GLOBAL INFORMATION PRIVACY POLICY

The purpose of this Personal Data Processing Policy (hereinafter the “Policy”) is to set forth and inform the Personal Data processing made by Khiron of people who have provided said information such as patients, suppliers, customers, health care professionals and employees of Khiron, as well as to disseminate and protect the rights of the holders of such Personal Data. This policy sets out the minimum requirements to ensure an adequate level of protection within Khiron for the collection, use, disclosure, transfer, storage, and other Personal Data processes.

1. KHIRON AND OF THIS POLICY:

Khiron Life Sciences Corp, a company based in Toronto, Ontario, Canada, acts globally through its local subsidiaries in various jurisdictions around the world. Whenever used in this document, the term “Khiron” refers to the conglomerate of companies, without such term entailing a group of companies as defined in the legislation of different countries. This is a global policy, but in the last section hereof you will find the particularities applicable to your jurisdiction and in compliance therewith. In case there is any conflict between this Policy and the particular provisions of a country, the latter shall prevail.

For the purposes of this Policy, the following definitions shall apply:

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data.
  • Databases: Organized set of personal data subject of processing.
  • Personal Data: Any personal information linked to or that can be associated with, one or more determined or determinable natural persons.
  • Sensitive Personal Data: Personal data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of social or human rights organizations or promoting the interests of any political party, as well as data concerning the health or medical condition of the person or caregiver, sex life and biometric data.
  • Data processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the processing of personal data on behalf of the data controller.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  • Data subject: Natural person whose data is subject to processing.
  • Data controller: Natural or legal person, public or private, that by themselves or in association with others decides on the data base and/or Processing of the Data, being in this case Khiron.

Khiron’s ethics code emphasizes the company’s commitment to privacy and personal data protection. This Policy shall be applied to all databases and/or files containing Personal Data subject to processing by Khiron and shall apply to all communication and interaction channels that Khiron may use and wherein Personal Data is collected, i.e., sensitive data, personal data, trade and/or administrative data, among others.

2. LEGAL BASES AND GUIDING PRINCIPLES

Data Subject’s Personal Data is processed only when the Data Subject has granted consent, and only to fulfill the specific purposes and legitimate interests for which the data has been required.

During the Processing of Personal Data and Sensitive Personal Data, Khiron shall comply with the following guiding principles of data protection: (i) legality; (ii) purpose; (iii) freedom; (iv) truthfulness; (v) transparency; (vi) access and restricted circulation; (vii) security; and (viii) confidentiality. 

Personal Data shall only be processed for a period of time that is both reasonable and necessary, in accordance with the intended purposes, in compliance with the provisions applicable to the matter in question (e.g. administrative, accounting, tax, legal and historical aspects of the information). Once the purpose or purposes of the processing have been fulfilled, Khiron shall proceed to delete the Personal Data in its possession, subject to the possibility of keeping those required for the fulfillment of a legal or contractual obligation or the enforcement of legal rights.

Personal data shall be processed under high standards of security and confidentiality, using the data exclusively for the purpose described in the corresponding privacy notice and complying with the requirements of applicable regulations.

Khiron shall provide the reasonable physical, technical, human, and administrative measures to protect the records, avoiding their adulteration, loss, consultation, unauthorized or illegal use, disclosure or access. Khiron’s obligation and responsibility is limited to the provision of appropriate means for that purpose. Khiron does not guarantee the total security of the Data Subject’s information nor shall it be liable for any consequences arising from technical failures or improper entry by third parties into the database or file where the Personal Data being processed by Khiron and its data controllers are stored. Khiron shall require all third parties, including its contractors with whom it exchanges information, to adopt and comply with the appropriate physical, technical, human, and administrative measures for the protection of the Personal Data in relation to which such third parties act as data controllers. 

3. PASSIVE COLLECTION OF INFORMATION

By accessing or using services on Khiron websites, Khiron may passively collect information (collected without you directly providing the information) on the Data Subject’s computer hardware and software, the Data Subject’s IP address, browser type, operating system, domain name, access times and referring website addresses through the use of information technology such as cookies. No Personal Data of users is directly collected with those tools. Information will also be collected from the pages most frequently visited by the user on those websites to learn about their browsing habits. However, the user of Khiron websites may configure the operation of the cookies, according to their internet browser options.

Khiron and our third-party service providers passively collect and use information in different ways, as listed below:

Via the Data Subject’s browser: Some information is collected by most browsers, such as the Data Subject’s Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system version, and Internet browser type and version. Khiron may collect similar information, such as the Data Subject’s device type and identifier or whether you access the site via a mobile device.

Use of cookies: Cookies represent a compilation of information stored directly on the computer you use. Cookies allow us to collect information such as browser type, time spent on the site, pages viewed, and language preferences. Khiron and our service providers use the information for security purposes, to make navigation easier, to display information more efficiently and to customize your experience when navigating the site. Khiron also uses cookies to recognize your computer or device, thus making it easier for you to use the site, like remembering what is in the shopping cart. Moreover, Khiron uses cookies to obtain statistical information about site usage to continually improve the design and functionality of the site, to understand how people use the site, and to help us answer questions about the site. Cookies are useful even to select which of our advertisements or offers are most likely to appeal to you and to display them while you are on the site. We may also use cookies in online advertising to track consumer responses to our ads. 

You can refuse to accept these cookies by following your browser's instructions; however, such refusal may make you experience some troubles when using the site. You may also not receive advertising or other offers from us that are relevant to your interests and needs. For further information about cookies, please visit www.allaboutcookies.org.

Use of pixel tag, web beacon, Clear GIFs or other similar technologies: These may be used in connection with certain pages of the site and HTML-formatted emails to, among other things, track the actions of site users and email recipients, measure the success of our marketing campaigns and compile statistics on site usage and response rates.

Online Behavioral Advertising: The use of cookies, web beacon, pixel tags, clear GIFs or other similar technologies allows our third-party providers to display ads about our products and services when you enter the site or other websites or web properties over the Internet. These providers may place web beacon, clear GIFs or similar technologies on the site and other websites or web properties and may also place or recognize third party cookies when you enter the site or other websites or web properties. They may use information of your visits to the site and other websites or web properties to display advertisement about goods and services that may be of your interest.

IP Address: The IP address is a number that the Data Subject’s Internet Service Provider (ISP) automatically assigns to the computer you are using. An IP address is identified and automatically recorded in our server log files when a user enters the site, along with the time and the page(s) visited. The collection of IP addresses is a common practice on the Internet and is performed automatically by many websites. Khiron uses IP addresses for purposes such as calculating site usage levels, helping diagnose server problems and administering the site.

Device Information: Information about the Data Subject’s mobile device may be collected, such as a unique device identifier.

4. TREATMENT AND PURPOSE

Khiron, acting as the Personal Data Controller, for the proper development of the activities set forth in its corporate purpose, collects, stores, uses, circulates, deletes, processes, compiles, reproduces, exchanges, updates, arranges, communicates and transmits to third countries, as the case may be, Personal Data of persons with whom it has or has had a relationship.

The general purposes for which Khiron processes the Personal Data include, but are not limited to, the following:

  1. Carry out activities related to Khiron’s corporate purpose in each jurisdiction.
  2. Carry out trade and marketing activities, including research to develop and improve all or some of our products and services.
  3. Send important information about the Data Subject’s relationship with Khiron, as well as products, campaigns, events, about Khiron websites or digital initiatives, modifications of Khiron’s terms, conditions and policies and any other administrative information.
  4. Follow up activities, management of actions, identification of opportunities, quality of services, for administrative, organizational, academic, scientific, and research purposes, reporting obligations established by law or by Codes of Ethics.
  5. Comply with legal obligations, judicial, contractual or any other type of proceedings.
  6. For business purposes, such as data analysis, market research, audits, development of new products, improvement of the website, improvement of Khiron products and services, identification of site usage trends, customizing clients experience on Khiron websites by presenting products and services and determining our promotional campaigns’ effectiveness.
  7. Respond to your queries and attending to your requests, as well as sending documentation you request or alerts by e-mail.
  8. Follow up and process product and/or service quality complaints and adverse events reports.
  9. Manage and administer Khiron’s Human Resources, payroll, benefits and other compensations programs.
  10. Share, transfer and transmit your Personal Data within the conglomerate of companies referred to by the term Khiron and with internal third parties.
  11. Share your Personal Data with our external service providers who provide services such as website hosting and moderation, mobile application hosting, data analysis, payment processing, order fulfilment, infrastructure provision, IT services, customer service, email and direct mail delivery services, credit card processing, customer and supplier analysis, audit services and other services, in order to enable them to provide the services.
  12. Share your Personal Data with a third party in case of reorganization, merger, sale, spin-off, joint venture, assignment, transfer or other disposition of all or part of our business, assets or shares (including acts related to any bankruptcy or similar proceedings), as well as any change in Khiron’s corporate or administrative structure.
  13. Respond to requests from public and government authorities, including public and government authorities in your country of residence and abroad.
  14. Enforcement of Khiron’s rights.
  15. Protect our operations.
  16. Protect our business, rights, privacy, security, or assets, among others. 
  17. In overall, to manage our relationship with you as a Personal Data Subject.
  18. For any other legitimate authorized purpose.

5. DATA TRANSFERS

Khiron may transfer your Personal Data to internal and external third parties in carrying out its corporate purpose and to fulfill the purpose you have authorized. 

In such cases, Khiron signs a transfer of Personal Data contract with the determined third party, whereby the third parties are required to keep the information confidential, secure and to use it only to carry out/provide the activities and/or services set out in the data transfer contract or in the document containing the contractual relationship to be executed.

INTERNATIONAL DATA TRANSFER

Your personal information may be processed locally in the country where you work or reside or in any other country where Khiron is present, as permitted by law. For such purpose, Khiron must have your express authorization.

In case your personal information is to be transferred outside the European Economic Area or another country banning transfers of personal information, Khiron applies the European Commission's standard contractual terms or any other transfer mechanism in accordance with local rules, such as consent, to ensure that your personal information is kept at an appropriate or similar level of protection to that employed in your home country. 

Notwithstanding the foregoing, please note that if the applicable local jurisdiction so permits, Khiron may transfer your Personal Data to another country without your consent in the following instances:

  1. When an exchange of medical data takes place, when required for the Data Subject’s treatment or for reasons of public health or hygiene;
  2. Cases of bank or stock exchange transfers, according to the legislation applicable thereto;
  3. Transfers that are made pursuant to international treaties signed by Colombia, based on the principle of reciprocity;
  4. When it is required to make legally mandatory transfers to protect the public interest, or to recognize, exercise or defend a right in legal proceedings; and
  5. When it is necessary in the performance of a contract entered by and between the Data Subject and Khiron, including a contract of employment, or for the execution of pre-contractual measures, as long as it is authorized by the Data Subject. 

6. DATA SUBJECTS’ RIGHTS

Below you may find a description of your rights as the owner of the Personal Data processed by Khiron:

  1. Consult, update, include, correct, rectify, and/or delete Personal Data subject to Processing by Khiron, as well as revoke, limit, or contest the authorization of Processing, at any time and at no cost;
  2. Request proof of authorization given to Khiron for the Processing of Personal Data;
  3. Be informed by Khiron, upon request, about the use Khiron has made of your Personal Data;
  4. File before the corresponding authorities in each country actions for violations of the provisions of the respective law on protection of personal data and other provisions that amend or supplement it;
  5. Revoke the authorization and/or request the deletion of the Personal Data and/or Sensitive Personal Data; and
  6. Access free of charge to your Personal Data and/or Sensitive Personal Data that have been processed.

PROCEDURE TO EXERCISE RIGHTS

You can consult, update, correct, rectify, and/or delete your Personal Data subject to Processing by Khiron, as well as revoke, limit or contest the authorization of Processing, at any time and free of charge.

For such purpose, you must send a detailed communication of your request to Khiron’s Personal Data Protection Officer at the physical addresses set out in the “Specific Privacy Provisions by Country” section hereof, or in the emails set out therein. All physical communications sent to Khiron shall include an email or physical address so that the company can respond to the request.

Remember that these rights can only be exercised by: (i) the Data Subject, who must sufficiently prove their identity; (ii) the Data Subject’s assignees (e.g. heirs, successors), who must prove such capacity; (iii) the Data Subject’s legal representative and/or attorney-in-fact, prior accreditation of the representation or attorney-in-fact; and (iv) a third party when it is the result of a provision in favor of someone else or for someone else, subject to prior accreditation thereof.

Khiron may only deny access to Personal Data, or revoke authorization, or request data deletion when (i) the applicant is not the Data Subject, their assignees (e.g., heirs, successor) or the legal representative is not duly accredited to do so; (ii) the applicant is not a public or administrative entity in the exercise of its legal functions, or there is no court order; and (iii) the Data Subject has a contractual duty to remain in the database or, if applicable, a legal duty.

For requests: they will be responded within a maximum of ten (10) working days from the date of receipt thereof. If the law expressly sets forth a shorter time in the Data Subject’s jurisdiction, such time shall be met. When the consultation or request may not be responded within said term, you will be informed of the reasons for such delay and the date in which Data Subject’s consultation or request will be responded, such date in no case may exceed five (5) working days following the expiration of the first term.

For more than one request per calendar month, Khiron shall only charge the Data Subject for the costs of shipping, reproduction and, where appropriate, certification of documents. The reproduction costs may not exceed the cost of recovering the corresponding material.

For complaints or claims: if they lack information, you will be required within five (5) working days of receipt thereof to provide the missing information. If upon two (2) months elapsing from the date of the request the applicant has failed to submit the required information, the claim shall be deemed to have been withdrawn. If the complaint or claim information is complete, a legend will be included in the database stating “claim in process” and the reason for it, in no more than two (2) working days. Such legend shall be maintained until the claim is resolved.

The maximum term for resolving complete claims shall be fifteen (15) working days from the day following the date of receipt thereof. If the law expressly sets forth a shorter time in the Data Subject’s jurisdiction, such time shall be met by Khiron. For claims not resolved within that time, the interested party shall be informed of the reasons for the delay and the date by which the claim shall be resolved, which in no case may exceed eight (8) working days following the expiration of the first term.

7. SENSITIVE PERSONAL DATA AND MINORS’ DATA

In executing its corporate purpose, Khiron collects Sensitive Personal Data and minors’ data. In some cases, this type of Personal Data is processed within the KHIERO Patient Program (or its counterpart in a given jurisdiction) framework, which is a program for permanent patient follow-up during their treatment, which complies with the legal requirements of each jurisdiction. In such context or in any other applicable context according to Khiron’s lines of business, Khiron or third parties authorized thereby undertake to give the Sensitive Personal Data and minors’ data the corresponding processing in accordance with the regulations applicable in the Data Subject’s jurisdiction. 

The creation of data bases of Sensitive Personal Data shall have a legitimate justification, a specific purpose, and shall develop Khiron’s activities. To create that type of database, your express consent shall be required. However, you must always bear in mind that you are not obliged to authorize the personal data’s processing, since providing such consent is optional and Khiron ensures respect for the fundamental rights of children and adolescents and cares for and respects their best interests. Khiron shall also validate the minor's right to be heard when appropriate. 

Processing of sensitive Personal Data for historical, statistical, or scientific purposes is permitted. In such cases, Khiron shall delete the Data Subject’s identity.

8. PRIVACY POLICY AMENDMENTS

Khiron reserves the right to amend this Policy. By publishing amendments on our website, you will be deemed to have been notified of changes thereto. Furthermore, any change in the particular privacy conditions of a country shall be published in the section “Special Privacy Provisions by Country”.

9. SPECIAL PRIVACY PROVISIONS BY COUNTRY

COLOMBIA

1. Khiron in Colombia.

The Data Controllers in Colombia are the following companies, whether referred to individually or jointly: Khiron Colombia S.A.S, Nueva Alternativa de Salud IPS S.A.S and ILANS S.A.S

2. Contact for exercising your rights.

To contact Khiron Colombia S.A.S or Nueva Alternativa de Salud IPS S.A.S, as well as to exercise your rights as a Data Subject and file a consultation, claim, request or complaint, a communication must be sent to habeasdata@khiron.ca or in physical to the address Carrera 11 No. 84-09. 3rd Floor, Bogotá, Colombia.

To contact ILANS S.A.S. as well as to exercise your rights and file a consultation, claim, request or complaint, a communication must be sent to the habeasdata@ilans.co or in physical to the address Carrera 19ª No. 82-14 Bogotá, Colombia.

3. Legal Basis and Authority

Personal Data Protection Law (Law 1581/2012) and other provisions that amend or supplement it.

The SUPERINTENDENCY OF INDUSTRY AND COMMERCE, through its Delegation for the Protection of Personal Data, acting as national authority for the protection of Personal Data, has the power to receive complaints filed by those whose rights have been violated as a result of noncompliance with the regulations in force regarding Personal Data protection.

4. Personal Data and Personal Information

Personal information, as defined in the Law on Personal Data Protection (Law 1581/2012), means: Any information that is linked or can be associated with one or more determined or determinable natural persons.

PERU

1. Khiron in Peru

 The Data Controller in Peru is Khiron Peru S.A.

2. Contact for exercising your rights.

In order to contact Khiron Peru S.A., as well as to exercise your rights as a Data Subject and file a consultation, claim, request or complaint, a communication must be sent to habeasdata@khiron.ca or in physical to the address Santo Toribio Avenue No. 173, Int. 1635, Urbanización El Rosario - San Isidro, Lima, Peru.

3. Legal Basis and Authority

Personal Data Protection Law (Law 29733) and other provisions that amend or supplement it.

The Ministry of Justice - National Justice Directorate is the national authority for the protection of Personal Data, which will receive claims filed by those whose rights have been violated for noncompliance with the regulations in force regarding Personal Data protection.

4. Personal Data and Personal Information

Personal information, as defined in the Personal Data Protection Law (Law 29733), means: any information about a natural person identifying them or making them identifiable by any means that can reasonably be used.

CANADA

1. Khiron in Canada

The Data Controller in Canada is Khiron Life Sciences Corp., a British Columbia (BC) corporation.

2. Contact for exercising your rights.

To contact Khiron Life Sciences Corp., as well as to exercise your rights and file a consultation, claim, request or complaint, a communication must be sent to habeasdata@khiron.ca or to ATT: Khiron Privacy Officer c/o Gowling WLG, 100 King Street West, Toronto, Ontario M5X 1G5.

3. Legal Basis and Authority

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private- sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

British Columbia's Personal Information Protection Act (PIPA) applies to any private sector organization (such as a business or corporation) that collects, uses, and discloses the personal information of individuals in BC. PIPA also applies to any organization located within BC that collects, uses, or discloses personal information of any individual inside or outside of BC. 

4. Personal Data and Personal Information

"personal information" means information about an identifiable individual and includes employee personal information but does not include (a) contact information, or (b) work product information;

"employee personal information" means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment;

"contact information" means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual; 

"work product information" means information prepared or collected by an individual or group of individuals as a part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information.

5. Other

  • Consent required: an organization must not collect, use or disclose personal information about an individual unless the individual gives consent to the collection, use or disclosure; PIPA authorizes the collection, use or disclosure without the consent of the individual; or PIPA deems the collection, use or disclosure to be consented to by the individual.
  • Implicit consent: an individual is deemed to consent to the collection, use or disclosure of personal information by an organization for a purpose if at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and if the individual voluntarily provides the personal information to the organization for that purpose. An organization may collect, use or disclose personal information about an individual for specified purposes if the organization provides the individual with a notice that it intends to collect, use or disclose the individual's personal information for those purposes, gives the individual an opportunity to decline and the individual does not decline, and the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances. 
  • Collection of employee personal information: an organization may collect employee personal information without the consent of the individual. However, an organization may not collect employee personal information without the consent of the individual unless the collection is reasonable for the purposes of establishing, managing, or terminating an employment relationship between the organization and the individual. An organization must notify an individual that it will be collecting employee personal information about the individual and the purposes for the collection before the organization collects the employee personal information without the consent of the individual.
  • Obligation to Notify Individuals of Security Breaches: an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

MEXICO 

1. Khiron in Mexico

The Data Controller in Mexico is Kuida Life Mexico S.A de C.V

2. Contact to Exercise your Rights.

To contact Kuida Life Mexico SA de CV, as well as to exercise your rights as Owner and file a query, claim, request or complaint, you must send a communication to the email habeasdata@khiron.ca or physically to the address Vía Gustavo Baz # 2160, Building 3, Floor 1, Col. La Loma. Tlalnepantla De Baz. Cp 54060, México D.F., United Mexican States.

3. Legal Basis and Authority.

Federal Law on Protection of Personal Data Held by Private Parties and others that modify or add to it. The Federal Institute for Access to Information and Data Protection is the authority in charge of monitoring and verifying compliance with the law. Said institute will attend to claims and procedures for the protection of rights by those affected in their rights due to breach of current regulations on the protection of Personal Data. 

4. Personal Data and Personal Information

Personal Information as defined in the Federal Law on Protection of Personal Data Held by Private Parties, refers to any information concerning an identified or identifiable natural person. The consent to process your personal data may be tacit or express.