FIRECREST Site Portal Privacy Notice

1. About this Privacy Notice

ICON plc. (of which Firecrest Clinical Solutions is a wholly-owned division thereof) (“Firecrest”, “we”, “us”, “our”) is committed to protecting your privacy.

This Privacy Notice is for users of the Firecrest Site Portal. We provide various technology solutions and services for sites and study teams via the Firecrest Site Portal.

2. Who is the controller of your personal information?

This Privacy Notice explains how ICON, as "controller", processes your personal information for the purposes of:

creating and maintaining your personal account within the Firecrest Site Portal; and
providing technical support in connection with your use of the Firecrest Site Portal.

This means that ICON decides how and why your personal information is used and processed for the above purposes only.

3. Is ICON controller of your study-related personal information?

No, ICON is not a controller of your personal information for the purpose of any specific studies or clinical trials ("Studies"). ICON makes the Firecrest Site Portal available for use in support of Studies conducted by ICON clients such as pharmaceutical companies ("Sponsors"). You may use your personal account in the Firecrest Site Portal to support your participation in these Studies. If you do so, the relevant Sponsor will be the “controller” of all Study-related personal information you submit through the Firecrest Site Portal after you create Firecrest Site Portal account.

4. What personal information do we collect about you?

“Personal information” is any information relating to you which allows you to be identified directly or indirectly. Personal information can include a name, an email address, an identification number or any other details that are specific to you.

Your decision to provide any personal information to us is voluntary. You will not be subject to negative consequences if you do not provide us with your personal information. However, if you choose not to provide us with your personal information, you will not be able to use the Firecrest Site Portal. This may impact your ability to participate in a Study.

If you provide (or permit us to collect) any personal information relating to another person, you are responsible for ensuring that:

this person is made aware of the information in this Privacy Notice; and
this person has given you their consent to you sharing their personal information with us.

Information we obtain from third parties. We may receive your full name, title, email address, telephone number, fax, country location, Study, role, Institution details, from the Sponsor of a Study. This is to enable us to create your Firecrest Site Portal account or to associate your existing account with a new Study. If you choose to utilize single sign on interfaces made available via the Firecrest Site Portal, we may receive your email address and other limited unique identifiers for the purposes of verifying the existence of your Firecrest Site Portal account and to otherwise ensure the integrity of our systems.

Information we obtain from you: We ask you to provide us with certain personal information to enable us to create your personal account within the Firecrest Site Portal. This may include:

Account log-in credentials such as your password for the Firecrest Site Portal;

Authentication data;

meta-data and time-stamped records to certify your completion of mandatory training prior to entering the Firecrest Site Portal for the first time;

Troubleshooting and support data, which is data you provide, or we otherwise collect, to support queries we receive from you. This may include your contact or authentication data, the content of your chats and other communications with us; and

Technical information about your device and your interactions with the Firecrest Site Portal, including your device ID, operating system name and version, browser type, device manufacturer and model, IP address, information about the dates and time your device accesses ICON’s servers, and what parts of the Firecrest Site Portal you use and visit.

5. How do we use your personal information?

We use your personal information only where required for specific purposes:

to create your personal account within the Firecrest Site Portal;
to maintain your personal account within the Firecrest Site Portal;
to respond to your inquiries;
to operate and provide support for your use of the Firecrest Site Portal, including so you can participate in the Studies leveraging the Firecrest Site Portal;
Server-side diagnostics and Firecrest Site Portal performance, including measuring website visits;
to manage and communicate with you regarding your Firecrest Site Portal account. This includes sending you service messages, updates, security alerts, and support messages; and
to comply with our legal obligations. For example, we are required by law to keep certain records for specific periods of time.

We will not use your personal information for purposes that are incompatible with the above purposes, unless it is required or authorized by law, or it is in your vital interest.

6. How will we share your personal information with third parties?

We may disclose personal information we collect about you to other parties:

External technical support providers - We may share your personal information with external service providers (data processors), that provide technical support on our behalf. This is to facilitate our interactions with you and support your use of the Firecrest Site Portal. For example, we share your personal information with Microsoft Azure B2C for system login and authentication purposes and Salesforce who provide our ticketing system.

To our affiliates and subsidiaries – We may share your personal information within our group of companies for the purposes described above.

For legal, security and safety purposes - We may have to share your personal information in response to authorized requests of government authorities or where required by law.

In connection with a corporate transaction - As part of any merger, sale, joint venture, transfer, or other disposal of all or any portion of our business (including as part of any bankruptcy or similar proceedings), we may transfer your personal information to other parties involved in these transactions. Under these circumstances, all parties will enter into a confidentiality agreement to protect personal information and must only use personal information for the purpose it was collected for in the first instance.

With your consent - We may share your personal information with other third parties with your consent.

7. Will we transfer your personal information internationally?

We (or our external service providers) may need to transfer your personal information internationally. This includes to the USA, Canada, United Kingdom, Ireland, Australia, Spain, Italy, Germany, France, Poland, Netherlands, Portugal, and where needed, to other countries too. We will only transfer your personal information for the purposes set out in "How do we use your personal information?". We implement appropriate measures to protect your personal information when we transfer your personal information outside of your home country, such as data transfer agreements that incorporate standard data protection clauses. The data privacy laws in the countries we transfer it to may not be the same as the laws in your home country.

We will apply appropriate safeguards to such transfers as required by applicable law. For example, transfers from the European Economic Area ("EEA") to non-EEA countries will usually be governed by EU-approved “Standard Contractual Clauses” and will be subject to other appropriate security measures. If you are in the EEA, you can obtain a copy of these safeguards by emailing us using our contact details below.

8. For how long do we keep your personal information?

We decide for how long to keep your personal information by looking at the length of our relationship with you, by looking at what is advisable in light of our legal position (due to statutes of limitations), and by looking at whether we need to keep your personal information to respond to or process a question or request from you. We also consider whether there is a requirement to keep your personal information for a period required by law and where we need to do so in connection with legal action or an investigation involving ICON.

We may collect information that is not personal information or convert personal information into information which can no longer be used to identify you (such as through aggregation or anonymization). When we do this, we may use and disclose that information for any purpose, as anonymized data is not covered under data protection laws.

9. How do we protect your personal information?

We use a variety of security measures and technologies to help protect your personal information. We carefully choose our service providers, and check they have security measures and technologies in place to protect your personal information.

However, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of transmissions over the internet, or of our databases. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using our details at the "Contact us" section below.

10. How do we use Cookies?

"Please see our Cookie Notice."

11. Contact us

You can submit questions, comments or requests to exercise your data protection rights to ICON's Data Protection Officer at data_privacy_officer@iconplc.com. You may also contact ICON's Data Protection Officer by writing to us at:

Global Data Protection Officer

ICON plc South County Business Park

Leopardstown

Dublin 18

D18 X5R3

Ireland

If you feel your data protection rights have been infringed by ICON, you have the right to complain to your local data protection supervisory authority.

If you reside in a non-EEA country, you can lodge a complaint to your national or State body regulating data protection. A good resource for details on data protection authorities from around the world is kept at https://pdpecho.com. We have also set out details on how to contact certain data protection authorities in the country / region-specific sections at the end of this Privacy Notice.

12. How do we update this Privacy Notice?

This Privacy Notice is not a contract, and it does not create any legal rights or obligations. ICON may make changes to this Privacy Notice. For instance, we may need to amend this Privacy Notice if there are changes to relevant laws. Where we have your contact details, we will notify you of any significant changes.

- - - - - - - - - - - - -

13. Additional information for your Jurisdiction

If you are in the European Union, please click here for additional information about your specific privacy rights.

EU DATA SUBJECTS

Why are we allowed to collect and use your personal information?

We use your personal information only where required for specific purposes. The table below sets out the purposes for which we use your personal information and our legal reason for using your personal information in this way.

Purpose	Legal Basis
To allow you to create your personal account within the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To maintain your personal account within the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To respond to your inquiries.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To operate and provide support for your use of the Firecrest Site Portal, so you can participate in the Studies hosted on the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To manage and communicate with you regarding your Firecrest Site Portal account. This includes by sending you service messages, technical notices, updates, security alerts, and support and administrative messages.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To comply with our legal obligations. For example, we are required by law to keep certain records for specific periods of time.	Compliance with a legal obligation.

What are your rights in respect of your personal information?

You have rights in respect of your personal information. The rights available to you depend on our reason for processing your personal information and the local law in your country, and there are exceptions to some rights. Depending on this, you may have:

The right to be informed – if we are processing your personal information, we must inform you of who is processing your personal information, why, how long we will retain it for, and if we are transferring the data to another country.

The right to withdraw consent – if we are processing your personal information on the basis of your consent, you are entitled to withdraw your consent to that processing at any time. If you withdraw your consent, this will not mean any processing we carried out prior to your withdrawal is invalid.

The right of access to your personal information – you can request a copy of the personal information we hold about you.

The right to rectification – you have the right to request that we correct any inaccuracies in the personal information we hold about you and complete any personal information where this is incomplete.

Right to erase your personal information (right to be forgotten) - You have the right to be forgotten in certain circumstances including, for example, where the personal information are no longer needed for the purpose for which they were collected. However, this right does not apply where, for example, processing is necessary to comply with a legal obligation, or for the establishment, exercise or defence of legal claims.

The right to restrict the processing of your personal information - You have the right to ask us to restrict certain processing activities in some circumstances, including, for example, where you challenge the accuracy of the information. Where processing has been restricted, we can only process it for limited purposes such as, for example, the establishment, exercise or defence of legal claims.

The right of data portability - You have the right to have your personal information returned to you or to a third party in certain cases.

The right to object – You have a right to object to the processing of your personal information in certain cases. In such a case we will stop processing your personal information unless we can demonstrate compelling legitimate grounds which override your interest.

To exercise these rights, please follow this link and complete the Data Subject Rights Form or contact us using our contact details in the "Contact Us" section.

If you are a United States resident, please click here for additional information about your specific privacy rights.

UNITED STATES DATA SUBJECTS

You have rights in respect of your personal information. The rights available to you depend on our reason for processing your personal information and the laws in your state, and there are exceptions to some rights. Depending on this, you may have the right to:

obtain confirmation that we hold certain personal information relating to you and the corresponding processing activities, and to verify its content, origin, and accuracy;
access, review, port, delete or anonymize, or to block or withdraw consent to the processing of certain personal information (without affecting the lawfulness of processing based on consent before withdrawal of your consent);
request information about third parties with whom we have shared your personal information;
where relevant, request review of decisions based solely on automated data processing;
where relevant, object to our use of personal information for direct marketing and in certain other situations at any time.

Contact us for more details using our details in the "Contact Us" section. Please note that we need to retain certain personal information as required or permitted by applicable law.

We do not sell your personal information and will not do so without providing you with notice and an opportunity to opt-out of such sale as required by law. We do not engage in targeted advertising.

Notice to California Residents

If you reside in California, we are required by California law to provide you with additional information about how we use and disclose your personal information, and you may have additional rights with regard to how we use your personal information. We have included this California-specific information below.

Categories of Personal Information

Consistent with Section 4 (What personal information do we collect about you?), we may collect certain categories and specific pieces of information about California residents that are considered "personal information" under California law ("CA Personal Information"). Specifically, we may collect identifiers, customer records information, and Internet or other electronic network activity information.

Sources of Personal Information

The sources of your CA Personal Information are in Section 4 (What personal information do we collect about you?).

Uses of Personal Information

The purposes for which we collect CA Personal Information are detailed in Section 5 (How do we use your personal information?).

Sharing Personal Information

The categories of third parties to whom we disclose your CA Personal Information for a business purpose are detailed in Section 6 (How will we share your personal information with third parties?).

Retention of CA Personal Information

We retain your CA Personal Information as detailed in Section 8 (For how long do we keep your personal information?).

California Consumer Rights

If you are a California resident, you have rights in respect of your personal information, and there are exceptions to some rights. Depending on this, if you are a California resident, you may exercise the following rights:

Right to Know. You have the right to request information about the categories of CA Personal Information we have collected about you, the categories of sources from which we collected the CA Personal Information, the purposes for collecting the CA Personal Information, the categories of third parties with whom we have shared your CA Personal Information, and the purpose for which we shared your CA Personal Information. You may also request information about the specific pieces of CA Personal Information we have collected about you. You also have a right to receive information about the CA Personal Information about you that we have "sold" to or “shared” (as such terms are defined under California law) with third parties within the past 12 months.

Right to Delete. You have the right to request that we delete CA Personal Information that we have collected from you.

Right to Correction. You have the right to obtain correction of your CA Personal Information.

Right to Transfer. You have the right to request a transfer of your CA Personal Information to another entity to the extent technically feasible, in a structured, commonly used, machine-readable format.

Limit the Use of Sensitive Personal Information. You have the right to limit the use and disclosure of your sensitive CA Personal Information.

Right to Opt Out. You have the right to opt out of the sale and / or sharing of your CA Personal Information. However, we do not currently sell your CA Personal Information. Should this change at any point in future we will update this Privacy Notice, notify you of any changes, and provide you with the appropriate mechanism to exercise your right to opt-out from the sale of your CA Personal Information. You also have the right to opt-out of being subject to automated decision-making processes, including profiling. However, we do not currently engage in such practices.

You may submit a request to exercise your Californian privacy rights by following this link and completing the Data Subject Rights Form or using our contact details in the "Contact Us" section. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.

Verification. In order to exercise your rights, we will need to obtain information to locate you in our records or verify your identity depending on the nature of the request. When making a request, please provide the following information: first and last name; email address; and type of request you are making.

Authorized Agents. If you choose an authorized agent to make a request on your behalf, they must provide appropriate documentation including written signed permission from you, proof of your identity, and verification of their identity; or a valid, designated power of attorney as defined under the California Probate Code.

Timing. We will respond to requests to delete and requests to know within 45 calendar days, unless we need more time. If this is the case, we will notify you and may take up to 90 calendar days in total to respond to your request.

If you are in Canada, please click here for additional information about your specific privacy rights.

CANADIAN DATA SUBJECTS

Why are we allowed to collect and use your personal information?

We use your personal information only where required for specific purposes. The table below sets out the purposes for which we use your personal information and our legal reason for using your personal information in this way.

Purpose	Legal Basis
To allow you to create your personal account within the Firecrest Site Portal.	Based on your consent
To maintain your personal account within the Firecrest Site Portal.	Based on your consent
To respond to your inquiries.	Based on your consent
To operate and provide support for your use of the Firecrest Site Portal, so you can participate in the Studies hosted on the Firecrest Site Portal.	Based on your consent
To manage and communicate with you regarding your Firecrest Site Portal account. This includes by sending you service messages, technical notices, updates, security alerts, and support and administrative messages.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To comply with our legal obligations. For example, we are required by law to keep certain records for specific periods of time.	Compliance with a legal obligation.

You have the right not to give consent and the right to withdraw consent at any time by contacting us using the contact details in the "Contact Us" section.

Consent to the Collection, Use, and Disclosure of Personal Information: By using our services, you represent to ICON that you have reached the age of majority in the Canadian province in which you live, and this means you can lawfully enter into agreements with ICON and provide your informed and express consent to ICON's collection, use, and disclosure of your personal information. If you have not reached the age of majority in your province of residence, you must not use or access our services or otherwise share your personal information with us, unless your parent (or another person who can lawfully give or refuse consent) has provided us with express consent on your behalf.

Your Privacy Rights: Depending on where you live, you may have certain rights in respect of your personal information. This includes the right to request access to or deletion of your personal information, and the right to withdraw consent at any time. You may also have the right to ask for a copy of the personal information that we hold about you. To exercise any such rights, or to appeal our decisions in response to your exercise of rights, please follow this link and complete the Data Subject Rights Form or contact us using the contact details in the "Contact Us" section.

Accuracy of Personal Information: We will keep your personal information as accurate, complete and up-to-date as necessary for the purposes for which it is to be used under this Privacy Notice.

If you are in South Africa, please click here for additional information about your specific privacy rights.

SOUTH AFRICAN DATA SUBJECTS

Where the personal information relating to an individual is processed in South Africa, the Protection of Personal Information Act, 2013 (POPIA) may apply.

Why are we allowed to collect and use your personal information?

We use your personal information only where required for specific purposes. The table below sets out the purposes for which we use your personal information and our legal reason for using your personal information in this way.

Purpose	Legal Basis
To allow you to create your personal account within the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To maintain your personal account within the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To respond to your inquiries.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To operate and provide support for your use of the Firecrest Site Portal, so you can participate in the Studies hosted on the Firecrest Site Portal.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To manage and communicate with you regarding your Firecrest Site Portal account. This includes by sending you service messages, technical notices, updates, security alerts, and support and administrative messages.	Performance of a contract between you and ICON (i.e. the Firecrest Site Portal Terms of Use)
To comply with our legal obligations. For example, we are required by law to keep certain records for specific periods of time.	Compliance with a legal obligation.

What are your rights in respect of your personal information?

You have the following rights under POPIA in relation to your personal information, and there are exceptions to some rights. You can exercise these rights by following this link and completing the Data Subject Rights Form or contacting us using the contact details at the "Contact Us" section:

The right to access to your personal information - you can request a copy of the personal information we hold about you and to check that we are lawfully processing it.

The right to rectification – you have the right to request that we correct any inaccuracies in the personal information we hold about you and complete any personal information where this is incomplete, though we may need to verify the accuracy of the new personal information you provide to us.

The right to erasure - you have the right to ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your personal information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

The right to object to the processing of your personal information - you have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to the processing of your personal information as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, save for processing of your personal information for direct marketing purposes, we may demonstrate that we have compelling legitimate grounds to process your personal information which override your rights and freedoms.

The right to request restriction of the processing of your personal information - you have the right to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the accuracy of your personal information; (b) where our use of your personal information is unlawful but you do not want us to erase it; (c) where you need us to hold the personal information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal information but we need to verify whether we have overriding legitimate grounds to use it.

The right to withdraw your consent - if we are processing your personal information on the basis of your consent, you are entitled to withdraw your consent to that processing at any time. If you withdraw your consent, this will not mean any processing we carried out prior to your withdrawal of consent is invalid.

What should you do if you want to make a complaint?

If you feel your data protection rights have been infringed by ICON, you have the right to complain to your local data protection supervisory authority, in this case the Information Regulator at:

Complaints email:	POPIAComplaints.IR@justice.gov.za
Physical address:	JD House
	27 Stiemens Street
	Braamfontein
	Johannesburg
	2001
Postal address:	P.O.Box 31533
	Braamfontein
	Johannesburg
	2017

If you are in Australia, please click here for additional information about your specific privacy rights.

AUSTRALIAN DATA SUBJECTS

Under Australian laws, "personal information" means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual who is reasonably identifiable. The following rights will apply to our collection, storage and use of your personal information. These are in addition to the rights outlined above:

Right to know: You have the right to request access to the personal information we have collected about you and request any correction. You may do this by following this link and completing the Data Subject Rights Form or through using our contact details at the "Contact Us" section.

Breach of Australian Privacy Principles: Where there has been unauthorised access to, or unauthorised disclosure of personal information which is likely to result in serious harm to individuals, we will notify the Office of the Australian Information Commissioner, and affected individuals, as required by law.

Right to complain: If you have any concerns or complaints about how we handle your personal information, or if you have any questions about this policy, please contact us using our contact details in the "Contact Us" section. In most cases we will ask that you put your request in writing to us. We will investigate your complaint and will use reasonable endeavours to respond to you in writing within 30 days of receiving the written complaint. If we fail to respond to your complaint within 30 days of receiving it in writing or if you are dissatisfied with the response that you receive from us, you may have the right to make a complaint to the applicable regulator. In Australia you can make a complaint to the Office of the Australian Information Commissioner through www.oaic.gov.au .

Opt-out: If you choose not to provide us with any personal information, please inform us at data_privacy_officer@iconplc.com. If you choose not to provide us with your personal information, you will not be able to use the Firecrest Site Portal which may impact your ability to participate in a Study.

If you are a New Zealand resident, please click here for additional information about your specific privacy rights.

NEW ZEALAND DATA SUBJECTS

If you are a New Zealand resident, you have the following rights in respect of your personal information:

Right of access to your personal information - you may request a copy of the personal information we hold about you.

Right of correction - you may request that we correct any personal information that we hold about you. If we refuse to make the correction, and you have provided us with a statement of correction, we will take steps reasonable in the circumstances to ensure that such statement of correction will always be read with the relevant personal information.

You may submit a request to exercise your privacy rights to us by following this link and completing the Data Subject Rights Form or using our contact details in the "Contact Us" section.

You also have the right to complain to the New Zealand Office of the Privacy Commissioner. For more information, see the Office of the Privacy Commissioner’s website at: https://www.privacy.org.nz/your-rights/making-a-complaint/.

Firecrest Site Portal Privacy Notice