Skip to main content

SR-DDRC Privacy Policy

SR-DDRC Privacy Policy

The Southern Regional Drug Data Research Center (SR-DDRC), housed at the University of Alabama (US), is committed to protecting your privacy and ensuring transparency in how data is processed when you visit our website or interact with our services. We take your privacy seriously and strive to collect and use only the minimum amount of information necessary to evaluate our website effectiveness and/or communicate updates in support of our public health, research, and data dissemination goals.

The SR-DDRC does not sell your personal information and does not use your personal data for commercial purposes. Any information collected is used solely for purposes related to website functionality, communication, or user requests, as described in this policy.

About This Privacy Policy

This Privacy Policy explains how the SR-DDRC collects, uses, stores, and shares information obtained through this website and through direct interactions with users. This includes information that is voluntarily provided when contacting the SR-DDRC as well as limited, pseudonymized information collected through third-party analytics services. Pseudonymized information refers to data that use a randomly generated identifier to link your visit activities rather than information that directly identifies you.

This policy applies only to information collected through the SR-DDRC website and related communications. It does not apply to external websites that may be referenced on our website, which operate under their own privacy policies.

The SR-DDRC may review and update this Privacy Policy periodically to reflect changes in technology, legal requirements or our data practices. Any updates will be posted on this page with an updated date.

What This Policy Applies To

This policy applies to data collected by the SR-DDRC through:

  • Voluntary communications by contacting the SR-DDRC or joining our mailing list
  • Submissions related to data requests or data governance
  • Usage data gathered when interacting with the website

Who This Policy Applies To

This policy applies to users/visitors of our website, as well as anyone that opts in for voluntary communications through our mailing list or data requests.

Analytics Data

We use Google Analytics 4 (GA4), a third-party web analytics service provided by Google LLC, to analyze website traffic and user behavior. This service is used strictly for analytics and usage data purposes and does not utilize any advertising features. This data is used to understand how users interact with the site to improve functionality, usability, and performance. This data collection is only enabled after giving consent and can be revoked at any time to prevent future data collection.

What Is Collected

We collect limited, pseudonymous usage data through Google Analytics 4 to understand how visitors interact with the website. This data may include:

  • Pages visited
  • Time spent on pages
  • General device information
  • General browser information
  • Approximate location (country or region)

This data is collected using a randomly generated identifier (Google Analytics client_id). It does not directly identify the user. Some user information, such as IP addresses, is used by Google Analytics for transient processing of user activities but is not stored.

What Is Not Collected

We do not store any personally identifiable information using Google Analytics including:

  • Names
  • User ID
  • Email addresses
  • Phone numbers
  • Account or login information
  • Payment information
  • Advertising identifiers
  • Precise location data
  • IP addresses

We do not use analytics data for advertising, remarketing, or profiling purposes.

IP Anonymization

GA4 is set up to anonymize IP addresses by default and ensures that IP addresses are masked within the EU/EEA (or immediately upon collection) before being stored or processed. This allows Google to determine a coarse geolocation without storing and processing an individual’s full IP address. Immediately following geolocation, these masked IP addresses are disposed of and are not stored, logged, or retained.

Pseudonymized Analytics Data

GA4 assigns a randomly generated, pseudonymous Client Id to your browser using cookies (including the _ga and ga{container-id} cookies). This identifier allows us to distinguish unique visitors to the website without collecting personally identifying information or identifying individuals.

Legal Basis for Processing

We collect site usage data for our site’s visitors in accordance with the General Data Protection Regulation (GDPR; https://gdpr.eu/) passed by the European Union, only processing pseudonymized data and only after explicit consent is given by the user.

Data Sharing and International Transfers

Analytics data are processed by Google on behalf of the SR-DDRC and may be transferred to and processed in countries outside the European Economic Area. Google implements appropriate safeguards for international data transfers, including Standard Contractual Clauses, in accordance with GDPR requirements.

Data Retention

Analytics data collected through GA4 is split into Event Data and User Data. Event Data is deleted after a period of 2 months, and User data is deleted after a period of 14 months.

Cookie Preferences and Opting Out

We use cookies solely for analytics purposes. These cookies help us understand how users use our website and help guide decisions on site improvement. You can control or prevent the collection of analytics data by declining our request to place the cookie or by adjusting your browser settings to block or delete cookies. You may also install the Google Analytics Opt-Out Browser Add-On, which prevents Google Analytics from collecting data about your website visits.

These cookies are only tracked when the user gives consent on our website. On first visit the user will be prompted with a cookie policy banner that they may accept/decline. The user may also choose to revoke/grant consent at any point using the cookie preferences portion of the website. When a user chooses to revoke access, any existing cookies are deleted, and data collection is stopped immediately.

Analysis and Derivative Data Products

In some cases, information collected by SR-DDRC may be used for analytical purposes or to develop derivative data products, such as summary statistics, reports, dashboards, or research outputs. Where applicable, data are aggregated and anonymized or de-identified in accordance with applicable guidance and best practices. This information will be used in the aggregate to report on website utilization to stakeholders and for evaluation reporting.

These products are developed for research, public health, informational, and non-commercial purposes and are not used for advertising, marketing, or promotional activities.

Your Rights

Depending on your location, you may have the right to:

  • Withdraw consent at any time
  • Request information about the data we collect
  • Request deletion of analytics data where technically feasible

Because we do not collect directly identifiable information, we may not be able to associate analytics data with a specific user deletion request. Please see the GDPR text (https://gdpr.eu/) for more information about your rights.

Voluntary Communications

Voluntary Communications with the SR-DDRC encapsulates joining the SR-DDRC mailing list as well as making data requests to the SR-DDRC. While there are slight differences in how this data is managed and processed, the data is very similar and is only captured on a voluntary basis.

Mailing List

The SR-DDRC allows users to voluntarily join a project-specific mailing list by providing their name, email address, and optional information about their organization or sector (e.g., public health, public safety, academic, or community-based organizations). Contact information is used to distribute project updates, announcements, domain-related information, and information related to SR-DDRC activities.

Users may unsubscribe from the mailing list at any time by following the instructions included in our communications or by contacting the SR-DDRC directly.

Data Requests and Communications

Users may submit requests to the SR-DDRC for access to specific data products. Information provided as part of these requests, including contact information and request details, is retained for administrative, record-keeping, governance, and archiving purposes. This information is used to evaluate requests, communicate with requestors, and maintain documentation related to data governance and compliance requirements.

Information collected through data requests is not shared outside the SR-DDRC except as required to fulfill the request, comply with applicable legal or institutional obligations, or protect the integrity and security of SR-DDRC data resources. As the SR-DDRC is housed within the University of Alabama (UA), data requests and associated data-use agreements are subject to applicable University policies and review processes.

Use of Aggregated Mailing List Information

At an aggregated level, optional organization or sector information may be used to better understand the types of audiences engaging with SR-DDRC resources and to inform the development of website content and data products that are relevant to the needs of different stakeholder groups.

This information is analyzed only in summary form and is not used to profile individuals, make automated decisions, or deliver third-party commercial or advertising content.

Changing Your Preferences

If you choose to join the SR-DDRC mailing list, you may withdraw your consent to receive communications at any time. The simplest way to do so is by using the unsubscribe link included in our emails or by contacting SR-DDRC directly at info@sddrc.com.

SR-DDRC does not use personal information for third-party advertising or targeted marketing purposes. Communications will be primarily informational updates related to SR-DDRC activities, research, and public resources.

How We Store and Process Your Data

Mailing List

Information voluntarily provided to the SR-DDRC, such as mailing list contact details or information submitted as part of a data request, is stored securely using institutionally approved systems and access controls. Access to this information is limited to trusted and vetted personnel with a legitimate need to perform administrative, communication, or governance-related functions. The mailing list will be stored in spreadsheet format on secured computers using software like MS Excel and collected using a secured virtual survey service such as MS Forms or Qualtrics. These emails will be stored for the life of the project or until an unsubscribe request is received, after which email contact information will be deleted within one week. Currently, no service providers are used to manage correspondence, but a service such as Constant Contact may be engaged in the future.

Data Requests and Communications

Data is processed in accordance with established data-use agreements, institutional policies, and applicable legal or regulatory requirements. Logged data request information and communications will be retained to support recordkeeping, compliance, auditing, and research governance obligations.

The SR-DDRC implements rigorous administrative, technical, and organizational safeguards to protect information from unauthorized access, alteration, disclosure, or loss. Data is not used for automated decision-making or profiling, and personal information is not processed for third-party commercial or advertising purposes.

Third Parties

We do not share your personal information for commercial purposes, and we never sell user data. Information collected through data requests or other SR-DDRC activities may be shared with third parties only as required to fulfill legal, contractual, or governance obligations, such as data-use agreements reviewed by UA’s Office for Research & Technology Agreements. All such sharing is strictly controlled and limited to what is necessary to comply with these obligations.

Contacting Us, Exercising Your Rights

The Southern Regional Drug Data Research Center acts as the data controller for this website. The applicable lawful basis depends on the nature of the interaction and the type of information involved.

This policy will be reviewed and updated from time to time to reflect changes in legal requirements or SR-DDRC data practices. Where material changes occur, updates will be posted on this page, and users will be notified where contact information is available and notification is appropriate.

Where processing is based on consent (such as for mailing list communications), you have the right to withdraw that consent at any time. Other processing activities may be subject to legal, contractual, or institutional obligations that limit withdrawal or deletion.

For questions regarding this privacy notice or data protection practices, please contact: info@sddrc.com.