DONOR PRIVACY NOTICE

Please take the time to read the following information carefully so that you fully understand our views and practices regarding your personal data and how we will use it.

BY REGISTERING AS A DONOR WITH US, YOU ACCEPT THE PRACTICES DESCRIBED IN THIS PRIVACY NOTICE

1. WHO DOES THIS PRIVACY NOTICE APPLY TO?

 This privacy notice applies to individuals who decide to register with us for the purposes of donating blood, blood derivatives and other bodily fluids for scientific or medical research purposes.

It is important that you read this privacy notice together with any other privacy notices we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data and what your rights are under applicable data protection laws including (without limitation) the UK’s Data Protection Act 2018, the UK’s General Data Protection Regulation and other relevant US data privacy laws (collectively referred to as Data Protection Laws). This privacy notice supplements other notices and privacy notices and is not intended to override them unless otherwise stated.

2. WHO ARE WE

This privacy notice is issued by the following list of BioIVT group controllers. Your controller is typically the BioIVT entity located in your country of residence or where you will be donating blood, blood derivatives and other bodily fluids as specified below, but may also include our parent company, BioIVT LLC (whose principal place of business is 123 Frost Street, Suite 115, New York, NY 11590):

When we refer to BioIVT, we, us or our in this privacy notice, we are referring to the relevant company within the BioIVT group responsible for processing your personal data as per the table above.

 If you have any questions regarding this privacy notice or believe we have breached any Data Protection Laws, please contact us at privacy@bioivt.com or write to us at the donating center relevant to your location (marked for the attention of our Data Protection Officer).

 3. ABOUT THIS PRIVACY NOTICE

 This privacy notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

 This privacy notice is effective on and from December 05, 2022. We may amend this privacy notice at any time, and whenever we do so we will notify you by posting a revised version on our website and/or emailing you.

 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at privacy@bioivt.com. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4. PERSONAL DATA WE COLLECT ABOUT YOU

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity of the individual has been removed (anonymous data).

 In connection with your registration/enrolment as a donor, we will collect, store, and use the following categories of personal data about you:

• your full name;
• your contact details including email address and phone number(s);
• your gender;
• the donor center location you choose;
• whether you are a new or returning donor;
• what you are interested in donating;
• information about you when you interact with us on social media platforms or access our social media content (the information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them); and
• any other information you are asked to provide on an appointment booking form (including how you heard about us and if you are a University student which University you attend) or that you voluntarily provide to us (including when attending a donor center).

If you enter any of our competitions, promotions or giveaways, or complete a survey or otherwise give us feedback, we will hold (as applicable) your name, email address, phone number, location, and any other details you give us (including the details you complete if you use a form on our website to contact us, the details you complete on entry, survey and feedback forms, and any other information you choose to give us). We will not collect any personal data about you if our surveys or feedback forms are being run on an anonymous basis.

 We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information about donor location to calculate the percentage of donors. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

5. HOW WE COLLECT PERSONAL DATA ABOUT YOU

We collect personal data about you through the enrolment/registration process, either directly from you or sometimes from the website, if you place an inquiry to donate or contact us for other purposes through the website.

6. HOW WE USE PERSONAL DATA ABOUT YOU

 We will use your personal data for the following legitimate interests (whether ours or a third party’s) and your interests and fundamental rights do not override those interests including (as applicable) to:

• communicate with you in relation to:
  • your registration/enrolment as a donor;
  • an existing scheduled appointment or to inform you about a cancellation or the need to reschedule an existing scheduled appointment;
  • other donation opportunities that you have expressed a wish to hear about or that we think might be of interest to you;
• send you important updates about changes in research conditions, contact information changes, operational changes;
• ensure we keep up-to-date records about you and to manage our relationship with you (including to notify you of any changes to this privacy notice);
• seek your feedback on, and help us to, improve, personalise and develop our donor services and products;
• understand donor demographics;
• determine additional products and services that would be of interest to our donors;
• measure donor satisfaction with our products and services;
• understand interactions with our brand;
• understand our donors;
• create and tailor marketing tactics and campaigns based on what we learn;
• send you information about promotional campaigns and other marketing content or sales follow-up calls (see Marketing and Notifications below);
• protect the rights, property or safety of BioIVT, our donors, customers, suppliers or others (we will also use your information where we are required by law to do so);
• deal with any issues, complaints or concerns that have been reported to us; and
• exercise legal rights and/or defend claims.

 Where we need to collect personal data in order for you to donate and you fail to provide that data when requested you may not be able to donate.

 We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at privacy@bioivt.com.

 We will use personal data you have provided to us when you enter any of our competitions, promotions or giveaways to perform the contract we are about to enter into or have entered into with you. We will also use your personal data to enforce any contract we enter into with you. Where we need to collect personal data under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, you may not be able to enter any of our competitions, promotions or giveaways.

 In some limited circumstances, we may also use your personal data in the following situations:

• where you provide us your consent (e.g. inclusion of your image in marketing collateral); and
• where we need to protect your interests (or someone else's interests).
  

 We will only share personal data with third parties (but only the minimum amount they need) in the following instances:

• our employees, contractors, consultants and agents (but their use shall be limited to the performance of their duties and in line with the reason for processing);
• other affiliates in the BioIVT group (acting as controllers or processors) who provide support and services in relation to our donor services and products;
• when information about you is processed by third parties (acting as processors or controllers) who we use to help provide donor services and products including suppliers and partners who work at our donor centers;
• when information about you is processed by third parties (acting as processors) who own, host and/or support software, tools, IT and related infrastructure that we use to enable us to provide our donor services and products including (without limitation):
  • customer relationship and donor management systems;
  • email, instant messaging, document/contract management and file-sharing;
  • email and SMS management and/or delivery;
• when information about you is processed by third parties (acting as processors or controllers) who provide services, software and tools in relation to marketing, advertising campaigns, marketing and business analytics, marketing strategies, marketing research, marketing content, social media, competitions, promotions, giveaways and/or surveys;
• when information about you is shared with (acting as controllers or processors):
  • professional advisers (acting as processors or controllers) including lawyers, bankers, auditors, and insurers who provide legal, banking, accounting and insurance services/advice to us;
  • our regulators and other authorities who require reporting of processing activities in certain circumstances;
  • potential buyers (and their agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes disclosed in this privacy notice;
• if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
• where we are required by law to do so; and
• our telephony suppliers (which would get to see phone numbers if we call you) and our broadband suppliers (which could see email addresses (but not the content of what you send us, if you encrypt it)) (acting as processors).

 To the extent required by law, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third party service providers who are processors to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

8. HOW LONG WE WILL RETAIN YOUR PERSONAL DATA

Your personal data is kept for so long as it is required for the purposes set out in this privacy notice, or as long as we are legally required or permitted to retain such information. When deciding how long to retain your personal data, we take into account our legal and regulatory obligations, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data described above, and whether we can achieve those purposes through other means. We may also retain your personal data to investigate or defend against potential legal claims in accordance with the limitation periods of countries where legal action may be brought.

 We are required to keep your donation records for up to 30 years in the UK and up to 10 years in the US. Some records may need to be stored indefinitely for legal and regulatory purposes. For example, if you have been permanently deferred from participating in our donation programs.

9. INTERNATIONAL TRANSFERS

 We may transfer your personal data to various jurisdictions to perform our obligations under this privacy notice and related agreements including (without limitation) countries in which we operate. The applicable data protection laws of those jurisdictions may differ from the data protection laws of your country and, in some cases, may not be as protective. Whenever we transfer your personal data outside your country, we will ensure a similar degree of protection is afforded to it as the data protection laws of your country. For example, if you are based in the UK or EEA, your personal data may be transferred to countries that have been deemed to provide an adequate level of protection for personal data by (as applicable) the UK Government or the European Commission. In other instances, we will ensure at least one other lawful safeguard is implemented, which may include the use of specific contracts approved by (as applicable) the UK Government or the European Commission.

 If you have questions about, or need further information concerning, international data transfers, please contact us at privacy@bioivt.com

10. YOUR RIGHTS

 It is important that the personal data we hold about you is accurate and current. Please contact us at privacy@bioivt.com if your personal data changes during your relationship with us.

 In relation to personal data that we hold about you, under applicable Data Protection Laws you may have the right to:

•  where we process your personal data based on your consent, to withdraw your consent easily and at any time;
• get access to your personal data that we hold and receive information about our processing of it;
• ask us to correct the record of your personal data maintained by us if it is inaccurate or to complete incomplete personal data;
• ask us, in certain instances, to erase your personal data or cease processing;
• object to us processing your personal data for direct marketing purposes (see Marketing and Notifications below);
• challenge us processing your personal data which has been justified on the basis of our legitimate interests;
• ask us, in certain instances, to restrict processing personal data to merely storing;
• ask us, in certain limited instances, to transfer your personal data to another online provider; and
• not to be subject to automated decision making (including profiling) in certain circumstances.

 Under applicable Data Protection Laws, you may have the right to make a complaint to your local data protection authority about our collection and use of your personal data. We would, however, appreciate the chance to deal with your concerns before you approach your data protection regulator so please contact at us privacy@bioivt.com in the first instance. The contact details for relevant data protection regulators are as follows:

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

 If you would like to exercise any of these rights, please contact us via privacy@bioivt.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 We try to respond to all legitimate requests within one calendar month (starting from the day we receive your request). Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 11. HOW WE PROTECT YOUR PERSONAL DATA

 To help protect the privacy of personal data you transmit, we maintain physical, technical, and administrative safeguards and, to the extent required by law, require the same of any third parties with which we share your personal data. We update and test our security technology on an ongoing basis. In addition, we train our staff about the importance of confidentiality and maintaining the privacy and security of your personal data.

 As you will be aware the transmission of information via the internet is not completely secure. Although we will take measures to protect your personal data as described above, no security measures are perfect, and we cannot guarantee the security of your personal data transmitted or otherwise provided to us; any transmission is at your own risk.

 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable data protection authority of a breach where we are legally required to do so.

 We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. To opt out of marketing communications, see Opting out below.

 Donation Notifications: We may, with your opt-in, contact you via SMS text message or email regarding your eligibility to donate either because the required wait period between specimen donations (e.g. whole blood) has ended, or because we have a special donation program for which we believe you may be qualified. We will not contact you for non-donation related items.

 Test Results: We may contact you, when required, to share information resulting from the viral testing done on blood/plasma that you have previously donated. Contacting you to provide you with the viral test information on your previous donation(s) is required by various governmental entities and you may not opt-out of it.

 Third-party marketing: We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

 Opting out: You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at privacy@bioivt.com any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us in relation to our donor services or products. Please note that if you ask us not to contact you by email at a certain email address, we will retain a copy of that email address on a “suppression list” in order to comply with your no-contact request.