EFFECTIVE OCTOBER 22, 2025
1. Introduction
- 1.1 This policy applies to all information relating to any identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”).
- 1.2 Medpace, Inc. and its global group of companies (“Medpace”, “we”, or “us”) respect the privacy of individuals of all nationalities in the processing of their Personal Data, recognizing the fundamental rights to lawfulness, fairness, and transparency. We adhere to the principles of data privacy by design and by default, including data minimization to the extent possible. We follow all laws relating to data protection in all jurisdictions in which we conduct our business, including but not limited to the Health Insurance Portability and Accountability Act (“HIPAA”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Protection Act (“CCPA”), the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Lei Geral de Proteção de Dados Pessoais (“LGPD”), the United Kingdom Data Protection Act of 2018, and United Kingdom GDPR.
- 1.3 Personal Data of Children Under the Age of 16
- 1.3.1 Unless required by a clinical trial managed by Medpace, Medpace does not collect the personal data of children under the age of 16. Further, Medpace’s website is not intended for, or designed to attract, children under the age of 16. No Personal Data should be submitted to Medpace through its website by visitors who are less than 16 years old. If Medpace determines that it has collected information about an individual under the age of 16 through its website, it will delete the information.
2. The Personal Data that We Collect
- 2.1 Website Visitors
- 2.1.1 We may collect information from individuals who visit our website, such as IP address and geographic location. We also may collect Personal Data from individuals who voluntarily submit inquiries on our website.
- 2.1.2 The purpose of collecting and processing this Personal Data is our legitimate business interests.
- 2.1.3 For individuals who choose to contact us and provide us with their Personal Data, we will collect and use their Personal Data to respond to them, to provide them with information that they have requested (which may relate to our products or services), or to communicate with them for other purposes which are requested by them in their inquiry. Other purposes may include, from time to time, monitoring our regulatory compliance.
- 2.1.4 We may disclose Personal Data within our company and to our corporate affiliates who agree to treat it in accordance with this Privacy Policy. Personal Data may also be transferred to third parties who act for and on our behalf for further processing in accordance with the purpose(s) for which the data were originally collected. These third parties have contracted with us to only use Personal Data for the agreed upon purposes and not to sell or disclose Personal Data to third parties except as required by law or as stated in this Privacy Policy.
- 2.2 Personal Data of Clinical Trial Participants
- 2.2.1 With respect to clinical trials that are managed by us, we will work with the sponsor of the trial to collect certain forms of Personal Data from clinical trial participants. This data may include coded (“pseudonymized”) medical and health information which is collected by investigators and their staff at the clinical trial study sites.
- 2.2.2 We may transmit this data from the jurisdiction in which it was collected to Medpace headquarters in the United States. When consent is required for the processing of Personal Data, the physician investigators overseeing the trial are responsible for ensuring that clinical trial participants understand and consent to the gathering of their Personal Data, including the transfer of such pseudonymized information to third parties who may be providing services for the clinical trial.
- 2.2.3 The purpose of collecting the Personal Data of clinical trial participants is to promote the global development of safe and effective medical therapeutics. We are committed to conducting clinical trials in a manner that strictly adheres to all national and international ethical requirements and clinical trial regulations. Effective adherence to clinical trial regulations requires the gathering, recording, processing, storing, and transmitting of personal data of clinical trial participants, clinical trial investigators, vendors, support staff, and employees.
- 2.2.4 As the EU permits, the basis for the processing of Personal Data of EU citizens participating in a clinical trial is the performance of a task carried out in the public interest and the sponsor of the clinical trial’s legitimate business interests in conducting the clinical trial. Specifically, the processing of sensitive categories of data is carried out for reasons of public interest in the area of public health, and/or archiving for scientific purposes in accordance with Article 89(1) of the GDPR.
- 2.3 Personal Data of Investigators and Business Partners
- 2.3.1 We collect Personal Data from parties that do business with us, which may include the investigators and clinical trial site staff before, during, and after a clinical trial. The Personal Data that is collected may include CVs/resumes, contact information, educational history, or other information necessary to manage a clinical trial. This Personal Data is collected to support the performance of a task carried out in the public interest and to fulfill our legal and contractual obligations with clinical trial study sites and our business partners. The data controller (the study site or sponsor of the clinical trial) is obligated to obtain consent from or provide a collection notice to its employees and staff. This Personal Data may be required for submission of clinical trial data to governmental and regulatory authorities, Institutional Review Boards, and ethical committees.
- 2.3.2 We collect Personal Data from vendors and business partners before, during, and after a clinical trial. We may also collect Personal Data of vendors and business partners who conduct business with us that is not related to a clinical trial. We collect the Personal Data of our vendors and business partners to fulfill our contractual obligations to said vendors and business partners and to serve our legitimate business interests.
- 2.4 Notice to Job Candidates
- 2.4.1 The categories of Personal Data that we request from job applicants and the ways that we process their Personal Data may vary based on the country in which the position is located, rather than the country in which the applicant resides. We collect Personal Data directly from job applicants when they apply for a role with us, which may include contact information (including name, address, phone number, and email); professional or employment-related information, including work history; education information, such as achievements, test results and other relevant information from their Curriculum Vitae (CV). We also may collect Personal Data about job applicants from third parties, such as any references and/or prior employers that are provided to us. We may require a login name and password to facilitate using our online application services. We restrict access to job applicants’ Personal Data to people within the company who “need to know” that information, such as the individuals who will process job applications and manage the recruitment process, or recruiters and interviewers working on our behalf. When submitting an application for employment through our website, an applicant’s personal data may be shared with iCIMS, a talent acquisition and recruiting system we use to aid our recruiting and talent acquisition efforts. If any job applicants have any questions regarding how iCIMS may use their personal data, please review iCIMS’s Privacy Notice located at: https://www.icims.com/legal/privacy-notice-website/.
- 2.4.2 Sensitive Personal Data includes data related to race/ethnicity, health, trade union membership, philosophical beliefs, sexual orientation, as well as other categories as described by law. We do not seek to obtain and will not collect such Personal Data about a job applicant unless permitted or required to do so by applicable laws (e.g., government reporting in the US). Should a job applicant choose to voluntarily provide such information it will be processed in accordance with applicable data protection laws and our standard business practices.
- 2.4.3 We collect and use the Personal Data of job applicants for the following purposes:
- 2.4.3.1 identifying and evaluating the applicant’s potential for employment, as well as for future roles that may become available;
- 2.4.3.2 supporting and processing the applicant’s application, for example, so we can assess their ability to meet the job specification(s);
- 2.4.3.3 verifying references and professional qualifications provided by the applicant;
- 2.4.3.4 evaluating and assessing the results of interviews;
- 2.4.3.5 record keeping in relation to recruiting and hiring;
- 2.4.3.6 carrying out pre-employment screening, that is appropriate and proportionate to the nature of the job function, subject to specific local regulations;
- 2.4.3.7 protecting our legal rights to the extent authorized or permitted by law; and
- 2.4.3.8 contacting the applicant, either directly or through our recruitment partners, via the details they have provided us with in relation to their application.
- 2.4.4 We may disclose the Personal Data of job applicants when required to do so by law; in response to a legitimate request for assistance by the police or other law enforcement agency; and to seek legal advice from our external lawyers or in connection with litigation.
- 2.5 Use of Cookies
- 2.5.1 Cookies are small text files that are stored on browsers or devices by websites, apps, online media, and advertisements. Medpace uses cookies and similar technologies for purposes such as:
- 2.5.1.1 Authenticating users;
- 2.5.1.2 Remembering user preferences and settings;
- 2.5.1.3 Determining the popularity of content; and
- 2.5.1.4 Analyzing site traffic and trends and generally understanding the online behaviors and interests of people who interact with our services.
- 2.5.2 Certain web browsers may be programmed to notify a user when they are receiving a cookie, giving the user the choice to accept it or not. Users can also refuse all cookies by turning them off in their browser.
- 2.5.3 We abide by all laws related to the collection and use of cookies. Any user may continue to use our website without cookies.
3. How We Use and Store Personal Data
- 3.1 Improving our Website Functions
- 3.1.1 We may use information gathered from our website for a variety of purposes related to our business, such as to enhance the user experience of our website. This may include internal operations necessary to provide our services, such as troubleshooting software bugs and operational problems; conducting website traffic data analysis, testing, and research; and monitoring and analyzing usage and activity trends.
- 3.2 Responding to Inquiries
- 3.2.1 We may use Personal Data to investigate or address claims or disputes relating to our business, or as otherwise allowed by applicable law, or as requested by regulators, government entities, and official inquiries. We may use information that candidates provide us in a job application to contact them regarding their application, or to respond to questions that they may have. We may share Personal Data if we believe it is required by applicable law, legal process or governmental request or where the disclosure is otherwise appropriate due to safety or similar concerns. This includes sharing Personal Data with law enforcement officials, other government authorities, or other third parties as necessary to enforce our Code of Conduct or other policies; to protect our rights or property; or the rights, safety, or property of others; or in the event of a claim or dispute relating to our business operations.
- 3.3 Conducting Clinical Trials
- 3.3.1 Personal Data collected from clinical trial participants during a clinical trial is used to test the safety and efficacy of experimental drugs and medical devices. Clinical trial participants in clinical trials managed by Medpace are encouraged to review the informed consent form provided by the study doctor and/or clinical trial site staff for more information about how the participant’s Personal Data will be used and protected.
- 3.4 We retain Personal Data for as long as necessary for the purposes described above. We will retain different categories of Personal Data for different periods of time depending on the category of individual to whom the Personal Data relates, the type of Personal Data, the purposes for which we collected the Personal Data, and any legal or regulatory retention requirements with respect to the Personal Data.
- 3.5 We do not sell or share Personal Data with third parties for their direct marketing.
- 3.6 We do not engage in automated decision-making using Personal Data.
4. How We Protect Personal Data
- 4.1 We use physical, electronic and organizational procedures to safeguard and secure Personal Data. This includes encryption, firewalls, access controls, and other procedures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Access to Medpace facilities is controlled via a combination of technical and physical controls.
- 4.2 Personal Data is restricted to authorized individuals who only can access it on a “need to know” basis.
- 4.3 We may store some business records or clinical trial documents in hard copy (paper or disk) format, as required by law or regulation, or pursuant to the fulfilment of a legitimate business purpose. In this case, documents are retained for the minimum time necessary, and then securely destroyed. Long-term storage of hard copy documents may be carried out by a qualified third-party vendor.
5. Where We May Transfer Personal Data
- 5.1 Transfer to Third Parties
- 5.1.1 Personal Data may be shared with third parties to fulfill the purposes for which it was originally collected. Personal Data is transferred to third parties pursuant to contractual obligations consistent with Article 28(4) of GDPR when applicable and in accordance with this Privacy Policy. Recipients of Personal Data may be regulatory authorities, ethical committees, third parties associated with the study, the Institution where the study takes place, or the CRO and its Affiliated companies. When Personal Data is transferred to third parties who are not affiliated with the Medpace group of companies, the recipient must enter into a contract with us that commits them to maintaining all Personal Data securely and confidentially.
- 5.2 Transfer to Third Countries
- 5.2.1 Personal Data may be transferred to a third country outside of an individual’s country of residence, or to a country where data protection is not as strong as in those in an individual’s country of residence. Please be aware that any Personal Data provided to us will be transferred to, processed, and stored in the United States. Individuals providing Personal Data to us consent to the transfer of their Personal Data, including sensitive Personal Data, if necessary, to the United States as set forth in this Privacy Policy by visiting our website, submitting an inquiry to us, submitting a job application to us, or otherwise voluntarily disclosing Personal Data to us. Transfers to these countries are made in accordance with all applicable laws and Medpace uses appropriate transfer safeguards, such as those outlined in Article 46 of the GDPR, as required by all applicable data privacy and/or data transfer laws. All of our US Affiliates comply with the requirements of the EU and other countries that have enacted similar laws concerning international data transfers to provide adequate safeguards for Personal Data transferred to the United States.
6. Rights of Those Who Provide Personal Data to Us
- 6.1 We are committed to cooperating and complying with all applicable laws pertaining to the exercise of the rights of data subjects who provide Personal Data to us (“you”). If you would like to exercise your rights under applicable data privacy laws, or to inquire about the processing of your Personal Data by us, please contact us pursuant to Section 7 of this Privacy Policy.
- 6.2 EU and Swiss citizens whose Personal Data is processed by us have a right to be informed of the choices and means available for limiting its use and disclosure. EU and Swiss citizens may have the right to access, modify, or suppress your Personal Data, to elect not to have Personal Data transferred to a third party, or to object to your Personal Data being used for any purpose materially different from that disclosed to you, or stated within this Privacy Policy. We will honor your request to access, modify, suppress, prevent or stop transferring, or delete your Personal Data to the extent reasonably possible. We may, pursuant to applicable law, disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Please note that pursuant to clinical trial regulations, some Personal Data may be retained even if you request that it be deleted.
- 6.3 If you are a clinical trial participant, you should first contact the study site at which you participated, or the Principal Investigator of the study, to inquire about your choices and the means available for limiting the use and disclosure of your Personal Data under applicable data privacy laws. The rights available to you as a clinical trial participant may be limited pursuant to applicable data privacy law exception(s) designed to preserve the integrity or scientific value of the clinical trial data that was collected.
- 6.4 If you are an EU resident, you have a right to lodge a complaint with the appropriate EU supervisory authority, and also a right to an effective judicial remedy against data controllers and processors. You may lodge a complaint with a supervisory authority competent for your country or region. Please visit https://www.edpb.europa.eu/about-edpb/about-edpb/members_en for contact information for these authorities.
- 6.5 CALIFORNIA RESIDENTS: If you are a resident of California, you may contact us to inquire about the collection of your Personal Data. We may collect, use, and disclose your Personal Data as required or permitted by applicable law. We will comply with collection requests unless (i) doing so would infringe on our (or any other person’s) rights, (ii) conflict with other applicable law, (iii) the request is manifestly unfounded or excessive, or (iv) we have responded to two of your prior collection requests within the preceding 12-month period. Our response will be limited to the twelve-month period prior to the request date, and you may request the following forms of information:
- 6.5.1 The categories of personal data we have collected about you;
- 6.5.2 The categories of sources from which we collected your personal data;
- 6.5.3 The business or commercial purposes for our collecting or selling your personal data;
- 6.5.4 The categories of third parties with whom we share your personal data;
- 6.5.5 A list of the categories of personal data disclosed for a business purpose, in the prior twelve months, along with the categories of recipient for each category of personal data, or that no disclosure occurred; and
- 6.5.6 A list of the categories of personal data sold about you in the prior twelve months, along with the categories of recipient for each category of personal data, or that no sale occurred.
- 6.6 Medpace does not sell, or offer for sale, any personal data as that term is defined by the CCPA. We may disclose your personal data for the following purposes, which are not a sale: (i) if you direct us to share it; (ii) to comply with your requests under the CCPA; (iii) as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.
- 6.7 Residents of California may have a private right of action in the event of a data breach. Pursuant to California law, affected individuals must first notify us of the alleged violation and provide us 30 days to cure the alleged violation.
7. How to Contact Medpace
- 7.1 For more information about our commitment to protecting data privacy, or to exercise any rights you may have under applicable data privacy laws, please contact us at privacy@medpace.com, by telephone at +1 (513) 579-9911 (Cincinnati local), +1 (800) 730-5779 (USA toll free) or by mail at 5375 Medpace Way, Cincinnati, Ohio 45227 United States of America, Attn: Data Protection Officer.
- 7.2 We may occasionally update this Policy. If we make significant changes, we will notify users of the changes on our website, or through other means, such as email. We encourage users to periodically review this Policy for the latest information on our privacy practices. After such notice, use of our services by users in countries outside the European Union will be understood as consent to the updates to the extent permitted by law.