Privacy & terms
Redx Privacy Notice
Welcome to Redx Pharma Limited’s privacy policy and transparency notice (this “Notice”).
This Notice informs you how we look after your personal data when you visit our website (regardless of where in the world you visit it from), contains information about our other personal data collection and processing activities and tells you about your data protection and privacy rights and how data protection law protects you.
This Notice is provided in a layered format so you can click through to the specific topics set out below. Please also use the Glossary at the end of this Notice to understand the meaning of the terminology we use.
1. IMPORTANT INFORMATION AND WHO WE ARE
2. THE PERSONAL DATA WE COLLECT ABOUT YOU, THE PURPOSE(S) FOR OUR PROCESSING AND THE LAWFUL GROUND/CONDITION WE RELY ON
3. HOW AND WHERE WE COLLECT YOUR PERSONAL DATA
4. HOW WE USE YOUR PERSONAL DATA
5. DISCLOSURES OF YOUR PERSONAL DATA
6. INTERNATIONAL TRANSFERS
7. PERSONAL DATA SECURITY
8. PERSONAL DATA RETENTION
9. YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA
10. GLOSSARY
1. Important information and who we are
1.1 Purpose of this Notice
This Notice gives you information on how we collect and process your personal data through your use of this website, including any data you may provide through this website, or when we collect your personal data via other channels, either directly from you or indirectly from a third party when:
- You apply for a role in our organisation or submit a speculative CV (“Applicant”);
- You enter into a contract with us and/or your employer enters into a contract with us (“Contractor”);
- You opt-in to receive email communications from us (“Recipient”);
- You indicate an interest in taking part in one of our research studies (“Interested Person”);
- We are looking to establish contact with healthcare professionals eminent in a specialism of interest to us (sometimes called “Key Opinion Leaders”);
- You contact us for any other reason, including business development, media and/or investor relations’ enquiries (“Other Stakeholders”), collectively known as “(Everyone”).
This website is not intended for children. Unless a parent or guardian registers their child as an Interested Person in one of our paediatric research studies. We do not knowingly collect personal data relating to children either directly or indirectly via any channel.
It is important that you read this Notice together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you (“Transparency Information”) so that you are fully aware of how and why we are using your personal data. This Notice supplements any other Transparency Information and is not intended to override it. In particular, if you are a participant in one of our research studies you will receive detailed Transparency Information by way of that study’s ethically approved informed consent form which will set out our specific rights and duties to you as a study participant, including in relation to the study-related personal data which will be collected and generated about you during the study. This Notice does not apply to participants’ research study data. If you are a present or former participant in one of our research studies please refer to the copy of the informed consent form you will have received or contact your study doctor in the first instance. Your study doctor will liaise with us as necessary. This Notice does not apply to our employees either, but it is relevant to our Contractors.
1.2 Controller
Redx Pharma Limited, registered address Block 33, Mereside, Alderley Park, Macclesfield, England SK10 4TG is the controller of and is responsible for your personal data (collectively referred to as “Redx”, “we”, “us” or “our” in this Notice).
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Notice and our other Transparency Information and our data protection governance programme. If you have any questions, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
1.3 Contact details
Full name of legal entity: Redx Pharma Limited
Email address: privacy@redxpharma.com
Postal address: Block 33, Mereside, Alderley Park, Macclesfield, England SK10 4TG
You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to resolve your concerns before you approach the ICO, so please contact our DPO in the first instance.
Our Article 27 EU GDPR data representative for residents in the EU is: DataRep, Viale Giogio Ribotta 11, Piano 1, Rome, Lazio 00144 Italy.
1.4 Changes to this Notice and our other Transparency Information and your duty to inform us if your personal data needs updating
We keep this Notice and our other Transparency Information under regular review. This version was last updated on 4th July 2024. Historic versions can be obtained by contacting our DPO.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes materially during your relationship with us.
1.5 Third-party links
This website may include links to third-party websites, plug-ins and/or applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal data about you. We do not control these third-party websites and connections and are not responsible for their privacy and data protection practices. When you leave our website, we encourage you to read the privacy policy of every website you visit or that of the controller of the connection you have made.
2. The personal data we collect about you, the purpose for our processing and the lawful ground/condition we rely on
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been permanently removed and the data has been aggregated with other data (“Anonymous Data”).
We may collect, use, store and transfer different kinds of personal data about you depending upon the nature of your relationship with us. Other Transparency Information may give you more detail, but broadly speaking we collect and process the following categories of personal data about the following types of people, for the purpose(s) listed below on the lawful processing grounds/conditions specified. We also identify what our Legitimate Interests are where appropriate.
Note that we may process your personal data based on more than one lawful ground/condition depending on the specific purpose(s) for which we are using it. Please contact us if you need details about the specific lawful ground/condition we are relying on to process your personal data where more than one ground/condition has been set out below.
Purpose/Activity and in-scope individuals | Personal data types | Lawful processing ground(s) / condition(s) (including basis of Legitimate Interests) |
---|---|---|
To register you as a new Applicant, Contractor, Recipient, Interested Person, Key Opinion Leader and/or Other Stakeholder and/or respond to your request | (a) Contact (b) Communications (c) Financial (d) Identity (e) Technical (f) Transaction | (a) Your express Consent (b) Performance of a Contract with you or your employer (c) Necessary for our Legitimate Interests (to conduct and grow our business and respond to your request) (d) Necessary to Comply with a Legal Obligation |
To manage and build our relationship with Applicants, Contractors, Recipients, Key Opinion Leaders and Other Stakeholders including: (a) Managing payments, fees and charges (b) Collect and recover money owed to us and you (c) Notifying you about changes to our terms or Transparency Information (d) informing or updating you in our vision, goals and strategy and our progress | (a) Communications (b) Contact (c) Financial (d) Identity (e) Transaction (f) Sensitive | (a) Your express Consent (b) Performance of a Contract with you or your employer (c) Necessary to Comply with a Legal Obligation (d) Necessary for our Legitimate Interests (to manage and improve our business relationship with you, including paying and recovering debts, skills and knowledge assessments and answering your enquiries) (e) Publicly Available |
To manage this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and delivering relevant website content and information to you and measure or understand the effectiveness of such content and information | (a) Technical | (a) Necessary for our Legitimate Interests (in managing and improving our business, provision of administration and IT services, network security and prevent fraud) (b) Necessary to Comply with a Legal Obligation |
Everyone’s data to fulfil legal and/or regulatory obligations and/or requests | (a) All categories | (a) Comply with a Legal Obligation (b) Legitimate Interests in responding to compelling voluntary requests for information (c) Legal Claims |
Managing Applicants’, Contractors’, Other Stakeholders’ and Key Opinion Leaders’ attendance at our offices and/or corporate events | (a) Contact (b) Financial (c) Identity (d) Transaction (e) Sensitive | (a) Your express Consent (b) Performance of a Contract with you or your employer (c) Comply with a Legal Obligation (d) Vital Interests (e) Publicly Available |
Everyone’s data for the purpose of internal/external audit and compliance purposes | (a) All categories | (a) Legitimate Interests in ensuring compliance with internal policies and procedures and the law/regulations (b) Comply with a Legal Obligation (c) Legal Claims |
This Notice does not govern our employment relationship with our employees which is subject to separate Transparency Information.
We may also collect, use and share Anonymous Data such as statistical or demographic data for any purpose. Anonymous Data could be derived from your personal data but is not considered personal data in data protection law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Transaction Data to calculate the percentage of users accessing a specific website feature.
We keep our collection of any special category Sensitive Data about you to the minimum amount strictly necessary to achieve the legitimate purpose set out in Table 1. We do not collect any information about criminal convictions and offences without Your express Consent.
2.1 If you fail to provide personal data when asked
Where we need to collect personal data because it is Necessary to Comply with a Legal Obligation or for the Performance of a Contract we have with you, and you fail to provide that data when requested, we may not be able to enter or perform the contract we have with you or respond to your enquiry. In this case, we may have to cancel, or not enter, a relationship with you. We will notify you if this is the case at the time.
3. How and where we collect your personal data
We use different methods and channels to collect personal data from and about you including through:
- Direct interactions: you may give us your Communications, Contact, Financial, Identity and Sensitive Data by filling in forms or by corresponding with us by post, ‘phone, email or otherwise.
- Automated technologies or interactions: as you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our Cookie policy for further details.
- Third parties or publicly available sources: We will receive personal data about you from various third parties and public sources as set out below:
-
- Technical Data from the following parties in accordance with our Cookie policy
- analytics providers such as Google Analytics;
- website performance measurers such as Amazon Web Service.
- Contact, Financial and Transaction Data from suppliers of technical, payment and delivery services; and
- Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register.
- Technical Data from the following parties in accordance with our Cookie policy
Our use of automated technologies, indirect collection from third parties and publicly available sources may involve us receiving your personal data from (or sending it) outside of the UK – see section 6 “International Transfers”.
4. How we use your personal data
The circumstances when we rely on Your express Consent as a lawful processing ground/condition are limited (see Table 1). You have the right to withdraw Your express Consent (including objecting to the continued receipt of our direct marketing) at any time by contacting us.
4.2 Direct Marketing and Communications
We will only send you direct marketing communications by email if we have Your express Consent. You can ask us to stop sending you direct marketing messages at any time by using the “UNSUBSCRIBE” functionality contained in each email.
Where you opt-out of receiving direct marketing messages by email, this objection will not automatically apply to personal data provided to us for other personal data processing activities unless you explicitly exercise your right to object by contacting our DPO.
4.3 Cookies
For information about the cookies we use, please see our Cookie policy
4.3 Cookies
We will only use your personal data for the purpose(s) for which we collected it as stated in our Transparency Information, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our DPO.
If we need to use your personal data for an unrelated purpose, we will notify you and either seek Your express Consent or explain the lawful processing ground(s) which allows us to do so.
Please note that we may process your personal data without your knowledge or Your express Consent, in compliance with the above rules, where this is permitted by law or Necessary to Comply with a Legal Obligation.
5. Disclosures of your personal data
We may share your personal data with the parties set out below for the purpose(s) set out in Table 1.
- Internal Third Parties as set out in the Glossary;
- External Third Parties as set out in the Glossary;
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Notice and any other Transparency Information.
We require all Third Parties (excepting Regulators) to respect the security of your personal data and to treat it in accordance with this Notice, any other Transparency Information, the law and the contracts (including the safeguards) we put in place. We do not allow our External Third Party suppliers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. International transfers
We share your personal data with Internal Third Parties. This will involve transferring your data (or providing access to it) outside the UK to the USA. Many of our External Third Parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK too.
Whenever we transfer or permit access to your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for UK personal data. For further details, see A guide to international transfers | ICO.
- Where we transfer your personal data to third parties (excepting Regulators) in non-adequate third countries, we perform the necessary transfer impact assessments and use specific contracts approved for use by the UK’s Secretary of State which give your personal data the same protection it has in the UK (“IDTA”). For further details, see International data transfer agreement and guidance | ICO.
Please contact our DPO if you want further information on the specific mechanism used by us when transferring your personal data out of the UK to non-adequate third countries. Where we have used IDTAs you are entitled to see redacted copies of them. The redactions will only be applied to commercially sensitive aspects of the relationship between us and the third-party.
7. Personal data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other Third Parties who have a business need to know. External Third Party suppliers may only process your personal data on our instructions, and they are subject to a written contract which imposes upon them a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator, including the ICO, of a breach where we are legally required to do so.
8. Personal data retention
How long will we use your personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfil the purpose(s) we collected it for, including for the purposes of satisfying any contractual, legal, regulatory, tax, accounting, financial reporting or other legally permissible requirements (the “Requirements”). We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purpose(s) for which we process it and whether we can achieve those purposes through other means, and the applicable Requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting our DPO.
In some circumstances you can ask us to delete your personal data: see your legal rights section below for further information.
9. Your legal rights in relation to your personal data
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
- Request access to your personal data;
- Request correction of your personal data;
- Request erasure of your personal data;
- Object to processing of your personal data;
- Request restriction of processing your personal data;
- Request transfer of your personal data (portability);
- Right to withdraw Your express Consent.
If you wish to exercise any of the rights set out above, please contact our DPO.
9.1 No fee is usually payable
You will not have to pay a fee to access your personal data (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in those circumstances.
9.2 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of the other rights listed above). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
9.3 Time limit for our response
We try to respond to all requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you of our progress and keep you updated.
10. Glossary
- Communications Data: includes your permissions and preferences in receiving direct marketing from or about us.
- Contact Data: includes billing address, home and/or delivery address, email address and telephone numbers.
- Financial Data: includes personal bank account and payment card details.
- Identity Data: includes first name, maiden name, last name, username or similar identifier, title, date of birth, government-issued identifier and gender.
- Technical Data: includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website. It also includes information about how you use our website (pages visited, time spent on each page etc.).
- Transaction Data: includes details about payments to and from you.
- Sensitive Data: includes racial or ethnic origin, religious or philosophical beliefs, genetic data, data concerning health and/or sexual orientation.
LAWFUL BASIS
- Your express Consent: means your demonstrable, freely given, specific, informed and unambiguous indication of your permission for us to collect and process your personal data in accordance with the Transparency Information.
- Legitimate Interests: means the legitimate interest outlined in Table 1. We make sure we consider and balance any potential impact on you (both positive and negative) and your data protection and privacy rights before we process your personal data in our legitimate interests. We do not use your personal data for activities where our interests are overridden by the negative impact on you (unless we have Your express Consent or are otherwise permitted to by law, or it is Necessary to Comply with a Legal Obligation). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting our DPO.
- Performance of Contract: means processing your personal data where it is necessary for the performance of a contract to which you or your employer is a party or to take steps at your or their request before entering into such a contract.
- Necessary to Comply with a Legal Obligation: means processing your personal data where it is necessary for compliance with a legal obligation to which we are subject.
Additional lawful processing conditions: Sensitive Data
- Legal Claims: means processing your special category data because it is necessary for us to establish, exercise or defend legal claims.
- Publicly Available: means processing the special category data which you have volunteered for public consumption e.g. via open public media posts.
- Vital Interests: means processing your sensitive data where it is necessary to protect your (or another individual’s) life or death interests and you are incapable of giving Your express Consent.
THIRD PARTIES
- Internal Third Parties: other companies in the Redx group of companies, a list of which is available from privacy@redxpharma.com;
- External Third Parties:
- Suppliers acting as processors who may be based anywhere in the world including the USA, which provide support services to Redx, including IT and associated services;
- Professional advisers acting as controllers including lawyers, bankers, auditors and insurers, again who may be based anywhere in the world who provide consultancy, banking, legal, auditing, insurance and accounting services;
- HM Revenue & Customs, regulators and other authorities acting as controllers based in countries where Redx has a group company, operations or otherwise conducts business (“Regulators”) who require reporting of processing activities in certain circumstances.
A list of recipients is available from our DPO.
YOUR LEGAL RIGHTS
You have the right to:
- Request access: to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction: of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected, though we may need to verify the accuracy of the new personal data you provide to us.
- Request erasure: of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with the law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing: of your personal data where we are relying on our Legitimate Interests (or those of a third-party) and there is something about your particular situation which makes you want to object to our processing as you feel it impacts on your fundamental rights and freedoms. You also have the absolute right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to continuing processing your information (which overrides your objection).
- Request restriction: of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy;
- Where our use of the data is unlawful, but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to its continued use.
- Request the transfer (portability): of your personal data to you or to a third-party. We will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data which you initially provided Your express Consent for us to use or where we used the information for the Performance of a Contract with you.
- Withdraw consent at any time: where we are relying on Your express Consent as the lawful processing ground to process your personal data. However, this will not affect the lawfulness of any processing carried out before such withdrawal. If you withdraw Your express Consent, we may not be able to continue our relationship with you or the services you or your employer provides to us. We will advise you if this is the case at the time of withdrawal.