Privacy Policy
Version 1.1, last updated 09th of February 2024
This Privacy Policy explains in general terms how Novoic Ltd and its wholly owned US subsidiary ("Novoic", "we", "us", or "our") collect, use, disclose, and process your personal information in connection with our website, services, and other online platforms (collectively, the "Services"). Novoic is a digital health company which provides services to facilitate brain health awareness, support clinical trials and medical research studies. As the data controller of the information we collect when you interact with our Services, we determine and are responsible for how your personal information is used.
We take your privacy very seriously, and are committed to protecting your personal information and your right to privacy. This privacy policy sets out our approach to protecting your personal data, recognising that different jurisdictions and legal systems will apply depending on your location of residence. We comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) in the UK and EU.
This Privacy Policy, together with the Terms of Use, regulates your use of our services. By using our services, you consent to the practices described in this Privacy Policy and the Terms of Use. If you do not agree with the terms of this Privacy Policy or the Terms of Use, please do not use our Services.
1. The data we collect about you
This section provides a summary of how information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
1.1 Which personal information we collect from you
Personal data, or personal information, means any information relating to an identifiable person that could be used to identify or be associated with a specific person or household. The types of personal information we may collect, store, and transfer include:
- Identity information, including your first and last name, date of birth, and biological sex at birth.
- Contact information, including your zip or postal code, email address, and phone number.
- Speech Recordings collected during the speech-based tasks.
- Race and ethnicity information to monitor the representativeness of users of our services. These questions are optional. We do not collect any other Special Categories of Personal Data (including religious or philosophical beliefs, sex life, sexual orientation, political opinions, and trade union membership) without your explicit consent.
- Communications Data, including our communications with you, your contact preferences on receiving information from us and/or our affiliates.
It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal data changes while you engage with our Services.
Some information might be collected automatically when you use our services. This could include the following technical data: your internet protocol “IP” addresses (or proxy server), operating system, browser type and version, time zone setting, location information, access time and domain name, the URL entered and the referring page/campaign. We will also collect other technical or site use data, including your journey through our services, objects you click on or interact with, and system activity and error reports.
We may also collect personal health data, including information in relation to any aspect of your health and/or consequences of taking part in any clinical trials organised by our partners or affiliates. We’ll always ask your explicit consent for this and ensure that this data is processed in accordance with applicable health data protection laws.
1.2 How we collect your personal data
We collect personal information from direct interactions with you, such as when you register an interest to participate through our Websites, communicate with us and agree to our services.
We also automatically collect passive technical information about your equipment and browsing actions while you interact with our website.
We may collect personal information from third-party sources that you interact with in relation to our services or materials or recruitment drives for clinical trials or research. This may include community partners, clinical trial sites, recruitment organisations, analytics providers (e.g., Google, Facebook), advertising networks, social networks, portals, and search information providers. Please note that we are not responsible for the privacy practices of these third-party sources, and we recommend that you review their privacy policies.
If you are matched with a clinical trial site as part of using our services and/or enrolling in one of our studies or registries, we may receive information about your health characteristics and trial participation outcomes from the site or partner organisations. We handle this sensitive information carefully and in compliance with all relevant data protection laws.
1.3 Cookies policy
Novoic may use cookies and similar technologies to collect information for analyzing user activity and improving the functionality of our services. We may also receive information through cookies from third-party providers, including social media providers, to monitor and analyze user interactions with our services.
1.4 How we use your personal information
We will only use your personal information when legally permitted and in compliance with applicable data protection laws, such as the General Data Protection Regulation (GDPR) in the EU, UK-GDPR in the UK, and other applicable data protection laws elsewhere. We will not use your personal information for purposes other than those specified in this Privacy Policy unless we obtain your explicit consent for such additional purposes. We process your personal data based on one of the following legal grounds:
- Consent: We may process your personal data when you have given us explicit consent to do so for a specific purpose. For example, when you opt in to receive marketing communications or participate in clinical studies.
- Performance of a contract: We may process personal data to fulfil our contractual obligations with you, such as providing services that you have requested or information about clinical studies you have expressed interest in.
- Legal obligation: We may process your personal data when it is necessary to comply with a legal or regulatory obligation, such as responding to a lawful request from authorities.
- Legitimate interests: We may process your personal data when it is necessary to pursue our legitimate interests or those of a third party, provided that your rights and interests do not override these. Legitimate interests may include improving our Products and Services, conducting research, and maintaining the security and integrity of our systems.
Most often, we use the collected personal information for the following purposes:
- Facilitating the provision of your information to trusted research partners, clinical trial organizers, clinical trial sites, and clinical research organizations to allow contact with you for participation in research or clinical trials, on the legal basis of your consent.
- Contacting you to provide updates on our services, informing you of clinical trial opportunities, send marketing information or newsletters, or send reminders for scheduled screening tests or other relevant events, on the legal basis of your consent or our legitimate interest in keeping you informed about our services and opportunities.
- Secure storage, processing, and analysis of your data in partnership with third-party providers, on the legal basis of our legitimate interest in providing a high-quality service and maintaining data security.
- Doing internal research and improving the user experience of our Services, on the legal basis of our legitimate interest in improving our offerings and ensuring customer satisfaction.
- Research and development: We may use your personal data to conduct research and development activities aimed at improving our Services, understanding the effectiveness of our offerings, and developing new products, services, or features, on the legal basis of our legitimate interest in innovation and maintaining our competitive advantage, or with your explicit consent when required by law.
Please note that we may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. If you need more information about the legal bases on which we rely for processing your personal data, please contact us using the information provided in section 4.7, "Contact Information."
2. Brain Health Awareness and Opportunities to participate in Clinical Research
2.1 Brain Health Awareness
Novoic is collecting your personal data with the aim of facilitating brain health awareness, and if you’re interested, opportunities to participate in clinical research. Your personal data may be shared with our trusted partner sites for the purpose of contacting you to discuss brain health, and if you’re interested, learn more about clinical research. The purposes for which your personal data will be used are addressed in this Privacy Policy. You should carefully review this Privacy Policy to understand how your personal data is processed in relation to clinical studies.
2.2 Future contacting
If you provide your consent to do so, we or our partner organisations may keep your personal information and contact you about content related to brain health, and to learn more about clinical research. This will involve keeping your personal and contact information.
We would like to keep your information up-to-date, and we may re-contact you to update your information. You can opt out of our mailing list at any time; see section 4.1 “Opting out”.
2.3 Communication Methods
We may contact you by telephone and email, which may include automated calls or email notifications. These communications may be for the purpose of providing updates on our services, informing you of clinical trial opportunities, sending marketing information or newsletters, or sending reminders or information about relevant events.
As standard email is not encrypted, there is a risk that unauthorized individuals could intercept our email communications. We cannot be held responsible for the privacy of email messages, except for those stored within our system. Please note that we will never ask for personal and sensitive information, such as bank account details, through email.
By providing your contact information and using our Services, you acknowledge and agree to receive these communications from Novoic. You can manage your communication preferences and opt-out of receiving certain types of communications by contacting us using the information provided in section 4.7, "Contact Information".
3. How we use your personal data
We only share your personal data with trusted partners, clients and service providers. All third parties with whom we share your data are required to respect the security of your personal data and treat it in accordance with the law.
3.1 With whom we will share your personal data
We may disclose your personal data to our partner organisations, which may include brain health experts, clinical trial organisers, clinical trial sites, clinical research organisations, or appropriate medical centres. This will allow these parties to contact you in relation to your results, and if you’re interested, about participating in a clinical trial or other clinical research. We only do this with your explicit consent.
We may also need to share your personal data with the third parties described below:
- Subcontractors that help us store, process, and analyze your data.
- Subcontractors who provide services for us and/or help to provide services to you.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change of control arises in relation to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
- To comply with the law, we will share information about you if required by state, federal, or national laws.
- If you agree or ask us to, we may display your testimonial on our website or in materials related to our services.
3.2 Security and Confidentiality
We and our partners use suitable security measures to protect your personal data against accidental loss, unauthorized access, alteration, or disclosure. Access to your data is limited to employees, agents, contractors, and third parties who need it for business purposes.
Security measures employed to protect users' personal data include encryption, secure servers, access controls, and regular security assessments. We store your information on secure cloud servers located in the UK, EU, or USA. Our data protection practices comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the General Data Protection Regulation (GDPR) for EU residents, the 2018 Data Protection Act for UK residents, the California Consumer Privacy Act (CCPA) for California residents, and other relevant data management laws across other countries or regions where we operate.
Novoic has procedures in place to handle suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
3.3 Data retention
We keep your personal data only as long as needed to fulfil its purpose, meet legal, accounting, or reporting requirements.
To determine the retention period, we assess the data's amount, nature, sensitivity, the risk of harm from unauthorized use or disclosure of your personal data, the processing purpose, and if we can achieve the purpose differently. We also consider legal requirements and the duration of time for data retention specified in your consent form.
In certain cases in the EEA and UK, you may request data deletion. Refer to section 4.2 "Rights of EU and UK citizens" for details.
For research or statistics, we may anonymize your data (making it unlinked to your personally identifiable information) and may use it indefinitely without further notifying you.
3.4 International Transfers
Novoic may transfer personal information across borders to provide our Services, process data, or comply with legal requests. In doing so, we ensure that appropriate safeguards are in place to protect users' personal information during these transfers. These safeguards may include:
- Standard Contractual Clauses: Novoic enters into agreements with our data processors and other third parties, incorporating standard contractual clauses approved by the European Commission or other relevant authorities, to ensure the protection of personal information when transferred outside of the European Economic Area (EEA) or other jurisdictions with strict data protection laws.
- Adequacy Decisions: Where possible, Novoic will transfer personal information to countries that have been recognized by the European Commission or other relevant authorities as providing an adequate level of data protection.
- Binding Corporate Rules: In cases where standard contractual clauses or adequacy decisions are not applicable, Novoic may rely on binding corporate rules to ensure the protection of personal information during international transfers.
- User Consent: We will obtain your consent for international transfers of personal information when required by applicable laws and regulations.
By using our Services, you acknowledge and agree to the potential transfer of your personal information across borders in accordance with the safeguards described above.
3.5 Third party links
Our Services may include links to third-party websites, plug-ins and applications to provide other sources of information for our visitors. Clicking on those links or enabling those connections may allow third parties to collect data about you. We do not control these third-party websites and are not responsible for their use of your personal information, the content of those sites or their own privacy statements.
4. Your Rights
Based on the relevant laws and regulations in your country or place of residence, you may have the right to request access, correct, delete, and object to the processing of your data. To request to review, update or delete your personal information please contact us directly, see section 4.7 “Contact Information”, below. We will respond to your request in a timely manner and in accordance with applicable laws. We will not discriminate against you for exercising your privacy rights.
4.1 Opting out
You can ask us to stop sending information/reminder messages at any time by contacting us, or by unsubscribing from our email lists. You can manage your consent for data processing or opt-out of specific processing activities at any time. To opt-out of our email communications, you can follow the "unsubscribe" link in the relevant email communication. To opt out of all communications or withdraw consent you can contact us directly, see section 4.7 “Contact Information”, below. Please note that opting out of communication may impact your use of our services.
4.2 Rights for European Union (EU) and United Kingdom (UK) residents
For residents of the United Kingdom and the European Union, the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act 2018 provide additional rights, including:
- Right to data portability: The right to receive personal information in a structured, commonly used, and machine-readable format and, where technically feasible, to have the data transmitted directly to another data controller.
- Right to restrict processing: The right to request that Novoic restricts the processing of personal information under certain circumstances, such as when the user contests the accuracy of the data or when the processing is unlawful but the user opposes erasure.
- Right to object to automated decision-making: The right to object to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them. Novoic shall provide an opportunity for users to express their point of view and contest the decision. As described in section 6, Novoic does not make decisions based solely on automated processing.
- Right to erasure: The right to request the deletion of your personal data, subject to certain exceptions.
- Right to access and rectify: The right to request access to your personal data and to have any inaccurate personal data rectified.
To exercise these rights, EU and UK residents should contact us directly; see section 4.7 “Contact Information”, below.
4.3 Privacy of your health data in the United States
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and subsequent regulations issued by the Department of Health and Human Services ("DHHS") impose certain restrictions on organizations (Covered Entities) that may fall under HIPAA concerning your relationship with our company. Although Novoic is not a Covered Entity, when providing services for Covered Entities, Novoic might act as a Business Associate under HIPAA and adhere to the relevant privacy and security requirements.
Our data security policies align with Good Clinical Practice, HIPAA, and GDPR standards.
We also comply with other applicable US state privacy laws, such as the California Consumer Privacy Act (CCPA), Nevada Privacy Law, and the Virginia Consumer Data Protection Act, if applicable.
4.4 Rights of people in the state of California
If you are a resident of California, you have certain rights under the California Consumer Privacy Act (CCPA) regarding your personal information. As a California resident, you have the following rights under the CCPA:
- a. The right to request access to your personal information.
- b. The right to request deletion of your personal information.
- c. The right to opt-out of the sale of your personal information (if applicable).
- d. Right to Request Information about Disclosures for Direct Marketing Purposes.
- e. The right to non-discrimination for exercising your CCPA rights.
To exercise your rights under the CCPA, please submit your request in writing to our Data Protection Officer using the contact information provided in Section 4.7 "Contact Information." Please include your full name, email address, and a description of the specific right you wish to exercise. We will respond to your request within 45 days, as required by the CCPA. Please note that the rights provided under the CCPA apply only to residents of California.
4.5 Children and Vulnerable Populations
Novoic does not knowingly collect data from children under the age of 18. By using our services, you confirm that you are at least 18 years of age. If we become aware that we have inadvertently collected personal information from a child under the age of 18, we will take appropriate steps to delete such information from our records in accordance with applicable laws and regulations. If you become aware that we may have collected any data from children under age 18, please contact us directly using the information in section 4.7 “Contact Information”, below.
Our Services are intended for use by adults, including elderly individuals and those who may have cognitive or neurological issues. We recognize the importance of protecting the privacy of vulnerable populations and take additional measures to ensure their information is handled with care and in compliance with applicable laws and regulations.
For users with cognitive or neurological problems, we recommend involving a trusted family member, caregiver, or legal guardian during the registration process and when using our Services to ensure informed decision-making and proper understanding of our Privacy Policy.
4.6 Complaints
You can complain if you feel that your privacy rights have been breached. To do so, please reach out to our Data Protection Officer (refer to 4.7 “Contact Information”, below).
You are entitled to file a complaint with the appropriate national supervisory authority in your country of residence at any time. To learn more about this right and find the suitable Data Privacy Authority, if you are based in the European Economic Area please find your National Data Protection Authority on the European Commission website (https://ec.europa.eu/newsroom/article29/items/612080). For those in the UK, consult the Information Commissioner's Office (ICO) website (www.ico.org.uk). If you reside in the United States, you may contact the US Federal Trade Commission regarding your concerns (https://www.ftc.gov/faq/consumer-protection/submit-consumer-complaint-ftc). If you reside in Switzerland please contact the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home.html).
Please note that this is not an exhaustive list. You can find the relevant DPA for your jurisdiction by searching online or consulting local data protection laws.
However, we kindly request that you give us the opportunity to address your concerns before reaching out to a national supervisory authority, and would be grateful if you contacted us first. Please find our contact information below in section 4.7 “Contact information”.
4.7 Contact information
If you have any questions, requests, or complaints about our website or services, if you need more information about our privacy practices and the information we collect from you, or if you have privacy rights requests, please use the following contact information:
Name of legal entity: Novoic Ltd
Data protection officer: Dr Jack Weston
Email: support@novoic.com.
Address: 50-52, Wharf Road, Wenlock Studios,
Office G.107, London, United Kingdom, N1 7EU
5. Automated Decision Making and Profiling
- 5.1. Our Services, including Storyteller, use automated systems to process your personal data, including demographic information, location, contact information, and performance on speech-based tasks, to match you with potential clinical trials. This process may involve profiling based on your provided information.
- 5.2. Importantly, the automated systems do not make the final decision on whether you are contacted by our partner sites. This decision is always made by the site staff, who review the data provided by our Services, including Storyteller.
- 5.3. The automated processing and profiling conducted by our Services, including Storyteller, are designed to facilitate brain health awareness, but they do not produce legal effects concerning you or similarly significantly affect you.
- 5.4. If you have any concerns about the automated processing or profiling conducted by our Services, including Storyteller, please contact us using the details provided in section 4.7.
6. Changes to privacy policy
We reserve the right to modify or change the terms of this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date and version number, and will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we will notify users of any changes by email, posting on our website, or using other appropriate communication channels. We encourage you to review this Privacy Policy periodically to be informed of how we use your information. Your continued use of our Services constitutes acceptance of the updated Privacy Policy. Our up-to-date Privacy Policy can be found at: https://novoic.com/storyteller/privacy
7. Terms of Use
Before accessing our Services you must agree to the Terms of Use (available at https://novoic.com/storyteller/tos) and this Privacy Policy. If you do not accept the Terms of Use or Privacy Policy outlined, you may not access or use the Services or content. By using or accessing our Services, you confirm that you have read, understood, and agreed to be bound by this Privacy Policy and Terms of Use. Please note that the Terms of Use include important information about your legal rights, remedies, and obligations, including various limitations and exclusions.