Leal Health Inc. (“Leal Health”, “we”, “us”, “our” or the “Company”) is a patient-first digital health company with a mission to democratize access to advanced cancer treatment. We provide an AI-based clinical trial matching and decision support web application that serves as a gateway between cancer patients and biopharma (the “Platform”). We connect Platform-registered cancer patients (“Patients”) to clinical trials suitable to their condition, by offering them a real-time personalized list of matched clinical trials; facilitating their communication with trial coordinators; and supporting them throughout their trial enrollment process (together “Trial Matching Services”). Our Trial Matching Services also provide cancer patients’ healthcare providers with a trial-matching search engine. Our Platform also provides biopharmaceutical companies (“Clients”) with a Patient Match Optimizer (“PMO”), which allows them to monitor, track and analyze the barriers keeping cancer patients from enrolling into their clinical trials, in order to improve and diversify patient enrollment (Trial Matching Services and PMO together, the “Services”).
Leal Health respects the privacy of Patients, Clients, health care providers, partners, vendors, service providers, employment candidates and website visitors, and is committed to protecting the personal information that is shared with us (these and any others with respect to whom we collect Personal Data, shall collectively be referred to as “you” or “Data Subjects”).
For the purposes of the EU General Data Protection Regulation and the UK Data Protection Law 2018 (together the “GDPR”), as well as other applicable privacy laws, Leal Health is a data controller (“Controller”) in relation to the Personal Data of Patients who seek our Services, the representatives of our Clients and prospective clients, health care providers, caregivers, employees, partners, vendors and website visitors.
1. WHAT INFORMATION MAY WE COLLECT?
Summary: we collect various categories of Personal Data in order to meet our contractual obligations, provide you with our Services, and also to meet various legitimate interests, such as fraud prevention and marketing.
Personal Data (also known as ‘personal information’) means information which identifies or is reasonably capable of being associated with a particular natural person. Personal Data does not include information that has been deidentified, aggregated or anonymized.
You do not have any legal obligation to provide any Personal Data to Leal Health. However, we require certain information in order to perform contracts, for internal audit purposes or to provide any Services. If you choose not to provide us with certain information, then we may not be able to provide you or your organization with some or all of the Services.
We collect several categories of Personal Data from a variety of sources while providing our Services and conducting our business, including those listed below.
(a) Patient data
If you are a Patient making use of our Trial Matching Services, we collect your Personal Data as necessary in order to provide you with our Services (“Patient Data”). This data is provided voluntarily by you, or by your legally authorized representative or healthcare provider, in a variety of ways, including: when you fill out our online questionnaire, during your registration to our Platform; during your ongoing use of our Platform; when you contact us in order to provide us with your data; and in the framework of our clinical team’s ongoing communications with you by phone or email throughout your trial enrollment process.
Patient Data may consist of any/all of the following information, to the extent you provide it to us:
- Name (first and last)
- Contact information (e.g. email, phone number)
- Platform login credentials
- Date of birth (by month and year)
- Demographics (gender, age, race)
- Location (general location stored in a geo-hashed form, i.e. not exact address). This data helps us offer you clinical trials that are closest to you first.
- Medical data: type of cancer, cancer diagnosis date, disease characteristics (e.g. status, size, stage, location), biopsy genetic testing biomarkers, whether patient is pregnant and/or breastfeeding, treatment history, general health information (e.g. ECOG/Karnofsky, labs, other medications and health problems), medical documentation which may contain any of the above and any other medical data you may choose to provide to us.
We will only save your data after you agree to our Terms and Conditions. Your data will be used by our Platform, including through use of AI (Artificial Intelligence), in order to match you with the most relevant clinical trials, based on your medical profile and location. Your data will also be used by our clinical staff in order to support you throughout your clinical trial journey. After your registration to the Platform, you will receive automatic updates regarding new trial matches, and if you are matched with any of our Clients’ clinical trials, our clinical staff will reach out to you by phone or email in order to offer guidance and assistance throughout the enrollment process. If you wish, you may choose to opt out of receiving such communications. If you express interest in enrolling in a clinical trial sponsored by one of our Clients, we will, under your express instructions, share your data with the relevant clinical trial site coordinator.
If you choose to do so, you may also share your matched clinical trial/s and relevant health data with your healthcare provider through the Platform.
Your data may also be shared with us by your healthcare provider or caregiver, using the Platform on your behalf. In such cases, we won’t collect any of your directly identifying data, such as name or contact information, and will only collect your relevant medical and location data. We further require whoever shares such data on your behalf to receive your authorization prior to sharing your data and to redact directly identifying data before uploading any medical files.
Your data will be fully anonymized and aggregated in order to present statistical information to our Clients on our PMO, which enables them to track and analyze the barriers keeping cancer patients from enrolling into their clinical trials, in order to improve and diversify patient enrollment. Our Clients will not be able to identify you in any way through their usage of our Platform and Services. We may also use anonymized Patient Data for optimization of the Platform’s trial-matching AI capabilities. You are entitled to object to using your data for each of these purposes (PMO/AI optimization) by contacting us using the contact details below, and we shall assess such requests in accordance with applicable laws.
If you are an unregistered patient who wishes to make use of our Services, but the cancer type you selected in our online questionnaire is not yet supported by our Platform, we invite you to provide us with your Personal Data (“Unregistered Patient Data”), such as your email and details regarding your cancer condition (type, stage and location). We will use this data in order for us to notify you when our Platform is prepared to support you with our Services and to send you clinical trial related patient resources that you may find useful.
(b) Healthcare provider and caregiver data:
If you are a cancer patient’s healthcare provider or caregiver making use of our Platform, we will require your personal data in order to register to the Platform. This will include your name (first and last), email, phone number and login credentials. We will also collect your Personal Data when you contact us in other ways, such as by email, phone, meetings or conferences. If you are a health care provider, we may also process your email address when a Platform-registered Patient shares a matched trial with you via the Platform. In this case, we may use your email address to communicate with you regarding our Services.
(c) Client, clinical trial coordinator and vendor data:
If you are a Client representative, a coordinator of a trial sponsored by our Client, a vendor, distributor or other business partner, we collect Personal Data when you or the organization you are associated with send it to us; we also collect Personal Data through our website and through our interactions with you.
We collect Personal Data required to provide Services when you register interest, or when you provide us such information in meetings or conferences, or in the course of preparing a contract, or when contacting us or submitting requests for information or support, through your use of our website and Platform, by email, phone, or other ways in which you communicate and interact with us. This Personal Data generally includes your name (first and last), email address, phone number, job title, company name, country, Platform login credentials and other information you may choose to provide to Leal Health. If you are a coordinator of a clinical trial sponsored by our client, we may receive your contact details from our Client and may use these details in order to match our Patients with your trial.
(d) Technical and behavioral information we collect through your use of our website and Platform:
When you are using our website and Platform, we are aware of it and gather, collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below. This includes technical information and behavioral information such as the user’s Internet protocol (IP) address used to connect your device to the Internet, your uniform resource locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting.
We likewise place functional cookies on your browsing devices (see "Cookies" section below).
(e) Social media network information:
If you log in to our Platform through social media networks, such as Facebook, we will receive information about you from those networks, such as your public profile information, email address and other information you permit those networks to share with third parties.
(f) Employment candidates:
We collect Personal Data and other information relating to employment candidates, including name, address, email address, telephone number, and information on resumes. We may also collect information through notes on meetings, standardized tests, reports, references, interviewer impressions and such industry standard data, as well as data made publicly available or available to us on social networks.
2. WHAT ARE THE PURPOSES OF PERSONAL DATA WE COLLECT?
Summary: we process Personal Data to provide our Services, operate our website and Platform, meet our obligations, protect our rights and manage our business.
We will use Personal Data to provide and improve our Services to our Clients, Patients and others, operate our website and Platform and meet our contractual, ethical and legal obligations. All Personal Data will remain accurate, complete and relevant for the stated purposes for which it was processed, including for example:
Processing which is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract:
- carrying out our obligations arising from any contracts entered into between you and Leal Health and/or any contracts entered into with Leal Health and to provide you with the information, support and Services that you request from Leal Health;
- verifying and carrying out financial transactions in relation to payments you make in connection with the Services.
Processing which is necessary for providing Patients with our Trial Matching Services as described in our Terms of Service (performance of contract) and necessary for advancing scientific research:
- collection of Patient Data in order to provide Patients with a real-time list of relevant clinical trials, including sending them automatic notifications regarding newly matched trials;
- maintaining ongoing communications between our clinical team and Patients in order to provide assistance and guidance throughout the trial matching process;
- processing of health care provider data in order to assist Patients with sharing matched trials and health data with them and vice versa;
- sharing Patient Data with matched clinical trial coordinators (under the Patient’s explicit instructions);
- collection of Unregistered Patient Data in order to notify patients when our Platform is prepared to support their type of cancer and to send them clinical trial related patient resources.
Processing which is necessary for the purposes of the legitimate interests pursued by Leal Health or by a third party of providing an efficient and wide-ranging service to Clients, health care providers and Patients, in conjunction with processing that is necessary for advancing scientific research (when applicable – such as regarding health data):
- notifying you about changes to our Platform and Services;
- contacting you to give you educational or promotional information about clinical-trial related content and webinars, or additional Services offered by Leal Health which may be of interest to you (after you provide consent, when required under applicable law). You can unsubscribe from these communications at any point;
- soliciting feedback in connection with the Services;
- tracking use of our website and Platform to enable us to optimize them;
- contacting you to ask if you wish to provide a Patient testimonial on our website;
- enabling your health care provider or caregiver to share your health data with us for trial matching purposes;
- if you are a potential client or health care provider, contacting you in order to interest you in our Services;
- anonymizing Patient Data in order to provide Clients with statistical aggregated data on the PMO;
- anonymizing Patient Data in order to use such data for optimization of the Platform’s trial-matching AI capabilities;
- for security purposes and to identify and authenticate your access to the login zone.
Processing which is necessary for compliance with a legal obligation to which Leal Health is subject or for exercising and defending legal claims:
- compliance and audit purposes, such as meeting our reporting obligations in our various jurisdictions, anti-money laundering, tax related obligations, and for crime prevention and prosecution in so far as it relates to our staff, clients, service providers, facilities, etc.;
- if necessary, we will use Personal Data to enforce our terms, policies and legal agreements, to comply with court orders and warrants and assist law enforcement agencies as required by law, to collect debts, to prevent fraud, infringements, identity thefts and any other service misuse, and to take any action in any legal dispute and proceeding.
3. SHARING DATA WITH THIRD PARTIES
Summary: we share Personal Data with our service providers, partners, and group companies, and authorities where required.
We transfer Personal Data to:
Members of our Group: If in the future we have affiliates - which means affiliate companies - whether wholly or partially owned by Leal Health, and co-owned companies – we will transfer Personal Data to them.
Clinical Trial Administrators: We share Patient Data with matched clinical trial coordinators, after Patients agree to sharing their data. Our Clients are fully responsible, as independent Controllers, with regards to all data processing activities in the framework of the clinical trial/s you choose to enroll in.
Third Parties: We transfer Personal Data to third parties in a variety of circumstances. We endeavor to ensure that these third parties use your information only to the extent necessary to perform their functions, and to have a contract in place with them to govern their processing on our behalf. These third parties include business partners, suppliers, affiliates, agents and/or sub-contractors for the performance of any contract we enter into with you. They assist us in providing the Services we offer, processing transactions, fulfilling requests for information, receiving and sending communications, analyzing data, providing IT and other support services or in other tasks, from time to time. These third parties also include analytics and search engine providers that assist us in the improvement and optimization of our website, Platform and marketing.
We periodically add and remove third party providers. At present services provided by third-party providers to whom we transfer Personal Data include also the following:
- Website analytics;
- Document management and sharing services;
- Client and Patient ticketing and support;
- On-site and cloud-based database services;
- Authentication and pseudonymization services;
- CRM software;
- Data security, data backup, and data access control systems;
- Our lawyers, accountants, and other standard business software and partners.
In addition, we will disclose Personal Data to third parties if some or all of our companies or assets are acquired by a third party including by way of a merger, share acquisition, asset purchase or any similar transaction, in which case Personal Data will be one of the transferred assets. Likewise, we transfer Personal Data to third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal or audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply our terms and other agreements with you or with a third party; or to assert or protect the rights, property, or safety of Leal Health, our clients, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.
For avoidance of doubt, Leal Health may transfer and disclose non-Personal Data to third parties at its own discretion.
4. WHERE DO WE STORE YOUR DATA?
Summary: we store your Personal Data across multiple locations globally.
We store your Personal Data on servers owned or controlled by Leal Health, or processed by third parties on behalf of Leal Health, by reputable service providers (see the following section regarding international transfers).
5. INTERNATIONAL DATA TRANSFERS
Summary: we transfer Personal Data within and to the EEA, UK, USA, Israel and elsewhere, with appropriate safeguards in place.
Personal Data collected in the EU and UK is transferred to, and stored and processed at, a destination outside the European Economic Area (EEA) and the UK. This includes transfers to Israel, a jurisdiction deemed adequate by the EU Commission and the UK, and to the USA, not currently deemed adequate.
We transfer Personal Data to locations outside of the EEA and UK, including in particular USA and Israel, in order to:
- store or backup the information;
- enable us to provide you with the Services and fulfill our contract with you;
- fulfill any legal, audit, ethical or compliance obligations which require us to make that transfer;
- facilitate the operation of our group businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights;
- to serve our clients across multiple jurisdictions;
- to operate our affiliates in an efficient and optimal manner.
6. DATA RETENTION
Summary: we retain Personal Data according to our data retention policy, as required to provide our Services, meet our obligations, protect our rights, and manage our business.
Leal Health will retain Personal Data it processes only for as long as required in our view, to provide the Services, and as necessary to comply with our legal and other obligations, to resolve disputes and to enforce agreements. We will also retain Personal Data to meet any audit, compliance and business best-practices.
Data that is no longer retained will be anonymized or deleted. Likewise, some metadata and statistical information concerning the use of our website, Platform and Services are not subject to the deletion procedures in this policy and will be retained by Leal Health. We will not be able to identify you from this data.
7. SERVICES AND WEBSITE DATA COLLECTION AND COOKIES
In many cases, these cookies lead to the use of your device’s processing or storage capabilities. Some of these cookies are set by us, others by third parties; some only last as long as your browser session, while others can stay active on your device for a longer period of time.
These cookies can fall into several categories: (i) those that are necessary for functionality or Services that you request or for the transmission of communications (functionality cookies); (ii) those that we use to carry out website performance and audience metrics (analytics cookies) and (iii) the rest (tracking across a network of other websites, advertising, etc.) (other cookies).
Internet browsers allow you to change your cookie settings, for example to block certain kinds of cookies or files. You can therefore block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies, you may not be able to access all or parts of the website, due to the fact that some may be functionality cookies. For further information about deleting or blocking cookies, please visit: https://www.aboutcookies.org/how-to-delete-cookies/
Functionality cookies do not require your consent. For other cookies, however, we request your consent before placing them on your device. You can allow cookies in your browser settings and use our website cookie management tool.
8. SECURITY AND STORAGE OF INFORMATION
Summary: we take data security very seriously, invest in security systems, and train our staff. In the event of a breach, we will notify the right people as required by law.
We take great care in implementing, enforcing and maintaining the security of the Personal Data we process. Leal Health implements, enforces and maintains security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of Personal Data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Where we deem it necessary in light of the nature of the data in question and the risks to data subjects, such as regarding Patient Data, we pseudonymize and encrypt data in transit and at rest. Likewise, we take industry standard steps to ensure our website, Platform and Services are safe and to prevent unauthorized access to our data bases. Other security safeguards include, but are not limited to, firewalls, WAF, anti-virus, audit logs, strict access controls, breach detection systems and physical access controls to buildings, systems and files.
Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
Leal Health acts in accordance with its policies and with applicable law to promptly notify the relevant authorities and data subjects in the event that any Personal Data processed by Leal Health is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. Leal Health promptly takes reasonable remedial measures.
9. DATA SUBJECT RIGHTS
Summary: depending on the law that applies to your Personal Data, you may have various data subject rights, such as rights to access, erase, and correct Personal Data, and information rights. We will respect any lawful request to exercise those rights.
Data Subjects in certain jurisdictions, such as in the EU and the UK, have rights granted pursuant to local laws under certain circumstances and with certain exceptions, including:
- Access – the right to receive confirmation whether your Personal Data is being processed by us, what types of Personal Data, for what purposes, with whom it is or will be shared (if at all) and for how long it will be stored.
- Rectification – the right to correct your Personal Data held by us that may be inaccurate or incomplete. Please note that you may correct your data through your account settings.
- Erasure – the right to have your Personal Data held by us deleted.
- Restriction of Processing – the right to require us to cease processing your Personal Data.
- Portability – the right to receive a copy of any of your Personal Data held by us in a convenient format and to have any of your Personal Data held by us transferred to a third party.
- Objection – the right to object to the processing of your Personal Data by us.
- Objection to Direct Marketing – the right to object to the processing of your Personal Data by us for the purposes of direct marketing. This can be achieved by opting out using the unsubscribe/opt-out feature displayed in our communications with you.
- Objection to Processing based on our Legitimate Interests – the right to refuse to have your Personal Data processed in connection with activities that are based on our legitimate interests. This includes your right to object to anonymization of your data for the purposes of presenting our Clients with our trial-optimization PMO dashboard, as well as for optimization of the Platform’s trial-matching AI capabilities. In such cases, Leal Health will assess whether its legitimate interests override your rights and freedoms.
- Withdrawal of Consent – where we rely upon your consent in order to process your Personal Data, you have the right to withdraw such consent at any time.
A data subject who wishes to modify, delete or retrieve their Personal Data, or to otherwise exercise their data subject rights, may do so by contacting Leal Health (email@example.com).
Note that Leal Health may have to undertake a process to identify a data subject exercising their rights. Leal Health may keep details of such rights exercised for its own compliance and audit requirements. Please note that Personal Data may be either deleted or retained in an aggregated manner without being linked to any identifiers or Personal Data, depending on technical commercial capability. Such information may continue to be used by Leal Health.
It is clarified that where Personal Data is provided by a client being the data subject’s employer, such data subject rights will have to be effected through that client, the data subject’s employer. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of Leal Health employees and staff, with Leal Health proprietary rights, and third-party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, cannot be accessed or erased or rectified by data subjects. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, data subjects have a right to withdraw their consent.
Data subjects in the EU, UK and other locations have the right to lodge a complaint with a data protection supervisory authority in the place of their habitual residence. If the supervisory authority fails to deal with a complaint, you may have the right to an effective judicial remedy.
10. CALIFORNIA ONLINE PRIVACY PROTECTION ACT NOTICE
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers to inform websites that they do not want to be tracked. We do not respond to or honor DNT signals.
Leal Health does not meet the threshold of the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”), and therefore its data processing activities as a Business (such as regarding Website visitor data and Patient Data) are not governed by the CCPA. Leal Health acts as a Service Provider (as defined in the CCPA) on behalf of its customers regarding customer Platform users, and, where the CCPA is applicable to its customers, Leal Health is committed to processing Personal Information on their behalf in accordance with the CCPA.
We do not knowingly collect or solicit information or data from or about children under the age of 16 without parental consent, or knowingly allow children under the age of 16 to register to our Platform. If you are under 16, do not register or attempt to register for any of the Leal Health Services or send any information about yourself to us. If we learn that we have collected or have been sent Personal Data from a child under the age of 16 without appropriate permissions, we will delete that Personal Data as soon as reasonably practicable without any liability to Leal Health. If you believe that we might have collected or been sent information from a minor under the age of 16, please contact us at: firstname.lastname@example.org, as soon as possible.
13. THIRD PARTY LINKS
15. CONTACT US
Leal Health’s data protection officer (DPO), and its appointed GDPR Article 27 representative, MyEDPO Ltd., may both be contacted at: email@example.com.
Last Revised: July 18, 2023