Privacy Policy

Effective Date: 22 January 2024

Version 1.0

At Ground Truth Labs Ltd (“GTL”), we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data.

By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.

GTL processes Personal Data in its interactions with visitors, prospects, partners, clients, employees, job applicants, contacts, investors, service providers, contractors, and users (collectively the “Individuals”) of its platforms, namely groundtruthlabs.com (the “Website”) and app.groundtruthlabs.com (the “App”).

GTL is committed to conducting its business in compliance with applicable data protection regulations, particularly the General Data Protection Regulation (EU) 2016/679 of 27th April 2016 (“GDPR”), as well as other relevant laws and regulations which aim to protect individual rights concerning the collection, use, retention, transfer, disclosure, and destruction of Personal Data.

This Privacy Policy sets out the types of Personal Data GTL may receive and address several key questions:

  1. What Personal Data does GTL collect and process about Individuals?
  2. Why does GTL process this data?
  3. What legal bases allow GTL to do so?
  4. From what sources does GTL collect Personal Data?
  5. Who is authorised to process Personal Data on behalf of GTL?
  6. How does GTL ensure the security and protection of Personal Data?
  7. How long will GTL retain Personal Data?
  8. What are the Individuals' rights regarding GTL's processing of their Personal Data?
  9. How can Individuals exercise these rights?

Definitions

The following definitions apply throughout:

Data Controller(s): GTL
Data Processor(s): Natural person or legal entity processing Personal Data on behalf of GTL.
Data Recipient(s): Individual or legal entity receiving Personal Data from GTL. This may include GTL employees or external entities (e.g., partners like healthcare organisations or professionals, suppliers, service providers, clients, banks, etc.).
Data Subject(s): The Individuals.
Personal Data: Information that can directly or indirectly identify a Data Subject, such as a name, identification number, location data, online identifier, etc.

Please note: GDPR makes a distinction between organisations that process personal data for their own purposes (known as “Data Controllers”) and organisations that process personal data on behalf of other organisations (known as “Data Processors”). GTL acts as a Data Controller for information where GTL determines the nature and purpose of the processing. GTL may be a Data Processor if it acts on behalf of a third party.

Objective

This Privacy Policy fulfils GTL's information obligation under the GDPR (Articles 12 to 14) and documents the rights of Individuals regarding the processing of their Personal Data.

Scope

This Privacy Policy applies to all processing of Personal Data by GTL.

GTL ensures that Personal Data is processed within strict internal governance. However, this Privacy Policy only covers Personal Data for which GTL is the Data Controller and not any processing outside GTL's governance.

Processing may be managed directly by GTL or via designated Data Processors.

This Privacy Policy is independent of other documents that may apply in the contractual relationship between GTL and the Individuals. Specific privacy, data protection notices, and/or consent or non-opposition forms will be provided to concerned Individuals as needed, particularly regarding specific situations where GTL may process Personal Data.

Purposes

GTL only processes Personal Data that is related to data collected by or for its teams, or processed with its teams, and only if it complies with GDPR's general principles.

GTL may process Personal Data for the following purposes:

Business and Contractual Relationships

  • Managing contractual and contact relationships, and business development, including identifying potential contractors, partners, service providers, and clients.
  • Executing and managing agreements with GTL's academic partners (e.g., healthcare organisations like hospitals, universities, research centres, healthcare professionals), non-academic partners (e.g., pharma companies, biotech companies, or other corporate partners), service providers, and/or suppliers.
  • Implementing and managing invoicing and accounting.

Compliance with Legal, Regulatory, Best Practices, and Ethical Obligations Applicable to GTL

  • Complying with industry standards and GTL policies.
  • Ensuring the security of Personal Data collected and processed by GTL.

Marketing

  • Managing marketing campaigns (via email, SMS, phone, etc.) and media advertising.
  • Communicating and managing newsletters.
  • Managing targeted advertising and segmentation.
  • Organising and managing events which GTL sponsors or participates in.
  • Managing social media campaigns (including data on registrations, posts, likes, replies, forwards, comments, opinions, etc.).
  • Managing surveys.

Recruitment

  • Managing job advertisements and applications, including pre-contractual relationships with job applicants.

Website Maintenance and Management

  • Managing the Website (case studies, contact forms, etc.).

Protecting GTL's Rights and Interests

  • Managing investigations, pre-litigations, and litigations.
  • Protecting GTL's rights or third-party rights, including intellectual property, privacy, safety, and property.
  • Protecting GTL against harmful actions or omissions, including fraudulent activity.

Although the above list is intended to be exhaustive, any new use, modification, or withdrawal of existing processing will be notified to concerned Data Subjects via new versions of this Privacy Policy on the Website. GTL invites Data Subjects to regularly check this Privacy Policy online.

GTL is granted the right by Individuals to process their Personal Data for the aforementioned purposes. However, any data supplemented by GTL's processing and analysis, known as supplemented data, remains GTL's exclusive property (usage analysis, statistics, etc.).

Lawfulness of Processing Conducted by GTL

The purposes for which GTL processes Personal Data are based on the legal bases described below.

Processing is Required for GTL's Legitimate Interest or a Third Party

  • When GTL processes Personal Data for its legitimate interest, it evaluates whether this interest conflicts with the fundamental rights and interests of the Data Subjects.
    • For instance, protecting GTL from fraudulent activities, managing research and development activities, managing contact relationships and business development, and sending newsletters to relevant industry and professional groups and contractors with pre-existing relationships with GTL.

Processing Required to Meet Legal Requirements and Enforcing Legal Terms

  • GTL may process Personal Data to comply with all legal obligations.
    • For example, monitoring adverse events or device deficiencies of marketed products, transparency regarding GTL's relationships with healthcare professionals and institutions, and financial and tax reporting.

Data Subject Has Given Consent for the Processing of Personal Data

  • GTL may process Personal Data for specific purposes for which the Data Subject has given clear consent.
    • For instance, sending GTL's newsletter to Data Subjects is based on their consent.

Processing is Required for Performance of a Contract

  • GTL may process Personal Data for the execution of contracts between Data Subjects (or their employers) and GTL.
    • For example, GTL processes Personal Data necessary for contract performance for purposes like negotiating contracts with GTL's partners, suppliers, service providers, clients, and following up on GTL's contractual relationships.

Processing is Required for Reasons of Public Interest

  • When applicable laws entitle GTL to do so, notably in public interest cases, GTL may process Data Subjects' Personal Data.
    • For instance, if laws in a Data Subject's country allow GTL to process Personal Data in public health areas to ensure high-quality healthcare and safety of medicinal products or medical devices, GTL could process Personal Data for scientific research projects to improve or develop new products or devices.

Personal Data GTL Processes

GTL processes a wide range of Personal Data, depending on its relationship with Data Subjects and third parties it works with, which may provide GTL access to Personal Data.

For example, GTL processes Personal Data like identification details (names, birth dates, pseudonyms, client numbers, usernames, passwords), contact details (emails, addresses, phone numbers), professional data (company names, job titles), bank details, contract-related data, and internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP addresses, etc.).

Personal Data Sources

Personal Data is generally collected directly from Data Subjects (direct collection).

Collection may also be indirect via partners, clients, service providers, and suppliers of GTL, authorised to do so in compliance with applicable law and their privacy and data protection policies.

In such cases, GTL ensures the quality of the data it receives. If Data Subjects have questions about the initial collection of their Personal Data by GTL's partner, client, service provider, or supplier, GTL invites Data Subjects to contact them directly or refer to their data protection policies.

Personal Data of Children

GTL's Website is not designed for use by children under the age of thirteen (16) years. GTL does not deliberately process Personal Data from children below thirteen (16) years through its Website.

Should a parent or guardian discover that their child has supplied Personal Data to GTL via its Website, they are urged to contact GTL's Chief Technology Officer promptly to request the erasure of the relevant Personal Data in compliance with applicable data protection laws.

For details on how to reach GTL's Chief Technology Officer, please refer to the article titled “Head of Information Security” of this Privacy Policy.

Recipients of Personal Data

GTL ensures that Personal Data, considering the processing purpose(s), is accessible solely to authorised internal and external Data Recipients who require this information.

Internal Data Recipients of GTL

Authorised personnel from GTL, depending on the processing purpose(s) and the Personal Data involved, may include members of the following teams:

  • Communications and marketing
  • Business development
  • Clinical
  • Finance
  • IT
  • Legal
  • HR
  • Product
  • Authorised employees from teams handling control and audit functions (teams overseeing internal control procedures, etc.).

External Data Recipients of GTL

External Data Recipients of GTL may include, depending on the processing purpose(s) and the Personal Data involved:

  • GTL's partners (e.g., healthcare organisations like hospitals, research centres, universities, healthcare professionals, service providers, suppliers, pharmaceutical companies, biotech firms, or other corporate partners);
  • Legal or administrative authorities, as mandated by applicable laws and regulations to which GTL is subject;
  • Potential acquirers and other stakeholders in case of a corporate transaction such as a change in GTL's control, arising from a capital increase, merger, demerger, or through the total or partial sale of business activities.

Data Recipients are subject to a confidentiality obligation. GTL only provides them with the essential information required to process Personal Data in line with identified purposes.

GTL decides which Data Recipients can access specific Personal Data through contracts or internal policies.

Personal Data may also be forwarded to any legally authorised authority. In such instances, GTL is not responsible for how these authorities access and process the Personal Data but will restrict the data accessed by these authorities to the minimum required.

GTL will never sell Personal Data to any third parties.

Retention Period

GTL determines the retention period for Personal Data in line with its legal and contractual obligations.

After specified periods, Personal Data is either deleted or retained post-anonymisation, particularly for statistical purposes. It may be kept in case of pre-litigation and litigation.

Data Subjects are reminded that deletion or anonymisation are irreversible, and GTL cannot restore Personal Data afterwards. Once anonymised, it is impossible to link anonymised data with the initial Personal Data, and GTL will not be able to respond to Data Subjects' requests to exercise their rights as described below.

GTL follows the retention principles outlined below:

Clients and Partners' Personal Data

For the duration of the contractual relationship with GTL, including the contract term, warranty terms plus five (5) years for legal obligations, notwithstanding storage and retention obligations or statute of limitations.

Job Applicants' Personal Data

Unless a job applicant requests otherwise, their Personal Data is processed and stored for two (2) years from collection, with GTL possibly asking the applicant to extend this period every two (2) years.

The above retention period is subject to any storage and retention obligations or statute of limitations applicable to GTL.

Personal Data Related to Contacts and Potential Clients

Three (3) years from GTL's collection of the Personal Data or from the last contact initiated by the potential client or contact.

Bank Details Information (i.e., data related to bank or payment cards)

Until full payment is made; or until receipt of goods or provision of service. This period extends by the withdrawal period for distance sales of goods and services.

For managing claims, data related to payment cards may be stored in intermediate archives as evidence in case of disputed transactions for thirteen (13) months following the debit date. This period may extend to fifteen (15) months to accommodate deferred payment cards.

Rights of Data Subjects

Any requests related to exercising the rights above must be made in writing, sent by email to privacy@groundtruthlabs.com or by post to the Legal team – Ground Truth Labs – 125 Wood Street, London, United Kingdom, EC2V 7AW, accompanied by a signed copy of an identity document such as a passport or national ID card/driver's licence.

In accordance with data protection laws and regulations, Data Subjects are informed that the rights mentioned above are personal and can only be exercised by the Data Subjects concerning their information. For security purposes, GTL must verify the identity of the Data Subject before disclosing any Personal Data.

Response time for Data Subject's requests may vary based on the request's complexity or if the Data Subject submitted multiple requests.

Confirmation and Access Right

Data Subjects can request GTL to confirm whether their Personal Data is being processed and can access their Personal Data, including requesting copies. Misuse of this right may incur costs for the Data Subjects.

  1. If requested electronically, the information will be provided in a commonly used electronic format, unless otherwise specified.
  2. Data Subjects are informed that this right does not extend to confidential information or data whose communication is legally restricted.
  3. The right to access should not be exercised abusively, i.e., legally but with the sole aim of hindering the proper execution of the service in question.

Updating and Rectification Rights

Data Subjects can ask GTL to correct their Personal Data if it is inaccurate, incomplete, or outdated.

Right to Oppose Processing Activities

Data Subjects can object to the processing of their Personal Data, subject to legal and/or regulatory restrictions. For instance, concerning GTL's newsletters, Data Subjects can opt-out at any time using the “unsubscribe” link in these newsletters.

Right to Deletion

The right to deletion does not apply where processing complies with a legal obligation or is necessary for legal claims.

In other cases, Data Subjects can request deletion if:

  1. The Personal Data is no longer needed for its original purpose;
  2. The Data Subject withdraws consent and there is no other legal basis for processing;
  3. The Data Subject objects to processing for GTL's legitimate interests, and there are no overriding legitimate grounds for continuing processing;
  4. The Data Subject objects to processing for marketing purposes, including profiling;
  5. The Personal Data has been unlawfully processed.
  6. Under Personal Data protection legislation, Data Subjects are informed that this is a personal right that can only be exercised concerning their own information.

Rights to Restrict Processing

Data Subjects are informed that the right to restrict processing is not applicable when GTL's processing complies with legal and regulatory obligations or when processing Personal Data is necessary for service performance.

Personal Data Portability Right

GTL will comply with Personal Data portability requests specifically concerning data provided by Data Subjects themselves, via online services provided by GTL and based solely on personal consent. In such instances, Personal Data will be provided in a structured, commonly used, and machine-readable format.

Automated Individual Decision-Making

GTL does not engage in automated individual decision-making.

Rights After Death

Data Subjects have the right to issue instructions regarding the retention, deletion, and communication of their data post-mortem.

Data Processors - Subprocessors

GTL may select any Data Processor of its choice for processing Personal Data. In such cases, GTL ensures that the Data Processor adheres to obligations under applicable data privacy laws and regulations, particularly the GDPR.

GTL commits to signing a contract with every Data Processor, imposing the same Personal Data protection obligations as those applicable to GTL. GTL also reserves the right to audit the Data Processor to ensure compliance with GDPR obligations.

Subprocessors

In order to provide our products and services, GTL engages the subprocessors listed on this page. A Subprocessor is a third party engaged by GTL to support our broad operations in some way that requires them to process some Personal Data for which GTL is the Data Controller.

Security

GTL has implemented comprehensive technical and organisational measures to safeguard the integrity and confidentiality of Data Subjects’ Personal Data. These measures consider the state of the art, implementation costs, and the nature, scope, context, and processing purposes, as well as the risk to the rights and freedoms of the Data Subjects. These measures include, but are not limited to:

  1. Management of Personal Data access rights;
  2. Internal backups;
  3. Identification processes;
  4. Security audits;
  5. Implementing an IT system security policy;
  6. Implementing business continuity and disaster recovery plans;
  7. Using security protocols and/or solutions.

Personal Data Breach

In case of a Personal Data breach, GTL commits to notifying the relevant data supervisory authority (e.g., the list of competent supervisory authorities within the European Union can be found on the European Data Protection Board's website) as required by the GDPR. If such a breach poses a high risk to Data Subjects and the Personal Data was not protected, GTL will notify the affected Data Subjects and provide necessary information and recommendations to the affected Data Subjects.

Head of Information Security

GTL has appointed a Head of Information Security. They can be contacted at:

Name: Korsuk Sirinukunwattana
Email: privacy@groundtruthlabs.com

Data Subjects seeking specific information or having questions can contact the Head of Information Security, who will respond within a reasonable timeframe based on the nature of the request or information sought.

For issues related to Personal Data processing, Data Subjects may contact the Head of Information Security.

Right to Lodge a Complaint with a Supervisory Authority

Individuals whose personal data is processed by GTL have the right to lodge a complaint with the relevant supervisory authority (for example, the list of competent supervisory authorities within the European Union can be found on the European Data Protection Board's website) if they believe the processing of their personal data is not in accordance with applicable data protection laws and regulations.

Data Processing Agreement/Addendum (“DPA”)

GTL's DPA outlines the terms and conditions under which GTL processes personal data. The DPA is available online for review by Individuals and Data Controllers where GTL is a Data Processor of a third party Data Controller.

Modification of this Privacy Policy

GTL reserves the right to modify or add to this Privacy Policy at any time due to legal, judicial developments, new applications, decisions, or recommendations from the relevant supervisory authority, or to reflect changes in GTL's practices.

Any updated version of this Privacy Policy will be made available on this page. Consequently, GTL encourages individuals to review this Privacy Policy regularly.

Additional Information

For more general information about personal data protection, please visit the website of the competent supervisory authority (for instance, the list of competent supervisory authorities within the European Union is available on the European Data Protection Board's website).

Queries Regarding this Privacy Policy

Should individuals require further information or assistance regarding this Privacy Policy, they are welcome to contact GTL via the details below:

Email: privacy@groundtruthlabs.com
Mail: Ground Truth Labs
125 Wood Street,
London,
United Kingdom,
EC2V 7AW