Privacy Policy

Last update: January 29th, 2025

‍
1. Recitals

The protection of individuals with regards to the processing of their Personal Data (as defined below) is a fundamental right that Waiv, incorporated under Paris RCS under number 938 797 099 (hereinafter “Waiv ”) takes very seriously.

Waiv processes Personal Data as part of its relations with its visitors, its prospects, partners, clients, employees, job applicants, contacts, investors , services providers, patients, contractors and any users of its website: www.wearewaiv.com (the “Website”) (all together the “Individuals”).

Waiv is firmly committed to conducting its business in accordance with the applicable data protection regulations and, in particular, the General Data Protection Regulation (EU) 2016/679 of April 27th, 2016 (“GDPR”), which aims to protect individuals’ rights with regards to the collection, use, retention, transfer, disclosure and destruction of their Personal Data.

The purpose of this privacy policy (“Privacy Policy”) is to set forth the types of Personal Data Waiv may receive from Individuals’ interactions with Waiv notably through its media platforms.

Waiv strives to ensure adequate protection of Individuals’ Personal Data and to preserve the protection and security of Individuals’ Personal Data, as well as inform and uphold Individuals on their rights.

What Personal Data Waiv is collecting and processing about Individuals? Why is Waiv processing Individuals’ Personal Data? What are the legal basis that entitled Waiv to do so? From what sources does Waiv collect Individuals’ Personal Data? Who are the authorized parties allowed to process Individuals’ Personal Data by Waiv? How does Waiv ensure the security and the protection of Individuals’ Personal Data? How long will Waiv keep Individuals’ Personal Data? What are Individuals’ rights regarding the processing made by Waiv on Individuals’ Personal Data? How can Individuals’ exercise their rights?

Please read the following Privacy Policy carefully and note that the following definitions will apply to this Privacy Policy:

• Data Controller(s): Waiv and its affiliates.
• Data Processor(s): natural person or legal entity who processes Personal Data on behalf of Waiv.
• Data Recipient(s): individual or legal entity who receives Personal Data from Waiv. Data Recipients may therefore also be employees of Waiv or of external entities (e.g. partners such as healthcare organizations or healthcare professionals, suppliers, services providers, clients, exhibitors, banks, agents etc.).
• Data Subject(s): the Individuals.
• Personal Data: refers to any information or pieces of information that can directly or indirectly identify a Data Subject, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

2. Objective

The purpose of this Privacy Policy is to meet the information obligation of Waiv under the GDPR (Article 12 to 14) and to document the rights of the Individuals regarding the processing of their Personal Data.

3. Scope

This Privacy Policy applies to all processing of Individuals’ Personal Data.

Waiv makes every effort to ensure that Personal Data is processed within the framework of strict internal governance. That being said, this Privacy Policy only covers Personal Data of which Waiv is the Data Controller and therefore not any processing that may be established or performed outside the scope of governance specified by Waiv.

The processing of Personal Data may be managed directly by Waiv or via Data Processors specifically designated by Waiv.

This Privacy Policy is independent of any other document that may apply in the context of the contractual relationship between Waiv and the Individuals. Specific privacy and data protection information’s notices and/or consent or non-opposition form, will be communicated to the concerned individuals if necessary, regarding specific situations where Waiv may process Personal Data.

In particular, patients whose pseudonymized data is processed by Waiv as part of its research and developments activities can find further information on this dedicated page on Waiv's website (including the identity of the entity providing their pseudonymized data to Waiv), as well as on Health Data Hub public repository (only in French). Patients may also have further information by contacting the hospital, public or private research organizations, laboratories having collected their data to have a broader view on the process of their data.

4. Purposes

Waiv does not process any Personal Data of Data Subjects if not relating to the Personal Data collected by or for its departments or processed in association with its departments and if it does not comply with the general principles of the GDPR.

Waiv may process Personal Data for the following purposes:

Waiv's business and contractual relationship purposes

• Management of contractual relationships, management of contact relationship, and business development, including without limiting the foregoing for identifying potential contractors, partners, service providers, clients.
• Execution and management of the agreements concluded with Waiv's academic partners (e.g. healthcare organizations such as hospitals, universities, research centers, healthcare professionals), Waiv's non-academic partners (e.g. pharma companies, biotech companies or other corporate partners), Waiv's service providers and/or Waiv's suppliers.
• Implementation and management of invoicing and accounting purposes.

Research and developments activities

• Implementation and management of research and developments activities, including carrying out market research, scientific studies, whether clinical studies, observational studies, post-market studies, or any other kind of scientific research projects (including projects using data already available at Waiv or at Waiv's partners for research purposes, and projects where additional data is derived from available human biological samples available at Waiv's partners).
• In compliance with GDPR, Waiv's may also process personal data issued from cell lines provided by biobanks and/or similar research organisms associated with, which might include genetic data and/or any other kind of sensitive personal data.

Compliance with legal, regulatory, industrial best practices and ethical obligations applicable to Waiv

• Design, development, manufacturing & sales of software as medical devices in support of diagnosis, prognosis, screening in pathology (including activities of vigilance, post-market surveillance, ...).
• Administrative formalities, registration, declarations, or audits, including but not limited to those applicable:
  ■ to the management of the recruitment;
  ■ in the frame of the relationship between Waiv and health care professionals and/or health care organizations and/or academic institutions and/or hospitals in the country where Waiv operates.
• Compliance with the requirements of the industry standards applicable to Waiv and with any applicable Waiv's policies.
• Ensuring the security of Personal Data collected and processed by Waiv.
• Ensure that the Personal Data is processed in accordance with the applicable data protection laws and regulations, including for instance the processing of the first name and the last name of the Data Subjects when they exercised their rights to Waiv in accordance with GDPR to ensure the effective management of their request.

Marketing purposes

• Implementation and management of marketing campaigns, generally via email, SMS, phone, etc. and media advertising.
• Implementation, communication and management of its newsletter.
• Implementation and management of targeted advertising and segmentation.
• Organization and management of events, in which Waiv participates or which Waiv is a sponsor.
• Implementation and management of social selling campaigns (including the collection of data relating to registrations, posts, likes, replies, forwards, comments, opinions, etc.).
• Implementation and management of surveys and statistics.

Management of the recruitments

• Management of the job advertisement and the job application, including the management of the pre-contractual relationship between Waiv and the job applicant.

Management of the Website purposes

• Implementation and management of the Website (case studies, contact forms, etc.).

Management of the platforms and tools made available by Waiv (e.g. Destra)

• Implementation and management of the tools and platforms (user access management, contact forms for support, etc.)
• Implementation and management of surveys and statistics in connection with the platforms and tools provided by Waiv such as Destra.
• Improvement of the tools and platforms made available by Waiv to the users and in particular to the scientific community, notably based on user’s feedback for Destra.

Protect Waiv's rights and interest

• Management of the investigation, pre-litigation, and litigation.
• Protection of Waiv's rights or those of third parties, including intellectual property rights, privacy, safety, and property.
• Protect Waiv against any actions or omissions which are likely to cause harm to Waiv, including fraudulent actions or omissions.

Although the list is intended to be as exhaustive as possible, any new use or modification or withdrawal of any existing processing will be notified to the concerned Data Subjects by the publication of new versions of this Privacy Policy on the Website. Waiv invites the Data Subjects to check online this Privacy Policy on a regular basis to be aware of this new use, modification, or withdrawal of any existing processing.

Waiv is granted by the Individuals with a right to process their Personal Data for the aforementioned purposes. However, any data supplemented by the processing and analysis of Waiv, otherwise known as supplemented data, shall remain the exclusive property of Waiv (usage analysis, statistics, etc.).

5. Lawfulness of the processing conducted by Waiv

The purposes for which Waiv process Personal Data described above are based on the legal basis described below.

The processing is necessary for the purpose of the legitimate interest of Waiv or a third party in the meaning of the GDPR

When Waiv processes Personal Data for its legitimate interest, Waiv shall take into account Data Subject’s fundamental rights and interest to assess if the legitimate interests pursued by Waiv do not create an imbalance with Data Subject’s fundamental rights and interest.

For example, the processing of Personal Data by Waiv is based on its legitimate interest for the following purposes:

• Protect Waiv from fraudulent actions or omissions;
• Implementation and management of research and developments activities;
• Management of contact relationship, and business development;
• Sending newsletters about Waiv to healthcare professionals and/or contractors with whom Waiv have pre-existing relationships in the framework of their professional activities.
• Management, including support, surveys and improvements of the tools and platforms made available to the users and in particular to the scientific community such as Destra.

The processing is necessary for the purpose of the compliance with the legislation applicable to Waiv

Waiv may process Personal Data in order to comply with legal obligations applicable to Waiv.

For example, the processing of Personal Data by Waiv may be based on the compliance with the legal obligations applicable to Waiv for the following purposes:

• Monitoring the adverse event or devices deficiencies of marketed products;
• Transparency regarding Waiv' The Data Subject has given consent of the processing of its Personal Data for one or more specific purposess relationship with healthcare professionals and/or healthcare organizations or academic institutions or hospitals;
• Financial and tax reporting;

The Data Subject has given consent of the processing of its Personal Data for one or more specific purposes

Waiv may process Personal Data for one or more specific purposes for which the Data Subject concerned will have clearly expressed its consent for the processing of its Personal Data for these purposes.

• For example, the communication to Waiv's newsletter to the Data Subject concerned is based on their consent.

The processing is necessary for the purpose of the performance of a contract

Waiv may process Personal Data for the execution of a contract between the Data Subjects (or their employers) and Waiv.

For example, the processing of Personal Data by Waiv may be necessary for the performance of a contract for the following purposes:

• Negotiation of contracts with Waiv's partners, suppliers, service providers, clients;
• Follow-up of Waiv's contractual relationship with its partners, suppliers, service providers, clients, users of Owkin’s platform and/or tools (such as Destra).

The processing is necessary for reasons of public interest

When the applicable law of the Data Subject’s country entitles Waiv to do so, notably in the case of public interest, Waiv may process Personal Data of concerned Data Subjects.

• For example, if in Data Subject’s country the law provides that Waiv may process Data Subject’s Personal Data in the area of public health to ensure a high standards of quality and safety of healthcare and medicinal products or medical devices, Waiv could process Data Subject’s Personal Data in the frame of scientific research projects aiming to improve the products marketed by Waiv or third parties or to develop new medicine products or medical devices.

‍

The Personal Data that Waiv is processing about Data Subjects, includes a wide range of Personal Data and depends on Waiv's relationship with the Data Subjects, as well as the third parties with which Waiv is working, and which may provide Owkin with the access to Personal Data.

For example, Waiv may process the following Personal Data:

Non-technical Personal Data (depending on the circumstances)

• Identity and identification (such as surname, first name, date of birth, pseudonym, client number, username, and password).
• Contact details (such as e-mail, postal address, phone number), notably for sending newsletters.
• Professional data, if applicable (notably the company name, function, as well as all the Personal Data related to candidate for a job offer such as the data related to the professional experiences and the education for the job application).
• Bank details, if required.
• Data relating to current contracts.

Technical Personal Data (depending on the circumstances)

• Data Subjects internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP address, etc.).
• Technical information such as the type of browser and operating system Data subject uses or Data Subject’s device information (unique device identifier, hardware model, operating system and version, mobile network information).

‍

In some cases, notably for its research and development activities, Waiv may need to process sensitive Personal Data, as defined by Article 9 of the GDPR. Waiv takes the protection of this sensitive Personal Data and more broadly the protection of all the Personal Data very seriously and takes all necessary measures, whether contractual, technical or organization to preserve the protection, integrity, and confidentiality of such Personal Data.

As provided above, specific privacy and data protection information’s notices and/or consent or non-opposition form, will be communicated to the concerned Data Subjects if necessary, regarding specific situations where Waiv may process their Personal Data. For clarity, patients whose pseudonymized data is processed by Waiv as part of its research and developments activities can find further information on this dedicated page on Waiv's website (including the identity of the entity providing their pseudonymized data to Waiv), as well as on Health Data Hub public repository (only in French).

6. Personal Data Sources

Personal Data is generally collected from Data Subjects directly (direct collection).

Collection may also be indirect via specialized partners, clients, service providers and suppliers of Waiv but also from hospital, public or private research organizations, laboratories partnering with Waiv, which are authorized to grant access to Waiv or to transfer personal data in compliance with their applicable law and in application of their own privacy and data protection policies.

In such cases, Waiv takes the greatest of care to ensure the quality of data it receives. If Data Subjects have any question related to the initial collection of their Personal Data by the partner, client, services provider, supplier, hospital, public or private research organizations, or laboratories partnering with Waiv (for the sensitive data), where applicable Waiv could invite Data Subjects concerned to contact them directly and/or to refer to their data protection policies.

7. Children’s Personal Data

Waiv's Website is not intended for children under thirteen (13) years old. Waiv does not knowingly process Personal Data from children under the age of thirteen (13) years old through Waiv's Website.

If a parent or a guardian becomes aware that his or her children have provided Personal Data to Waiv through Waiv's Website, he or she should contact Waiv's Data Protection Officer without delay to require the deletion of the Personal Data concerned in accordance with the applicable data protection laws.

For more information on how to contact Waiv's Data Protection Officer, please see Article 15 (“Data Protection Officer”) of this Privacy Policy.

8. Personal Data Recipients

Taking into account the purpose(s) for which Individuals’ Personal Data are processed, Waiv will ensure that Personal Data can only be accessed by authorized internal and external Data Recipients which need to know them.

Waiv's internal Data Recipients

Depending on the purpose(s) of the processing and the Personal Data processed, the Waiv's external Data

Recipient may include:

• Partners of Waiv (e.g. healthcare organizations such as hospitals, research centers, universities, healthcare professionals, services providers, suppliers, pharma companies, biotech companies or other corporate partners);
• Legal or administrative authorities, as required by the applicable laws and regulations to which Waiv may be subject;
• Potential acquirers and other stakeholders in the event of a corporate operation such as a change of control of Waiv, resulting from a capital increase, merger, demerger, or by the total or partial sale of the business activities.

Waiv's External Data Recipients

Depending on the purpose(s) of the processing and the Personal Data processed, the Waiv's external Data Recipient may include:

• Partners of Waiv (e.g. healthcare organizations such as hospitals, research centers, universities, healthcare professionals, services providers, suppliers, pharma companies, biotech companies or other corporate partners);
• Legal or administrative authorities, as required by the applicable laws and regulations to which Waiv may be subject;
• Potential acquirers and other stakeholders in the event of a corporate operation such as a change of control of Waiv, resulting from a capital increase, merger, demerger, or by the total or partial sale of the business activities.

‍

Data Recipients of Personal Data are bound by a confidentiality obligation. In any case, Waiv only provides them with the information strictly needed to process Personal Data in compliance with the purposes identified.

Waiv decides which Data Recipients may access to which Personal Data by means of a contract or internal policies.

Personal Data may also be forwarded to any authority legally entitled to receive it. In such cases, Waiv is not liable the way said authorities access and process the Personal Data but will limit the Personal Data accessed by these authorities to the strict minimum required by such authorities.

Waiv will never sell Personal Data to any third party.

9. Transfer of personal data to third countries or international organization

If as part of the processing activities described above, Waiv needs to transfer Personal Data from Data Subjects established in the European Economic Area (“EEA”) to recipient(s) located outside of the European Economic Area, such as its service providers and/or its partners and/or its affiliates, Waiv will ensure that adequate and appropriate safeguards are implemented as required by the GDPR (e.g. ensuring an adequacy decisions from the European Commission is in force in accordance with Article 45 of the GDPR, or binding legal act or European Commission Standard Contractual Clauses have been signed with the recipient where applicable).

10. Retention period

The retention period of Personal Data is defined by Waiv in accordance with its legal and contractual obligations and, failing this, depending on the specific needs, notably in accordance with the following principles:

Clients and partners’ Personal Data

For the duration of contractual relations with Waiv, which includes the duration of the contract, the terms of the warranties plus five (5) years for legal requirements, without prejudice to storage and retention obligations or the statute of limitations.

Job applicant’s Personal Data

Unless otherwise requested by the job applicant, their Personal Data are processed and stored during two (2) years from the collection of their Personal Data, Waiv may request the job applicant to extend this retention period of two (2) years every (2) years.

The retention period set forth above is without prejudice to the storage and retention obligations or the statute of limitations that may apply to Waiv.

Personal Data relating to contacts and potential clients

Three (3) years from collection of the Personal Data by Waiv or from the last contact made by the potential client or contact.

Information related to bank details (i.e. data related to bank or payment cards)

• until full payment is made or;
• until the goods are received or the service is provided. This period shall be extended by the withdrawal period for distance sales of goods and services.

For the management of the claim, the data related to payment cards may be kept within intermediate storage for evidence purposes in the event of a disputed payments transaction for thirteen (13) months'; following the data of debit. This delay may be extended to fifteen (15) months to take into account the possibility of using deferred payment cards.

‍

After the specified periods, Personal Data is either deleted or retained after anonymization, notably for statistical purposes. It may be retained in the event of pre-litigation and litigation.

Data Subjects are reminded that deletion or anonymization are irreversible operations, and Personal Data cannot be subsequently restored by Waiv. As such, it will no longer be possible to identify any Data Subjects, even indirectly, and any link between you and your data will be deleted. Once Personal Data have been anonymized, no one will be able to link the anonymized data and the initial Personal Data, and Waiv will no longer be able to comply with Data Subject’ requests to exercise their rights as described below.

11. Data Subjects’ Rights

As Data Subjects and in accordance with applicable data protection laws, Individuals are entitled to exercise the following rights:

Confirmation and access right

• Data Subjects are entitled to request Waiv to issue confirmation of whether or not their Personal Data is being processed and will benefit from access rights and a right to request a copy of their Personal Data. Any abuse of this right will be subject to costs that would be borne by the Data Subjects.
• If Data Subjects request a copy of their Personal Data via electronic means, the requested information will be provided in a commonly used electronic format, unless specified otherwise.
• Data Subjects are notified that this access right may not cover confidential information or data for which communication is prohibited by law.
• The access right may not be exercised in an abusive manner, i.e. exercised legally with the sole objective of undermining the proper execution of the service in question.

Updating and rectification rights

• Data Subjects are entitled to request Waiv to rectify their Personal Data, in the event that their Personal Data should be inaccurate, incomplete, or obsolete.

Right to oppose to the processing activities

• Data Subjects are entitled to oppose the processing of their Personal Data, subject to the legal and/or regulatory restriction that may exist with respect to this opposition right.
  For instance, with respect to the newsletter sent by Waiv to the Data Subjects, each of them can opt out at any time by clicking the “unsubscribe” link at the bottom of Waiv's newsletters.

Right to deletion

The deletion right of Data Subject does not apply where processing is conducted in compliance with a legal obligation or if the processing is necessary for the establishment, exercise, or defense of legal claims.

In other circumstances, Data Subjects may request deletion of their data if any of the following criteria are met:

• the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• if a Data Subject withdraws the consent on which the processing has been based and there exists no other legal basis;
• the Data Subject objects to processing required for Waiv to pursue its legitimate interests and there exists no other pressing and legitimate reason to continue processing;
• the Data Subject objects to the processing of its Personal Data for marketing purposes, including profiling;
• the Personal Data has been processed unlawfully.

In accordance with legislation related to Personal Data’s protection, Data Subjects are notified that this is an individual right that may only be exercised by Data Subjects in relation to their own information.

Rights to restrict processing

Data Subjects are notified that the right to restrict processing is not intended to apply when the processing conducted by Waiv is made in order to comply with laws and regulations applicable to Waiv and/or when the processing of the Personal Data is necessary for the performance of its services.

Personal Data Portability right

Waiv will accede to Personal Data portability requests in the specific circumstances of Personal Data communicated Data Subjects personally, via online services provided by Waiv itself and for purposes based solely on personal consent.

In such cases, the Personal Data will be communicated in a structured and commonly used format able to be read by a machine.

Automated individual decision-making

Waiv does not conduct automated individual decision-making.

Rights after death

Data Subjects are notified that they have the right to issue instructions concerning the retention, deletion, and communication of their data after their death.

‍

Any request related to the exercise of the rights described above shall be subject to a written request sent by e-mail at [dpo@owkin.com] or by post at Legal Department – Waiv – 14-16 Boulevard Poissonnière 75009 Paris - France, accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, Data Subjects are notified that the rights set forth above are individual rights that may only be exercised by the Data Subjects themselves in relation to their own information, so that for security reasons, Waiv must verify Data Subject’s identity before communicating any Personal Data to the Data Subject concerned. Once the identity has been verified, Waiv will destroy the signed identity document provided by the Data Subjects.

The response time for Data Subject’s request may vary depending on the complexity of the request or if the Data Subject submitted many requests.

Notwithstanding the right of deletion described above, Waiv will retain the Personal Data associated with the deletion request in order to be able to track the deletion request and its management.
‍

12. DATA PROCESSORS

Waiv notifies Data Subjects that it may engage any Data Processor of its choice to process their Personal Data.

In any such case, Waiv ensures that the Data Processor complies with its obligations under applicable data privacy laws and regulations and in particular with the GDPR.

Waiv undertakes to sign a contract with all Data Processor, imposing on the latter the same Personal Data protection obligations that apply to Waiv. Furthermore, Waiv reserves the right to perform an audit on the Data Processor to verify the latter's compliance with its obligations under the GDPR.

13. SECURITY

Waiv has implemented technical and organizational measures to protect the integrity and confidentiality of Data Subjects’ Personal Data. These measures take into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.

This measure includes for instance security techniques of a physical or logical nature which Waiv judges to be appropriate to prevent the destruction, loss, degradation or unauthorized disclosure of Personal Data in an accidental or illegal manner. The main elements of these measures include notably and without limitation:

• Management of Personal Data access rights;
• Internal back-up;
• Identification processes;
• Security audits;
• Implementation of an IT system security policy;
• Implementation of business continuity and disaster recovery plans;
• Use of security protocols and/or solutions

14. Personal data breach

In the event of any breach of Personal Data, Waiv undertakes to notify competent data supervisory authority (e.g. you can access the list of the competent supervisory authorities within the European Union by visiting the website of the European Data Protection Board) as set out in the GDPR.

Should any such breach present a high level of risk for Data Subjects and the Personal Data has not been protected, Waiv shall:

• Notify the Data Subjects concerned;
• Issue the necessary information and recommendations to the Data Subjects concerned.

15. Data Protection Officer

Waiv has appointed a Data Protection Officer. The contact details of the Data Protection Officer are as follows:

• Name: Patrice NAVARRO – Clifford Chance Law Firm (French);
• E-mail address: dpo@owkin.com;
• Postal address:
  To the attention of Owkin Data Protection Officer
  Legal Department
  Owkin Dx
  14-16 Boulevard Poissonnière, 75009 Paris
  FRANCE.

Should Data Subjects wish to obtain any particular information or pose a specific question, they may contact the Data Protection Officer who will provide a response within a reasonable period in light of the question posed or information requested.

In the event of encountering any problem with the processing of Personal Data, Data Subjects may contact the Data Protection Officer.

16. Processing record

As Data Controller, Waiv undertakes to maintain a record recording of all completed processing activities. This record is a document or software that lists all processing conducted by Waiv in its capacity as Data Controller.

Waiv undertakes to provide any competent supervisory authority on request with all information enabling said authority to verify the compliance of processing with applicable Personal Data protection regulations.

17. Right to submit a complaint to the supervisory authority

Data Subjects concerned by the processing of their Personal Data have the right to submit a complaint to the competent supervisory authority (e.g. you can access to the list of the competent supervisory authorities within European Union by visiting the website of the European Data Protection Board) should they believe that the processing of their Personal Data does not comply with the applicable data protection laws and regulations. The list of the supervisory authority is available at the following address:

• For the countries of the European Union: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en;
• For the United Kingdom: https://ico.org.uk/make-a-complaint/

Waiv cannot guarantee the durability of these URLs, nor the quality of the information contained therein.

18. Amendment to this Privacy Policy

This Privacy Policy may be amended or supplemented at any time in the event of legal or judicial developments, or in response to new uses and any decisions or recommendations issued by the competent supervisory authority or in order to reflect the changes of Waiv's practices.

Any new version of this Privacy Policy will be available on this page. Therefore, Waiv invites the Data Subjects to check this Privacy Policy on a regular basis.

19. For further information

For any further general information about Personal Data protection, please consult the website of the competent supervisory authority (e.g. you can access the list of the competent supervisory authorities within the European Union by visiting the website of the European Data Protection Board).

20. Information relaying to this Privacy Policy

If Data Subjects need any further information or assistance, do not hesitate to contact Waiv at the following address:

• By e-mail at: dpo@owkin.com;

• Or by post at the attention of the Legal Department – Waiv – 14-16 Boulevard Poissonnnière, 75009 Paris - France.