
Privacy Policy

Frontage Laboratories, Inc. is a leading global Contract Research Organization in the United States.
This privacy policy applies to the Company and its affiliated United States subsidiaries:

• Frontage Laboratories, Inc.
• RMI Laboratories, LLC
• BRI Biopharmaceutical Research, Inc.
• Biotranex, LLC
• Frontage Clinical Services, Inc.
• ACME Bioscience Inc

These entities (hereinafter collectively referred to as the “Company,” “we,” “us” or “our”) have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework. The Company is committed to subjecting, and does subject, all personal data received from the European Economic Area (EEA or Switzerland), in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov/list.

Further, all US citizens accessing this website from the continental United States, Hawaii, Alaska, or any US territory are afforded the same rights defined herein, including but not limited to US citizens who have given consent to the Company to control, process or otherwise transact Protected Health Information as defined by 45 CFR Part 160 & Part 164 Health Insurance Portability and Accountability Act of 1996 (HIPAA) are further protected by this policy and by the consent given at point of care.

California residents using our website or services have further protections under the California Consumer Privacy Act (CCPA); please see Sections PP.1.20, PP.1.21 & PP.1.22.

The Company is a global company with affiliates, varied business processes, management structures and technical systems that cross borders. Information collected by the Company or on our behalf may be stored on your computers, on your mobile devices, or on our servers, and may be transferred to, accessed from, or stored and processed in, the United States and other countries including but not limited to the EU and China, and any other country where the Company or its service providers maintain facilities. This policy will be adhered to at all times regardless of your jurisdiction and we will endeavor to protect your privacy rights at all times regardless of the location of our processing.
This privacy policy outlines our general policy and practices for implementing the Principles, including the types of information we gather, how we use it, notify, and confirm with affected individuals regarding our use of, and their ability to correct that information. This privacy policy applies to all personal information received by the Company whether in electronic, paper or verbal format.
The details of the Company’s privacy policy are below. If you have questions about our mobile and website security or our privacy policy, please email privacy@frontagelab.com.

This privacy policy additionally applies to our corporate website www.frontagelab.com. This privacy policy describes how the Company collects, uses, shares, and secures information, and describes your choices regarding use, access and correction of your personal data.

PP.1.1. Overview of the Company’s Services

The Company is a leading contract research organization with a focus on pre-clinical support areas. The table below represents the services offered. All service offerings are supported by computerized systems which, dependent on their applicability, are compliant with the International Conference on Harmonization (ICH), Good Clinical Practices (GCP) E6(R2) and 21 CFR Part 11 Electronic Records and Signatures and are, by design, not intended to process unblinded personal information.

All relevant data processes and flows have been assessed as part of our Security Risk Register and meet the Data Protection Impact Assessment Requirements of the GDPR and HIPAA/HITECH.

PP.1.2. Alignment with Privacy Regulations and Statutory requirements

The Company is committed to ensuring the privacy of our website visitors, our customers, and the patients whose data we process. In order to do so transparently, our alignment with major domestic and international privacy regulations is described below. Broadly and regardless of jurisdiction or country of residence, privacy inquiries specific to our use or processing of your data are welcomed via privacy@frontagelab.com. We will require verification of identity before processing a query or complaint.

PP.1.3. EU-U.S. & Swiss-US Privacy Shield

The Company’s Privacy Policy describes the types of personal data the Company may process, the types of third parties to which it discloses personal data and the purposes for which it does so. Residents of the EEA or Switzerland have the right to access the personal data that the Company maintains and, in some cases, may have the right to correct or amend information that is inaccurate or has been processed in violation of the Privacy Shield Principles, to the extent allowed by law. To exercise this right, contact us at privacy@frontagelab.com.

The Company complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. The Company has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

The Company is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. The Company complies with the Privacy Shield Principles for all onward transfers of personal data from the EEA or Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, the Company is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Company may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Residents of the EEA or Switzerland with inquiries or complaints regarding this Privacy Policy should first contact the Company Data Protection Officer via the contact information listed in the Website Privacy Policy below. If your privacy concern is not resolved satisfactorily, please contact the Data Protection Authority in your country of origin. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

PP.1.4. Legal Basis of Processing Data

We may process Personal Data under the following conditions:

• Consent: You have given Your consent for processing Personal Data for one or more specific purposes.
• Participation in a Clinical Study: You have given consent to be an active participant in a clinical study which may be listed on https://clinicaltrials.gov/
• Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
• Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
• Vital interests: Processing Personal Data is necessary to protect your vital interests or those of another natural person.
• Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
• Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.

Under all conditions and at the request of an impacted data subject the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

PP.1.5. Data Collection & Use

You may exercise Your rights of access, rectification, cancellation, and opposition by contacting privacy@frontagelab.com. Please note that we may ask You to verify your identity before responding to such requests, and further by making your request you are consenting for the personally identifiable information that you have provided to be used in the course of our internal response to your query or complaint.

You have the right to complain to a Data Protection Authority about Our collection and use of your Personal Data. For more information, if You are in the European Economic Area (EEA or Switzerland), please contact your local data protection authority in the EEA or Switzerland.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation will not be collected – unless:
a. You have given explicit consent to the processing of those personal data for one or more specified purposes, most commonly as a participant in a clinical study or analysis that the Company is performing on behalf of a study sponsor or a health care professional under whose care you currently reside.
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
c. an additional exception rule of GDPR Article 9 is met.
The purposes by which the Company processes personal data by way of our normal business practices may require the identification of a data subject; in those cases subjects provide prior written consent to the applicable data controller and therefore, beyond our obligations to the applicable Data Protection Agreement, we are not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.

PP.1.6. Choice

When possible the Company will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, the Company will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. The Company shall treat as Sensitive Personal Information any information received from an individual where the individual would treat and identify it as Sensitive Personal Information.

PP.1.7. Data Sharing: Personally Identifiable Information

The Company will not rent or sell your personally identifiable information to others. We may store personal information in locations outside the direct control of the Company (for instance, on servers or databases co-located with hosting providers). Any personally identifiable information you elect to make publicly available on our website or social media channels, such as by posting comments on our Twitter feed, will be available to others. If you remove information that you have made public on our website or social media channels, copies may remain viewable in cached and archived pages of our website, or if other users have copied or saved that information. Our Twitter feed, LinkedIn page and YouTube channel are managed by third-party applications that may require you to register to post a comment. You will need to contact or log in to the third-party application if you want the personal information that was posted to the site in question removed. To learn how the third-party application uses your information, please review their privacy policy.

PP.1.8. Data Sharing: Non-Personally Identifiable Information

We may share non-personally identifiable information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with interested third parties to help them understand the usage patterns for certain Company services and those of our partners. Such data consists solely of non-personally identifiable information. If you choose to publish any personally identifiable information during an interaction with a Company service or member of personnel, you understand and agree that this information, along with any personally identifiable information you choose to make available in connection with such results, may be made publicly available. If you remove information that you have made public on the website, copies may remain viewable in cached and archived pages of the website, or if other users have copied or saved that information; this is inclusive of social media postings.
Non-personally identifiable information may be stored indefinitely.

PP.1.9. Legal Requirements

We may disclose such data in response to subpoenas, court orders, or other legal process, or to establish or exercise our legal rights and obligations or defend against legal claims.

PP.1.10. Change of Control

We may buy or sell/divest/transfer the Company (including any shares in the Company), or any combination of its products, services, assets and/or businesses. Your information, such as customer names and email addresses, and other User information related to the Company may be among the items sold or otherwise transferred in these types of transactions. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the Company.

You will be notified via a prominent notice on our website as to any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. In the event of a change of control, privacy@frontagelab.com will continue to operate or be forwarded to the competent party with the new entity.

PP.1.11. Children

Our services and this website are not intended for children under the age of 16, and we do not knowingly collect information from children under the age of 16. If you are concerned that such information has been collected inadvertently or otherwise, please contact privacy@frontagelab.com.

PP.1.12. Personal Data Protection Rights

Citizens of the EEA or Switzerland have full rights to access, update, object to, restrict, or request deletion of personal data or make use of data portability. If you wish to do so, contact us at privacy@frontagelab.com stating that request. We will respond within 96 hours of your request.

PP.1.13. EEA/Swiss Citizens Rights under the GDPR

The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.

You have the right under this Privacy Policy, and by law if you are within the EEA or Switzerland, to:
• Request access to Your Personal Data. The right to access, update or delete the information that we hold about you. Whenever made possible, you can access, update or request deletion of your personal data by making a request via privacy@frontagelab.com.
• Request correction of the Personal Data that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected.
• Object to processing of your Personal Data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your Personal Data on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes (not a Company business practice).
• Request erasure of Your Personal Data. You have the right to ask us to delete or remove Personal Data at the conclusion of our data processing activities.
• Request the transfer of Your Personal Data. We will provide to you, or to a third-party you have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for and does not apply to deidentified or blinded clinical study data that we have processed.
• Allow the Company, by your own consent, to process your data in conjunction with our contracted business practices.
• Withdraw your consent. You have the right to withdraw your consent on using your Personal Data. If You withdraw your consent, the Company will be unable to perform the contracted services we are engaged in, on your behalf.

PP.1.14. Voluntarily Submitted Information on our Websites

This privacy policy applies to our corporate websites and explains how the Company (“we,” “us,” “our”) and our affiliates and subsidiaries collect, use and share information on the website that links to this policy (collectively “Website”). By using the Website, you agree to the terms of this Privacy Policy.

PP.1.15. Information Collection & Use

When you use the Website, you may encounter areas that allow you to voluntarily enter personal data, which includes your name, email address, telephone number and mailing address.

You may provide this information to us when you sign up for our newsletter, request information about products, apply for a job, fill out surveys, or otherwise provide personal data to us.

PP.1.16. Website Usage Information

When you browse our Website, we may collect various types of usage information, including, but not limited to, IP address, web pages visited, links clicked, your operating system and browser type and your mobile device identifier. Such information is used for the purposes of operating and improving our Website, analyzing demographic and statistical research about website usage, customizing offers and monitoring the Website for compliance with our terms of service and the law, as well as other purposes.

This usage information may be collected through various technologies, including but not limited to “cookies.”

Through interaction with our public website we may collect various types of information, including personal data, from mobile devices using cookies, scripts, web beacons, software development kits (“SDK”), or other similar techniques. These technologies are used to collect digital actions of users that visit and use mobile websites and apps or interact with our website.

The data we collect can include a device identifier, browser and operating system type and version, device type and other data from or about a mobile device including precise location data, as well as information about users’ web viewing, app use, and demographic data collected by other parties such as gender or year of birth. This data may be collected over time across different apps, websites, browsers or devices.

We limit use of data voluntarily shared via our website for purposes including analytics; research; reporting; attribution; Service enhancements and other business operations; predicting possible relationships among different browsers and devices; differentiating and/or associating multiple device users as well as associating devices or users with locations such as a household or workplace.

Entry of direct personal information into our website (your name, telephone number, website requires your affirmative consent.

We will not sell, rent, license, trade or disclose your personal data collected through our Websites to an unaffiliated third party, except with your permission.

PP.1.17. Security

We follow generally accepted security standards to help protect the personal data submitted to us, both during transmission and once it is received. Data security is managed by our Information Security Management System.

PP.1.18. The Company as the Data Controller or Processor

When the Company acts as the data controller we are committed to the enforcement of all aspects of this policy. We have developed internal mechanisms for the receipt of complaints, for the communication of data breaches and for joint data processing engagements.

We are committed to adhering to the codes of conduct for patient privacy and study integrity as outlined by the International Conference on Harmonization for Good Clinical Practices E6(R2). Technical and organizational measures which are designed to implement data-protection principles, such as pseudonymization and data minimization, will be applied as necessary and required by the study protocol and with the express consent of the study participants (data subjects).

Where processing is to be carried out by the Company on behalf of a controller, we are committed to agreeing a mutually executed Data Processing Agreement. The Company shall not engage another processor without prior specific or general written authorization of the controller.

In the case of general written authorization (as codified by our Data Processing Agreement), the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

All Company associates are trained on both this policy and additional internal privacy practices that have been created in support of this policy.

PP.1.19. In the event of a Data Breach

We have developed an internal process for the identification and processing of data breaches.
In the event of a personal data breach, where feasible and not later than 72 hours after having become aware of it, the Company will notify the personal data breach to the supervisory authority competent in accordance with either: Article 55 for EU and Swiss subjects (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the affected person(s)); or the national or state competent authority relevant to the residence of the Data Subject.

Further, as mitigation against data breaches and as an integrated part of our Information Security Management System we have integrated Data Protection Impact Assessments (DPIA) into our Security Risk Register.

We are additionally committed to the enforcement of The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 for US Data Subjects and the California CCPA.

If you are concerned that you have been impacted by a breach as a direct result of the Company processing your data, contact our Data Protection Officer: privacy@frontagelab.com.

PP.1.20. For residents of California: Your Rights under the California Consumer Privacy Act (CCPA)

Under this Privacy Policy, and by law if You are a resident of California, you have the following rights:
• The right to notice: You must be properly notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
• The right to access / the right to request: The CCPA permits you to request and obtain from the Company, information regarding the disclosure of Your Personal Data that has been collected in the past 12 months by the Company or its subsidiaries to a third-party for the third party’s direct marketing purposes.
• The right to say no to the sale of Personal Data: You also have the right to ask the Company not to sell your Personal Data to third parties. You can submit such a request by emailing our Data Protection Officer at privacy@frontagelab.com.
• The right to know about Your Personal Data: You have the right to request and obtain from the Company information regarding the disclosure of the following:

  • The categories of Personal Data collected
  • The sources from which the Personal Data was collected
  • The business or commercial purpose for collecting or selling the Personal Data
  • Categories of third parties with whom we share Personal Data
  • The specific pieces of Personal Data we collected about you

• The right to delete Personal Data: You also have the right to request the deletion of your Personal Data that have been collected in the past 12 months.
• The right not to be discriminated against: You have the right not to be discriminated against for exercising any of Your Consumer’s rights, including by:

  • Denying goods or services to you
  • Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
  • Providing a different level or quality of goods or services to You
  • Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services.

PP.1.21. Exercising Your CCPA Data Protection Rights

In order to exercise any of Your rights under the CCPA, and if you are a California resident, you can email us at privacy@frontagelab.com. The Company will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

PP.1.22. CCPA: Do Not Sell My Personal Information

We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology that “sells” personal information as defined by the CCPA law. If you wish to opt out of the use of your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by following the instructions below.

Please note that any opt out is specific to the browser You use. You may need to opt out on every browser that you use.

You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions as prompted.

The opt out will place a cookie on Your computer that is unique to the browser you use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.

PP.1.23. Mobile Devices

Your mobile device may give you the ability to opt out of the use of information about the apps you use in order to serve you ads that are targeted to your interests:

  • “Opt out of Interest-Based Ads” or “Opt out of Ads Personalization” on Android devices
  • “Limit Ad Tracking” on iOS devices

You can also stop the collection of location information from Your mobile device by changing the preferences on your mobile device.

“Do Not Track” Policy as Required by California Online Privacy Protection Act (CalOPPA)
Our Service does not respond to Do Not Track signals. However, some third-party websites do keep track of Your browsing activities. If You are visiting such websites, you can set Your preferences in Your web browser to inform websites that You do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of Your web browser.

PP.1.24. Your California Privacy Rights (California’s Shine the Light law)

Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties’ direct marketing purposes.
If you would like to request more information under the California Shine the Light law, and if you are a California resident, you can contact Us using the contact information provided below.

PP.1.25. California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)

California Business and Professions Code section 22581 allows California residents under the age of 18 who are registered users of online sites, services, or applications to request and obtain removal of content or information they have publicly posted. To request removal of such data, and if you are a California resident, you can contact us using the contact information provided below and include the email address associated with your account.

Be aware that Your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

PP.1.26. Links to Other Websites

Our Website may contain links to other websites that are not operated by the Company. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

PP.1.27. Changes to this Privacy Policy

This Privacy Policy is subject to bi-annual review as consistent with Company policy.

We will notify you of any changes by posting the new Privacy Policy on this page. We will let You know via email and/or a prominent notice on our website prior to the change becoming effective, and will update the “Last updated” date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

PP.1.28. Contact Us

If you have questions or queries regarding our privacy policy or practices, please contact us at:

Frontage Laboratories, Inc
700 Pennsylvania Drive, Exton, PA 19341 (HQ)

Our Data Protection Officer is Ellen P Jimenez, MS, who can be reached at: privacy@FrontageLab.com.

As a Privacy Shield registered organization, we will respond to your request within 45 days.

Last updated as of July 16, 2020