- INTRODUCTION
- WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
- WHAT DATA DO WE PROCESS?
- FOR WHAT PURPOSES DO WE PROCESS YOUR DATA?
- COLLECTION AND PROCESSING OF PERSONAL DATA
- TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
- HOW LONG DO WE STORE YOUR PERSONAL DATA?
- ON WHAT LEGAL BASIS DOES THE DATA PROCESSING RELY?
- HOW DO WE PROTECT YOUR PERSONAL DATA?
- WHAT RIGHTS DO YOU HAVE WITH REGARD TO YOUR PERSONAL DATA?
- CONTACT
I. INTRODUCTION
Alpha-9 Oncology Inc. and its affiliates (“Company”) process Personal Data (also referred to as “personal information”) relating to you or other individuals in different ways and for different purposes. In this Privacy Policy you will find information on how we process your Personal Data. «Personal Data» is any information that can be linked to a particular individual, and «process» means any handling of Personal Data, such as the collection, use and disclosure of Personal Data.
In the course of pursuing its mission of developing new therapies, the Company collects and analyzes Personal Data of various individuals, including patients, vendors and healthcare professionals. This Privacy Policy explains our processing of Personal Data when you
- visit our website www.a9oncology.com
- are in contact with us under a contract,
- contact us via email, letter, via a contact form, etc.,
- deal with us in the context of all other data processing related to our business offers,
- participate in our research programs.
This Privacy Policy is not part of a contract. Company may amend this Privacy Policy at any time. The version published on this website is the current version.
II. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
For data processing under this Privacy Policy, the following company is the «controller», i.e. the party primarily responsible under data protection law:
Alpha-9 Oncology Inc.
27 E 7th Ave, Suite 300
Vancouver, BC V5T 1M4
Canada
Email: info@a9oncology.com
If you are in contact with another group company, e.g. because you or your company purchase a service from this company or because you correspond directly with this other company, the company in question is the controller.
III. WHAT PERSONAL DATA DO WE PROCESS?
This Privacy Policy applies to all Personal Data collected, processed, shared, or used by Company in the context of its various activities.
We process the following Personal Data from you as far as they are or become known to us, in each case with the current and also the previous information, if information changes over time:
- Master data and contact information: We refer to master data as the basic data that we need to process our business relationships and that relates directly to your person and characteristics. This includes, for example, first and last name, home address, phone number, email address, username, language skills, nationality, ethnic origin, gender, relations to the company for which you are employed, government identification (e.g., driver’s license, passport), photo or image, login credentials, answers to security questions, medical license number, banking or credit card details. We usually obtain this master data from yourself, but may also obtain it from other persons who work for your company;
- Contract data: Contract data are details that arise in connection with the conclusion or processing of a contract, e.g. details about contracts and the services to be provided, as well as data from the preparation of the conclusion of a contract, details about the conclusion of the contract itself (e.g. the date of conclusion and the subject matter of the contract), as well as the details required or used for processing. For example, we process information on the type and duration as well as conditions of the contract in question, data on the termination of the contract, contact details, information on the use of services, information on payments and payment methods, invoices, complaints, information on customer satisfaction, feedback, etc.
- Health Data: For certain programs and services, we process health information from individuals directly or indirectly from a third party, e.g. information regarding patients’ health status, medications, medical history, and other healthcare-related information.
- Communication data: Communication data is data in connection with our communication with you, e.g. when you contact us via the contact form or via other means of communication. Communication data are e.g. name and contact details such as postal address, email address and telephone number; content of correspondence (e.g. from emails, written correspondence, telephone conversations etc.); details of the type, time and possibly location of the communication and other marginal data of the communication.
- Technical data: Technical data is generated in connection with the use of our website. This includes, for example, the IP address of the device and device ID; information about your device, the operating system of your device or language settings; information about your internet provider; accessed content or logs in which the use of our systems is recorded; date and time of access to the website and your approximate location.
- Applications, professional career, education and training: We process information of job applicants, employees, ex-employees and healthcare professionals about the work history, qualifications, education and other data, such as curriculum vitae, information about certificates, diplomas, job references or confirmations of employment and other information about skills, competencies and qualifications, professional organization membership status, language skills, information about previous jobs and employers, reference persons and their contact details, information from references, and other information for example in the context of an application and from the internet and other public sources.
- Further data: It is possible that we process further Personal Data which we cannot list here conclusively. We inform you separately about the processing of such data if this is possible or we are obliged to do so.
Company may also collect other information that is not Personal Data, such as business, company or institutional information.
IV. FOR WHAT PURPOSES DO WE PROCESS YOUR DATA?
We process the Personal Data mentioned in section III for various purposes related to your employment, in particular for the following purposes:
- Identifying potential investigators: We analyze the professional profiles of doctors and other healthcare providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications or otherwise collaborating with Company.
- Clinical or medical research: We more generally collect and process healthcare professional’s Personal Data for the purposes of executing specific agreements to assist in clinical or medical research and other aspects of product development.
- Improvement of our services and for the development of services.
- Communication purposes, e.g. to contact you and to maintain contact with you.
- Ensuring business operations and other security purposes, e.g. operation and security of IT systems and applications, support hotlines, workplace security, building security including access controls, protection of our data, secrets and assets, furthermore spam and virus filters or DLP (data loss prevention) systems, which in particular can check emails for certain search terms or the like in order to reduce the risk of sending confidential information or Personal Data to unauthorized recipients. Also, documentation of security incidents, data breaches, complaints, interactions with authorities and third parties, and other relevant events and corresponding measures that relate to or contain information about you.
- Compliance, investigations and legal proceedings, e.g. the prevention, investigation and prosecution of violations of the law by employees, internal regulations and directives, including the investigation of complaints, tips and objections, evaluation of surveillance measures and the conduct of investigations, participation in official investigations and proceedings, and the assertion, exercise or defence of legal claims.
We will inform you separately about other purposes insofar as this is possible and we are obliged to provide information.
V. COLLECTION AND PROCESSING OF PERSONAL DATA
1.0 Principles – How does Company collect and use Personal Data?
Where mandated by data privacy law, or where it is a matter of good practice, Company will seek consent of data subjects to collect, use, and disclose their Personal Data consistent with the relevant privacy notice. Specific requirements may vary by jurisdiction and must always be followed.
As required under applicable law, Company shall:
- Collect and use Personal Data only in instances where it has legal justification to do so. For example, some Company guidelines or local laws may require explicit consent or a right to object of the data subject prior to collection or further use of his or her Personal Data as required by applicable law (e.g., informed consent for clinical research);
- Notify data subjects as to how their Personal Data will be used prior to collection of such information;
- Collect only that Personal Data which is required for the specified business purpose;
- Use Personal Data only for the specific business purpose described in the applicable consent form or privacy statement or for purposes that would be reasonably anticipated by the data subject;
- Use Personal Data in ways that do not adversely impact the data subject unless such use is justified by law; and
- Anonymize or pseudonymize Personal Data where possible or appropriate.
Company recognizes that responsible management of Personal Data is required to protect privacy rights and comply with data privacy laws and regulations.
Personal Data may be shared with other Company affiliates, government agencies, service providers and third parties on a “need to know” basis for legitimate business reasons or as otherwise allowed or required by law.
Company websites may contain links to websites outside of Company. Linked websites are not under the control of or endorsed by Company. This Policy does not apply to linked websites outside the Company organization. It is recommended that visitors review the privacy policy of each individually linked website.
2.0 Collection of Data – How is the Personal Data collected?
Company may collect Personal Data from the following sources:
Company may, to the extent permitted by law, collect Personal Data from data subjects through various channels, including the websites, in surveys, during business or marketing events, and when delivering programs and services to various persons.
Company may provide opportunities to sign up to receive specific information or services and may ask for contact information (e.g., name, home/contact address, home/contact phone number or personal/contact email address), so that we can send specific information about Company’s business or operation.
Company may indirectly collect information about patients’ health condition, diagnosis, and treatment from healthcare professionals, but only where the healthcare professional has obtained consent to disclose that information to Company, as required by law.
Company may, to the extent permitted by law, collect various information from healthcare professionals as part of marketing or educational activities to healthcare professionals, including first name, last name, age, gender, home/contact address, home/contact phone number, medical specialization, professional qualifications, license number and scientific society membership number.
When navigating the websites, certain passive information may also be collected. This type of information is used for the purposes of gathering data to provide improved administration of Company websites and to improve the quality when interacting with Company websites.
Company may also collect information about data subjects from third-party sources to supplement information received from the data subjects.
Company may collect Personal Data to enable data subjects to use online social media resources offered either by Company or a third party.
When using an online social media resource offered by a third-party through the Company website, the user acknowledges that Company may be able to access any information made public through such third-party (such as username, comments, posts and contacts) and other information the privacy settings on such third-party permit Company to access. Company will comply with the terms of this Privacy Policy and the privacy policies applicable to the social media resources it uses.
3.0 Specific principles for Internet Users
We use third-party services for our website in order to assess and improve the user experience of the website and online advertising campaigns. In order to do this, we may embed third party services on our website, which themselves may use cookies. When we track you or use similar technologies, the core purpose is to enable us to distinguish access by you (via your system) from access by other users so that we can ensure the functionality of the website and undertake statistical analyses. We do not want to infer your identity in the process. The techniques used are designed in such a way that you are recognised as an individual visitor each time you access the site, for example by our server (or the servers of third parties) assigning you or your browser a specific recognition number (so-called “cookie”).
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions are enabled on the computers of visitors to Company websites for the following purposes: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics; and to help tailor marketing messages to the visitor based on previous browsing. Company cookies are enabled and controlled by the Company IT team, which is established in the United States. The online relationship with Company may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set “Do Not Track” as a function. Please note that disabling cookies may prevent a visitor from using certain features on Company websites.
To read more about cookies and principles for internet users please click on the following link: https://www.a9oncology.com/cookie-policy/
No part of Company online presence is directed to children.
4.0 Transfers of Personal Data – What happens when the Personal Data goes to another country?
Company is part of an industry that is increasingly globalized in its approach to life sciences. Personal Data may be shared across international borders as required to support global projects, particularly clinical trials. Company may in the future host Personal Data in databases in different locations throughout the world. Company recognizes that many countries have regulations restricting the flow of Personal Data across international borders. Company will protect the Personal Data during the transfer according to applicable laws and regulations.
5.0 Data Protection Impact Assessments
From time to time and as required by applicable laws, Company will conduct data protection impact assessments (DPIA). A DPIA is, for example, required when processing of Personal Data uses new technologies. Criteria for evaluating when a DPIA is required also include the nature, scope, context and purposes of the processing, and whether the processing is likely to result in a high risk to the rights and freedoms of natural persons. A single assessment may address a set of similar processing operations that present similar high risks.
VI. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
We may disclose Personal Data to other recipients if this is necessary for the stated purposes (section 4) and insofar as this is permitted by law. In particular, we disclose Personal Data to recipients of the following categories:
- Service providers: We use various services from third parties domestically and abroad, e.g. contract research organizations, IT service providers, maintenance and support service providers, etc. These service providers may process or access your Personal Data to the extent necessary;
- Governmental authorities and official agencies, when we deem it necessary or appropriate in order to comply with laws and regulations or to verify compliance therewith, to respond to inquiries from competent authorities (e.g. in the context of a criminal investigation, in the context of regulatory submissions) or to participate in official or judicial investigations and proceedings;
- Parties to legal proceedings, e.g. opposing parties and other parties, experts, witnesses, etc., if we participate in legal proceedings or are considering participation;
- Acquirers or parties interested in acquiring business units, companies or assets.
VII. HOW LONG DO WE STORE YOUR PERSONAL DATA?
We generally store your Personal Data for the duration of the contract. Exceptions apply if longer legal retention obligations exist in individual cases, if retention is necessary for reasons of evidence or other grounds for exception exist. An exception also applies if earlier deletion is indicated (e.g. because we no longer require the data or are obliged to delete it).
For operational and security-related data, shorter retention periods usually apply. Business-related documents are retained for as long as we require them to achieve our purpose, have a sufficient business interest in retaining them or are legally obliged to do so. When the retention period has expired, your Personal Data will be deleted or anonymized.
VIII. ON WHAT LEGAL BASIS DOES THE DATA PROCESSING RELY?
Depending on the case, data processing is only permitted if the applicable law specifically allows it. The various privacy laws in the world apply different legal grounds for the collection and processing of the Personal Data. We may rely on the following legal bases for processing your Personal Data:
- on your consent;
- that the processing is necessary for the performance of a contract or pre-contractual measures (e.g. the examination of a contract application);
- that the processing is necessary for the assertion or defence of legal claims or civil proceedings;
- the processing is necessary for compliance with domestic or foreign legal provisions;
- the processing is necessary for a legitimate interest in the data processing.
IX. HOW DO WE PROTECT YOUR PERSONAL DATA?
We take appropriate technical (e.g. access regulations and restrictions) and organizational measures (in particular instructions and directives) to protect your Personal Data from loss, misuse and unauthorized access, disclosure, alterations, and destruction, and continually adapt these to technological developments, taking into consideration the risks involved in the processing and the nature of the Personal Data.
To enhance privacy, data subjects’ names and other direct identifiers are not attached to records or samples collected by Company for research purposes. Instead, data subjects are only identified by a code.
X. WHAT RIGHTS DO YOU HAVE WITH REGARD TO YOUR PERSONAL DATA?
You have certain rights with respect to your Personal Data processed by us in order for you to control or influence our processing. These are in particular the following rights:
- Information: You have the right to obtain information about your Personal Data processed by us at any time in writing and generally free of charge.
- Correction: You may, at any time and free of charge, request that we correct, complete or update your Personal Data if it is incorrect.
- Objection and deletion: You may object to our data processing and request that we delete your Personal Data at any time if we are not obliged to continue processing or storing this data and if it is not necessary for the employment contract.
- Withdrawal of consent: If we process your Personal Data based on your consent (see section 3), you may withdraw consent at any time. Such withdrawal of consent is only effective for future data processing.
Some of these rights may not apply in individual cases, and we may be entitled or obligated to restrict or postpone the fulfilment of a right. We will inform you accordingly in such a case.
You also have the right to lodge a complaint with the relevant local data protection authority at any time if you do not agree with our processing of your Personal Data.
XI. CONTACT
All communications, queries, requests to exercise data subjects’ rights (e.g., access to data), or complaints should be addressed to the attention of the Company Data Protection Office at dpo@a9oncology.com.
Any questions or exercise of privacy rights can be addressed to the Data Protection Office listed above or by sending an email to dpo@a9oncology.com. In order for Company to be able to prevent misuse, Company needs to identify the requestor.