Privacy Policy

At AlvaMed, Inc. (“AlvaMed,” “we,” “us,” or “our”), we are committed to safeguarding the privacy of our clients, partners, and website users. As a consultancy specializing in compliance, regulatory affairs, and clinical services within the life science industry sector, we handle personal and business information with care and in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

This Privacy Policy explains how we collect, use, share, and protect personal information in our different capacities:

• When AlvaMed acts as a Data Controller: This is typically when we process personal data for our own business purposes, such as managing client relationships, marketing our services, processing data of our website visitors, and managing our personnel.
• When AlvaMed acts as a Data Processor: This is when we process personal data on behalf of our clients as part of the expert consulting services we provide to them. In these cases, our client is the Data Controller.

PART A: ALVAMED AS A DATA CONTROLLER

This section applies when AlvaMed determines the purposes and means of processing your personal data.

A.1. Information We Collect as a Data Controller

When acting as a Data Controller, we may collect and process the following types of personal information:

• Identification and Contact Data: Names, job titles, email addresses, phone numbers, postal addresses, and professional credentials of our clients’ representatives, potential clients, partners, and website users.
• Website Usage Data: IP addresses, browser types, operating system, referring URLs, pages viewed, and dates/times of website visits, collected to improve our website and services. This may involve the use of cookies (please see section A.7 “Cookies and Website Data”).
• Communication Data: Records of our communications with you (e.g., emails, meeting notes).
• Marketing and Engagement Data: Information about your preferences for receiving marketing communications, your interactions with our marketing materials, and event attendance.
• Recruitment Data: Information provided by candidates applying for roles at AlvaMed.

A.2. How We Use Your Information and Our Legal Bases for Processing as a Data Controller

We process this information for the following purposes and based on the following legal grounds:

• To Manage Our Client and Business Relationships: Using identification, contact, and communication data to manage our contracts, provide customer support, and for administrative purposes (Legal Basis: Contractual Necessity, Legitimate Interests).
• For Marketing and Business Development: Using contact and engagement data to send you information about our services, industry insights, or events, where permitted by law or with your consent (Legal Basis: Legitimate Interests, Consent).
• To Improve Our Website and Services: Analyzing website usage data to understand how our website is used and to enhance user experience (Legal Basis: Legitimate Interests, or Consent for certain cookies).
• For Recruitment: Processing recruitment data to assess suitability for roles at AlvaMed (Legal Basis: Legitimate Interests, steps prior to entering a contract).
• To Comply with Legal Obligations: Processing data as required by law (e.g., for tax or accounting purposes) (Legal Basis: Legal Obligation).

A.3. Data Sharing and Disclosure as a Data Controller

When acting as a Data Controller, we share information only under the following circumstances:

• Authorized Personnel: Internally, with AlvaMed personnel who need access to the information to perform their duties.
• Third-Party Service Providers: We may engage trusted third-party service providers to support our operations (e.g., IT hosting, CRM systems, marketing automation tools, analytics providers, legal counsel). These providers are contractually bound to protect your information and process it only for the purposes we specify.
• Legal Requirements: If required by law, court order, or other legal process.

AlvaMed does not sell personal information collected when acting as a Data Controller.

A.4. Data Security (Controller Activities)

We apply the data security commitments outlined in Section C.1 (“Data Security”) to all personal data we process as a Data Controller.

A.5. Data Retention (Controller Activities)

We retain personal information collected as a Data Controller only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods include the nature of the data, the purposes for which it is processed, and applicable legal or regulatory obligations.

A.6. Your Data Protection Rights (When AlvaMed is the Data Controller)

When AlvaMed is the Data Controller for your personal data, you have significant rights under applicable laws such as GDPR. These may include the right to:

• Access: Request access to the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure (Right to be Forgotten): Request deletion of your personal data under certain conditions.
• Restrict Processing: Request that we limit the processing of your personal data under certain circumstances.
• Data Portability: Request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
• Object to Processing: Object to the processing of your personal data when it is based on our legitimate interests or for direct marketing purposes.
• Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.
• Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.

To exercise any of these rights concerning data for which AlvaMed is the controller, please contact us at [email protected].

A.7. Cookies and Website Data (Controller Activities)

Our website may use cookies and similar technologies as described in Section C.2 (“Cookies and Website Data”). We are the Data Controller for personal data collected through these technologies for our own website analytics and functionality.

A.8. International Data Transfers (Controller Activities)

Personal data we control may be processed in countries outside of your country of residence, as outlined in Section C.3 (“International Data Transfers”).

A.9. Data Breach Notification (Controller Activities)

In the event of a personal data breach affecting data for which we are the Controller, we will follow the notification procedures outlined in Section C.4 (“Data Breach Notification”).

PART B: ALVAMED AS A DATA PROCESSOR

This section applies when AlvaMed processes personal data on behalf of and under the instruction of our clients (who are the Data Controllers) as part of delivering our consulting services.

B.1. Scope of Processing as a Data Processor

As a Data Processor, AlvaMed processes personal data provided by our clients or collected on their behalf strictly for the purpose of providing the contracted consulting services. These services may include compliance support, regulatory affairs assistance, and clinical services within the life science industry sector.

Our clients, as Data Controllers, are responsible for ensuring they have a lawful basis for the processing of such personal data and for providing necessary privacy information to individuals. Our processing activities are governed by contractual terms with our clients.

B.2. Information We Process as a Data Processor

The types of personal data we process on behalf of our clients may vary depending on the engagement but can include:

• Client Service Data: Business-related documentation, information for regulatory filings, and data related to clinical studies (including potentially sensitive patient data or data of research subjects if provided by the client for processing under their instruction).
• Any other personal data our clients entrust to us for processing in the context of the agreed services.

B.3. How We Use Information as a Data Processor

We process this client-provided data solely:

• To deliver the expert consulting services requested by our client.
• In accordance with the instructions of our client (the Data Controller).
• As stipulated in the contractual agreement with our client.

B.4. Confidentiality and Disclosure as a Data Processor

All personal data processed on behalf of our clients is treated as confidential. We will not disclose this data to third parties except:

• As instructed or permitted by our client (the Data Controller).
• To authorized sub-processors engaged in accordance with our contractual agreement with the client (see Section B.5).
• As strictly required by law, in which case we will, where legally permitted, inform our client of such a requirement.

B.5. Sub-processors

We may engage third-party sub-processors to assist in providing services to our clients. Any such sub-processing will be done in compliance with our contractual obligations to our clients, including any requirements for client notification or consent, and ensuring that sub-processors are bound by appropriate data protection obligations.

B.6. Data Security (Processor Activities)

We apply the data security commitments outlined in Section C.1 (“Data Security”) to all personal data we process on behalf of our clients. Specific security measures may also be governed by our contractual agreement with the client.

B.7. Assistance to Data Controllers

Where AlvaMed acts as a Data Processor, we will, to the extent reasonably possible and as required by our contractual agreements, assist our clients (the Data Controllers) in fulfilling their obligations under applicable data protection laws. This may include assistance with:

• Responding to Data Subject Rights requests related to the data we process on their behalf.
• Data security and data breach notifications.
• Data Protection Impact Assessments (DPIAs), where relevant.

Individuals should direct any requests to exercise their data protection rights concerning data processed by AlvaMed on behalf of a client to that client (the Data Controller) in the first instance.

B.8. Data Retention and Deletion (Processor Activities)

Upon termination of our services to a client, or as otherwise instructed by the client and in accordance with our contractual agreement, we will return or securely delete the personal data we processed on their behalf, unless retention is required by law.

PART C: GENERAL PROVISIONS (APPLICABLE TO BOTH CONTROLLER AND PROCESSOR ACTIVITIES)

C.1. Data Security

We are committed to protecting the security of all personal information we process, whether as a Controller or a Processor. We implement appropriate technical and organizational measures to safeguard data from unauthorized access, use, disclosure, alteration, or destruction. These measures include, but are not limited to, access controls, encryption where appropriate, secure data storage solutions, and staff training on data protection. However, no method of transmission over the Internet or electronic storage is 100% secure.

C.2. Cookies and Website Data

Our website (e.g., www.alvamed.com) may use cookies (small text files placed on your device) and similar technologies to collect website usage data to help us analyze trends, administer the site, track users’ movements, and gather demographic information. Where required by law, we will ask for your consent before placing non-essential cookies. You can typically manage cookie preferences through your browser.

C.3. International Data Transfers

Personal information we process may be transferred to, stored, and processed in countries outside of your country of residence, including the United States. Data protection laws may differ. If we transfer personal data subject to the GDPR outside the European Economic Area (EEA), we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

C.4. Data Breach Notification

In the event of a personal data breach, we will take steps to notify the relevant supervisory authority and affected individuals as required by applicable law (including GDPR). When acting as a Processor, we will notify the relevant client (Controller) without undue delay upon becoming aware of a breach affecting their data.

C.5. External Links

Our website may contain links to external sites. We are not responsible for the content or privacy practices of these third-party sites.

C.6. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time. Any changes will be posted on this page with an updated effective date.

C.7. Contact Us

If you have any questions about this Privacy Policy or our data protection practices:

If you are a client and have inquiries related to data where AlvaMed is acting as your Data Processor, please refer to the contact details and procedures outlined in your service agreement with us, or contact your primary AlvaMed representative.

For inquiries related to data where AlvaMed is the Data Controller, or for general inquiries, please contact us at: [email protected].