Privacy Policy
1 Purpose and Scope
Mestag Therapeutics Limited (referred to as “Mestag Therapeutics”, “Mestag”, “the Company”, “We”, “Our,” or “Us”) are committed to protecting the privacy and security of Your Personal Data.
You (referred to as “You,” “Your,” “Data Subject,” or “User”) means the individual accessing, requesting or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. You may be referred to as the Data Subject or as the User as You are the individual using the Service.
This Mestag Therapeutics Website Privacy Notice may apply to You if You are:
- A Mestag Therapeutics clinical trial participant;
- The partner of a Mestag Therapeutics clinical trial participant;
- The child of a Mestag Therapeutics clinical trial participant;
- A healthcare professional conducting a Mestag Therapeutics clinical trial;
- An employee, contractor, or other associated party associated with Mestag Therapeutics;
- An employee, contractor, or other associated party contracted by Mestag Therapeutics’ Service Providers;
- A service User of this Website (https://www.mestagtherapeutics.com/); or,
- Any other individual with whom Mestag Therapeutics may conduct commercial operations.
If You are an employee or contractor of Mestag Therapeutics, or a candidate applying for a role at Mestag Therapeutics, a supplementary Privacy Notice will be provided to You to address how Mestag Therapeutics processes Your Personal Data.
We have developed this Privacy Notice to inform You of the data We collect, what We do with Your information, what We do to protect it, as well as the rights and choices You may have over Your Personal Data. It is important that You read this notice so that You are aware of how and why We are using such information.
2 Definitions
For the purposes of this Mestag Therapeutics Website Privacy Notice:
| Term | Definition |
|---|---|
| Company | (referred to as either “Mestag Therapeutics,” “Mestag,” “the Company,” “We,” “Us,” or “Our”) refers to Mestag Therapeutics Limited, at Suites 15 & 16 Science Village, Chesterford Research Park, Little Chesterford, Saffron Walden, Cambridgeshire, CB10 1XL, United Kingdom, registered under Company Number 12466144. |
| Data Controller | For the purposes of both UK and EU GDPR, Data Controller refers to the Company as the legal person that alone or jointly with others determines the purposes and means of the processing of Personal Data. For the purpose of both UK and EU GDPR, the Company is the Data Controller. |
| Data Processor | For the purposes of both UK and EU GDPR, this refers to the Company’s Service Providers. |
| Data Protection Legislation | Is as defined in the Data Protection Legislation section below. |
| Device | Means any device that can access the Service such as a computer, a mobile phone, or a digital tablet. |
| Personal Data | Personal Data is any information that relates to an identified or identifiable individual. For the purposes of both UK and EU GDPR, Personal Data means any information relating to You, such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity. |
| Service | Means any services provided by the Company, including provision of the Website, relevant clinical trials, business-to-business dealings and handling of enquiries received by us. |
| Service Provider | Means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies, Investigator Sites, or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. |
| Usage Data | Refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit). |
| Website | Refers to the Mestag Therapeutics Website, accessible from https://www.mestagtherapeutics.com/. |
3 Data Protection Legislation
Throughout this Privacy Notice We refer to Data Protection Legislation.
3.1 European Union
In the European Union (EU), Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the ePrivacy Directive (Directive 2002/58/EC), as well as any local data protection implementation laws, including any replacement legislation coming into effect from time to time.
3.2 UK
In the United Kingdom (UK), Data Protection Legislation means the Data Protection Act 2018 (“DPA 2018”), United Kingdom General Data Protection Regulation (“UK GDPR”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), the Data (Use and Access) Act 2025, and any legislation implemented in connection with the aforementioned legislation, including any replacement legislation coming into effect from time to time.
3.3 United States
In the United States of America (USA), Data Protection Legislation refers to any federal, state, sectoral, or case laws and regulations governing the privacy and security of personal data. This includes applicable state privacy legislation, including, but not limited to, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); New York’s Shield Act; and Delaware’s Online Privacy and Protection Act (DOPPA), as well as other relevant state and federal regulations. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.
3.4 Other Jurisdictions
Depending on Your jurisdiction, additional Data Protection Legislation may apply. If You have any questions, You can contact Our DPO using the details in the Contact Us section below.
3.5 Data Controllership
Mestag Therapeutics is the Data Controller (“controller”) for the Personal Data We process, unless otherwise stated. We have appointed a Data Protection Officer (DPO) to help Us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how You can contact Our DPO, please see the Contact Us section below.
4 Your Personal Data
We collect Personal Data in accordance with the Data Protection Legislation and/or other relevant legislation such as legislation related to clinical trials (e.g., the EU Clinical Trial Regulations (EU CTR)). The type of Personal Data that We will collect about You will depend on whether You are a clinical trial participant, the partner of a clinical trial participant, the child of a clinical trial participant, a healthcare professional, an employee or contractor of Mestag Therapeutics, an employee or contractor of Mestag Therapeutics’ Service Providers, or a User of this Website.
We collect Personal Data in a variety of ways depending on how You interact with us. This may include through You filling out a form on Our Website, through Your participation in one of Our clinical trials (or through Your partner, child, or parent’s participation), or through You applying for employment with us.
| Data Subject Type | Data Category | Data Fields |
|---|---|---|
| Clinical Trial Participant* | Clinical Trial Participant Identification Information | - Your full name** |
| | Clinical Trial Participant Demographic Information | - Your date of birth** - Your age** - Your gender** - Your ethnicity |
| | Clinical Trial Participant Administration Information | - Your contact details (telephone number and email address)** - Where applicable, Your financial information (e.g., bank account details) |
| | Clinical Trial Participant Third-Party Information | - Where applicable, the name of Your legally authorized representative** - Where applicable, the name, contact details, and health information of Your partner** - Where applicable, the name, contact details, and health information of Your child** |
| | Clinical Trial Participant Research Information | - Your pseudonymized unique identification number(s) - Your health data, including medical records, medical test results, medical images and scans, family history, biological samples and analysis, etc. - Your genetic data |
| Clinical Trial Participant Partner* | Clinical Trial Participant Identification Information | - Your name** |
| | Clinical Trial Participant Demographic Information | - Your date of birth** - Your age** - Your gender** - Your ethnicity |
| | Clinical Trial Participant Administration Information | - Your contact details (telephone number and email address)** |
| | Clinical Trial Participant Third-Party Information | - Where applicable, the name of Your legally authorized representative** - Where applicable, the name, contact details, and health information of Your partner** - Where applicable, the name, contact details, and health information of Your child** |
| | Clinical Trial Participant Research Information | - Your or Your partner's pseudonymized unique identification number(s) - Your health data - Your genetic data |
| Clinical Trial Participant Child* | Clinical Trial Participant Child Identification Information | - Your name** |
| | Clinical Trial Participant Child Demographic Information | - Your date of birth** - Your age** - Your gender** - Your ethnicity |
| | Clinical Trial Participant Child Administration Information | - Your parent's contact details (telephone number and email address)** |
| | Clinical Trial Participant Child Third-Party Information | - Where applicable, the name of Your legally authorized representative** - Where applicable, the name, contact details, and health information of Your parents** |
| | Clinical Trial Participant Child Research Information | - Your or Your parent's pseudonymized unique identification number(s) - Your health data - Your genetic data |
| Healthcare Professional (HCP)* | Healthcare Professional Identification Information | - Your name |
| | Healthcare Professional Administration Information | - Your contact details (telephone number, email address, and mailing address) - Your employment details - Where relevant, Your financial information (e.g., bank account details) |
| Employees and Contractors of Mestag Therapeutics | Staff Identification Information | - Your name |
| | Staff Administration Information | - Your contact details (telephone number, email address, and mailing address) - Your employment details and availability - Your CV - Your training records - Where relevant, Your pseudonymized unique identification number(s) (e.g., payroll number) - Where relevant, Your financial information (e.g., bank account details) - Where relevant, Your Right to Work information (e.g., passport) - Where relevant, Your health data (e.g., sick leave information) - Your emergency contact and next-of-kin information, such as contact telephone numbers, home addresses, relationship details, and preferences recorded in expression of wish documentation. |
| Employees and Contractors of Mestag Therapeutics’ Service Providers* | Third-Party Staff Identification Information | - Your name |
| | Third-Party Staff Administration Information | - Your contact details (telephone number, email address, and mailing address) - Your employment details and availability - Where relevant, Your CV and training records |
| Website User* | Website User Identification Information | - Your name |
| | Website User Administration Information | - Your contact details (telephone number and email address) - Your Contact Us form responses |
| | Website User Internet Information | - Your Usage Data (e.g., Your IP address) - Cookies and Tracking Technologies |
| Mestag Therapeutics’ Shareholders and/or Investors | Shareholder/Investor Identification Information | - Your name |
| | Shareholder/Investor Administration Information | - Your contact details (telephone number, email address and mailing address) - Your Contact Us form responses |
| | Shareholder/Investor Financial Information | - Where relevant, information about Your shares or other pertinent financial records |
* You are under no statutory or contractual requirement or obligation to provide Us with Your Personal Data; however, We may require some of the information above in order for Us to deal with You for the purposes requested by You.
**Identifiable Personal Data relating to participants, and where applicable, their partners and children, is collected by Mestag Therapeutics’ Research Sites. This data may be shared with clinicians, health authorities, ethics bodies, and other personnel as authorised by Mestag Therapeutics, but only where Mestag Therapeutics is legally obligated to provide this data in accordance with Clinical Trial Regulations and other applicable laws. Mestag Therapeutics will not directly receive identifiable Personal Data relating to clinical trial participants, or where applicable, their partners and children, and will not instruct Our Data Processors or Research Sites to process or share this information other than where the law requires. If We become aware that We have received identifiable Personal Data relating to participants, or where applicable, their partners and children, We will make commercially reasonable efforts to delete such information from Our records.
4.1 Children’s Privacy
Except for where We are obligated to do so by clinical trial legislation, We do not seek or knowingly collect any Personal Data about children under 13 years of age. If We become aware that We have unknowingly collected Personal Data from a child under the age of 13, We will make commercially reasonable efforts to delete such information from Our database. If You are the parent or guardian of a minor child who has provided Us with Personal Data, You may contact Us using the information in the Contact Us section below, to request it to be deleted.
5 Our Purposes
Under EU GDPR and UK GDPR, the lawful bases We rely on for processing Your information are:
- GDPR Article 6(1)(a) – Your consent***;
- GDPR Article 6(1)(b) – We have a contractual obligation;
- GDPR Article 6(1)(c) – We have a legal obligation;
- GDPR Article 6(1)(d) – In order to protect the vital interests of You or a third party;
- GDPR Article 6(1)(e) – We have a public interest; or,
- GDPR Article 6(1)(f) – We have a legitimate interest.
***Where the lawful basis for processing is consent, You are able to remove Your consent at any time. You can do this by contacting Our DPO using the contact details provided in the Contact Us section below.
We may use and disclose Your information for the purposes described in the below table:
| Data Category | Processing Activity | Lawful Basis (Applicable where EU GDPR or UK GDPR apply) |
|---|---|---|
| Clinical Trial Participant Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of consent, to collect information from You and process Your health information in order to conduct a clinical trial | Your Consent |
| Clinical Trial Participant Partner Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a partner of a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of consent, to collect information from You and process Your health information in order to conduct a clinical trial | Your Consent |
| Clinical Trial Participant Child Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a child of a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of consent, to collect information from You and process Your health information in order to conduct a clinical trial | Your Consent, or the Consent of Your parents or legal guardians |
| Clinical Trial Participant Identification, Demographic, Administration, and Third-Party Information | Where You are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of legal obligation, to collect information from You and process Your health information in order to conduct a clinical trial | Legal Obligation |
| Clinical Trial Participant Partner Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a partner of a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of legal obligation, to collect information from You and process Your health information in order to conduct a clinical trial | Legal Obligation |
| Clinical Trial Participant Child Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a child of a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of legal obligation, to collect information from You and process Your health information in order to conduct a clinical trial | Legal Obligation |
| - Clinical Trial Participant Identification, Demographic, Administration, and Third-Party Information - Clinical Trial Participant Partner Identification, Demographic, Administration, Third-Party, and Research Information - Clinical Trial Participant Child Identification, Demographic, Administration, Third-Party, and Research Information | Where You are a clinical trial participant, or the partner or child of a clinical trial participant, to process Your information where We are legally required to do so by applicable laws, including laws pertaining to clinical trials, safety reporting, healthcare, and scientific research | Legal Obligation |
| Healthcare Professional Identification and Administration Information | Where You are a Healthcare Professional (HCP) involved in the planning, delivery, or oversight of Mestag Therapeutics’ clinical trials, to collect information from You and process Your employment information in order to conduct a clinical trial | Our Legitimate Interest in conducting clinical research |
| Healthcare Professional Identification and Administration Information | Where You are a Healthcare Professional (HCP), to collect financial information from You and take payment from You, make a payment to You, give You a refund or request a refund | Contractual Obligation |
| Staff Identification and Administration Information | Where You are an employee of Mestag Therapeutics, to collect information from You and make available Our Services to You | Contractual Obligation |
| Third-Party Staff Identification and Administration Information | Where You are an employee of Mestag Therapeutics’ Service Providers, to collect information from You or Your employer and make available Our services to Your employer | Our Legitimate Interest in managing Mestag Therapeutics' affairs |
| Third-Party Staff Identification and Administration Information | Where You are an employee of Mestag Therapeutics’ Service Providers, to collect financial information from You and take payment from You, make a payment to You, give You a refund or request a refund | Contractual Obligation |
| Third-Party Staff Identification and Administration Information | Where You are an employee of Mestag Therapeutics’ Service Providers, to collect information from You or Your employer and liaise with Your employer about Your contact details and/or the nature and performance of Your work, as required | Our Legitimate Interest in managing Mestag Therapeutics' affairs |
| Website User Identification, Administration and Internet Information | To collect information from You and monitor, provide and maintain Our Service | Our Legitimate Interest in providing Services to You |
| Website User Identification and Administration Information | To contact You following Your enquiry where You have provided Your contact information and to reply to any questions, suggestions, issues, or complaints, about which You have contacted us | Our Legitimate Interest in providing Services to You |
| Website User Internet Information | To collect Your Usage Data in order to power Our security measures and services so You can safely access Our Website and other Services | Our Legitimate Interest in providing a secure platform |
| - Healthcare Professional Identification and Administration Information - Third-Party Staff Identification and Administration Information - Website User Identification and Administration Information - Shareholder/Investor Identification and Administration Information | To contact You, where You have provided Your contact information, about news and information relating to Our Services through service messages | Our Legitimate Interest in contacting You about Our Services |
| - Healthcare Professional Identification and Administration Information - Third-Party Staff Identification and Administration Information - Website User Identification and Administration Information - Shareholder/Investor Identification and Administration Information | B2B direct marketing to You, where You have provided Your contact information, about products and services from Us where You are classified as a corporate subscriber and/or the “soft opt-in” applies under UK PECR or equivalent EU ePrivacy legislation | Our Legitimate Interest in marketing Our Services to You |
| - Healthcare Professional Identification and Administration Information - Third-Party Staff Identification and Administration Information - Website User Identification and Administration Information - Shareholder/Investor Identification and Administration Information | B2B direct marketing to You, where You have provided Your contact information, about products and services from Us where You are a sole trader, partnership, or otherwise classified as an individual subscriber and/or the “soft opt-in” does not apply under UK PECR or equivalent EU ePrivacy legislation | Your Consent |
| - Healthcare Professional Identification and Administration Information - Third-Party Staff Identification and Administration Information - Shareholder/Investor Identification, Financial, and Administration Information | To retain any accounting information generated during the course of Our interaction for statutory accountancy retention periods | Legal Obligation |
| Shareholder/Investor Identification, Administration, and Financial Information | To retain any records relating to shares or investments, to communicate with You as shareholders or investors, or take any actions necessary relating to the provision of shares or investments in Our company | Legal Obligation |
| - Clinical Trial Participant Identification, Demographic, Administration, Third-Party, and Research Information - Clinical Trial Participant Partner Identification, Administration, Demographic, Third-Party, and Research Information - Clinical Trial Participant Child Identification, Demographic, Administration, Third-Party, and Research Information - Healthcare Professional Identification and Administration Information - Staff Identification and Administration Information - Third-Party Staff Identification and Administration Information - Website User Identification, Internet, and Administration Information - Shareholder/Investor Identification, Administration and Financial Information | To respond to and defend against legal claims, where You have provided Us with information that may give rise to legal claims | Our Legitimate Interest in exercising, establishing, or defending against legal claims |
| - Clinical Trial Participant Identification, Demographic, Administration, Third-Party, and Research Information - Clinical Trial Participant Partner Identification, Demographic, Administration, Third-Party, and Research Information - Clinical Trial Participant Child Identification, Demographic, Administration, Third-Party, and Research Information - Healthcare Professional Identification and Administration Information - Staff Administration Information - Third-Party Staff Identification and Administration Information - Website User Identification, Administration, and Internet Information - Shareholder/Investor Identification, Administration, and Financial Information | To take any action necessary to protect Your vital interests, or the vital interests of a third party | Your Vital Interests, or the Vital Interest of a third party |
We will use and disclose Your Personal Data for the purposes for which We collected it.
We may use it for another reason if that reason is compatible with the original purpose or is otherwise permitted by the Data Protection Legislation.
If We need to use and/or disclose Your Personal Data for an unrelated purpose, We will, if the Data Protection Legislation requires, notify You, and We will explain the legal basis that allows Us to do so.
6 Sharing Your Personal Data
We may share Your personal data with other organizations in the following circumstances:
- We may need to share Your Personal Data with Our strategic clinical trial partners;
- If the law or a public authority says We must share the Personal Data;
- If We need to share Personal Data in order to establish, exercise, or defend Our legal rights (this includes providing Personal Data to others for the purposes of detecting and preventing fraud);
- We may need to share Your Personal Data if We employ the services of other parties for dealing with certain processes necessary for the operation of Our services; or
- For purposes otherwise permitted under the Data Protection Legislation.
We may expand or reduce Our business, and this may involve the sale and/or the transfer of control of all or part of Our business. Any Personal Data that You have provided may, where it is relevant to any part of Our business that is being transferred, be transferred along with that part to the new owner or new controlling party.
We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:
- Our IT Service Providers, such as Microsoft Corporation;
- Contract Research Organizations (CRO);
- Our Clinical Trial Data Processors.
We have Data Processor Agreements in place with Our Data Processors to help protect Your Personal Data.
7 Personal Data Retention
We retain a record of Your Personal Data in order to provide You with a high quality and consistent service. We will retain Your Personal Data in accordance with the Data Protection Legislation. Mestag Therapeutics considers the retention period to begin from the point at which We last contacted You or otherwise reviewed Your record to determine whether it was still active, unless otherwise required by law. As such, where EU GDPR and UK GDPR apply, unless otherwise required by law, Your data will be retained for the period specified in the summarized table below and then securely deleted in accordance with Our internal policies and procedures.
| Purpose | Retention Period |
|---|---|
| Processing data in relation to You as a clinical trial participant in the EU/EEA, partner of a clinical trial participant in the EU/EEA, or child of a clinical trial participant in the EU/EEA | 25 years following the conclusion of the clinical trial, as determined by the EU Clinical Trial Regulation (EU-CTR) |
| Processing data in relation to You as a Healthcare Professional (HCP) in the EU/EEA involved in the planning, delivery, or oversight of a Mestag Therapeutics clinical trial | 25 years following the conclusion of the clinical trial, as determined by the EU Clinical Trial Regulation (EU-CTR) |
| Processing data in relation to You as a clinical trial participant outside of the EU/EEA, partner of a clinical trial participant outside of the EU/EEA, or child of a clinical trial participant outside of the EU/EEA | At least 5 years following the conclusion of the clinical trial |
| Processing data in relation to You as a Healthcare Professional (HCP) outside of the EU/EEA involved in the planning, delivery, or oversight of a Mestag Therapeutics clinical trial | At least 5 years following the conclusion of the clinical trial |
| Processing data in relation to You as an employee, contractor, or other associated party contracted by Mestag Therapeutics | 6 years following the termination of Your employment |
| Processing data in relation to You as an employee, contractor, or other associated party contracted by Mestag Therapeutics’ Service Providers | 6 years following the termination of Your employment |
| Processing data in relation to You as a Healthcare Professional (HCP) in the EU/EEA/UK in the context of research, academic, publication, marketing, or commercial opportunities | 6 years |
| Processing data in relation to You as a service user of this Website | 1 year |
| Processing data in relation to You as a Shareholder/Investor | As required by applicable law, or otherwise 6 years following the termination of Your shareholder agreement or investment |
| Processing data in relation to You as any other individual with whom Mestag Therapeutics may conduct commercial operations | 6 years |
8 Communications
- Where You are a clinical trial participant or a Healthcare Professional involved in the planning, delivery, or oversight of a Mestag Therapeutics clinical trial, We will contact You through Our Contracted Research Organization (CRO) where it is necessary to do so.
- Where You are an employee of Mestag Therapeutics We will contact You through existing Mestag Therapeutics communication channels, including email, where it is appropriate to do so.
- Where You are an employee of Mestag Therapeutics’ Service Providers, a User of this Website who has provided Us with Your contact information, or any other business contact, We will send You relevant news about Our services in a number of ways including by email, but only if We have a Legitimate Interest to do so or as otherwise permitted by law (including where We have Your consent).
All email marketing communications will have an option to unsubscribe, and so if You wish to amend Your marketing preferences, You can do so by following the link in the email and updating Your preferences. Alternatively, You can contact Our DPO using the contact details provided in the Contact Us section below.
9 International Transfers
Your Personal Data is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your country, province, state, or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction. In particular, when Mestag Therapeutics shares clinical trials data with trusted Data Processors, Your Personal Data will be stored and processed within third countries.
Where You are based in the EU, EEA, or UK, Mestag Therapeutics will ensure that:
- Any Data Controller receiving Your Personal Data has entered into an agreement with Us that contains standard data protection clauses as required by UK and/or EU GDPR, or there is an alternative appropriate safeguard in place governing the transfer; and,
- Any Data Processor receiving Your Personal Data has entered into an agreement with Mestag Therapeutics that contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR, or there is an alternative appropriate safeguard in place governing the transfer.
Where You are based in the UK or EU and We are required to transfer Your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow Us to conduct the transfer in accordance with the Data Protection Legislation. Where applicable, transfers to the United States may also be made to organizations certified under the EU–US Data Privacy Framework with the UK extension where applicable, which has been recognized by the European Commission as providing an adequate level of protection. In addition, where required, Mestag Therapeutics will carry out an impact assessment of the transfer to evaluate whether the laws and practices of the destination country may affect the protections afforded to Your Personal Data.
10 Third Party Website Links
Our Website may contain links to other sites operated by third parties.
We do not control such other sites, and We are not responsible for their content, their Privacy Notices, or their handling of Personal Data. Our inclusion of such links does not imply any endorsement of the content on such sites, or their owners or operators.
Third Party sites will have their own Privacy Notices, policies and use of cookies which We suggest You review in order to understand their procedures for collecting, using and disclosing Personal Data. Any information submitted by You directly to a third party is subject to that third party’s Privacy Notice.
11 Security
Data security is of great importance to Us. We implement appropriate technical and organizational measures to help prevent Your Personal Data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorized way. These include:
- Limiting access to Our buildings and resources to only those that We have determined are entitled to be there (by use of passes, key card access, and other related technologies);
- Managing a data security breach reporting and notification process that allows Us to monitor and communicate information on data breaches with You or with the applicable regulator when required to do so by law;
- Regular staff training on Personal Data handling relevant to their role;
- Implementing access controls to Our information technology; and,
- Deploying appropriate procedures and technical security measures (including strict encryption, anonymization, and archiving techniques) to safeguard Your information across all Our computer systems, networks, Websites, and offices.
12 Your Rights
12.1 European Union, European Economic Area, and the United Kingdom
Where EU GDPR and UK GDPR apply, You have the following rights over Your Personal Data:
12.1.1 The Right to Be Informed About Our Collection and Use of Personal Data
You have the right to be informed about the collection and use of Your Personal Data. We ensure We do this via Our internal and external Privacy Notices (including this Privacy Notice). These are regularly reviewed and updated to ensure these are accurate and reflect Our data processing activities.
12.1.2 Right to Access Your Personal Data
You have the right to access the Personal Data that We hold about You in many circumstances, by making a request. This is sometimes termed a “Data Subject Access Request.” If We agree that We are obliged to provide Personal Data to You (or someone else on Your behalf), We will provide it to You or them free of charge and aim to do so within 1 month from when Your identity has been confirmed. We would ask for proof of identity and sufficient information about Your interactions with Us that We can locate Your Personal Data. If You would like to exercise this right, please Contact Us as set out below.
12.1.3 Right to Rectify Your Personal Data
If any of the Personal Data We hold about You is inaccurate, incomplete, or out of date, You may ask Us to correct it. If You would like to exercise this right, please Contact Us as set out below.
12.1.4 Right to Erasure
You have the right to have personal data erased. This is also known as the “right to be forgotten.” The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where We have a legal obligation to retain Your Personal Data. If You would like to exercise this right, please Contact Us as set out below.
12.1.5 Right to Restrict Processing
You have the right to ask Us to restrict the processing of Your personal data. For example, this may be because You have issues with the accuracy of the data We hold or the way We have processed Your data. The right is not absolute and only applies in certain circumstances. If You would like to exercise this right, please Contact Us as set out below.
12.1.6 Right to Portability
The right to portability gives You the right to receive personal data You have provided to a controller in a structured, commonly used, and machine-readable format. It also gives You the right to request that a controller transmits this data directly to another controller. If You would like to exercise this right, please Contact Us as set out below.
12.1.7 Right to Object
You have the right to object to Our processing of some or all of the personal data that We hold about You. This is an absolute right when We use Your data for direct marketing but may not apply in other circumstances where We have a compelling reason to do so, e.g., a legal obligation. If You would like to exercise this right, please Contact Us as set out below.
12.1.8 Rights Related to Automated Decision-Making
You have the right to object to Our processing where a decision is made about You solely based upon automated processing and that has significant or legal effects. Mestag Therapeutics does not intend to conduct any automated decision-making for Your Personal Data. If You would like to contact Us regarding this right, please Contact Us as set out below.
12.1.9 For More Information About Your Privacy Rights
In the EU/EEA, You can find Your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
If You have any questions about which supervisory authority applies in Your jurisdiction, please Contact Us as set out below.
In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their Website, which You can access here: https://ico.org.uk/for-the-public.
You can make a complaint to any supervisory authority at any time about the way We use Your information. However, We hope that You would consider raising any issue or complaint You have with Us first. Your satisfaction is extremely important to us, and We will always do Our very best to solve any problems You may have. If you would like to make a complaint to us, please Contact Us using the details set out below. We will acknowledge your complaint within 30 days, and respond without undue delay.
12.2 United States – California
12.2.1 California Data Protection Legislation
If You are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) requires that We provide You with a privacy policy of Our online and offline information practices and Your rights under this law regarding Your personal information. We collect, share, disclose, and use Your personal information. In the 12 months prior to the last updated date of this Privacy Notice, We have collected, shared, and disclosed the personal information set out in the Your Information section above. We may collect personal information directly from California and other USA state residents, credit reporting agencies, and/or Our third-party service providers. We do not collect all categories of personal information from each source.
12.2.2 California Resident Rights
California residents are afforded the following rights:
- to delete Your personal information, unless We:
  - can prove this to be impossible;
  - it involves disproportionate effort;
  - or it is reasonably necessary for Us to maintain records in order to fulfil the transaction(s) for which the personal information was collected;
- to correct inaccurate personal information held about You;
- to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice);
- to request specific pieces of information from us;
- to opt out of the sale or sharing of Your personal information;
- to limit use and disclosure of sensitive personal data; and,
- to no retaliation following opt-out or exercise of other rights.
If You would like to contact Us regarding these rights, please Contact Us as set out below. Please note that We may need to verify Your identity before processing Your request. Rights requests shall be reviewed to see if an exemption allows Us to retain the information. We may deny Your deletion request if an exemption applies and/or if retaining the information is necessary for Us or Our Service Provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify, or limit the scope of personal information not subject to an exemption from Our records and will direct Our Service Providers to take similar action.
12.3 United States – Other Data Protection Legislation
12.3.1 Other USA Data Protection Legislation
If You are a USA resident, We process Your personal data in accordance with applicable USA state data privacy laws, including the CCPA/CPRA described above. This section of Our Privacy Notice contains information required by other USA state data privacy laws and supplements the above section on CCPA/CPRA. Several USA states have enacted comprehensive privacy statutes. These laws include provisions aimed at safeguarding consumer rights and outlining business obligations. If You have relevant rights under these laws, You can exercise them by contacting Us using the details provided in the Contact Us section as set out below. Our practices are designed to adhere to the highest standards set forth by these laws, ensuring that We respect the privacy rights of all individuals. As the USA privacy laws continue to evolve, We will monitor these changes, adjust Our privacy practices, and update Our Privacy Notice(s) accordingly.
12.3.2 We Do Not Sell Your Personal Information
You have the right to know whether Your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other USA state data privacy laws. Please note a “sale” does not include when We disclose Your personal information at Your direction, or when otherwise permitted under law.
12.3.3 We May Share Your Personal Information
We may “share” Your personal data, as defined under California and other applicable USA state laws, for personalized advertising purposes and/or for any other purposes outlined in this Privacy Notice.
12.3.4 Do Not Track
DNT is a feature offered by some browsers which, when enabled, sends a signal to Websites to request that Your browsing is not tracked, such as by third party advertising networks, social networks and analytics companies. Due to varying practices among browser providers and the lack of a market standard, We do not respond to Do Not Track signals at this time. We will continue to review DNT and other new technologies and may adopt a DNT standard in the future.
12.3.5 Non-Discrimination
USA state privacy laws prohibit businesses from discriminating against You for exercising Your rights under the law. Such discrimination may include denying goods or services, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.
12. Contacting Us
If You would like to exercise one of Your rights as set out above, or You have a question or a complaint about this Privacy Notice or the way Your Personal Data is processed, please contact Us by email to: contact@mestagtx.com.
Mestag Therapeutics’ Data Protection Officer can be contacted:
By email: dpo@mestagtx.com
By telephone: +4402037971289
By post: FAO Mestag Therapeutics’ DPO, The DPO Centre Limited, 50 Liverpool Street, London, UK, EC2M 7PY
Mestag Therapeutics’ EU Representative is The DPO Centre Europe Limited, which can be contacted via telephone at: +34 91 905 3074, or email at: eurep@mestagtx.com.
13 Changes to this Privacy Notice
Thank You for taking the time to read this Privacy Notice. We reserve the right to amend this Privacy Notice from time to time and will post any revisions on this page. We recommend that You check this Privacy Notice regularly to keep up to date.
14 Privacy Notice Review and Effective Date
This policy is effective from 24th of March 2026 and will be reviewed every two years.
15 Version Control
| Version | Updated On | Description of Changes |
|---|---|---|
| V 1.0 | 06 Oct 2020 | New document |
| V 2.0 | 20 Feb 2026 | Comprehensive re-drafting to address new clinical trial processing. |
Appendix A – Data Protection Complaints Form
This form allows you to raise concerns about how Mestag Therapeutics handles your personal data under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.
Your Personal Data provided in this form will only be used to process your complaint and will be handled in accordance with our Privacy Notice (Privacy Policy » Mestag Therapeutics).
After submission, you will receive an acknowledgement within 30 days. We aim to resolve your complaint promptly. If you are not satisfied with our response, you may contact your relevant Supervisory Authority.
If we require any further information from you to investigate your Data Protection Complaint, we will contact you.