Revised 11/1/2020


BLOCK CLINICAL INC. GDPR COMPLIANCE STATEMENT

Last updated: September, 2021

GENERAL STATEMENT

Block Clinical Inc., a Delaware corporation (“Company”, “we”, “us” or “our”), respects your privacy and is committed to protecting your privacy through our compliance with this GDPR Compliance Statement (“GDPR Statement”).

This GDPR Statement describes our practices in connection with information we collect through conduct of our Service and store in our software platform (“Platform”) on behalf of our Customers.

GDPR stands for “General Data Protection Regulation”. It is one of the most important changes made to data privacy regulations in the last two decades. It establishes a new framework for handling and protecting the personal data of EU-based residents and has been in effect since May 25, 2018. It provides the citizens of the EU greater control over their personal data and assures them that their information is protected.

Block Clinical Inc. has undertaken a Data Protection Agreement (“DPA”) with our Clients (“Clients”) to comply with all applicable regulations on Personal Data processing (“Data Privacy Laws”), including but not limited to: orders and authorizations of any Data Protection Authority, the national and international legislation on clinical trials, and the specific provisions applicable to studies, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Regulation (EU) 2016/679 (“GDPR”).

DEFINITIONS

Data Controller – the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed. In this case, it refers to the Client (and its authorized persons, which determine the purpose and means of processing of Personal Data).

Data Processor – any natural or legal person who processes the data on behalf of the Data Controller. In this case, it is Block Clinical Inc., which processes Personal Data on behalf of the Data Controller and under its control.

Data Subject – any living individual who is using our Service and is the subject of Personal Data.

DOES GDPR AFFECT YOU?

Although GDPR is a data protection framework for the citizens residing in the EU, it also applies to all companies that handle personal data of individuals from the EU. This means that almost every major corporation in the world will need to be ready when GDPR comes into effect. If you or your organization stores and processes personal data in connection with services or goods offered in the EU, then the law applies to you as well. Also, in the event of infringement of these laws, you can face fines and penalties from 10 million to 20 million dollars or 2% to 4% of the annual revenue of the organization, whichever is higher.

This GDPR Statement applies to the following groups of individuals who interact with our Platform:

● Customers: “Customers” are individuals who are employees or associates of sponsors, contract research organizations, third party patient logistics companies, clinical research sites, hospitals, and similar organizations, including customer personnel who are assigned a login ID and are authorized to access and use our Platform pursuant to an active agreement.

● Customer Contacts: “Customer Contacts” are individuals who interact with our Customers or other Customer Contacts through our Platform, including Customer Contacts who are assigned a login ID and are authorized to access and use our Platform pursuant to an active agreement. Customer Contacts include our Customers’ clients, clinical site personnel, logistics supplier partners, other business contacts, and the patients and caregivers they support (for example, Customer Contacts include patients and caregivers that opt-in to our Customers’ service, clinical site coordinators, and logistics supplier partners who ultimately deliver services to patients) using our Platform.

● Block Clinical Inc. Employees and Contractors: “BCI” are individuals who support patients to deliver logistics and payment services and operate on behalf of Block Clinical and our Customers.

OUR COMMITMENT TO GDPR

Block Clinical is working towards full GDPR compliance and making sure that we are aligned with the GDPR framework, and we have built product features for greater privacy and data control.

As an organization, Block Clinical has always implemented and practiced processes which ensure that customer data is stored and processed in ways necessary only to serve our customers in the best possible way. Our privacy policies are also streamlined with the GDPR goals and objectives. Learn more about the privacy policy here.

PRINCIPLES FOR PROCESSING PERSONAL DATA

Our principles for processing personal data are:

Fairness and lawfulness. When we process personal data, the individual rights of the Data Subjects must be protected. All personal data must be collected and processed in a legal and fair manner.
Restricted to a specific purpose. The personal data of the Data Subject must be processed only for specific purposes.
Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.

WHAT PERSONAL DATA WE COLLECT AND PROCESS

In this section, we explain the information collected about Customer Contacts (collectively, “Customer Contact Data”).

Our Platform is flexible and allows our Customers to collect a variety of personal information from and about their Customer Contacts, including name, organization, title, address, e-mail address, telephone number, and other information including but not limited to gender, date of birth, passport number, travel dates, and other travel preferences (“Personal Information”).

We are the sole owners of the Customer Contact Data (which includes Personal Information) collected through our Platform. We only collect information that you voluntarily give our Customers permission to use. You may provide our Customers with information by phone, email, input directly into our Platform, or through applications that are integrated with our Platform.

We will not sell or rent Customer Contact Data to anyone.

HOW WE USE INFORMATION

We do not use Customer Contact Data for any purpose other than to provide services that our Customers have contracted us to provide through our Platform, as noted below, or as required by law.

Here are examples of situations in which we use Customer Contact Data:

Types of third parties we share Customer Contact Data with: logistics suppliers from whom our Customer Contacts have opted in to receive logistics services – airlines, hotels, ground transportation companies, payment remittance companies, etc.

If a Customer uses our Platform to request and track delivery of logistics services through multiple logistics supplier partners.

Transfer of Customer Contact Data to logistics supplier partners for the sole purpose of booking travel on behalf of the patient and/or caregiver (for example, we may provide name, arrival and departure dates to a hotel for reservation purposes).

When a Customer or Customer Contact uses our Platform to deliver logistics confirmation information related to travel and payments to other Customer Contacts including patients, caregivers, and/or coordinators.

To deliver to a third party in the event of a merger, divestiture, restructuring, recapitalization, reorganization, dissolution or other sale or transfer of some or all of the Company’s assets, whether as a continuing operating business or as part of bankruptcy, liquidation or a similar proceeding, in which Customer Contact Data is among the assets transferred.

As we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to respond to requests from public and government authorities including public and government authorities outside your country of residence; and (c) to protect against or identify fraudulent transactions.

For other purposes when Customers or Customer Contacts provide explicit consent.

We aggregate and anonymize information about Customers and Customer Contacts, and the use of our Platform, in order to improve our Platform and create benchmark and other business intelligence products. None of the aggregated and anonymized information contains Personal Information (i.e., it does not identify any individual).

LEGAL BASIS FOR COLLECTING AND PROCESSING PERSONAL DATA

Block Clinical’s legal basis for collecting and using the personal data depends on the personal data we collect and the specific context in which we collect the information:

Block Clinical needs to perform a contract for you
You have given Block Clinical permission to do so
Processing your personal data is in Block Clinical’s legitimate interests
Block Clinical needs to comply with the law

RETENTION OF PERSONAL DATA

Block Clinical will retain your personal information only for as long as is necessary for the purposes set out in this GDPR Statement.

Block Clinical will retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.

DATA PROTECTION RIGHTS

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed about what personal data we hold about you and if you want it to be removed from our systems, please contact us at privacy@blockclinical.com.

In certain circumstances, you have the following data protection rights:

The right to access, update or to delete the information we have on you
The right of rectification
The right to object
The right of restriction
The right to data portability
The right to withdraw consent

REVIEWING, UPDATING AND DELETING YOUR INFORMATION

All individuals have the right to access their Personal Information. We provide our Customers with the capability to review, update and delete your Personal Information. We require that our Customers receive your permission before any of your Personal Information is accessed, retrieved or made available to logistics supplier partners. In addition, we provide our Customers the ability to revoke permission to access your Personal Information. Contact your appropriate Customer representative to:

See what data we have about you, if any.

Change/correct any data we have about you.

Have us delete any data we have about you.

Express any concern you have about our use of your data.

Alternatively, you can reach us directly by emailing our Privacy Officer at the email listed in the Contact Information section below.

CONTACT INFORMATION

If you have questions or comments regarding this GDPR Statement, our Privacy Policy, or our practices, please contact us at:

Block Clinical Inc

Privacy Officer

16787 Bernardo Center Dr

Suite 7

San Diego, CA 92128

privacy@blockclinical.com

REPRESENTATION FOR DATA SUBJECTS IN THE EU AND THE UK

We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/19348574538


Prighter certificate of Art 27 representation