Ottimo Pharma Ltd, Global Privacy Notice

Ottimo Pharma Limited, (“Ottimo”, “We”) understands your concerns regarding your privacy when it comes to your Personal Information (PI). We are a pharmaceutical development company conducting clinical research in several countries and, as laws relating to privacy and security of information may vary between countries and even individual states, we endeavour to align privacy practices with the highest standard global standards.

We may collect PI on the following:

• clinical trial subjects,
• employees, consultants, contractors, collaborators,  and healthcare professionals
• service provider,
• website visitors.

WHAT INFORMATION YOU WILL FIND HERE

This Global Privacy Notice informs you how we collect, use, maintain and disclose PI that could identify you.

Below is a summary of the information; you can read the document throughout or click on the links below to take you to the area most relevant to you.

• How, why, and the type of personal information we may collect about you, including:
  • Personal and business contact information
  • Health related data
  • Insurance information details
  • User information, cookies and similar technologies
• Any laws and regulations governing the processing of Personal Information (including those relevant to children)
• How we keep your data safe and secure
• Sharing personal information
• Data retention
• Data accuracy and minimization
• Your rights and choices about your Personal Information
• How to contact us or our representatives and regional specific statements
  
  • The United States of America and State Comprehensive Data Privacy Laws
    • U.S. State Privacy Rights
    • Washington’s My Health, My Data Act (MHMDA)
  • European Union and GDPR-like Data Privacy Laws
  • Other countries

Please be sure to read this Global Privacy Notice before submitting your PI to us so that you can make a fully informed decision as to whether you share your PI with us.

WHAT IS PERSONAL INFORMATION?

Personal Information (PI), or Personal Data, is information that can be used to identify an individual. It can be obvious things such as your first and last names, home address, email address, telephone number, and job title. However, it can also include information that can indirectly identify you; examples can include your user ID, login and password, profile picture, qualifications, organization name, industry sectors, or any other information which might reasonably be used in combination with each other to identify you.

It does not include information which is already in the public domain. Or if the disclosure is provided by law, such as in official documents.

Sensitive personal information is a subset of PI  and requires additional protection by us. This may include the following:

• Racial or ethnic origin
• Political, religious or philosophical beliefs and union membership
• Data concerning health
• Genetic data
• Biometric data that may uniquely identify you
• Identification numbers such as social security, driver’s license, state identification card or passport number
• Account details such as login, financial account information, or credentials allowing access to an account
• Precise geolocation
• Mail, e-mail and text messages (unless from our employees acting in their role with us)

How and what information is collected, and for what purposes

In general terms we collect personal Information:

• Directly from you, such as when you contact us, are enrolled in a clinical trial or apply for a position within our organization
• Through our website
• From health care organizations (e.g., physician practices, hospitals, clinics, pharmacies)
• From contract research organizations, clinical trial investigators, laboratories
• From government agencies or public records
• From third-party service providers, or business partners such as recruiters and employment websites
• From web research, social media and public sources
• The organizations with which you are employed or affiliated
• If you visit or interact with our clinical trial software or mobile apps or those services outside of a clinical research trial, we may collect information that identifies or is capable of being associated with you directly or indirectly from your operating system and platforms.
• From service providers, consultants/contractors for procurement of services

Personal and business contact information

We collect this information which you provide voluntarily via the website. This may be when you submit a query through, for example, the ‘Contact Us’ form, or when pursuing employment opportunities.

We may use this information:

• To communicate with you
• Providing you with information you request related to Ottimo
• Employment purposes such as processing a job application

In some areas the provision of PI is identified as necessary to complete the task you have requested, for example, requesting your contact details in order to respond to a query. However, the decision to submit any data is entirely voluntary, and we aim to provide you with knowledge and opportunities to determine to what extent you share your data with us and for what purposes.

If you decide to opt-in to email notifications on our website you will receive information that may include company news, updates, events, or financial information.

If, at any time, you would like to unsubscribe from email notifications, detailed instructions are included at the bottom of each email.

If you submit a job application via our website, or through other means, we will retain your information in line with our personal data retention policy, and it will be used in line with the sections relevant to you below.

HEALTH RELATED DATA

We may collect health related information, sometimes called Personal Health Information (PHI), only when it is voluntarily provided directly from you or someone who has your permission or a responsibility to do so, for example, your healthcare professional.

We may use this information for:

• Conducting clinical trials to develop new medicines and to show that those medicines are safe and effective.
• For employment purposes in certain countries and jurisdictions

Healthcare Professionals, employees, CONSULTANTS, CONTRACTORS, and service Providers

We may collect some or all of the following personal information about you:

• General information: name, postal and/or email address, phone number, date of birth and other information such as photographs, digital imagery and sound recordings, payment-related information, government issued identification (e.g., driving license, passport, tax identification number), agreements made with Ottimo.
• Professional information: such as a job title, educational information, professional qualifications, prescribing history, work experience, medical/professional licenses, curriculum vitae (CV), networks and affiliates, programs and activities participated in, publications authored or co-authored, awards, board memberships, professional conference, attendance at events and employment status.
• Assessment information: such as internal assessments, feedback and evaluations, classifications or performance ratings of your professional activities and outcomes.
• Financial information: such as your bank details so that we can pay you for your expenses, or other compensation, this could also include collecting information to validate or make claims for any required insurances.
• Other information: we may be required to collect and process other personal information as required by law. An example is financial disclosure information to comply with the U.S. Food and Drug Administration regulation, 21 CFR Part 54.

User information, Cookies and similar technologies

Cookies.  Our website uses cookies, tags, pixels, web beacons, and similar tracking technologies (“Cookies”) to provide, customize, evaluate, improve, and secure our website and services.

A Cookie is a small piece of text that is placed on your website browser when you visit a website. These include our own first-party Cookies as well as third-party Cookies of our service providers and marketing partners. Some Cookies are only stored temporarily and destroyed each time you close your web browser. Our website also uses persistent Cookies, which do not delete when you close your browser and may collect and store data for a set period of time after you’ve left our website. You can find out more about Cookies in general and how they work at Cookiepedia.

How We Use Cookies.  We use Cookies for the following purposes:

• Website Operation.   Cookies help us run our website securely and enable basic functions like page navigation.
• Performance and Analytics.  Cookies help us analyze how you interact with our website. This enables us to monitor and improve our website performance, services, and your experience.
• Advertisements.  Cookies may allow us to deliver advertisements that are meaningful to you. Our third party advertising partners may use the Cookies to build a profile of your interests, deliver relevant advertising on other sites, and measure the efficiency of the advertisements. For instance, we may use Google Analytics to analyze Site traffic and to improve our advertising efforts. To disable Google Analytics, please download the Google Analytics Opt-out browser add-on. You also have the option to opt out of Google’s use of cookies by changing your settings via Google’s advertising opt-out page.

How to Manage Cookies.  If you wish to prevent Cookies from tracking your activity on our website or visits across multiple websites, you can set your browser to block certain Cookies or notify you when a Cookie is set. If you block Cookies, certain features on our website may not work. For more information on how you can customize your browser’s Cookie setting please visit the link to your web browser below:

• Google Chrome
• Safari
• Internet Explorer
• Mozilla Firefox

You may opt-out of interest-based advertising in general by visiting the Digital Advertising Alliance’s or Network Advertising Initiative’s websites. You can also turn off ad personalization from Google. We are not responsible for the completeness, effectiveness, or accuracy of any third party opt-out options or programs.

Web log data.  When you use the Site, we automatically receive and record certain information from your computer (or other device) and your browser. This may include such data as your IP address and domain name, the pages you visit on the Site, the date and time of your visit, the files that you download, the URLs from the websites you visit before and after navigating to the Site, your software and hardware attributes (including device IDs), your general geographic location (e.g., your city, state, or metropolitan region), and certain cookie information (see above). To obtain such information, we may use web logs or applications that recognize your computer and gather information about its online activity.

Laws and regulations governing the processing of your Personal Information

Ottimo processes your PI only as permitted by law. In some areas (for example, the European Union) this means that we must define the legal basis as described below:

1. Some of the PI collected will be processed to meet legal obligations, for example, the legal obligation to report the safety of our products, or reporting in relation to the protection of health for employment purposes.
2. We may also use the PI collected for public interest purposes compatible with public health during the clinical trial but not specified within a specific legal obligation. In this instance there is potential for new knowledge about medical conditions; thereby improving the quality of life for a number of people. We will consider the reasonable expectations you have in allowing your information to be processed in relation to the clinical trial and ensure that the manner in which we collect and use the PI is proportionate to the aim pursued, respects the essence of the right to data protection, and we will provide suitable and specific measures to safeguard the fundamental rights and the interests of you as a data subject.

We will assess the balance of your interests with our own to ensure that we do not override yours. If we do, the reasons will be explained to you. (See the section labelled “YOUR RIGHTS AND CHOICES ABOUT YOUR PERSONAL INFORMATION”).

1. An additional basis for processing your PI would be our legitimate business interests, since it is our business to develop and commercialise our medical products.

As with the preceding points, we will consider  the reasonable expectations you have in allowing your information to be processed (it must be proportionate to the aim pursued, respecting your rights with regard to data protection and providing suitable and specific measures to safeguard them).

1. The processing of PI is in anticipation of entering into engagements or a contractual service with you or your institution or company.
2. As we outlined in the section on health information, consent may also be a legal basis for processing PI under global privacy laws and under the comprehensive privacy legislation that is applicable to some states in the U.S. This may also mean using your PHI where required for the vital interests of an individual or yourself.

Ottimo does not knowingly collect any PI from children under 13 years old through this website. However, if the parent or the guardian of a child under 13 believes that the child has provided us with Personally Identifiable Information, the parent or guardian of that child should contact us (See Contact Information).

Anyone under 18 years old should seek their parent’s or guardian’s permission prior to using or disclosing any PI on this website.

How we keep your data safe and secure

We take reasonable steps to protect your personal data as you transmit your information from your computer to our website. We protect it from loss, misuse and unauthorized access and disclosure, its alteration or destruction.

To do this we adopt appropriate data collection and processing practices, as well as employing security measures during data transmission and storage. We consider the nature, scope, context and purposes of processing, within the limits of current security principles and technologies.

You should keep in mind, however, that no internet transmission is ever 100% secure or error free. In particular, email sent to or from our website may not be secure, and you should therefore take special care in deciding what information you send to us via email.

Sharing personal information

With regards to PHI collected for use in clinical trials we may be legally required to share certain personal information if we are involved in legal proceedings or when complying with legal obligations, a court order, or the instructions of a government authority.

However, in most instances your PI will be ‘pseudonymized’ (i.e., we cannot identify you directly by name, address, or hospital number).

Your pseudonymized PI may be shared with:

• Healthcare regulatory authorities
• Commercial collaborators such as clinical research organizations that help us conduct our clinical trials, laboratories that we use to analyze how our drugs work, and authorized third parties (for example, if we sell a medicinal product for which you participated in the clinical trial)
• We may sometimes contract with third parties to supply hosted secure database services to us. In some cases, those third parties may require limited access to some of your personal information for the purpose of maintaining that information in the database.

For healthcare professionals, employees, consultants, contractors and service providers, we disclose individual information only as reasonably required to pursue our legitimate business aims or as required by law. Appropriate safeguards will be established, where possible, to protect your information.

If you are taking part in a clinical trial, we may also disclose your PI to third parties such as public/regulatory authorities/governmental bodies (including social and benefits departments), third parties that provide services to us (such as conducting audits, IT services, assisting in our clinical trials and studies, or health care compliance activities), business partners and collaborators (such as external scientists).

In addition, we may disclose personal information about you (a) if we are required or permitted to do so by law or legal process, for example due to a court order or a request from a law enforcement agency, (b) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (c) in connection with an investigation of suspected or actual fraudulent or other illegal activity, and (d) in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation).

Ottimo does not and will not sell, trade, or otherwise transfer to third parties your PI for their own direct marketing use unless it provides clear notice regarding this and obtains your explicit consent for your data to be shared in this manner.

With regards to the strictly necessary cookies outlined above, when you use our website you are accepting that your PI can be transmitted to our website hosting and editing partners and other sub-contractors who assist us in providing this service, so long as those sub-contractors undertake to process the information only according to our instructions and to comply with the applicable law regarding the protection of personal identification information.

INTERNATIONAL TRANSFERS

Ottimo does not transfer PI to any third-party country nor to any international organization, except when there is a comparative level of protection for your PI as in your own country and when suitable safeguards and transfer mechanisms are in place.

Data retention

Ottimo takes all reasonable measures to ensure that your PI is processed for the minimum period necessary for the purposes set out in this Privacy Notice and consistent with the reason(s) for which it was first collected. You may request a copy of our data retention policy

Under international and national regulations governing clinical trials, we are required to keep your personal information and study coded information for up to 25 years after the end of the clinical trial or according to our data retention policy.

After this period, your personal information will be irreversibly destroyed or retained for a further period if required by law.

PI obtained from healthcare professionals that is required to be kept as key documents under international and national regulations applying to clinical research will be retained for a period of 25 years following completion of clinical development.

For employees, consultants, contractors, and service providers, PI will be retained in accordance with our retention policy, which may be for a period of up to 10 years after the discontinuation of our business relationship with you where applicable laws or regulations require or allow us to do so. For further information, please contact us using the information provided below.

In general  we will retain other PI according to the following criteria:

• as long as Ottimo maintains an ongoing relationship with the you (e.g., where you are in receipt of our services, or you are lawfully included in a mailing list as you have not unsubscribed);
• as long as your PI is necessary in connection with the purposes set out in this Privacy Notice, and for which Ottimo has a valid legal basis as outlined above;
• with your prior consent, until the expiry of any additional retention period.

Data accuracy and minimization

We take reasonable measures:

• to ensure that your PI is accurately kept up to date; and
• that PI is collected only as needed in connection with the purposes set out in this Privacy Notice.

Your rights and choices about your Personal Information

If we process PI on you then you have the following rights:

• a right to be informed about what PI is being collected relating to you.
• a right of access to the PI collected about you;
• a right to modify and correct your PI;
• a right to oppose or restrict the processing of your PI;
• the right to erase your PI;
• and a right to portability of your PI.

However, for PI processed in relation to clinical trials your personal information is pseudonymized and we cannot identify you directly. Therefore, we recommend you contact your study doctor or healthcare institution if you wish to exercise the rights shown above. Additionally, if you should withdraw your consent to future processing, this would make it impossible for you to continue in the study. In this case, we have an legal obligation to process PI collected before your withdrawal.

Outside of a clinical trial, if you want to exercise one or more of your data you can ask us for details about the PI we have on you if any such personal information is held. This is known as a “Data Subject Access Request” (DSAR);

All DSAR and other rights requests should be made in writing and sent to: [email protected]. You can also request a form from us to help make your request.

There is not normally any charge for a DSAR and other rights requests. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding or we may refuse your request.

We will provide you with a written response to your request within 30 calendar days of the receipt of your request after having verified your identity. Should there be any delay due to your request being complex or there are multiple requests, we have a further 30 days to respond (we will notify you if that is the case, together with the reason).

We may refuse to comply with your request to enforce your rights where;

• the rights of other persons would be violated,
• where any other legal exemptions may apply,
• where your request is not legitimate or applicable,
• or where it is not in our legitimate interests to the extent allowed by the data protection laws.

If we refuse to comply, we will explain to you our reasons for doing so.

However, if you still feel that your personal information has not been handled appropriately according to the law, you can contact a Data Protection Authority and file a complaint with them.

HOW TO CONTACT US

Ottimo Pharma Limited, is a company registered in England & Wales, with a registered office at c/o Kreston Reeves LLP Innovation House, Ramsgate Road, Sandwich, CT13 9FF United Kingdom.

We can be contacted –

• +1 617 693 7383
• By email at [email protected]
• By postal mail to one of the addresses above.

REGION SPECIFIC

California Consumer Privacy Act

If you are a U.S. resident, certain jurisdictions may grant you rights related to your personal information, including, e.g., the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”) (collectively referred to as “State Privacy Laws”).

The State Privacy Laws grant you rights.

You may be able to request information about how we have collected, used and shared your personal information.

• Access. You may be able to request a copy of the personal information that we maintain about you and to know what data we collect.
• Deletion. You can ask us to delete the personal information that we collected or maintain about you, subject to certain exceptions.
• Correction. You may have the right to request the correction of inaccurate information collected.
• Opt-out. You may have the right to opt out of any sale, sharing, or targeted advertising as defined in State Privacy laws if such sale / sharing / targeted advertising is occurring.
• Appeal. You may have the right to appeal a refusal to take action on a request by contacting us at [email protected].

You are entitled to exercise the rights described above free from discrimination. Please note that State Privacy Laws may limit these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. If we deny your request, we will communicate our decision to you.

The CCPA requires employers to inform individuals who reside in California about the employment-related personal information (PI) collected by the employer and how that data is used. Covered individuals can include applicants, employees, dependents and independent contractors.

Much of the personal information that Ottimo collects in the course of our business operations is not subject to the CCPA:

• Where we collect personal information as a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”), this information is not subject to the CCPA.
• Where we collect and maintain information in connection with clinical trials, this data is subject to clinical trial protocols and informed consents executed by individuals participating in these clinical trials and is not subject to the CCPA.
• In addition, we collect information that has been de-identified according to the HIPAA rules or other frameworks that is not “personal information” under the CCPA.

If you are a U.S. resident living in a jurisdiction covered by a State Privacy Law or a California employee and wish to request us to provide you with your rights, you may submit a request to us using the details under ‘HOW TO CONTACT US’.

You may also designate an authorized agent to submit a request on your behalf. To designate an agent, please also send us a written and signed document by both you and the agent that authorizes the agent to act on your behalf. You may also use a power of attorney. Please note that we will still require you to provide sufficient information to allow us to reasonably verify that you are the person about whom we are receiving a request.  We may also need to verify the identity of your agent.

If you have implemented an opt-out preference signal (sometimes known as a global privacy control) through your browser or device, we will treat that opt-out preference signal as a valid request of your Right to Opt-out. Once we recognize the opt-out preference signal on our Services, we will automatically apply your right to opt-out of sale and sharing to the browser or device through which we recognize the signal. The Services respond to opt-out preference signals in a frictionless manner (i.e., you do not need to take any additional steps for your opt-out preference signal to be recognized).

Ottimo declares that, to the best of its knowledge, it is in compliance with its Comprehensive Compliance Program and with the California Health and Safety Code 119400 -119402.

Washington’s My Health, My Data Act (MHMDA)

Section 12 of Washington’s My Health My Data Act (the “Act” or “HB 1155”) contains statutory exceptions for research activities pursuant to;

• the good clinical practice guidelines issued by the International Council for Harmonization (“ICH”) or under the FDA’s regulations governing informed consent and Institutional Review Board (IRB) requirements
• health care information collected, used, or disclosed in accordance with laws that permits health care providers and health care facilities’ disclosure of adverse events and
• data covered by the Health Insurance Portability and Accountability Act (“HIPAA”).
• and PI that has been de-identified in accordance with HIPAA.

Ottimo does not knowingly collect any health information with regards to reproductive or sexual health outside of clinical trials. Nevertheless, the rights provided to you outlined above will ensure that your data is protected under this act and Ottimo confirms it will not sell or share your health information with law enforcement authorities unless legally compelled to do so.

Health Insurance Portability and Accountability Act (HIPAA)

In response to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the United States Department of Health and Human Services (HHS) issued regulations entitled Standards for Privacy for PHI for covered entities, known as the Privacy Rule.

These covered entities include physicians and other health care professionals that process and share PHI such as information in a patient’s medical chart or a patient’s test results as well as other identifiable health information relating to the relevant clinical research gathered by a covered health care provider when conducting clinical trials.

HIPAA permits a covered entity to use or disclose PHI for research with your written permission and when PHI has been de-identified in accordance with the standards set by the Privacy Rule.

EUROPEAN UNION

Further information about your rights in Europe can also be obtained from your national Data Protection Authority or the Supervisory Authority. A list can be found here: https://ec.europa.eu/digital-single-market/en/news/list-personal-data-protection-competent-authorities. In the UK, the Data Protection Authority is the Information Commissioner’s Office (https://ico.org.uk/make-a-complaint/).

You additionally have a right to lodge a complaint with the supervisory authority from your country of residence, or from the country where you are located when the PI is collected.

BRAZIL

For the purpose of the Brazilian data protection legislation, Ottimo’s Data Protection Officer’s details are as follows:

Name: Dr Michael Bowden

Address: Pharma Data Protection SARL, 1 La Cour, 50210 Belval, France

Email: [email protected]

Changes

Because this policy is subject to change without notice, you should check this Global Privacy Notice regularly for any changes.

Data Retention

Ottimo will revise the “last update date” at the bottom of this page. Users acknowledge and agree that it is their responsibility to review this Global Privacy Notice periodically and become aware of modifications.

This Privacy Notice is applicable from May 13, 2026.