Privacy Policy

2026

ObvioHealth takes your privacy very seriously and wants you to be familiar with how we collect, use, disclose and retain information in accordance with laws applicable to our organisation.

Please read this Privacy Notice (sometimes called a privacy policy) and any other privacy notice or fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and request deletion of your information.

This Privacy Notice supplements the other notices and is not intended to override them.

1.     Scope of this Privacy Notice

This Privacy Notice describes our practices in connection with any information that we collect, including through our websites, mobile and cloud-based clinical trial applications, any other ObvioHealth application that links to this notice, as well as through HTML-formatted email messages that we may send to you that link to this Privacy Notice.

We may provide you, as required, with a supplementary country-specific privacy notice when you are a participant in a clinical trial using ObvioHealth software.

This Privacy Notice applies to the following website: obviohealth.com.

2.     Privacy Law

This Privacy Notice has been generally drafted in accordance with relevant US legislation and the General Data Protection Regulation (EU & UK GDPR) but will also be applied to personal information processing activities globally. The processing activities may be more limited in some jurisdictions due to the restrictions of their laws. For example, the laws of a particular country may limit the types of personal information we can collect or the manner in which we process that personal data. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of local law.

California residents

To the extent you are subject to the California Consumer Privacy Act, we act as a data processor and process personal data collected accordingly. California’s “Shine the Light” law permits customers in California to request certain details about how certain types of their information are shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business should either provide California customers certain information upon request or permit California customers to opt in to, or opt out of, this type of sharing. Additionally, to the extent you are subject to the California Privacy Rights Act (“CPRA”), which expanded consumer rights effective January 1, 2023, you may have additional rights including: the right to correct inaccurate personal information; the right to limit our use and disclosure of sensitive personal information (including health and precise geolocation data); and rights related to automated decision-making. To exercise any of these rights, please contact us at my-privacy@obviohealth.com. ObvioHealth does not sell or share your personal information as those terms are defined under the CPRA. If you wish to exercise any rights under the CCPA or CPRA, including the right to know, the right to delete, or the right to opt-out of the sale or sharing of personal information, please contact us at my-privacy@obviohealth.com or visit our website.

Other U.S. State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive consumer privacy law, you may have similar rights to those described above, including the right to access, correct, delete, and port your personal data, and the right to opt out of targeted advertising. To exercise any of these rights, please contact us at my-privacy@obviohealth.com. We will process your request in accordance with the applicable state law.

Privacy Rights of Residents of the European Union, United Kingdom, and Switzerland

Relevant data protection laws make a distinction between organizations that process personal data for their own purposes (known as “data controllers”) and organizations that process personal data on behalf of other organizations (known as “data processors”). With regard to your personal data, we are a data controller of information that we collect when you enter your information into the “Contact Us” section of the Website and with respect to any Website Use Data or Device Connectivity and Configuration Data considered to be personal data under the law. Otherwise, we generally serve as a data processor with respect to the personal data we collect through the Website and otherwise through our services.

To exercise any of these rights with respect to personal data collected by us as a data controller, contact us as set forth in the section entitled “Contact Us” below and specify which right you intend to exercise. We will respond to your request within one calendar month. We may require additional information from you to allow us to confirm your identity. Please note that we store information as necessary to fulfil the purposes for which it was collected, and may continue to retain and use the information even after a data subject request for purposes of our legitimate interests, including as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

In compliance with U.S. legislation, the GDPR and relevant data privacy laws, ObvioHealth is committed to cooperating on unresolved complaints concerning our handling of personal data received under the GDPR and applicable data protection laws.

Children

Protecting the privacy of minors is especially important to us. For that reason, no part of our website is structured to attract and collect or maintain information at our website from any Visitor that we have actual knowledge is a minor under thirteen (13) years of age. We do not knowingly collect personal information as defined by the U.S. Children’s Privacy Protection Act (“COPPA”) in a manner that is not permitted by COPPA. Please note that the age-13 threshold above applies specifically to our website under COPPA. Separately, our handling of personal data for individuals under the age of 18 in the context of clinical trials and research studies is addressed in the “Children Under the Age of 18” section below.

Security

We use appropriate organizational, technical, and administrative measures to protect personal information we process. No data transmission over the Internet or data storage system can be guaranteed to be one hundred percent secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately of the problem by contacting us in the "Contact Us" section below. All parties have the right to access their personal data at any time. An individual may request that their information on the ObvioHealth LLC website be changed or removed at any time by emailing my-privacy@obviohealth.com. In the case you believe your data privacy has been used outside of what you have consented to, you have the right to contact the relevant supervisory authority or invoke binding arbitration.

International Transfers

Your personal information may be stored and processed in any country where we have facilities or service providers, and by using our Site or providing consent to use (where required by law), you agree to the transfer of information to countries outside of your country of residence, including the United States, which may provide for different data protection rules than in your country. Where we do transfer your personal information to our affiliates or contracted services providers based outside of your country of residence, we ensure, by means such as Standard Contractual Clauses (SCCs) and other personal data transfer agreements, that your personal data is reasonably protected in accordance with applicable privacy laws, regulations or binding codes.

Important information and who we are

  • ObvioHealth (“we/us/our”) refers to ObvioHealth USA, Inc., a US corporation with its legal address at: 99 Wall Street, #1480, New York, NY 10005.
  • Our parent company, ObvioHealth PTE. LTD., is a Singapore entity with its registered address at: 79 Science Park Drive, #06-01, Cintech IV, Singapore 118264.

Our contact details

  • Please contact us via the ObvioHealth Privacy Team:
  • By email: my-privacy@obviohealth.com
  • By mail: 99 Wall Street, #1480, New York, NY 10005
  • By [Toll-Free] Telephone: (888) 880-1664

Privacy Contacts, DPO, UK and EU Representatives

Data Protection Officer (DPO):

We have appointed GRC Solutions/GRCI Law Limited as our DPO, who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, our privacy practices, or how we handle your personal data, please contact our DPO at dpoaaservice@grcsolutions.io.

EU Representative:

We have appointed IT Governance Europe Ltd to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR) or have any queries in relation to your rights or general privacy matters, please email our representative at eurep@itgovernance.eu.

Please ensure you include our company name in any correspondence you send to our representative.

UK Representative:

ObvioHealth has appointed GRCI Law Limited to act as our UK Representative. If you wish to exercise your rights under the UK General Data Protection Regulation (GDPR) or have any queries in relation to your rights or privacy matters generally, please email our representative at ukrep@grcsolutions.io. Please ensure to include our company name in any correspondence you send to our Representative.

3.     What is meant by personal data or personal information?

  • “Personal data” (also referred to as personal information) is information that identifies you as an individual. It is also defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • This may include details such as your name, address, bank account details, internet protocol (IP) address, username, or other unique identifiers.
  • Certain personal data, known as sensitive or special category data, requires additional protection due to its nature. Examples of sensitive data include information about your health, religious or philosophical beliefs, race, or ethnicity.

4.     Information we collect

The personal information we collect depends on the nature of our relationship with you (e.g., as a client, supplier, site user, or job candidate). Below are examples of the types of personal data we may collect, store, and use:

Identity Data:

Includes your first and last name, date of birth, gender, username or similar identifier, title, photo, maiden name, aliases, ID numbers (e.g., passport, national ID card, driver’s license).

Contact Data:

Includes your email address, current and past physical addresses, telephone numbers, and other communication channels.

Communication Data:

Includes information you voluntarily provide through communication channels, whether online or otherwise.

Employment Data:

Includes details about your employment, such as employer name, employer contact information, manager name and contact details, job title, pay rate, employment dates, and reasons for leaving.

Education and Training Data:

Includes school or institution name and contact details, student ID numbers, qualification details, field of study, attendance dates, and graduation details.

Payment Information:

Includes records of money owed and paid, bank account details for payment, and tax information.

Location Data:

Includes your country of birth, residence, address, and geographic location data collected via devices using satellite, cell tower, or Wi-Fi signals.

Transactional and Client Information:

Includes details about services we provide to you, customer service interactions, and customer relationship management records.

Marketing and Communication Preferences:

Includes your preferences for receiving marketing from us or third parties, as well as your preferred communication channels.

Technical Data:

Includes details such as time zone, IP address, domain name, operating system, browser type, device type, website visit data (e.g., pages visited, date and time of access), and website interaction preferences.

Behavioural Data:

Includes information about your daily habits and moods.

App Usage Data:

Includes tracking and usage data, such as the date and time the app on your device accesses our servers, and information or files downloaded to the app based on your device number.

Candidate Data:

Includes information from your resume, job details, work history, and other relevant job application materials.

5.     Do we collect and use Sensitive Information?

When you participate in an ObvioHealth screening questionnaire to assess whether you are eligible to participate in trials or studies, we collect personal data including health information. Our questionnaires may request health information such as:

  • medical conditions
  • medication usage
  • medical history
  • pregnancy status
  • information regarding gender, race, or ethnicity

When you participate in a clinical trial or research project, we may collect additional information requested by the sponsor of that clinical trial or project. This may include:

  • additional health information
  • demographic information
  • photographs
  • audio or
  • other personal information required for that study.

6.     How does ObvioHealth acquire my personal information?

We use different methods to collect data from and about you, including:

Personal Data provided directly by you

  • When you use our Services, e.g., when you answer a Questionnaire or register to join the ObvioHealth community.
  • When you are participating in a clinical trial or research project, or you are staff for a clinical trial site or project sponsor.
  • When you subscribe to any of our marketing channels and/or respond to our marketing campaigns.
  • When you apply for a job with us.
  • When we receive business cards, emails, and other documents from individuals containing such information.
  • When you communicate with us, use our “contact us” features on our website or mobile application, or enter into a contract for our services.

Personal Data Collected through Technical means

  • When you visit our website or mobile application depending upon the features you use.
  • Cookies and pixel tags (also known as web beacons and clear GIFs) may be used in connection with some Services to, among other things, track the actions of users of the Services (including email recipients), and compile statistics about usage of the Services and response rates as well as general demographic information and aggregated information.
  • When you download digital content from our website.

Information we receive from third parties in each case where permissible and in accordance with applicable law

  • We may also collect additional identifiable information about you, as required to conduct the clinical trial, either directly or through the sponsor, trial site, or research staff.
  • Sometimes we collect your personal information from third parties such as from your insurance or healthcare provider, our joint marketing partners, agencies, marketing agencies, market research companies, our suppliers, contractors, partners or consultants, group companies.

Information we receive from public sources

  • ObvioHealth may collect information about you from publicly available sources, including any social media platforms, public websites, or public agencies.

7.     Why we use your personal information

ObvioHealth only processes (i.e., uses) your personal data when the law allows us to; that is, when we have a lawful basis for processing. We typically use your personal data in accordance with the reason you shared it and to:

  • Improve, administer, provide, and maintain our services, websites, mobile applications, and clinical trial services and capabilities.
  • Improve our services.
  • Monitor the usage of our service.
  • Prevent, detect, and address technical issues.
  • Keep internal records about our business, customers, suppliers, contractors, partners, and prospects.
  • Communicate and respond to inquiries, fulfil requests, and send administrative information, for example, information regarding the Services and changes to our terms, conditions, and policies.
  • Enroll individuals in clinical trials and research studies.
  • Collect data during the conduct of clinical trials and research studies per sponsor requirements.
  • Provide support services to members of the ObvioHealth community and the staff of sponsors, trial sites, or other partners that use our website or mobile applications.
  • Carry out obligations under our contracts with sponsors, trial sites, or other partners.
  • Assist with payment, including billing and participant financial compensation when applicable.
  • Better understand the needs of the users of our sites and mobile applications and create content that is relevant to the user.
  • Help with marketing and market research purposes.
  • Use for analytics purposes and to generate statistics, aggregate data, and de-identify data.
  • Consider your job application.
  • Prevent fraud and investigate potential misconduct.
  • Comply with law and legal process.

8.     Children Under the Age of 18

  • In the event that we collect personal data for children under the age of 18 for Clinical Trial purposes, we will provide the children with a child-friendly privacy notice and follow applicable requirements for any collected data.
  • If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will contact the trial sponsor, as data controller, and follow their instructions for handling the data. If you believe we might have any information from or about a child under 18, please contact us at my-privacy@obviohealth.com.

9.     Our Lawful basis for using your personal information

ObvioHealth only collects and uses your personal data when the law allows us. Most commonly (depending on the country you reside in), we will use your personal information based on the following:

  • Where you have given explicit consent before the processing.
  • Where we need to perform a contract that we are about to enter or have entered with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and those legitimate interests do not override your fundamental rights and freedoms.
  • Where we need to comply with a legal or regulatory obligation or claim.

We will only collect, process, and/or use the personal data where we are satisfied that we have an appropriate legal basis to do so.

For more jurisdiction specific information on how we use and process your information see the sections linked below:

10.     Do I have a choice about the data you collect and use about me?

Yes, you may always choose what personal information (if any) you wish to provide to us. You may also withdraw your consent at any time unless a specific legal exemption applies to the data we are processing on you.

In cases where you are requested to affirmatively provide information, such as to complete a form, or an application, or a survey on our website, you may decline to do so. Please understand, however, that in some cases certain information is required to complete an application, form, or survey, and if you decline to provide the information requested you may not be able to submit the application or request or to use certain functionalities of our websites or mobile applications. For example, if you decline to provide information requested on a screening questionnaire you may not be able to participate in clinical trials or research projects for which that information is a necessary consideration. Similarly, if you are participating in a clinical trial or research project and you decline to provide requested information or withdraw your consent, you may not be able to continue to participate in the clinical trial or research project.

If you would like to restrict our placement of cookies on your device, please see the section titled "How can I manage cookies?" in our cookie policy.

If you would prefer not to receive e-mail marketing messages from us, please use the opt-out instructions included in the email message to opt-out of additional communications.

You may be given additional choices in the context of particular preferences, tools, or functions that we make available through our website or mobile applications.

11.     How do you keep my personal data safe?

ObvioHealth has put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We will review, monitor, and update these security measures to meet our business needs and changes in technology and regulatory requirements. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal information, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Where required by the EU or UK GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. Please note that notification timelines may vary if processing applies under applicable US state laws.

12.     How long do you keep my personal data?

We will keep your personal information in line with our retention policy and applicable law and for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Personal data collected during your participation in a clinical trial or research study supported by ObvioHealth through our website or mobile application will be subject to retention by the sponsor of that clinical trial or research project for the period described in the informed consent for that clinical trial or project, which may differ.

If you use this site or mobile application, you are responsible for maintaining the confidentiality of any user ID and password or other access credentials that you may be provided. You should notify us immediately if any user ID and password or other access credentials we may issue you are compromised.

13.     Do you disclose my personal data to others?

We do not share, sell or lease personal data about you except as set forth in this Privacy Notice. The specific kind of information we share with third parties will depend on your activities with us and only to the extent as required or permitted by law. We contractually require these third parties to keep that personal data confidential and use it only for the contracted purposes.

Insofar as reasonably necessary for us in managing our business, delivering our services, and for the purposes set out in this Privacy Notice, we may share your personal information with the below parties that help us manage our business and deliver our services:

  • Any member of our corporate group, which means our subsidiaries, our ultimate holding company and its subsidiaries, and our affiliates.
  • Third parties we use to help deliver our services or facilitate shipping products or devices to you.
  • Reimbursement for participation.
  • Other third parties we use to help us run our business, e.g., marketing agencies or website hosts.
  • Third parties approved by you, e.g., social media sites you choose to link your account to.

We may also disclose personal data to the Food and Drug Administration, the European Medicines Agency, institutional review boards, ethics boards, or other regulators when required to do so in connection with clinical trials or research studies in which you choose to participate.

We may share your personal data in the event that our company or some of our assets are sold or transferred as part of a merger, acquisition or other corporate transaction, or used as security or to the extent we engage in business negotiations with our business partners, the personal data collected on our websites or mobile applications, including this site, may be transferred or shared with third parties as part of that transaction or negotiation.

If we receive a request from law enforcement officials or judicial authorities to provide personal data about individuals, we may provide such information. In matters involving claims of personal or public safety or in litigation where the data is pertinent, we may use or disclose information about you without a court order.

Please note, in the case of personal data collected during your participation in a clinical trial or research study supported by our website or mobile application, our ability to disclose your personal information is governed by our agreement with the Sponsor and we may disclose information to additional parties as the Sponsor may direct. For example, we may share information with clinical trial or research sites, clinical research organizations working with the Sponsor, or shipping or other partners working with the sponsor.

We only allow those organisations to handle your personal information if we are satisfied that they take appropriate measures to protect your information. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with:

  • Our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations.
  • Our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations.
  • Law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations.
  • Other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering, or in the event of our insolvency—usually, information will be anonymised, but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

14.     Transferring your information overseas

We do business globally and may centralise certain aspects of our information processing activities and data storage in different countries. We may therefore have to share and transfer your personal information from one country to another, or even across multiple jurisdictions. Your personal information may therefore be subject to privacy laws that are different from those in the country where the personal information is collected or those in your country of residence. We may transfer your personal data outside of the United States, to, or within another country to accomplish the purposes of processing.

We will ensure your personal information has an appropriate level of protection and will undertake appropriate due diligence and risk assessments prior to transferring the information. We will ensure the transfer of your personal information is in line with applicable Data Protection Law. Often, this protection is set out under a contract with the organisation that receives your personal information. You can find more details of the protection given to your information when it is transferred overseas by contacting us.

Where a privacy regulatory authority requires a corresponding privacy regulatory approval before we transfer your Personal Data outside your jurisdiction, we will obtain the approval before transferring your personal data.

15.     Third-party services, websites, and plugins

Please note that this Privacy Notice does not apply to sharing of personal data by third-party providers who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy notice before submitting your personal information.

You should be aware that information about your use of our website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider, and any third party that has access to your Internet traffic.

Our websites may contain links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties.

We are not responsible for the content or practices of those websites, plugins, or services. The collection, use, and disclosure of your personal information will be subject to the privacy notices of these third parties and not this Privacy Notice. We urge you to read the privacy and cookie notice of the relevant third parties.

16.     Use of Artificial Intelligence Tools.

ObvioHealth may use AI-assisted tools and services (such as AI writing assistants or productivity tools) in the course of our internal business operations. These tools are provided by third-party vendors and are subject to data processor agreements that restrict their use of any personal data to the provision of services on our behalf. We do not permit the input of special category personal data, clinical trial participant data, or other sensitive personal information into AI tools unless appropriate contractual and technical safeguards are in place. Where AI tools are used in a way that involves the processing of personal data, we ensure such use is governed by our internal policies and applicable data protection law.

17.     Opting out of Marketing

If you provide us with your contact details (e.g., email address), we may contact you to let you know about the products, services, promotions, and events offered that we think you may be interested in.

You can unsubscribe from our marketing and promotional communications by clicking on the unsubscribe link in the emails you receive from us or by contacting us at my-privacy@obviohealth.com.

You will be removed from the marketing list. However, we may still communicate with you to send you service-related messages necessary for responding to your requests or for other non-marketing purposes.

18.     Cookies and other tracking technologies

Each time you visit our website, we may collect personal information—depending on your consent and jurisdiction. This includes technical details about your device, browsing actions, patterns, and usage data. We use cookies, server logs, and similar technologies such as pixels and tags to remember your preferences, analyze website usage, and tailor our marketing efforts.

Please see more information in our Cookie Notice.

19.     Your rights involving your personal data

ObvioHealth uses your personal data in compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR), US data protection legislation, and HIPAA. These privacy laws, along with those in other regions such as Canada, grant you greater control over and access to your personal data.

These rights may include the right:

  • To request and obtain a copy of your personal information
  • To request rectification and/or erasure
  • To restrict processing of your personal information
  • To data portability (if applicable)

ObvioHealth does not use automated decision making that has legal consequences or otherwise materially and negatively impacts a data subject.

The application of these and any other privacy rights you may have depends on applicable data protection law. If you would like more information about your specific rights under data protection law in your jurisdiction and how to exercise those rights, please contact us at my-privacy@obviohealth.com.

We may request specific information from you to verify your identity, confirm your rights, and respond to your request, including providing you with any personal data that we hold about you, if applicable.

Applicable law may allow or require us to deny your request, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices.

We will consider and act upon any requests in accordance with applicable data protection laws and applicable contracts with relevant data controllers.

20.     Withdrawing Consent

If we rely on your consent to process your personal information, you have the right to withdraw consent at any time. You may withdraw your consent by contacting us at my-privacy@obviohealth.com.

Please note that this will not affect the lawfulness of the processing before the withdrawal, nor, when applicable law allows, will it affect the processing of your personal information on the basis of any lawful ground other than consent.

21.     Changes to Our Privacy Notice

We may update our privacy notice from time to time. If we make material changes, the 'last updated' date will be revised to help you identify updates since your last review. We recommend checking this privacy notice regularly for any changes, as updates become effective upon being posted on this page.

Further information for EEA and UK residents

We are subject to the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the UK and European Economic Area (EEA).

Details about our processing of your personal information

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Lawful Basis

Purpose

Contract

We use your personal information on the basis that it is necessary for us to evaluate applications and candidates for a vacant role prior to entering into an employment or services contract for that role with the most suitable candidate.

Recruitment of candidates (contractors, employees and providers)

We will use the personal information we collect about you to assess your skills, qualifications, and suitability for the role for which you applied.

We may use the following personal data:

  • Identity data
  • Contact data
  • Location data
  • Candidate Data

Legitimate interest

When we rely on this, we will carry out a Legitimate Interests Assessment to ensure we consider and balance any potential impact on you (both positive and negative) and your rights under Data Protection Law.

Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.

Managing our business

We process Personal Data for our own legitimate business interest. This relates to us managing our business to enable us to maintain and monitor the performance of our website and services and to constantly look to improve the website and the services it offers to our users, including when we respond to your queries, communications, and complaints.

We may use the following personal data:

  • Identity data
  • Contact data
  • Technical data
  • Marketing and communications data

Provide and maintain our Websites.

To provide and maintain our Website, including to monitor usage, troubleshooting, data analysis, network security, and system testing necessary for our legitimate interests in maintaining the useability, security, and integrity of our website.

We may use the following personal data:

  • Identity data
  • Location data
  • Transaction data
  • Technical data

Research Activity Purposes

Personal data will be processed for scientific research purposes related to Clinical Trials including:

  • Determining eligibility for a Clinical Trial.
  • Conducting the Clinical Trial.
  • Conducting related scientific and medical research.

The legal basis is the Sponsor’s legitimate interests (GDPR Article 6(1)(f)) to undertake a clinical trial, make sure that relevant information about the study is recorded for your care, and to oversee the quality of the study.

We may use all categories of personal data including health and other sensitive personal data.

Communications about Clinical Trials

The legal basis is the Sponsor’s legitimate interests (GDPR Article 6(1)(f)) in being able to communicate with the trial participants for e.g., visit reminders or follow-up purposes and after the study has ended to inform data subjects of the trial outcome.

We may use the following personal data:

  • Identity data
  • Contact data

Monitoring and Auditing Purposes.

The legal basis is the legitimate interests (GDPR Article 6(1)(f)) in ensuring that the Trial data is correct and that the study was conducted properly.

We may use all categories of personal data including health and other sensitive personal data.

Administration of a Clinical Trial

Identification details, Contact details, Location Details and Communication

The legal basis includes operational purposes such as enhancing efficiency, conducting training, ensuring quality control, and administering the trial, including file management and travel reimbursement.

We may use the following personal data:

  • Identity data
  • Contact data
  • Location details
  • Communications data

Recommendations and marketing

To make recommendations to you about services that may interest you. We may use the following personal data:

  • Identity data
  • Contact data
  • Technical Data
  • Marketing and communications data
  • Usage data

To measure and analyse the effectiveness of the advertising we serve you. We may use the following personal data:

  • Identity data
  • Contact data
  • Location data
  • Technical Data
  • Marketing and communications data
  • Usage data

To make suggestions and recommendations to you about services that may be of interest to you and necessary for our legitimate interests (to develop our products/services and grow our business). We may use the following personal data:

  • Identity data
  • Contact data
  • Location data
  • Technical Data
  • Marketing and communications data
  • Usage data

To comply with applicable laws and regulations and regulatory obligations

To comply with our legal and regulatory obligations; for our legitimate interests, i.e., to protect our business, interests and rights in the Clinical trial.

Rights and claims

To enforce or apply our website terms of use, our notice terms and conditions, or other contracts. To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with. We may use the following personal data:

  • Identity data
  • Contact data
  • Transaction data
  • Technical data
  • Profile data
  • Usage Data

Data subject rights

Verifying your identity when you exercise your data subject rights. Fulfilling data subject rights requests. We may use the following personal data:

  • Identity data
  • Contact data
  • Location data
  • Technical data
  • Usage Data
  • Candidate Data

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise).

Legal obligations

We may use your Personal Data to comply with laws (for example, if we are required to co-operate with a police investigation after a court order orders us to).

Legal requirement - All categories of personal data

The processing is necessary for compliance with legal obligations, such as but not limited to security requirements.

To comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law.

For Clinical Trials, the processing is necessary to meet legal requirements in regard to the Reliability and Safety of clinical trials to ensure that clinical trial personal data is reliable and that safety requirements have been met for your participation in the study.

Criminal activity

To detect and prevent fraudulent or criminal activity, we may share information with law enforcement authorities, such as the police.

Consent

We may have to get your consent to use your Personal Data, such as collecting sensitive data about you or when we want to send you marketing.

Wherever consent is the only reason for using your Personal Data, you have the right to change your mind and/or withdraw your consent at any time by clicking the Unsubscribe button at the bottom of an applicable email or by contacting us.

Marketing

To measure and analyse the effectiveness of the advertising we serve you.

We may collect IP addresses and store Cookies on visitors’ devices.

We may use the following personal data, depending on what you consent to:

  • Identity data
  • Contact data
  • Location data
  • Technical Data
  • Marketing and communications data
  • Usage data
  • Candidate Data

Data analytics

We use data analytics to improve our website, products/services, marketing, customer relationships, and experiences. We may use the following personal data:

  • Identity data
  • Transaction data
  • Technical Data
  • Profile data
  • Usage data

The lawful basis of processing for sensitive personal data is set out below:

Purpose

Lawful Basis

Reliability and Safety Purposes:

Your personal data will be processed in order to ensure that study data is reliable and that safety requirements have been met for your participation in the study.

For sensitive personal data, the legal basis is ‘public task’ as processing is necessary for the performance of a task carried out in the public interest (GDPR Article 9(2)(i)). We may use the following data:

  • medical conditions
  • medication usage
  • medical history
  • pregnancy status
  • information regarding gender
  • race or ethnicity
  • additional health information
  • demographic information
  • photographs
  • audio or
  • other personal information required for that particular clinical trial.

Research Activity Purposes: Your personal data will be processed for scientific research purposes related to the clinical study including:

  • determining your eligibility for a Trial;
  • conducting the Trial;
  • conducting related scientific and medical research.

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • medical conditions
  • medication usage
  • medical history
  • pregnancy status
  • information regarding gender
  • race or ethnicity
  • additional health information
  • demographic information
  • photographs
  • audio or
  • other personal information required for that particular clinical trial.

Monitoring and Auditing Purposes:

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • medical conditions
  • medication usage
  • medical history
  • pregnancy status
  • information regarding gender
  • race or ethnicity
  • additional health information
  • demographic information
  • photographs
  • audio or
  • other personal information required for that particular clinical trial.

To comply with applicable laws and regulations and with our legal and regulatory obligations, enforce legal rights, or defend or undertake legal proceedings, depending on the circumstances.

For sensitive personal data, the legal basis is that processing is necessary for scientific research purposes (GDPR Article 9(2)(j) and Article 89(1)). We may use the following data:

  • medical conditions
  • medication usage
  • medical history
  • pregnancy status
  • information regarding gender
  • race or ethnicity
  • additional health information
  • demographic information
  • photographs
  • audio or
  • other personal information required for that particular clinical trial.

Complaints

You have the right to complain to the Data Protection Authority about our collection and use of your Personal Data.

For more information, please contact your local data protection authority in the European Economic Area (EEA) which can be found here.

For the UK, contact the ICO here.

Exercising your rights

Your rights are associated with our legal basis for processing your data. If you would like to exercise any of these rights or have a query about how we process your personal data, please contact our Data Protection Officer at my-privacy@obviohealth.com.

Further information for Swiss Residents

All processing of Swiss personal data by ObvioHealth is made in compliance with the Swiss data processing principles and the Federal Act on Data Protection of 25 September 2020 (FADP) and its ordinances, i.e., the Ordinance on Data Protection (ODP) and the Ordinance on Data Protection Certification.

ObvioHealth shall not disclose Sensitive personal data to third parties (in their capacity as controllers) without sufficient justification such as: (i) the data subject’s consent; (ii) any overriding private or public interest; or (iii) a provision of Swiss law requiring or permitting such disclosure.

Swiss privacy law defines sensitive data as:

  • Data relating to religious, philosophical, political, or trade union-related views or activities;
  • data relating to health, the intimate sphere, or the affiliation to a race or ethnicity;
  • genetic data;
  • biometric data that uniquely identifies a natural person;
  • data relating to administrative and criminal proceedings or sanctions;
  • data relating to social assistance measures.

Further information for Australian Residents

ObvioHealth is bound by the Australian Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).

Personal data choices

You have the choice not to submit personal data to us (other than as may be required by law) although this may reduce your ability to fully participate in all aspects of the ObvioHealth Community, our web sites and mobile applications, or clinical trials or research studies supported by ObvioHealth. It is not possible to register for participation in the ObvioHealth community or particular clinical trial or research study on an anonymous basis (although your identity may not be shared with the Sponsor). We will inform you if it is possible in other cases for an interaction to occur on an anonymous basis (for example through required/optional data field designations) and, where it is, it will be optional for you to provide personal information.

What is personal information?

Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.

Where do you store my personal data?

We store most information about you in computer systems and databases.

We implement and maintain processes and security measures to protect personal information which we hold from misuse, interference or loss, and from unauthorised access, modification, or disclosure.

These processes and systems include:

  • the use of identity and access management technologies to control access to systems on which information is processed and stored;
  • requiring all employees to comply with internal information security policies and keep information secure;
  • requiring all employees to complete training about information security; and
  • monitoring and regularly reviewing our practice against our own policies and against industry best practice.

Your rights and subject access requests

You may access or request information regarding the personal information that we hold about you by contacting us at my-privacy@obviohealth.com. Under the Australian Privacy Act 1988 and the APPs, your rights reflect the following:

These rights and freedoms also apply in conjunction with your rights when submitting a data subject access request. We will process these requests and will resolve most requests within one calendar month. Where it is not possible to do so, we may request an extension of this timeframe for up to two months. If you wish to submit a subject access request or exercise your privacy rights, please submit your request to my-privacy@obviohealth.com.

There is no charge for requesting access to your personal information, but in rare instances where there are multiple requests or a request is overly complex, we may require you to pay nominal administrative costs (e.g., copying when applicable) or even deny a request if it is found to be “manifestly unfounded or excessive”.

Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us at my-privacy@obviohealth.com.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may contact your local data protection supervisory authority or regulator. This may also include the UK ICO (Make a complaint | ICO), the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) or other competent authority within your residential jurisdiction.

Version 2  |  May 2026