Privacy Statement

Effective Date: June 1, 2021 (prior version) (Terms and Conditions of Service)

1. Introduction

Welcome to xCures, Inc. (“xCures,” “we,” “us,” “our”).  This Privacy Statement describes treatment-related and other individually identifiable information we collect, including health information we collect when patients enroll in clinical trials, managed access or patient support programs, or investigational studies through our services, or information we collect from their treating physicians when they access and use our services.  

This Privacy Statement also explains the purposes of our data collection practices.  In addition, this Privacy Statement describes limits on how we can use and disclose the information we collect, and the rights of patients and their treating physicians with respect to those uses and disclosures.  It also describes our commitments to be transparent with our stakeholders about our data practices.

xCures understands that patient health information is powerful, valuable, and sensitive.  For this reason, securing and maintaining the trust of all our stakeholders is mission critical to our success. We are committed to maintaining strong and meaningful security systems and privacy protections as a bedrock principle of our company.  Complying with applicable law is just our starting point; our commitment to serving you includes regularly thinking about how we can improve how well we are both protecting patient privacy and securing the confidentiality of health information. If you have any questions or concerns about this Privacy Statement, please contact us at privacy@xcures.com.

2. Data – Definitions

We use definitions in this Privacy Statement for the different types of information we collect, create, maintain and share, to ensure consistency in how we manage and communicate our data practices.

Health Information.  Health information is medical information that relates to patient health status and/or the delivery of healthcare.  This information may be in machine-readable format, but oftentimes is not.  It also may originate as “protected health information” under HIPAA, but sometimes is not.  (For more information about protected health information and HIPAA, see How We Collect Health Information.)   Health information can come from a variety of sources, including:

  • Electronic health records
  • Claims and billing activities 
  • Product, disease and vital statistics registries
  • Patient-generated data, including in home-use settings
  • Data gathered from other sources that can inform health status, like mobile devices
  • Medical records and data captured during clinical trials or investigational studies

Real World Data.  xCures collects, creates and acquires “real world data”.  Real world data (RWD) is a structured representation of the health information that we collect, and enables further analysis and machine learning.  It also satisfies regulatory reporting standards, to support the development of real world evidence.  

Real World Evidence.  xCures collects, creates and acquires “real world evidence”.  Real world evidence (RWE) is the clinical evidence regarding the usage and potential benefits or risks of a medical product derived from the analysis of RWD.  RWE is generated by our analyses of real world data, including RWD that derives from health information and data collected from randomized clinical trials, large simple trials, pragmatic trials and observational studies, including studies with a sample size of N=1.    

Patients or Research Participants.  Health information and the RWD and RWE derived from health information pertains to individual patients with advanced disease, and resides in our systems.  After patients enroll in a clinical trial or study through xCures, we sometimes refer to patients as research participants.  

Individually Identifiable.  Information or data that we collect, create, receive, use or share may be “individually identifiable”.  Individually identifiable means that the information or data can be used to identify an individual.   

De-Identified.  Information or data that we collect, create, receive, use or share may be “de-identified”.  At minimum, de-identified means that the information or data has been stripped of personal identifiers.  Depending upon the particular conditions of a circumstance in which de-identified information or data is used or disclosed, we may apply additional measures to further safeguard privacy, prevent re-identification and comply with applicable laws or industry-recognized best practice clinical guidelines.   

Pseudonymization.  We create, use and apply pseudonyms as a way to de-identify information and data.  Pseudonyms are unique identifiers that we substitute in place of individual identifiers in information and data of individual patients.  Pseudonyms are generated and do not include any individually identifiable information.  Pseudonyms are one measure we use to manage information and data, maintain data quality and integrity, and safeguard patient privacy.  

Account and Usage Data.  xCures creates and collects unique identifiers for individuals that create account credentials to use our services (“account holders”).  Some of these identifiers can include identifiers from the devices, browsers and operating systems that account holders use when they access our services.

3. Our Business Purpose

For convenience, we provide the following summary of our business purpose, to provide context for the data practices described in this Privacy Statement.  Since information in this summary is described in more detail elsewhere, please read the Privacy Statement in full, and not rely on this summary alone.

Our aims are to help more patients with known or suspected cancer get access to potentially life-saving therapies, and to accelerate the drug research and development lifecycle.  We accomplish these aims by helping patients and their treating physicians identify and select therapies based on evidence of potential benefit, which we are able to identify and display through our services.  When these therapies are not covered by a patient’s insurance or otherwise accessible to the patient, we help patients access the therapy by other means.  Typically, we do this by working with relevant sponsors to design a trial or study that we help run, and by partnering with non-profit foundations and other organizations that offer to subsidize or pay for ancillary treatment or other costs associated with running a trial or study.  

Patients that we help connect to a given therapy enroll in one of our programs, and other studies or trials that we design or identify for their participation. As part of the informed consent process for these studies or trials, research participants direct xCures to collect, use and disclose their health information for the permitted purposes outlined in this Privacy Statement.  

In general, we collect the health information of research participants to create real world data.  We generate reports containing real world data and real world evidence for their treating physicians, and maintain dashboards through our service for treating physicians that are also account holders.  We also allow research participants and their treating physicians to direct us to share these reports with others involved in the patient’s care.  These parties can include other physicians, friends, family members and health plans.

The informed consent process also allows xCures to continue collecting the health information of patients for the duration of their participation in a clinical trial or study, to use their health information internally to improve our treatment matching algorithms, and to commercialize de-identified derivatives of their health information.   

xCures does not disclose individually identifiable health information or real world data to trial or study sponsors, and we implement measures that control and limit the disclosure of individually identifiable information or data to other third parties.

Our approach to generating real world data and real world evidence is unique because it invites patients to participate in efforts that accelerate innovation in the life sciences, in ways that benefit themselves but also other patients, now and in the future.

4. How We Collect Health Information

We only collect health information when we have a legal basis for doing so.  Most of the time, we collect health information at the direction and with the consent of patients.  Sometimes, we collect health information without patient consent.  In these cases, our access, use and sharing of health information is determined and limited by our contractual and legal obligations as a HIPAA “business associate” or clinical research organization, described more fully below.

Background:  HIPAA and Protected Health Information

Most of the health information we collect is considered “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations (collectively, “HIPAA”).  HIPAA is a federal medical privacy law that applies to covered health care providers, health plans and any entity that creates, receives, maintains or transmits protected health information on their behalf (“business associates”).  It also gives patients the right to request their protected health information and the ability to designate a third party to request and receive their information on their behalf.  

Collecting Data under the HIPAA Right of Access

If we collect health information at the direction of patients, we do so as the patient’s designated third party requester under the HIPAA “right of access”, consistent with a clinical trial or study protocol that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for clinical research. 

Once HIPAA covered entities transmit a research participant’s health information to xCures, the health information is not considered to be “protected health information” under HIPAA anymore.  Instead, it is managed according to this Privacy Statement and other laws applicable to the use of data for clinical research.  For more information, see “Collecting Health Information As a Clinical Research Organization”.  

A differentiating characteristic of xCures’ data practices is its XCELSIOR research study protocol.  This protocol is foundational to all clinical trials and studies available through our xACCESS platform.  Under the XCELSIOR research study protocol, patients enrolling as research participants not only consent to the collection of their medical information and real world data to support clinical research, they also receive a clinical summary – called Cancer Journey – which is portable, personalized and persistent, and protected by the Patient Rights detailed below.  

Collecting and Creating Data as a HIPAA Business Associate

When we collect health information without a patient’s consent, we may be doing so as a service provider or vendor of a HIPAA covered entity.  In these situations, we are acting as the HIPAA covered entity’s “business associate”.  As a HIPAA business associate, our rights to access, create and use health information are not dictated by a patient, but by the contractual arrangements between xCures and the HIPAA covered entity.  In these situations, our data practices are governed by HIPAA and other applicable state medical privacy laws.

Collecting Health Information As a Clinical Research Organization

When we help administer a study or trial, we collect health information according to the protocols for the study or trial.  These protocols are governed by an institutional review board, and our activities must adhere to widely recognized best practice guidelines and laws.   

In addition, we may help design a study or trial protocol, and ask HIPAA covered entities for access to protected health information in their systems to inform the study design or identify patients as potential research participants.  In these cases, we may sign a business associate agreement or other data use agreement to ensure our access is compliant with HIPAA.

5. Information We Collect When You Visit Our Website or Use Our Services

When you use the xCures website, we may collect technical and navigational information about your visit, such as computer browser type, Internet protocol address, pages visited, and average time spent on the site. This information will be used to improve our site design and functionality. We also may use a tracking technology, such as cookies (a small text file placed on your computer to identify your computer and browser) or web beacons (an electronic file placed on a web site that monitors usage) to improve the experience of our site (for example, prepopulating your information for ease of use). We also may from time to time share information about your website use with service providers who are assisting us in analyzing or operating the site; however, these service providers are contractually prohibited from using that information for other purposes. You may reset your web browser to refuse all cookies or indicate when a cookie is being sent – however, certain features of our site or services may not work if you delete or disable cookies.

Be advised:  Third parties, like advertising networks, web analytics companies and social media and networking platforms, may collect information about your online activities over time and across multiple web and mobile platforms.  Their use of tracking technologies when you access our online services may be used to predict or determine a likely association or relationship between two or more devices, or to help them serve you content on other websites and social media platforms.  We are not responsible for third party tracking technologies used by these third parties, or for the targeted advertisements they may enable to be served to you on other platforms.  We encourage you to check the privacy policies of these third parties to learn more about their privacy practices, and use internet and portable device technologies from third parties that you trust when you access and use our services.

6. How We Use Information and Data

We use health information to create de-identified real world data and real world evidence to improve our treatment matching algorithms, to deliver our services, and to support other activities consistent with the business purposes described in this Privacy Statement.

Without limiting the foregoing, we use health information, real world data, real world evidence, account credentials, usage data and pseudonyms to: 

  • Deliver and manage account holder access to our online services
  • Send communications to our account holders, and provide them with customer service and technical support
  • Bill and collect payment for our services
  • Carry out our contractual obligations
  • Evaluate and improve our services
  • Take appropriate action to maintain the security of our services, safeguard the privacy of individually identifiable information, and adhere to applicable laws, regulations and consensus-based standards associated with human subject research in clinical studies
  • Take actions to enforce our agreements and policies

7. How We Disclose Information and Data to Others

We consider individually identifiable information and data that we receive to be confidential.  We do not disclose individually identifiable information or data without a legal basis for doing so.  Our business does not involve the sale of individually identifiable information or data, or use for marketing purposes.  However, we do sell de-identified real world data and real world evidence when we have a legal basis for doing so.  We will disclose individually identifiable information or data to patients, their treating physicians and others to support clinical or treatment purposes, consistent with HIPAA, or when patients otherwise direct us to do so.  

Without limiting these use cases, we may disclose information or data as follows:

Third Party Service Providers

To deliver our services, we use a variety of third party service suppliers of technology, internet service hosting, payment processing, technical integration, marketing, analytics, and customer service and support. We share the minimum necessary individually identifiable information or data with these third parties for them to provide their services to us. These companies are acting on our behalf and are required, by contract with us, to keep our information and data confidential, and are only authorized to use and disclose it for specified purposes, which are consistent with this Privacy Statement.

Treating Physicians

We share individually identifiable real world data and real world evidence with the treating physicians of patients enrolled through xCures in a clinical trial or study.

Other Physicians, Clinical Trial Teams and Third-Parties, As Directed by Patients

We share individually identifiable real world data and real world evidence with other physicians that have a patient-provider relationship with the patients enrolled through xCures in a clinical trial or study, members of the clinical trial teams involved in the study or trial in which a patient participates, and with any other third parties that a research participant designates.  These third parties can include friends and family members involved in the research participant’s care.  

Clinical Trial or Study Sponsors

We share de-identified real world data and real world evidence with the biotech companies, drug manufacturers, clinical laboratories and other entities that sponsor a patient’s participation in a clinical trial or study.

Health Plans

If directed by a research participant or treating physician, we share individually identifiable real world data and de-identified real world evidence with health plans.  Typically, these disclosures are made to support a patient or treating physician’s request for coverage of an off-label use of a therapy under the patient’s health insurance plan.  We may also sell de-identified real world data and real world evidence to health plans, to determine the effectiveness of treatment for a given population of patients, for example.

Nonprofit and Patient Advocacy Organizations

We share de-identified real world data and real world evidence with the organizations that pay or subsidize costs of a patient’s participation in a clinical trial or study, including ancillary costs.  These organizations can include non-profit foundations, patient advocacy organizations and the managed access or patient support programs of biopharma companies.  Ancillary costs can include family lodging, meal and travel costs, for example, when patients must visit a clinical trial or study site for a given therapy.

xCures’ Virtual Tumor Board

If a treating physician subscribes to xCures’ virtual tumor board services, we may disclose case summaries or other reports containing de-identified real world data to other tumor board participants.   

Other Clinical Researchers and Investigators

We share de-identified real world data and real world evidence with a variety of other clinical researchers and investigators, to aid in their clinical research activities.  These clinical researchers may be employed or compensated by universities, academic medical centers, biotechnology companies, drug manufacturers, next generation genomic sequencing laboratories and other similar enterprises.

Publications

We may publish or permit the publication of de-identified real world data or real world evidence when it supports the dissemination of generalized scientific knowledge.

Law Enforcement and Regulatory Authorities

We resist disclosing individually identifiable information or data to law enforcement or regulatory authorities unless we determine we must do so under law to comply with a valid court order, subpoena, or search warrant.  We closely scrutinize all law enforcement and regulatory requests.  If we determine that we must comply with a valid law enforcement or regulatory request, we first determine if we can comply after receiving the explicit authorization to make the disclosure.  Otherwise, we attempt to comply by limiting disclosure to de-identified information or data, or by redacting information so that only the minimum necessary individually identifiable information or data is disclosed.  We also attempt to receive adequate assurances from the requesting law enforcement or government agency that it will protect the Individually Identifiable information or data to the highest degree possible, and will not disclose it in violation of applicable federal or state confidentiality laws.  While we cannot offer assurance that these efforts will be successful, we will maintain a detailed record of all disclosures we make in response to law enforcement and regulatory requests.  Also, if permitted by applicable law, we will notify you of the disclosure by certified mail to any home address that you have disclosed in your account profile. 

Civil Proceedings

If xCures is a party to a legal proceeding with an account holder or research participant, we may disclose individually identifiable information or data to the court or arbitrator for purposes of resolving a civil dispute.  If xCures is not a party to a legal proceeding, we may be required by law to disclose this individually identifiable information or data pursuant to a valid subpoena, discovery request or other lawful process.  Even if additional protections are not required by applicable laws, we use our reasonable best efforts to obtain your authorization or seek a qualified protective order to protect individually identifiable information or data before disclosing it in a civil proceeding.   We also use reasonable best efforts to limit disclosures of individually identifiable information or data to the minimum necessary to accomplish their intended purpose.  

Affiliates

xCures does not have any subsidiaries, is not controlled by a parent entity and is not under common control with any other affiliated entity.  If we have affiliates in the future, xCures will not share individually identifiable or de-identified information or data with them unless they sign an agreement contractually obligating them to keep disclosed information confidential and to limit their use of information to the purposes permitted in this Privacy Statement.

Business Transfers

If we enter into a merger, acquisition, or the sale of all or part of our assets, the information and data we maintain will likely be part of the assets transferred.  If this happens, we will attempt to notify research participants and account holders, using the most recent e-mail address we have associated with their respective profile.  We will use our reasonable best efforts to ensure that the successor entity maintains commitments that are consistent with this Privacy Statement; otherwise, we will dispose of information or data that is individually identifiable, consistent with practices described under How Long We Retain Information.

8. How We Secure Personal Data

We implement industry-leading safeguards to protect our information systems and the information and data in our control from unauthorized access, disclosure, use, modification and loss.  Information security measures include: secure storage, encryption of digital records in transit and at rest, periodic log reviews, and system backups. 

We regularly review our data protection practices to consider appropriate new technological and other safeguards. Designated officers are responsible for ensuring that our data practices and security measures are consistent with this Privacy Statement, the Terms and applicable laws.  We also maintain a formal training program to ensure our workforce is familiar with common and emergent security and privacy risks, that they understand their responsibilities for safeguarding the information and data in our control, and that they report concerns to their immediate supervisors. Despite these and other measures, we cannot and do not guarantee that individually identifiable information or data will be absolutely safe from interception or intrusion during transmission or while stored on our systems, or otherwise.  Account holders and patients acknowledge and agree that they consent to our collection, creation and maintenance of Individually Identifiable information at their own risk.

When selecting appropriate measures for de-identification, we follow a risk-adjusted approach, because the risk of identification for one particular data set in the context of a specific environment may not be appropriate for the same data set in a different environment, or a different data set in the same environment.  

If we believe that the security of the individually identifiable information or data of a patient or account holder may have been compromised, we will notify the impacted parties about the breach using the email provided in their respective account profile.  The notification will include the following information:  

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; 
  • A description of the types of unsecured Individually Identifiable information or data that were involved in the breach; 
  • Steps individuals should take to protect themselves from potential harm resulting from the breach; 
  • A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and 
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address. 

At any time, research participants and account holders can notify us by contacting privacy@xcures.com if they prefer to be notified by first class mail, or want to request a print copy, at no charge, of any electronic notice that we may have sent about the incident.

9. How Long We Retain Information

In general, we retain de-identified information or data in perpetuity.  We retain individually identifiable information and data for as long as needed to maintain our information systems and comply with applicable laws.  If required by law to delete individually identifiable information or data, we delete that information by following internal policies that align to these laws.  

Be advised, given the complexity of our production environment and the security measures in place to safeguard the confidentiality, integrity and availability of all data, it is not feasible for us to destroy or erase all data, particularly those created pursuant to our standard electronic backup and archival procedures.  However, the personnel with access to these retained copies are curtailed and monitored; access is limited to that reasonably necessary for the performance of their information technology duties (e.g., for purposes of system recovery) or legal duties. All individually identifiable information that is not destroyed as permitted remains subject to the Privacy Statement then in effect.

10. Patient Rights

Research participants can exercise any of the following rights:

Request a copy of their Cancer Journey.  The Cancer Journey is a report populated with the research participant’s individually identifiable real world data, including extracts from the research participant’s health information.  

Request that information in their Cancer Journey be amended, corrected or deleted.  If a research participant believes any of the information in their case summary is not accurate, timely, complete, relevant or necessary, please let us know that you would like the Cancer Journey to be amended, corrected or deleted.  A member of our team will review the request and consult with the treating physician or study investigator to determine if the case summary needs to be amended, corrected or deleted, and promptly take appropriate action. 

Direct xCures to share a copy of their Cancer Journey with third parties.  A research participant can direct xCures at any time to share a copy of their Cancer Journey with third parties.  Keep in mind, however, that some requests cannot be fulfilled while the clinical trial or study is ongoing.  xCures will use reasonable efforts to fulfill requests for recurrent updates.

Restrict access to copies of their Cancer Journey.   A research participant can also direct xCures not to share a Cancer Journey with a third party, or to stop sharing Cancer Journey updates with a third party.

Revoke xCures’ authorization to continue requesting health information.  A research participant can revoke xCures’ authorization to continue requesting health information.  Revoking this authorization will not impact the research participant’s continued enrollment in current clinical trials or studies, but may limit their ability to participate in future clinical trials or studies.

Request that health information be deleted.  A research participant can request xCures to delete their health information; however, fulfilling these requests may not be feasible, given regulatory recordkeeping requirements.  We will act on these requests as required by applicable laws, but may decline these requests at our sole discretion in order to comply with our legal and contractual obligations, and to resolve disputes to enforce our legal agreements; we may retain a de-identified copy for research purposes.  If feasible, we may curtail access in health information systems to personnel involved in the performance of information technology duties (e.g., for purposes of system recovery) or legal duties. All health information that is not destroyed as permitted remains subject to the Privacy Statement in effect at the time a request for deletion is made, for as long as we retain that health information.

Request an accounting of disclosures to third parties.  A research participant can request an accounting of the Cancer Journey disclosures xCures makes at their direction or the direction of their treating physicians.  Patients cannot request an accounting of de-identified information or data.

To exercise any of these rights, contact xCures Support Team at privacy@xcures.com.  We acknowledge emails within one business day. Requests are subject to individual verification procedures.  After verifying the request, a member of our team will review your materials, and make a determination as to whether the request can be fulfilled. Please allow up to ten (10) business days after verifying identification for us to make this determination. We will inform you in writing if we need more time, if the request will be granted or the reasons for denial.

11. Changes to this Privacy Statement

We reserve the right to change this Privacy Statement. When we change it, we will notify account holders and research participants by email to the address associated with their account profile.  These notifications will include a link to the updated Privacy Statement.  The updated Privacy Statement will indicate its effective date, and include links (i) to the Privacy Statement it is replacing and (ii) a summary of changes.  

To continue using xCures’ services, account holders will be required to accept the updated Privacy Statement and affected research participants will be required to accept an updated Participation Agreement or informed consent. If we make significant changes (for example, a new use or disclosure of Individually Identifiable information or data that we have already collected and stored), we will give account holders and affected research participants a reasonable amount of time to consider the changes before they become effective.  If account holders do not accept the updated Privacy Statement, they may be blocked from accessing xCures services.  If you are blocked from your xCures account, please contact privacy@xcures.com for assistance with closing your account and getting a machine-readable copy of information or data that you have the authority to access and download.

12. Personal Representatives

xCures may allow individuals that are recognized as a patient’s “personal representative” or “legal guardian” under applicable state law to give consent for the patient to become a research participant.  xCures recognizes parents of children under the age of majority in the state where they live, or the holder of a medical power of attorney as personal representatives, absent actual knowledge to the contrary.  xCures reserves the right to verify the identity and authority of individuals holding themselves out as the personal representative or legal guardian of a Patient.

13. Minors

We do not knowingly market to or solicit information or data from children under the age of 13.  A parent or personal representative of a patient under the applicable legal age of consent must give consent for the patient to become a research participant.  If we obtain actual knowledge that we have collected individually identifiable health information about a minor under the applicable legal age of consent without their legal representative’s consent, we will use reasonable efforts to refrain from further using such individually identifiable health information, take steps to disable further use or access of it in a retrievable form, and delete real world data and real world evidence that derives from that information.

14. Supplemental Privacy Notices

We may provide additional privacy notices that supplement or amend the disclosures contained in this Privacy Statement when account holders or patients access services of xCures that are not described in this Privacy Statement.  Those notices control with respect to the services that they reference when they conflict or are inconsistent with this Privacy Statement.

15. International Data Transfers

If you are located in the United States—

We do not knowingly transfer any health information outside of the United States unless that transfer is subject to an agreement for safeguarding the health information, consistent with applicable medical privacy laws in the United States, including HIPAA.  

We do not knowingly transfer any individually identifiable real world data or real world evidence outside of the United States, except at the direction of a research participant, a treating physician or in accordance with a clinical trial or study protocol that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for healthcare research.

We may transfer de-identified real world data or real world data outside the United States as long as the transfer complies with applicable data protection laws.

16. Jurisdiction-Specific Provisions

The services that currently link to this Privacy Statement are intended primarily for users located in the United States, and we only store individually identifiable information or data in our control in data centers located in the United States.  If you are located outside of the United States, or a resident of another jurisdiction, be advised: 

The laws of the United States governing data collection and use may differ from the applicable laws where you are located, and you will be transferring data to the United States for storage and processing.  By visiting our website, using our services or providing your personal data, you consent to such transfer, storage and processing.

16 A. European Economic Area (EEA)

That said, if you are an account holder or research participant, and also reside in the EEA, the data protections specified by the EEA’s General Data Protection Regulation (GDPR) may be applicable to you.  In consequence, the following disclosures explain our legal basis for collecting and using your individually identifiable information or data, and the rights guaranteed to you as an EEA resident with respect to that information and data.  For this purpose, we are a “data controller”.  

Be advised: While the GDPR represents a minimum set of data protection standards that the individual nations within the European Economic Area are required to implement, the actual laws of the nation of the EEA where you reside may confer additional rights to you, which are not included in the following disclosures.

xCures does not self-certify under the E.U.-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield to comply with data protection requirements when transferring Personal Data from the European Economic Area (EEA) to the United States. 

Legal Basis for Processing

Our legal basis for collecting and using your individually identifiable information or data depends on the nature of the personal information concerned and the specific context in which we collect it.  We always seek your explicit consent before collecting and using your individually identifiable health information or data, unless we are otherwise authorized or directed to do so as a “business associate” to a HIPAA covered entity, or participating on a clinical study team with respect to a study or trial that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for healthcare research.  In some cases, we also may have an independent legal basis for collecting and using some or all of your health data; for example, if you direct a third party to share your individually identifiable health information with xCures. 

We collect and process health information and real world data for the purposes listed in Our Business Purpose.  These purposes are subject to overriding individual rights guaranteed under the GDPR, listed below.  If we are unable to deliver services and simultaneously help you exercise these rights to the fullest extent, we will let you know the reasons why.  At that point, you can decide either to close your xAccess account (if you are an account holder), or withdraw your consent as a research participant in a study or trial accessed through xCures.

In some cases, we may also have a legal obligation to collect individually identifiable information from you or may otherwise need this information to protect your vital interests or those of another person.  An example is if we need to verify your identity or authority to access individually identifiable information or data to fulfill a data request.

If we ask you to provide individually identifiable information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of that information is mandatory or not (as well as of the possible consequences if you do not provide it).

If we collect and use your individually identifiable information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate the services that link to this Privacy Statement, to communicate with you about these services and for other legitimate commercial interests, like those listed in How We Use Information and Data.  We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us by email to privacy@xcures.com subject line:  GDPR Privacy.

Individual Rights of EEA Users

Access.  You may request access to your real world data.  For more information, see Request a copy of their Cancer Journey under Patient Rights.

Correction.  You can request corrections to inaccurate or incomplete information in your Cancer Journey.  In some cases, you may need to request these corrections from the source of the health information.  For more information, see Request that information in their Cancer Journey be amended, corrected or deleted under Patient Rights.

Object to, Limit, or Restrict Use of Data.  You can ask us to stop using all or some of your individually identifiable information or data, or to limit some or all of our uses of it.  If you wish to limit or restrict use of this information or data, some or all of the services – including therapies through clinical trials or studies – may not be available to you or your patients.  If that is the case, your remaining option is to discontinue using our services.

Deletion.  In certain circumstances, you can request a right “to be forgotten” (this is a right to have your information deleted or our use of your data restricted). We will honor these requests unless we have to retain this information to comply with a legal obligation or unless we have an overriding interest to retain it.  For more information, see Request that health information be deleted under Patient Rights.

Portability.  As a research participant, you can exercise the right of data portability (this is a right to obtain a transferable version of your Cancer Journey to transfer to another provider).  For more information, see Request a copy of their Cancer Journey under Patient Rights.

16 B. California

California Privacy Act Notice – Use of Information for Marketing. Under California Civil Code Sections 1798.83-1798.83, California residents are entitled to ask us, once per year, for a notice identifying the categories of information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for these affiliates and/or third parties. Requests will apply to information provided during the previous calendar year (for example, if you request information in 2021, you will receive information regarding 2020).

xCures does not currently have any Affiliates and does not use individually identifiable information or data for marketing purposes.  

California Consumer Privacy Act of 2018 and California Consumer Privacy and Enforcement Act of 2020

Notice – Accessibility. California Civil Code Sections 1798.100-1798.198 and their implementing regulations.  This Privacy Statement must be made available in the languages we use in the ordinary course of disclosing contracts, disclaimers, and other information to consumers.

This Privacy Statement is available in English.  Please do not hesitate to contact help@xcures.com if you experience difficulty with reading this Privacy Statement, or accessing any of our services.  We are committed to ensuring equity of access to the therapies available through our services.

Right To Know.  California residents can request a disclosure in machine-readable format of the categories and specific pieces of individually identifiable information that we have collected about you and your household during the 12 months preceding our receipt of a verifiable consumer request (limit two times per 12-month period). You can also ask where this information came from, and what we use it for.  

For this information, patients in California can request a copy of their Cancer Journey.  For more information, see Patient Rights.

Right to Opt Out of Sale of Your Information.  California residents have the right to opt out of any sale of their personal information, unless the business does not sell personal information, and states in its Privacy Statement that it does not and will not sell personal information.

xCures does not sell any individually identifiable information or data, or use it for marketing purposes.  For more information, see How We Disclose Information and Data to Others.

Right to An Accounting of Disclosures, When Individually Identifiable Data Is Sold. California residents have the right to receive an additional accounting of disclosures made by businesses subject to the CCPA that sell the personal information of California residents.

Since xCures does not sell any individually identifiable information or data, this right is not applicable to California residents that access or use any xCures services that link to this Privacy Statement.

Disclosures about Incentives and Differential Terms.  Businesses subject to the CCPA must notify California residents when they offer financial incentives – or vary their service terms – in exchange for selling their personal information.

xCures does not offer financial incentives or vary our service terms as a way to induce you or other users to permit us to sell your individually identifiable information.

Deletion Rights.  Businesses subject to the CCPA must honor requests that enable California residents to request that their personal information be deleted. For more information, see Request that health information be deleted under Patient Rights.

17. Prior Versions; Summary of Changes

We updated our Privacy Statement from the previous version to coincide with the launch of new services, including xACCESS, and xINFORM.  The version of the Privacy Statement it replaces can be found at http://xcures.com/privacy-policy-v2020