Areteia Privacy Notice (Effective Date July 30, 2024)

Your privacy is important to us. Please read this Privacy Notice (“Policy”) and any other privacy notice or fair processing notice Areteia Therapeutics (“ARETEIA”, “we” and “us”) may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

This Policy has been drafted as to be applied to personal information processing activities globally. The processing activities may be more limited in some jurisdictions due to the restrictions of their laws. For example, the laws of a particular country may limit the types of personal data we can collect or the manner in which we process that personal data. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of local law.

This Privacy Notice supplements our other notices (for example specific privacy notices we provide for the purposes of a specific clinical trial in a specific jurisdiction) and is not intended to override them.

This Policy is layered, so you can easily find to the information you want. Please click on the headings or subheadings to read the full text.

Contents

  1. Policy Scope
  2. Privacy Law and Principles
  3. Additional and supplementary privacy notices
  4. Important information and who we are
  5. How to contact us
  6. What types of personal data do we collect?
  7. What is Sensitive or Special Category Data
  8. Do you collect sensitive personal data?
  9. How do we collect your Personal Data?
  10. How and on what basis do we use your Personal Data?
  11. Selling Personal Data
  12. With whom do we share your Personal Data?
  13. Do you have a choice about the data we collect and use about you?
  14. Children’s Privacy
  15. How do we protect your Personal Data?
  16. Transferring your information overseas
  17. Keeping your Personal Data current
  18. How long do we keep your Personal Data?
  19. Data Subject Rights
  20. Withdrawing Consent
  21. Changes to Our Privacy Notice
  22. Data Privacy Framework
  23. Dispute Resolution
  24. Binding Arbitration
  25. Do Not Track
  26. Contact and Complaints
  27. Areteiatx.com Website Servers
  28. Additional Information for Residents of the European Economic Area (the “EEA”) and the United Kingdom (the “UK”)
  29. Additional Information for Residents of California

1. Policy Scope

This Policy applies to ways in which we interact with individuals, which we referred to herein as “Data Subjects”, in connection with our business, including, without limitation:

  • visitors to our website located at www.areteiatx.com (the “Website”);
  • directors, officers, employees and other representatives of portfolio companies in which ARETEIA has made an investment or is considering making an investment;
  • individual representatives of third-party sellers, placement agents, finders, investment bankers, consultants, lawyers, accountants, advisers and other service providers, whether or not engaged by ARETEIA;
  • directors, officers, employees and other representatives of ARETEIA;
  • individuals applying for or enquiring about employment with us;
  • individuals who consider or do invest with us and their representative agents with whom we interact during the normal course of business; and
  • visitors to our websites and users of any digital services we provide.

We may provide you, as required with a supplementary country specific privacy notice when you are a participant in a clinical trial.

2. Privacy Law and Principles

This Privacy Notice has been generally drafted is in accordance with the GDPR (EU General Data Protection Regulation) but may be applied to personal information processing activities globally. The processing activities may be more limited in some jurisdictions due to the restrictions of their laws. For example, the laws of a particular country may limit the types of personal information we can collect or the manner in which we process that personal data. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of local law.

We always strive to:

  • process personal data lawfully, fairly and in a transparent way.
  • obtain personal data only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • collect personal data relevant to the purposes we have told you about and limited only to those purposes.
  • take reasonable steps to ensure that personal data is accurate and kept up to date.
  • Subject to applicable legal or other requirements, keep personal data only as long as necessary.
  • use appropriate technical and/or organizational measures to ensure appropriate security of the personal data.

Please see the following sections for more information about specific jurisdictions:

3. Additional and supplementary privacy notices

Exhale Clinical Trials

Please note that we provide additional and/or supplementary privacy notices or similar disclosures for the clinical trials, which we Sponsor and these additional and/or supplementary privacy notices comply with the privacy law in the country in which they take place, they are provided to trial participants at the start of the clinical trial but if you want any further information, you can contact our Data Protection officer (“DPO”) at [email protected].

Employees

We provide our former or existing employees with supplementary privacy notices where we are required to do so and dependent on the employees’ geographies and jurisdictions.

General

We may also provide additional privacy notices for certain entities within ARETEIA, categories of Data Subjects (e.g., certain investors or prospective investors in a fund managed or advised by ARETEIA, and certain geographies and jurisdictions.

4. Important information and who we are

The website www.areteiatx.com is provided by Areteia Therapeutics, Inc. (‘we’, ‘our’ or ‘us’), a clinical stage biotechnology company whose purpose is to develop and deliver novel Inflammation and Immunology (I&I) therapies. We are the Controller of and responsible for your personal data as set out in this Policy.

We also act as a Sponsor for Clinical Trials and handle your predominately coded clinical trial data as detailed in the jurisdictionally compliant privacy notice, which is provided, where required by applicable law, for the clinical trial you are participating in.

5. How to contact us

Name: Please contact us via the Areteia Privacy Team

By email: [email protected]

By mail: Areteia Therapeutics, Inc.
101 Glen Lennox Dr
Suite 300
Chapel Hill, NC 27517

6. What types of personal data do we collect?

Personal Data. When we use the term “Personal Data” we mean information that reasonably can be used to identify you as an individual person.

The personal information that we collect depends on the context of your interactions with us and the website, the choices you make and your relationship with us and may include the following types of personal data:

  • Appointment and Interview Data
  • Behaviour: information about daily habits and moods.
  • Candidate data: your resume, application letters and forms; job details, work history interview notes and any other information you provide us with as part of your application process.
  • Commercial data: including tax information, bank account details, credit card number, money transfers including communications on bank transfers, assets, investor profile, credit history, debts, and expenses.
  • Communication Data: Any information you voluntarily provide, including online or through communication.
  • Contact data: data such as your postal address, tax ID, personal or work email address, mail address, work address, phone number, or other similar identifiers.
  • Education and Training data: information about your education, qualifications, training, degrees, certifications, specialisms, school name; school contact details; student number; qualification details; field of study; attendance dates; graduation
  • Identification data: name, passport number, tax ID, study identification number, internet protocol address, account name, social security number, driver’s license number, Age, gender, biological sex and date of birth.
  • Images: including your picture and other visual information.
  • Location data: includes your IP Address, telephone codes, address, clinic or hospital, work address, country of birth and/or residence , questionnaires. The physical location of your device by, for example, using satellite, ‎cell phone tower or Wi-Fi signals.
  • Marketing data includes preferences in receiving marketing from us and our third parties and communication preferences.
  • Payment data: money owed and paid and bank account for payment, tax details.
  • Professional data: includes professional or employment-related information, including your employment history, employer’s name, remuneration, references, training records, disciplinary and performance records, health and safety records, employment status: employer name; employer contact details; manager name; manager contact details; job title; pay rate; dates of employment; reason for leaving.
  • Technical data: includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access our website.
  • Profile Data includes username and password, interests, preferences, feedback, and survey responses.
  • Publicly available data includes identity and contact data from publicly available data sources such as LinkedIn.
  • Relationship data: Guardians and Parents relationship to minor data subject
  • Observations preferences and opinions: information included in questionnaires and consent.
  • Usage Data: includes information about how you use our website and services and online activity based on your interaction with us, our websites and applications for example searches, site visits browsing actions and patterns. Internet or other electronic network activity information, including, but not limited
  • Other Information relevant to conducting business with us or becoming our customer or Information classified as personal or protected information by state, federal, or other applicable law.

7. What is Sensitive or Special Category Data

Sensitive or Special Category Data is personal data that needs more protection because it is sensitive.

Where you choose to provide us with this information or we have a lawful reason for collecting it, we will only process that sensitive personal information in such jurisdiction if and to the extent permitted or required by applicable law.

8. Do you collect sensitive personal data?

We may collect sensitive Personal Data (in some jurisdictions this is called “Special Category Data”) depending on your relationship with us e.g. we collect sensitive data from employees or participants including:

  • Health data: data concerning health , sick absence notes, disabilities, medical history, medications, work accident injuries, examination notes and test results from the study (e.g., blood type, vital signs, urine test, x-rays, physical exams, known conditions, medical survey or questionnaire results, and other study-specific procedures required by the study protocol);
  • Demographic Data: including ethnicity and race
  • Sex: including sex life and sexuality
  • Pregnancy Information (for purposes of clinical trials): Information about women who are pregnant, such as Medical history, including information about any previous pregnancies, and list of current conditions, medications taken during pregnancy, date of last period (menstruation), the date pregnancy was confirmed by lab testing, and estimated pregnancy due date, results of all tests performed during pregnancy, problems or illnesses you have during pregnancy, updates on the status of pregnancy, outcome of pregnancy (e.g., birth of full term child, birth of a premature child, miscarriage, or early termination of the pregnancy), follow-up information on newborns will also be asked for, and pregnant partner names and signed consent.

We may, as required by applicable law, provide you with a supplementary country specific privacy notice when you are a participant in a clinical trial that sets out exactly what sensitive personal data we will collect for the purposes of that trial.

When we employ you, we may, where required by applicable law, provide you with a supplementary country specific privacy notice that sets out exactly what sensitive personal data we will collect for the purposes of your employment.

9. How do we collect your Personal Data?

From you directly

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us, when you apply to work for us, participate in activities with us or on the Website or otherwise when you contact us.

Information Collected through Technical means

  • Indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in our ‘ Cookies Notice'.
  • When you visit our website and its subdomains as referenced above, and the landing pages of marketing campaigns that we may create and run from time to time.
  • Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some services to, among other things, track the actions of users of the services (including email recipients), and compile statistics about usage of the services and response rates as well as general demographic information and aggregated information.
  • When you download a white paper available or other digital content from our website.

Information we receive from third parties in each case where permissible and in accordance with applicable law

  • Sometimes we collect your personal data from third parties such as Clinical Research organisations, agencies, marketing agencies, market research companies, our suppliers, contractors, partners or consultants, group companies
  • We may also collect other identifiable information from clinical trial research site staff
  • Sometimes we collect your personal information from third parties such as from your insurance or healthcare ‎provider, our joint marketing partners, agencies, marketing agencies, market research companies, our suppliers, contractors, partners or consultants, your employees, and/or group companies

Information we receive from public sources

  • We may collect Information about you from publicly available sources, including any social media platforms such as LinkedIn, public websites and public agencies.

If you are located outside of the United States, please be aware that the Personal Data we collect will be processed and stored in the United States, a jurisdiction in which the data protection and privacy laws may not offer the same level of protection as those in the country where you reside or are a citizen. For more jurisdiction specific information on how we use and process your information see the sections linked below:

10. How and on what basis do we use your Personal Data?

We may use your Personal Data for a variety of purposes, and (to the extent applicable) on the basis of various legal bases, including, but not limited to, the following:

  • Complying with legal or regulatory obligations, such as our obligations regarding know-your-client and anti-money laundering due diligence;
  • Performing a contract with you or to take steps at your request before entering into a contract, including to: (i) provide you with information regarding ARETEIA products or services; (ii) assist you and answer your requests; (iii) evaluate whether we can offer you a ARETEIA product or service and under what conditions; and (iv) responding to know-your-client and anti-money laundering information requests presented by counterparties with whom we do business on your behalf or for your benefit; and
  • Other legitimate business interests, such as:
    • Communicating with Data Subjects;
    • Performing activities relating to client management, financial management and administration;
    • Creating, improving and developing our products and services;
    • Conducting market research, surveys, and similar inquiries to help us understand trends, client and Website visitor needs;
    • Investigating and resolving disputes and security issues and enforcing our Terms of Service and other agreements;
    • Monitoring and auditing compliance with internal policies and procedures, legal obligations and to meet requirements and orders of regulatory authorities; and
    • Processing and considering applications for employment, including evaluating and confirming your suitability for the position and accuracy of any information submitted.

We will not use your Personal Data for any purposes inconsistent with this Policy and the purpose for which it was collected, without your permission or otherwise in accordance with applicable law.

For further information on this for EEA/UK residents see here.

11. Selling Personal Data

We do not sell any Personal Data and have not sold any Personal Data in the past.

12. With whom do we share your Personal Data?

Within ARETEIA. We share your Personal Data among ARETEIA entities and affiliates for the purposes set forth above. In general, ARETEIA entities and affiliates, in turn, are not permitted to share your information with other non-affiliates entities, except as described herein or otherwise permitted by applicable laws.

To Third Parties. We share your Personal Data with third parties in certain circumstances, including the following:

  • Service Providers. We share Personal Data with service providers that perform services on our behalf (e.g., third-party service providers to operate the Website) and with service providers and other counterparties to our clients and investors. These companies may have access to your Personal Data but are permitted to use the information solely to provide the specific service or as otherwise permitted by law. We generally require these providers by contract to keep the information confidential.
  • Transaction or Other Corporate Event. Your Personal Data can be disclosed as part of a corporate business transaction, such as a merger, acquisition, joint venture, financing, or sale of company assets, including bankruptcy proceedings, or other investment activity, and could be transferred to a third party as one of the business assets in such a transaction. It also can be disclosed in the event of insolvency, bankruptcy, or receivership. In such an event, we will post prominent notice of the change in ownership.
  • For purposes of Sponsoring Clinical Trials. We may share personal data with following third parties to help us deliver our clinical trials and services:
    • Our representatives, monitors and auditors working on the Clinical Trial and the contract research organization working with the Sponsor on this study
    • The study doctor and study staff
    • Independent Ethics Committees
    • Competent Authorities
    • Regulatory authorities such as, the Food and Medication Administration (FDA), other US governmental agencies, or the European Medicines Agency
    • Government agencies to whom certain diseases (like HIV, hepatitis, and sexually transmitted diseases) must be reported
    • Other Government Agencies (including those outside of Europe and the US, depending on where the clinical trial is undertaken)
    • Laboratories working with us on the clinical research studies
    • Vendors working on the clinical trials studies supporting the electronic capture of clinical trial data
    • Individuals involved in obtaining marketing authorization for the study medication.
    • Service providers who assist in managing, administering, or delivering reimbursement services
    • Regular health care providers (for safety).
  • As Required by Law. We also disclose your Personal Data if we are required to make disclosures by applicable law or to the government or private parties in connection with a lawsuit, subpoena, investigation, or similar proceeding, or as part of our legislative or regulatory reporting requirements.

13. Do you have a choice about the data we collect and use about you?

Yes, you may always choose what personal information (if any) you wish to provide to us.

In cases where you are requested to affirmatively provide information, such as to complete a form, or an application, or a survey on our website, you may decline to do so. Please understand, however, that in some cases certain information is required to complete an application, form ,survey, contract, recruitment activity or clinical trial and if you decline to provide the information requested you may not be able to submit your application or particate in the applicable activity or service. For example, if you decline to provide information requested on a screening questionnaire you may not be able to participate in clinical trials or research projects for which that information is a necessary.

If you would like to restrict our placement of cookies on your device, please see our Cookie Notice.

If you would prefer not to receive e-mail marketing messages from us, please use the opt-out instructions included in the email message to opt-out of additional communications.

You may be given additional choices in the context of particular preferences tools or functions that we make available through our website.

14. Children’s Privacy

We do, on occasion, collect the coded personal data of children when they participate in a Clinical trial and if that is the case, they will be supplied with an age appropriate supplementary country specific privacy notice when they participate in our clinical trial.

This website is intended for general audiences and not for children. Although the Website is not targeted toward children, we are concerned about the safety and privacy of children who use the Internet. If a child under 16 has provided personal information (as defined by the Children’s Online Privacy Protection Act) or personal data (under the GDPR) to us through the Website, a parent or guardian may inform us using the contact details set out under the “Contact and Complaints” heading above, and we will use commercially reasonable efforts to delete it from our database, subject to applicable law and this Policy.

15. How do we protect your Personal Data?

We take seriously the obligation to safeguard your Personal Data. Your Personal Data held by us will be kept confidential in accordance with applicable ARETEIA policies and procedures.

We will use all reasonable efforts to ensure that all Personal Data is kept secure and safe from any loss or unauthorized disclosure or use. All reasonable efforts are made to ensure that any Personal Data held by us are stored in a secure and safe place and accessed only by our authorized employees and transferees.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal information, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many Information security risks that exist and take appropriate steps to safeguard your own information.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

16. Transferring your information overseas

We do business globally and may centralise certain aspects of our information processing activities and data storage in different countries. We may therefore have to share and transfer your personal data from one country to another, or even across multiple jurisdictions, including, but not limited to transfers between the EU and US, EEA and the US, the UK and US. Your personal data may therefore be subject to privacy laws that are different from those in the country where the personal information is collected or those in your country of residences.

We will ensure your personal information has an appropriate level of protection and will undertake appropriate due diligence and risk assessments prior to transferring the information.

We will ensure the transfer your personal information in line with applicable Privacy Law. Often, this protection is set out under a contract with the organisation that receives your personal data. You can find more details of the protection given to your information when it is transferred overseas by contacting us.

Where a privacy regulatory authority requires a corresponding privacy regulatory approval before we transfer your Personal Data outside your jurisdiction, we will obtain the approval before transferring your personal data.

.

17. Keeping your Personal Data current

In general, we seek to ensure that we keep your Personal Data accurate and up to date. However, you are responsible for, and we kindly request that you inform us of, any changes to your Personal Data (such as a change in your contact details).

To update or edit your Personal Data that we have on file, including your communication preferences, please contact us using the contact details set out under the “Contact and Complaints” heading below or by sending an e-mail to [email protected].

18. How long do we keep your Personal Data?

In general, we will process and store your Personal Data for as long as it is necessary in order to fulfil our contractual, regulatory and statutory obligations, which may differ depending on the relevant ARETEIA entity or jurisdiction. Subject to those qualifications, our goal is to keep such data for no longer than necessary in relation to the purposes for which we collect and use the Personal Data (we refer to the purposes as set forth above). If you have any specific questions in this respect, please feel free to contact us.

Personal data collected during your participation in a clinical trial or research study sponsored by ARETEIA will be subject to the period described in the specific privacy notice and informed consent for that clinical trial.

19. Data Subject Rights

ARETEIA uses your personal data in compliance with applicable Privacy laws. Most notably, the General Data Protection Regulation (GDPR) and US data protection legislation these privacy laws and some laws in other regions such as Canada have rights that allow you greater control of and access to your Personal Data.

These rights may include the right:

  • To request and obtain a copy of your personal information
  • To request rectification and/or erasure
  • To restrict processing of your personal information
  • Data portability (if applicable)

ARETEIA does not use automated decision making that has a legal consequence for or otherwise materially and negatively impacts a data subject.

The application of these and any other privacy rights you may have depends on applicable data protection law and if you would like more information about your specific rights under data protection law in your jurisdiction and how to exercise those rights, please contact us at: [email protected]

We may request specific information from you to help us confirm your identity, verify your rights, and respond to your request, including to provide you with the personal data that we hold about you, if applicable.

Applicable law may allow or require us to deny your request, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices.

We will consider and act upon any requests in accordance with applicable privacy laws.

20. Withdrawing Consent

If we rely on your consent to process your personal information, which may be express or implied consent according to the applicable law, you have the right to withdraw consent at any time. You can withdraw your consent by contacting us at [email protected]

Please note that this will not affect the lawfulness of the processing before the withdrawal, nor when applicable law allows, will it affect the processing of your personal information on the basis of any other lawful ground other than consent.

21. Changes to Our Privacy Notice

We may update this Policy from time to time. If we make any material changes to this Policy , we will change the "last updated" date so that you can quickly determine whether there were material changes since the last time you reviewed the Policy. You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.

22. Data Privacy Framework

Areteia Therapeutics, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Areteia Therapeutics, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In relation to the personal information, we process and transfer from the European Union, or the UK to the United States, as outlined in this Policy, we are a committed participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF as applicable. The Federal Trade Commission oversees our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF.

In instances where this notice might conflict with the Principles of the Data Privacy Frameworks, the Principles shall take precedence. For further details on the Data Privacy Framework program and our certification, please visit https://www.dataprivacyframework.gov/s/. For individuals in the EU, UK, there is an option to seek binding arbitration in certain scenarios for complaints concerning our adherence to the Data Privacy Framework Principles, which are not resolved by other Data Privacy Framework mechanisms. Additional details can be found here:

https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

When we engage third parties to process personal information on our behalf under the Data Privacy Framework, these third parties must also comply with the obligations of the Framework. We accept liability for any non-compliance by these third parties, unless we can demonstrate that we are not responsible for the event leading to any incurred damages.

23. Dispute Resolution

If a privacy complaint or dispute relating to Personal Data received by Areteia Therapeutics, Inc. in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here:

https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Areteia Therapeutics, Inc. commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

24. Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

25. Do Not Track

ARETEIA does not track Data Subjects over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (“DNT”) signals. However, some third-party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser allows you to set the DNT signal so that third parties (particularly advertisers) know you do not want to be tracked. You should consult the help pages of your browser to learn how to set your preferences so that websites do not track you.

26. Contact and Complaints

ARETEIA takes very seriously any complaints we receive about our use of your Personal Data. Questions, comments, requests or complaints regarding the Website, this Policy, the Terms of Service and/or our use of your Personal Data should be addressed to [email protected].

Any Personal Data we receive from you when making a complaint will be treated in accordance with this Policy and only to process the complaint and check on the level of service we provide. Similarly, where inquiries are submitted to us, we will only use the information supplied to us to deal with the inquiry and any subsequent issues and to check on the level of service we provide.

For further information on contacts and complaints EEA/UK residents can click here.

27. Areteiatx.com Website Servers

areteiatx.com is operated from servers in the United States.

Please be aware that a website may contain links to other websites hosted by third parties. ARETEIA does not control and is not responsible for the content or privacy practices and policies of such third-party websites. We encourage you to be aware when you leave the Website and to read the privacy policies of each third-party website, especially if such website collects Personal Data from you.

28. Additional Information for Residents of the European Economic Area (the “EEA”) and the United Kingdom (the “UK”)

For purposes of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 and the UK GDPR (as defined in the UK Data Protection Act 2018 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2018 (SI 2019/419)) (both referred to herein as the “GDPR”), in addition to the information above, the below applies to any Data Subject whose personal data we collect whilst they are resident in the EEA or the UK.

Data Protection Officer (DPO)

We have appointed GRCI Law Limited as our DPO, who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, our privacy practices or how we handle your personal data, please contact our DPO at [email protected].

EU Representative

We have appointed IT Governance Europe Ltd to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR) or have any queries in relation to your rights or general privacy matters, please email our representative at [email protected].

Please ensure you include our company name in any correspondence you send to our representative.

Further Details about our processing of your personal information

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Table 1: Lawful Basis of processing

Lawful Basis Purpose Types of personal data

Contract

We use your personal information on the basis that it is necessary for us evaluate applications and candidates for a vacant role prior to entering into an employment or services contract for that role with the most suitable candidate.

Recruitment of candidates (contractors, employees, and providers)

We will use the personal information we collect about you to assess your skills, qualifications, and suitability for the role for which you applied.

We may use the following personal data:

  • Appointment and Interview Data
  • Candidate data: Communication Data
  • Contact data
  • Identification data.
  • Location Data:
  • Publicly available data
  • Observations preferences and opinions
  • Education and Training data

Contract

Employment Contract

Used for performance of employee contract.

Used to process salaries and benefits / performance of employee contract.

We may use the following personal data:

  • Behaviour
  • Candidate data.
  • Commercial data:
  • Communication Data
  • Contact data
  • Education and Training data
  • Identification data
  • Images
  • Location
  • Payment Information
  • Professional data
  • Publicly available data
  • Relationship data
  • Observations preferences and opinions
  • Usage Data Other Information
  • Health data as set out in the sensitive personal data below.

Contract

Business Contracts

Ensuring compliance with Vendor, Supplier, Consultancy and other third party Contracts

We may use the following personal data:

  • Commercial data:
  • Communication Data
  • Education and Training data
  • Contact data
  • Identification data
  • Location
  • Payment data

Legitimate interest

Note 1: When we rely on this, we will carry out a Legitimate Interests Assessment to ensure we consider and balance any potential impact on you (both positive and negative), and your rights under Data Protection Law.

Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.

Managing our business

We process Personal Data for our own legitimate business interest. This relates to us managing our business to enable us to maintain and monitor the performance of our website and services and to constantly look to improve the website and the services it offers to our users, including when we respond to your queries, communications and complaints,

We may use the following personal data:

  • Communication Data
  • Contact data
  • Location Data:
  • Marketing Data
  • Technical data:
  • Profile Data .
  • Usage Data:
  • Other Information

Legitimate interest (see Note 1)

Provide and maintain our Websites.

To provide and maintain our Website, including to monitor the usage of these, troubleshooting, data analysis, network security and system testing necessary for our legitimate interests in maintaining the useability, security and integrity of our website

We may use the following personal data:

  • Communication Data
  • Contact data
  • Location Data
  • Marketing Data
  • Technical data
  • Profile Data
  • Usage Data

Legitimate interest (see Note 1)

Research Activity PurposesOn occasion EU national Law may require we use consent for these purposes

Personal data will be processed for scientific research purposes related to Clinical Trials including:

  • determining eligibility for a Clinical Trial;
  • conducting the Clinical Trial;
  • conducting related scientific and medical research.

The legal basis is the Sponsor’s legitimate interests (GDPR Article 6(1)(c)) to undertake a trial to assess the efficacy, safety, and tolerability of dexpramipexole. make sure that relevant information about the study is recorded for your care, and to oversee the quality of the study

We may use all categories of personal data including health and other sensitive personal data.

  • Appointment and Interview Data
  • Behaviour
  • Communication Data
  • Contact data
  • Identification data
  • Images
  • Education and Training data
  • Location Data
  • Relationship data
  • Observations preferences and opinions
  • health and other special category data as set out in the sensitive personal data below.

Legitimate interest (see Note 1)

Communications about Clinical Trials

The legal basis is the Sponsor’s legitimate interests (GDPR Article 6(1)(c)) in being able to communicate with the trial participants for e.g., visit reminders or follow-up purposes and after the study has ended to inform data subjects of the trial outcome.

We may use the following personal data:

  • Identity data
  • Contact data
  • Appointment and Interview Data
  • Communication Data

Legitimate interest (see Note 1)

Monitoring and Auditing Purposes.

The legal basis is the legitimate interests (GDPR Article 6(1)(c)) in ensuring that the Trial data is correct and that the study was conducted properly.

We may use the following personal data:

  • Appointment and Interview Data
  • Behaviour
  • Communication Data
  • Contact data
  • Education and Training data
  • Identification data
  • Images
  • Education and Training data
  • Location Data
  • Relationship data
  • Observations preferences and opinions

We may use health and other sensitive personal data as set out in the table below.

Legitimate interest (see Note 1)

Administration of a Clinical Trial

The legal basis is operational reasons, such as improving efficiency, training and quality control and administration of the trial including file management and travel reimbursement.

We may use the following personal data:

  • Identity data
  • Contact data
  • Location details
  • communications data
  • Appointment and Interview Data
  • Payment Data

Legitimate interest (see Note 1)

Recommendations and marketing

To make recommendations to you about services that may interest you.

We may use the following personal data:

  • Identity data
  • Contact data
  • Technical Data
  • Marketing and communications data
  • Usage data

Legitimate interest (see Note 1)

To measure and analyse the effectiveness of the advertising we serve you.

We may use the following personal data:

  • Identity data
  • Contact data
  • Location data
  • Technical Data
  • Marketing and communications data
  • Usage data

Legitimate interest (see Note 1)

To comply with applicable laws and regulations and regulatory obligations

To comply with our legal and regulatory obligations; for our legitimate interests, i.e., to protect our business, interests and rights in the Clinical trial.

We may use all categories of personal data depending on the legal requirement, law and circumstances.

Legitimate interest (see Note 1)

Rights and claims

To enforce or apply our Website terms of use, our notice terms and conditions, or other contracts. To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.

We may use all categories of personal data depending on the legal requirement, law and circumstances.

Legitimate interest (see Note 1)

Data subject rights

Verifying your identity when you exercise your data subject rights. Fulfilling data subject rights requests.

We may use you’re your categories of personal data we hold on you depending on the details and nature of your data subject request.

Legitimate interest (see Note 1)

Fraud and business reorganisation or group restructuring.

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise.

We may use all categories of personal data depending on the legal requirement, law and circumstances.

Legitimate interest (see Note 1)

To make Marketing suggestions and recommendations to you about services that may be of interest to you and necessary for our legitimate interests (to develop our products/services and grow our business). We may use the following personal data:

We may use the following personal data:

  • Communication Data
  • Contact data
  • Education and Training data
  • Identification data
  • Location data:
  • Marketing data
  • Profile Data
  • Publicly available data
  • Usage Data

Legal obligations

Note 2: We may use your Personal Data to comply with laws (for example, if we are required to co-operate with a police investigation after a court order orders us to).

Legal requirement - All categories of personal data

The processing is necessary for compliance with legal obligations, such as but not limited security requirements.

We may use all categories of personal data depending on the legal requirement, law and circumstances.

Legal obligations (see note 2)

To comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law.

We may use all categories of personal data depending on the legal requirement, law and circumstances.

Legal obligations (see note 2)

For Clinical Trials the processing is necessary to meet legal requirements in regard to the Reliability and Safety of clinical trials to ensure that clinical trial personal data is reliable and that safety requirements have been met for your participation in the study as a trial participant and also has a member of the research staff.

We may use the following personal data:

  • Communication Data
  • Appointment and Interview Data
  • Education and Training
  • Behaviour
  • Communication Data
  • Contact data
  • Identification data
  • Location data
  • Relationship data
  • Observations preferences and opinions

We use health and other sensitive personal data as set out in the table below.

Legal obligations (see note 2)

Payroll and Payments

Used to process salaries and benefits / performance of employee contract and vendor contracts and support tax inquiries.

We may use the following personal data:

  • Communication Data
  • Contact data
  • Professional data
  • Identification data
  • Payment data
  • Commercial data

Legal obligations (see note 2)

Criminal activity

To detect fraudulent or criminal activity, we may share information with forces such as the police.

We may use all categories of personal data depending on the law and circumstances.

Consent

Note 3: We may have to get your consent to use your Personal Data, such about you or when we want to send you marketing.

Wherever consent is the only reason for using your Personal Data, you have the right to change your mind and/or withdraw your consent at any time by clicking the Unsubscribe button at the bottom of an applicable email or by contacting us.

Marketing

To measure and analyse the effectiveness of the advertising we serve you.

We may collect IP addresses and store Cookies on visitors’ devices.

We may use the following personal data, depending on what you consent to:

  • Communication Data.
  • Contact.
  • Education and Training data
  • Identification data Location data
  • Marketing data
  • Profile Data
  • Publicly available data
  • Observations preferences and opinions
  • Usage Data

Consent (see Note 3)

Data analytics

We use data analytics to improve our website, products/services, marketing, customer relationships and experiences.

We may use the following personal data, depending on what you consent to:

  • Identity data
  • Transaction data
  • Technical Data
  • Profile data
  • Usage data

Consent (see Note 3)

Clinical Trial Participation;-

Where national requires consent be used for processing personal information for the purpose of participating in clinical trials.

We may use the following personal data, depending on what you consent to:

  • Appointment and Interview Data
  • Behaviour
  • Communication Data
  • Contact data
  • Identification data
  • Location
  • Relationship data:
  • Observations preferences and opinions

Table 2: Sensitive Personal data

The lawful basis of processing for sensitive personal data is set out below:

Purpose Lawful Basis

Reliability and Safety Purposes:

Your personal data will be processed in order to ensure that study data is reliable and that safety requirements have been met for your participation in the study.

For sensitive personal data, the legal basis is ‘public task’ as processing is necessary for the performance of a task carried out in the public interest (GDPR Article 9(2)(i)).We may use the following data:

  • Health data
  • Demographic data
  • Sex
  • pregnancy information

Research Activity Purposes: Your personal data will be processed for scientific research purposes related to EXHALE-4 study including:

  • determining your eligibility for a Trial;
  • conducting the Trial;
  • conducting related scientific and medical research.

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • Health data
  • Demographic data
  • Sex
  • pregnancy information

In some cases, national law may require that consent I used for the lawful basis.

Monitoring and Auditing Purposes:

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • Health data
  • Demographic data
  • Sex
  • pregnancy information

To comply with applicable laws and regulations and with our legal and regulatory obligations enforce legal rights or defend or undertake legal proceedings depending on the circumstances.

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • Health data
  • Demographic data
  • Sex
  • pregnancy information

Employment purposes

For sensitive personal data, the legal basis is that processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (GDPR Article 9(2)(b) We may use the following data:

  • Health data: data concerning health , sick absence notes, disabilities, medical history, medications, work accident injuries, examination notes and test results from the study (e.g., blood type, vital signs, urine test, x-rays, physical exams, known conditions, medical survey or questionnaire results, and other study-specific procedures required by the study protocol);
  • Demographic Data

Transfer of Personal Data Outside of the UK/EEA

Your personal data will be hosted in the United States and will therefore be transferred and stored outside of the UK or European Economic Area (“EEA”) both inside of our group and to certain third party suppliers, where such information is collected in the EU or UK. For the purpose of applicable EU/UK laws, such third countries (including the U.S.) may not offer the same level of data protection as your country of residence, and additional safeguards may be necessary for such transfers.

We ensure that such transfers will be made in accordance with applicable EU/UK data privacy laws, for example using specific contracts approved for use in the EU/UK which give Personal Data the same protection it has in the EU/UK. This may include the EU Standard Contractual Clauses, the UK IDTA (International data transfer agreement) and/or the UK Addendum to the EU Standard Contractual Clauses.

GDPR Data Subject Rights

Under the GDPR, in certain circumstances, a UK or EEA-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them. In particular, you may have the right to:

  • Request access to any data held about you;
  • Ask to have inaccurate data amended;
  • Request data held about you to be deleted, provided the data is not required by ARETEIA to perform a contract, defend a legal claim or to comply with applicable laws or regulations;
  • Prevent or restrict processing of data which is no longer required; and
  • Request transfer of appropriate data to a third party where this is technically feasible.

Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.

To exercise any of these rights, please contact us using the contact details set out under the “Contact and Complaints” heading above. We may need to request further information from you to help us confirm your identity to help facilitate your request. This is a security measure to ensure that Personal Data is not mistakenly disclosed.

Automated Decision Making

We respect your legal rights not to be subject to decisions that are based solely on automated processing of your Personal Data, including profiling, especially where such processing has legal or other significant effects on you. In establishing and carrying out a business relationship, we generally do not use any automated decision making pursuant to the GDPR. We may process some of your Personal Data automatically, with the goal of assessing certain personal aspects (profiling), such as to comply with legal or regulatory obligations to combat money laundering, terrorism financing, and offenses that pose a danger to assets. We also use assessment tools in order to be able to allow communications and marketing to be tailored as needed, all following applicable EEA or UK law.

Complaints to Local Authorities

As a resident of the EEA or UK, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection supervisory authority.

UK residents can contact the ICO here

EU residents can find their applicable local data protection supervisory authority here.

29. Additional Information for Residents of California

The information below may apply to Data Subjects who are residents of California.

California Data Subject Rights

California’s “Shine the Light” law permits California residents to annually request and obtain information free of charge about what personal information is disclosed to third parties for direct marketing purposes in the preceding calendar year. For more information on these disclosures, please contact us using the contact details set out under the “Contact and Complaints” heading above.

In addition, Data Subjects in California may have a right under the California Consumer Privacy Act (“CCPA”) to request erasure of their Personal Data or access to Personal Data that we have collected in the last twelve (12) months.

You may submit requests for access or erasure of your personal information by contacting us at [email protected].

Individuals who submit requests for access or erasure of personal information will be required to verify their identity by answering certain questions. We will not disclose or delete any information until identity is verified.

If you are making a request for access, we may not be able to provide specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your personal information, your account with us, or our systems or networks.

If you are making a request for erasure, we will ask that you confirm that you would like us to delete your personal information again before your request is addressed.

You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.

Agents who make requests on behalf of individuals, will be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.

Under the CCPA, you cannot be discriminated against for exercising your rights to access or request erasure of their Personal Data.

We use only necessary cookies to ensure our website can work correctly and to enhance your experience. For more information about the cookies we use, please see our Cookie Policy.