Privacy notice
Effective as of September 13, 2024
1. Introduction and Scope
Tisento Therapeutics, Incorporated, and our affiliates (“Tisento”, “we”, “us”, “our”) sponsor ethically approved clinical trials. We take the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual participants whose Personal Data we may receive in connection with the clinical trials (“Trial” or “Trials”) we sponsor, healthcare providers, business contacts, and website visitors (“Data Subjects”).
Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.
2. Controllership
Within the scope of this Notice, Tisento generally acts as a data controller for the Personal Data processed in the context of the Trials we sponsor, and for the processing of your Personal Data that takes place when you visit our website. This means that we alone determine the purpose and means of the processing of your Personal Data.
In some jurisdictions, we are considered a “joint controller” with another organization, such as the study site where a Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with Tisento, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in.
3. Categories of Personal Data
Personal Data of Individual Trial Participants
Even though we are a data controller for the Personal Data processed in the context of our Trials, Tisento itself does not have access to identifiable Personal Data, meaning that we are unable to identify you personally from the information we have access to. Personal Data is collected by our service providers like the study site (the clinic or other healthcare facility where the Trial is being run) or other third parties, such as your doctors or our clinical research organizations. When any information relating to you is shared with us by our service providers, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).
The following types of Personal Data may be processed in the context of our Trials:
basic identifying information, such as your first and last name;
contact information, such as your phone number, physical address, and email address;
location information, such as the location of your testing site and Trial location (i.e., study site);
healthcare information, such as the identity and contact information of your doctors and healthcare providers;
health information, such as your medical history, current health status and reaction to the Trial drug or treatment;
your genetic information, race, and ethnic origin;
images (such as photographs, scans, and recordings);
audio recordings of entry and exit interviews;
recordings of telemedicine (virtual) consultations with health care providers; and/or
identifiers and device information, such as IP address and associated location, operating system, and device IDs (e.g., when you visit a Trial-specific website).
You can ask your study doctor if you are unsure whether or not any specific Personal Data that you are being asked to provide is required as part of your participation in the Trial.
Personal Data of Healthcare Providers and Business Contacts
We may process the following types of Personal Data about healthcare providers in the context of our Trials:
basic identifying information, such as your first and last name;
contact information, such as your phone number, physical address, and email address;
professional- and employment-related information, such as your qualifications and job titles;
location information, such as the location of your testing site and Trial location (i.e., study site); and/or
whatever additional information these Data Subjects may disclose to us, or which are included in documents, presentation slides, meeting minutes, memoranda and other records of business value to Tisento.
Personal Data of Website Visitors
We may process the following types of Personal Data about website visitors who connect to us:
basic identifying information, such as your first and last name;
contact information, such as your phone number, physical address, and email address;
IP address and high-level location information; and/or
whatever information the individual shares with us via the website or other contact points listed on the website.
4. How We Receive Personal Data
We may receive your Personal Data when:
you provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf);
a study doctor (also known as an “investigator”) or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
we receive it from the clinical research organization that conducts the Trial on our behalf;
you visit one of our Trial-specific websites or online portals;
a third party includes it in professional materials that are shared with us, such as brochures, presentation slides, invoices, memoranda, and other business documentation; and
you provide it to us, the clinical research organization, or a study doctor when you complete a pre-screening questionnaire to confirm your eligibility to participate in a Trial.
5. Purpose of Processing
We may process your Personal Data for the purposes of conducting our business, including:
responding to your requests or questions (including requests to exercise your data protection rights) by using your basic identifying and contact information. This may also include reviewing other information about you that we have on record in order to respond to your requests or questions;
facilitating your access to our website and other resources;
assessing your qualifications and suitability to assist with our Trials;
managing and facilitating the Trial by using all the information set out under Section 3 above as may be necessary;
enabling your participation in the Trial by using some or all of the information described under Section 3 above;
answering the research questions for the Trial and aggregating data to generate statistics relating to the Trial and/or investigational treatment or health treatment by using your location information, health care information, health information, and/or your genetic information;
arranging for the delivery of drugs to you and collection of unused drugs from you in relation to the Trial by using your basic identifying and contact information and location information;
arranging your transportation to or from the study site and overnight accommodations, as needed, by using your basic identifying and contact information and location information;
arranging for a nurse or other healthcare provider to visit you at your home, as needed in relation to the Trial;
sending you reminders about your appointments at the study site, or to take your medication on time by using your basic identifying and contact information;
monitoring and reporting on any adverse events, such as negative side effects by using your health care information, health information, and/or your genetic information;
developing new medicinal drugs or health treatments by using your health care information, health information, and/or your genetic information;
complying with legislation governing Trials;
disclosing your Personal Data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law; and/or
communicating with you on the status of the Trial by using your basic identifying and contact information.
If you are a Trial participant, we also process your Personal Data for the specific purposes described in the informed consent form provided to you by Trial personnel.
6. Basis of Processing
We may process your Personal Data on the basis of:
Consent: We may ask for your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history.
Contract: We may process your Personal Data to fulfill a contract we have with you.
Legitimate Interests: We may process your Personal Data based on our legitimate interests in facilitating and managing our Trials.
Compliance with Legal Obligations: We may need to process your Personal Data for us to comply with applicable laws or regulations, such as the laws regulating the safety and reliability of our Trials.
Public Interest: We may process your Personal Data for reasons of public health interests to ensure adequate standards of quality and safety of the drugs or treatments we are developing.
Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligation towards you.
Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment that balances your right to privacy and our legitimate interests.
Since we process special categories of Personal Data, such as your health status and medical history, the EU General Data Protection Regulation (“GDPR”) requires that we must have an additional ground to process this type of information about individuals in the EU. Tisento may process special categories of Personal Data about individuals in the EU on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or where the processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. If you are a participant in a Trial, please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.
7. Automated Individual Decision-Making
If you participate in a Trial we sponsor, you will be assigned a unique patient identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Trial, or if you will receive a different treatment or placebo. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.
For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling." But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.
8. Cookies
A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide website functionality, authentication (session management), usage analytics (web analytics), and to remember your settings, and to generally improve our websites.
For more information on how we use cookies, please refer to the cookie policy available on our website.
9. Data Retention
We will retain your Personal Data until we fulfill the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations.
If you are a participant in a Trial, once your information has been entered into the Trial records, we cannot remove it without affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least 25 years after the conclusion of the Trial. We will ensure that your Personal Data is safeguarded at all times.
10. Sharing Personal Data With Third Parties
We may share Personal Data with our service providers who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing as described in Section 5 above, or as required by law. Our service providers include parties providing:
managed information technology services, for which they may process some or all of the information described under Section 3 above;
contract/clinical research organization services, for which they may process some or all of the information described under Section 3 above;
patient recruitment services, for which your basic identifying information, contact information, location information, healthcare information, health information, and genetic information may be processed;
pathology laboratory services, for which they may receive your basic identifying information, healthcare information, health information, and genetic information;
clinical pharmacology services, for which your basic identifying information, healthcare information, health information, and genetic information may be processed;
laboratory services, for which your basic identifying information, healthcare information, health information, and genetic information may be processed;
data management and biostatistics services for which they may process your basic identifying information, location information, healthcare information, health information, genetic information, images and audio recordings and identifiers and device information;
cardiac safety services for which your basic identifying information, contact information, healthcare information, health information, and genetic information may be processed;
trial oversight, imaging, and digital patient services for which they may process your basic identifying information, contact information, location information, healthcare information, health information, genetic information and, audio recordings of your entry or exit interviews;
quality assurance, safety, and pharmacovigilance software and related services for which they may process your basic identifying information, contact information, location information, healthcare information, health information, and genetic information;
data storage and archiving software and related services for which some or all of the information described under Section 3 above may be processed;
data analytics and reporting software and services, for which they may process your basic identifying information, location information, healthcare information, health information, genetic information, images and audio recordings and identifiers and device information;
services related to the collection, storage, testing, and transportation of biological material, for which your basic identifying information, location information, healthcare information, health information, and genetic information may be processed;
software that randomly decides which dose level or treatment you will receive during the Trial, for which they may process your basic identifying information, healthcare information, health information, and genetic information;
logistics and transport services, in pursuit of which they may process your basic identifying information, contact information, and location information; and/or
electronic data capture software and hardware, for which some or all of the information described under Section 3 above may be processed.
11. International Transfers of Personal Data
Some of the above-mentioned third parties may be located in countries outside of the EU or the EEA. In some cases, the European Commission may not have determined that those countries’ data protection laws provide an adequate level of protection for your Personal Data. When the GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries that are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data. These safeguards may include the model data protection clauses approved by the European Commission. To access these model clauses, please contact our Data Protection Officer.
12. Other Disclosure of Your Personal Data
We may disclose your Personal Data:
with regulators or competent authorities, to the extent necessary to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws);
to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties);
if, in the future, we sell or transfer, or consider selling or transferring, part or all of our company, business, shares or assets to a third party, and we disclose your Personal Data to such third party in connection with the sale or transfer; or
in the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events.
If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
13. Data Integrity and Security
We have implemented and will maintain appropriate technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.
14. Your Privacy Rights
If we process your Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. This means that you have the right to ask us to confirm whether or not we process your Personal Data, and, where that is the case, obtain a copy of or access to your Personal Data and other related information (such as the purposes for which we collected your Personal Data, and the categories of third parties that we share it with). You can also ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have about you, and to complete any incomplete Personal Data.
You may also have the right to ask that we limit/restrict our processing of your Personal Data (e.g., if you ask us to only use or store your Personal Data for certain purposes). You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.
You have the right to object to our processing of your Personal Data. We will always strive to fulfill your request. However, please note that there are occasions when doing so may not be possible, like when the law tells us we cannot do that, or where we need your Personal Data to complete the transaction for which we collected the Personal Data.
As discussed in Section 6 above, if we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
You may also have the right to “data portability”, which means that you may have the right to ask us to provide you with a copy of your Personal Data. If you exercise this right, we will provide you with a copy of your Personal Data in a structured, commonly used, and machine-readable format.
To exercise any of your privacy rights or raise any other questions, please contact us by using the information in the “Contact Us” section below. If you are an individual in the EU, you also have the right to lodge a complaint with a data protection regulator in one or more EEA member States.
15. Privacy of Children
Our Trials are generally not directed at, or intended for use by, children under the age of 18. However, if we do conduct any Trials that are directed at children, we will ensure that the data subjects and their legal guardians are provided with comprehensive information about how we will process and safeguard their Personal Data.
16. Contact Us
If you have any questions about our processing of Personal Data of a Trial participant, please first speak with the participant’s study doctor. If we collected your Personal Data in any other context (e.g., if you are a healthcare provider, business partner or website visitor), you can contact us by emailing privacy@tisentotx.com or mailing us at the address below.
Tisento Therapeutics
245 First Street, Riverview II, 18th Floor
Cambridge, MA 02142
You may also contact our Data Protection Officer directly using the contact details listed in Section 18 below.
Please allow up to four weeks for us to reply.
17. Data Protection Representative
While you may contact us at any time, our data protection representative can be contacted about matters related to the processing of your Personal Data.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://www.verasafe.com/public-resources/contact-data-protection-representative.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
United Kingdom Representative
VeraSafe has also been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
18. Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly as explained in Section 16 above, VeraSafe can also be contacted on matters related to the processing of Personal Data.
VeraSafe’s contact details are:
VeraSafe
22 Essex Way #8203
Essex, VT 05451 USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
Toll-free: 1-888-376-1079
19. Changes to this Notice
If we change this Notice, we will publish the revised Notice on our website. We will also update the “Effective” date.