Privacy Policy – 29 Nov 2023 | Privacy Policy – 29 Nov 2023 Updated November 29, 2023 Purpose “Signant Health” is the trademark name for a group of companies, including, but not limited to Bracket Global LLC, CRF Inc., Motentia, LLC, CRF Health Management Limited, VirTrial, LLC and any affiliates, successors, and subsidiaries, each as applicable. Signant Health is committed to transparency when it comes to its collection and use of Personal Data. This notice sets out Signant Health’s commitment to privacy, data protection, and individual rights and obligations in relation to Personal Data. This notice applies to all Personal Data of clients, clinical trial participants, health care professionals, vendors, job applicants, employees, contractors, former employees, and visitors to Signant Health’s website (such as cookies and internet tags) which is provided to, or collected and processed by Signant Health. If you are a resident of certain states in the United States, this Policy also incorporates our Supplemental Privacy Notice for US Residents, which includes additional information required to be provided under certain state laws. Signant Health respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. Signant Health strives to collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business. This notice may occasionally be updated. When material updates are made, the date of the last revision will be reflected at the end of the page. Data Protection Principles Signant Health processes Personal Data in accordance with the following data protection principles: · Processes Personal Data fairly, lawfully, and in a transparent manner. · Collects Personal Data only for specified, explicit and legitimate purposes. · Processes Personal Data only where it is adequate, relevant and limited to what is necessary for the purposes of Processing. · Keeps accurate Personal Data and takes all reasonable steps to ensure that inaccurate Personal Data is rectified or deleted without delay. · Keeps Personal Data only for the period necessary for Processing. · Adopts appropriate measures to make sure that Personal Data is secure, and protected against unauthorized or unlawful Processing, and accidental loss, destruction or damage. Signant Health takes responsibility for how it acquires, processes, and disposes of Personal Data, and for ensuring compliance with the above principles. Information collected Below is a high-level summary of the types of Personal Data we may collect from you. Following that high-level summary is additional detail and information on how we collect, process and use your Personal Data. Signant Health does not knowingly collect, maintain, disclose, or otherwise process Personal Data from minors below the age of 16 without the permission of such minor’s parents or legal guardians. Signant Health may process Personal Data as a data controller or as a data processor (or sub-processor). When Signant Health processes the Personal Data as a data processor (or a sub-processor), Signant Health (a) will only process the Personal Data in accordance with the applicable laws, rules, regulations, and as specifically directed by the data controller; (b) and will use the Personal Data only to the extent necessary to provide the services. Clinical trial participants and candidates Visitors to Our Corporate Websites and Physical Locations, and Senders of Inquiries Health Care Professionals Employees, contractors or candidates Customers (sponsors and CROs) Vendors Attendees at events Clinical trial participants and candidates We may process your Personal Data when you participate or intend to participate in a clinical trial or you are a caregiver of a patient who participates in a clinical trial that is sponsored by one of our customers. Signant Health provides software and various other services to clinical trial sponsors and CROs (Contract Research Organizations). Under such circumstances, Signant Health is the data processor, and the clinical trial sponsor is the data controller. The data controller may provide you with additional data privacy information. In all event, if you decide to participate in a clinical trial, you will receive a separate privacy notice from the data controller, which describes how your Personal Data is processed in the clinical trial. Examples of the types of data we process: Depending on the services Signant Health provides to the data controller, and subject always to applicable laws, Signant Health may process the following types of data: Identity and contact information, such as: • first and last name • patient ID • email address • postal address • phone number • signature Other personal information, such as: • age • gender • initials • date of birth • username • password Visual and audio information, such as: • still images • video or audio recordings Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type and/or device ID, if the device is provided by Signant Health • location data to enable Bluetooth connection to study devices (only for TrailMax). • activity on our website or applications • data collected from cookies or other similar technologies Health information • diseases • study visit dates • medical history and treatment information • responses to questionnaires/e-diaries Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get your Personal Data (1) directly from you; (2) from the devices you use; (3) from your caregiver; (4) from health care professionals. Why do we process the data? to send you your login credentials to provide the software/services to you and to our customers to send you reminder messages to determine your eligibility to participate in the clinical trial to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use of our software to improve our software and services for short-term, transient use for administrative purposes for quality assurance Signant Health’s role in the data processing: Signant Health processes the Personal Data on behalf of the study sponsor as a data processor. The study sponsor is the data controller of the Personal Data. The legal basis of processing: As determined by the data controller. Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies our customers (the data controller who sponsors the clinical trial) Health care professionals (members of the study team) vendors that assist us in providing our Services The device manufacturers or OS providers have no access to Personal Data. Visitors to Our Corporate Websites and Physical Locations, and Senders of Inquiries We may process your Personal Data when you (1) visit our websites or our physical locations; (2) submit inquiries to us online or offline; (3) sign up for our newsletters or other informational or marketing materials. Examples of the types of data we process: Identity and contact information, such as: • first and last name • email address • postal address • phone number Visual and audio information, such as: • still images • video (including via CCTV) • recordings of your calls Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type • Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our website • activity on our website and referring websites or applications • data collected from cookies or other similar technologies Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws. Where do we get the data? We may get the Personal Data (1) directly from you; (2) from the devices you use; (3) our security systems (CCTV); (4) third parties. Why do we process the data? to provide you with access to our website and to our services to communicate with you to send you updates to customize content for you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use of our website to improve our services for short-term, transient use for administrative purposes for marketing, internal research, and development for quality assurance Signant Health’s role in the data processing: Signant Health is the entity responsible for the collection and use of your Personal Data (known in some jurisdictions as the “data controller”) The legal basis of processing: for the purposes of our legitimate interests in circumstances where we have requested and received consent for other purposes that may be required or allowed by law Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies vendors that assist us in providing our services or help us improve our marketing or administration. Health care professionals We may process your Personal Data if you work at a research site and participate in a clinical trial that is or has been sponsored by one of our customers. Examples of the types of data we process: Depending on the services Signant Health provides to its customers, Signant Health may process the following types of data: Identity and contact information, such as: • first and last name • email address • postal address • phone number Other personal information, such as: • username • password Visual and audio information, such as: • video or audio recordings Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type and/or device ID, if the device is provided by Signant Health • activity on our website or applications • data collected from cookies or other similar technologies Professional and educational information • job title or position • employer • medical license number • work skills • employment history • degrees and certifications • clinical trial experience • specialized trainings and training records • performance metrics Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get the Personal Data (1) directly from you; (2) from the devices you use; (3) from our customers; (4) data may be generated based on your interaction with Signant Health. Why do we process the data? to send you your login credentials to provide the software/services to you and to our customers to send you reminder messages to communicate with you to provide you training to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use of our software to improve our software and services for short-term, transient use for administrative purposes for quality assurance for marketing, internal research and product development to assess your eligibility to participate in clinical trials to recommend you to clinical trial sponsors Signant Health’s role in the data processing: • When Signant Health provides services to a sponsor of a clinical trial or Contract Research Organization (CRO), Signant Health processes the Personal Data on behalf of the study sponsor as a data processor. The study sponsor is the data controller of the Personal Data. • Signant Health processes the Personal Data as a data controller for the following purposes: for marketing, internal research and product development to assess your eligibility to participate in clinical trials to recommend you to clinical trial sponsors for administrative purposes for quality assurance The legal basis of processing: As determined by the data controller for the purposes of our legitimate interests for other purposes that may be required or allowed by law your consent that you provided to the study sponsor/CRO or directly to Signant Health Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies our customers If you agree, your data may be shared with our other customers vendors that assist us in providing our services The device manufacturers or OS providers have no access to Personal Data. Employees, contractors or candidates We may process your Personal Data if you apply for a position at Signant Health or if you are an employee or a contractor at Signant Health. If you are a candidate, please visit our Recruitment Privacy Policy for further information on how we process your Personal Data. If you are an employee or a contractor, please visit the separate privacy notice that was provided to you for further information on how we process your Personal Data. Examples of the types of data we process: Identity and contact information, such as: • first and last name • email address • postal address • phone number Other personal information, such as: • age • gender • date of birth • marital status, dependents Visual and audio information, such as: • still images • video (including via CCTV) • recordings of your calls Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type and/or device ID, if the device is provided by Signant Health • activity on our website or applications • data collected from cookies or other similar technologies • geolocation Health information • disability • maternity, parental leave • sick leave Commercial and financial information • bank account information • tax information • salary Professional and educational information • job title or position • employer • work skills • employment history • degrees and certifications • training records • performance metrics Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get the Personal Data (1) directly from you; (2) from the devices you use; (3) from third parties (e.g. background checks); (4) data may be generated based on your interaction with Signant Health. Why do we process the data? to communicate with you to provide you training to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use and operation of our software and services to improve our software and services for short-term, transient use for administrative purposes for quality assurance for marketing, internal research and product development to assess your eligibility for a position to evaluate your performance to perform other employment related tasks Signant Health’s role in the data processing: Signant Health is the entity responsible for the collection and use of your Personal Data (known in some jurisdictions as the “data controller”). The legal basis of processing: for the purposes of our legitimate interests for other purposes that may be required or allowed by law to comply with legal obligations in preparation for or to perform a contract your consent that you provided to Signant Health Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies our customers vendors that assist us in providing our Services public and governmental authorities, to the extent required by law Customers (sponsors and CROs) We may process your Personal Data if work at one of our customers (sponsors and CROs) and interact with Signant Health and/or access our software. Examples of the types of data we process: Identity and contact information, such as: • first and last name • email address • postal address • phone number Other personal information, such as: • username • password • job title • employer Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type and/or device ID, if the device is provided by Signant Health • activity on our website or applications • data collected from cookies or other similar technologies Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get the Personal Data (1) directly from you; (2) from the devices you use; (3) from your employer. Why do we process the data? to send you your login credentials to provide the software/services to you or to your employer to communicate with you to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use of our software to improve our software and services for short-term, transient use for administrative purposes for quality assurance for marketing, internal research and product development Signant Health’s role in the data processing: • When Signant Health provides services to a sponsor of a clinical trial or Contract Research Organization (CRO), Signant Health processes the Personal Data on behalf of the study sponsor as a data processor. The study sponsor is the data controller of the Personal Data. • Signant Health processes the Personal Data as a data controller for the following purposes: for marketing, internal research and product development for administrative purposes for quality assurance The legal basis of processing: as determined by the data controller for the purposes of our legitimate interests for other purposes that may be required or allowed by law to comply with a legal requirement in preparation for or to perform a contract your consent Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies vendors that assist us in providing our Services The device manufacturers or OS providers have no access to Personal Data. Vendors We may process your Personal Data if you provide any services to Signant Health. Examples of the types of data we process: Depending on the services you provide to Signant Health, Signant Health may process the following types of data: Identity and contact information, such as: • first and last name • email address • postal address • phone number Technical Information, such as: • Internet Protocol (IP) address • browser type and browser language • device type and/or device ID, if the device is provided by Signant Health • activity on our website or applications • data collected from cookies or other similar technologies Commercial information • bank account information • tax information, including tax number Professional and educational information • job title or position • employer • work skills • degrees and certifications • specialized trainings and training records • performance metrics Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get the Personal Data (1) directly from you; (2) from the devices you use; (3) from third parties; (4) data may be generated based on your interaction with Signant Health. Why do we process the data? to provide the software/services to our customers to communicate with you to provide you training to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to ensure the appropriate use of our software to improve our software and services for short-term, transient use for administrative purposes for quality assurance for marketing, internal research and product development for vendor assessment and qualification Signant Health’s role in the data processing: Signant Health is the entity responsible for the collection and use of your Personal Data (known in some jurisdictions as the “data controller”). The legal basis of processing: for the purposes of our legitimate interests for other purposes that may be required or allowed by law your consent to comply with a legal requirement in preparation for or to perform a contract Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies our customers other vendors that assist us in providing our Services Attendees at events We may process your Personal Data if you attend professional events we sponsor or hold. Examples of the types of data we process: Identity and contact information, such as: • first and last name • email address • postal address • phone number Visual or audio information, such as: • still images • video (CCTV) Professional and educational information: • job title • employer • employment history • certifications and education • responses to questionnaires Anonymized / de-identified data • Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal Data under data protection laws Where do we get the data? We may get the Personal Data (1) directly from you; (2) from our business partners; (3) from your employer. Why do we process the data? to communicate with you to identify and authenticate you to detect security incidents to protect against malicious or illegal activity to improve our software and services for short-term, transient use for administrative purposes for quality assurance for marketing, internal research and product development Signant Health’s role in the data processing: Signant Health is the entity responsible for the collection and use of your Personal Data (known in some jurisdictions as the “data controller”). The legal basis of processing: for the purposes of our legitimate interests for other purposes that may be required or allowed by law in preparation for or to perform a contract to comply with a legal requirement your consent Who receives the data? Signant Health, our affiliates, subsidiaries, and related companies Other event attendees vendors that assist us in providing our Services How We Share Personal Data In addition to the third parties described under each category in the above section, we may share Personal Data with the following categories of third parties to accomplish the purposes set out above and for the additional purposes set forth below. To Protect Our Legal Rights or Comply with Legal Requirements. We may disclose Personal Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Sale or Transfer of Corporate Assets. In the event of a merger, sale, joint venture or other transaction involving a transfer of our business or assets, we may transfer your information to other parties involved in the transaction. Any entity acquiring our data assets will do so with the express, written commitment to use the data only for authorized purposes, and to maintain a similar level of privacy and information security protection. You will be notified via email or notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. With Your Consent. We may disclose your personal information to other third parties with your prior opt-in consent. Individual Rights You may have a right under your jurisdiction’s data protection law to the following rights with respect to some or all of your Personal Data: To request access to your Personal Data (including under GDPR Article 15); To request that we rectify or erase your Personal Data (including under GDPR Articles 16 and 17); To request that we restrict or block the processing of your Personal Data (including under GDPR Articles 18, 21 and 22 and to object to the sale or sharing of your Personal Data under other relevant laws); To provide your Personal Data directly to another organization, i.e., a right to data portability (including under GDPR Article 20); When we previously obtained your consent, to withdraw consent to processing (including under GDPR Article 21); and To lodge a complaint with the data protection authority in your area. We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. We may, after receiving your request, require additional information from you to honor the request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so. When we receive your Personal Data from our customers and process your Personal Data on their behalf, we do so in the capacity of a data processor. In such cases Signant Health may need to contact the data controller and follow the data controller’s instructions. To exercise these rights, please use Signant Health’s contact page https://signanthealth.com/contact-us/, direct email to dpo@signanthealth.com, or contact a Signant Health HR representative, as the case may be. Data Security Signant Health takes the security of Personal Data seriously. Signant Health has internal policies and controls in place to reasonably protect Personal Data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed by unauthorized users. However, as is the case with all websites, applications, products, and services, we unfortunately are not able to guarantee security for data collected through our products and services. In addition, it is your responsibility to safeguard any passwords, PIN codes, or similar individual information associated with your use of our products and services. Where Signant Health engages third parties to process Personal Data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data. Signant Health recognizes potential liability in cases where Personal Data may be transferred to third parties. Signant Health will not transfer any Personal Data to a third party without first ensuring that the third-party adheres to principles or similar laws providing an adequate and equivalent level of protection. International Data Transfers Your Personal Data may be transferred and maintained outside your state, province, country, or other jurisdiction where the privacy laws may not be as protective as those in your location, including the United States. We have put in place lawful transfer mechanisms and adequate safeguards, in accordance with applicable legal requirements, to protect your Personal Data. How long your personal data will be retained We generally retain Personal Data for as long as needed for the specific business purpose or purposes for which it was collected. In some cases, we may be required to retain Personal Data for a longer period of time by law or for other necessary business purposes. Whenever possible, we aim to anonymize the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the specified retention period. When we act as a data processor, the retention period is determined by the data controller. Cookies and similar technologies Signant Health uses cookies which are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website to improve users’ experience and for targeted advertising purposes. Cookies may expire at the end of your browsing session, or they may be stored on your computer ready for the next time you visit the website. You can prevent the setting of cookies by adjusting the settings on your browser (see your browser “Help” section for how to do this). Disabling cookies will affect how you experience our website. Contact us If you have questions or comments about this Notice or about how your Personal Data is processed, please contact us by using Signant Health’s contact page https://signanthealth.com/contact-us/ or email to dpo@signanthealth.com.