Elucid Privacy Shield-Compliant Privacy Policy Statement 

Last updated July 30th 2021 

Elucid Bioimaging Inc., (“Elucid,” “we,” “our,” and “us”), complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) from European Union member countries and Switzerland. Elucid has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this Elucid Bioimaging Inc. Privacy Shield Policy (“Privacy Shield Policy”) and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. 

Definitions 

“Data Subject” means the individual to whom any given Personal Data covered by this Privacy Shield Policy refers. 

“Personal Data” means any information relating to an individual residing in the European Union and Switzerland that can be used to identify that individual either on its own or in combination with other readily available data. 

“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life. 

Scope and Responsibility 

Data processed: Elucid Bioimaging complies with the Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from EEA member countries and Switzerland to the U.S. pertaining to: 

Customer Data: 

We may collect Personal Data from individual customers when they purchase our products/services, visit our websites (including www.elucidbio.com) (“Site”), register on our Site, utilize other activities, services, features, or resources we make available on our Site, or when they request information or otherwise communicate with us. 

The Personal Data we collect may vary based on the individual customer’s interaction with our Site, other requests for services, and other means of communication. As a general matter, Elucid Bioimaging collects the following types of Personal Data from its individual customers: name, email address, mailing address, phone number, company and job title. Elucid Bioimaging does not collect any Sensitive Personal Data from its customers. Users of our website may, however, visit our Site anonymously. We will collect Personal Data from customers only if they voluntarily submit such information to us. Customers can always refuse to supply Personal Data, except that it may prevent them from engaging in certain Site related activities. 

We may collect non-personal identification information about Site users whenever they interact with our website. Non-personal identification information may include the browser name, the type of computer and technical information about Site users means of connection to our website, such as the operating system and the Internet service providers utilized and other similar information. 

Our Site may use “cookies” to enhance user experience. User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly. 

How we use customer data: 

Elucid Bioimaging Inc. may collect and use customers’ Personal Data for the following purposes: 

  • To deliver and provide products/services, to maintain and support our products, to comply with our contractual obligations related thereto, or to communicate for the purpose of engaging in contractual relations 
  • To register with our Site 
  • To improve our Site – We continually strive to improve our website offerings based on the information and feedback we receive from you. 
  • To improve customer service – Your information helps us to more effectively respond to your customer service requests and support needs. 
  • To send periodic emails – The email address customers provide will only be used to respond to their inquiries, and/or other requests or questions. Customers will only be sent marketing material if they provide their consent to the receipt of such material. 
  • To otherwise comply with applicable legal or regulatory requirements 
  • If we use your Personal Data for a purpose that is materially different than the purpose for which it was collected, we will provide you with the opportunity to opt out. 

How we protect customer data: 

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored 

on our infrastructure. Any sensitive private data exchange is transmitted over an encrypted SSL secured communication channel. 

“Protected Health Information” is protected in two ways. First, secure SSL certificates validated by 3rd parties are used for network transfer, and second, data identifiers are separated between data and identifying information linked by anonymized keys. 

Personal Health Information 

Elucid Bioimaging sells medical image processing software. For certain Elucid Bioimaging products, Elucid Bioimaging serves as a service provider, which may require remote access from the United States to Personal Health Information (PHI) and/or Personal Identification Information of customers’ patients in the EEA and Switzerland. In such cases, we are acting as a data processor. We will process the PHI on behalf of and under the direction of the data controller and will process PHI only as needed to provide technical support services and fulfill contractual obligations. 

How we protect Personal Health Information: 

We have implemented physical, administrative and technical measures and have trained our employees on the necessity of confidentiality. 

Elucid Bioimaging prohibits the practice of transferring, using and storing PHI and PII. Should the need arise to temporarily handle PHI or PII, Elucid Bioimaging adheres to strict data confidentiality procedures implemented within the company to de-identify PHI and PII data. Elucid Bioimaging commits to compliance with strict data confidentiality principles and practice and has implemented measures to assist customers with compliance to data security requirements. 

Elucid Bioimaging has implemented stringent requirements within the company to handle PHI and PII data if made available or obtained by company. Training on procedural instructions specifying how to handle confidential data (such as PHI) is provided to applicable employees, who also sign a statement confirming their understanding of the requirements. Elucid Bioimaging assists customers in securely transferring confidential data via an encrypted SSL transmission to the company, if there is a concern with the product. The strict Company policy is to de-identify PHI data, removing patient identifying information, prior to transmitting securely via SSL encryption, which is stored in secure servers. In addition to these measures, the company has a robust firewall to electronically protect company computers and servers, with access strictly restricted to authorized personnel only with unique login credentials. 

Third Parties 

We do not sell, trade, or rent Personal Data to any other third parties. We may transfer Personal Data to third party agents or service providers for the purposes outlined above. Where required by Privacy Shield, we enter into strict confidentiality agreements with 

those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EEA and Swiss Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. 

We may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them, unless the third party is directly responsible contractually or in tort liability for the event giving rise to the damage. 

Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security, law enforcement, or other governmental requirements. 

Privacy Shield Principles 

Elucid commits to subject to the Privacy Shields’ Principles all Personal Data received by Elucid in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework. 

1. Notice 

Elucid notifies Data Subjects covered by this Choice Privacy Shield Policy about its data practices regarding Personal Data received by Elucid in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Elucid offers for limiting its use and disclosure of such Personal Data, how Elucid’s obligations under the Privacy Shield are enforced, and how Data Subjects can contact Elucid with any inquiries or complaints. 

2. Choice 

If Personal Data covered by this Privacy Shield Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, Elucid will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: info@elucidbio.com 

If Sensitive Personal Data covered by this Privacy Shield Policy is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently 

authorized, or is to be disclosed to a third party, Elucid will obtain the Data Subject’s explicit consent prior to such use or disclosure. 

3. Accountability for Onward Transfer 

In the event we transfer Personal Data covered by this Privacy Shield Policy to a third party acting as a controller, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Elucid has knowledge that a third party acting as a controller is processing Personal Data covered by this Privacy Shield Policy in a way that is contrary to the Privacy Shield Principles, Elucid will take reasonable steps to prevent or stop such processing. 

With respect to our agents, we will transfer only the Personal Data covered by this Privacy Shield Policy needed for an agent to deliver to Elucid the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Elucid’s obligations under the Privacy Shield Principles; and (iv) require the agent to notify Elucid if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing. 

Elucid remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where Elucid is not responsible for the event giving rise to the damage. 

4. Security 

Elucid takes reasonable and appropriate measures to protect Personal Data covered by this Privacy Shield Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data. 

5. Data Integrity and Purpose Limitation 

Elucid limits the collection of Personal Data covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. Elucid does not process such Personal Data in a 

way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject. 

Elucid takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Elucid takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes Elucid’s obligations to comply with professional standards, Elucid’s business purposes and unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such Personal Data. 

6. Access 

Data Subjects whose Personal Data is covered by this Privacy Shield Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: info@elucidbio.com 

7. Recourse, Enforcement, and Liability 

Elucid’s participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks are subject to investigation and enforcement by the Federal Trade Commission. 

In compliance with the Privacy Shield Principles, Elucid commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact Elucid at: info@elucidbio.com 

Elucid has further committed to refer unresolved privacy complaints under the EU-U.S., Swiss-U.S., and Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. 

Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce, the European Commission, and the Swiss Commission. 

Elucid agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Elucid acknowledges that its failure to provide an annual self-certification to the U.S. 

Department of Commerce will remove it from the Department’s list of Privacy Shield participants. 

Changes to this Privacy Shield Policy 

This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield.