Privacy Policy

Last update: 03/15/2024

This “Privacy Policy” explains how we collect, use, protect, and treat the personal information and user data of people using the https://www.massivebio.com website and its affiliate websites (“Website”), and services provided there, Synergy-AI Clinical Trial Finder and Cancer Quiz mobile applications (“Mobile Apps”), Clinical Trial Matching, Virtual Tumor Board, Clinical Network, Drug Utilization Optimizer (“DUO”), Real World Data and other online and off-line applications (“Platforms”), including cancer patients (“you” / “your”), your oncologists, referring physicians, primary investigators and clinic staff, expert oncologists who evaluate your case history and identify options for treatment or clinical trials. From now on, collectively, Website, Mobile Apps, and Platforms are noted as “Solutions”.

The Solutions are operated by Massive Bio, Inc. and Massive Bio Yazılım Dijital Sağlık Teknolojileri A.Ş. (“Company”, “we”, “us” or “our”). Massive Bio is a data analytics firm that provides a medical second opinion and clinical trial matching by evaluating a cancer patient’s existing clinical information, leveraging our proprietary artificial intelligence platform, and providing consulting services to the patient’s oncologists by identifying and explaining treatment options that best fit the patient’s medical profile, treatment objectives, and resources (collectively, the “Services”).

This Privacy Policy covers only information and data collected or processed through the Solutions and not any other information or data collected or processed by third parties who provide products and services in connection with our Solutions, and Services such as health plan administrators, patient assistance administrators (“Service Providers”), or to third-party web pages, or websites, solutions, products, or services to which we link that do not display this Privacy Policy. We are not responsible for the content or privacy practices of other websites, solutions, or online or mobile services. Each user signifies the data practices described in this Privacy Policy and our Terms of Use by using the Solutions.

We have revised our Privacy Policy to comply with the GDPR, HIPAA, PIPEDA, Data Protection Act, LGPD and the local, state, and national legislation where the Company conducts an activity, informing individuals whose personal information we process why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their data.

THE COMPANY IS NOT A MEDICAL PROVIDER, NOR IS IT A “COVERED ENTITY” SUBJECT TO STATE OR FEDERAL LAWS GOVERNING THE PRIVACY OF MEDICAL RECORDS OR INFORMATION, INCLUDING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, COMMONLY REFERRED TO AS “HIPAA”.

I. INFORMATION WE COLLECT

1. Personally identifiable information

Our Solutions and our Service Providers only collect personally identifiable information (“PII”, also referred to as personal data or personal information in some jurisdictions) for our purposes as set out in the next section II. THE CATEGORIES OF PII WE COLLECT FOR OUR PURPOSES AND THE APPLICABLE LEGAL BASIS FOR OUR DATA PROCESSING. Collection of PII occurs if you register for an appointment on the Solutions, subscribe to a newsletter, tweet to us, or use other features and resources on the Solutions. You may visit our Site anonymously, but that may prevent you from accessing certain features or Services or Solutions.

A. Your patient profile

B. Health provider profiles

C. Service Provider profiles

Medical Information Released to Company:

  • Through EMR platforms APIs
  • Through EMR platform online pages shared by you
  • Through EMR platform online pages accessed by Company’s corporate accounts with your authorization to see your PII
  • Through emails, SMS, any chat application, WhatsApp or other means of communication channels

2. Protected Health Information and Sensitive Personal Information

We will collect and store sensitive personal information and data about you.

3. Non-Personally Identifiable Information

Our Website, Solutions, and Service Providers may also collect non-personally identifiable (anonymous) information (“Non-PII”) from visitors, including cancer patients, health care providers, staff, clinical staff, oncology experts, data analysts, and health plan administrators. Non-personally identifiable information is any information that cannot be directly or indirectly associated with you.

4. Cookies

“Cookies” are short computer codes known as cookies, web beacons, and other technologies that collect and store both PII and Non-PII when you visit our Solutions, or share Website content or solutions through a social media account. The following are examples of information we or third-party service providers collect with cookies:

  • Cookies that may uniquely identify your browser session and the other websites and solutions you have visited
  • Browser type and operating system
  • Hardware settings
  • Date and time of visit
  • Website pages you visited
  • Web page that referred you to Company
  • Web pages you visit after leaving the website

5. Social Media

We may collect information through our presence on social media and networking platforms. You may use social networks or other online services to sign into the Solutions. When you do so, information from those services may be made available to us. By associating a social network account with the Solutions, we may collect your PII, such as your username and email address.

6. Patient Representatives

A patient can give written, verbal or SMS authorization for a person (for example, a solicitor or relative) to make an application on their behalf. We may withhold access if we are of the view that the patient authorizing the access has not understood the meaning of the authorization. The authorization is only good for 90 days and requires a recording.

Next of kin

Despite the widespread use of the phrase ‘next of kin,’ this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to sharing information on a patient’s behalf. A next of kin has no right of access to medical records.

Court Representatives

A person appointed by the court to manage the affairs of a patient who is incapable of managing their own affairs may make an application. Access may be denied where, in the General Practitioner’s opinion, the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.

7. Information about You from Other Sources

We collect personal information about you on the Solutions, and from other sources, including data from your oncologists, oncology practice staff, clinical staff, health claims administrators, and patient benefits organizations. We may combine all information we collect about you to provide Services to you, including data analysis for identifying testing and treatment options and, when de-identified, for our research efforts and to improve our Services and Solutions.

II. THE CATEGORIES OF PII WE COLLECT FOR OUR PURPOSES AND THE APPLICABLE LEGAL BASIS FOR OUR DATA PROCESSING

1. Depending on where you live, how you interact with us, and how we may interact with certain Service Providers, we may collect personal information (PII) about you as set out in the ‘personal information’ column below. You will also find below the purpose of the processing and (for the EEA, UK, Canada, and other countries) the legal basis we rely on for each type of PII that we process about you.

Personal information: Patient profile data, such as:

  • First and last name
  • Home address
  • Home telephone number
  • Cancer diagnosis
  • Health insurance account numbers
  • Medical history
  • Cancer screenings
  • Cancer history and treatments
  • Pathology reports
  • Your diagnostic images
  • Your clinical information and data

Purpose(s): We use your patient profile data to:

(i) communicate with you and your oncologist about our Services;

(ii) register you as a patient;

(iii) collect data for patient profile;

(iv) interpretation of genetic profiling data to provide a range of treatment options for difficult or complex cases;

(v) determine patient eligibility for assistance programs for certain out-of-pocket health care costs;

(vi) submitting requests to your health insurer for reimbursement purposes; and

(viii) provide: (a) the Services; (b) guidance and recommendations regarding an array of treatment options ranging from standards of care to experimental treatments; (c) clinical data to support the use of off-label medications; (d) range of various clinical trials appropriate for and convenient to you; and (e) consulting and remote access to bioinformatics and molecular expertise to support your patient presentations at tumor boards.

Legal basis (EEA / UK / Canada / Other Countries): Necessary for the purpose of our legitimate interests to provide access to the Solutions, provide the Services, maintain an adequate profile administration; and

Insofar as it regards health-related data: Consent, both as the legal basis (article 6 (UK) GDPR) and as the exemption to process special category data (article 9 (UK) GDPR). Relevant national rules and regulations.

In compliance with the regulations of the European Economic Area (EEA) and Canada, and as outlined in sections 10 and 11 of the Terms and Conditions, we ensure adherence to applicable laws governing data processing and privacy protection.

Personal information: Health provider data, such as:

  • Oncologist first and last name
  • Oncologist email address
  • Oncologist employer
  • Oncologist address
  • Oncologist telephone number
  • Oncologist’s notes

Purpose(s): We use health provider data to:

(i) communicate with health provider;

(ii) register you as health care provider staff, expert oncologist, or practice administrators that assist or support patients.

Legal basis (EEA / UK / Canada / Other Countries): Necessary for the purpose of our legitimate interests to interact with health providers, to register and to provide the Services to patients.

Personal information: Service Provider Data, such as:

  • Service Provider first and last name
  • Service Provider email address
  • Service Provider employer
  • Service Provider address
  • Service Provider telephone number
  • Service Provider work product

Purpose(s): We use Service Provider data to:

(i) communicate with (potential) Service Provider;

(ii) assess and accept a (potential) Service Provider;

(iii) conclude and execute an agreement with the Service Provider.

Legal basis (EEA / UK / Canada / Other Countries): Necessary for the purpose of our legitimate interests to effectively manage our relationships with Service Providers, to interact with (potential) Service Providers.

Personal information: Cookies

Purpose(s): Please see our cookie notice.

Legal basis (EEA / UK / Canada / Other Countries): Please see our cookie notice.

Personal information: Social media data, such as: username, email address.

Purpose(s): For providing access to your patient profile via your other (social media) profile(s) / account(s).

Legal basis (EEA / UK / Canada / Other Countries): Necessary for the legitimate interest of offering you multiple options to access our Solutions and use other (social media) accounts to sign into our Services and Solutions.

Please be aware that:

  • Loss, misuse, modification, or unauthorized access of your PII, including in particular Sensitive Personal Information can adversely affect your privacy or welfare depending on the level of sensitivity and nature of the information.
  • You may refuse to provide your protected health information to Solutions, but you and your health care providers will not be able to use our Services.
  • We do not use cookies that store your Sensitive Personal Information or profile you based on your Sensitive Personal Information.

2. SMS/MMS Mobile Messaging

We respect your privacy. We will only use your PII to transmit your mobile messages and respond to you if necessary. This includes, but is not limited to, sharing PII with platform providers, phone companies, and other vendors who assist us in the delivery of mobile messages.

WE DO NOT SELL, RENT, LOAN, TRADE, LEASE, OR OTHERWISE TRANSFER FOR PROFIT ANY PHONE NUMBERS OR CUSTOMER INFORMATION COLLECTED THROUGH THE WEBSITE OR THE SOLUTIONS TO ANY THIRD PARTY.

Nonetheless, we always reserve the right to disclose any information as necessary to satisfy any law, regulation, or governmental request, avoid liability, or protect our rights or property (see Section III of this Privacy Notice) in accordance with applicable data protection laws. When you complete forms online or otherwise provide us PII connected to the Services, you agree to provide accurate, complete, and true PII. You agree not to use a false or misleading name or a name that you are not authorized to use. If, in our sole discretion, we believe that any such information is untrue, inaccurate, or incomplete, or that you have opted into the program for an ulterior purpose, we may refuse you access to the program and pursue any appropriate legal remedies.

We, Service Providers and any third-party agency acting on our behalf may communicate with you and record calls or any communication at such number(s) by phone call, voice message, internet-to-phone message, SMS text message, interactive voice recordings using auto-dial systems, or prerecorded artificial or voice messages (“Communications”) regarding orders, delivery updates, requests for transactional feedback, and other informational purposes.

Standard message, data, voice, or other rates may apply from your landline, mobile service, or wireless device carrier for communications you receive.

You may also call 1-844-627-7246 to get help at any time.

You may send any of the following messages in response to an SMS text message to opt out of receiving further SMS text messages from Company: “Stop” or “Unsubscribe.” After sending one of these messages, you might receive one final SMS text message as confirmation of your opt-out request.

Additional terms and conditions may be provided to you in the future (e.g., as part of an opt-in confirmation text message), and such terms and conditions will supplement and not replace these terms.

You further represent and warrant that you are the subscriber for the phone number(s) provided, and you possess the phone(s) associated with such number(s). You agree to notify us if your phone number(s) changes or you no longer possess the phone(s) associated with such number(s).

BY PROVIDING YOUR TELEPHONE OR CELL PHONE INFORMATION, YOU KNOWINGLY AND VOLUNTARILY AGREE TO INDEMNIFY, DEFEND, AND HOLD COMPANY, ITS PARENTS, SUBSIDIARIES, AFFILIATES, PREDECESSORS, SUCCESSORS, AND ASSIGNS, AND EACH OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AND AGENTS, HARMLESS FROM AND AGAINST ANY AND ALL LOSSES, COMPLAINTS, DEMANDS, CLAIMS, CAUSES OF ACTION, LIABILITIES, COSTS, JUDGMENTS, DAMAGES, FINES, PENALTIES, COMPENSATION, ATTORNEY’S FEES, AND EXPENSES OF ANY KIND, INCLUDING ANY AND ALL TYPES OF INJURIES OR DAMAGES SUFFERED BY YOU, WHICH ARISE AS A RESULT OF (OR ARE RELATED TO) THE COMMUNICATIONS. YOU KNOWINGLY AND VOLUNTARILY AGREE NOT TO USE OR CAUSE ANY LAWSUIT, COMPLAINT, CLAIM, OR CHARGE TO BE FILED ON YOUR BEHALF AGAINST COMPANY OR ITS VENDORS CONCERNING ANY SUCH DAMAGES.

Wireless carriers are not responsible for delayed or undelivered messages, which may occur due to factors outside carriers’ control.

3. Links to Other Websites

The Website includes links (the “Linked Sites”) to other websites. In providing access to these Linked Sites, the Company is by no means endorsing the products or services on these Linked Sites. The Company is not responsible for the privacy practices or the content of the Linked Sites at this moment, and it expressly disclaims all responsibility and liability associated with the use of the Linked Sites. We recommend that you review the privacy statements posted on those sites to understand their procedures for using and disclosing personal information.

III. WHEN DO WE SHARE INFORMATION?

1. Service Providers

We may transfer personal information to Service Providers such as outside contractors, auditors, consultants, or others hired by the Company to assist in providing financial or operational activities on the Company’s behalf, including technical and processing Services and analysis of Website performance.

2. Legal Requirements

Under certain circumstances, to comply with laws, regulations, judicial or other government subpoenas, warrants, or orders, we may disclose your personal information to respond to any government or regulatory request.

We may transfer PII to other third parties if we receive your permission or we are required to do so by law, or we have a good faith belief that such disclosure is necessary to comply with a current judicial proceeding, a court order, a legal process served on the Company or to resolve any potential fraud or perceived irregularity in any audits of the accuracy of any documentation or information submitted to the Company by you or on your behalf, as deemed appropriate by the Company.

We take precautions to safeguard your personal information against loss, theft and misuse and unauthorized access, disclosure, alteration, and destruction through the use of appropriate technical and organizational measures including encryption technologies for data in transit and data at rest. Your personal information may be stored and processed in your region or another country where the Company and their service providers maintain servers and facilities. We take steps, including through contracts (such as the EU Commission approved Standard Contractual Clauses), to ensure that the information continues to be protected wherever it is located, in a manner consistent with the standards of protection required under applicable law.

3. Transfers of Business Assets

If the Company goes through a transaction, such as a merger, being acquired by another entity, bankruptcy, or selling all or a portion of its assets, your PII may be part of the business assets transferred. We cannot assure that you will be notified in advance of the transfer, if any, of your PII in connection with any such transition or transfer.

4. Protection of Company and Others

We reserve the right to access, read, preserve, and disclose any information that we reasonably believe is necessary to comply with law or court order; enforce or apply our conditions of use and other agreements; or protect the rights, property, or safety of our Company, employees, users, or others. This includes exchanging information with other companies and organizations for fraud protection and data breach risk reduction.

5. Aggregate or Anonymous Information

We may share your PII and user data in aggregate or anonymously: to improve our Services, communicate with Service Providers and other third parties, and in our annual report and marketing materials.

6. With Consent

Except as set forth above, you will be notified when PII may need to be shared with third parties and will be able to prevent the sharing of this information.

7. How we use Non-Personally Identifiable Information (Non-PII)

We also use Non-PII to monitor and improve our Services and Website quality, and for data research and statistical purposes. We use Non-Personally Identifiable Information in consulting Services to other users, for research, and to share, lease, or sell our data and analysis to patient assistance programs, clinical laboratories, cancer screening providers, pharmaceutical manufacturers, and oncologists for improvement of their professional services, screening, and treatment products, and to educate the public about the Services we provide.

IV. HOW DO WE MANAGE CHILDREN’S DATA?

Children of 16 years or over

Subject to local laws, if a mentally competent child is 16 years or over, they are entitled to request or refuse access to their records. If any other individual requests access to these records, the Company should first check with the patient that he or she is happy for them to be released.

Children Under 16 Years

Unless otherwise provided by local laws, individuals with parental responsibility for an under 16-year-old will have a right to request access to those medical records. A person with parental responsibility is either:

  • the birth mother, or
  • the birth father (if married to the mother at the time of child’s birth, or subsequently) or,
  • an individual given parental responsibility by a court.

If the appropriate health professional considers that a child patient is Gillick competent (i.e., has sufficient maturity and understanding to make decisions about disclosure of their records), the child should be asked for their consent before disclosure is given to someone with parental responsibility.

If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, its mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. However, this may not be possible in practical terms, and both parents should be aware of access requests unless there is a good reason not to do so.

In all circumstances, good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.

V. HOW WE PROTECT AND RETAIN YOUR INFORMATION

We take security measures to protect against unauthorized access to, or unauthorized alteration, disclosure, or destruction of, data. These include secure socket layers, firewalls and encryption, internal reviews of our data collection, storage and processing practices, security measures, and physical security measures to guard against unauthorized system access. However, because the internet and mobile web are inherently insecure, no information system is 100% secure, and even the most secure system can be compromised; we cannot guarantee security. If we retain PII on our systems or the cloud, we restrict access to PII to employees, contractors, and agents who need to know that information to operate, develop, or improve our website, solutions, and services. These individuals are bound by confidentiality obligations and, if they fail to meet these obligations, may be subject to discipline, including termination.

We do not keep your PII any longer than necessary for the processing purposes. We retain your personal information for as long as necessary to provide the Services and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting, and preventing fraud and abuse, and enforcing our agreements. Where no specific legal requirement exists, Massive Bio will retain the data for no longer than ten (10) years, unless a shorter period is justified. This period is subject to regular review and may be adjusted to comply with changes in national laws and GDPR guidance. Massive Bio will also ensure that all data subjects are informed about their rights regarding their personal data, including the right to access, rectification, and erasure as per GDPR regulations. We delete and destroy individual records of PII and all Non-PII according to the Schedule below.

Retention Period

  • Patient profile data: Eight years after collection.
  • Health provider data: Two years after the end of the relationship.
  • Service Provider data: Two years after the end of the relationship.
  • Cookies: Please see our Cookie Notice.
  • Social Media data: Eight years after collection.

We may retain your PII for the establishment, exercise or defense of legal claims. Also, we may retain your PII to make it available to the supervisory authority, investigative authority, courts, or other governmental body for the period specified by the law.

We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction and have several layers of security measures, including:

SSL, access controls, password policy, encryptions, pseudonymization, practices, restriction, IT, authentication, VPN, firewalls, token management.

VI. HOW TO CONTROL AND CORRECT YOUR INFORMATION

The Solutions uses cookies which collect user data as disclosed in Section I and Section II, as set out in our Cookie Notice. You may accept or decline cookies. Most browsers automatically accept cookies. You may elect not to provide users with our Service Providers or providers by following the opt-out procedures set forth below, but you may not be able to access some of our Services.

1. Correcting Your Personal Information

To gain access to the personal information you collected online and keep it accurate, complete, and current, or to request deletion, you may contact us at compliance@massivebio.com. In some cases, where we are required to retain information by law or regulation to continue to manage a service you have requested, to ensure that we honor your preferences, or for other necessary business purposes, we may not be able to delete certain personal information about you.

2. Control: Your Choices

You have several options to control how your data is shared and used after you have provided it.

You choose:

  • To store or discard the records you provide to us, and the reports returned to you based on the results of your documents.
  • Clinical Trials Matching report(s) you view or opt-in to view.
  • When and with whom you share your information, including your caregivers, family members, approved family members, health care professionals, or others outside our Services.
  • To delete your Massive Bio Clinical Trial Matching account and data at any time.

Everyone has the rights below by applying to Company:

  a) Learning whether PII is processed or not,
  b) If PII has been processed, requesting information about it,
  c) The purpose of processing PII and whether the purpose of learning uses them,
  d) To know the third parties to whom PII is transferred in the country or abroad,
  e) To request the correction of their data in case of incomplete or incorrect processing of PII,
  f) Deletion or destruction of PII within the framework of the applicable laws,
  g) To request notification of the transactions made under subparagraphs (d) and (e) to third parties to whom PII has been transferred,
  h) Object to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  i) Request the compensation of the damage in case of loss due to unlawful processing of PII.

3. Accountability for Onward Transfers

We will not disclose your PII to unaffiliated third parties without first receiving your permission unless it is required by national security or law enforcement authorities. In cases of onward transfer to third parties of data of EU individuals, we are liable for appropriate onward transfers of PII to third parties.

4. Enforcement

Company adheres to the Privacy Shield Principles. Company has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification, please visit https://www.privacyshield.gov/.

Company has further committed to refer unresolved Privacy Shield complaints to USCIB (United States Council for International Business), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.uscib.org/privacy-shield/ for more information or to file a complaint. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Binding Nature of Decisions at https://www.privacyshield.gov/article?id=D-Binding-Nature-of-Decisions.

Company has an ongoing process to review how we’re meeting the Privacy Shield promises, and we provide an independent way to resolve complaints about our privacy practices. Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

In light of the judgement of the Court of Justice of the EU in Case C-311/18 (Schrems II), Company no longer relies on the EU-U.S. Privacy Shield Framework as a legal basis for transfers or safeguard of PII from the European Union to the United States of America.

Our company adheres to the EU–U.S. Data Privacy Framework (EU–U.S. DPF), which provides reliable mechanisms for personal data transfers from the European Union, United Kingdom, and Switzerland to the United States. We have self-certified our commitment to these principles, ensuring data protection consistent with EU, UK, and Swiss law. In case of any conflict, our adherence to the EU–U.S. Data Privacy Framework takes precedence.

5. Learn More about Cookies, Web Beacons, and Other Technologies

To learn more about cookies, including how to refuse cookies on your computer by adjusting web browser settings, follow these links:

  • All About Cookies: www.allaboutcookies.org/cookies/
  • Google: www.google.com/analytics/learn/privacy.html
  • Google Chrome: http://www.google.com/chrome/intl/en/more/privacy.html
  • Microsoft Internet Explorer: www.microsoft.com/info/cookies.htm
  • Mozilla Firefox: http://support.mozilla.com/en-US/kb/Options+window+-+Privacy+panel
  • Flash: www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

6. Limitation of Liability

YOU UNDERSTAND AND AGREE THAT ANY DISPUTE RELATING TO THE SOLUTIONS OR YOUR USE OF THE SOLUTIONS, INCLUDING BUT NOT LIMITED TO A DISPUTE OVER PRIVACY, IS SUBJECT TO THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY AND THE COMPANY’S TERMS OF USE (INCLUDING ANY INDEMNIFICATION AND LIMITATIONS ON DAMAGES CONTAINED THEREIN). A LINK TO THESE TERMS OF USE CAN BE FOUND AT THE BOTTOM OF THE HOME PAGE OF THE WEBSITE AND LINKS EMBEDDED IN VARIOUS SECTIONS IN SOLUTIONS.

7. Unavailability of Solution or Services

The Company reserves the right to alter, suspend or discontinue the Solutions or Services for any reason without notice or cause. The Solutions or Services may be temporarily unavailable due to computer equipment maintenance or malfunction.

VI. AGREEMENT: CHANGES TO THIS PRIVACY POLICY

By using the Solutions or Services, you acknowledge that you have read the data practices described in this Privacy Policy. You agree that your visit and any dispute over privacy are subject to our Terms of Use, including, without limitation, provisions regarding limitations on Company liability and application of the laws of the State of Delaware. The Company may periodically update this Privacy Policy in response to new technologies, changes in applicable laws, or for any other reason in the Company’s sole discretion. If we decide to change this Privacy Policy, we will post those changes here so you will always know what information we gather, how we might use it, and whether we will disclose it to anyone. Please review this Privacy Policy periodically to stay informed of any changes. You can tell when this Privacy Policy was modified by looking at the “Last Updated” legend at the top of the page.

VII. LOCAL PROVISIONS

1. Local provisions: California

If you are a California resident, the following applies in addition to the remainder of this Privacy Policy:

  • Your California Privacy Rights. Under California Civil Code Section 1798.83, California residents who have an established business relationship with us have the right to request that we provide specific information regarding disclosing their personal information to third parties for their direct marketing purposes during the immediately preceding calendar year. You may send your request for such information to compliance@massivebio.com. Requests shall only be accepted via this email address. We are not responsible for requests made over the telephone or any other means.
  • California Online Personal Privacy Act Disclosures
    • When you visit our Solutions, our Service Providers may drop a cookie on your browser to remember your preferences and collect analytical data about your visit. The Solutions does not employ technology to track you across multiple Solutions, or override the privacy settings in your web browser or Services.
    • Our Service Providers do not track Website visitors across multiple Websites or override the privacy settings in your web browser. If you access our social media sites from the Website or the Solutions, be aware that the social media platforms may track you across multiple Websites and disregard the privacy settings in your web browsers.

2. Local provisions: European Union

If you are based in the European Union, the following applies in addition to the remainder of this Privacy Policy:

  • GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • The use of ‘PII’ in this Privacy Policy has the meaning of ‘personal data’ under the GDPR.
  • If we share your personal data with our group companies or third parties located outside the European Economic Area, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, particularly by signing the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR). You can find more information about the Standard Contractual Clauses here.
  • Below, we set out your data protection rights under the GDPR in more detail and give information on how you can exercise them. Most of these rights are not absolute and are subject to exemptions in the law. We will respond to your exercise of right request within one month but have the right to extend this period in certain circumstances. If we extend the response period, we will let you know within one month from your request. If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply with it in such circumstances.
    • Access your personal data. You are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you.
    • Request the transfer of your personal data. We will provide to you or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note, this right applies to the personal data you have provided to us and only if we use your personal data on the basis of consent or where we used your personal data to perform a contract with you.
    • Request erasure (deletion) of your personal data. You are entitled to ask us to delete or remove personal data in certain circumstances. There are certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with legal claims. When we need to rely on an exemption, we will inform you about this.
    • Request correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
    • Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
    • Object to our processing of your personal data where we are relying on legitimate interest. You also have a right to object where we are processing your personal data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
    • Withdraw your consent. Where you have provided your consent to our processing of your personal data you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
    • Lodge a complaint at a supervisory authority. We will do our best to resolve any complaint. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work or where an alleged infringement of the applicable data protection law took place. A list of EU supervisory authorities and their contact details is available here.

3. Local provisions: Canada

If you are based in Canada, the following applies in addition to the remainder of this Privacy Policy:

  • PIPEDA means the Personal Information Protection and Electronic Documents Act, which governs the collection, use, and disclosure of personal information in Canada.
  • The use of ‘PII’ in this Privacy Policy has the meaning of ‘personal information’ under PIPEDA.
  • If we share your personal information with our group companies or third parties located outside of Canada, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal information, particularly by signing agreements that include privacy clauses and protections. You can find more information about these safeguards by contacting us at the address provided below.
  • Below, we set out your privacy rights under PIPEDA in more detail and give information on how you can exercise them. Most of these rights are not absolute and are subject to exemptions in the law. We will respond to your requests within a reasonable time frame. If your request is complex, we may extend this period but will inform you accordingly.
    • Access your personal information. You are entitled to ask us if we are processing your personal information and, if we are, you can request access to your personal information. This enables you to receive a copy of the personal information we hold about you.
    • Request the transfer of your personal information. We will provide to you or a third party you have chosen, your personal information in a commonly used, machine-readable format. Please note, this right applies to the personal information you have provided to us and only if we use your personal information on the basis of consent or where we used your personal information to perform a contract with you.
    • Request erasure (deletion) of your personal information. You are entitled to ask us to delete or remove personal information in certain circumstances. There are certain exceptions where we may refuse a request for erasure, for example, where the personal information is required for compliance with law or in connection with legal claims. When we need to rely on an exemption, we will inform you about this.
    • Request correction or updating of your personal information. This enables you to have any incomplete or inaccurate data we hold about you corrected.
    • Request the restriction of our processing of your personal information in some situations. If you request this, we can continue to store your personal information but are restricted from processing it while the restriction is in place.
    • Object to our processing of your personal information where we are relying on legitimate interests. You also have a right to object where we are processing your personal information for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can demonstrate compelling legitimate grounds to continue that processing.
    • Withdraw your consent. Where you have provided your consent to our processing of your personal information, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal information before you withdrew consent.
    • Lodge a complaint with the Office of the Privacy Commissioner of Canada. We will do our best to resolve any complaint. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with the Office of the Privacy Commissioner of Canada. Contact details are available on their website.

    • If you exercise the rights above and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
    • You can exercise the rights above by sending an email to compliance@massivebio.com.
    • Contact information of the Data Protection Officer: Cagatay M. Culcuoglu, cculcuoglu@massivebio.com