Y-Prime, LLC Privacy Policy

1. Purpose

Y-Prime, LLC (“YPrime”) is a provider of eClinical technologies and consulting services to the pharmaceutical and life sciences industries, offering Interactive Response Technology (IRT), Electronic Clinical Outcome Assessment (eCOA), Electronic Informed Consent (eConsent), and Electronic Monitoring Visit Report (eMVR) services. YPrime’s solutions, including mobile application technologies, support clinical trial management and execution at independent clinical trial sites for clinical research, health, and wellness purposes. These technologies are used by YPrime customers (typically Sponsors or Controllers) to collect, process, store, and manage trial subject personal and medical data, as well as sensitive information, in support of clinical trials.

YPrime is dedicated to transparency in the collection and use of Personal data. This notice outlines YPrime’s commitment to privacy, data protection, and the rights and responsibilities related to personal data. This policy is structured into the following sections, detailing how YPrime upholds its privacy commitments:

1. Purpose
2. Data protection principles
3. Information collected
4. Clinical trial participants and candidates
5. Visitors to our corporate websites and physical locations, and senders of inquiries
6. Health care professionals
7. Vendors
8. Attendees at Events
9. How We Share Personal data
10. Individual Rights
11. Data Security
12. International Data Transfers
13. How long your personal data will be retained
14. Cookies and similar technologies
15. Contact us
16. Data Localization in China
17. Supplemental Privacy Notice for US Residents

This notice applies to all Personal data of clients, clinical trial participants, health care professionals, vendors, job applicants, employees, contractors, former employees, and visitors to YPrime’s website (such as cookies and internet tags) which is provided to, or collected and processed by YPrime.

If you are a resident of certain states in the United States, this Policy also incorporates our Supplemental Privacy Notice for US Residents, which includes additional information required to be provided under certain state laws.

YPrime respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. YPrime strives to collect, use and disclose personal data in a manner consistent with the laws of the countries in which it does business.

This notice may occasionally be updated. When material updates are made, the date of the last revision will be reflected within the YPrime Quality Management System.

2. Data protection principles

YPrime processes personal data in accordance with the following data protection principles:

Processes personal data fairly, lawfully, and in a transparent manner.
Collects personal data only for specified, explicit and legitimate purposes.
Processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
Keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
Keeps personal data only for the period necessary for processing.
Adopts appropriate measures to make sure that personal data is secure, and protected against unauthorized or unlawful processing, and accidental loss, destruction or damage.

YPrime takes responsibility for how it acquires, processes, and disposes of personal data, and for ensuring compliance with the above principles.

3. Information collected

Below is a high-level summary of the types of personal data we may collect from you. Following that high-level summary is additional detail and information on how we collect, process and use your personal data.

YPrime does not knowingly collect, maintain, disclose, or otherwise process personal data from minors below the age of 16 without the permission of such minor’s parents or legal guardians.

YPrime may process personal data as a data controller or as a data processor (or sub- processor). When YPrime processes the personal data as a data processor (or a sub- processor), YPrime (a) will only process the personal data in accordance with the applicable laws, rules, regulations, and as specifically directed by the data controller; (b) and will use the personal data only to the extent necessary to provide the services.

4. Clinical trial participants and candidates

We may process your personal data when you participate or intend to participate in a clinical trial, or you are a caregiver of a patient who participates in a clinical trial that is sponsored by one of our customers. YPrime provides software and various other services to clinical trial sponsors and CROs (Contract Research Organizations). Under such circumstances, YPrime is the data processor, and the clinical trial sponsor is the data controller. The data controller may provide you with additional data privacy information. In every case, if you choose to participate in a clinical trial, the data controller will provide you with a separate privacy notice detailing how your personal data will be processed during the trial.

Examples of the types of data we process:
Depending on the services YPrime provides to the data controller, and always in compliance with applicable laws, YPrime may process the following types of data:

Identity and contact information, such as:

First and last name
Patient ID
Email address
Postal address
Phone number
Signature

Other personal information, such as:

Age
Gender
Initials
Date of birth
Username
Password

Visual and audio information, such as:

Still images
Video or audio recordings

Technical Information, such as:

Internet Protocol (IP) address
Browser type and browser language
Device type and/or device ID, if the device is provided by YPrime
Location data to enable Bluetooth connection to study devices
Activity on our product portal or applications
Data collected from cookies or other similar technologies

Health information:

Diseases
Study visit dates
Medical history and treatment information
Responses to questionnaires/e-diaries

Anonymized / de-identified data:

Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered personal data under data protection laws.

Where do we get the data?
We may get your personal data (1) directly from you; (2) from the devices you use; (3) from your caregiver; (4) from health care professionals.

Why do we process the data?

To send you your login credentials
To provide the software/services to you and to our customers
To send you reminder messages
To determine your eligibility to participate in the clinical trial
To identify and authenticate you
To detect security incidents
To protect against malicious or illegal activity
To ensure the appropriate use of our software
To improve our software and services
For short-term, transient use
For administrative purposes
For quality assurance

YPrime’s role in the data processing:
YPrime processes the personal data on behalf of the study sponsor as a data processor. The study sponsor is the data controller of the personal data.

The legal basis of processing:
As determined by the data controller.

Who receives the data?

YPrime, our affiliates, subsidiaries, and related companies
Our customers (the data controller who sponsors the clinical trial)
Health care professionals (members of the study team)
Vendors that assist us in providing our Services

The device manufacturers or OS providers have no access to Personal data.

5. Visitors to our corporate websites and physical locations, and senders of inquiries
We may process your personal data when you (1) visit our websites or our physical locations; (2) submit inquiries to us online or offline; (3) sign up for our newsletters or other informational or marketing materials.

Examples of the types of data we process:

Identity and contact information, such as:
- First and last name, email address, postal address, phone number
Visual and audio information, such as:
- Still images, video (including via CCTV), recordings of your calls
Technical Information, such as:
- Internet Protocol (IP) address, browser type and browser language, device type, Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our website, activity on our website and referring websites or applications, data collected from cookies or other similar technologies
Anonymized / de-identified data
- Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered personal data under data protection laws.

Where do we get the data?

We may get the personal data (1) directly from you; (2) from the devices you use; (3) our security systems (CCTV); (4) third parties.

Why do we process the data?

To provide you with access to our website and to our services
To communicate with you
To send you updates
To customize content for you
To detect security incidents
To protect against malicious or illegal activity
To ensure the appropriate use of our website
To improve our services
For short-term, transient use
For administrative purposes
For marketing, internal research, and development
For quality assurance

YPrime’s role in the data processing:
YPrime is the entity responsible for the collection and use of your Personal data (known in some jurisdictions as the “data controller”).

The legal basis of processing:

For the purposes of our legitimate interests
In circumstances where we have requested and received consent
For other purposes that may be required or allowed by law

Who receives the data?

YPrime, our affiliates, subsidiaries, and related companies
Vendors that assist us in providing our services or help us improve our marketing or administration

6. Health care professionals

We may process your Personal data if you work at a research site and participate in a clinical trial that is or has been sponsored by one of our customers.

Examples of the types of data we process:
Depending on the services YPrime provides to its customers, YPrime may process the following types of data:

Identity and contact information, such as:
- First and last name, email address, postal address, phone number
Other personal information, such as:
- Username, password
Visual and audio information, such as:
- Video or audio recordings
Technical Information, such as:
- Internet Protocol (IP) address, browser type and browser language, device type and/or device ID, if the device is provided by YPrime, activity on our website or applications, data collected from cookies or other similar technologies.
Professional and educational information
- Job title or position, employer, medical license number, work skills, employment history, degrees and certifications, clinical trial experience, specialized trainings and training records, performance metrics.
Anonymized / de-identified data
- Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified and the information is no longer considered personal data under data protection laws.

Where do we get the data?
We may get the personal data (1) directly from you; (2) from the devices you use; (3) from our customers; (4) data may be generated based on your interaction with YPrime.

Why do we process the data?

To send you your login credentials
To provide the software/services to you and to our customers
To send you reminder messages
To communicate with you
To provide you training
To identify and authenticate you
To detect security incidents
To protect against malicious or illegal activity
To ensure the appropriate use of our software
To improve our software and services
For short-term, transient use
For administrative purposes
For quality assurance
For marketing, internal research and product development
To assess your eligibility to participate in clinical trials
To recommend you to clinical trial sponsors

YPrime’s role in the data processing:
When YPrime provides services to a sponsor of a clinical trial or Contract Research Organization (CRO), YPrime processes the personal data on behalf of the study sponsor as a data processor. The study sponsor is the data controller of the personal data.

YPrime processes the personal data as a data controller for the following purposes:

For marketing, internal research and product development
For administrative purposes
For quality assurance

The legal basis of processing:

As determined by the data controller
For the purposes of our legitimate interests
For other purposes that may be required or allowed by law
To comply with a legal requirement
In preparation for or to perform a contract
Your consent

Who receives the data?

YPrime, our affiliates, subsidiaries, and related companies
Vendors that assist us in providing our Services

The device manufacturers or OS providers have no access to Personal data.

7. Vendors

We may process your personal data if you provide any services to YPrime.

Examples of the types of data we process:
Depending on the services you provide to YPrime, YPrime may process the following types of data:

Identity and contact information, such as:
- First and last name, email address, postal address, phone number

Technical Information, such as:
- Internet Protocol (IP) address, browser type and browser language, device type and/or device ID, if the device is provided by YPrime, activity on our website or applications, data collected from cookies or other similar technologies.
Commercial information:
- Bank account information, tax information, including tax number
Professional and educational information:
- Job title or position, employer, work skills, degrees and certifications, specialized trainings and training records, performance metrics.
Anonymized / de-identified data:
- Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal data under data protection laws.

Where do we get the data?
We may get the personal data (1) directly from you; (2) from the devices you use; (3) from third parties; (4) data may be generated based on your interaction with YPrime.

Why do we process the data?

To provide the software/services to our customers
To communicate with you
To provide you training
To identify and authenticate you
To detect security incidents
To protect against malicious or illegal activity
To ensure the appropriate use of our software
To improve our software and services
For short-term, transient use
For administrative purposes
For quality assurance
For marketing, internal research and product development
For vendor assessment and qualification

YPrime’s role in the data processing:
YPrime is the entity responsible for the collection and use of your personal data (known in some jurisdictions as the “data controller”).

The legal basis of processing:

For the purposes of our legitimate interests
For other purposes that may be required or allowed by law
Your consent
To comply with a legal requirement
In preparation for or to perform a contract

Who receives the data?

YPrime, our affiliates, subsidiaries, and related companies
Our customers
Other vendors that assist us in providing our Services

8. Attendees at Events

We may process your Personal data if you attend professional events we sponsor or hold.

Examples of the types of data we process:

Identity and contact information, such as:
- First and last name, email address, postal address, phone number
Visual or audio information, such as:
- Still images, video (CCTV)
Professional and educational information:
- Job title, employer, employment history, certifications and education, responses to questionnaires
Anonymized / de-identified data
- Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified, and the information is no longer considered Personal data under data protection laws

Where do we get the data?
We may get the personal data (1) directly from you; (2) from our business partners; (3) from your employer.

Why do we process the data?

To communicate with you
To identify and authenticate you
To detect security incidents
To protect against malicious or illegal activity
To improve our software and services
For short-term, transient use
For administrative purposes
For quality assurance
For marketing, internal research and product development

YPrime’s role in the data processing:
YPrime is the entity responsible for the collection and use of your personal data (known in some jurisdictions as the “data controller”).

The legal basis of processing:

For the purposes of our legitimate interests
For other purposes that may be required or allowed by law
In preparation for or to perform a contract
To comply with a legal requirement
Your consent

Who receives the data?

YPrime, our affiliates, subsidiaries, and related companies
Other event attendees
Vendors that assist us in providing our Services

9. How We Share Personal Data

In addition to the third parties described under each category in the above sections, we may share personal data with the following categories of third parties to accomplish the purposes set out above and for the additional purposes set forth below.

To protect our legal rights or comply with legal requirements. We may disclose personal data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Sale or transfer of corporate assets. In the event of a merger, sale, joint venture or other transaction involving a transfer of our business or assets, we may transfer your information to other parties involved in the transaction. Any entity acquiring our data assets will do so with the express, written commitment to use the data only for authorized purposes, and to maintain a similar level of privacy and information security protection. You will be notified via email or notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
With your consent. We may disclose your personal information to other third parties with your prior opt-in consent.

10. Individual Rights

You may have a right under your jurisdiction’s data protection law to the following rights with respect to some or all of your Personal data:

To request access to your personal data (including under GDPR Article 15);
To request that we rectify or erase your personal data (including under GDPR Articles 16 and 17);
To request that we restrict or block the processing of your personal data (including under GDPR Articles 18, 21 and 22 and to object to the sale or sharing of your Personal data under other relevant laws);
To provide your personal data directly to another organization, i.e., a right to data portability (including under GDPR Article 20);
When we previously obtained your consent, to withdraw consent to processing (including under GDPR Article 21); and
To lodge a complaint with the data protection authority in your area.

We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. We may, after receiving your request, require additional information from you to honor the request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

When we receive your Personal data from our customers and process your personal data on their behalf, we do so in the capacity of a data processor. In such cases YPrime may need to contact the data controller and follow the data controller’s instructions.

To exercise these rights, please email privacy@yprime.com, or contact a YPrime HR representative, as the case may be.

11. Data Security

YPrime takes the security of personal data seriously. YPrime has internal policies and controls in place to reasonably protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed by unauthorized users. However, as is the case with all websites, applications, products, and services, we unfortunately are not able to guarantee security for data collected through our products and services. In addition, it is your responsibility to safeguard any passwords, PIN codes, or similar individual information associated with your use of our products and services.

Where YPrime engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.

YPrime recognizes potential liability in cases where personal data may be transferred to third parties. YPrime will not transfer any personal data to a third party without first ensuring that the third-party adheres to principles or similar laws providing an adequate and equivalent level of protection.

12. International Data Transfers

Your personal data may be transferred and maintained outside your state, province, country, or other jurisdiction where the privacy laws may not be as protective as those in your location, including the United States. We have put in place lawful transfer mechanisms and adequate safeguards, in accordance with applicable legal requirements, to protect your Personal data.

13. How long your personal data will be retained

We generally retain personal data for as long as needed for the specific business purpose or purposes for which it was collected. In some cases, we may be required to retain Personal data for a longer period of time by law or for other necessary business purposes. Whenever possible, we aim to anonymize the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the specified retention period.

When we act as a data processor, the retention period is determined by the data controller.

14. Cookies and similar technologies

YPrime uses cookies which are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website to improve users’ experience and for targeted advertising purposes. Cookies may expire at the end of your browsing session, or they may be stored on your computer ready for the next time you visit the website. You can prevent the setting of cookies by adjusting the settings on your browser (see your browser “Help” section for how to do this). Disabling cookies will affect how you experience our website.

15. Contact us

If you have questions or comments about this Notice or about how your personal data is processed, please contact us by via email to privacy@yprime.com.

16. Data Localization in China

YPrime complies with China’s Personal Information Protection Law (PIPL) and Cybersecurity Law (CSL) in the context of clinical research’s eCOA services, classified as handling “Important Data,” require a data localization strategy, which includes synchronization of eCOA device data to Chinese servers.

Conversely, YPrime’s IRT service has not been classified as “Important Data,” and therefore is not subject to data localization requirements under current Chinese regulations.

17. Supplemental Privacy Notice for US Residents

a. Your California Privacy Rights
Under California’s “Shine the Light” law, California residents who provide certain personally identifiable information in connection with obtaining products or services for personal, family, or household use are entitled to request and obtain from us (once a calendar year) information about the customer information we shared (if any) with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g., requests made in 2021 will receive information regarding 2020 sharing activities, if any).

To obtain this information, please send an email message to privacy@yprime.com with “Request for California Privacy Information” in the subject line and in the body of your message. We will provide the requested information to you at your email address in response.

Please be aware that not all information sharing is covered by the “Shine the Light” requirements, and only information on covered sharing will be included in our response.

YPrime respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. YPrime strives to collect, use and disclose Personal data in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.

Questions about this notice, or requests for further information, should be directed to privacy@yprime.com.

This notice may occasionally be updated. When material updates are made, the date of the last revision will be reflected at the end of the page.