1. PURPOSE
The purpose of this notice is to define how information is used to operate and enhance our website, deliver the services and features requested by users, and maintain the security and integrity of our systems. This includes facilitating communication, providing relevant content, improving site performance through analytics, and fulfilling any legal or regulatory requirements. All information is used solely for these specified purposes and is not processed in any manner that is inconsistent with the original intent of its collection.
2. SCOPE
This policy is applicable to all individuals who access, browse, or use the website and its services. If you interact with Atorus or if we collect Personal Data about you, this Notice explains what it means for you.
3. REFERENCES
Not Applicable
4. DEFINITIONS
| Terminology | Definition |
|---|---|
| Atorus | Atorus Research Inc., its subsidiaries, directors, employees, and authorized representatives. |
| User/You | Means any individual or legal entity accessing, browsing, or using the Website. |
| Data Subject | An identified or identifiable living individual natural person. |
| Personal Data | Any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. |
| Processing | Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Applicable Data Protection Laws | means all laws, regulations, directives, and guidance relating to the protection of Personal Data applicable to the Processing activities described in this Privacy Notice, including those expressly mentioned. |
| Anonymized Data | means data that has been irreversibly de-identified such that it cannot reasonably be used to identify an individual. |
| Aggregated Data | means data combined from multiple sources or individuals that does not identify, and is not reasonably capable of identifying, any individual. |
| Services | mean the research, consulting, analytical, operational, and related services provided by Atorus Research, including access to its websites, platforms, tools, communications, and professional offerings. |
| Website | means any website, digital platform, or online property owned, operated, or controlled by Atorus Research, including https://www.atorusresearch.com and any related or successor domains. |
| Third Party | means any individual or entity other than the User, Atorus Research, or persons authorised to process Personal Data under the direct authority of Atorus Research. |
| Service Providers | means Third Parties engaged by Atorus Research to perform services on its behalf, including hosting providers, IT Service Providers, analytics providers, and professional advisors, who process Personal Data subject to contractual confidentiality and data protection obligations. |
| Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. |
| Processor | means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. |
| Customer | The relevant entity that has entered into an Agreement with Atorus to receive the Services, and if applicable, any of its Authorized Affiliates that have signed the Agreement or any Sales Orders related thereto, whether referred to in that Agreement as a Customer, Business Partner and/or Partner. |
5. BACKGROUND
The website provides online access to information, services, and digital content to users. To ensure responsible use of the platform and to establish clear rules governing user interactions, it is necessary to define the terms and conditions for accessing and using the website. This policy outlines the expectations, responsibilities, and limitations applicable to users in order to maintain transparency, protect organizational interests, and ensure compliance with applicable laws and regulations.
The Atorus Website provides general, high-level information about the types of professional services that Atorus may offer under separately executed written agreements. No professional, clinical, analytics, data management, managed, or regulated services are provided directly through the Website. Our services include, but are not limited to:
Data Management Services:
- Infrastructure support
- Operational support
- Functional Service Provider (FSP) implementation & management
End-to-End System Implementation & Support for Life Sciences:
- Implementation Services
- Business Consulting
- Managed Services
- Technology Solutions
All services shall be defined in a separate agreement – Statement of Work or Engagement Letter signed in writing by both parties. Nothing in our engagement creates a partnership, joint venture, or employment relationship; we act at all times as an independent contractor.
6. POLICY STATEMENT
6.1. Applicable Laws and Regulatory Compliance
6.1.1. This Privacy Notice has been prepared in accordance with applicable data protection and privacy laws governing the Processing of Personal Data in the jurisdictions in which Atorus Research Inc. operates, conducts research activities, or provides services. The collection, use, storage, disclosure, and other Processing of Personal Data are undertaken in compliance with applicable legal and regulatory requirements, including, as relevant:
- The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and implementing laws of EU Member States;
- The United Kingdom General Data Protection Regulation and the Data Protection Act 2018;
- The Digital Personal Data Protection Act, 2023 (India), where applicable;
- The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”);
- Applicable U.S. federal and state privacy, data protection, and information security laws and regulations; and
- Other applicable laws, regulations, guidance, and industry standards relating to data protection, privacy, and information security.
6.1.2. Where Personal Data is processed in the context of clinical research, health research, or life sciences activities, such Processing is undertaken in accordance with applicable ethical standards, regulatory requirements, and data protection safeguards, including requirements relating to confidentiality, data minimisation, and security. Where local laws impose additional or more stringent obligations, those obligations shall apply to the extent relevant.
6.1.3. This Privacy Notice is intended to be read alongside applicable data protection laws and does not limit any statutory rights available to individuals under such laws.
6.2. Basic Principles Regarding Data Processing
6.2.1. Atorus processes Personal Data in accordance with all applicable data protection/privacy principles, including but not limited to the GDPR principles which serve as the baseline on which our standards are set.
6.2.2. The GDPR principles are set forth below:
6.2.2.1. Lawfulness, Fairness and Transparency: Atorus processes Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject.
6.2.2.2. Purpose Limitation: Atorus collects Personal Data solely for specified, explicit and legitimate purposes.
6.2.2.3. Data Minimization: Atorus collects Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed and adheres to the principle of data minimization. With the increasing number of countries restricting or disallowing the use of clinical trial subjects’ initials as an identifier, Atorus will no longer collect clinical trial subjects’ initials, except where an Atorus client requires such and the client is compliant with the applicable national and regional laws.
6.2.2.4. Accuracy: Atorus keeps Personal Data accurate and, where necessary, up to date and takes reasonable steps to ensure that inaccurate Personal Data, taking into account the purposes for which the inaccurate Personal Data was processed, are erased or rectified in a timely manner.
6.2.2.5. Storage Period Limitation: Atorus keeps Personal Data for no longer than is necessary for the purposes for which the Personal Data are processed.
6.2.2.6. Integrity and Confidentiality: Atorus uses appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure. Building Data Protection in Business Activities – In order to demonstrate compliance with the prevailing data privacy principles, Atorus has built data protection into its business activities.
6.3. Personal Data We Collect
| Group | Types of Data | Sources | Purposes | Atorus Role | Legal Basis |
|---|---|---|---|---|---|
| Visitors / Website Users | Identity and contact, technical data (IP, browser, device, URLs, activity, cookies), Anonymised Data | Directly from you, your devices, security systems and Third Parties | | Data Controller | Legitimate interests, consent, required/allowed by law |
6.4. The information we collect and how we use it depends on how you interact with us and how you choose to manage your data rights and privacy settings.
6.5. When expressing an interest in obtaining additional information about our products or accessing secure areas of our Websites, we require you to provide personal information including, but not limited to: name, company name, email address, mailing address, phone number, support login id and password.
6.6. When you purchase our products, we will ask you to provide billing information. When you register for or attend corporate events, Atorus will ask you to provide basic contact information, billing information, and information on your participation in the events on our websites.
6.7. As you navigate the Company’s Web sites, Atorus may also collect information through the use of commonly used information gathering tools such as web beacons and cookies. Information collected includes standard information from your web browser such as your Internet Protocol (IP) address, browser type, operating system, referring/exit pages, links clicked, and actions taken while browsing.
6.8. When you register for an event, webinar, or in-person session organised by us, we may collect Personal Data such as your name, email address, organisation, job title, professional interests, and other information required for registration, attendance, and post-event engagement.
6.9. We may also record online sessions (with prior notice) for internal use, post-event summaries, or for making event content available to other attendees or registrants.
6.10. We may collect Personal Data in three ways: (i) directly from you, (ii) automatically through your interaction with our Services, and (iii) from authorized Third Parties.
6.11. Data You Provide
6.11.1. How you interact with us and the different Services that we offer determine what personal information we collect about you.
- Personal identifiers, e.g., name, username, e-mail address, phone number, signatures, etc.
- Contact information, e.g., e-mail address, phone number, etc.
- Demographic information, e.g., location, language
- Authentication data, e.g., usernames and passwords
- Professional information, e.g., publications, employer, location, licensure, credentials, work history, education history, specialties, expertise, availability, etc.
- Financial information, e.g., payment information and related bank details, etc.
- Commercial information, e.g., purchase history, subscription information, transaction details, information about sanctions and restrictions, etc.
6.11.2. Resumes – You have the option of submitting your resume to Atorus. When you send your resume to us, your resume is entered into the database and will be assigned to an Atorus recruiter who may contact you as relevant employment opportunities arise.
6.11.2.1. A recruiter will always speak to you about an opportunity before submitting your resume and will not submit a resume to a client without your prior consent.
6.11.2.2. We may receive information about you from other sources, including publicly available databases or Third Parties from whom we have purchased data, and combine this data with information we already have about you. This helps us to update, expand and analyze our records.
6.11.2.3. If others give us your information, we will only use that information for the specific reason for which it was provided to us.
Examples of the types of personal information that may be obtained from public sources or purchased from Third Parties and combined with information we already have about you, may include: Name, address, email address, phone number, applicable work, and education history.
6.11.3. Customer Data – Our Customers may electronically submit data or information for hosting and Processing purposes (“Customer Data”). Atorus will not review, share, distribute, or reference any such Customer Data except as provided in your contract or mentioned in the Terms of Service, or as may be required by law. In accordance with your contract, Atorus may access Customer Data only for the purpose of providing the Services, preventing or addressing Service or technical problems, at a customer’s request in connection with Customer support matters, or as may be required by law. Atorus may transfer personal information to companies that help us provide our Service. Transfers to subsequent Third Parties are covered by the provisions in this policy regarding notice and choice and the Service agreements with our customers.
6.12. Data We Collect Automatically
6.12.1. When you interact with our websites, digital platforms, emails, or Services, we may automatically collect certain technical and usage-related information. This helps us secure our systems, improve your user experience, and analyze how our platforms are being used. This may include:
- IP Address: Your Internet Protocol address, which may also reveal approximate geographic location like city or country.
- Usage Data: Details such as the pages you visit, time spent on each page, clicks, scrolls, and navigation paths.
- Access Timestamps: When you log in, log out, or visit a particular feature or tool on our platform.
- Location Data (if enabled): If you have granted permission, we may collect precise or approximate geolocation data through your device or browser.
- Cookies and Tracking Technologies: We use first-Party and Third-Party cookies, web beacons, and tracking pixels.
6.13. Data We Receive from Third Parties
6.13.1. We may receive Personal Data about you from trusted Third Parties especially when it is necessary to deliver a Service, process an application, or comply with a legal obligation. This may include:
- Analytics Providers: We receive data from analytics Services (e.g., Google Analytics, HubSpot) about how Users interact with our website, email campaigns, or online content.
- Marketing Platforms: If you engage with our content on platforms such as LinkedIn, Facebook, or Twitter, those platforms may share insights or campaign metrics with us. We may also receive lead forms or contact details if you sign up through a social ad.
- Employment and Background Verification Vendors: During recruitment or onboarding, we may receive reference checks, criminal record verification, or educational background reports from Third-Party agencies.
- Publicly Available Sources: We may collect information that you have made public such as on your professional website, research portals, alumni databases, or public directories.
- Regulatory Authorities or Government Agencies: When required, we may receive tax, visa, or compliance-related data from government agencies, embassies, or regulators.
- Research and Development Datasets: Occasionally, we may acquire datasets that include audio, video, or other personal identifiers, for the purpose of improving our Services or conducting anonymized research. Where applicable, we do so in strict accordance with the laws of the jurisdiction and we do not attempt to reidentify individuals who may appear therein.
6.13.2. We only receive and process Third-Party data if the source has a valid legal basis for sharing it. We also enter into data sharing or Processing agreements with Third Parties to ensure your data is handled securely.
6.14. PURPOSE OF PROCESSING PERSONAL DATA
6.14.1. We process your Personal Data to deliver, manage, and enhance our Services in a manner that respects your privacy and complies with the applicable privacy laws. The purposes for which we process your Personal Data are based on the type of interaction you have with us, the Services you use, and the permissions you provide. These purposes include:
6.14.1.1. Service Delivery and Account Management: To provide access to our products and Services, create and maintain user accounts, authenticate Users, and manage Service subscriptions.
6.14.1.2. Customer Support and Communication: To respond to your inquiries, feedback, and support requests, and to provide notifications about updates, account activity, or Service availability.
6.14.1.3. Product Improvement and Personalization: To understand how our Services are used, measure engagement, and tailor content, recommendations, and user experiences based on preferences and usage data.
6.14.1.4. Billing and Payment Processing: To facilitate transactions, process payments, manage billing accounts, and send invoices or payment confirmations.
6.14.1.5. Marketing and Promotional Communication: To send you information about new features, products, Services, events, and offers, provided you have given your consent or where permitted under applicable law. You may opt out of marketing communications at any time by unsubscribing from our emails; however, you cannot opt out of receiving transactional emails related to your use of our products and Services.
6.14.1.6. Analytics and Performance Monitoring: To analyse usage trends, assess the performance of our Services, conduct surveys, and perform data-driven research to improve Service delivery and innovation.
6.14.1.7. Security and Fraud Prevention: To monitor, detect, investigate, and prevent security incidents, fraudulent activities, and violations of our terms or policies.
6.14.1.8. Legal and Regulatory Compliance: To comply with our legal obligations, respond to lawful requests from public authorities, enforce our terms of Service, and protect our legal rights and interests.
6.14.1.9. Research and Development: To develop and test new features and Services, including the use of datasets for algorithmic training or AI development, provided such data usage complies with applicable laws and anonymization protocols.
6.14.2. If we intend to use your Personal Data for any new or materially different purpose not stated in this Privacy Notice, we will inform you in advance and, where required by law, obtain your explicit consent before proceeding.
6.15. LEGAL BASIS FOR PROCESSING
6.15.1. We process your Personal Data in accordance with the legal grounds permitted under applicable data protection laws, including the General Data Protection Regulation (GDPR and UK GDPR), the Digital Personal Data Protection Act, 2023 (India), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA).
6.15.2. The legal basis we rely on will depend on the nature of the Personal Data, the context in which it is collected, and the jurisdiction in which we operate. The key legal grounds on which we rely are outlined below:
6.15.2.1. Consent: We may rely on your consent as the lawful basis for Processing Personal Data in specific situations where we request your explicit permission to collect and use your information. This applies, for example, when you subscribe to receive newsletters or promotional content, participate in voluntary surveys or feedback activities, engage in beta-testing programs, or when we use non-essential cookies or similar technologies for analytics and targeted advertising purposes. In these situations, we ensure that consent is freely given, specific to a clear and defined purpose, informed through accessible and transparent disclosures, and provided through an unambiguous affirmative action, such as checking a box or selecting a preference. You have the right to withdraw your consent at any time without affecting the lawfulness of Processing based on consent before its withdrawal. Where applicable, we provide you with simple mechanisms to manage or withdraw your consent, either through your user account settings or by contacting us at [email protected].
6.15.2.2. Performance of a Contract: We process your Personal Data where it is necessary to perform a contract to which you are a Party, or to take steps at your request before entering into such a contract. This includes situations where we provide Services to you as a client, partner institution, vendor, student participant, or employee. For instance, Processing may be required to deliver advisory Services, coordinate student placements, facilitate payroll or benefits, or manage contractual obligations with Third-Party Service providers or universities.
6.15.2.3. Legal Obligation: We may process Personal Data when it is required to comply with a legal or regulatory obligation to which we are subject. This includes compliance with tax and employment laws, immigration regulations, anti-money laundering frameworks, corporate governance rules, data retention requirements, and reporting obligations to competent supervisory or judicial authorities. We may also be required to process Personal Data in response to lawful requests from government bodies or law enforcement agencies.
6.15.2.4. Legitimate Interests: In certain cases, we process Personal Data because it is necessary for our legitimate interests or those of a Third Party, provided those interests are not overridden by your fundamental rights and freedoms. Legitimate interests may include delivering and enhancing our Services, securing our systems and infrastructure, preventing fraud and misuse, conducting internal audits and business analytics, marketing similar Services to existing clients (within legal boundaries), managing client relationships, and ensuring network and information security. When relying on this basis, we conduct a legitimate interest assessment to evaluate the impact on your privacy and apply appropriate safeguards, including transparency and the right to object.
6.15.2.5. Vital Interests: In rare cases, we may process Personal Data to protect someone’s life or physical safety. This legal basis is used only where absolutely necessary, such as during health emergencies, natural disasters, or incidents involving public safety, and when no other lawful basis is available.
6.15.2.6. Compliance with Local Jurisdictions: We may also rely on additional legal grounds as specifically required or permitted under local privacy frameworks. For example:
- Under the Digital Personal Data Protection Act, 2023 (India), we may rely on consent or "legitimate use" as permitted under Section 7 for purposes such as employment, compliance with legal obligations, or public interest.
- Under the CCPA (California), we process data as a “business” and ensure transparency in our data practices, provide the ability to opt out of the sale or sharing of personal information, and respect consumer rights such as access, deletion, and correction.
6.16. HOW WE SHARE PERSONAL DATA
6.16.1. Atorus does not sell, rent, or lease your personal information, nor do we transfer your personal information internationally as part of our normal business activities.
6.16.2. However, in the course of conducting our business and delivering Services, we may share your Personal Data with carefully selected Third Parties. Such sharing is strictly limited to what is necessary, proportionate, and compliant with applicable data protection laws, including the GDPR, India’s DPDP Act, and the CCPA/CPRA. We ensure that all recipients of Personal Data are subject to appropriate contractual, technical, and organizational safeguards that uphold privacy and confidentiality.
6.16.3. Third-Party Service Providers
6.16.3.1. We may share your Personal Data with trusted Third-Party Service providers who perform Services on our behalf and require access to Personal Data to do so. The purposes include, but are not limited to:
- Providing Customer Service
- Sending marketing communications
- Fulfilling subscription Services
- Conducting research and analysis
- Providing cloud computing infrastructure
6.16.3.2. In all such cases, these Third Parties are bound by strict data Processing agreements that limit their use of Personal Data to specified purposes and require them to maintain adequate security measures.
6.16.3.3. Business Transfers: If Atorus is involved in a merger, acquisition, asset sale, corporate restructuring, or other change in control, Personal Data may be transferred to a successor entity or acquiring organization. In such events, we will ensure that any Personal Data transferred remains subject to privacy commitments that are at least as protective as those outlined in this Notice. Where required by law, we will notify affected individuals and offer the opportunity to opt out or exercise data rights prior to the transfer.
6.16.3.4. Legal Requirements and Regulatory Disclosures: We may disclose your Personal Data when required to do so by applicable law, regulation, legal process, or court order, or in response to lawful requests by public authorities. We may also disclose information when we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of our employees, clients, partners, or the public. Where permissible, we will make reasonable efforts to notify individuals before responding to such requests.
6.16.3.5. Professional Advisors and Auditors: In the course of our legitimate business operations, we may share Personal Data with external advisors such as legal counsel, accountants, auditors, or consultants. This may occur in connection with internal governance reviews, regulatory compliance audits, risk assessments, or dispute resolution proceedings. All such Parties are required to handle data in accordance with strict confidentiality obligations and applicable legal standards.
6.16.3.6. Consent-Based Sharing: Where we have obtained your explicit consent, we may share your Personal Data with Third Parties for purposes beyond the scope of our core Services, such as promotional campaigns, testimonials, or Third-Party research projects. You may withdraw your consent at any time, and we will honour such requests in accordance with applicable laws and contractual commitments. We review all Third-Party relationships regularly and conduct due diligence to ensure that your data is handled securely and lawfully. All data transfers, whether domestic or cross-border, are supported by appropriate contractual and legal safeguards such as Standard Contractual Clauses (SCCs), data Processing agreements, or lawful exemptions under applicable privacy frameworks.
6.17. International Transfers of Personal Data
6.17.1. In the course of providing Services and conducting business, your Personal Data may be transferred to, or accessed from, countries other than your country of residence, including jurisdictions that may not offer the same level of data protection as your own.
6.17.2. We are committed to ensuring that any such international transfer is conducted in full compliance with applicable privacy laws, including the EU and UK General Data Protection Regulations (GDPR), the Digital Personal Data Protection Act, 2023 (India), and CCPA. Where necessary, we implement specific legal, technical, and organizational safeguards to ensure that your Personal Data remains protected regardless of where it is processed.
6.17.3. When we transfer your Personal Data internationally, we take steps to ensure that appropriate safeguards are in place to protect your privacy rights and the integrity of your Personal Data. These safeguards may include:
6.17.3.1. Standard Contractual Clauses (SCCs): We may implement contracts approved by regulators that require recipients to protect Personal Data in accordance with applicable laws.
6.17.3.2. Binding Corporate Rules (BCRs): Where applicable, we adhere to internal policies approved by regulatory authorities to allow international transfers within our corporate group.
6.17.3.3. Certification Mechanisms: In some cases, we may rely on independently certified frameworks that ensure data protection standards, subject to applicable approvals.
6.17.3.4. Consent: Where required by law, we will ask for your explicit consent to transfer your data across borders.
6.17.3.5. International Data Transfer Agreement as per ICO, UK: Where Personal Data is transferred outside the UK to a country without an adequacy decision, Atorus uses the International Data Transfer Agreement approved by the UK Information Commissioner’s Office. We may also use the UK Addendum to the EU Standard Contractual Clauses where both UK and EU data are involved.
These tools ensure a legally binding and enforceable mechanism for safeguarding Personal Data. Transfers are further supported by Transfer Risk Assessments and technical and organisational measures such as encryption. Our goal is to ensure that individual rights are protected even when data is transferred internationally. All international transfers are made in compliance with the UK GDPR.
6.17.4. Regardless of where your Personal Data is processed, we apply the protections described in this Privacy Notice and take all necessary steps to comply with applicable legal requirements for international data transfers. If you would like more information about the specific countries to which your Personal Data may be transferred, or the safeguards implemented to protect your information, you may contact us at [email protected].
6.18. Data Retention
6.18.1. We retain Personal Data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required to meet legal, regulatory, or operational obligations.
6.18.2. The specific retention period depends on the nature of the data, the context in which it was collected, and the applicable legal requirements in the jurisdictions where we operate, including the GDPR (EU/UK), India’s DPDP Act, 2023 and the California Consumer Privacy Laws.
6.18.3. If we collect your personal information in order to identify you as a current or potential client or Customer, as part of running our business, we will dispose of your information within a reasonable period after we determine you are no longer a current or potential client or Customer.
6.18.4. In determining the appropriate retention period for Personal Data, we consider several factors, including but not limited to:
- The nature, sensitivity, and classification of the data;
- The purposes for which the data was collected or subsequently processed, including contractual obligations;
- Whether there is a legal or regulatory requirement to retain the data for a defined period (e.g., tax, employment, or corporate law);
- Internal operational policies, industry guidelines, and historical recordkeeping practices;
- The likelihood of continued interaction or relationship with the user (e.g., active accounts or Service usage);
- Potential legal risks or the need to preserve data for dispute resolution or enforcement of our rights.
6.18.5. Once the applicable retention period has expired, or when we no longer need the data for business or legal purposes, we securely delete it or anonymize it in a manner that ensures it cannot be linked back to any individual.
6.19. HOW WE STORE PERSONAL DATA
6.19.1. We store Personal Data in secure digital environments supported by a cloud-based infrastructure, depending on the nature of the data and the Services being provided. Our storage practices are designed to ensure data confidentiality, integrity, and availability in full alignment with global privacy standards.
6.19.2. All data is stored using reputable Third-Party cloud Service providers or data centre operators that maintain industry-leading security certifications. These vendors are contractually bound to maintain robust physical, technical, and organizational safeguards for data they process or store on our behalf.
6.19.3. Our data storage controls include:
- Role-based access controls, ensuring that only authorized personnel with a business need can access specific categories of Personal Data;
- Encryption in transit and at rest, protecting Personal Data against unauthorized access or interception, whether the data is being transferred or stored;
- Secure backups, implemented to ensure data resilience and recoverability in the event of data loss, corruption, or system failure;
- Network segmentation and firewall controls, restricting unauthorized connections and enhancing security for sensitive data stores;
- Continuous monitoring and auditing, including the use of access logs and anomaly detection tools to proactively manage potential security threats.
6.19.4. We conduct regular reviews of our storage systems to ensure compliance with applicable data protection obligations, including data minimization and storage limitation principles. When Personal Data is no longer required for the purposes for which it was collected, or when we are instructed to delete or anonymize it under applicable law, it is securely disposed of in accordance with our internal Data Retention Policy.
6.20. Your Rights and Choices
6.20.1. Depending on your country of residence and the applicable data protection laws, you may be entitled to certain rights regarding your Personal Data. These rights vary by jurisdiction but generally include access, correction, deletion, objection to Processing, and portability. We will always honour your rights in accordance with the laws that apply to you, including the EU/UK GDPR, India’s Digital Personal Data Protection Act, 2023 and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA).
6.20.2. Right to Access: You have the right to request confirmation of whether we process your Personal Data and to obtain a copy of such data in a clear and understandable format. This right allows you to gain transparency about the categories of Personal Data we collect, how we use it, the types of Third Parties with whom it may be shared, and the duration for which it is retained. Upon your request, we will provide:
- A summary of the Personal Data we hold about you;
- The purposes of Processing;
- The categories of Personal Data processed;
- The recipients or categories of recipients to whom your data may have been disclosed;
- The source of the data, if not collected directly from you;
- Where applicable, information about automated decision-making and the logic involved.
6.20.3. Right to rectification: You have the right to request the correction or update of any Personal Data we hold about you that is inaccurate, incomplete, or outdated. This ensures that the information we use and share is accurate and relevant. Depending on the nature of the data and the purpose for which it is processed, you may:
- Request that we correct factual inaccuracies (e.g., name, contact details);
- Request completion of incomplete data if it is relevant to the Processing context;
- Provide supporting information or documentation to facilitate the correction process.
6.20.4. Right to Erasure: You have the right to request the deletion of your Personal Data where there is no compelling reason for us to continue Processing it. You may request erasure of your Personal Data in the following circumstances:
- The data is no longer necessary for the purpose for which it was collected or processed;
- You withdraw your consent, and there is no other legal basis for Processing;
- You object to the Processing and there are no overriding legitimate grounds to continue;
- The Personal Data was processed unlawfully;
- The data must be erased to comply with a legal obligation.
Please note that this right is not absolute. We may retain certain Personal Data where necessary:
- To comply with a legal obligation (e.g., tax, employment, or regulatory requirements);
- For the establishment, exercise, or defence of legal claims;
- Where retention is required for our legitimate business interests, consistent with applicable law.
6.20.5. Right to Object: You have the right to object to the Processing of your Personal Data when it is based on our legitimate interests or is being used for direct marketing purposes. If you object to direct marketing, we will stop Processing your Personal Data for that purpose immediately. For Processing based on legitimate interests, we will consider your objection and determine whether we have compelling legitimate grounds to continue Processing or whether your rights outweigh those interests.
6.20.6. Right to Data Portability: You have the right to request that we provide you with your Personal Data in a structured, commonly used, and machine-readable format. Where technically feasible, you may also request that we transfer this data directly to another data Controller of your choice. This right applies when the Processing is based on your consent or on a contract and is carried out by automated means.
6.20.7. Right to Withdraw Consent: Where we rely on consent to process your Personal Data, you have the right to withdraw that consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal.
6.20.8. Right to Nominate: Where permitted by applicable law, you have the right to nominate another individual to exercise your Data Subject rights on your behalf in the event of your incapacity or death. To exercise this right, you may be required to provide:
- A valid nomination form or legal authorization
- Proof of identity of the nominee and supporting documentation
- Any additional documentation as required by local regulations.
6.21. Response to Personal Data Breach Incidents
6.21.1. In the event that Atorus learns of a suspected or actual Personal Data Breach, the DPO will perform an internal investigation and take appropriate remedial measures in a timely manner, according to its Data Breach Response and Notification procedure. Where there is any risk to the rights and freedoms of Data Subjects, Atorus shall notify the relevant data protection authorities without undue delay. Where Atorus acts as Processor, it shall notify the Controller of the Personal Data Breach in a timely manner. The DPO will also escalate the Personal Data breach issue to other internal groups for consideration, for example, for assessment as potential serious breaches of GCP by Quality Assurance.
6.22. Organization, Accountability and Audit
6.22.1. The responsibility for ensuring the lawful and appropriate Processing of Personal Data rests with all individuals who work for, or on behalf of, Atorus and who have access to Personal Data processed by Atorus. Atorus ensures that each Processing activity is subject to internal audit specific to the department by an appropriately appointed organizational authority.
6.23. Use Of Artificial Intelligence (AI) Tools
6.23.1. Atorus may use Artificial Intelligence (AI) tools in limited contexts, such as data analysis or Service enhancement, to improve efficiency and decision support. These tools are designed to assist human decision-making, not replace it. Where AI involves the Processing of Personal Data, we ensure it is done transparently and in compliance with our obligations under the applicable privacy laws.
6.24. Use of Cookies
6.24.1. Cookies are small data files placed on your device when you visit our site. At Atorus, we use cookies and similar technologies to enhance your experience on our Website, measure performance and marketing effectiveness, and support essential site functionality. For a more detailed view into our cookie usage, please visit our Cookie Policy.
6.25. DATA SECURITY AND INTEGRITY
6.25.1. We are committed to protecting the confidentiality, integrity, and availability of Personal Data. To achieve this, we implement a range of technical and organizational security measures designed to prevent unauthorized access, loss, misuse, alteration, or disclosure of your Personal Data.
6.25.2. Protection of Children Data:
6.25.2.1. Protecting the privacy of children is of paramount importance to Atorus. Our Services and Websites are not directed at, nor intended for use by, children under the age of 16 (or such other age as defined under applicable local laws, such as 13 under CCPA and 18 under India's DPDP Act for specific Processing purposes).
6.25.2.2. We do not knowingly collect, solicit, or process Personal Data from children without verifiable parental consent, unless we are legally required or permitted to do so under applicable laws. If we become aware that we have collected Personal Data from a child without the appropriate consent or legal basis, we will take immediate steps to delete that information.
6.25.2.3. If you believe that we may have collected Personal Data from a child without lawful consent, or if you are a parent or guardian seeking to access, review, or delete your child’s information, please contact us immediately at [email protected].
6.26. Special Notice to California Residents
6.26.1. The California Consumer Privacy Act (the “CCPA”) provides California residents the right, once a year, to receive information about Third Parties with whom Atorus has shared information about you for its marketing purposes during the previous calendar year, and a description of the categories of personal information shared. If you are a California Resident, you may have additional rights under the California Consumer Privacy Act (the “CCPA”). These include:
- The right to request that Atorus disclose certain information to you about our collection and use of your personal information over the past 12 months.
- The right to know the categories of personal information that we collect, and the categories of sources from which we obtained that information.
- The right to know our business or commercial purpose for collecting or selling personal information.
- The right to know the categories of Third Parties with whom we share personal information.
- The right to object to the sale of Personal Data.
- The right to access your own personal information collected by Atorus (also called a data portability request).
- The right to equal Service and price, even for consumers who exercise their privacy rights.
6.26.2. Children's Privacy: Atorus does not collect or maintain information at its websites from those it knows are under 16 years of age, and no parts of its websites are structured to attract anyone under the age of 16.
6.26.3. Sale of Personal Information: In the preceding twelve (12) months, Atorus has not shared for purposes of cross-context behavioural advertising as defined in the CPRA or sold personal information to Third-Parties.
6.26.4. Access to Specific Information and Data Portability Rights: You have the right to request that Atorus disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive your request and confirm your identity, we will disclose to you the information requested, including:
- The categories of personal information we collected about you.
- The categories of sources of the personal information we collected about you.
- Our business purpose for collecting that personal information.
- The categories of Third Parties with whom we share that personal information.
- The specific pieces of personal information we collected.
- Information about any sales of your personal information.
6.26.5. Correction and Deletion Request Rights: You have the right to request that Atorus correct or delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive your request and confirm your identity, we will correct or delete your personal information from our records, unless an exception applies. If an exception applies, you will be notified that the data will not be corrected or deleted, along with specific information about the basis for the exception.
6.26.6. Exercising Access, Data Portability, Correction and Deletion Rights: To exercise the access, data portability, correction and deletion rights described above, please submit a request to us at [email protected]. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a request related to your personal information. You may also make a request on behalf of your minor child. You may only make a request for access or data portability twice within a 12-month period. Your request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.
- Provide a means to contact you.
- We will only use personal information provided in a CCPA request to verify the requestor’s identity or authority to make the request.
6.26.7. Response Timing: We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing.
6.26.8. Fee: We do not charge a fee to process or respond to your CCPA request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
6.27. Special Notice to Individuals in The European Union (EU)/European Economic Area (EEA), United Kingdom, Or Switzerland
6.27.1. We are required to comply with the European Union’s and the United Kingdom’s General Data Protection Regulations (“GDPR”), Switzerland’s Federal Act on Data Protection (FADP) and similar applicable local laws with regards to certain Personal Information we collect. The data Controllers of your Personal Information are Atorus and/or Atorus’s business partners or clients. Please contact us if you have any questions about the Controller or Controllers of your Personal Information at: [email protected].
6.27.2. Sensitive Personal Information: We process special categories of Personal Information (e.g., Sensitive Personal Information that reveals racial, sex or ethnic origin, genetic, biometric and health information, political and trade union affiliations, etc.) only where you give us your explicit consent, or when our Processing is for scientific research purposes, necessary to meet a legal or regulatory obligation, in connection with the establishment, exercise or defense of legal claims, or is otherwise expressly permitted by applicable laws.
6.27.3. If we need to collect your Personal Information by law or under the terms of a contract we have with you and you do not provide the requested information, we may not be able to perform the contract we have or are trying to enter into with you.
6.27.4. Data transfers: Atorus may transfer or provide access to your Personal Information to its subsidiary companies and affiliates, authorized Service providers or collaborators or other Third Parties in these countries and others that may not provide the same level of protection to your Personal Information as in your country of residence. When we do so, in the absence of an adequacy decision concerning the recipient country, we rely on safeguards such as approved model contracts (for example the EU’s standard contractual clauses or the UK’s international data transfer agreement), after having carried out an assessment of the level of protection of your rights on the territory of the Third country where the recipient of your Personal Information is established. For more information about Atorus’s use of the model contracts, please contact us at: [email protected].
6.27.5. Residents of the EU and UK may be entitled to additional privacy rights consistent with the General Data Protection Regulation (GDPR). These include:
- The right to data portability.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to object or restrict Processing.
| Legal Basis: | Right to Access | Right to Rectification | Right To Deletion | Right to Restrict Processing | Right to Data Portability | Right to Object Processing |
|---|---|---|---|---|---|---|
| Consent | Yes | Yes | Yes | Yes | Yes | Yes |
| In furtherance of Contract | Yes | Yes | Some limits apply | Yes | Yes | No |
| Atorus’s Legitimate Interests | Yes | Yes | Some limits apply | Yes | No | Unless compelling legitimate grounds exist |
| Legal Obligation | May be restricted | May be limited if conflicts with obligation | No | May be limited if conflicts with obligations | No | May be limited if there are compelling legal grounds |
6.27.6. If Atorus’s Processing of your Personal Data is covered by UK or EU law, you can also lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant EU supervisory authority name and contact details under http://ec.europa.eu/justice/dataprotection/bodies/authorities/index_en.htm and the UK supervisory authority contact details under https://ico.org.uk/global/contact-us/, though we encourage you to reach out to us first.
6.27.7. International transfers, Processing and storage of personal information: Your Personal Data may be collected, transferred to, and stored by us in the United States and by our affiliates and Third Parties that are based in other countries. This means that your Personal Data may be processed outside your jurisdiction, and in countries that are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the EEA. We ensure that the recipient of your Personal Data offers an adequate level of protection and security, for instance by entering into the appropriate data Processing agreements and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or another applicable regulator. Where required by applicable law, we will only share, transfer, or store your Personal Data outside of your jurisdiction with your prior consent.
6.27.8. Exercising Personal Data access, portability, and deletion rights: To fulfil your request, please:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
- We cannot complete your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a request to verify the requestor's identity and/or authority to make the request. We may refuse to act on requests that are insufficiently substantiated, unfounded, or excessive.
6.28. Automated Decision-Making
6.28.1. Atorus does not carry out any automated decision-making processes that produce legal or similarly significant effects on individuals, as defined under privacy regulations such as the EU/UK GDPR, India’s DPDP Act, and California’s CCPA.
6.28.2. Where we use limited forms of automation, such as analysing job applications, user preferences, or engagement data, it is strictly for the purpose of enhancing Service efficiency, personalisation, or operational analytics. These processes do not result in decisions that significantly affect your rights or access to Services without meaningful human involvement.
6.28.3. Any profiling or segmentation we perform is done under the following safeguards:
- Data used in such activities is limited, proportionate, and pseudonymised or aggregated where possible;
- Profiling is not used to make decisions about eligibility, performance, or access to Services without human review;
- We do not use profiling for behavioural advertising or sensitive inferences without your consent; and
- Individuals retain the right to object to profiling, request human intervention, and receive explanations about any such Processing.
6.28.4. Updates To This Privacy Notice
6.28.4.1. We may update this Privacy Notice from time to time to reflect changes in our practices, Services, or internal policies. All updates will be published on this page, along with a revised "Effective Date" at the top of the Notice.
6.28.4.2. We encourage you to review this Privacy Notice periodically to stay informed about how we handle your Personal Data. Continued use of our website or Services after changes have been made will indicate your acceptance of the updated terms.
6.29. Contact Us
6.29.1. If you have any questions, concerns, or requests regarding this Privacy Notice or the way we process your Personal Data, please reach out to us. We are committed to addressing your queries promptly and transparently.
6.29.2. You can contact us at [email protected]
6.29.3. Depending on your location, you may also have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can address your concern directly.
6.29.4. For all privacy-related inquiries, including data access, correction, withdrawal of consent, or the exercise of your legal rights, please clearly specify the nature of your request in your communication. We may ask you to verify your identity before we process your request in order to protect your data.