Summary of key points
- Who we are: chAIron SA, a Swiss company (Lausanne) providing clinical and strategic real-world-data (RWD) and AI services to life-science and biotech organisations.
- Our models don’t rely on your identity: our analytical models use de-identified data validated under the HIPAA Privacy Rule; they do not require identifiable personal data.
- Two roles: we are a data controller for our website, marketing, and recruitment data, and a data processor when we handle client data on a client’s behalf.
- What we collect from you: mainly your name and email, plus usage and technical data when you visit our website.
- Your rights: under the GDPR, the Swiss FADP, UK GDPR, and certain US state laws you can access, correct, delete, port, or object to the processing of your data.
- Contact: contact@chairon.io.
Interpretation and definitions
a. Interpretation
For the purposes of the General Data Protection Regulation (GDPR), chAIron SA (chAIron, the Company, We, Us, or Our) is the Data Controller.
Words whose initial letter is capitalized have the meanings defined below. These definitions have the same meaning regardless of whether they appear in the singular or the plural.
b. Definitions
For this Privacy Policy:
- Company (the Company, We, Us, or Our, in this Agreement): refers to chAIron SA, registered at Rue de la Grotte 6, 1003 Lausanne, Switzerland.
- Cookies: small files that may be placed on your computer, mobile device, or any other device by a website and that contain, among their many uses, details of your browsing history on that website.
- Country: refers to Switzerland.
- Data Controller: for the purposes of the GDPR, the Company, as the legal entity that alone or jointly with others determines the purposes and means of the processing of Personal Data.
- Device: means any device that can access the Service such as a computer, a mobile phone, or a digital tablet.
- FADP / nFADP: the Swiss Federal Act on Data Protection (revised, in force 1 September 2023), the primary data-protection law applicable to chAIron SA as a Swiss company.
- GDPR: refers to the General Data Protection Regulation (EU) 2016/679.
- Personal Data: any information that relates to an identified or identifiable individual.
- Representative: the natural or legal person designated under FADP Article 14 to act as a contact point for data subjects and supervisory authorities in Switzerland.
- Service: refers to the Website and the services provided by the Company.
- Service Provider: any natural or legal person who processes data on behalf of the Company, engaged to facilitate the Service, to provide it on the Company’s behalf, or to assist in analysing how it is used.
- Usage Data: refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
- Website: refers to chAIron, accessible from chairon.io.
- You: the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service.
- Cookie Policy: our separate notice describing the cookies and similar technologies used on the Website, available from the site footer.
Introduction
chAIron SA is committed to protecting your privacy and to handling personal data transparently and in accordance with applicable law, including the Swiss Federal Act on Data Protection (FADP), the General Data Protection Regulation (GDPR) and UK GDPR, and other relevant data protection laws.
chAIron provides clinical and strategic real-world-data (RWD) and AI services to life-science and biotech organisations. Wherever possible, our analytical models operate on de-identified data validated by a reputable provider under the HIPAA Privacy Rule, and do not require identifiable personal data.
This Privacy Policy explains what personal data we collect when we act as a data controller, how we use it, the legal bases on which we rely, and the rights available to you.
Scope
This Privacy Policy applies to personal data that chAIron SA processes as a data controller — in particular, data collected through our Website, our marketing and business-development activities, and our recruitment processes.
It does not govern data that we process on behalf of clients in the course of delivering our services, where the client remains the data controller and the client’s own privacy notices apply.
Responsibilities
chAIron is responsible for ensuring that personal data is processed lawfully, fairly, and transparently. All chAIron personnel who handle personal data are required to comply with this Policy and with our internal data-protection procedures. Day-to-day responsibility for overseeing compliance rests with our Data Protection Officer.
Data Protection Officer (DPO)
chAIron has appointed a Data Protection Officer responsible for overseeing compliance with this Privacy Policy and applicable data-protection law, advising on our data-protection obligations, monitoring our processing activities, and acting as a contact point for data subjects and supervisory authorities.
You can contact our Data Protection Officer at contact@chairon.io, or by post at: chAIron SA — Data Protection Officer, Rue de la Grotte 6, 1003 Lausanne, Switzerland.
Our Swiss (FADP) Representative
chAIron SA has appointed Rodrigo Hernandez Canteli as our representative for data-protection matters under the Swiss Federal Act on Data Protection (FADP).
You may contact our representative regarding the processing of your personal data at contact@chairon.io (attn. FADP Representative), or by post at chAIron SA, Rue de la Grotte 6, 1003 Lausanne, Switzerland.
Privacy principles
We process personal data in accordance with the following principles, which mirror Article 5 of the GDPR:
- Lawfulness, fairness, and transparency.
- Purpose limitation — collected for specified, explicit, and legitimate purposes.
- Data minimisation — adequate, relevant, and limited to what is necessary.
- Accuracy — kept accurate and, where necessary, up to date.
- Storage limitation — kept no longer than necessary.
- Integrity and confidentiality — processed securely.
- Accountability — we are responsible for, and able to demonstrate, compliance.
Our two roles: controller and processor
chAIron acts in two distinct roles depending on the data:
- As a data controller — for personal data of which we determine the purposes and means, such as data from visitors to our Website, prospective and current clients, marketing contacts, and job applicants. This Privacy Policy governs that data.
- As a data processor — when we deliver clinical and strategic services, we process data on behalf of, and under the documented instructions of, our clients, who remain the data controller. In these engagements we process data only as the client directs, under a data-processing agreement, and the client’s own privacy notices govern that processing.
Wherever possible, our analytical and AI models operate on de-identified data validated by a reputable provider under the HIPAA Privacy Rule, and do not require identifiable personal data. Where we process data that may be considered personal data, we apply the safeguards described in this Policy and in our internal procedures.
Collecting and using your personal data
Types of data collected
Personal Data. While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you, including:
- Email address.
- First name and last name.
- Usage Data.
Usage Data is collected automatically when using the Service. It may include information such as your device’s Internet Protocol address, browser type and version, the pages you visit, the time and date of your visit, the time spent on those pages, and other diagnostic data.
Use of your personal data
The Company may use Personal Data to provide and maintain the Service; to contact you and respond to your enquiries; to manage prospective and current client relationships; to carry out marketing where permitted by law; to manage recruitment; and to comply with legal obligations.
Sharing your personal data
We may share personal data with Service Providers who process it on our behalf, with affiliates, in connection with a business transfer, where you have given consent, or where required to comply with the law. We require Service Providers to process personal data only on our instructions and to keep it secure.
De-identified health data
The analytical models underpinning our services use de-identified data validated by a reputable provider under the HIPAA Privacy Rule. These models do not require identifiable personal data.
Retention
We retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy, and to comply with our legal obligations, resolve disputes, and enforce our agreements.
Cookies and tracking technologies
Our Website uses cookies and similar technologies (such as pixels and local storage) to keep the site secure and functional, to remember your preferences, and to understand how the site is used.
- Strictly necessary technologies are required for the site to work. Analytics and other non-essential technologies are used only with your consent, which you can give, refuse, or change at any time through our cookie-consent banner.
- We use Google Analytics to understand site usage. You can opt out via the Google Analytics opt-out browser add-on (tools.google.com/dlpage/gaoptout).
- A full, current list of the cookies we use — including their purpose and duration — is set out in our separate Cookie Policy, available from the footer of every page.
Most browsers also let you block or delete cookies; doing so may affect some site features. Because there is no common industry standard, we do not currently respond to browser “Do Not Track” signals.
International data transfers
Your information may be processed at chAIron’s offices in Switzerland and by service providers located in other countries whose data-protection laws may differ from those in your jurisdiction.
Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on a lawful transfer mechanism — such as a European Commission, Swiss FDPIC, or UK adequacy decision, or Standard Contractual Clauses (with the Swiss and UK addenda where applicable), together with any additional safeguards required — rather than relying on your consent. You may request a copy of the relevant safeguards by contacting us at contact@chairon.io.
Data storage and security
The security of your data is important to us. We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including access controls, encryption where appropriate, and ongoing review of our safeguards. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
Data breach response and notification
We maintain procedures to detect, report, and investigate personal-data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to individuals, we will also inform the affected individuals without undue delay.
Data retention and destruction
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. When personal data is no longer required, we securely delete or anonymise it.
Data subject rights
Depending on the law that applies to you, you may have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. To exercise any of these rights, contact us at contact@chairon.io.
You also have the right to lodge a complaint with a supervisory authority. In Switzerland, that is the Federal Data Protection and Information Commissioner (FDPIC); in the EEA, your local Member-State authority; and in the UK, the Information Commissioner’s Office (ICO).
GDPR privacy (legal bases)
Where the GDPR applies, we process your personal data on one or more of the following legal bases:
- Consent — you have given consent for one or more specific purposes.
- Performance of a contract — processing is necessary to perform a contract with you or to take pre-contractual steps at your request.
- Legal obligation — processing is necessary to comply with a legal obligation.
- Vital interests — processing is necessary to protect your vital interests or those of another person.
- Public interest — processing is necessary for a task carried out in the public interest.
- Legitimate interests — processing is necessary for our legitimate interests, where these are not overridden by your rights and freedoms.
You retain the rights described in the section on Data subject rights, and may withdraw consent at any time where processing is based on consent.
Swiss FADP privacy
As a company established in Switzerland, chAIron processes personal data in accordance with the revised Swiss Federal Act on Data Protection (FADP). If you are in Switzerland, you have rights equivalent to those described above, including the rights of access, rectification, and erasure and the right to object to processing, and you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland. Where the GDPR and the FADP both apply, we apply the standard that offers you the greater protection.
U.S. state privacy rights
If you are a resident of a U.S. state with a comprehensive privacy law (such as California, Colorado, Connecticut, Virginia, and others), you may have the right to know, access, correct, delete, and obtain a copy of the personal information we hold about you, and to opt out of any “sale” or “sharing” of personal information and of targeted advertising. We do not sell your personal information.
The categories we may collect are contact identifiers (name, email) and internet or usage data. To exercise any of these rights, contact us at contact@chairon.io; we will not discriminate against you for doing so, and you may appeal a refused request by replying to our response.
Children’s privacy
Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under 16. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 16 without verification of parental consent, We take steps to remove that information from Our servers.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post any changes on this page and update the “Last updated” date above. Where changes are significant, we may provide a more prominent notice. We encourage you to review this Privacy Policy periodically.
Compliance and enforcement
We periodically review our compliance with this Privacy Policy. If you have a concern about our handling of personal data, you may raise it with us, and we will work with you to resolve it. We cooperate with the relevant supervisory authorities in the exercise of their powers.
Contact us
If you have any questions about this Privacy Policy, you can contact us by email at: chAIron Privacy Team — contact@chairon.io. By using our website, you consent to this Privacy Policy.


