Privacy Notice for Clinical Trial Participants and Healthcare Professionals

Effective On: November 28, 2025
Last Modified On: November 28, 2025

1. Introduction

SymBio Pharmaceuticals Limited and our affiliates (collectively, "SymBio", "we", "us", "our") sponsor clinical trials. We take the protection of your personal information ("Personal Data") very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice for Clinical Trial Participants and Healthcare Professionals (this "Notice") addresses individuals ("Trial Participant") whose Personal Data we may receive in connection with participation in a clinical trial (a "Trial" or the "Trials") we sponsor, as well as healthcare professionals with whom we interact when we conduct the Trials ("Healthcare Professionals"). We refer to Trial Participants and Healthcare Professionals individually and together herein as "you" or "your."

This Notice is meant to help you understand the Personal Data we collect when you agree to be part of one of our Trials in your capacity as a Trial Participant or as a Healthcare Professional, why we collect it, how we protect it, and how you can exercise your privacy rights. We are required to give you this information in order to comply with applicable privacy laws, including the EU General Data Protection Regulation ("EU") 2016/679 (the "GDPR"), and the UK General Data Protection Regulation (the "UK GDPR").

This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website (https://www.symbiopharma.com/). This Notice also does not apply to Personal Data of our employees, job applicants, or contractors.

2. Controllership

Within the scope of this Notice, SymBio generally acts as a data controller for the Personal Data we collect, use and process in the context of the Trials we sponsor. This means that we alone determine the purposes and the means of the processing of your Personal Data.

In some jurisdictions, we are considered a "joint controller" with another organization, such as the study site where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with SymBio, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in or providing services for.

3. Categories of Personal Data

Even though we are a data controller for the Personal Data processed in the context of our Trials, SymBio itself does not have direct access to Trial Participants' identifiable Personal Data, meaning that we are typically unable to directly identify Trial Participants pursuant to Good Clinical Practice Guidelines. Your Personal Data is collected by the contract research organization ("CRO") assisting us with the Trial, the Trial site (the doctor's office, clinic, hospital, or other healthcare facility where the Trial is being conducted), or other third parties, such as your primary care doctors. When any information relating to Trial Participants is shared with us, it will be key-coded (also known as "pseudonymized") so that you will not be identified by any direct personal identifier (such as your name, social security number, address, or telephone number).

The following types of Trial Participants’ Personal Data may be processed in the context of our Trials:

  • Basic identifying information, such as your first and last name and initials;
  • Contact information, such as your phone number, physical address, and email address;
  • Participation data, such as study ID, site number, investigator details, informed consent forms and status, visit schedules, attendance, and participation status;
  • Health care information, such as the identity and contact information of your doctors and health care providers;
  • Health information, such as your medical history, current health status, results of physical examinations and laboratory tests conducted in this Trial, and reaction to the Trial drug;
  • Genetic information obtained from any biological samples you provide;
  • Financial data such as payment-related information (including social security number, taxpayer identification number, and financial account details);
  • Other demographic and sensitive information, including age, sex, race, and ethnicity; and
  • Location information, such as the location of your testing site and Trial location (i.e., study site).

Your identifiable Personal Data may be viewed by one of our service providers, like the contract research organization (the "CRO"), so they can verify the accuracy of records involved in the trial, but that information will never be copied into any system that we have access to and will not be made available to us.

You can ask your study doctor if you are unsure whether any specific Personal Data that you are being asked to provide is required as part of your participation in the Trial.

The following types of Healthcare Professionals’ Personal Data may be processed in the context of our Trials:

  • Identification data, such as name, title, role, specialty, age, and gender;
  • Contact details, such as email, phone number, address, workplace/affiliation, and country of practice;
  • Professional details, such as your place of practice, job title, the medical field in which you are active, professional qualifications, and scientific activities;
  • Financial and transactional data, such as payment-related information (including social security number, taxpayer identification number, and financial account details); and
  • Communications, such as correspondence with SymBio, feedback, and survey responses.

4. How We Receive Personal Data

In the context of this Notice, we collect Trial Participants’ Personal Data from the following sources:

  • you provide it to us when you participate in a Trial (including when you provide your Personal Data to one of our service providers acting on our behalf);
  • a study doctor (also known as an "investigator") or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
  • we receive it from the contract research organization ("CRO") that conducts the Trial on our behalf;
  • you visit one of our Trial-specific websites or online portals; and
  • you provide it to us, the CRO, or a study doctor when you complete a pre-screening questionnaire to confirm your eligibility to participate in the Trial.

In the context of this notice, we collect Healthcare Professionals’ Personal Data from the following sources:

  • you provide it to us in the context of assisting in the operation of a Trial.
  • your employer or the institutions where you provide Trial services, such as hospitals, universities, research sites, or clinics; and
  • third-party providers including recruitment agencies, credential verification providers, and compliance and due diligence providers.

5. Basis of Processing

Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on an appropriate lawful basis for processing your Personal Data. We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.

We may process Trial Participants’ Personal Data on the basis of:

  • Consent: We may ask for your consent and process your Personal Data, including special categories of Personal Data, such as your health status and medical history.
  • Compliance with Legal Obligations: We may process your Personal Data for us to comply with applicable laws or regulations, such as laws regulating the safety and reliability of our Trials.
  • Legitimate Interests: We may process your Personal Data based on our legitimate interests in facilitating and managing our Trials, such as for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.
  • Public Interest: We may process your Personal Data for reasons of public health interests to ensure adequate standards of quality and safety of the drugs or treatments we are developing.

SymBio will need to process data about your health in order for you to participate in a Trial. Health data is considered sensitive Personal Data (also known as a "special category" of Personal Data) and special rules apply to working with it. When we process special categories of your Personal Data, including health data or data about your race or ethnicity, we do so based on your explicit consent, which you gave in the Informed Consent Form you signed when you joined the Trial or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The specific grounds on which we process your Personal Data, including your health data, may vary from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. Please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.

We may process Healthcare Professionals’ Personal Data on the basis of:

  • Legitimate Interests: We may process your Personal Data personnel based on our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial staff recruiting and contracting processes.
  • Contract: We also process your Personal Data because it is necessary for the performance of the contracts between SymBio and Trial sites, including by enabling us to communicate with you and other principal investigators about the performance of the relevant Trial.
  • Compliance with Legal Obligations: We may process your Personal Data in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of a Trial.
  • Consent: We may also process your Personal Data with your consent.

Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests.

Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

6. Purpose of Processing

We process Trial Participants’ Personal Data for the purposes of:

  • Determining your eligibility for a Trial;
  • Conducting the Trial;
  • Managing and facilitating the Trial;
  • Enabling your participation in the Trial;
  • Answering the research questions for the Trial and aggregating data to generate statistics relating to the Trial and/or study drug or health treatment;
  • Arranging for the delivery of drugs to you and collection of unused drugs from you in relation to the Trial;
  • Arranging your transportation to or from the study site;
  • Providing reimbursement for certain Trial-related expenses (as applicable);
  • Sending you reminders about your appointments at the study site, or to take your medication on time;
  • Monitoring and reporting on any adverse events, such as negative side effects;
  • Developing new medicinal drugs or health treatments;
  • Complying with legislation governing Trials;
  • Disclosing your Personal Data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law;
  • Responding to your inquiries and requests;
  • Communicating with you on the status of the Trial;
  • Ensuring that each Trial drug is safe and reliable; and
  • Conducting related scientific and medical research.

We also process your Personal Data for the specific purposes described in the ICF provided to you by Trial personnel.

We process Healthcare Professionals’ Personal Data for the purposes of:

  • Managing our relationship with you;
  • Contacting Trial personnel for planning and organizing the Trials;
  • Conducting the Trials; and
  • Complying with applicable laws and regulations.

7. Automated Individual Decision-Making

Trial Participants will be assigned a unique Participant identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.

For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling.” But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.

8. Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide website functionality, authentication (session management), usage analytics (web analytics), and to remember your settings, and to generally improve our websites.

For more information on how we use cookies, please refer to the cookie policy located in the footer of the Trial-specific website.

9. Data Retention

SymBio will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable laws or regulations.

In regard to Trial Participants’ Personal Data, it should be noted that our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is "key-coded" before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.

To the maximum extent permitted by law, once Trial Participants’ Personal Data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the Trial and test results. For example, European law requires us to keep Personal Data that is part of the clinical trial master file for at least twenty-five (25) years after the conclusion of the applicable Trial. Other laws may require different retention periods.

10. Sharing Personal Data with Third Parties

We will share your Personal Data with our affiliates as well as service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by applicable laws and regulations.

We may share Trial Participants’ Personal Data with providers of the following services:

  • the contract research organization ("CRO") for Trial operations;
  • quality assurance, safety and pharmacovigilance software and related services;
  • data storage and archiving software and related services;
  • data analytics and reporting software and services;
  • services related to the collection, storage, testing, and transportation of biological material;
  • software that randomly decides which treatment you will receive during the Trial;
  • providers of expense reimbursement:
  • logistics and transport service providers; and
  • electronic data capture software and hardware.

We may share Healthcare Professionals’ Personal Data with:

  • The contract research organization ("CRO") for Trial operations to support the management and conduct of clinical trials;
  • Academic institutions and research partners to collaborate on scientific or medical projects;
  • Service providers and vendors, such as IT providers, payment processors, consultants, or professional advisors;
  • Regulatory authorities and public bodies;
  • Law enforcement or courts; and
  • Pharmacovigilance partners.

We require that all of these service providers protect your Personal Data, including through the adoption of adequate security measures, and use the data solely to provide the services to us.

We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right, meaning they also may determine the purpose or means of collecting or using your data for their own purposes. They will have their own privacy notices to govern their collection, use, and protection of your data. These third parties include clinical sites like hospitals and medical offices, and public government agencies.

We may share your Personal Data with certain regulatory agencies who oversee the conduct of clinical trials, including the United States Food and Drug Administration ("FDA"), the European Medicines Agency ("EMA") and the Medicines and Healthcare products Regulatory Agency ("MHRA"), and the Japanese Pharmaceuticals and Medical Devices Agency ("PMDA") as required to comply with certain reporting and regulatory obligations or in the context of future research. If we have to disclose your Personal Data to a government or law enforcement authority, we may not be able to ensure that those officials will protect your Personal Data to the same standard as we require in our contracts with our service providers.

11. Data Transfers

Some of these service providers and other third parties are located outside of the UK and European Economic Area ("EEA"), for example, in the United States and Japan. Therefore, your Personal Data may be processed outside your jurisdiction and in countries not subject to an adequacy decision by the European Commission, the UK Secretary of State, or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction.

When the GDPR or UK GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data, These safeguards may include the model data protection clauses approved by the European Commission and the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, as appropriate. To access these model clauses, please contact our Data Protection Officer at the contact details provided below.

If you are in a country outside the EEA and the UK, please note that we will only transfer your Personal Data outside of your country in accordance with applicable laws.

12. Other Disclosure of your Personal Data

We may disclose your Personal Data:

  • to the extent necessary, to regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
  • to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties);
  • if, in the future, we sell or transfer, or we consider selling or transferring, part or all of our company, business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events; and/or
  • in the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose, or assign your Personal Data in connection with the foregoing events.

If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

13. Data Integrity & Security

We have put in place and have required our service providers to put in place, technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include the use of measures like key-coding and encryption, where appropriate. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know and are subject to confidentiality obligations.

14. Your Privacy Rights

You have specific rights regarding your Personal Data that we collect and process.

If we process your Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. This means that you have the right to ask us to confirm whether or not we process your Personal Data, and, where that is the case, obtain a copy of or access to your Personal Data and other related information (such as the purposes for which we collected your Personal Data, and the categories of third parties that we share it with). You can also ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have about you, and to complete any incomplete Personal Data.

You may also have the right to ask that we limit/restrict our processing of your Personal Data (e.g., if you ask us to only use or store your Personal Data for certain purposes). You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.

You have the right to object to our processing of your Personal Data. We will always strive to fulfill your request. However, please note that there are occasions when doing so may not be possible, like when the law tells us we cannot do that, or where we need your Personal Data to complete the transaction for which we collected the Personal Data.

If we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

You may also have the right to “data portability,” which means that you may have the right to ask us to provide you with a copy of your Personal Data. If you exercise this right, we will provide you with a copy of your Personal Data in a structured, commonly used, and machine-readable format.

For Trial Participants: to exercise your privacy rights, please first speak with your study doctor instead of contacting us directly.

For Healthcare Professionals: to submit these requests or raise any other questions, please contact us by using the information in the "Contact Us" section below. You may also have the right to lodge a complaint with a data protection regulator in your applicable jurisdiction.

15. Data About Children

We obtain parental or legal guardian consent before processing Personal Data about children.

16. Changes To This Notice

If we update this Notice, we will post the revised version on our website and indicate the date of last modification.

17. Contact Us

If Trial Participants have any questions about this Notice or our processing of your Personal Data, please first speak with your study doctor. You may also contact our Data Protection Officer ("DPO") at experts@verasafe.com or at the contact information provided below. Upon receipt of your request, please allow up to one month for us to reply.

18. Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer ("DPO"). Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe's contact details are:

VeraSafe, LLC
100 M Street S.E., Suite 600
Washington, D.C. 20003
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
Tell: +1-617-398-7067

19. Data Protection Representative

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form:
https://www.verasafe.com/privacy-services/contact-article-27-representative/

Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road Cork T23AT2P
Ireland

United Kingdom Representative

We have appointed VeraSafe as our representative in the United Kingdom ("UK") for data protection matters. To contact VeraSafe, please use this contact form:
https://verasafe.com/public-resources/contact-data-protection-representative or via
telephone at :+44 (20) 45322003.

Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom