Privacy Policy
Effective Date: November 13, 2024
Note: This privacy policy applies to our collection, use, and disclosure of data received or created due to your access to and use of certain items provided by us, Beacon Biosignals, Inc. (referred to here as Beacon, we, us, or our). These items consist of our website at beacon.bio (the Site), the Beacon mobile application (the Application), and the following limited services we provide to you: clinical data upload, annotation, review, and reporting. The Site, Application, and the foregoing services are referred to collectively as the Services.
Topics:
Age Requirements
What data do we collect?
How will we collect/use your data?
Third party data access
How do we store your data?
Global Privacy Compliance Notice
Lawful Basis for Processing Personal Data
Marketing
What are your data protection rights?
Cookies
How do we use cookies?
What types of cookies do we use?
How to manage cookies
Privacy policies of other websites
HIPAA
CCPA
PCI
Notification to EU user
Changes to our privacy policy
How to contact us
Age Requirements
The Site and Application are not designed or intended to appeal to minors and we do not knowingly collect User Data from children under the age of 13 from the site or use of the application outside of the scope of providing the Services in the course of clinical trials. As a tool for providing the Services, users of the Site and/or Application may enter Information related to minors into the application where a parent or guardian has consented and where we have retrieved appropriate IRB approval/consent under the purview of clinical trials to perform the Services with respect to that individual.
If a parent or guardian becomes aware that their child has provided us with information without parent or guardian consent, they should contact us at privacy@beacon.bio so we can promptly delete such information.
What data do we collect?
The Site and/or Application may collect or process data elements such as:
Identifiers (ex. real name, alias, postal address, unique identifiers, online identifiers, internet protocol (IP) address, email address, account name, or other similar identifiers).
Categories of personal information described in subdivision (e) of Section 1798.80 (Identifiable information contained in Customer Records).
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Professional or employment-related information.
For users of Beacon Biosignals products, and/or for individuals or organizations whose data is processed on behalf of Beacon Biosignals, Beacon Biosignals may collect or process data elements such as:
Identifiers (ex. real name, alias, postal address, unique identifiers, online identifiers, internet protocol (IP) address, email address, account name, or other similar identifiers).
Categories of personal information described in subdivision (e) of Section 1798.80 (Identifiable information contained in Customer Records).
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Characteristics of protected classifications under California or federal law.
Biometric and health-related information.
Information regarding a consumer’s interaction with our internet website, application or advertisement.
Geolocation data.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
How will we collect/use your data?
Beacon will only collect/use User Information as it relates to providing the Services.
Beacon will only collect/use Application Information as it relates to providing the Services.
You directly provide Beacon Biosignals with most of the data we collect. We collect data and process data when you:
User Information:
When you download and log into the Application
Submit information to us through the Site
Requests or questions you submit to us via email (ex. support forms, research surveys) or forms
Your general communications with us
Uploads or posts to the Services
Application Information:
Information from synced devices as part of the Services workflow
Use the Application and/or view our website, via your browser’s cookies
In addition, the Site and Application may collect certain information automatically, such as the type of mobile device you use, your mobile device’s unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about your use of the Application (Usage Data). Usage Data will be used by us either individually or in aggregated form to enhance and improve the Application.
Third Party Data Access
User Information and Usage Data may be shared with the third-party service providers who host and support the application on Beacon’s behalf. These service providers do not have any right to independently use any personal information that we share with them.
We only use and disclose Application Information in accordance with all applicable compliance frameworks, only for specific purposes, and we will inform recipients of Beacon's services about the identity of these parties and the reasons for sharing their data.
When necessary to ensure compliance, we enter into a written Business Associate Agreement (BAA) and/or a Data Privacy Agreement (DPA) with third parties that receive Application Information.
We take responsibility for the onward transfer of personal information to third parties and ensure that appropriate safeguards are in place to protect your data. We carefully vet all third-party partners and require them to adhere to the same strict data protection standards, ensuring that your personal information remains secure throughout the transfer process.
We may provide paid products and/or services within the Site or Application. In those cases, we work with third-party service providers to perform payment processing on our behalf (e.g. payment processors). See the “Payment Card Industry” subsection below for further details.
How do we store your data?
Beacon Biosignals and our service providers make use of physical, electronic, and procedural safeguards to protect the information that we process and maintain in our cloud environment that is hosted by a top tier cloud infrastructure service provider.
Beacon Biosignals will retain personal information about you for as long as you use the Site, Application, or consume the Services, and for a reasonable period after you stop using the Application. We use and retain Usage Data, in either individualized or aggregate form, indefinitely.
Global Privacy Compliance Notice
Should you access our Services from a location outside the United States, please be aware that your information may undergo transfer, storage, and processing in the United States or other countries by us and our third-party providers. Any international transfer of your personal data adheres to relevant data protection laws. We are dedicated to ensuring the security of your information during transfers by implementing strong protective measures, including but not limited to the use of encryption protocols for secure data transmission, enforcement of rigorous access controls to monitor and restrict data access, and establishment of comprehensive data protection agreements with our third-party providers.
Beacon Biosignals adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension, and the Swiss-U.S. DPF as mandated by the U.S. Department of Commerce. Beacon Biosignals certifies adherence to these frameworks’ principles regarding the processing of personal data from the EU, UK, and Switzerland. In case of a conflict between this policy and the DPF Principles, the Principles will govern. For more information and our certification, visit https://www.dataprivacyframework.gov.
Our organization may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In such cases, we are committed to ensuring that any disclosure is strictly limited to the extent necessary to comply with the legal obligation, while maintaining the highest level of transparency and protection for the individuals concerned.
Beacon Biosignals commits to resolving any DPF-related complaints through our Individual Recourse Mechanism, JAMS, a U.S.-based dispute resolution provider, at no cost to you. Please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint.
If a data subject has reason to believe their request has been unresolved through the utilization of JAMS, there is a possibility, under certain conditions, for the individual to invoke binding arbitration.
The Federal Trade Commission oversees Beacon Biosignals’s compliance with these frameworks.
Note - Although we endeavor to provide security for the information that we process and maintain based on the sensitivity of that information, no security system can prevent all potential security breaches. In addition to the security safeguards we provide, we urge you to take precautionary measures in maintaining the integrity of your data. Please be responsible for making sure that no one can see or access your account or log-in/password information, or your mobile device.
Lawful Basis for Processing Personal Data
Beacon Biosignals’s processing is considered lawful based on the following grounds:
Data subjects have given consent when they sign up for Beacon Biosignals’ services and/or provide informed consent as part of their participation in a clinical study.
Legitimate interests: A legal basis for processing personal data under data protection regulations, allowing organizations to use individuals' information for reasonable and justifiable purposes, balancing their interests against the rights and freedoms of the data subjects.
Marketing
Beacon Biosignals would like to send you information about products and services of ours that we think you might like.
If you have agreed to receive marketing, you may always opt out at a later date. If you no longer wish to be contacted for marketing purposes, please follow the instructions in the marketing emails.
You have the right at any time to stop Beacon Biosignals from contacting you for marketing purposes or giving your data to other members of the Beacon Biosignals Group.
Note - Opting out of marketing emails will not affect our administrative emails to you (e.g., emails about your transactions or policy changes).
Cookies
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. For further information, visit allaboutcookies.org.
How do we use cookies?
Beacon Biosignals uses cookies in a range of ways to improve your experience on our website, including:
Keeping you signed in
Understanding how you use our website
To personalize your experience
Gain statistical knowledge for website improvement
What types of cookies do we use?
There are a number of different types of cookies; however, our website uses:
Functionality – Beacon Biosignals uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
Advertising – Among other uses, these cookies limit the number of times you may see our advertisements, and help us measure the effectiveness of our outreach campaigns. The advertising or social media networks that we work with place these cookies on our behalf. They may track that you have visited this Website, and we then share this information with the advertising network, either automatically, or manually (this practice is sometimes referred to as retargeting). We work with the following advertising networks, and more information about their policies, and how you can customize or opt out of certain types of ads, are available using the links provided:
We may use information that we collect from you to contact you or send you information, for example, to send you our newsletters, marketing or promotional materials, and other information that we think may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or the instructions provided in any email we send.
How to manage cookies
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Privacy policies of other websites
The Beacon Biosignals website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.
HIPAA (Health Insurance Portability and Accountability Act)
We only use and disclose Application Information in accordance with HIPAA. When necessary to ensure compliance with HIPAA, we enter into a written Business Associate Agreement (BAA) with third parties that receive Application Information.
CCPA (California Consumer Privacy Act of 2018)
For the purposes of documenting compliance with the California Consumer Privacy Act of 2018, as amended, and its associated regulations (CCPA), we collect Personal Information from the following categories:
Identifiers (ex. real name, alias, postal address, unique identifiers, online identifiers, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers).
Categories of personal information described in subdivision (e) of Section 1798.80 (Identifiable information contained in Customer Records).
Characteristics of protected classifications under California or federal law.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Biometric information.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement.
Geolocation data.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information, defined as information that is not publicly available personally identifiable information in the Family Educational Rights and Privacy Act (FERPA).
Inferences drawn from any of the information identified in this subdivision to create a profile about a reflection of the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
PCI (Payment Card Industry)
We may provide paid products and/or services within the Site or Application. We will not store or collect your payment card or banking details so in those cases, we work with third-party service providers to perform payment processing on our behalf (e.g. payment processors). Information that you provide to our third-party payment processors is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
When Beacon Biosignals processes your order, it may send your data to, and also use the resulting information from, credit reference agencies to prevent fraudulent purchases.
Notification to EU, UK, and Swiss users
Beacon Biosignals would like to make sure you are fully aware of all of your data protection rights. Every user within the GDPR is entitled to the following:
The right to access – You have the right to request copies of your personal data from Beacon Biosignals. We may charge you a small fee for this service.
The right to rectification – You have the right to request that Beacon Biosignals correct any information you believe is inaccurate. You also have the right to request Beacon Biosignals to complete the information you believe is incomplete.
The right to erasure – You have the right to request that Beacon Biosignals erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that Beacon Biosignals restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to Beacon Biosignals’s processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that Beacon Biosignals transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email: privacy@beacon.bio
How to contact the appropriate authority
Should you wish to report a complaint or if you feel that Beacon Biosignals has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.
For users in the European Economic Area: Please use the provided link to identify the appropriate board member and their contact information: https://edpb.europa.eu/about-edpb/board/members_en
For users in the UK: Please use the following information to contact the UK data protection regulator:
The Information Commissioner’s Office Water Lane,
Wycliffe House
Wilmslow - Cheshire SK9 5AF
Tel. +44 303 123 1113
Website: https://ico.org.uk/make-a-complaint/
For users in Switzerland: Please use the provided link to contact the Swiss data protection regulator: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
Changes to our privacy policy
Beacon Biosignals keeps its privacy policy under regular review and places any updates on this web page. The date of the last update to the privacy policy can be found at the top of this page.
European Union Representative
An EU representative is an individual or entity appointed by a non-EU-based company to act as a liaison between the company and EU data protection authorities. This representative ensures compliance with GDPR requirements, facilitating communication and cooperation regarding data protection matters and serving as a point of contact for individuals within the European Union seeking to exercise their data privacy rights. The information for our EU representative is as follows:
RedNeuron SAS
17-21 Rue Saint Fiacre
75002 Paris, France
privacy@beacon.bio
UK Representative
Under Article 27 of the UK Data Privacy Act, we have appointed a UK Representative to act as our data protection agent. Our nominated UK Representative is:
GDPR Local Ltd.
Adam Brogden
contact@gdprlocal.com
Tel +44 1772 217800
1st Floor Front Suite, 27-29 North Street, Brighton, England, BN1 1EB.
If you have any questions about Beacon Biosignals’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.