Introduction

MTM Group (“M:M Bio / MTM / “we”, “us” or “our”) understands that your privacy is important to you and that you care about how your personal data is used. This privacy policy sets out how we look after any personal data that we collect from, or is provided to us, by visitors to our website www.moleculetomedicine.com (our “Site”), external third parties with whom we have dealings and who share personal data with us, including but not limited to suppliers and their respective employees/representatives, visitors to our premises, emergency contacts of our employees, employment referees, witnesses of legal documentation and other people who otherwise interact with us (“you”). This privacy policy together with our cookie policy sets out how we look after any personal data that we collect from you, or that you provide to us, when you visit our Site and when otherwise interacting with us. Please read this privacy policy carefully and ensure that you understand it.

1. Information about us

www.moleculetomedicine.com is a site operated by the Molecule to Medicine or “MTM" group (We), comprising the following affiliated and/or associated companies:

M:M Bio Limited, registered in England and Wales under company number 13706785 with its registered office address at 99 Park Drive, Milton, Abingdon, England, OX14 4RY;

M:M Bio Global Services Limited, registered in England and Wales under company number 15361590 with its registered office address at 99 Park Drive, Milton, Abingdon, England, OX144RY;

M:M Bio Global Incubator Limited, registered in England and Wales under company number 15361637 with its registered office address at 99 Park Drive, Milton, Abingdon, England, OX14 4RY15361637; and

M:M Bio Pty Ltd, registered in Australia under company number 655 396 204 with its registered office address at Suite 201, 697 Burke Road, Camberwell, Victoria, 3124, Australia.

Email address: enquiries@m2m.bio MTM is the data controller in respect of your personal data. This means that we are responsible for deciding how we hold and use personal data about you.

2. What personal data do we collect and how do we use it?

We collect personal data so that we can operate effectively and provide you with the best possible service. The information we collect depends on the context of your interactions with us and your interactions with our Site. It also depends on the choices you make; for example, the functions you use and your privacy settings. You may choose not to provide certain information but if you do, and that information is necessary to provide a particular feature, then you may not be able to use that feature. We will only use your personal data where we have a valid lawful basis to do so. The table below summarises what information we collect about you, explains how we intend to use it and what our legal basis is for using it.

External third parties such as CROs, suppliers and their respective employees/representatives

What information will we collect about you?‍

Name and email address, home address, phone number. Employment organisation and address, your role. Zoom recordings: your name and image.‍

How will we collect information about you?

Collected directly from you by email, face-to-face or by telephone when you contact us.

Why are we processing information about you?

To perform essential business operations. To ask you for information about your organisation’s products or services, and for sales and contracting purposes. To evaluate suppliers and respond to supplier tender/bids. To store details used during the procurement process in our record-keeping system. To perform our contractual obligations to you or the organisation for which you work under any applicable contract. To provide requested services, information and product support and respond appropriately to your enquiries. To request feedback.

What is our legal basis for processing information about you?

To allow us to perform a contract with your organisation. To enable us to pursue our legitimate interests to:

• deliver or receive services;
• improve our services;
• protect our rights; and
• establish and/or maintain a business relationship with you (or your employer)

With your consent in relation to Zoom recordings obtained by clicking the accept button when we start to record a meeting.

Visitors to our Site

What information will we collect about you?‍

Name, organisation name, phone number and email address and any other information which you choose to give us

Device and usage data including IP addresses and device identifiers. Device event information including crash logs, hardware settings, browser type and browser language. Location information. Cookies and similar technologies

How will we collect information about you?‍

Collected when you contact us or complete the ‘Contact us’ form on our Site

Automatically collected and stored in our server logs when you interact with our Site. IP addresses may be collected when you complete a ‘contact us’ form.Collected from IP address, GPS and other sensors. For further information on our use of see our Cookie Policy

Why are we processing information about you?‍

To deal with enquiries, correspondence and complaints. To perform essential business operations. To communicate and personalise communications with you regarding information and services that you request from us

To improve user experience of our Site, for example to offer you tailored content. Protect security of our Site and to prevent fraud. To communicate and personalise communications with you regarding information that you request from us. To analyse the traffic to our Site

What is our legal basis for processing information about you?‍

To enable us to pursue our legitimate interests to:

• provide information that you have requested;
• improve our services;
• maintain the security of our computer systems;
• and protect our rights

To enable us to pursue our legitimate interests to:

• understand how our site is used;
• improve user experience of our site
• maintain the security of our computer site and;
• protect our rights

Consent

Visitors to our premises, emergency contacts of our employees, employment referees and witnesses of legal documentation‍

What information will we collect about you?‍

Visitors: name, email address, employment organisation and address, your role, phone number

Witnesses of legal documentation: name, address, occupation

Emergency contacts: name, relationship to employee, contact phone number

Employment references: name, contact number, email address, organisation and job title, opinion about potential employee

How will we collect information about you?‍

Collected when a meeting is arranged. Collected when you give us business cards and other contact information. Collected from you face-to-face or when you communicate with us

Collected directly from you if you witness a signature on a contract

In-case-of-emergency contact details are collected from our employees

Employment reference contact details are collected from our prospective employees

Why are we processing information about you?

To record visitors to our premises. To provide visitors with entrance to and a security pass for the building. To diarise and confirm meetings

To ensure the validity of legal documentation

To communicate with you in the event of an incident concerning an employee who has elected you as next-of-kin or in-case-of-emergency contact

To communicate with you regarding requests for information from you. To gather employment references as part of our hiring process

What is our legal basis for processing information about you?

To comply with a legal obligation to maintain the security/safety of you, our staff and others at our premises. If you fail to provide your personal data on visiting our premises, this may result in you not being permitted entry.To enable us to pursue our legitimate interests to:

• protect the wellbeing and welfare of our staff
• establish and/or maintain a business relationship with you or your employer; and
• provide information on products or services that may be of value to your business

To enable us to pursue our legitimate interests to perform contracts with our customers and other third parties

To comply with a legal obligation to maintain the security/safety of our staff and others at our premises. To enable us to pursue our legitimate interests to protect the wellbeing and welfare of our staff

To enable us to pursue our legitimate interests to carry out background checks on potential employees

More about the information we collect and why

We have a duty to process personal data fairly, lawfully and in a manner that you would expect given the nature of our relationship with you. Where we have a legal basis to use your personal data (as set out in the table above), this policy fulfils that duty by giving you appropriate notice and explanation of the way in which your personal data will be used.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Where consent is required for our use of your personal data, we will ask you to positively opt-in and you may withdraw your consent at any time. If you have any questions or require any further information regarding our use of your personal data, please contact us using the details provided in Part 9.

3. What are your rights?

Under data protection laws, you have the following rights to:

1. Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
2. Request to have your personal data corrected or erased if any of your personal data held by us is inaccurate or incomplete (unless we have the legal right to retain it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
3. Request the restriction of processing of your personal data. You can ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
4. Object to us processing your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground.
5. Change your data processing preferences at any time. If you have changed your mind you can contact us by email at privacy@m2m.bio
6. Request the transfer of your personal data to another party. If you have provided personal data to us directly and we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can also ask us for a copy of that personal data.
7. The right to withdraw consent. This means that, in the limited circumstances where we are relying on your consent as the legal basis for using your personal data for a particular purpose, you are free to withdraw that consent at any time. To withdraw your consent, please contact us by email at privacy@m2m.bio
8. Once we know that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
9. Rights relating to automated decision-making and profiling. However, we do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 9.

You should be aware that if you ask us to stop processing your personal data in a certain way or erase your personal data, and this type of processing or data is needed to facilitate your use of the Site you may not be able to use the Site as you did before.

It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed.

Further information about your rights can also be obtained from the Information Commissioner’s Office.

4. How and where do we store your data?

The personal data that we hold about you will only be processed and stored within the United Kingdom or European Economic Area. If we transfer your personal data out of the UK to the EEA, this is on the basis that the EEA is deemed to provide an adequate level of protection for personal data.

Personal information such as your name and email address, and also mobile phone numbers stored in the Breathe HR system, may be viewed by our employees or consultants that are not based in the UK or EEA. This is not a restricted transfer as it is within our company and you can expect a similar degree of protection in respect of your personal information.

Some of the third parties that we work with may transfer your personal information outside the UK and EEA as set out in their privacy notices, such as Google Analytics (listed below). If they do, you can expect a similar degree of protection in respect of your personal information through the use of safeguards such as special contracts approved by the European Commission and the Information Commissioner’s Office.

We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting obligations.

Unless we inform you otherwise (or you request that we erase your personal data) we will retain your personal data for as long as is reasonably necessary to fulfil the relevant purposes set out in this privacy policy and during the period required or permitted by law.

The retention period will be determined by relevant legal and regulatory obligation and/or duration of our relationship with you. We may need to keep personal data related to our contracts with third parties for up to seven years in some circumstances (and in some instances, longer) for legal reasons. Zoom meeting recordings will be kept for up to 60 days and we will delete them promptly when it is no longer necessary for us to retain them. If training sessions are recorded on Zoom, we may keep them for longer for future training purposes to comply with our legal and regulatory obligations.

5. How do we keep your data secure?

Personal data security is essential to us, and to protect your personal data all information that you provide to us is stored on secure servers. We have put in place appropriate measures to protect the security of your information.

The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our site and you acknowledge that any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or inadvertent disclosure.

If you receive a password to access any of our systems, you must keep this confidential and you must not share it with anyone else nor use another person’s password.

To learn more about the security measures we put in place click here.

We take the following measures:

• limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality and will only process your personal data on our instructions;
• we have clear procedures in place for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Information Commissioner’s Office where we are legally required to do so; and
• using secure password generating software to randomly generate passwords to access our systems

6. Do we share your personal data?

You acknowledge that we may share your personal data on the legal basis as set out in the table above or with your consent with selected third party service providers that support us in the performance of the activities set out in the table in Part 2 above, including the following third parties who may process personal data about you for the following purposes:

External third parties such as CROs, suppliers and their respective
employees/representatives and other people who contact or interact with us:

• we use Egnyte for data storage and file sharing purposes. Their privacy policy can be accessed here: https://www.egnyte.com/privacy-policy
• we use Google Mail as our email service provider. Their privacy policy can be accessed here: https://policies.google.com/privacy?gl=GB&hl=en
• we use Zoom in respect of online meetings. Their privacy policy can be accessed here

Visitors to our Site:

• we use Egnyte for data storage and file sharing purposes. Their privacy policy can be accessed here: https://www.egnyte.com/privacy-policy
• we use Google Mail as our email service provider. Their privacy policy can be accessed here: https://policies.google.com/privacy?gl=GB&hl=en
• we use WordPress to host our Site. Their privacy policy can be accessed here: https://automattic.com/privacy/
• we use Google Analytics to provide analytics services on our Site. Their privacy policy can be accessed here: https://policies.google.com/privacy?hl=en

More information about the way we use Google Analytics can be found in our Cookie Policy.

Visitors to our premises, emergency contacts of our employees, employment referees and witnesses of legal documentation:

• we use Egnyte for data storage and file sharing purposes. Their privacy policy can be accessed here: https://www.egnyte.com/privacy-policy

We require all our third-party service providers, to take appropriate and stringent security measures to ensure that your personal data is handled safely in line with our policies.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.

If we sell, transfer, or merge parts of our business or assets, your personal data may be shared or transferred to a third party.

We may also be legally required to share certain personal data, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority or a regulatory body or where we have another legitimate interest in doing so that is not overridden by your interests and fundamental rights. For example, to protect our customers or to operate and maintain the security of our computer systems.

We may also share Zoom recordings with third parties if you have agreed to this.

7. Other websites

Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

8. How can you access your personal data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 9 and we have one month to respond.

There is not normally any fee for a subject access request (or to exercise any of the other rights described in Part 3). If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a reasonable fee may be charged to cover our administrative costs in responding. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

This is another appropriate security measure to ensure that personal data are not disclosed to any person who has no right to receive it.

9. How do you contact us or make a complaint?

To contact us about anything to do with your personal data and how we handle it, including to make a subject access request, please contact our data compliance officer, Andrea Richardson, using the following details:

Email address: privacy@m2m.bio
Postal Address: 99 Park Drive, Milton, Abingdon, England, OX14 4RY, UK.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, so please contact us in the first instance, using the details above.

10. Changes to this privacy policy

We may change this privacy policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be posted on our website: https://m2m.bio we recommend that you check this page regularly to keep up-to-date. This privacy policy was last updated on 16th September 2024.

‍