Privacy Policy

Last updated: 12 December 2025

1. Introduction

We take your privacy very seriously. Please read this Privacy Notice (sometimes called a “Privacy Policy”) and any other fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your personal information.

This Privacy Notice has been drafted to be applied to personal information processing activities globally. The processing activities may be more limited in some jurisdictions due to the restrictions of their laws. For example, the laws of a particular country may limit the types of personal information we can collect or the way we process that personal information. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of local law.

This Notice supplements our other policies and notices and is not intended to override them.

A separate privacy notice regarding our collection of personal information in relation to our clinical trial activities will be distributed as applicable at the relevant stage of the process, although if you have any questions or concerns then please contact the DPO.

A separate privacy notice regarding our collection of personal information in relation to employees, workers and contractors is distributed internally.

Who we are

We are Synox Therapeutics, a company that continues the development of emactuzumab as a potentially best-in-class treatment for patients with TGCT and other macrophage-driven pathologies around the globe (hereafter referred to as “Synox”, “we”, “us” or “our”).

SynOx Therapeutics Limited and SynOx Therapeutics UK Limited are each a “data controller”.
This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. SynOx Therapeutics acts as the data controller for the personal information described in this Privacy Notice. We determine the purposes and means of processing your personal information in compliance with applicable data protection laws, including the GDPR. For any questions or concerns about how we handle your personal information, please contact us at [email protected]

How to contact us

You can contact us at:

Email: [email protected]
EU Address: SynOx Therapeutics Limited
3 Dublin Landings
North Wall Quay
Dublin
D01 C4E0
Ireland

UK Address: SynOx Therapeutics UK Limited
John Eccles House
Robert Robinson Avenue
Oxford Science Park
Oxford
OX4 4GP
UK

When you contact us, any information you choose to disclose is sent directly to us to assist us in better answering your request.

Data protection officer (DPO)

We have appointed GRCI Law Limited as our DPO, who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, our privacy practices or how we handle your personal data, you can contact our DPO as follows:
GRCI Law Limited
Unit 3, Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA
[email protected]
03339005555

5. Additional and supplementary privacy notices

5.1 Clinical Trials
Please note that we provide additional and/or supplementary privacy notices or similar disclosures for the clinical trials and these additional and/or supplementary privacy notices comply with the privacy law in the country in which they take place, they are provided to trial participants at the start of the clinical trial but if you want any further information, you can contact our Data Protection officer (“DPO”) at [email protected].

5.2 Employees
We provide our former or existing employees, workers and contractors with supplementary privacy notices where we are required to do so and dependent on the employees’ geographies and jurisdictions these are distributed internally.

5.3 General
We may also provide additional privacy notices for certain entities within SynOx Therapeutics, categories of Data Subjects (e.g., certain investors or prospective investors in a fund managed or advised by SynOx Therapeutics, and certain geographies and jurisdictions.

6. What is meant by personal information or personal data

We use the terms “personal data” and “personal information” to refer to any information that can reasonably be used to identify you as an individual, either on its own or when combined with other information.

The types of data we collect depend on how you interact with us, the choices you make, and your relationship with us. This may include information such as your name, contact details, account credentials, payment details, professional or employment-related information, technical details like IP addresses, and preferences. In some cases, and only as permitted by applicable law, we may collect sensitive personal data, such as health or biometric information, with your explicit consent where required.

7. What types of personal information we collect

The personal information that we collect depends on the context of your interactions with us and the website, the choices you make and your relationship with us and may include the following types of personal data:

Appointment and Interview Data
Behaviour: information about daily habits and moods.
Candidate data: your resume, application letters and forms; job details, work history interview notes and any other information you provide us with as part of your application process.
Commercial data: including tax information, bank account details, credit card number, money transfers including communications on bank transfers, assets, investor profile, credit history, debts, and expenses.
Communication Data: Any information you voluntarily provide, including online or through communication.
Contact data: data such as your postal address, tax ID, personal or work email address, mail address, work address, phone number, or other similar identifier by which you may be contacted online or offline.
Education and Training data: information about your education, qualifications, training, degrees, certifications, specialisms, school name; school contact details; student number; qualification details; field of study; attendance dates; graduation.
Identification data: name, passport number, tax ID, study identification number, internet protocol address, account name, social security number, driver’s license number, Age, gender, biological sex and date of birth.
Images: including your picture and other visual information.
Location data: includes your IP Address, telephone codes, address, clinic or hospital, work address, country of birth and/or residence, questionnaires. The physical location of your device by, for example, using satellite, ‎cell phone tower or Wi-Fi signals.
Marketing data includes preferences in receiving marketing from us and our third parties and communication preferences.
Payment data: money owed and paid and bank account for payment, tax details.
Professional data: includes professional or employment-related information, including your employment history, employer’s name, remuneration, references, training records, disciplinary and performance records, health and safety records, employment status: employer name; employer contact details; manager name; manager contact details; job title; pay rate; dates of employment; reason for leaving.
Technical data: includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access our website.
Profile Data: includes username and password, interests, preferences, feedback, and survey responses.
Observations preferences and opinions: information included in questionnaires and consent.
Usage Data: includes information about how you use our website and services and online activity based on your interaction with us, our websites and applications, for example searches, site visits browsing actions and patterns. Internet or other electronic network activity information, including, but not limited.
Other Information relevant to conducting business with us or Information classified as personal or protected information by state, federal, or other applicable law.

8. What is Sensitive or Special Category Data

Sensitive or Special Category Data is personal data that needs more protection because it is sensitive.

Where you choose to provide us with this information or we have a lawful reason for collecting it, we will only process that sensitive personal information in such jurisdiction if and to the extent permitted or required by applicable law.

9. Do you collect sensitive personal data?

We may collect sensitive Personal Data (in some jurisdictions this is called “Special Category Data”) depending on your relationship with us e.g. we collect sensitive data from employees or participants including:

Health Data: data concerning health, sick absence notes, disabilities, medical history, medications, work accident injuries, examination notes and test results from the study (e.g., blood type, vital signs, urine test, x-rays, physical exams, known conditions, medical survey or questionnaire results, and other study-specific procedures required by the study protocol);
Demographic Data: including ethnicity and race
Sex: including sex life and sexuality

We may, as required by applicable law, provide you with a supplementary country specific privacy notice when you are a participant in a clinical trial that sets out exactly what sensitive personal data we will collect for the purposes of that trial.

When we employ you, we may, where required by applicable law, provide you with a supplementary country specific privacy notice that sets out exactly what sensitive personal data we will collect for the purposes of your employment.
In connection with our operations, including recruitment and clinical trial activities, we may collect and process sensitive or special category personal data, as defined under applicable data protection laws, including the UK GDPR, EU GDPR, and relevant U.S. privacy laws. This data may include:

Information about your race, ethnicity, or nationality, religious beliefs, and/or sexual orientation.
Information about your health, including medical conditions, disabilities, and health or sickness records.
Information about criminal convictions and offenses where required by law, such as for certain roles where background checks are appropriate and legally permitted.

We will only process such data where:

It is necessary to fulfill our legal obligations (e.g., compliance with employment or health and safety laws).
It is required for conducting clinical trials in the public interest or for scientific research purposes.
You have provided your explicit consent (e.g., for voluntary diversity monitoring or trial participation).

For recruitment purposes, information about criminal convictions will only be collected where appropriate for the nature of the role and where we are legally permitted to do so. This may include information provided by you or obtained through lawful background checks. Such processing is conducted in connection with our obligations under employment laws or other legal requirements.

We have implemented appropriate policies and safeguards, as required by law, to ensure the secure and lawful processing of sensitive and special category data. For more information on these safeguards, or to request further details about how we handle this type of data, please contact us using the details provided in this Privacy Notice.

10. How We Collect Your Personal Data

For us to operate effectively, we may request and collect information about you, The information we collect depends on the context of your interactions with us and the choices that you make, including your privacy settings and the features that you use.

10.1 From you directly

We collect personal information through your behaviour and interactions with us and information that you voluntarily provide to us when you express an interest in obtaining information about us, when you apply to work for us, participate in activities with us or on our website or otherwise when you contact us.

10.2 Information Collected through Technical means

indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in our ‘Cookies Notice.
When you visit our website and its subdomains as referenced above, and the landing pages of marketing campaigns that we may create and run from time to time.
Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some services to, among other things, track the actions of users of the services (including email recipients), and compile statistics about usage of the services and response rates as well as general demographic information and aggregated information.
When you download a white paper available or other digital content from our website
When you visit our website and its subdomains as referenced above, and the landing pages of marketing campaigns that we may create and run from time to time.

10.3 Information we receive from third parties in each case where permissible and in accordance with applicable law

Sometimes we receive your personal data from third parties such as Clinical Research organisations, agencies, marketing agencies, recruitment agencies, talent acquisition agencies, market research companies, our suppliers, contractors, partners or consultants, group companies. We may also collect other identifiable information from clinical trial research site staff.

We may also collect your personal information from third parties such as from your insurance or healthcare ‎provider, our joint marketing partners, agencies, marketing agencies, market research companies, our suppliers, contractors, partners or consultants, your employees, group companies

10.4 Information we receive from public sources

We may collect Information about you from publicly available sources, including any social media platforms such as LinkedIn, public websites and public agencies.

10.5 Jurisdiction Specific Information

If you are located outside of the country where we operate or provide services, please be aware that your personal data may be processed and stored in a jurisdiction where data protection and privacy laws may differ from those in your country of residence or citizenship. We take appropriate measures to ensure that any transfers comply with applicable legal requirements and that your information remains protected.
For more jurisdiction-specific information on how we use and process your data, please see the sections linked below or contact us

• EEA and UK residents

11.Cookies

For more details about how we use cookies, please click here to view our Cookie Notice, which explains the types of cookies we use, their purpose, and how they enhance your browsing experience. Our Cookie Notice also outlines how you can manage or disable cookies through your browser settings or other tools, allowing you to control the collection of certain types of data. Please note that disabling some cookies may affect the functionality of our website and your ability to access certain features or services.

12.Children

Our website is not directed to children under the age of 16, and we do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete the information as soon as possible. If you believe we may have inadvertently collected data from a child, please contact us.

14. Why We Use Your Personal Data

We may use your Personal Data for a variety of purposes, and (to the extent applicable) on the basis of various legal bases, including, but not limited to, the following:

Complying with legal or regulatory obligations, such as our obligations regarding know-your-client and anti-money laundering due diligence;
Performing a contract with you or to take steps at your request before entering into a contract, including to: (i) provide you with information regarding SynOx Therapeutics products or services; (ii) assist you and answer your requests; (iii) evaluate whether we can offer you regarding SynOx Therapeutics products or services and under what conditions; and (iv) responding to know-your-client and anti-money laundering information requests presented by counterparties with whom we do business on your behalf or for your benefit; and

Other legitimate business interests, such as:

Communicating with Data Subjects;
Performing activities relating to client management, financial management and administration;
Creating, improving and developing our products and services;
Conducting market research, surveys, and similar inquiries to help us understand trends, client and website visitor needs;
Investigating and resolving disputes and security issues and enforcing our Terms of Service and other agreements;
Monitoring and auditing compliance with internal policies and procedures, legal obligations and to meet requirements and orders of regulatory authorities; and
Processing and considering applications for employment, including evaluating and confirming your suitability for the position and accuracy of any information submitted.

We will not use your personal information for any purposes inconsistent with this document and the purpose for which it was collected, without your permission or otherwise in accordance with applicable law.

Please contact us if you have any questions about how we use your personal data.

EEA and UK residents: For more information about our basis for processing your personal data see here.

15. Selling Personal Data

We do not sell any personal information and have not sold any personal information in the past.

16. Your Rights

We will only collect, process and/or use personal information where we are satisfied that we have an appropriate legal basis to do so. Depending on your location and applicable data protection laws, you may have certain rights regarding your personal data. These rights may include the right to access, correct, update, or delete your data; the right to restrict or object to certain types of processing; the right to data portability; and the right to withdraw your consent where processing is based on consent. You may also have the right to lodge a complaint with a supervisory authority.

To exercise your rights or for more information, please contact us. We will review and respond to your request in accordance with applicable data protection laws.

Please note that we may need to verify your identity before processing certain requests.

17. Unsubscribe and Opting Out

SynOx does not send marketing emails or other promotional communications. You should not receive any marketing messages from us. If you do receive a message that appears to come from SynOx and you believe it is unsolicited or was sent in error, please contact us immediately so we can investigate and address your concerns.

If you wish to opt out of other forms of communication or have any issues with unsubscribing, you can contact us directly at [email protected]. We will process your request promptly in accordance with applicable data protection laws, including the UK GDPR and the EU GDPR.

Please note that opting out of marketing communications does not affect transactional or service-related communications necessary for the performance of a contract or other legitimate purposes.

18. How long we hold your personal data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Notice, or to comply with applicable legal, regulatory, or contractual obligations.

Retention periods vary depending on the nature of the data, the context of the processing, and jurisdictional requirements. For example, personal data may be retained longer where required by laws in the United States (e.g., tax or employment laws) or the United Kingdom (e.g., data protection and employment regulations). Once retention periods have elapsed, we securely delete, anonymise, or archive personal data in accordance with applicable data protection laws, including GDPR and UK GDPR, as well as U.S. state-specific privacy laws such as the California Consumer Privacy Act (CCPA). If you require further details on specific retention periods, please contact us using the information provided below.

19. Who do we share your personal data with?

We may occasionally share your personal data with the following types of organisations, ensuring that they maintain confidentiality, safety, and security in accordance with applicable data protection laws:

1. Potential Employers as part of a job application or recruitment process.

2. Service Providers, including those offering IT, system administration, and software services.

3. Payment Service Providers, for processing transactions.

4. Third Parties Involved in Our Services, such as webinar hosts or clinical trial partners involved in research activities.

5. Clinical Teams and Healthcare Professionals who support or administer clinical trials or related services.

6. Regulatory and Oversight Bodies for clinical trials, including ethics committees, institutional review boards, or relevant health authorities.

7. Marketing Use: If you provide a testimonial or commentary about our company, services, or partners, we may use these in our marketing materials both on and off our site.

8. Analytics Providers, such as Google Analytics, to assist us with insight analytics.

9. Suppliers and Administrative Support: Third parties, employees, agents, subcontractors, and professionals who provide products, services, and administrative support to us.

10. Regulatory and Legal Authorities, such as law enforcement agencies, judicial bodies, tax authorities, or other government and regulatory entities, where required by law.

11. Business Transactions: As part of a proposed sale, reorganisation, transfer, financial arrangement, asset disposal, or similar transaction related to our business or assets.

12. Other Parties with Your Permission: We may share data with other third parties explicitly authorised by you.

This list is non-exhaustive, and there may be other situations where we need to share your personal data to effectively provide our services.

We only share your personal data with organisations that implement appropriate measures to protect your information. Contractual obligations are imposed on these organisations to ensure they use your data solely for the services they provide to us or to you.

We will not share your personal data with any other third party without your explicit consent, unless required or permitted by law. The specific information shared will depend on your interactions with us and will always be limited to what is necessary for the intended purpose.

20. Third-Party Providers

Please note, this Privacy Notice does not apply to personal data collected directly by third-party providers who may share information with us. We strongly encourage you to review the privacy notices/policies of any third-party providers before submitting your personal data to them.

21. Do we transfer personal data Overseas?

We operate globally, and certain aspects of our information processing and data storage may be centralised in countries outside your own. As a result, we may need to share and transfer your personal information across multiple jurisdictions, including the UK, USA, and countries within the European Economic Area (EEA). These jurisdictions may have data protection laws that differ from those in the country where your personal information was collected or your country of residence.

To safeguard your personal information, we ensure that all international transfers comply with applicable data protection laws, including the UK GDPR, EU GDPR, and other relevant privacy regulations. We undertake thorough due diligence and risk assessments before any data transfer, ensuring your information has an appropriate level of protection. Where required, we implement legal safeguards such as Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure your data is handled securely and lawfully.

For further details about the measures, we use to protect your personal information when it is transferred internationally, please contact us at [email protected]

22. Third-party links

Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

23. How to withdraw consent

You can withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to supply certain products or services to you. We will tell you if this is the case at the time you withdraw your consent. If you wish to withdraw your consent, please contact us at [email protected].

For more information on Consent in US states see: “Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing”

24. Do we use automated decision-making or profiling?

We do not use automated decision-making or profiling.

25. How We Keep Your Personal Data Secure

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

26. How to Make a Complaint

If you have any concerns about our handling of your personal information or believe your privacy rights have been infringed, you have the right to make a complaint. We are committed to resolving privacy-related complaints promptly and effectively.

We encourage you to contact us directly at [email protected] so that we can address any issues promptly. However, if you are not satisfied with our response, you may also have the right to file a complaint directly with your local privacy regulator. We have provided some contact details for your reference below:

United Kingdom: You can file a complaint with the Information Commissioner’s Office (ICO) via www.ico.org.uk.
European Economic Area (EEA): If you are located in the EEA, you can reach out to your local data protection authority. A list of EEA data protection authorities can be found here.
United States: You may also reach out to the consumer protection agency in your state or contact the Federal Trade Commission (FTC) for general privacy concerns via www.ftc.gov.
Canada: If you have concerns regarding our data practices in Canada, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) via www.priv.gc.ca.

27. Non-Discrimination

We will not discriminate against individuals for exercising any of their privacy rights. We provide the same level of service and pricing to all users, regardless of privacy preferences, except where allowed by law.

28. Privacy Notice changes and updates

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make significant changes, we will take appropriate steps to inform you, consistent with the nature of the changes and applicable legal requirements.

We encourage you to review this Privacy Notice regularly to stay informed about how we process your personal data. Where required by law, we will seek your consent for material changes. However, we will not use your personal data for purposes that are materially different, unrelated, or incompatible with those outlined in this Privacy Notice without obtaining your explicit consent where required.

Your continued use of our website or services after any updates constitutes your acknowledgment of the revised Privacy Notice.

29. Supplemental Information for U.S. Residents

This section applies to individuals residing in the United States, with specific provisions for residents of states with enacted privacy laws. This notice outlines how we process personal information, including our practices related to consent, and the rights granted to residents under various state laws, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia.

22.1 US Residents Rights

Us Residents in certain states have specific rights regarding their personal information. These rights vary depending on the state, as indicated below.

• Right to Access: The right to access copies of personal information held by us.
(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia)

• Right to Correct: The right to request corrections to inaccurate personal information.
(California, Colorado, Connecticut, Iowa, Utah, Virginia)

• Right to Delete: The right to request deletion of personal information, subject to legal limitations and exceptions.
(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia)

• Right to Opt-Out of Sale or Sharing: The right to opt-out of the sale or sharing of personal information for purposes such as targeted advertising or profiling.

(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia)

• Right to Limit Use of Sensitive Personal Information: California residents have the additional right to limit the use and disclosure of their sensitive personal information to purposes specified under the CPRA.
(California)

• Universal Opt-Out Mechanism: The right to use a universal opt-out mechanism to signal privacy preferences across platforms (where applicable).
(California, Colorado, Connecticut, Iowa)

22.2 Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing

In accordance with various state privacy laws, we provide consumers with the right to opt out of the use of their personal information for targeted advertising or its sale to third parties. While these laws do not always require upfront consent, they ensure that consumers have control over how their data is used for these purposes. Additionally, certain states require explicit consent to process “sensitive” personal information, which may include data such as race, ethnicity, health information, biometric data, and, in some cases, precise geolocation. We are committed to respecting these rights, providing options to manage the use of your personal information, and ensuring that your sensitive data is only processed in compliance with applicable legal requirements.

22.3 Shine the Light Law and Similar Requirements

Under California’s Shine the Light law (California Civil Code Section § 1798.83), California residents are entitled to request and receive information regarding certain types of personal information that we share with third parties for their direct marketing purposes.
In addition to California, the following states have similar, though narrower, laws concerning data transparency or opt-out rights:

• Nevada: Nevada law allows residents to opt-out of the sale of their personal information to third parties. While this law does not require detailed disclosures about data sharing for direct marketing, Nevada residents may request that we refrain from selling their personal data. For opt-out requests, please contact us at [Privacy Contact Email].

• Vermont: Vermont’s law requires data brokers to disclose certain data-sharing practices and allows residents to opt-out of the sale of personal information if their data is collected by a data broker. Vermont residents may contact us for more details on our data-sharing practices.

To make a Shine the Light request or exercise similar rights under Nevada or Vermont law, please:

Please specify the nature of your request (e.g., Shine the Light, Nevada Opt-Out, or Vermont Disclosure Request) and include sufficient details in your request to help us identify your records. We will process and respond to your request within the required timeframes.

Please note that we may require additional information to verify your identity before processing certain requests. Once verified, we will respond within the timeframe specified by the relevant state law.

30. Supplemental Information for Canadian Residents

This section applies to residents of Canada and addresses federal and provincial privacy requirements, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. This is part of our commitment to protect personal information and ensure transparency about how we process it.

22.4 Scope of this Privacy Section

This section applies to personal information collected, used, and disclosed by us in the course of commercial activities and to fulfil obligations under applicable Canadian privacy laws, including:

• Provincial Privacy Laws – Include British Columbia’s Personal Information Protection Act (BC PIPA), Alberta’s Personal Information Protection Act (AB PIPA), and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (ARPPIPS, also known as Quebec’s Law 25).

• Provincial Health Privacy Laws – In some provinces, specific laws govern health information.

22.5 Consent and Lawful Basis for Processing

We rely on consent and other lawful bases for processing personal information, as required by Canadian privacy laws.

• Express or Implied Consent: Where required, we obtain your express or implied consent to collect, use, or disclose your personal information.

• Consent may be implied for purposes that are obvious or necessary to fulfil your request.

• Exceptions to Consent: In certain cases, we may collect, use, or disclose personal information without consent if required or authorized by law (e.g., for fraud prevention, security, or legal compliance).

Important Note for Quebec Residents: Under Quebec’s ARPPIPS, as amended by Law 25, explicit consent is required for processing “sensitive” information, including health data. In some cases, written consent may be required.

22.6 Rights of Canadian Residents

Canadian residents have specific privacy rights under federal and provincial laws, which may vary slightly by province.

1. Right to Access
You have the right to request access to your personal information, including details on how it has been used or disclosed.

2. Right to Correct
You may request corrections to your personal information if it is inaccurate or incomplete.

3. Right to Withdraw Consent
You may withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.

4. Right to Complain
If you believe your privacy rights have been violated, you may file a complaint with the relevant privacy commissioner’s office:

– Office of the Privacy Commissioner of Canada (PIPEDA): For individuals – Office of the Privacy Commissioner of Canada

– British Columbia Privacy Commissioner (BC PIPA): How do I make a complaint? – Office of the Information and Privacy Commissioner for BC

– Alberta Privacy Commissioner (AB PIPA): https://oipc.ab.ca/

– Quebec Commission d’accès à l’information (CAI): Commission d’accès à l’information du Québec

5. Right to Data Portability (Quebec)
Quebec residents have the right to request that their personal information be transferred to another organization in a structured, commonly used, and machine-readable format, subject to certain conditions under Law 25.

We will respond to your request within the timeframe required by the applicable federal or provincial privacy law.

31. Additional Information for EU and UK Residents

We are subject to the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the UK and European Economic Area (EEA).

31.1 Further Details about our processing of the personal data of for EU and UK Residents

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

31.2 Privacy rights of EEA and UK Residents

Please see more details about your rights below. In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you.

Access –the right to request a copy of the personal data we hold on you. In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee.

Rectification of personal data – this right enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Erasure of personal data – You can ask us to delete or remove your personal information in some circumstances such as where there is no good reason for us continuing to process it. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, job applicants who submit their personal info through the job application portal may also need to contact the potential Employer to have this data deleted or requested.

Restriction of processing personal data – this enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Objection to processing of personal data – you can ask us to stop processing your personal information, and we will do so, if we are relying on legitimate interests to process your personal information, except if we can show compelling legal grounds for the processing; or if we are processing your personal information for direct marketing purposes.

Automated decision making – you have the right to ask for a decision to be made manually, where a decision is made using automated means and this harmfully affects you.

Portability – you have the right to have personal data we hold about you transferred securely to another service provider in electronic form.
In most circumstances you do not need to pay any charge for exercising your rights. We have 1 month to respond to you.