This Privacy Policy describes how Pregistry processes Personal Data/ personal Information/ Health Information pertaining to natural persons that have enrolled in its studies as participants as well as website visitors. This includes how such data/ Information is collected, stored, accessed, processed, and shared.

This Privacy Policy is provided to you, in line with the following applicable Personal Data Protection Legislation:

● Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from 25 May 2018, having replaced the previous Directive 95/46/EC.

● Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;

● The California Consumer Privacy Act 2018 (CCPA), assembly Bill of the State of California, United States of America, No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the Governor on 28 June 2018. Filed with the Secretary of State on 28 June 2018 and enforceable since 01 January 2020.

● The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule such as health plans, health care clearinghouses, and those health care providers that conduct certain support services, mainly where the natural person is entitled to not allow his/ her Personal Data/ Health Information to be shared with those entities (as an example, any medical expenses paid for the natural person directly do not have to be informed to the health plan provider). These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

The primary goal of processing Personal Data is to allow Pregistry the identification of those natural persons who have joined Pregistry’s studies (as participants) on their own free will and initiative.

Notwithstanding the above-mentioned, study participants may decide to use an alias, meaning not submitting real Personal Data. Pregistry points out that, depending on which Personal Data the Participant choses to use an alias, there may be an impact on the accuracy of the study results; as an example, whereas registering under a different name than the one pertaining to the Participant is innocuous in terms of impact in the study, not disclosing the correct date of last menstrual period or gestational age may negatively impact the study findings.

Pregistry (the organization and its staff members) is aware that Personal Data/ Health Information may represent a risk towards you if accessed by unauthorized third parties. A set of policies, operational processes, and mechanisms (technological and human-based) have been developed, ensuring that the Personal Data entrusted by you to Pregistry will be maintained, handled, and shared in a manner that warrants its security, accuracy, confidentiality, and privacy, hence assuring your Personal Data protection.

Personal Data is exclusively Processed under the scope and purpose of the services described on this Privacy Policy (meaning each study).

With regards to website visitors, Pregistry resorts to Cookies (please check the Cookie Management tool) and, in some cases, the gathered Data may end up enabling the identification of the natural person who has accessed the website (the Data Subject); nevertheless, in so being and since the website visitors have the possibility to disable non-essential cookies, Pregistry acts under Legitimate Interest with the regards to these Personal Data Processing activities or, in jurisdictions where Legitimate Interest does not apply as a valid Legal Basis, the free initiative of the website visitor while fully informed and aware of the Processing that will occur, allows arguing Consent as the applicable Legal Basis.

Every data subject maintains full control over their Personal Data (and, where applicable, their offspring’s), as well as the Personal Data processing activities undertaken by Pregistry (as defined under applicable Personal Data Protection Legislation or specifically the GDPR, where the regime is more protective of the data subject’s rights).

Applicability

Pregistry reserves the right to modify this Privacy Policy at any time by posting updated time-stamped versions on its websites.

The Data Controller

Pregistry is a United States-based company that conducts epidemiological studies on a variety of topics, including the safety of COVID-19 vaccines and therapeutics on pregnant women and their offspring.

Currently, Pregistry is conducting three studies:

● COVID-19 Vaccines International Pregnancy Exposure Registry (C-VIPER) (NCT04705116, EUPAS39096). The objective of this study is to assess the effect of COVID-19 vaccination during pregnancy on obstetric, perinatal, and postnatal outcomes.

● COVID-19 International Drug Pregnancy Registry (COVID-PR). (ENCePP: EUPAS42517 / Clinicaltrials.gov: NCT05013632) The objective of this study is to assess the effect of specific newly-developed COVID-19 medications during pregnancy on obstetric, perinatal, and postnatal outcomes.

● Pregistry International Pregnancy Exposures Registry (PIPER) (NCT05352256, EUPAS46841) To provide early signal of risk after prenatal exposure to medications and vaccines and to define their boundary of safety.

Participants may enroll in one or more studies simultaneously.

Pharmaceutical companies which hold the marketing authorization of either COVID-19 vaccines or therapeutics indicated for COVID-19 may act as financial contributors to a particular study ; however, even in those cases, Personal Data pertaining to participants is never shared by Pregistry with those entities.

All questions or requests regarding the processing of the Personal Data under Pregistry’s control or processing may be addressed to dpo@pregistry.com.

Pregistry’s Data Protection Officer (DPO) contact information:

Mr. Rui Serrano
Country: Portugal
Phone number: +351932579434
Email: dpo@pregistry.com

Pregistry Core Activity – Service Catalogue and Legal Basis

Pregistry’s service consists of allowing pregnant women to enroll in its studies and to provide information and support to those participants.

Under this scope, Pregistry’s Service Catalogue includes the following services and applicable “Legal Basis” for processing Personal Data (respectively):

Study Participant Enrollment

Screening questions are posed to those natural persons who wish to become participants to qualify them as valid contributors or not.

A form is then made available for those natural persons to input their data. The data subject provides a name, phone number and creates a user login (username [email] and a password) and then Pregistry sends a One Time Password (OTP) consisting of a 6-digit code that they need to enter in order to continue to read and understand the Consent Form.

Registered users are then re-directed to the “Profile” stage where they are asked to enter information related to the specific study.

Required Personal Data consist of:

● Name
● Email 1
● Email 2 (Optional)
● Enrolment ID
● Age
● Preferred Language
● Time Zone
● Phone number
● Phone number 2 (Optional)
● Source
● IP Address
● Consent
● Consent name
● Login (password)
● Organization
● Geolocation
● Region
● Country
● City
● Postal Code
● Medical History (Optional)
● Race/Ethnicity
● Call recordings

Reporting Adverse Events

Study participants may at will report adverse events they have experienced (which may or not be causally related to a COVID-19 vaccine or therapeutic indicated for COVID-19), as this is one of the main goals of the studies conducted by Pregistry.

The study participant may report adverse events in scheduled questionnaire modules or, at any time, using a button on the study website for logged-in participants.

Similarly, participants may upload their redacted medical records (and those of their offspring), as medical records are used to improve the accuracy and validity of the information.

Newsletters

Sending out newsletters to those natural persons who have shown interest in receiving them (regardless of participation status in a study).

Processing (Treatment) over Personal Data

Gathering/ Collection

Pregistry exclusively gathers Personal Data directly from the data subjects, at study enrollment and through the data subject’s actions on the platform.

When a data subject uses the Pregistry website, a session cookie file may be placed on their browser device.

Pregistry only uses cookies that record information about the IT architecture and landscape of the device being used by the visitor (e.g., browser, device, etc.); however, that visitor is never identified personally (as a data subject).

IP addresses are exclusively cross-referenced with other data for the purpose of safeguarding both Pregistry, the study results, and the participants from fraud attempts.

For detailed information about cookies in use and similar employed technologies please refer to the Cookies Policy.

Storing

Pregistry is a digital company and Personal Data it requires to operate is exclusively maintained in digital format on its IT systems hosted in the European Union at Amazon Web Services (AWS). Fully anonymized information is hosted in AWS data centers in the United States.

Data in transit and at rest are encrypted. This guarantees their security and confidentiality

Personal Data Sharing

Pregistry only shares fully anonymized data. Pregistry never shares any identifiers that constitute Personal Data.

Recordings

In addition to the interaction over the platform or by email, designated Pregistry staff may speak with you both over the phone or video call using the software Aircall. Due to operational reasons, the phone and video calls are recorded and stored by Pregistry, unless you expressly refuse the recording at the beginning of the call.

Aircall will save the call while fully encrypted also in the European Union.

You should take care not to share any Personal Data that either does not pertain to you or to your child or that are irrelevant to the study when speaking to Pregistry staff over the phone or video call.

Data Minimization

Pregistry takes every reasonable step to ensure that Personal Data under its direct processing activities (as the Controller) is limited to the amount and type that is necessary to the successful execution of the studies.

Personal Data Security, Privacy, and Confidentiality Assurance

Pregistry’s IT landscape is configured and monitored under guidance provided by the strictest security market standards (e.g., ISO 27000 family, Soc2, ITIL, Privacy by Design) and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under applicable Personal Data Protection Legislation for the protection of Personal Data/ personal Information/ Health Information. This is intended to assure confidentiality and privacy under Personal Data processing activities performed by Pregistry itself and its partners within the scope of Pregistryprovided services.

Personal Data Retention

Data retention is a major potential risk generator since, during the period the data are available, they may be accessed by a third party, constituting a Personal Data breach.

Pregistry fixes the data retention period according the duration of each study. Pregistry does not hold to Personal Data for longer than necessary. Additionally, Pregistry ensures that the risk of information being deleted prior to the end of its lifecycle is minimized.

Study participant Personal Data is erased within a maximum of one month (30 days) after leaving/completing the study or one month (30 days) after having asked for their Personal Data to be erased, however, the best effort would be made to erase the Personal Data within 48 hours of the completion of the study or the request, as the case may be.

Data subjects Rights

Under applicable Personal Data Protection Legislation, the data subject has the following set of established rights:

[HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your consent to become a study participant.

[GDPR] Right of access. The right to obtain from the controller confirmation as to whether their Personal Data are being processed, and, if so, to access such Personal Data as well as related information. Pregistry will share the Personal Data over a secure channel, and that (depending on the type of data as well as volume) may necessitate a “password” via an alternative communication channel to the data subject to ensure authorized secure access. Participants may exercise this right by reviewing information on the Pregistry website user account area or by submitting a request asherein defined ahead in this document which is the application process for those data subjects who are not a Pregistry Participant; these requests will be handled by the Data Protection Officer.

[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California residents have the right to:

● Know the categories of personal information we collect and the categories of sources from which we got the information;

● Know the business or commercial purposes for which we collect and share personal information;

● Know the categories of third parties and other entities with whom we share personal information; and

● Access the specific pieces of personal information we have collected about you.

[HIPAA] The right to access and request a copy of medical records. Please refer to the Right of Access under the GDPR.

[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that data subject. Participants may directly amend existing information on the Pregistry website user account area or by submitting a request as here defined ahead in this document, which is the application process for those data subjects who are not Pregistry participants; these requests will be handled by the Data Protection Officer.

[HIPAA] The right to request an amendment to medical records. Please refer to the Right to Rectification (above) under the GDPR.

[GDPR] Right to erasure. The right to have Personal Data pertaining to a data subject that is processed by Pregistry erased and, therefore, to have processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents Pregistry from observing such right, in which case the data subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to deletion – again similar to the GDPR regime, natural persons who reside in the state of California may, in some circumstances, ask us to delete their Personal Data/ information. We may refuse the exercise of such right if it prevents us from exercising legal defense, if we cannot do so because of a legal obligation or there is the risk that by doing so, we cannot fulfill any current contractual obligations.

[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and impose processing restrictions (in scope and purpose) for Personal Data that pertains to a data subject. When exercising this right, the data subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the data subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy as arising under the legal basis of Legitimate Interest on the part of Pregistry. The exercise of this right may also occur where the data subject wishes to opt-out from an existing service (and not necessarily to cancel the service). When exercising this right, the data subject must be specific about which processing activities are being requested to cease and the Controller shall provide feedback to the data subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to opt out of sales – We do not sell your data.

[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that data subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. Pregistry will share the Personal Data over a secure channel, and that (depending on the type of data as well as volume) may necessitate a “password” via an alternative communication channel to the data subject to ensure authorized secure access. Study participants may directly amend existing information on Pregistry’s website user account area or by submitting a request as here defined above which is the application process for those data subjects who are not Pregistry Study Participants.

[GDPR] Right to be informed about a Personal Data Breach. The data subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of the occurrence of such disclosure or knowledge by Pregistry of potential disclosure, as the case may be.

[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Pregistry’s processing activities in relation to Personal Data with any of the EU Member States’ data protection Supervisory Authorities. Pregistry is however also available to provide any clarification towards those data subjects who may feel that its processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. A data subject may submit a complaint via the request process as here defined above.

[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against.. For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide including information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may mean that it takes additional time to fulfil your request.

Any data subject may exercise his/ her rights under GDPR by reaching out to Pregistry’sDPO through the e-mail address dpo@pregistry.com or, while logged in to the platform via the “Exercise of Rights” form.

If you have any questions, complaints or wish to exercise your rights under GDPR, please do make clear on your message:

● Purpose: question; complaint; conformation that this is an exercise of yourdata subject’s rights under GDPR

● What triggered your need to contact us?

● When did the event which triggered the need to contact us take place?

● If you are a a study participant, a mobile phone number or alternative personal e-mail address so we may proceed with a two-factor authentication process.

Why the need to provide alternative personal contact?

Under applicable Personal Data Protection legislation only the data subject may exercise his/ her rights, hence organizations must ensure and document that the data subject or his/ her legal representatives are the ones interacting with the company about his/ her Personal Data.

Glossary

“Data Protection Officer” (DPO) means the natural person within a company who bears the responsibility of ensuring corporate compliance towards GDPR (as defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure to inform them about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with GDPR rules, guidelines and requirements.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates. Both parties understand that the data subject is the sole owner of Personal Data which pertains to them.

“Data subjects’ Rights” means the rights belonging to the data subjects under applicable Personal Data Protection legislation. Please check the section above entitled “How to exercise data subjects’ rights”

“IT Landscape” means the set of IT assets and services of, and at the disposal of, each party that enables their Personal Data processing operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), data center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.

“Legal Basis” means the listed lawful grounds on which a company has to base its Personal Data processing activities under GDPR, namely (but not limited to) having documented: the data subject’s explicit consent towards Personal Data processing activities; the company’s legitimate interest in proceeding with “Personal Data processing activities; accompanying legal obligations that the company must observe and which allows it to proceed with Personal Data processing activities within the framework of the requirements and inherent other obligations; other as per defined under GDPR.

“Partner” means any 3rd party entity towards which each party may operate in order to ensure Personal Data processing activities under a legal basis (as established by GDPR) and within the scope of agreed services.

Personal Data means any data that either on their own, or when cross-referenced with other data, allows the identification of a specific natural person.

“Personal Health Information” has (under the scope of this Privacy Policy) the same meaning as Personal Data (notwithstanding the fact that it still maintains the definition under HIPAA).

“Personal Data processing activities” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

“Personal Data Breach” means any event or incident (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Processormeans the entity which proceeds with authorized Personal Data processing activities on behalf of the Controller.

“Scientific Method” means a set of principles and empirical processes of discovery and demonstration considered characteristic of or necessary for scientific investigation, generally involving the observation of phenomena, the formulation of a hypothesis concerning the phenomena, experimentation to test the hypothesis, and development of a conclusion that confirms, rejects, or modifies the hypothesis.

“Service Catalog” means the set of services provideded by Pregistry that requires Personal Data processing activities.

“Study” means an organized program followingthe scientific method to research the impact of COVID-19 vaccines and therapeutics indicated for COVID-19, or to carry out other research as may be specified from time to time as herein described in detail above.

“Study Participant” or Participant means a natural person who either being pregnant or having recently given birth decides to join (by enrolling) in one of Pregistry’s studies.

“Sub-processor” means any Processor engaged by any of the parties which performs complementary Personal Data processing activities within the scope of the Services.

Contact Us

If you have any questions or complaints about this Policy, please contact us at dpo@pregistry.com.