Privacy Policy - Pregistry

This policy is effective as of April 7, 2020

Pregistry was created on the beliefs that:

This Privacy Policy is provided to you, in line with the following Applicable Personal Data Protection Legislation:

• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from 25 May 2018, having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other considerations, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).

• The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

• The California Consumer Privacy Act 2018 (CCPA), assembly Bill of the State of California, United States of America, No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the Governor on 28 June 2018. Filed with the Secretary of State on 28 June 2018 and enforceable since 01 January 2020.

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

The primary goal of Processing Personal Data is to allow Pregistry the identification of those natural persons who have joined Pregistry’s Studies (as Participants) on their own free will and initiative.

Notwithstanding the herein above mentioned, study participants may decide to use an alias, meaning not submitting real Personal Data. Pregistry points out that, depending on which Personal Data the Participant choses to use an alias, there may be an impact on the accuracy of the “Study” results; as an example, whereas registering under a different name than the one pertaining to the Participant is innocuous in terms of impact in the Study, not disclosing the correct date of last menstrual period or gestational age may negatively impact the Study findings.

Pregistry (the organization and its staff members) is aware that Personal Data/ Health Information may represent a risk towards you if accessed by unauthorized third parties. That is a set of Policies, Operational Processes, and mechanisms (technological and human-based) have been developed, ensuring that the Personal Data entrusted by you to Pregistry will be maintained, handled, and shared in a manner that warrants its security, accuracy, confidentiality, and privacy, hence assuring your Personal Data Protection.

Personal Data is exclusively Processed under the scope and purpose of the Services described on this Privacy Policy (meaning each Study).

Every data subject maintains full control over their personal data (and, where applicable, their offspring’s), as well as the personal data processing activities undertaken by Pregistry (as defined under applicable personal data Protection Legislation or specifically the GDPR, where its ruling is more protective of the data subject’s Rights).

Applicability

Pregistry reserves the right to modify this Privacy Policy at any time by posting updated time-stamp versions on its websites.

The Data Controller

Pregistry is a United States-based company that conducts epidemiological studies on a variety of topics, including the safety of COVID-19 vaccines and therapeutics on pregnant women and their offspring. Currently, Pregistry is conducting three studies: • International Registry of Coronavirus Exposure in Pregnancy (IRCEP) (NCT04366986, EUPAS37360). The objective of this study is to assess the effect of COVID-19 during pregnancy on obstetric, perinatal, and postnatal outcomes. • COVID-19 Vaccines International Pregnancy Exposure Registry (C-VIPER) (NCT04705116, EUPAS39096). The objective of this study is to assess the effect of COVID-19 vaccination during pregnancy on obstetric, perinatal, and postnatal outcomes. • COVID-19 International Drug Pregnancy Registry (COVID-PR). The objective of this study is to assess the effect of specific newly developed COVID-19 medications during pregnancy on obstetric, perinatal, and postnatal outcomes. Participants may enroll in one or more studies simultaneously. Pharmaceutical companies which hold the marketing authorization of either COVID-19 vaccines or therapeutics indicated for COVID-19 may act as study sponsors; however, even in those cases, personal data pertaining to participants is never shared by Pregistry with those entities. All questions or requests regarding the processing of the personal data under Pregistry’s control or processing may be addressed to dpo@pregistry.com.

Pregistry’s Data Protection Officer (DPO) contact information:

Mr. Rui Serrano Country: Portugal Email: phrdpoaas@gmail.com

Pregistry Core Activity – Service Catalogue and Legal Basis

Pregistry service consists of allowing pregnant women to enroll in its studies and to provide information and support to those participants. Under this scope, Pregistry’s Service Catalogue includes the following services and applicable “Legal Basis” for processing Personal Data (respectively):

Study Participant Enrollment

Screening questions are posed to those natural persons who wish to become Participants to qualify them as valid contributors or not. A form is then made available for those natural persons to input their data. The Data Subject provides a name, phone number and creates a user login (username [email] and a password) and then Pregistry sends a One Time Password (OTP) consisting of a 6-digit code that they need to enter in order to continue to read and understand the Consent Form. Registered users are then re-directed to the “Profile” stage where they are asked to enter information related to the specific study. Required Personal Data consists of: • Name • Email 1 • Email 2 (Optional) • Enrolment ID • Age • Preferred Language • Time Zone • GUID • Phone number • Phone number 2 (Optional) • Source • IP Address • Consent • Consent name • Login (password) • Organization • Geolocation • Region • Country • City • Postal Code • Medical History (Optional) • Race/Ethnicity • Call recordings

Reporting Adverse Events

Study participants may at will report adverse events they have experienced (which may or not be causally related to a COVID-19 vaccine or therapeutic indicated for COVID-19), as this is one of the main goals of the studies conducted by Pregistry. The study participant may report adverse events in scheduled questionnaire modules or, at any time, using a button on the study website for logged in participants. Similarly, Participants may upload their redacted medical records (and those of their offspring), as medical records are used to improve the accuracy and validity of the information.

Newsletters

Sending out newsletters to those natural persons who have shown interest in receiving them (regardless of participation status in a study).

Processing (Treatment) over Personal Data

Gathering/ Collection

Pregistry exclusively gathers Personal Data directly from the Data Subjects, at Study enrollment and through the Data Subject’s actions on the platform. When a Data Subject uses the Pregistry website, a session cookie file may be placed on their browser device. Pregistry only uses cookies that record information about the IT architecture and landscape of the device being used by the visitor (e.g., browser, device, etc.); however, that visitor is never identified personally (as a Data Subject). IP addresses are exclusively cross-referenced with other data for the purpose of safekeeping both Pregistry, the Study results, and the Participants from fraud attempts. For detailed information about cookies in use and similar employed technologies please refer to the Cookies Policy.

Storing

Pregistry is a digital company and most of the data and information it requires to operate is exclusively maintained in digital format on its IT systems hosted at Amazon Web Services data centers in the United States. Data in transit and at rest are encrypted. This guarantees its security and confidentiality. participants are informed of the data hosting in the United States and they provide explicit consent to the processing of their Personal Data/ Health Information. Therefore, they are fully aware and consenting to the transfer and hosting of such data/ information in the United States.

Sharing

Pregistry only shares fully anonymized data. Pregistry never shares any identifiers that constitute personal data..

Recordings

In addition to the interaction over the platform or by email, designated Pregistry staff may speak with you both over the phone or video call using the software Twillio. Due to operational reasons, the phone and video calls are recorded and stored by Pregistry, unless you expressly refuse the recording at the beginning of the call. Twillio will save the call while fully encrypted and it shall be transferred within 24 hours to Pregistry’s repositories (also encrypted) and then erased from Twillio. Pregistry hosts data in the United States. Therefore, you hereby consent to such hosting. You should refrain from sharing any personal data that either does not pertain to you or to your child or that is irrelevant to the study when speaking to Pregistry staff over the phone or video call.

Data Minimization

Pregistry takes every reasonable step to ensure that Personal Data under its direct processing activities (as the Controller) is limited to the amount and type that is necessary to the successful execution of the Studies.

Personal Data Security, Privacy, and Confidentiality Assurance

Pregistry’s IT landscape is configured and monitored under guidance provided by the strictest security market standards (e.g., ISO 27000 family, Soc2, ITIL, Privacy by Design) and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under applicable Personal Data Protection Legislation towards the Protection of Personal Data/ Personal Information/ Health Information. This is intended to assure confidentiality and privacy while under Personal Data Processing Activities performed by itself and its partners within the scope of Pregistry rendered services.

Personal Data Retention

Data retention is a major potential risk generator since, during the period the data is available, it may be accessed by a third party, constituting a personal data breach. Pregistry fixes the data retention period according the duration of each study. Pregistry does not hold to personal data for longer than necessary. Additionally, Pregistry ensures that the risk of information being deleted prior to the end of its lifecycle is minimized. Study participant personal data is erased within one month (30 days) after leaving the study or one month (30 days) after having asked for their personal data to be erased.

Data Subjects Rights

Under applicable Personal Data Protection Legislation, the Data Subject has the following set of established rights: [HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your consent to become a study participant. [GDPR] Right of access. The right to obtain from the Controller confirmation as to whether their personal data is being processed, and, if so, to access such personal data as well as related information. Pregistry will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the data Subject to ensure authorized secure access. Participants may exercise this right by reviewing information on the Pregistry website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not a Pregistry Participant. [CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California residents have the right to: • Know the categories of personal information we collect and the categories of sources from which we got the information. • Know the business or commercial purposes for which we collect and share personal information. • Know the categories of third parties and other entities with whom we share personal information, and • Access the specific pieces of personal information we have collected about you. [HIPAA] The right to access and request a copy of medical records. Please refer to the Right of Access under the GDPR. [GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Participants may directly amend existing information on the Pregistry website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not Pregistry Participants. [HIPAA] The right to request an amendment to medical records. Please refer to the Right to Rectification (above) under the GDPR. [GDPR] Right to erasure. The right to have Personal Data pertaining to them that is under Processing by Pregistry erased and, therefore, Processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents Pregistry from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section. [CCPA] Right to deletion – again in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/ information. We may refuse the exercise of such right if it prevents us from exercising legal defense, we cannot do it driven from a legal obligation or there is the risk of by doing so, not being able to fulfill any open contractual obligations. [GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to them. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section. [GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy has occurred under the Legal Basis of Legitimate Interest by the side of Pregistry. The exercise of this right may also occur where the Data Subject wishes to opt-out from an existing Service (and not necessarily cancelling the Service). When exercising this right, the Data Subject must be specific about which processing activities are being requested to stop and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section. [CCPA] Right to opt out of sales – We do not sell your data. [GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. Pregistry will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the data Subject to ensure authorized secure access. Customers may directly amend existing information on Pregistry’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those data Subjects who are not Pregistry Customers. [GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence. [GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Pregistry’s Processing activities over his/ her Personal Data towards any of the EU Member States data protection Supervisory Authorities. Pregistry is however also available to provide any clarification towards those Data Subjects who may feel that it’s Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. Data Subject may submit a complaint via the request process as per herein defined ahead. [CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data. For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide including information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfil your request. Any Data Subject may exercise his/ her rights under GDPR by reaching out to Pregistry’ DPO through the e-mail address dpo@pregistry.com or, while logged in to the platform via the “Exercise of Rights” form. If you have any questions, complaints or wish to exercise your rights under GDPR, please do make clear on your message: • Purpose: Question; Complaint; Exercise of the Data Subject’s rights under GDPR • What triggered your need to contact us? • When did the root cause which triggered the need to contact us took place? • If a Participant, a mobile phone number or alternative personal e-mail address so we may proceed with a two-factor authentication process. Why the need to provide alternative personal contact? Under applicable Personal Data Protection legislation only the Data Subject may exercise his/ her rights, hence organizations must ensure and document that the Data Subject or his/ her legal representatives are the ones interacting with the company while acting over his/ her Personal Data.

Glossary

“Data Protection Officer” (DPO) means the natural person within a company who bears the responsibility of ensuring corporate compliance towards GDPR (as defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with GDPR rules, guidelines and requirements. data subject means the identified or identifiable natural person to whom personal data relates. Both Parties understand that the data subject is the sole owner of personal data which pertains to them. “Data Subjects’ Rights” means the rights established towards the Data Subjects under Applicable Personal Data Protection legislation. Please check the item below under the title “How to exercise Data Subjects’ rights” “IT Landscape” means the set of IT assets and services of and at the disposal of each party that enables their Personal Data Treatment” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources. “Legal Basis” means the enlisted lawful grounds that a company has to entice Personal Data Treatment” activities under GDPR, namely (but not limited to) having documented: the Data Subject Explicit Consent towards Personal Data Treatment activities; the company Legitimate Interest in proceeding with “Personal Data Treatment” activities; accessory legal obligations that the company must observe and which entitled it to proceed with Personal Data Processing Activities within the limits of such ruling and inherent obligations; other as per defined under GDPR. “Partner” means any 3rd party entity towards which each party may resort in order to ensure Personal Data Processing Activities under a legal basis (as established by GDPR) and within the scope of agreed Services. Personal Data means any Data that either on its own or where cross-referenced with other Data allows the identification of a specific natural person. “Personal Health Information” has (under the scope of this Privacy Policy) the same meaning as Personal Data (notwithstanding the fact that it still maintains the definition under HIPAA). “Personal Data Processing Activities” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing). “Personal Data Breach” means any event or incident (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Processor means the entity which proceeds with authorized Personal Data Processing Activities (under this DPA and the Agreement) on behalf of the Controller. “Scientific Method” means a set of principles and empirical processes of discovery and demonstration considered characteristic of or necessary for scientific investigation, generally involving the observation of phenomena, the formulation of a hypothesis concerning the phenomena, experimentation to test the hypothesis, and development of a conclusion that confirms, rejects, or modifies the hypothesis. “Service Catalog” means the set of Services rendered by Pregistry that requires Personal Data Processing Activities. “Study” means an organized endeavor (which observes the scientific method) to discover the impact of COVID-19 vaccines and therapeutics indicated for COVID-19, as herein described in detail and above in this document. “Study Participant” or Participant means a natural person who either being pregnant or having recently given birth decides to join (by enrolling) in one of Pregistry’s Studies. “Sub-processor” means any Processor engaged by any of the Parties which performs complimentary Personal Data Processing Activities within the scope of the Services.

Contact Us

If you have any questions or complaints about this Policy, please contact us at dpo@pregistry.com.