Privacy policy: Novoic AMYPRED application

Version 1.0, last updated 23/May/2023.

This Privacy Policy is for the Novoic application used for the AMYPRED research studies. The application is used to administer speech-based testing remotely, on participants’ own smart devices. The participants’ speech samples are then analyzed using natural language processing, other AI models and other analytic methods.

This privacy policy explains in general terms how Novoic Ltd ("Novoic", "we", "us", or "our") collects, uses, discloses, and processes your personal information in connection with our application. As the controller of the information Novoic collects when you interact with our application, we determine and are responsible for how your personal information is used.

We take your privacy very seriously, and are committed to protecting your personal information and your right to privacy. This privacy policy sets out our approach to protecting your personal data, recognising that different jurisdictions and legal systems will apply depending on your location of residence.

This Privacy Policy regulates your use of our application. By using our application, you consent to the practices described in this Privacy Policy.

1. The data we collect about you

This section provides a summary of how information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

1.1 Which personal information we collect from you

Personal data, or personal information means information related to an identifiable person and could be used to identify or be associated with a specific person or household. On this application, the types of information we may collect, store and transfer include:

Speech Recordings collected during the speech-based tasks.
Some information is collected automatically when you use our application. This includes app performance and diagnostic information, and information about your operating system.

1.2 How we collect your personal data

In this application we collect personal information from direct interactions with you, such when you provide speech recording through our application. We also automatically collect passive technical information about your equipment and browsing actions while you interact with our application.

1.3 How we use your personal information

We will only use your personal information when legally permitted and in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We will not use your personal information for purposes other than those specified in this Privacy Policy unless we obtain your explicit consent for such additional purposes. We process your personal data based on one of the following legal grounds:

Consent: We may process your personal data when you have given us explicit consent to do so for a specific purpose.
Legal obligation: We may process your personal data when it is necessary to comply with a legal or regulatory obligation, such as responding to a lawful request from authorities.
Legitimate interests: We may process your personal data when it is necessary to pursue our legitimate interests or those of a third party, provided that your rights and interests do not override these. Legitimate interests may include improving our application, conducting research, and maintaining the security and integrity of our systems.

Most often, we use the collected personal information for the following purposes:

Secure storage, processing, and analysis of your data in partnership with third-party providers, on the legal basis of our legitimate interest in providing a high-quality service and maintaining data security.
Doing internal research and improving the user experience of our application, on the legal basis of our legitimate interest in improving our offerings and ensuring customer satisfaction.
Research and development: We may use your personal data to conduct research and development activities aimed at improving our application, understanding the effectiveness of our speech based testing, on the legal basis of our legitimate interest in innovation and maintaining our competitive advantage, or with your explicit consent when required by law.

Please note that we may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. If you need more information about the legal bases on which we rely for processing your personal data, please contact us using the information provided in section 4.7, "Contact Information.”

2. Your participation in clinical research

2.1 Consent to research participation

The purposes for which your personal data will be used are addressed in this Privacy Policy and the study-specific documentation and participant consent documentation that we ask you to review as part of the associated research study. You should carefully review the consent documentation to understand how your personal data is processed in relation to a study.

You will be asked to complete a separate consent form for each clinical trial or research project you participate in. You have the right to withdraw your consent at any time.

2.2 Communication Methods

We will not contact you directly unless it is necessary for the research study or to address any concerns or issues related to your participation.

3. How we use your personal data

We only share your personal data with trusted clients and service providers. All third parties with whom we share your data are required to respect the security of your personal data and treat it in accordance with the law.

3.1 With whom we will share your personal data

We may need to share your personal data with trusted clients and service providers, such as research partners, data storage providers, and data analysis companies. A list of these parties can be provided upon request. These include:

Subcontractors that help us store, process, and analyze your data.
Subcontractors who provide services for us and/or help to provide services to you.
Researchers from other organizations that will be carefully selected through a diligent process. These organizations and researchers will only have access to your data for a specific time period and for a specific purpose that is directly related to developing speech biomarkers for Alzheimer’s Disease. These organizations and researchers will be bound by confidentiality and data protection rules not less strict than the Sponsor organisation. These organizations and researchers can be from other commercial companies developing speech biomarker technologies, or from academic institutions.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change of control arises in relation to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
To comply with the law, we will share information about you if required by state, federal, or national laws.

3.2 Security and Confidentiality

We and our partners use suitable security measures to protect your personal data against accidental loss, unauthorized access, alteration, or disclosure. Access to your data is limited to employees, agents, contractors, and third parties who need it for business purposes.

Novoic has procedures in place to handle suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.

3.3 Data retention

We keep your personal data for the duration of time for data retention specified in your consent form.

4. Your Rights

Based on the relevant laws and regulations in your country or place of residence, you may have the right to request access, correct, delete, and object to the processing of your data. To request to review, update or delete your personal information please contact us directly, see section 4.7 “Contact Information”, below. We will not discriminate against you for exercising your privacy rights.

4.1 Opting out

To opt out of all communications or withdraw consent please email or call the research site that initially recruited you into our study, and ask for the withdrawal of your participation from the study. You may delete this application at any time, and no more assessment reminders will be sent to you.

4.2 Rights for European Union (EU) and United Kingdom (UK) residents

For residents in the United Kingdom and the European Union residents, the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act 2018 provide additional rights, including but not limited to:

a) Right to data portability: The right to receive personal information in a structured, commonly used, and machine-readable format and, where technically feasible, to have the data transmitted directly to another data controller.
b) Right to restrict processing: The right to request that Novoic restricts the processing of personal information under certain circumstances, such as when the user contests the accuracy of the data or when the processing is unlawful but the user opposes erasure.
c) Right to erasure: The right to request the deletion of your personal data, subject to certain exceptions.
d) Right to access and rectify: The right to request access to your personal data and to have any inaccurate personal data rectified.

To exercise these rights, EU and UK residents please contact us directly, see section 4.7 “Contact Information”, below.

4.3 Privacy of your health data in the United States

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and subsequent regulations issued by the Department of Health and Human Services ("DHHS") impose certain restrictions on organizations (Covered Entities) that may fall under HIPAA concerning your relationship with our company. Although Novoic is not a Covered Entity, When providing services for Covered Entities, Novoic acts as a Business Associate under HIPAA and adheres to the relevant privacy and security requirements.

We also comply with other applicable US state privacy laws, such as the California Consumer Privacy Act (CCPA) Nevada Privacy Law and the Virginia Consumer Data Protection Act, if applicable.

4.4 Rights of people in the state of California

If you are a resident of California, you have certain rights under the California Consumer Privacy Act (CCPA) regarding your personal information. As a California resident, you have the following rights under the CCPA:

a) The right to request access to your personal information.
b) The right to request deletion of your personal information.
c) The right to opt-out of the sale of your personal information (if applicable).
d) Right to Request Information about Disclosures for Direct Marketing Purposes.
e) The right to non-discrimination for exercising your CCPA rights.

To exercise your rights under the CCPA, please submit your request in writing to our Data Protection Officer using the contact information provided in Section 4.7 "Contact Information." Please include your full name, email address, and a description of the specific right you wish to exercise. We will respond to your request within 45 days, as required by the CCPA. Please note that the rights provided under the CCPA apply only to residents of California.

4.5 Complaints

You can complain if you feel that your privacy rights have been breached. To do so, please reach out to our Data Protection Officer (refer to 4.7 “Contact Information”, below).

You are entitled to file a complaint with the appropriate national supervisory authority in your country of residence at any time. If you are based in the UK, please consult the Information Commissioner's Office (ICO) website (www.ico.org.uk). If you reside in the United States, you may contact the US Federal Trade Commission regarding your concerns (https://www.ftc.gov/faq/consumer-protection/submit-consumer-complaint-ftc).

Please note that this is not an exhaustive list. You can find the relevant DPA for your jurisdiction by searching online or consulting local data protection laws.

However, we kindly request that you give us the opportunity to address your concerns before reaching out to a national supervisory authority, and would be grateful if you contacted us first. Please find our contact information below in section 4.7 “Contact information”

4.6 Contact information

If you have any questions, requests, complaints about our website or application, or if need more information about our privacy practices, and the information we collect from you, or if you have have privacy rights requests, please use the following contact information:

Name of legal entity: Novoic Ltd
Data Protection Officer: Dr Jack Weston
Email: support@novoic.com
Address: 50-52, Wharf Road, Wenlock Studios, Office G.05, London, United Kingdom, N1 7EU

5 Changes to privacy policy

We reserve the right to modify or change the terms of this Privacy Policy from time to time The updated version will be indicated by an updated "Last Updated" date and version number, and will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we will notify users of any changes by email, posting on our website, or using other appropriate communication channels. Your continued use of our application constitutes acceptance of the updated Privacy Policy.