MedaSystems, Inc.
Privacy Policy
Effective: June 24, 2025
This Privacy Policy (“Policy”) explains how MedaSystems, Inc. collects and uses the personal information obtained from you when you visit our corporate website or use our cloud-based software application (the “Service”).
- What is “Personal Information”?
- What Information do we Collect?
- Data Automatically Collected Through Use of Our Website
- Data Automatically Collected Through Use of the Service
- Information Submitted by Individuals Through the Website
- Information Submitted by Users of the Service
- Initial Requests
- Invitations to Clinicians to Create a MedaSystems Account
- Additional Information Requested by a Customer
- Phone Numbers for Two-Factor Authentication (2FA)
- How do we collect information from visitors to our website and Users of our Service?
- Use of Cookies and Technologies Similar to Cookies
- SMS Communications and Opt-In for Two-Factor Authentication
- Our Role in Relation to Personal Information
- Legal Basis for Processing Personal Information
- Choice
- How do we keep your information secure?
- Corrections or Updates to Information Provided to MedaSystems
- Transfer of Data to Third Parties
- Transfer or Use of Data Internationally
- Data Privacy Framework
- Data Retention Period
- Marketing
- Information Pertaining to Minor Children
- Individual Data Protection Rights
- General Rights
- Rights of Individuals in the European Economic Area, the UK, or Switzerland
- Patient Requests About Information Stored by MedaSystems
- Changes to Our Privacy Policy
- How to Contact Us
I. What is “Personal Information”?
“Personal information” as discussed in this Policy means information about an identifiable individual. Your personal information includes your full name, address, telephone number, date of birth, email address, and any other information that is connected to you, identifies you, or would allow someone to contact you.
II. What Information do we Collect?
A. Data Automatically Collected Through Use of Our Website
MedaSystems automatically collects certain information when individuals access our corporate website. On its own, this information does not reveal your specific identity (such as your name or contact information). However, it may include device and usage information, such as:
- IP address
- Browser
- Device characteristics
- Operating system
- Language preferences
- Referring URLs
- Device name
- Country
- Geographic location
- Technical usage data and timestamps
This information is used for security, analytics, and performance purposes. Information is also collected through cookies.
- Log and Usage Data: Includes IP address, device info, browser settings, activity on the website, timestamps, pages and files viewed, searches, feature usage, device event info (like errors), and hardware settings.
- Device Data: Includes information about the computer or device used to access the website. May include IP address, device/app identifiers, location, browser type, hardware, carrier, OS, and configuration.
- Location Data: Collected based on your IP address or device location settings. You may disable this feature in your device settings, but doing so could limit functionality.
B. Data Automatically Collected Through Use of the Service
Includes log and usage data (as described above) and data saved in the User’s browser local storage while logged in to the Service.
C. Information Submitted by Individuals Through the Website
Includes name, email address, and company name (e.g., submitted via the “Contact Us” page).
D. Information Submitted by Users of the Service
Information shared by healthcare providers, their staff, life science employees, and patients/caregivers when using the Service. Customers instruct MedaSystems how to handle this data. MedaSystems does not manage agreements between physicians and Customers.
1. Initial Requests
- Physicians: Includes name, address, employer, and brief patient history (no PHI). Shared with both MedaSystems and the Customer.
- Patients/Caregivers: MedaSystems provides only anonymized data (e.g., age, gender, diagnosis) to Customers. Identifiable information is retained by MedaSystems and is not passed to the Customer.
2. Invitations to Clinicians to Create a MedaSystems Account
Information collected includes name, employer, contact info, mobile number, credentials, and CV. Patients/caregivers cannot create accounts.
3. Additional Information Requested by a Customer
May include treatment history, lab results, images, shipping info, resupply requests, and patient response data. Governed by the Customer’s privacy policy and/or agreements.
4. Phone Numbers for Two-Factor Authentication (2FA)
- Purpose: Used solely for sending SMS verification codes.
- Security: Phone numbers are encrypted and securely stored.
- No Sharing: Not shared, sold, or used for any other purpose.
- Opt-out: Reply "STOP" to any SMS. May impact access to some features.
III. How do we collect information from visitors to our website and Users of our Service?
A. Use of Cookies and Technologies Similar to Cookies
In addition to collecting information through various fields and forms on the corporate website and in the Service (as described above), we may use “cookies” or similar technologies to collect information about you and your device. Cookies are small pieces of data that a website stores in your browser and that the browser sends back on later requests to that site. They may enhance your experience as you navigate our site. A “session cookie” has no expiry date and is discarded when you close your web browser. A “persistent cookie” carries an expiry date, remains after you close your web browser, and is sent back each time you use our site until it expires or is deleted. We may use both session and persistent cookies on our corporate website. We currently do not use any non-essential cookies in our Service.
By “technologies similar to cookies” we mean any type of data storage and recovery mechanism used on a user’s device for purposes of obtaining information. The most common ones include:
- Browser local storage: Websites can use the browser’s “sessionStorage” and “localStorage” areas, as well as its indexed database (IndexedDB), to store information on your device.
- Local storage of browser plug-ins: Includes Flash local storage (“Flash Local Shared Objects”) and Silverlight local storage (“Isolated Storage”). Both plug-ins have been discontinued and are no longer supported by current browsers.
- Web beacons: A tracking technique that inserts an image into a website or email. When the image is loaded, the server registers the access, letting us know when a user viewed the page or email. These images are often small or transparent and may not be noticeable.
- Fingerprinting: A technique that combines characteristics of the browser or device (such as installed fonts, screen size, and configuration) into an identifier that can recognize the same user on future visits, without storing anything on the device.
We currently use browser local storage in our Service to store content information and preferences. On certain sections of our corporate website, we may occasionally use web beacons that allow us to determine when users visited that section of the site.
There may be other tracking technologies now and later devised and used by us in connection with our corporate website. Further, third parties (e.g., Google) may use tracking technologies with our corporate website. We do not control those tracking technologies, and we are not responsible for them. However, be aware that you may potentially encounter third-party tracking technologies in connection with your use of our corporate website, and that this Policy does not apply to the tracking technologies or practices of such third parties.
B. SMS Communications and Opt-In for Two-Factor Authentication
MedaSystems collects phone numbers for the sole purpose of enabling secure two-factor authentication (2FA). By providing your phone number, you explicitly consent to receive SMS messages related to account security. These messages are not used for marketing or other purposes. You may opt-out of receiving SMS messages at any time by replying "STOP" to any message. Opting out may limit your ability to access features of the Service that require 2FA.
IV. Our Role in Relation to Personal Information
In certain situations, we are considered a “Controller” of Personal Information under applicable data protection laws, and in other situations we are considered a “Processor” of Personal Information on behalf of another party (as Controller).
The table below indicates the circumstances in which we are a “Controller” of Personal Information, and the circumstances in which we are a “Processor.”
| Situation | Our Role |
|---|---|
| When a patient or caregiver enters Personal Information in the Service in connection with an initial request for access to investigational products | We are a “Controller” of that Personal Information |
| When a physician enters Personal Information (pertaining to themselves or a patient) in connection with an initial request for access to investigational products | We are a “Processor” of that Personal Information |
| When Customers enter Personal Information in the Service in connection with their use of the Service to process requests for access to investigational products | We are a “Processor” of that Personal Information |
| When we handle Personal Information in connection with the execution and administration of our agreements with Customers (including contact details of Customer’s personnel/representatives) | We are a “Controller” of that Personal Information |
| When we handle Personal Information in the creation and maintenance of user accounts on the Service | We are a “Controller” of that Personal Information |
| When we anonymize Personal Information to perform analysis for the purposes of improving the Services | We are a “Controller” of that Personal Information |
V. Legal Basis for Processing Personal Information
We only process your personal information when we believe it is necessary and we have a valid legal basis to do so under applicable law, such as with your consent, to comply with laws, to provide you with services requested, to fulfill our contractual obligations, to protect your rights, and for our legitimate business interests.
We may use de-identified information created by us without restriction. When we use the term “de-identified information,” we mean information that cannot be used to personally identify you.
We may process your information if you have consented to allow MedaSystems to use your personal information for a specific purpose. You can withdraw your consent at any time by emailing us at privacy@medasystems.com.
More specifically, we may also process your personal information for the following purposes:
- Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our services or at your request before entering into a contract with you.
- Legitimate business interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests are not overridden by your interests, rights, and freedoms. For example, we may process your personal information for the following purposes:
  - To diagnose problems and prevent fraudulent activities.
  - To identify usage trends, to understand better how the Service is being used, and to make improvements.
  - To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
  - To deliver and facilitate the delivery of our Service. We may process your information to provide you with the requested service.
  - To respond to inquiries and offer support. We may use your information to respond to your questions and solve any potential issues you might have with the use of our Service.
  - To send administrative information to you. We may use your personal information to send you product, service, or new feature information, and information about changes to our terms, conditions, and policies.
  - To enable User-to-User communications. We may use your information, specifically your email address, to enable User-to-User communications.
  - To request feedback. We may use your information to request feedback and to contact you about your use of the Service.
  - To protect our Service. We may use your information as part of our efforts to keep the Service safe and secure (for example, for fraud monitoring and prevention).
  - To enforce our Terms of Service and policies.
  - To comply with our contract with a Customer. Processing certain of your information may be a necessary component of a contract between MedaSystems and a Customer.
- Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. If we receive a subpoena or other lawful request, we may need to inspect the data we hold to determine how to respond, or we may process your information to comply with other legal or regulatory requirements.
- To save or protect an individual's vital interests. We may process your information when necessary to save or protect an individual's vital interests, such as to protect human life or to prevent harm.
VI. Choice
If personal data covered by this Privacy Policy is to be used for a new purpose that is materially different from the purpose for which the data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this Policy, MedaSystems will provide individuals with an opportunity to choose whether to have their personal data so used or disclosed. Requests to opt out of such uses or disclosures should be submitted by contacting us as described in the “How to Contact Us” section of this Policy.
Certain personal data—such as information about medical or health conditions, racial or ethnic origin, political opinions, or religious or philosophical beliefs—is considered “Sensitive Information.” MedaSystems will not use Sensitive Information for any purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless MedaSystems has received the individual’s affirmative and explicit consent (opt-in).
VII. How do we keep your information secure?
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the personal information we process.
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.
Although we will do our best to protect your personal information, you transmit personal information to and from our website and the Service at your own risk. You should only access the website and the Service from a secure environment.
VIII. Corrections or Updates to Information Provided to MedaSystems
- Corrections/Updates to Information Submitted with an Initial Request: If a User wants to update or correct any information submitted with an Initial Request, they should contact the life sciences company directly, or they may email privacy@medasystems.com and we will assist in processing any changes. If you are a patient/caregiver, and would like to correct, update or delete any personal information that has not been provided to the life sciences company by MedaSystems, you should contact MedaSystems at privacy@medasystems.com.
- Corrections/Updates to Information Provided When Setting up a MedaSystems Account: If a User would like to correct or delete any of their information after their account has been created, please email privacy@medasystems.com. We will promptly amend or remove any information consistent with this Policy.
- Corrections/Updates to Information Submitted by Physician Users to Customers: If you are a physician (or staff member) who would like to correct or remove any information uploaded and/or shared with a Customer through the Service, take the following steps in order:
  1. Log in to the Service and attempt to make the correction or deletion yourself;
  2. Contact the Customer directly and ask them to make the correction or deletion;
  3. If necessary, email privacy@medasystems.com and we will assist with processing the request, including providing additional instructions or information.
IX. Transfer of Data to Third Parties
Unless described in this Policy, we do not share, sell, rent, or trade any of your information with third parties for promotional purposes. There may be circumstances in which we share or transfer your information to third parties for business purposes, such as:
- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Vendors, Consultants and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include data analysis, email delivery, hosting services, and customer service. We may allow selected third parties to use technology on the Service, enabling them to collect data on our behalf about how you interact with the Service over time. This information may be used to, among other things, analyze data, determine the popularity of certain features, and better understand user activity. We have contracts in place with our data processors, which are designed to help safeguard your personal information. This means they cannot do anything with your personal information unless we have instructed them to do so. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.
- Business Partners. We may share your information with our business partners to offer you certain products, services or promotions.
- Requests from Public Authorities. We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
MedaSystems remains responsible and liable under the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles (see below) if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless MedaSystems proves that it is not responsible for the event giving rise to the damage.
X. Transfer or Use of Data Internationally
We may transfer, store, and process your information in the United States, European Economic Area (EEA), the United Kingdom (UK), or Switzerland. If you are accessing the Service from outside these geographic locations, please be aware that these locations may not necessarily have equivalent privacy or data protection laws as those in your country. However, regardless of where your personal information is transferred, we will take all necessary measures to protect your personal information in accordance with this Policy, any applicable data exchange policies of our Customers, requirements of our Customer contracts, and applicable law.
XI. Data Privacy Framework
We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that MedaSystems adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that MedaSystems adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/.
See the list of entities that participate in the Data Privacy Framework here: https://www.dataprivacyframework.gov/list.
For the types of personal data collected, see Section II of this policy. The purposes for which we collect and use Personal Information can be found in Section V of this policy. For information on how to contact us with any inquiries or complaints, please see Section XVII of this policy. The type or identity of third parties to whom we disclose personal information can be found in Section IX of this policy (including responses to lawful requests from public authorities). For the rights of individuals to access their personal data, see Section XV.
We commit to subject all personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland to the DPF Principles in reliance on the relevant part(s) of the DPF program. By participating in the Data Privacy Framework, we are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) of the United States.
For disputes or complaints pertaining to data processed under the Data Privacy Framework, we use the independent dispute resolution panel established by the EU DPAs, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and the Swiss Federal Data Protection and Information Commissioner (FDPIC). Under certain conditions, individuals may also invoke a binding arbitration proceeding to resolve disputes.
XII. Data Retention Period
We keep your personal information only for as long as is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements) or by our contractual obligations to our Customers.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
XIII. Marketing
We will not use your personal information for marketing purposes without your consent. You may revoke or withdraw your consent at any time by contacting us at privacy@medasystems.com.
XIV. Information Pertaining to Minor Children
We do not knowingly collect data from individuals under 18 years of age. By using the website and the Service you represent that you are at least 18. If we learn that personal information has been collected from a user less than 18 years of age, we will deactivate the user account and take reasonable measures to delete such data from our records promptly.
However, the Service may be used to collect de-identified data related to requests for treatment on behalf of a minor. If you become aware of any data we may have collected from a minor (other than in connection with a request for treatment for that individual), please contact us at privacy@medasystems.com.
XV. Individual Data Protection Rights
A. General Rights
Individuals have the following rights pertaining to their personal information:
- The right to be informed of how their data is collected and processed
- The right of access to any of their data that has been collected
- The right of rectification to any inaccurate or incomplete data
- The right to erasure of any and all data
- The right to restrict processing to only certain types
- The right to opt out of receiving SMS messages for two-factor authentication (2FA) at any time
- The right to data portability, so that their data can be received in a structured, commonly used, machine-readable format and transmitted to another organization
- The right to object to the use of their data for specific processing activities
- Rights in relation to automated decision-making, so that decisions with legal or similarly significant effects are not made about the user based solely on automated processing
You may exercise these rights by emailing us at privacy@medasystems.com.
B. Rights of Individuals in the European Economic Area, the UK, or Switzerland
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland and you believe we are unlawfully processing your personal information, in addition to the general rights above, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/newsroom/article29/items/612080. If you are located in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.
C. Patient Requests About Information Stored by MedaSystems
If you are a patient whose physician requested expanded access treatment using the Service or who is currently receiving treatment, and you would like access to the information about you that has been provided by a User through the Service, contact privacy@medasystems.com, and we will assist you. We will correct, remove, or de-identify any information to the extent we are permitted to do so. However, please note, in all likelihood your physician is in the best position to share with you, or remove, any information about you that has been submitted through the Service.
XVI. Changes to Our Privacy Policy
We will update this notice as necessary to stay compliant with relevant laws. As such, we may update this Policy from time to time. The updated version will be indicated by an updated “Effective” date, and the updated version will be effective as soon as it is accessible.
If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your Information.
XVII. How to Contact Us
If you have questions or comments about this Policy, you may contact our Data Protection Officer (DPO) by email at privacy@medasystems.com, or by post at the following corporate address:
MedaSystems, Inc.
3475 Edison Way
Suite R
Menlo Park, CA 94025
United States
Phone: (408) 365-4246
If you live in the European Union, the United Kingdom, or Switzerland, you may contact our Local Representatives as follows:
EU - Ireland Representative
Instant EU GDPR Representative Ltd
2 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland
Adam Brogden
contact@gdprlocal.com
Tel: +353 15 549 700
EU residents may also submit a request online here: https://medasystemsinc.gdprlocal.com/eu
UK Representative
GDPR Local Ltd
1st Floor Front Suite, 27-29 North Street, Brighton, England BN1 1EB
Adam Brogden
contact@gdprlocal.com
Tel: +44 1772 217 800
UK residents may also submit a request online here: https://medasystemsinc.gdprlocal.com/uk
Swiss Representative
Data Protection Representative Limited (DataRep)
Leutschenbachstrasse 95, 8050 Zurich, Switzerland
datarequest@datarep.com
Swiss residents may also submit a request online here: www.datarep.com/data-request