Privacy Notice for Healthcare Professionals
Last Updated: October 2024
Spur Therapeutics Limited and its group companies (“Spur”, “we”, “us”, or “our”) are committed to safeguarding your personal information (or personal data) in line with all applicable laws, including the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). This Privacy Notice provides a global privacy baseline for Healthcare Professionals (HCPs) who may interact with Spur. Some jurisdictions will have different and perhaps more restrictive local implementation of data protection laws. Where such variations exist, these will be set out in country-specific notices.
Spur is a ‘controller’ of your personal data for the purposes of data protection laws. This means that Spur is responsible for deciding how we hold and use personal information about you, as described below. Privacy contact details are supplied at the end of this Privacy Notice.
This Privacy Notice does not form part of any agreement to provide services. We may update this Privacy Notice at any time. If any significant changes are made, we will provide you with an updated copy or notify you of such change as soon as reasonably practical.
It is important that you read and retain this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under applicable laws.
This Privacy Notice explains:
- What information Spur collects about you
- How does Spur use your personal information?
- How do we use sensitive personal information?
- What are our lawful bases for using your personal information?
- With whom we may share your personal information and where we may transfer it internationally
- How do we protect your personal information?
- How long do we keep your personal information?
- What are your rights regarding your personal information?
What information Spur collects about you
Spur collects and processes information about you that is necessary for managing our relationship with you and for the performance of any services you may provide to Spur. This will vary depending on the way in which you are engaged with Spur and the nature of your relationship with us. This includes:
- Your name, address and contact details, including mailing address, email address, telephone number, date of birth, gender and nationality.
- Employment history, employment status and entitlement to work (as applicable).
- Details of your professional qualifications, skills, education, academic information and your interests, work experience and professional licenses.
- Details of your professional activities, such as prescribing history, networks and affiliations, programs and activities participated in, publications authored or co-authored, awards, board memberships, professional conferences and events and influence rankings.
- Due diligence information about your practice or other information that may be publicly available from sources such as public databases, social media platforms and other third parties, which we may combine with personal information that we already hold.
- Details related to previous interactions with Spur.
- The terms and conditions of your consultancy arrangements with Spur.
- Information about the payments and services that you may provide to Spur, invoices and tax-related information, travel and expenses information, and other monetary and non-monetary transfers of value.
- Details of your bank account and government-issued identification, such as a Social Security Number, National Insurance Number, tax identification number, driving license or passport number.
- Information about any background vetting, where necessary.
- Information about medical or health conditions, including health and safety related incidents and accidents, dietary preferences and requirements, and whether you have a disability for which Spur needs to make reasonable adjustments.
- CCTV footage and other information obtained through electronic means such as swipe card records.
- Information about your use of our information and communications systems.
- Photographs, digital imagery and sound recordings.
Spur may collect this information in a variety of ways. For example, information might be collected through your professional bio or curriculum vitae (CV); obtained from your passport or other identity documents (such as your driving license); from correspondence with you; through interviews, business card, meetings or other assessments; or obtained when you attend a scientific or congress event; and if you provide consultancy services to us, in the course of consultancy-related activities throughout the period that you provide such services.
When you access our website via links in any marketing emails we send you (such as newsletters or information relating to upcoming events), we will collect certain technical and activity information related to your usage of our website, such as your IP address, pages visited, time spent, links clicked, and this data will be linked with your email address. Sometimes this involves the use of cookies. For more information on cookies see our Cookie Policy.
In some cases, Spur may collect personal information about you from third parties, such as information from:
- Background check providers, information from credit reference agencies, and information from criminal records checks permitted by law;
- Data companies that provide information services in the healthcare sector and related fields, and healthcare provider directories;
- Publicly accessible sources;
- When you interact with us online, such as via social media channels.
Information and data will be stored in a range of different IT systems, including in the Company’s finance system, email systems and databases.
How does Spur use your personal information?
Spur uses your personal information for the purposes set out in this Privacy Notice, or for such other purposes as are reasonably compatible with those described.
Spur needs to process data to enter into any consultancy agreement it may have with you and to meet its obligations under that agreement. For example, we need to process your personal information to formalize our agreement with you and to pay you in accordance with the terms of our agreement with you. Spur also needs to process your personal information to ensure compliance with our legal obligations.
In other cases, Spur has a legitimate interest in processing personal information before, during and after the end of the relationship with you. This may be where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. We may also use your personal information where we need to protect your interests (or someone else’s interests), or where it is needed in the public interest.
Processing personal data under the above lawful bases allows Spur to:
- Conduct background vetting processes.
- Maintain accurate and up-to-date consultancy records and contact details and records of your contractual and statutory rights.
- Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and meets obligations under health and safety law.
- Manage data related to business travel that is required for consultancy arrangements.
- Report on interactions with HCPs/consultants for payment transparency purposes.
- Ensure effective general business administration.
- Identify you as a key opinion leader or expert, influencer or advisor for scientific or medical engagement.
- Conduct and improve our business operations, including collecting information to store in our databases and systems, and keep records related to our relationship with you.
- Manage our interactions with you, including to respond to any inquiries and requests.
- Organise meetings and events online or face to face.
- Collaborate with you on our research and development activities.
- Perform market research and analysis.
- Provide you with information that may be of interest to you.
- Respond to and defend against legal claims.
If you fail to provide certain information when requested, it may restrict our relationship with you. For example, we may not be able to provide you with the services you have requested; we may not be able to give you access to an online event; we may not be able to perform the agreement we have entered into with you (such as paying you); or we may be prevented from complying with our legal obligations.
How do we use sensitive personal information?
Special categories of particularly sensitive personal information include information about your health, racial or ethnic origin, sexual orientation, trade union membership or criminal history, and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations or exercise rights (for example, in connection with any consultancy arrangement).
- Where it is needed in the public interest.
- Where it is necessary to protect you or another person from harm.
- Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
What are our lawful bases for using your personal information?
We operate under a global privacy framework, most notably the UK GDPR which requires us to demonstrate a lawful basis when processing your personal information.
As further described above, Spur uses your personal information for the following reasons:
- Legitimate business purposes: where we have a legitimate business interest to perform processing on your personal information provided your interests and fundamental rights do not override those interests.
- Contractual: to which you are a party; we may need to process your personal information to provide a product or service you request or hire you to work as a consultant or contractor.
- Legal obligations: there is a legal and/or regulatory obligation to process your personal information and we must comply.
- Consent: in limited circumstances, we may ask you to provide your consent for us to process your personal information and where this is provided you have a right to withdraw this at any time.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.
With whom we may share your personal information and where we may transfer it internationally
Your information may be shared internally, including with members of Spur business functions that engage with you, and with other Spur group companies.
Spur also may share your personal information with third parties in order to obtain necessary background vetting records (as applicable). We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Your personal information may also be shared with third parties that process data on Spur’s behalf, for example in connection with invoice processing and payments for services, as applicable.
Spur also may share your personal information with third parties in the context of a sale of some or all its business, financings, re-organisations, or similar corporate activities. Any such sharing will be subject to confidentiality arrangements.
Your personal information may be transferred by Spur entities and by our trusted third-party suppliers to, and otherwise processed in, countries outside the UK, including the United States (U.S.). To the extent the data privacy laws in the countries to which your personal information is transferred may not be equivalent to, or as protective as, the laws in your home country, we will take appropriate steps, in accordance with applicable data protection and privacy laws, to maintain an adequate level of protection and security for your personal information when it is transferred outside of your home country.
How do we protect your personal information?
Spur takes the security of your personal information seriously. Spur has internal policies and controls in place to try to ensure that your information is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. These controls include the use of personal passwords for logging on to Spur’s computer systems.
Where Spur engages third parties to process personal information on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and company measures to ensure the security of information and data. Spur follows the mandate of its Data Privacy Policy and Information Security Policy to ensure it is protecting your personal information and security appropriately.
How long do we keep your personal information?
Spur will hold your personal information only for as long as is reasonably necessary to fulfil the purposes we collected it for, after which, Spur will take reasonable steps to dispose of such personal information. However, we may need to retain your personal information for a longer period of time, for example, in the event of a complaint or if we reasonably believe there is a prospect of a dispute in respect to our relationship with you, or at the end of your consultancy arrangement, in order to meet statutory obligations.
What are your rights regarding your personal information?
Various data privacy laws and regulations provide data subjects with a number of rights with respect to their personal information. Under these laws and regulations, as applicable, you may be entitled to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Withdraw your consent to the processing of your personal information (in limited circumstances where Spur has previously obtained your consent).
If you would like to exercise any of these rights, we request that individuals use email and send their request to privacy@spurtherapeutics.com. The appropriate teams will coordinate to fulfil the request. We try to respond as soon as we can and generally this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you are unsatisfied with how Spur has upheld your data subject rights, you can raise a complaint to the local data protection authority within your jurisdiction.
As stated above, if you do not wish to share personal information with us when asked, this may affect our relationship with you and how we are able to provide our services. If you have a consultancy agreement with Spur, you have obligations to provide Spur with certain personal information. For example, you are required to provide information such as contact details and payment details to enable Spur to enter a consultancy agreement with you. If you do not provide the necessary information, this will hinder Spur’s ability to administer the rights and obligations essential to our relationship with you.
Inform us of change
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Contact Details
Internal
If you have any questions specifically about this Privacy Notice or wish to make a data subject request, we will prefer the request to be tracked by email. Please contact privacy@spurtherapeutics.com, and we will assist you.
Controller Details
Spur Therapeutics Limited
Sycamore House
Gunnels Wood Road, Stevenage
SG1 2BP United Kingdom
Supervisory Authorities
Spur Therapeutics Limited is registered with the relevant data protection authorities. If you are not satisfied with any response that we have provided and wish to raise a concern or issue, please refer to the contact details below.
UK: Information Commissioner’s Office (ICO) https://ico.org.uk/global/contact-us/