractors to relevant Software Assets including Google Workspace
  • Regularly auditing of the active and inactive users for the Google Workspace account
  • Manage all requests related to implementing new Software Assets, adding or removing Google Workspace users, and updating document permissions based on relevant and reasonable business needs
  • Monitor the email for personal data requests such as access, correction or deletion

Security Policies


We ensure the security of data by using a secure cloud service to collect, process and store data. We use Google Suite since it is highly secure and the data is stored in Google Spreadsheets with appropriate permissions.

Control Access:

Access to these documents is controlled, and only relevant team members will have the capacity to manage permissions for viewing and editing. We follow a Zero Trust Policy which means that access to any data is never given to anyone by default. Access to data is only given to those who must have access for legitimate business reasons.

2 Factor Authentication:

2FA or 2 factor authentication adds an additional layer of security requiring a user to receive a text message with a code for login in addition to a password. All Farmacon Google accounts are required to have 2 factor authentication.

Safety First Culture:

Every contractor at Farmacon is responsible for security. It’s always better to ask a question and alert the Data Controller if you are unsure of any potential security risk.

Vulnerability Management:

The Data Controller conducts an internal audit annually on Farmacon’s potential vulnerabilities. This includes auditing the software assets used by contractors as well as considering how contractor’s hardware assets may be compromised. 1 on 1 interviews, surveys, or emails are sent in order to inquiry about currently used software assets for contractors in order to make sure software assets documentation is up to date.

All potential or known vulnerabilities must be reported in writing to the Data Controller as soon as possible. Once they have been reported, the Data Controller will assess the severity, document the process in the Data Controller log, and take corrective actions.

Incident Management:

All security or data privacy incidents must be reported in writing to the Data Controller as soon as possible. Once they have been reported, the Data Controller will assess the severity, document the process in the Data Controller log, and take corrective actions.

Below is a list of principles of incident management derived from ISO/IEC 27035 that should be considered:

  • technical/technological, organizational or physical vulnerabilities, partly due to incomplete implementations of the decided controls, are likely to be exploited, as complete elimination of exposure or risk is unlikely;
  • humans can make errors;
  • technology can fail;
  • risk assessment is incomplete and risks have been omitted;
  • risk treatment does not sufficiently cover the risks;
  • changes in the context (internal and/or external) so that new risks exist or treated risks are no longer sufficiently covered

For data security purposes as well as general best practices, the following policy must be followed by all Farmacon contractors:

1) Secure Devices

All devices that are used for Farmacon related work must be passcode or password protected. The passcode / passwords / device that is used for Farmacon work should not be shared with other individuals.

2) Physical Data

All Farmacon data lives in the cloud and there should never be physical copies of any data. Any questions or concerns about this should be directed to the Data Controller.

3) Keep a clean physical and virtual desk environment

It is important at Farmacon that we maintain a clean working environment both physically and digitally. Since we are a remote company we do not have a shared office space but we review the clean desk policy annually with all active contractors who implement it remotely. This includes clearing one’s computer desktop and organizing one’s Google Drive.

Risk Assessment 

Farmacon completes a risk assessment once per year covering topics such as security and data privacy to make sure contractors are following best practices.


  1. Is your laptop’s encryption setting enabled?
  2. What applications / software programs do you currently use for your projects at Farmacon?
  3. What is two factor authentication? Do you have two factor authentication enabled on all the applications / software programs where it exists?
  4. Do you use antivirus software? If so, which antivirus software?
  5. How can you tell a phishing email from a real email?
  6. What should you do if you suspect any security risk?

Data Privacy:

  1. What constitutes personal data?
  2. Do you store Farmacon personal data on your computer or in the cloud or both?
  3. What should you do if you suspect any data privacy risk?

Data Archiving Protocol

Farmacon Global will retain the data as long as it is still relevant and appropriate to our business needs. In some cases, it may be appropriate to archive a given set of data if that data is quite large but still relevant to business activities. In this case, the data should be placed in the data archive folder by the Data Controller and then is converted into a ZIP file. The original data will then be deleted. In order to access the data, the Data Controller will extract the original data again from the ZIP file.

Sara Tylosky, MBA

Sara Tylosky, MBA, CEO at Farmacon Global, brings over 20 years of experience leading teams in both large and small pharmaceutical and biotech environments. She has led Farmacon Global, a strategic CRO of medical consultants, in accelerating clinical trials, increasing diversity, supporting enrollment, and paving the way to market access in emerging markets.

Known for her high cultural intelligence and problem-solving skills, Sara and her team specialize in Rare Diseases, Immunology, Infectious Diseases, Cancer, and Vaccines. Fluent in Spanish and having lived on four continents, she has a special focus on Latin America while actively expanding into other key markets globally. Sara’s direction plays a pivotal role in steering Farmacon Global toward healthcare innovation and global market leadership.