Privacy Policy

CytoReason Privacy and Data Protection Policy and Notice

Last Updated: March 28, 2022

CytoReason Ltd (“CytoReason“, “we”, “our” or the “Company“, and their cognates) respects the privacy of its Customers, employees and candidates, and is committed to protecting the personal information you may share with us. We also protect the privacy of our Customers’ End-User’s, as well as our website visitors, site visitors, followers, vendors, service providers, partners and others who come in contact with CytoReason (these and any others with respect to whom we collect personal data, shall collectively be referred to as “Customers” or “you” or “Data Subjects”).

This privacy policy and notice (the “Privacy Policy“) explains the types of information we may collect from you or that you may provide when you visit our website, www.CytoReason.com, (the “Website”), our social media pages, or you may provide us with such data in the course of your interest in our services, at conferences, and in job applications, in the course of employment or provision of services. This policy also explains how we process the personal data on behalf of our Customers. We are transparent about our practices regarding the information we may collect, use, maintain and process and describe our practices in this Privacy Policy. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

For the purposes of European Economic Area data protection law, (the “Data Protection Law“):

CytoReason will usually be a data controller (the “Controller“) in relation to the Personal Data of our Customers, our prospective Customers, our employees and our candidates.

CytoReason will usually be a data processor (the “Processor“) in relation to the Personal Data processed on behalf of our Customers, specifically the Personal Data of end-user participants of the clinical trial that our Customers have governance over (“End-Users”), or other providers of clinical data.

  1. WHICH INFORMATION WE COLLECT?

 

Summary: we collect various categories of personal data in order to meet our contractual obligations, and also to meet various legitimate interests, such as fraud prevention and marketing.

We collect data about you in connection with your transactions with us, or in processing data for our Customers.

We elaborate here on two categories of information and data we may collect from, on behalf of, or in connection with our Customers.

Data we collect about you from your interactions with us:

One type of data is non-identifiable and anonymous information (“non-personal data“). We also collect several categories of personal data (“Personal Data“). Personal Data which is being gathered consists of any details which are personally identifiable provided consciously and voluntarily by you, or by an organization you represent or are associated with or through your use of the Website (as described below). This may include your name (first and last), email address, phone numbers, postal address, gender, birthdate, position and organization name, and other information you may choose to provide to CytoReason. Additionally, we may obtain location data related to the geographic location of your laptop, mobile device or other digital device on which the CytoReason website is used.

You do not have any legal obligation to provide any information to CytoReason. However, we require certain information in order to perform contracts, sale or purchase, or to provide any services. If you choose not to provide us with certain information, then we may not be able to provide you or your organization with some or all of the services.

CytoReason collects data relating to employees. This is governed by a specific notice we have made available to our employees.

CytoReason also collects data relating to its own employment candidates. This includes CVs and the data contained therein, notes on meetings, standardized tests, reports, references, interviewer impressions and such industry standard data, as well as collecting data made publicly available or available to us on social networks. We collect such data based on the intention of the candidate to enter into an employment agreement with CytoReason. In the unlikely event that we collect and process special categories of personal data in the recruiting context, we will do so based on our legitimate interest of ensuring we recruit well-suited people.

Data that we process on behalf of our Customers:

Our Customers collect Personal Data about End-Users who are participants in clinical trials. As part of the services that we offer to our Customers, we store and process this Personal Data. This can include End-User’s genetic material, gender, age, medical and pharmaceutical history and any other Personal Data that our Customers choose to collect as part of their clinical trial. This will almost certainly include sensitive categories of personal data such as data revealing health data, and may include other sensitive data such as data revealing racial or ethnic origin. We use this data in order to provide data driven target discovery and drug development.

  1. HOW DO WE COLLECT PERSONAL DATA OF YOURS ON CYTOREASON FACILITIES AND SERVICES?

 

Summary: we collect personal data when you or your organization send it to us, or when a vendor sends it to us so; we collect personal data through our websites, cookies and services.

We collect Personal Data through your use of our Website. In other words, when you are using the Website, we are aware of it and gather, collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below. This includes technical information and behavioral information such as the User’s Internet protocol (IP) address used to connect your computer to the Internet, your uniform resource locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, the User’s ‘clickstream’ on the website, the period of time the User visited the website, methods used to browse away from a page. We likewise place cookies on your browsing devices (see section ‘Cookies’ below), though you may block these.

We collect Personal Data in connection with site visits, in the course of preparing a contract, or otherwise in engaging with us. We may also collect Personal Data through our CCTV recordings, which automatically collect information about your presence CytoReason’s offices.

  1. WHAT ARE THE PURPOSES OF PERSONAL DATA WE COLLECT?

 

Summary: we process personal data to meet our obligations, protect our rights, and manage our business.

We will use Personal Data to provide and improve our services to our Customers and others and meet our contractual, ethical and legal obligations, including for example:

Processing which is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract:

  • to enable us to meet our legal, contractual, ethical and business obligations as an employer and a potential employer for our employees and job applicants;
  • carrying out our obligations arising from any contracts entered into between you or your employer or organization and CytoReason and/or any contracts entered into with CytoReason and to provide you with the information and services that you request from CytoReason;
  • verifying and carry out financial transactions in relation to payments you make in connection with the services;

 

Processing which is necessary for the purposes of the legitimate interests pursued by CytoReason or by a third party of providing an efficient and wide-ranging service to customers:

  • notifying you about changes to our services;
  • replying to your queries, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity;
  • Storing and processing log-in behaviours and information by Customers to better understand Customer experience and to prevent fraud;
  • contacting you to give you commercial and marketing information about events or promotions or additional services offered by CytoReason;
  • soliciting feedback in connection with your use of the services;

 

Processing which is necessary for compliance with a legal obligation to which CytoReason is subject:

  • compliance and audit purposes, such as meeting our reporting obligations, and for crime prevention and prosecution in so far as it relates to our staff, Customers, facilities etc;
  • if necessary, we will use Personal Data to enforce our terms, policies and legal agreements, to comply with court orders and warrants and assist law enforcement agencies as required by law, to collect debts, to prevent fraud, infringements, identity thefts and any other service misuse, and to take any action in any legal dispute and proceeding;
  • for security purposes and to identify and authenticate your access to the parts of the facilities;

 

We may collect Personal Data of our Customers’ personnel, which will be used for the purposes set out above.

 

  1. SHARING DATA WITH THIRD PARTIES

 

Summary: we share personal data with our service providers and authorities where required.

We transfer personal data to third party service providers.

We transfer Personal Data to third parties in a variety of circumstances. We endeavor to ensure that these third parties use your information only to the extent necessary to perform their functions, and to have a contract in place with them to govern their processing on our behalf. These third parties assist us in providing the services we offer, processing transactions, fulfilling requests for information, receiving and sending communications, storing data, providing IT and other support services or in other tasks, from time to time. These third parties also include analytics and search engine providers that assist us in the improvement and optimisation of our website, and our marketing.

We periodically add and remove third party providers. At present our third-party providers to whom we may transfer Personal Data include also the following:

  • [Google/cloud services]
  • Wix, Google Analytics.
  • Office365
  • Azure
  • Slack
  • Our lawyers, accountants, local payroll service providers, other standard business service providers.
  • Other industry standard business software and partners.

 

In addition, we will transfer Personal Data to third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal or audit or compliance obligation or respond to a complaint or security threat, in the course of any legal or regulatory proceeding or investigation, to prevent illegal uses of our services or in order to enforce or apply our terms and other agreements with you or with a third party; or to assert or protect the rights, property, or safety of CytoReason, our Customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

For avoidance of doubt, CytoReason may transfer and disclose non-personal data to third parties at its own discretion.

We will not sell or otherwise transfer the personally identifiable information you provide to us at our Website to any third parties for their own direct marketing use unless we provide clear notice to you and obtain your explicit consent for your data to be shared in this manner.

 

  1. WHERE DO WE STORE YOUR DATA?

 

Summary: we store your personal data across multiple locations globally

 

We store your Personal Data in Google’s Cloud/ Microsoft’s cloud services; Azure.

We may in the future also keep Personal Data in servers which will be owned or controlled by CytoReason, or processed by third parties on behalf of CytoReason, by reputable cloud-service providers in Israel or in the EU, including use of cloud-service providers with servers located in the US; see the following section regarding international data transfers.

 

  1. INTERNATIONAL DATA TRANSFERS

 

Summary: we transfer personal data within and to the EEA, UK, USA, Israel and elsewhere, with appropriate safeguards in place.

Personal Data is transferred to, and processed in Israel, a country outside the European Economic Area (EEA) recognized by the EU as having adequate Data protection laws.

 

[Personal Data is transferred to, and processed in the USA, for storage purposes through the use of Microsoft’s cloud services Azure. This is done under mechanisms recognized by Data protection laws such as SCCs.]

We may transfer your Personal Data elsewhere outside of the EEA, in order to:

  • store or backup the information;
  • enable us to provide you with the services and fulfil our contract with you;
  • fulfill any legal, audit, ethical or compliance obligations which require us to make that transfer;
  • facilitate the operation of our business, where it is in our legitimate interests and we have concluded these are not overridden by your rights;
  • to serve our Customers across multiple jurisdictions; and
  • to operate our company in an efficient and optimal manner.

When transferring personal data to countries outside the EU/EEA, to jurisdictions that did not receive an adequacy decision by the European Commission, we use standard contractual clauses approved by the European Commission to ensure a sufficient level of protection for your personal information. The standard contractual clauses can be found via the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

  1. DATA RETENTION

Summary: we retain personal data according to our data retention policy, as required to meet our obligations, protect our rights, and manage our business. Our clients decide when to delete the data they control.

CytoReason will retain Personal Data it processes only for as long as required in our view, to provide the services and as necessary to comply with our legal and other obligations, to resolve disputes and to enforce agreements. We will also retain Personal Data to meet any audit, compliance and business best-practices.

Data with respect to which CytoReason is the Processor may be deleted only on action and/or instruction of the Controller, except where such data must be retained by us, in our judgment, as above, if not otherwise instructed by legal contract.

Data that is no longer retained may be anonymized or deleted. Likewise, some metadata and statistical information concerning the use of our services are not subject to the deletion procedures in this policy and may be retained by CytoReason. We will not be able to identify you from this data. Some data may also be retained on our third-party service providers’ servers until deleted in accordance with their privacy policy and their retention policy.

  1. SERVICES AND WEBSITE DATA COLLECTION AND COOKIES

Summary: with your consent, we place cookies on your device. You control our use of cookies through a cookie management tool on our websites, or through your device and browser

 

When you access or use our services or Websites, CytoReason may use industry standard technologies such as cookies, pixels and similar technologies, which store certain information on your computer or browsing device and which will allow us to identify the computer or device and in some cases to identify them with the user, and to enable automatic activation of certain features, and make your user experience more convenient and effortless. We use different types of cookies: some cookies are strictly necessary, they are required for the operation of our Websites and services under our terms with you; We also use analytical and performance monitoring cookies, which allow us to recognise and count the number of visitors and to see how visitors move around our website and services when they are using it.

Different cookies are kept for different periods. Session cookies are used to keep track of your activities online in a given browsing session; these cookies generally expire when the browser is closed but may be retained for a period on your device. Third-party cookies are installed by third parties with the aim of collecting certain information to research behaviour, demographics. Third party cookies on our site include, for example, Google Analytics. Likewise, pixels from LinkedIn and others enable integration of third-party service providers (eg Twitter, YouTube) may be embedded on our site. Third party cookies will be retained according to the terms of those third parties, and you can control those cookies in your browser settings.

We use cookies and other technologies on the basis that they are necessary for the performance of a contract with you, or because using them is in our legitimate interests of improving, optimizing and personalizing our services, and these are not overridden by your rights.

Most browsers will allow you to erase cookies from your computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. However, if you block or erase cookies your online experience on our Website and services will be limited.

Our services and Website may, from time to time, contain links to external sites. We are not responsible for the operation, privacy policies and practices or the content of such sites.

  1. SECURITY AND STORAGE OF INFORMATION

 

Summary: we take data security very seriously, invest in security systems, and train our staff. In the event of a breach, we will notify the right people as required by law.

We take great care in implementing, enforcing and maintaining the security of the Personal Data we process, whether as Processor or as Controller. CytoReason implements, enforces and maintains security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of Personal Data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Where we deem it necessary in light of the nature of the data in question and the risks to data subjects, we may encrypt data. Likewise, we take industry standard steps to ensure our Website and services are safe. We are ISO27001 certified.

Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.

Within CytoReason, we endeavor to limit access to Personal Data to those of our personnel who: (i) require access in order for CytoReason to fulfil its obligations, including also under its agreements, and as described in this Privacy Policy , and (ii) have been appropriately and periodically trained with respect to the requirements applicable to the processing, care and handling of the Personal Data, and (iii) are under confidentiality obligations as may be required under applicable law or legal contracts & documents.

CytoReason shall act in accordance with its policies and with applicable law to promptly notify the relevant authorities and data subjects (or data providers when CytoReason is a processor) in the event that any Personal Data processed by CytoReason is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. CytoReason shall promptly take reasonable remedial measures.

  1. EU DATA SUBJECT RIGHTS

Summary: depending on the law that applies to your personal data, you may have various data subject rights, such as rights to access, erase, and correct personal data, and information rights. We will respect any lawful request to exercise those rights.

Data subjects with respect to whose data GDPR applies, have rights under GDPR and local laws, including, in different circumstances, rights to data portability, rights to access data, rectify data, object to processing, and erase data. It is clarified for the removal of doubt, that where Personal Data is provided by a Customer, such data subject rights will have to be effected through that Customer. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of CytoReason employees and staff, with CytoReason proprietary rights, and third-party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, cannot be accessed or erased or rectified by data subjects. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, data subjects generally have a right to withdraw their consent.

If, for any reason, a data subject wishes to modify, delete or retrieve their Personal Data, they may do so, where applicable, by contacting CytoReason (privacy@CytoReason.com). Note that CytoReason will have to undertake a process to identify a data subject exercising their rights. CytoReason keeps details of such rights exercised for its own compliance and audit requirements. Please note that Personal Data may be either deleted or retained in an aggregated manner without being linked to any identifiers or Personal Data, depending on technical commercial capability. Such information will continue to be used by CytoReason. Please note however that deletion could mean that CytoReason cannot provide you any requested services.

Data subjects in the EU have the right to lodge a complaint, with a data protection supervisory authority in the place of their habitual residence. If the supervisory authority fails to deal with a complaint you may have the right to an effective judicial remedy.

Where CytoReason is a Processor, any data subject rights may be exercised only through the relevant Controller.

  1. GENERAL

 

Minors. We do not knowingly collect or solicit information or data from children under the age of 16 or knowingly allow children under the age of 16 to register for CytoReason services. If you are under 16, do not register or attempt to register for any of the CytoReason Service or send any information about yourself to us. If we learn that we have collected or have been sent Personal Data from a child under the age of 16, we will delete that Personal Data as soon as reasonably practicable without any liability to CytoReason. If you believe that we might have collected or been sent information from a minor under the age of 16, please contact us at: privacy@CytoReason.com, as soon as possible.

Changes to this Privacy Policy. The terms of this Privacy Policy will govern the use of the services, websites, and any information collected in connection with them. CytoReason may amend or update this Privacy Policy from time to time. The most current version of this Privacy Policy will be available at: https://www.CytoReason.com/privacy . Changes to this Privacy Policy are effective as of the stated “Last Revised” date and your continued use of our services will constitute your active acceptance of the changes to and terms of the Privacy Policy.

CytoReason aims to process only adequate, accurate and relevant data limited to the needs and purposes for which it is gathered. It also aims to store data for the time period necessary to fulfill the purpose for which the data is gathered. CytoReason only collects data in connection with a specific legitimate purpose and only processes data in accordance with this Privacy Policy. Our policies and practices are constantly evolving and improving, and we invite any suggestions for improvements, questions or comments concerning this Privacy Policy, you are welcome to contact us (details below) and we will make an effort to reply within a reasonable timeframe.

CytoReason contact details: Azrieli Circular Tower, 16th floor Derech Menachem Begin 132, Tel Aviv-Yafo 6701101, Israel, privacy@CytoReason.com.

*          *          *          *          *