nChroma Bio Website Privacy Notice
Introduction
nChroma Bio, Inc. of 201 Brookline Avenue, Boston, MA 02215 (referred to as “nChroma Bio”, “We”, “Our” or “Us”, inclusive of any affiliates or subsidiaries) is committed to protecting the privacy and security of your personal information.
This Privacy Notice applies to individuals who interact with nChroma Bio through our website or otherwise engage with us as:
- A user of this website (https://www.nchromabio.com/);
- An employee, contractor, or consultant associated with and/or contracted by nChroma Bio;
- An employee, contractor, or consultant associated with and/or contracted by nChroma Bio’s Service Providers;
- A healthcare professional conducting an nChroma Bio clinical trial and/or engaged with nChroma Bio’s research activities;
- An nChroma Bio clinical trial participant; and/or,
- Any other individual with whom nChroma Bio may conduct business.
This Notice explains what Personal Data we collect, how we use it, the lawful basis on which we rely, how long we retain it, and the rights available to you under applicable Data Protection Legislation. Please note that although this Notice does refer to how we process your Personal Data in the context of you as a user of this Website, this Notice also applies to our processing of your Personal Data outside of the context of this Website, such as may be the case in the conduct of our clinical trials, research activities, or broader business dealings.
If this Notice conflicts with local law, the provisions of local law will prevail.
Definitions
Cookies means small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Data Controller means the organization that determines the purposes and means of processing Personal Data. For the purposes of EU GDPR and UK GDPR, nChroma Bio acts as Data Controller.
Data Processor means third parties (“Service Providers”) engaged by nChroma Bio to process Personal Data on our behalf (e.g., IT providers, CROs).
Personal Data means any information relating to an identified or identifiable individual, or as otherwise defined by UK GDPR and EU GDPR.
Services refers to any service offered by nChroma Bio, including, for the purposes of this Privacy Notice: the nChroma Bio Website; the opportunity to work with nChroma Bio or nChroma Bio’s Service Providers; and/or, any collaboration or participation relating to an nChroma Bio clinical trial.
Usage Data means any information automatically collected through website interactions, such as IP address, browser type, and browsing activity.
Website refers to the nChroma Bio website, accessible from https://www.nchromabio.com/, and any other website which nChroma Bio may operate from time to time.
Data Protection Legislation
Throughout this Notice we refer to Data Protection Legislation.
European Union (EU) and European Economic Area (EEA)
In the EU and EEA, Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’), the ePrivacy Directive (Directive 2002/58/EC), as well as any local data protection implementation laws, including any replacement legislation coming into effect from time to time.
United Kingdom (UK)
In the UK, Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), the United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’), the Data (Use and Access) Act 2025, and any legislation implemented in connection with the aforementioned legislation, including any replacement legislation coming into effect from time to time.
United States (US)
In the US, Data Protection Legislation refers to any federal, state, sectoral, or case laws and regulations governing the privacy and security of personal data. This includes applicable state privacy legislation, including, but not limited to, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), New York’s Shield Act and Delaware’s Online Privacy and Protection Act (DOPPA), as well as other relevant state and federal regulations. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.
New Zealand (NZ)
In New Zealand, Data Protection Legislation refers to the Privacy Act 2020, as amended. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.
Hong Kong (HK)
In Hong Kong, Data Protection Legislation refers to the Personal Data (Privacy) Ordinance (PDPO) (Cap. 486), as amended. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.
Data Controllership
Where applicable under local Data Protection Legislation, nChroma Bio is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated. We have appointed a Data Protection Officer (DPO) who oversees our compliance and acts as a point of contact for individuals and regulators. See the Contact Us section for details.
The Personal Data we collect about you
We collect Personal Data that we know we will use, and in accordance with the Data Protection Legislation and/or, where relevant, applicable legislation related to clinical trials, including, but not limited to:
- the EU Clinical Trials Regulation (Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (Text with EEA relevance), “EU CTR”) in the EU;
- The Medicines for Human Use (Clinical Trials) Regulations (2004), as amended (“UK CTR”) in the UK;
- The Medicines Act 1981, as amended (“NZ CTR”) in New Zealand;
- Applicable laws governing clinical trials in Hong Kong, including the Pharmacy and Poisons Ordinance (Cap 138), the Radiation Ordinance (Cap 303), and the Telecommunications Ordinance (Cap 106); and,
- Applicable laws governing clinical trials in the US, including the Food and Drug Administration Amendments Act (FDAAA) (2007) and Title 21 of the Code of Federal Regulations (21 CFR).
Where you are a user of this website, a clinical trial participant, or any other individual with whom nChroma Bio may conduct business, and unless otherwise stated, you are under no statutory or contractual requirement or obligation to provide us with your Personal Data. For instance, if you do not wish to participate in a clinical trial as a participant, you are under no obligation to provide the information outlined below to us. However, where you wish to engage with nChroma Bio’s Services, we require at least the information outlined below for us to provide you with our relevant Services in an efficient and effective manner. Please note that, where you are either an employee, contractor, or consultant of nChroma Bio or nChroma Bio’s Service Providers or a healthcare professional, and depending on the terms of any contract you may have signed with nChroma Bio or with your employer (where relevant), you may be statutorily or contractually obliged to provide nChroma Bio with some or all of the information outlined below.
The type of Personal Data that we will collect on you will depend on whether you are a user of this website, an employee, contractor, or consultant of nChroma Bio or nChroma Bio’s Service Providers, a healthcare professional, or a clinical trial participant:
Website User
- Where relevant, your name
- Where relevant, your contact information (email address)
- Where relevant, your Website Contact form responses
- Your Usage Data (e.g., your IP address and other pseudonymized unique identification number(s))
Employees, Contractors, or Consultants of nChroma Bio or nChroma Bio’s Service Providers
- Your name
- Where relevant, your date of birth
- Your contact information (telephone number, email address, or mailing address)
- Your employment details
- Where relevant, your pseudonymized unique identification number(s) (e.g., payroll no.)
- Where relevant, your financial information (e.g., bank information)
- Where relevant, your Right to Work information (e.g., nationality)
- Where relevant, your health data (e.g., sick leave information)
Healthcare professional (HCP)
- Your name
- Your contact information (telephone number, email address, or mailing address)
- Your professional qualifications
- Your employment details
- Where relevant, your financial information (payment details, and, where applicable, financial disclosure information about you, your spouse, and adult children’s financial interests)
- Your research involvement, expertise, and advisory input
Clinical Trial participant
- Your name*
- Your date of birth*
- Your age
- Your gender
- Your contact information (telephone number or email address)*
- Where applicable, the name of your legally authorized representative*
- Where applicable, the name and contact details of your partner and/or children*
- Your pseudonymized unique identification number(s)
- Your health data
- Your ethnicity
* This participant identifiable information is collected by nChroma Bio’s Research Sites, acting on their behalf. This data may be shared with clinicians, health authorities, ethics bodies and other personnel as authorized by nChroma Bio. However, this data will only be processed where nChroma Bio is legally obligated to process this data in accordance with Clinical Trial Regulations and other applicable laws. nChroma Bio will not directly receive participant identifiable information and will not instruct their partners to process or share this information other than where the law requires.
Cookies, analytics and tracking technologies
We use Cookies and similar technologies to monitor activity on our website, store certain information, and improve overall functionality and user experience.
You can configure your browser to refuse all Cookies or to alert you when a Cookie is set. Please note, however, that certain features of our website may not function correctly without Cookies.
We use the following categories of Cookies for the purposes set out below:
Strictly Necessary Cookies
Type: Session Cookies
Administered by: nChroma Bio; CloudFlare
Purpose: These Cookies are essential to provide You with Services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the Services that You have asked for cannot be provided, and We only use these Cookies to provide You with those Services.
The following cookies are used on our Website:
| Cookie Name | Cookie Description | Cookie Type |
| --- | --- | --- |
| __cf_bm | CloudFlare cookie placed to detect, read, and filter requests from suspected bots. | Strictly Necessary |
| cf_clearance | CloudFlare cookie placed to detect and store activity relating to JavaScript. | Strictly Necessary |
How we collect your Personal Data
We collect your personal information when you:
- Participate in one or more of our clinical trials;
- Apply for a job in nChroma Bio and participate in our recruitment process;
- Interact with our team;
- Use our Services, IT assets, websites, systems, networks and communication channels;
- Respond to surveys; and
- Otherwise provide it to us.
We may also receive information about you from other sources, such as recruitment agencies, healthcare providers, background check agencies and publicly available sources, when permitted by law.
How we use your Personal Data
We will only process your Personal Data when the law allows us to do so. We will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.
Where the lawful basis for processing is Consent, you are able to remove your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.
We may use your information for the following purposes:
| Lawful Basis (where EU GDPR and/or UK GDPR apply) | Purpose |
| --- | --- |
| Our Legitimate Interest in conducting clinical research GDPR, Article 6(1)(f) | Clinical Trial Operations (Legitimate Interest) Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legitimate Interest, to collect information from you and process your health information in order to conduct a clinical trial. |
| Our Legitimate Interest in conducting clinical research GDPR, Article 6(1)(f) | Clinical Research (Healthcare Professional Administration) Where you are a Health Care Professional (HCP) involved in the planning, delivery, or oversight of nChroma Bio clinical trials, to collect information from you and process your employment information in order to conduct a clinical trial. |
| Contractual Obligation GDPR, Article 6(1)(b) | Employment Where you are an employee, contractor, or consultant of nChroma Bio, to collect information from you and make available our Services to you for the purposes of fulfilling our contractual obligations with you. |
| Our Legitimate Interest in managing nChroma Bio’s affairs GDPR, Article 6(1)(f) | Service Providers (Legitimate Interest) Where you are an employee, contractor, or consultant of nChroma Bio’s Service Providers, to collect information from you or your employer and make available our Services to your employer. |
| Contractual Obligation GDPR, Article 6(1)(b) | Service Providers (Contractual Obligation) Where you are an employee, contractor, or consultant of nChroma Bio’s Service Providers, to collect information from you and take payment from you, make a payment to you, give you a refund or request a refund. |
| Our Legitimate Interest in managing nChroma Bio’s affairs GDPR, Article 6(1)(f) | Service Providers (Performance) Where you are an employee, contractor, or consultant of nChroma Bio’s Service Providers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required. |
| Our Legitimate Interest in providing Services to you GDPR, Article 6(1)(f) | Service Provision To collect information from you and monitor, provide and maintain our Services. |
| Our Legitimate Interest in providing Services to you GDPR, Article 6(1)(f) | Inquiries To contact you following your inquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us. |
| Our Legitimate Interest in providing a secure platform GDPR, Article 6(1)(f) | Security To collect your Usage Data in order to power our security measures and Services so you can safely access our website and other Services. |
| Our Legitimate Interest in contacting you about our Services GDPR, Article 6(1)(f) | Service Messages To contact you, where you have provided your contact information, about news and information relating to our Services through Service messages. |
| Our Legitimate Interest in marketing our Services to you GDPR, Article 6(1)(f) | Direct Marketing (Legitimate Interest) B2B direct marketing to you, where you have provided your contact information, about Services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under the UK PECR and/or EU ePrivacy legislation. |
| Your Consent GDPR, Article 6(1)(a) | Direct Marketing (Consent) B2B direct marketing to you, where you have provided your contact information, about Services from us where you are a sole trader, partnership or otherwise classified as an individual subscriber and/or the ‘soft opt-in’ does not apply under UK PECR and/or EU ePrivacy legislation. |
| Vital Interest GDPR, Article 6(1)(d) | Vital Interest Monitor your health in order to safeguard and protect you, or to act in your vital interest, or the vital interest of a third party. |
| Legal Obligation GDPR, Article 6(1)(c) | Legal Obligation To comply with our legal obligations, such as retaining any accounting information generated during the course of our interaction for statutory accountancy retention periods. |
| Our Legitimate Interest in managing nChroma Bio’s affairs GDPR, Article 6(1)(f) | Legal Claims To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims. |
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Criminal convictions and offences data
Where you are an employee, contractor, or consultant for nChroma Bio – or you are a candidate for such a role – and depending on the jurisdiction in which you operate and on the specific role in question, we may collect information about your criminal convictions and offences. We do this to satisfy ourselves that there is nothing in your criminal convictions and offences history which makes you unsuitable for the role. Our roles require a high degree of trust and integrity, and it is therefore best practice to undertake such checks and a pre-requisite in some instances.
We will only collect and use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations, or where we have an overriding legitimate interest to do so, and provided we do so in line with our Data Protection Policy. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.
Automated technologies and AI use
As part of our ongoing efforts to improve the efficiency and quality of our research and clinical trial activities, we may use artificial intelligence (AI) tools (“AI tools”) to support data analysis, communication, and system functionality. Some of these third-party software platforms and systems may process your personal data, including, but not necessarily limited to, the Microsoft o365 suite of applications, including Connected Experiences and Microsoft Copilot, an AI tool. Other AI tools, such as ChatGPT, which may be utilized by us, may also include AI features and functionalities that may process your personal data. Throughout your professional relationship with us, your personal data may be processed by these AI tools.
Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests to conduct clinical research. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.
If you have any questions or concerns about this processing, please contact our Data Protection Officer on the contact email address set out in the Contact Us section.
The recipients of your Personal Data
We treat your Personal Data with strict confidentiality. However, we may disclose it to trusted third parties in the following circumstances:
- Strategic clinical trial partners – where necessary to support the planning, delivery, or oversight of clinical trials.
- Legal and regulatory authorities – where required by law, regulation, court order, or in response to lawful requests from public authorities.
- Legal rights and fraud prevention – to establish, exercise, or defend our legal rights, including sharing information for the purposes of fraud detection and prevention.
- Specialist Service Providers – from time to time we may engage carefully selected third parties to perform business-critical processes on our behalf.
nChroma Bio uses Service Providers who are third parties who provide elements of Services for us. Examples of these Data Processors include, but are not limited to:
- Our Contract Research Organizations (CRO) and EU representative;
- Our Clinical Trial Data Processors; and,
- Our IT Service Providers, such as Microsoft Corporation.
We have binding Data Processing Agreements in place with all our Data Processors. These agreements ensure that:
- They may only process your Personal Data on our documented instructions.
- They are prohibited from sharing your Personal Data with any organization other than nChroma Bio or authorized sub-processors who are bound by the same contractual safeguards.
- They must implement and maintain appropriate technical and organizational measures to protect your Personal Data.
- They may only retain your Personal Data for the period specified by nChroma Bio, after which it must be securely deleted or returned.
How long we keep your Personal Data
Where EU GDPR and UK GDPR apply, we will keep your Personal Data for as long as reasonably necessary for the purposes described in this Privacy Notice, while we have a legitimate business need to do so, or as required by law (e.g. for tax, legal, accounting or other purposes). We will retain your Personal Data in accordance with the Data Protection Legislation and any other applicable laws and regulations. nChroma Bio follows a Retention Schedule which outlines how long nChroma Bio will retain your Personal Data. nChroma Bio considers the retention period to begin from the point at which nChroma Bio last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, where EU GDPR and UK GDPR apply, unless otherwise required by law, your data will be retained for the period specified in the summarized table below and then securely deleted in accordance with our internal policies and procedures.
| Purpose | Retention Period |
| --- | --- |
| Processing data in relation to You as a clinical trial participant in the EU/EEA | 25 years following the conclusion of the clinical trial, as determined by EU CTR. |
| Processing data in relation to You as a clinical trial participant in the UK | For UK trials that have been authorized to commence on or before the 28th April 2026, or UK trials where an ethics committee is in receipt of a request for an ethics committee opinion and that request was received on or before the 28th April 2026, at least 5 years following the conclusion of the clinical trial, as determined by UK CTR. For UK trials which have been authorized to commence on or before 28th April 2026, or UK trials where an ethics committee is not in receipt of a request for an ethics committee opinion dating from on or before the 28th April 2026, at least 25 years following the conclusion of the clinical trial, as determined by UK CTR. |
| Processing data in relation to You as a Health Care Professional (HCP) involved in the planning, delivery, or oversight of an nChroma Bio clinical trial in the EU/EEA | 25 years following the conclusion of the clinical trial, as determined by EU CTR. |
| Processing data in relation to You as a Health Care Professional (HCP) involved in the planning, delivery, or oversight of an nChroma Bio clinical trial in the EU/EEA | For UK trials that have been authorized to commence on or before the 28th April 2026, or UK trials where an ethics committee is in receipt of a request for an ethics committee opinion and that request was received on or before the 28th April 2026, at least 5 years following the conclusion of the clinical trial, as determined by UK CTR. For UK trials which have been authorized to commence on or before 28th April 2026, or UK trials where an ethics committee is not in receipt of a request for an ethics committee opinion dating from on or before the 28th April 2026, at least 25 years following the conclusion of the clinical trial, as determined by UK CTR. |
| Processing data in relation to You as an employee, contractor, or consultant contracted by nChroma Bio | 6 years following the termination of your employment. |
| Processing data in relation to You as an employee, contractor, or consultant contracted by nChroma Bio’s Service Providers | 6 years following the termination of your employment. |
| Processing data in relation to You as a user of this Website | 1 year. |
| Processing data in relation to You as any other individual with whom nChroma Bio may conduct commercial operations | 6 years. |
International transfers of your Personal Data
Your Personal Data is processed at nChroma Bio’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to devices located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction. In particular, when nChroma Bio shares clinical trials data with Trusted Data Processors, your Personal Data, which will be pseudonymized in any case, would be stored and processed within third countries. Where this occurs, nChroma Bio will ensure that:
- the security and confidentiality of your Personal Data is maintained at all times;
- any Data Controller receiving your Personal Data has entered into an agreement with nChroma Bio which contains standard data protection clauses as required by UK and/or EU GDPR, or other applicable legislation, or there is an alternative appropriate safeguard in place governing the transfer; and,
- any Data Processor receiving your Personal Data has entered into an agreement with nChroma Bio which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR, or other applicable legislation, or there is an alternative appropriate safeguard in place governing the transfer.
Where you are based in the UK or EU and we are required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer may in some cases be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting the EU Representative or DPO identified in the Contact Us section below. In other cases, we may request your explicit consent for this international transfer.
How we protect your Personal Data
Data security is of great importance to nChroma Bio. We have put in place appropriate technical and organizational measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.
We take security measures to protect your information including:
- Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
- Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
- Implementing access controls to our information technology; and,
- Deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.
How we keep you updated on our Services
Where you are a clinical trial participant or a Health Care Professional involved in the planning, delivery, or oversight of an nChroma Bio clinical trial, we will contact you through our Contracted Research Organization (CRO) where it is necessary to do so.
Where you are an employee, contractor, or consultant of nChroma Bio, we will contact you through existing nChroma Bio communication channels, including email, where it is appropriate to do so.
Where you are an employee, contractor, or consultant of nChroma Bio’s Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we will send you relevant news about our Services in a number of ways including by email, but only if we have a Legitimate Interest to do so. Where we do not have a Legitimate Interest, we will not send you marketing communications unless we have asked for, and gained, your consent.
We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.
All email communications will have an option to unsubscribe and so if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.
Giving your reviews and sharing your thoughts
When using our website and other Services, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so that you are comfortable with how your information is used and shared on them.
Third party websites and links
Our Website may contain links to other sites operated by third parties. nChroma Bio does not control such other sites and is not responsible for their content, their privacy policies, or their use of personal information. nChroma Bio’s inclusion of such links does not imply any endorsement of the content on such sites or of their owners or operators except as disclosed through the Services. Any information submitted by you directly to these third parties is subject to that third party’s privacy policy.
We expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third parties.
What happens if our business changes hands?
We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.
Children’s privacy
We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database.
If you are the parent or guardian of a minor child who has provided us with personal information, you may Contact Us using the contact information below to request it be deleted.
Your rights regarding your Personal Data
European Union (EU), European Economic Area (EEA), and the United Kingdom (UK)
Where EU GDPR and UK GDPR apply, you have certain rights over your Personal Data. For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do. If you would like to exercise these rights, or if you would like more information about your rights or have any concerns about how we process your personal information, please Contact Us as set out below.
Right to be Informed
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
Right to Access Your Personal Data
You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes termed a ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. If your request is particularly complex, we may extend this response window to a total of 3 months. We would ask for proof of identity and sufficient information about your interactions with us so that we can locate your Personal Data.
Right to Rectify Your Personal Data
If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. If we shared your Personal Data with others, we will tell them about the correction where possible.
Right to Erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. If we shared your data with others, we will alert them to the need for erasure where possible.
Right to Restrict Processing
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We will tell you before we lift any restriction on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible.
Right to Portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format, where the lawful basis for processing relies upon consent or a contract entered into with you. It also gives you the right to request that a controller transmits this data directly to another controller.
Right to Object
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.
Rights Related to Automated Decision-Making
You have the right to object to our processing where a decision is made about you solely based upon automated processing and which has significant or legal effects. nChroma Bio does not intend to conduct any automated decision-making for your Personal Data. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have otherwise notified you.
Right to withdraw consent
If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
Right to lodge a complaint with the data protection authority
If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
More Information About Your Privacy Rights
If you are in the UK, you have the right to lodge a complaint directly with us at any time, or you may lodge a complaint with the Information Commissioner’s Office (ICO) https://ico.org.uk/, the UK supervisory authority for data protection.
If you are in the EU or EEA, you also have the right to lodge a complaint at any time with the relevant supervisory authority responsible for data protection. For a list of the relevant supervisory authorities, please see https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below.
United States – California
California Data Protection Legislation
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”) requires that we provide you with a privacy policy of our online and offline information practices and your rights under this law regarding your personal information.
We currently collect, share, disclose, and use your personal information. In the 12 months prior to the last updated date of this Privacy Notice, we have collected, shared, and disclosed the personal information set out in the Your Information section above. We may collect personal information directly from California and other US state residents, credit reporting agencies, and/or our third-party service providers. We do not collect all categories of personal information from each source.
California Resident Rights
California residents are afforded the following rights:
- to delete your personal information, unless we:
  - can prove this to be impossible;
  - it involves disproportionate effort; or
  - it is reasonably necessary for us to maintain records in order to fulfil the transaction(s) for which the personal information was collected;
- to correct inaccurate personal information held about you;
- to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice);
- to request specific pieces of information from us;
- to opt out of the sale or sharing of your personal information;
- to limit use and disclosure of sensitive personal data; and,
- to no retaliation following opt-out or exercise of other rights.
If you would like to contact us regarding this right, please Contact Us as set out below. Please note that we may need to verify your identity before processing your request. Rights requests shall be reviewed to see if an exemption allows us to retain the information. We may deny your deletion request if an exemption applies and/or if retaining the information is necessary for us or our Service Provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify or limit the scope of personal information not subject to an exemption from our records and will direct our Service Providers to take similar action.
United States – Other Data Protection Legislation
Other US Data Protection Legislation
If you are a US resident, we process your personal data in accordance with applicable US state data privacy laws, including the CCPA/CPRA described above. This section of our Privacy Notice contains information required by other US state data privacy laws and supplements the above section on CCPA/CPRA.
Several US states have enacted comprehensive privacy statutes, including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These laws include provisions aimed at safeguarding consumer rights and outlining business obligations. If you have relevant rights under these laws, you can exercise them by contacting us using the details provided in the Contact Us section as set out below.
Our practices are designed to adhere to the highest standards set forth by these laws, ensuring that we respect the privacy rights of all individuals. As the US privacy laws continue to evolve, we will monitor these changes, adjust our privacy practices, and update our Privacy Notice(s), accordingly.
We Do Not Sell Your Personal Information
If you are a US resident, you have the right to know whether your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other US state data privacy laws.
Please note a “sale” does not include when we disclose your personal information at your direction, or when otherwise permitted under law.
We May Share Your Personal Information
If you are a US resident, please note that we may “share” your personal data, as defined under California and other applicable US state laws, for personalised advertising purposes and/or for any other purposes outlined in this Privacy Notice.
Do Not Track
If you are a US resident, please note that, due to varying practices among browser providers and the lack of a market standard, we do not respond to Do Not Track signals at this time.
Non-Discrimination
If you are a US resident, please note that US state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying goods or services, providing a different level or quality of service, or charging different prices.
The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.
Other Data Protection Legislation
Where you are located in a jurisdiction outside of the EU, EEA, UK, and US, you may have data protection rights under the Data Protection Legislation applicable in your jurisdiction, such as the right to access, rectify, or erase your Personal Data. If you have relevant rights under these laws, you can exercise them by contacting us using the details provided in the Contact Us section as set out below.
Contact Us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact us by one of the following means:
- nChroma Bio Data Protection Officer: Dr. Lawrence Carter, The DPO Centre Netherlands, B.V., Vijzelstraat 68, Amsterdam 1017HL, Netherlands, +33153455472, CRMA-1001-101-DPO@nchromabio.com
- nChroma Bio EU GDPR Representative: The DPO Centre Europe Limited, Alexandra House, 3 Ballsbridge Park, Dublin, Ireland, D04C 7H2, +33153455472, CRMA-1001-101-EURep@nchromabio.com
- nChroma Bio UK GDPR Representative: The DPO Centre Limited, 50 Liverpool Street, London, EC2M 7PY, UK, +442037976340, CRMA-1001-101-UKRep@nchromabio.com
Thank you for taking time to read this Notice.