Terms & Privacy Policy

Sciteline respects the privacy of our clients, business partners, employees and those who seek information and/or
contact us through www.sciteline.com. We recognize the need for appropriate protections and management of the
information provided to Sciteline by its clients and users. As such, Sciteline has established policies and
practices to inform what information we collect and how that information is used. These policies and practices apply
to Sciteline, including its divisions and subsidiaries.

This Privacy Policy explains how information, including Personally Identifiable Information is processed for the products and services we provide to our clients. This Policy also explains how information is processed through use of our website and our products and services.

We want to help you understand how data is processed so that you may make informed decisions on your personal data.

Information Collection

Personal Identifiable Information (“PII”) is any information relating to an identified or identifiable individual;
this includes any information that could be used on its own or in combination with other pieces of information to identify a person. PII is not just a person’s name or email address, it can include information related to your location, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of an individual.

Sciteline may store PII provided to us by our clients and business partners who use our products and services. PII may also be directly collected by you when you register and use certain products and services, and when you visit our website and request information.

As part use of our products and services, we store individuals’ PII, which may include health information such as patient reported outcomes. This information may come directly from you when you register and use specific products and services, to which we request your explicit consent. This information may also be obtained indirectly from your healthcare provider (e.g. hospital, clinic, physician, principal investigator) who is using our products and services, and it is the responsibility of your healthcare provider to obtain your consent.

Sciteline will never share, sell, or trade Personal Identifiable Information (PII) or Personal Health Information (PHI) to third parties. Sciteline does not use or disclose Personal Health Information, except as necessary in the course of providing its product and service to its clients. If disclosure of Personal Health Information is
necessary at any point, it is used or disclosed strictly in accordance with the Personal Health Information
Protection Act.

We store and/or use the following categories of data:

Personal Identifier Details (PII)

To communicate with individuals and provide our products and services, individuals will be asked to provide basic
contact information about themselves, such as name, email address, telephone number and physical address when
registering with us. Individuals are responsible for the accuracy and completeness of the information they provide.

Some PII is automatically collected (e.g. the type of web browser and operating system used by the website visitor)
when you visit our website. Other PII is not collected unless you choose to provide such PII or indicate your
consent to any cookies that our website may employ. On our website, you can request information, subscribe to
marketing or support materials or apply for jobs at Sciteline. The types of personal information you provide to us
on these pages may include name, address, phone number, e-mail address, contact preferences, education and
employment background and job interest data.

User Login Data

When a user profile is created with our products, users will be asked to provide a username and password, contact and
demographic information about themselves, such as email address, gender, date of birth. This request is for identity
purposes and to manage individual user accounts.

Health Information

As part use of our products and services, we store individuals’ personal health information. This information may
come directly from users/clients when registering and using specific products, to which explicit consent is
requested. This information may also be obtained indirectly from a healthcare provider who is using our products and
services, and it is the responsibility of the healthcare provider to obtain consent.

Technical Information

When visiting our website, we may automatically collect the following information:

1) Technical information, including the internet protocol (IP) address, internet domain names, the web browser and
operating system used to access the Sciteline’s website, client support and to collect aggregate information for
internal reporting purposes

2)Information about an individual visit to the site, including the full URL, any products viewed or searched for, the
files visited, the time spent in each file and the time and date of each visit.

This is required in improving the stability and functionality of our website. The data will not be passed on or used
in any other way. However, we reserve the right to check the server log files subsequently, if there are any
concrete indications of illegal use.

Human Resources Information

Sciteline also collects PII of its employees (human resources data) in connection with the administration of its
Human Resources programs and functions. These programs and functions include compensation, performance appraisals,
training, travel, expense reimbursement, access to Sciteline’s computer facilities and computer networks, employee
profiles, internal employee directories, Human Resource record keeping and other employment related purposes. In
addition, we may collect PII that is provided when individuals apply for jobs at Sciteline, such as name, address,
phone number, e-mail address, contact preferences, education and employment background and job interest data.

Does Sciteline use or disclose PII and non-personal information?

Sciteline is committed to protecting the privacy, confidentiality and security of all personal data that has been
entrusted to us.

We do not use or disclose PII except as may be necessary in the course of providing its product and services to its
clients and business partners. When use or disclosure of personal information is necessary, it is used or disclosed
strictly in accordance with applicable laws, including the Personal Information Protection and Electronic Documents
Act, and applicable provincial health legislation.

PII may be used for the following reasons:

• To provide our products and/or services; to perform or fulfil a contract;
• To provide a user account for the products or services;
• Contact a prospective client;
• Provide notifications about unscheduled downtimes or new features, functionalities, terms or other aspects of the services;
• To monitor and analyze the use of the services;
• To improve our level of service;
• Respond to inquiries and other communications;
• To provide to third party vendors, service providers or agents that we have contracted with to provide
  services on our behalf (e.g., our Cloud Service Provider). These third-party vendors are bound by strict
  privacy and security provisions
• If we have a legal obligation in response to a court order, subpoena, search warrant, law or regulation;
• To consider an application for employment;
• Human Resources data may be shared with third party vendors for the exclusive purpose of enabling the vendor
  to provide service and/or support to Sciteline in connection with these Human Resource programs and
  functions. Personal information is not shared with those third parties for non-employment related purposes

Non-personal information or de-identified data may be used for the following reasons:

• To conduct audits, measurement and analyses functions in an effort to maintain, administer, support, enhance and protect the services including determining usage trends and patterns and measuring the effectiveness of content, features or services;
• To monitor and analyze the use of the services;
• To track adoption and usage of the products and services for internal quality improvement, internal research and internal product development purposes;/li>
• To provide benchmarking and performance tracking solution

Sciteline de-identifies the data for the purposes as mentioned above, and more generally, improving the services through understanding usage patterns by end users. We will not use data to re-identify individuals.

Legal Issues

We may use PII to detect, investigate, address and prevent fraudulent or illegal activities. We reserve the right to disclose an individuals’ PII as required by law, when we believe that disclosure is necessary to comply with a judicial proceeding, court order, or legal process served on us and to defend against legal claims.

Corporate Matters

Except as provided in this policy, Sciteline does not use or process PII for a purpose that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual, as required by law.

Third parties receiving PII are expected to apply the same level of privacy protection as contained in this Privacy Policy. Except for the examples described above, Sciteline will not share PII with any other third parties without your permission, unless required by, or in connection with, law enforcement action, subpoena or other litigation or applicable law.

We will not sell, trade or lease any personal data to others.

Data Security

Sciteline is committed to taking reasonable efforts to secure the PII you choose to provide us. To protect the privacy of any PII you have provided, we employ industry-standard controls

including physical access controls, internet firewalls, intrusion detection and network monitoring.

When an individual communicates with us via our site, we cannot guarantee or warrant the security of any information that transmitted, as is the nature of the internet, no data transmission over the internet can be guaranteed to be 100% secure. While we have implemented reasonable safeguards to prevent unauthorized use or disclosure of the information, we cannot guarantee the security of any information transmitted via our site.

Links to Non-Patient Websites and Third Parties

The Sciteline website may provide links to third-party web sites for convenience and information; by accessing those links, you will leave the Sciteline website.

Sciteline does not control those sites or their privacy practices which may differ from Sciteline’s policy. We do not endorse or make any representations about third party websites.

We encourage individuals to review the privacy policy of any company or institution before submitting personal data. Some third-party companies and institutions may choose to share personal data with Sciteline; that sharing is governed by that third-party’s privacy policy.

Storage and Transfer

Sciteline provides its products and services from its head office in Toronto, Ontario, Canada, unless otherwise specified. We store Canadian client data on secure servers located in Canada and U.S. client data on secure servers located in the US. Sciteline’s Canadian servers are located in Montreal, Quebec and certified as ISO 27001:2013
compliant. Sciteline may also store, process or access clients’ data from Canada for purposes of, for example: responding to client support and technical requests; fixing software issues; or, providing services to a client on the back end of the platform (e.g. performing simulation testing of our disaster recovery plan). However, regardless of location, PII will be protected in accordance with applicable privacy laws, including having stringent privacy and security safeguards and appropriate mechanisms in place.

Retention

For our products and services that we provide to healthcare providers, we will retain data in accordance with our client’s data retention policy and will destroy and/or return data at the end of the provision of services. After such time, data may be stored in an aggregated and anonymized format.

Where we have collected PII directly (e.g. via the website or use of our Virtual Clinical Trial product) and not from you’re an individual’s healthcare provider, it shall not be kept for longer than is necessary for that purpose or those purposes. An individual may notify us at any time should they choose to deactivate their account and have
their personal data deleted. We will delete or destroy the PII in a manner designed to ensure that it cannot be reconstructed or read.

Openness, Transparency and Access to PII

Under privacy laws, individuals have specific rights, and we work with individuals, clients and healthcare provider (e.g. hospital, clinic, physician, principal investigator) to honour this.

PII Collected by Healthcare Provider

Where a healthcare provider (e.g. hospital, clinic, principal investigator, trial coordinator, nurse) has collected PII directly, and has provided it to Sciteline as the result of the product or service with the appropriate consents (e.g., Virtual Clinical Trial platform), we encourage individuals to contact their healthcare provider directly
regarding the request. These may include requests related to:

• Access to information
• Consent
• Rectification or corrections
• Restriction of processing
• Inquiries or complaints

We will provide the data custodian with all the information necessary to respond to requests and work with them to assist them fulfill their obligations as custodians and address your rights under the law.

PII Collected by Sciteline

As indicated in this Policy, whenever we rely on an individual’s explicit consent to process their PII, the individual has the right to opt-out and withdraw their consent at any time.

We do not require that any individual provides us with PII. The decision to provide PII is voluntary. Except as expressly stated otherwise in this policy, individuals may opt out of having Sciteline share PII with third parties as described in this policy by notifying us in writing of their desire to do so.

If an individual does not wish to provide the PII requested, however, they may not be able to proceed with the activity or receive the benefit for which the personal information is being requested. Similarly, by choosing to unsubscribe from receiving notifications or messages, my compromise the client experience in using the products
and/or services. If complying with a request would result in termination of any services, we will make that clear and confirm this with the individual before proceeding.

If we have obtained PII directly with express consent, in addition to the right to withdraw consent, an individual may:

• Ask Sciteline to restrict our processing of personal data or object to our processing;
• Request a copy of information we hold about the individual;
• Make an inquiry and/or complaint

In order to make an inquiry, complaint or withdraw consent, an individual can contact contact@sciteline.com and we will employ best efforts to deal with the request as soon as possible.

Access to and accuracy of information

Sciteline strives to keep PII we collect accurate. We have implemented technology, management processes and policies to maintain data accuracy. We will provide individuals with access to their information and the opportunity to change that information. The individual providing us with personal information is responsible to provide true, accurate, current and complete information about themselves, and notify Sciteline if there are any updates or changes to ensure it remains true, accurate, current and complete.

Verification

Sciteline will engage in periodic self-assessment to verify that it continues to be in compliance with this these policies.

Changes to this Policy

Sciteline will review and update this policy periodically. We reserve the right to change the terms of at any time (for example due to changes in data protection laws). We will take adequate and reasonable action to obtain your consent if required, as a result of any such change.

Training and Awareness

We know that privacy and security is everyone’s responsibility, and this is reflected in our training and awareness program.

• Privacy and security training content is reviewed and updated on a regular basis.
• All staff are required to sign a Privacy and Security Employee Acknowledgment and a Privacy and Security Employee Standard of Conduct upon commencement of employment.
• Our employment agreements include contractual provisions for the safeguarding and proper handling of confidential information (which may include PI and/or PHI) made available by our clients, should employees require access as part of their job function.

Privacy Incident and Breach Management

In accordance with Sciteline’s regulatory requirements, Sciteline’s Privacy Incident &Breach Management Procedures provide a comprehensive set of steps for handling privacy events (which include concerns, incidents, breaches, including third party breaches) that impact Sciteline and its clients, employees and end users.

If you have concerns or are reporting a breach in Ontario an individual may contact the Information and Privacy Commissioner of Ontario:

Email: info@ipc.on.ca
Toll Free: 1-800-387-0073

HOW TO CONTACT SCITELINE

For more information about Sciteline’s privacy practices or to raise a concern you have with our practices, contact us:

Chief Executive Officer, Chad Walsh

chad.walsh@sciteline.com

351 King Street East, Toronto, ON M5A 0L6

1-519-766-3203