Privacy Policy

Your privacy is important to you. It is also important to us at ECRI. We respect your privacy and understand the importance of protecting your personal information. The protection, confidentiality, and integrity of your personal data are our prime concerns.

Please read this Privacy Policy carefully. It explains the role of ECRI as a data controller and data processor of personal information that we collect, including (i) what data we collect, (ii) why and how it is collected and used, (iii) our rights to use it, (iv) how long we keep it, and (v) how it may be shared.
This Privacy Policy may be updated periodically by ECRI. We will notify you via the website of any future changes to our processing purposes that affect how we use your personal data.

We will only use your personal information to administer your account, provide the products and services you have requested from us, and to keep you informed about our products and services. Here are important details:

Our services

ECRI offers multiple services and products that are delivered via our websites and via written contracts with ECRI customers. Some of those products and services involve the use of personal data in printed form and others in the form of electronic data. Information and contract terms for each product are located in your membership or services agreement with ECRI, the Terms of Service section of, and in written customer contracts. Please see your membership or services agreement, the Terms of Service, and your written customer contract, as applicable, for important information about specific products and services.

What personal data do we collect?

We need certain personal information to be able to deliver our products and services and to keep you informed of our other services. You provide some of this data directly, for instance when you register on our website or data is provided as part of an organizational membership or service. We also collect usage data from our website, via Google Analytics and HubSpot.

When you register on our website or order a service, the information we collect may include:
1. First and Last Name
2. Title
3. Email address
4. Your business telephone number
5. Your business fax number
6. Payment and billing information, e.g., purchase order number and addresses
7. Company name
8. Company address
9. Business registration number
10. VAT/IVA number
11. Additional members name and email address
12. For suppliers we collect bank account details plus all of the above
13. IP Address
14. IP based Geographical Position/location
15. Browser Agent

We may receive your personal information from our customers pursuant to written contracts that specify the particular uses for which ECRI may access, use, transmit and store your personal information. In such cases, (i) ECRI’s customer is responsible for obtaining your prior consent before we collect and process your personal information, and (ii) ECRI is not required to separately obtain your individual consent for the permitted uses described in this Privacy Policy. Examples of personal information that may be obtained from ECRI’s customers include the demographic information described above, plus data about your personal health, including without limitation, diagnoses, treatments, insurance, and payment information.

We may also receive data from third parties that provide technical and administrative services to ECRI. For instance, we collect usage data for our website via Google Analytics and HubSpot. The partners listed below currently provide a variety of back-office services to ECRI. This list may be updated periodically by ECRI. If a material change in the relationship between ECRI and any of our partners is reasonably expected to have a material effect on you, we will notify you by email.

Website hostingWeb Design Hertfordshire
Survey ServicesSurvey Monkey UK LTD
Website trafficGoogle
Email ServicesMicrosoft
Application HostingIT Builder Ltd
Accountancy (ECRI UK)Alvis & Company
Accountancy (ECRI US)Alvis & Company
Marketing AutomationHubSpot
Colocation ServicesIron Mountain and TierPoint, LLC
Data De-Identification ServicesPrivacy Analytics

ECRI’s partners are not permitted to use personal data obtained from ECRI for any purpose other than performing services for ECRI, unless otherwise approved.

Cookies and other similar technologies
ECRI uses cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base as a whole. We also use the services of Google Analytics Solutions to measure website usage.

Examples of cookies that we use are:

By using our websites, you agree that we can place cookies and similar tracking technologies on your device.

Location Records

As an additional security measure, your login to ECRI websites may be associated with the internet address (IP Address) from which you log in.

How do we use your personal data?
We only use your personal data for the purposes for which it was collected, to provide you with information about our products and services, and where relevant, to meet local legal obligations. We use your personal data for the following purposes:

  • Performance of contracts with users. To provide you with the products and services you have purchased. For example, we use your personal information to facilitate access to our web service.
  • Performance of commercial contracts. To process personal information received from companies that purchase products and services from ECRI Institute. We may receive data from our customers, subject to written agreements that specify the particular uses for which ECRI Institute may access, use, transmit and store your personal information. Our customer is responsible for obtaining your consent prior to your personal information being sent to ECRI Institute. ECRI Institute is not required to separately obtain your consent to the permitted uses described in this Privacy Policy. Examples of personal information that may be obtained from our customers include your name, address, contact information, and social security number or other unique identifier, plus data about your personal health, including without limitation, diagnoses, treatments, insurance, and payment information.
  • Contribution of de-identified personal information to master file available to healthcare providers and others under contract with ECRI. As part of the mission of ECRI to promote healthcare research and education, personal data received by ECRI may de-identified and stored in a proprietary, encrypted database that is made available on a subscription basis to customers pursuant to a written agreement for research and educational purposes.
  • Customer support. To support you in your use of our products and services. This includes the use of personal information to diagnose product issues and provide other account-related services.
  • Customer engagement and communication. To communicate with you via email or other electronic media for instance on service issues, invoices, renewals etc. Other instances where we engage with you include confirming the purchase of a product, resolving complaints, and asking you to take part in one of our product surveys.
  • Marketing by ECRI. To send you information about our products and services that may be of interest to you. We communicate with you via email or other electronic media. You have the right at any time to stop us from contacting you for marketing related purposes. You can unsubscribe, change your settings on‐line or contact our Customer Support team to do so. See Your Rights, Questions, Concerns, and Complaints below for information about withdrawing your consent and to lodge complaints.
  • Legal obligations. To meet our legal obligations. For example, complying with requests from competent authorities, performing our administrative obligations, and meeting our obligations in legal disputes.
  • Improving and personalizing our products and services. To improve the experience of you and other users with our products and services. We may also use your information in connection with a contractual obligation to provide consultancy services to you.
  • Maintenance, development and incident management. To address issues you may have with a product or service, and for administrative purposes during routine maintenance tasks.
  • General business process execution, internal management and management reporting. To be able to run our business. This includes processing your information for accounting, legal, and other administration related purposes, management reporting, billing and collection, and processing in relation to audits.

Notice to European Union data subjects: The decisions relating to the purposes and means of the personal data processing are in principle decided by ECRI European Office which acts as data controller and data processor for this personal data processing. ECRI USA acts as a sub-data processor and jointly decides some means of data processing.

With whom do we share your personal data?

We only share your personal data with third parties that perform services for ECRI. We do not permit third parties to use your personal information for any other purposes. We do not permit any third party to use your personal information for their own direct marketing purposes.

  • To the extent necessary to operate our business, to provide you our products and services, to perform our customer contractual obligations, to complete any related transactions and collect related payments, to provide customer care, and to communicate with you in connection with our products and services.
  • Where you gave us explicit consent to do so.
  • As required by regulatory authorities (e.g., HMRC in the United Kingdom).
  • If we are legitimately requested or obliged to do so pursuant to law enforcement, e.g. for investigation of illegal activities.
  • To enforce our contract with you, for instance in cases where you have not paid for your service/ product, we may share your information with a debt collecting agency.
  • To enforce our rights towards third parties, or to defend ourselves against any third-party claims or allegations.
  • To protect the security, integrity or safety of our services.

We may also disclose or transfer your personal information in connection with a re-organization, merger, consolidation, joint venture, or other business change involving the sale or disposition of ECRI or any of its offices or divisions.

Products and services are provided or performed in whole or in part by ECRI’s offices in the United States, Europe, Middle East and Asia Pacific. To be able to provide you with our products and services, we rely on some intra-company resources, such as the use of a common website customer access platform and local employees and contractors to perform professional services. This may involve sharing your personal data with different ECRI offices, some in locations that may not provide the same level of data protection as your own country. When your personal information is shared with an ECRI office in a different country from your own, ECRI requires that the recipient of your personal information implement appropriate safeguards to protect your data to the level required by the General Data Protection Regulation (“GDPR”), effective May 2018, that was enacted by the European Union for the protection of data subjects in the European Union. Any intra-company sharing of personal data is solely for purposes of operating our business and to provide you with our products and services as described in the Terms of Service.

Where is your personal data processed?

Depending on your location, your personal data may be processed in the United States or the United Kingdom. We may also share data with our international offices in the context of operating our business, providing our products and services, and other processing purposes as outlined in this Privacy Policy.

Personal information collected by our offices in the United States will generally be processed by staff located in the United States. This personal information will be processed and stored either on hardware owned and controlled by ECRI or on Supplier platforms noted earlier on this page. ECRI currently uses a Canadian company to de-identify certain data selected by ECRI.

Personal information collected by our office in the United Kingdom will generally be processed by staff located in the United Kingdom. For related application hosting e.g. ECRI-AIMS, your personal data will be processed and stored in the United Kingdom and other countries within the European Union.

To the extent any other personal data will be transferred to a country outside the European Union or an international organization, we will make sure that this only happens to such countries and international organizations that ensure an adequate level of protection, have put appropriate safeguards in place to protect your data and your rights in accordance with the EU privacy law (GDPR), or as is otherwise allowed under the GDPR.

We employ reasonable means to protect your personal information once received, but ECRI does not guarantee that personal information you send to us over the internet will not be lost, stolen, modified, or otherwise misused by unauthorized persons.

If you wish to receive more information of the safeguards we have implemented, please contact our Customer Support team at

How long do we keep your personal data?

We will retain your personal information only for as long as is necessary for the purposes for which the information was collected, or as long as is required pursuant to law.

If you discontinue using ECRI products and services, a portion of the record of your personal information will also be retained for the purposes of ensuring that we understand your contact preferences e.g. “Do not contact me”.

Data may be retained longer in cases where it is used in relation to a legal claim or is used in relation to a valid legal process.

Lawful basis for data processing

We only collect and process your personal data when there is a lawful basis to do so. The lawful basis we rely on in this respect includes:

Lawful BasisDescription
ContractWhere the processing is necessary to perform your contract with ECRI or the contract of an ECRI customer that has separately obtained your personal data.
Legitimate interestFor example; (i) A legitimate commercial interest to process certain of your personal data for running our business and the purposes of certain forms of direct marketing. (ii)If there is a legitimate interest from business or security perspective, e.g. to prevent fraud or abuse of our Services.
Legal obligationThe processing necessary to comply with a legal obligation, e.g. the legal obligation to share certain data on a police order for criminal investigation purposes.
Public interest taskThe processing necessary to assist in tasks in the public interest.
ConsentWhere you or an ECRI customer gave us explicit consent to process the data concerned, for example, if applicable ‐ to share your data with partners or other third parties for commercial purposes.

Your rights, questions, concerns, and complaints

If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time, by updating your preferences via our website or emailing We will discontinue the processing of your information upon receipt of your notice. However, any processing performed prior to your notice remains a legitimate processing based on a valid consent at the time. We will be under no obligation to reverse said processing. Where exercising this notice prevents the further delivery of our products or services to you, you will be deemed to have terminated your contract with ECRI.

You may also contact us by email at with any questions or comments about the way in which we use your personal information, to request a copy of the personal data that ECRI has collected from you that it retains in storage, to request corrections to your personal information, or to unsubscribe from mailing lists.

We will respond to your request within 30 days.

Data subjects in the European Union may also contact our Data Protection Officer (DPO) via If you are resident of the UK and feel that an issue has not properly been resolved, you also have the right to lodge a complaint with the supervisory authority ICO:

Responsible Entity

United States
5200 Butler Pike
Plymouth Meeting, PA 19462
(610) 825-6000

ECRI European Office
Suite 104, 29 Broadwater Road
Welwyn Garden City
Hertforshire, AL7 3BQ
Registration No. FC018589
Branch No. BR002963