GLOBAL DATA PROTECTION PRIVACY POLICY
Effective March 15, 2023, Revised November 4, 2025
SECTION I – PURPOSE AND SCOPE
1.1 This Policy is intended to align with the European Union General Data Protection Regulation (EU GDPR) and the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). The EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF are collectively referred to as the “DPF”. To comply with the GDPR, we are required to provide a legal basis for processing your personal data.
1.2 This Policy sets out the rules relating to the protection of individuals (customers, clinical trial participants, and patients), as well as employees, consultants, contractors and vendors within the US, UK, EU, and Switzerland, with regard to the processing of their Personal Data (HR and Non-HR Data) by HepQuant, LLC (“HepQuant”) or on its behalf (hereinafter the “Policy”).
1.3 The implementation of any processing of Personal Data by HepQuant is subject to compliance with this Policy and any other relevant rules or applicable standard operating procedures (“SOPs”) of HepQuant adopted for its implementation. This Policy protects all Personal Data relating to individuals, whether collected by HepQuant or disclosed to HepQuant by a third party.
SECTION II – DEFINITIONS
For the purposes of this Policy, the following terms are defined as follows:
2.1 “Personal Data” means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number (e.g., social security number), location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity (e.g., last name and first name, date of birth, biometrics, DNA, etc.) of that individual. Company registration numbers, generic email addresses (such as info@company.com), and anonymized data are not considered Personal Data.
2.2 “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data).
2.3 “Data Controller” means any Employee or legal entity who has the authority to determine, alone or jointly with others, the purposes, conditions, and means of the processing of Personal Data on behalf of HepQuant.
2.4 “Data Processor” means any Employee or other individual, legal entity, public authority or similar body, including a third party, authorized to process Personal Data on behalf and under the direct authority of the Data Controller.
2.5 “Employee(s)” means any employee of HepQuant.
2.6 “Recipient” means the individual, legal entity, public authority or similar body to which Personal Data are disclosed.
2.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2.8 “Sensitive Data” means any data that is protected against unwarranted disclosure including genetic data, biometric data, data revealing racial or ethnic origin, data concerning health, sex life or sexual orientation, political opinions, trade-union membership, and religious or philosophical beliefs.
2.9 “Consent” means the freely given, specific, informed, and unambiguous permission expressed by an individual by which such individual agrees to the processing of his/her Personal Data. This consent is given either by a written statement or by a clear affirmative action.
2.10 “Data Protection Officer” means the Employee(s) or department designated, from time to time, by HepQuant to perform the duties listed in this Policy or assigned to such parties by decision of the officers of HepQuant.
2.11 “Data Privacy Framework” means the program developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for Personal Data transfers to the United States from the European Union (“EU”)/European Economic Area, the United Kingdom (“UK”) (and Gibraltar), and Switzerland that are consistent with EU, UK, Swiss law, and such other countries that conform to the framework. In the event privacy laws in other countries do not comply or are less strict, HepQuant will uphold these privacy policies.
2.12 “HR Data” refers to personal information about employees, past or present, collected in the context of the employment relationship. This includes data such as names, addresses, email addresses, telephone numbers, social security numbers, tax ID numbers, job titles, employment history, performance evaluations, disciplinary actions, training records, salary details, bank account numbers, tax information, benefits enrollment, medical records, health insurance details, information related to workplace injuries or illnesses, and sensitive personal information revealing race, ethnicity, religion, sexual orientation, and biometric information.
2.13 “Non-HR Data” refers to personal information collected outside the context of the employment relationship. This includes customer information such as names, addresses, telephone numbers, purchase history, and payment information; business partner data including contract details and communication records with vendors, suppliers, and collaborators; marketing data collected through marketing campaigns, surveys, and website analytics including IP addresses and online identifiers; research data collected for research purposes including patient specimens, clinical trial information, and de-identified health data; and sensitive personal information revealing race, ethnicity, religion, sexual orientation, and biometric information.
SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF PERSONAL DATA (NOTICE)
A. Types of Personal Data.
HepQuant collects both HR and Non-HR Data. HR Data includes employee information such as names, addresses, email addresses, telephone numbers, social security numbers, tax ID numbers, and other government-issued identifiers. It also includes employment records like job titles, employment history, performance evaluations, disciplinary actions, and training records; payroll information such as salary details, bank account numbers, tax information, and benefits enrollment; health information including medical records, health insurance details, and information related to workplace injuries or illnesses; and sensitive personal information (SPI) such as data revealing race, ethnicity, religion, sexual orientation, and biometric information.
Non-HR Data collected by HepQuant includes customer information such as names, addresses, telephone numbers, purchase history, and payment information; business partner data including contract details and communication records with vendors, suppliers, and collaborators; marketing data collected through marketing campaigns, surveys, and website analytics including IP addresses and online identifiers; research data collected for research purposes including patient specimens, clinical trial information, and de-identified health data; and sensitive personal information (SPI) such as data revealing race, ethnicity, religion, sexual orientation, and biometric information.
B. Purpose of Collection.
HepQuant shall have the right to process Personal Data provided to HepQuant by the Employee (HR Data) or some other party to enable HepQuant to fulfill its legal and contractual obligations in its capacity as an employer or to take steps at the request of the Employee prior to entering a labor contract. These purposes include but are not limited to Human Resource Management activities carried out as part of the recruitment or the performance of an employment contract and include onboarding, termination of employment, scheduling and recording time, performance, compensation & benefits and training. As it relates to a prospective employment relationship, if a prospect is rejected, his or her data shall be deleted in accordance with HepQuant’s Record Retention Policy, unless specified within the application process.
As it relates to our customers, patients and clinical trial participants (Non-HR Data), and in addition to the above-mentioned purposes, the following purposes may also apply:
To provide and manage our services/treatment; provide test result summaries and/or clinical trial results;
To process orders and transactions;
To personalize your experience and provide relevant content/information;
To communicate with you regarding your results, account and service updates;
To improve our website and services; or
To comply with legal obligations and regulations.
C. Types of Third Parties.
Where HepQuant is not the data controller or cannot facilitate the processing of data due to the purpose of its collection, third parties may be identified. The type of third party used in data processing will be assessed to the standards of this Privacy Policy and chosen based on the applicability to process based on the purposes stated in section B.
D. Processing of Personal Data.
3.1. HepQuant shall ensure that Personal Data disclosed to HepQuant are collected and processed according to the principles expressed in this Policy.
3.2. HepQuant is committed to subjecting all Personal Data received from the EU and, as applicable, the UK (including Gibraltar), and Switzerland, to the DPF principles, in reliance on the relevant parts of the DPF program.
3.3. Personal Data shall be processed and used lawfully, fairly, and in a transparent manner (lawfulness, fairness, and transparency).
3.4. Personal Data shall be collected for specified, explicit, and legitimate purposes consistent with HepQuant’s official activities (purpose limitation).
3.5. The Processing of Personal Data shall always be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected and/or further processed (data minimization).
3.6. Personal Data stored by HepQuant should be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data which is inaccurate, regarding the purposes for which it is processed, are erased or rectified without delay (accuracy).
3.7. Personal Data shall be kept or stored for no longer than is reasonably necessary for the purposes for which they are processed or in use, or pursuant to HepQuant’s applicable SOPs (storage limitation).
3.8. Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality).
E. Transfer of Personal Data.
3.9. Personal Data may be transferred within HepQuant on the following conditions:
(i) the Personal Data are necessary for compliance with requirements of the Recipient, or the performance of tasks covered by the activities of the Recipient;
(ii) only the Personal Data necessary for such compliance or performance shall be transferred; and
(iii) the Recipient may process the Personal Data only for the purposes for which they are transferred.
3.10. HepQuant may transfer Personal Data to its partners, affiliated organizations, and other third parties with which HepQuant enters into an agreement, in the following cases where:
(i) HepQuant’s partners, affiliated organizations, or other third parties observe this Policy and any other relevant rules which HepQuant may adopt for its implementation; or
(ii) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by HepQuant’s partners, affiliated organizations or other third parties, to ensure a continuing level of security and protection consistent with this Policy and any other relevant rules which HepQuant may adopt for its implementation; or
(iii) the concerned individual has explicitly consented to the proposed transfer; or
(iv) the transfer is necessary for the establishment, exercise, or defense of legal claims; or
(v) the transfer is necessary to protect the vital interests of the concerned individual; or
(vi) to allow HepQuant to achieve its legitimate goals and carry out its official activities.
3.11. Data Processors shall comply with the level of security and protection of the Personal Data set forth by this Policy to ensure the protection of the rights of individuals.
3.12. HepQuant will comply with the requirements to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
SECTION IV – RIGHTS OF INDIVIDUALS (CHOICE & ACCESS)
A. Information to be Given to the Individuals.
4.1 Upon request by the concerned individual, HepQuant shall provide the individual with the following information on the Processing of Personal Data relating to such individual:
(i) the identity and the contact details of the Data Controller;
(ii) the contact details of the Data Protection Officer;
(iii) the purpose of the Processing for which the Personal Data are intended;
(iv) the categories of Personal Data concerned;
(v) the Recipients or category of Recipients of the Personal Data;
(vi) where possible, the contemplated period for which the Personal Data will be stored, or, if not possible, the reason why no such period is fixed;
(vii) where applicable, the fact that HepQuant intends to transfer Personal Data to a partner of HepQuant, an affiliated organization or a third party and the reasons for such transfer; and
(viii) the existence of the right to request access, rectification, or erasure of Personal Data and to submit claims.
4.2 The section above shall not apply where providing such information proves impossible, would involve a disproportionate effort, or is unduly burdensome on HepQuant. In such instances, HepQuant shall take appropriate measures to protect the concerned individuals’ rights and legitimate interests to the extent reasonably possible.
B. Right to Access, Corrections, and Deletion
4.3 Every individual shall have the right to obtain from the Data Controller at any time, on request, confirmation as to whether or not Personal Data relating to such individual are being processed, to the extent identifiable. Every individual shall have the right to access, correct, amend, or delete any personal information we have on file about you.
C. Right to Rectification and Erasure.
4.4 HepQuant offers Individuals the opportunity, where appropriate, to choose (“opt-out”) whether their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Individual. HepQuant will not process SPI about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual explicitly consents to the processing (“opt-in”), or as required or permitted, or where not prohibited by law or regulation.
4.5 In some cases, even if an Individual opts out of disclosures of their Personal Information, HepQuant may still disclose such Personal Information (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce HepQuant policies or contracts; (v) to collect amounts owed to HepQuant; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) in the good faith belief that disclosure is otherwise necessary or advisable. HepQuant also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, HepQuant will endeavor to direct the transferee to use the Personal Information in a manner that is consistent with this Policy. HepQuant will provide Individuals with reasonable mechanisms to exercise their choices to the extent required by applicable law.
D. Right to Object.
4.6 Every individual shall have at any time the right to submit a request objecting, on grounds relating to his or her particular situation, to the Processing of Personal Data concerning such individual. The Data Controller shall no longer process the Personal Data unless the Data Controller demonstrates that such Processing is necessary for the performance of the task while conducting HepQuant’s official activities or in the framework of its missions or services.
SECTION V – ACCOUNTABILITY, ONWARD TRANSFER, SECURITY, DATA INTEGRITY AND LIMITATIONS
Duties and Responsibilities of the Data Protection Officer.
5.1 The Data Protection Officer shall monitor the application of this Policy.
5.2 HepQuant will remain liable in cases of onward transfers to third parties.
5.3 HepQuant will be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Cooperation of Data Controllers with the Data Protection Officer.
5.4 Data Controller(s) shall cooperate with the Data Protection Officer by assisting the Data Protection Officer and making available any information necessary for the Data Protection Officer to carry out tasks. Data Controller(s) shall involve the Data Protection Officer in the process of designing new information systems to ensure that measures of data protection are built into those systems from the beginning.
Onward Transfer
5.5 In most situations, transfers to third parties are covered by the provisions in this policy regarding notice and choice. HepQuant does not sell or otherwise disclose individuals’ personal information, except as described in our privacy policies, in a notice provided to individuals at the time of collection, or as individuals explicitly consent. HepQuant may share individuals’ personal information with our service providers, consultants, and affiliates for our and our affiliates’ internal business purposes or to provide individuals with a requested service.
HepQuant will endeavor to only transfer personal information to a third party/agent where such third party/agent has given assurances that it provides at least the same level of privacy protection as required by the DPF Principles and this policy and will notify HepQuant if it makes a determination that it can no longer meet this obligation. HepQuant may, for example, provide an individual’s personal information to agents to host our databases, for data processing services, or to send to that individual the information that he or she requested. Where HepQuant has knowledge that an agent is using or disclosing personal information in a manner contrary to the DPF Principles and/or this policy, HepQuant will take reasonable steps to prevent or stop the use or disclosure. With respect to onward transfers to agents, the DPF requires that, to the extent it is responsible for the event, HepQuant shall remain liable should its agents process personal information in a manner inconsistent with the DPF Principles, and HepQuant accepts and shall follow this principle.
Where HepQuant knows that any third party to whom it has provided personal information is using or disclosing personal information in a manner contrary to this policy and/or the DPF Principles, HepQuant will take reasonable steps to prevent or stop the use or disclosure. With respect to such onward transfers to agents, and to the extent HepQuant is responsible for the event, HepQuant shall remain liable should its agents process personal information in a manner inconsistent with the DPF Principles and this policy.
In circumstances in which HepQuant obtains personal data as a service provider for its clients or affiliates, HepQuant’s clients or affiliates are responsible for protecting individual rights with respect to onward transfers. HepQuant has potential liability in cases of onward transfer to third parties of data of EU individuals received pursuant to the DPF Principles.
Security
5.6 HepQuant will take reasonable and appropriate technical, administrative, and physical measures to protect personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These precautions are designed to account for the risks involved in processing and the nature of the personal information, whether it is in electronic or physical form.
Integrity and Limitations
5.7 HepQuant uses personal information only in ways that align with the purposes for which it was originally collected or subsequently authorized by the individual. HepQuant takes reasonable steps to ensure that the personal information we use is reliable for its intended purpose, accurate, complete, and current for as long as we retain it. Our personnel are responsible for helping maintain accurate, complete, and current personal information.
5.8 Personal data is limited to what is necessary for the purposes of processing. We do not process personal information in ways that are incompatible with the purposes for which it was collected or subsequently authorized. HepQuant ensures that data is relevant and reliable for its intended use, and we take reasonable measures to maintain its accuracy and completeness.
5.9 HepQuant processes personal information that is relevant to the services we provide and only for purposes compatible with those for which the information was collected. In these situations, we work with our customers to ensure they can provide individuals with a way to correct or update their personal information.
SECTION VI – SETTLEMENT OF CLAIMS (RECOURSE, ENFORCEMENT AND LIABILITY)
6.1 Any individual may complain in writing to the Data Protection Officer (ClientServices@HepQuant.com) about any matter relating to such individual’s Personal Data, including any Personal Data Breach.
6.2 The Data Protection Officer shall notify officers of HepQuant or designated department of HepQuant regarding any such complaint received.
6.3 The Data Protection Officer must acknowledge receipt in writing and decide, with input and approval of those identified in Section 6.2, on the complaint within sixty (60) days of receipt. The Data Protection Officer may extend the time limit by thirty (30) days if the complaint requires further assessment. In such case, the Data Protection Officer shall give notice to the complainant.
SECTION VII – DATA PRIVACY FRAMEWORK & COMPLAINT RESOLUTION MECHANISM
7.1. HepQuant complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. HepQuant has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. HepQuant has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
7.2. The Federal Trade Commission has jurisdiction over HepQuant’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
7.3. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, HepQuant commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact HepQuant at: clientservices@hepquant.com.
7.4. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, HepQuant commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resource personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
7.5. HepQuant further commits to resolve complaints by providing an independent dispute resolution mechanism. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, HepQuant commits to refer unresolved complaints concerning our handling of Non-HR Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. JAMS’ independent recourse mechanism applies only to Non-HR Data disputes. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit: https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
7.6. If any request remains unresolved, Individuals may, under certain circumstances, have a right to invoke binding arbitration under the DPF. For additional information, see https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
SECTION VIII – REVIEW AND AMENDMENT
8.1 HepQuant may at any time adopt specific rules and/or guidelines on any matter related to this Policy.
8.2 This Policy may be amended at any time upon the decision of the Managers or Officers of HepQuant.