LEGAL
Privacy Policy
1. General
Atticus Medical Proprietary Limited ACN 638 176 342 (referred to as Atticus) takes its privacy obligations seriously and is committed to ensuring that we handle personal information in accordance with applicable privacy laws.
Unless we advise you otherwise at the point where we collect your personal information, to the extent that the General Data Protection Regulation (EU) 2016/679 (the GDPR) applies to the processing undertaken by Atticus, Atticus is the controller of that personal information.
This policy sets out how we collect, use, disclose and secure your personal information. It also sets out your rights to access and correct it. This policy covers all of our functions, activities and business, including the operation of our website at www.atticusmed.com.
2. Collection of your personal information
We collect personal information relating to individuals who visit our website, use our products, our customers, suppliers, applicants for positions with us, our employees, and people who make general enquiries for our business purposes. Our business purposes are generally to research, develop and provide affordable medicine and vaccine products and related services, to administer our relationships with our research, clinical and governmental partners, customers and potential customers, suppliers, corporate partners and others, and to operate our website. Our business purposes are also detailed generally on our website.
We also collect personal information relating to research and clinical trial participants (including trial subjects and their families). We will provide you with information about our collection, processing, use and disclosure of this information as part of the information given to you about the trial.
We may collect personal information including (but not limited to) the following: your title, name, address, email address, telephone numbers, birthdate, national insurance information, occupation, employment records and history, performance information and any other information relating to your employment, transaction and payment details and other information reasonably necessary for us to carry out our functions, activities or business.
For individuals who contact us regarding the use of our products and for research and clinical trial participants, we may also collect sensitive personal information such as your racial or ethnic origin, sexual preferences or activities, genetic information, state of health or medical history including, where relevant, a family medical history and current treatments or medications, the name of any care provider, health service provider or medical specialist involved in your care, copies of any referrals and reports and test results and samples.
We collect personal information directly from you when you communicate with us. For example, when we receive an email from you, we are collecting your personal information, including your email address. We also collect information about you from third parties. For example, we may receive personal information about you from a family member or doctor responsible for your care.
We may make a record of information relating to your visit to the website. Such information includes your server address, domain name, IP address, the date and time of your visit, pages accessed, and documents downloaded. The website also uses cookies and third-party analytics tools such as those provided by Google to provide us with information about how you use our website.
For information about how Google uses your personal information, please see http://www.google.com/intl/en/policies/privacy/ and https://support.google.com/analytics/answer/6004245.
The web browser or device you use may offer settings that allow you to choose whether cookies are accepted or to delete them. More information about these controls will be available in the help material for your browser or device.
We will not collect personal information in a way that would be unlawful or where such information is unnecessary or unrelated to our functions, activities or business.
The website may contain links to other websites and social media pages. We are not responsible for the privacy practices or the content of any of those websites or social media pages.
3. Use and disclosure of your personal information
Personal information subject to the GDPR
We use the personal information we collect for our business purposes described above. Our legal basis for processing will be one of the following:
- for the performance of any contract that we enter into with you or to take steps at your request prior to entering into a contract;
- for the purposes of our legitimate interests in ensuring that we provide you with the best service possible in all our interactions with you, which if you are a current or former participant may include providing you with information about our other development programmes which may be of interest to you. We may also have a legitimate interest in keeping people informed about our functions, activities and business;
- to fulfil our legal obligations;
- you have provided your consent for one or more purposes of processing.
Where we process sensitive personal information such as information about your background including your ethnicity, genetic data, biometric data and health data, we will do this on the basis that you have provided your explicit consent for us to process this information. Where we rely on your consent for any processing, your consent may be withdrawn at any time. This will not affect the lawfulness of the processing based on consent before its withdrawal. Please contact us to discuss this if you have any questions or are considering withdrawing your consent.
Our processing for the above purposes and on the above legal bases could include communicating with you by phone, email or post.
Other personal information
Atticus will only use or disclose your personal information for the purpose for which it was collected, to comply with our legal obligations, or for another, related purpose for which you would reasonably expect us to use it, or for any other purpose with your consent (whether express or implied). For example, we may use your personal information to analyse data obtained on our website to determine the website’s effectiveness and to modify it to improve its functionality and the service it provides to suppliers and customers.
Use and disclosure generally
Depending on the purpose of collection, your personal information may be disclosed to:
- research, clinical and governmental bodies with which we are collaborating;
- external service providers (on a confidential basis and in circumstances where those service providers may only use your information for the purpose of our functions, activities and business), such as clinical monitoring and service providers and data storage providers;
- specialist advisers to us that have been engaged to provide us with legal, accounting, administrative, financial, insurance, research, marketing or other services; and
- any other person authorised and specified by you.
In addition, we may use or disclose your personal information:
- where required or authorised by law or an order of a court or tribunal;
- in accordance with applicable privacy law, including where we hold a reasonable belief that the use or disclosure is required for certain enforcement or health and safety purposes, or that use or disclosure is necessary in relation to certain suspected unlawful activity or misconduct; or
- if reasonably necessary for the establishment, exercise or defence of a legal or equitable claim or for the purposes of confidential alternative dispute resolution.
We may at other times notify you about our disclosure practices in respect of specific functions or activities.
If you do not provide some requested personal information, you may not be able to participate in a particular activity (for example, a clinical trial) or we may be delayed or prevented from finalising our business with you, or satisfying your request or enquiry. If you have any queries about this, please contact us.
4. Storage and security of your personal information
We may hold your personal information in a number of different formats, including software programs (located both onsite and offsite, including in the cloud), databases, filing systems and in offsite backup storage. Personal information may be stored in email accounts that are accessible through mobile devices. Given the nature of our business, we are likely to disclose your personal information overseas to countries within and outside the European Economic Area, including to recipients in the following countries: Australia, France, the United Kingdom and the United States. When we transfer your personal information outside the EEA (for example to our internet servers which are located in Australia) we take all steps reasonably necessary to ensure that any such transfer is made securely and that there is adequate protection in place in order to protect your personal information.
Please contact us if you wish to find out more; you can ask us for a copy of the relevant safeguards implemented in relation to the transfer should they be required.
We take all reasonable steps to protect your personal information from loss, unauthorised access, modification, disclosure or misuse. However, we cannot ensure the security of any information that you transmit to us over the internet and you do so at your own risk.
5. Retention of your personal information
We will retain your personal information for as long as is necessary, considering the purpose for which we process it. If you have a query about the period for which your personal information will be retained by us, please contact us and we will inform you of the reasons why it might be necessary for us to process your information and how long we expect to retain it.
6. Your rights to your personal information
Depending on the circumstances, you may have the right to:
- request information about the personal information we hold about you and why we hold or use it;
- request access to your personal information;
- request correction of the personal information that we hold about you;
- request erasure of your personal information where there is no good reason for us continuing to process it or where you have exercised a right to object to processing (see (e) below);
- object to processing of your personal information where we are relying on a “legitimate interest” (or the interests of a third party) under the GDPR and there is something about your situation which makes you want to object to processing on this ground or where we are processing your personal information for direct marketing purposes;
- object to automated decision-making including profiling by us using your personal information;
- request the restriction of processing of your personal information (for example, to suspend the processing of your personal information due to inaccuracy or our stated reason for processing it);
- request that we provide you or a third party the personal information we hold regarding you in an electronically useable format; and
- where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, to withdraw your consent for that specific processing, in which case we will no longer process your information for the purpose or purposes to which you originally consented, unless we have another legitimate basis for doing so.
If you wish to exercise a right that you have regarding your personal information, please contact our Privacy and Data Protection Officer using the details below.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it and to prevent unauthorised modification of your personal information.
We will process your request within a reasonable time, and, where required, within the timescales provided by the GDPR. If we do not comply with your request, we will give you the reasons why it has been refused and advise you on avenues to make a complaint.
7. Complaints
Please notify our Privacy and Data Protection Officer if you have any complaints relating to our handling of your personal information.
You also have the right to lodge a complaint with a supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (www.oaic.gov.au). In France, this is the CNIL (www.cnil.fr/en/home). In the United Kingdom, this is the ICO (www.ico.org.uk).
8. Changes to this policy
This policy was last updated on 28 November 2023.
We may amend this policy by publishing a revised policy on our website. Any changes will be effective as at the date they are published.
9. Contact details and further information
If you have any questions in relation to privacy or you wish to request to exercise any of your rights detailed above, please contact our Privacy and Data Protection Officer (John Lambert) directly by email at info@atticusmed.com or write to the Privacy and Data Protection Officer at Level 1, 18 Kavanagh Street, Southbank VIC 3006, Australia.
For further information about privacy issues, see the website for the privacy regulator in your jurisdiction. In Australia, this is the Office of the Australian Information Commissioner (www.oaic.gov.au). In France, this is the CNIL (www.cnil.fr/en/home). In the United Kingdom, this is the Information Commissioner’s Office (www.ico.org.uk).