Privacy Policy

Last Updated: October 2023

General Information

In order to ensure transparency and give you more control over your Personal Data, this privacy policy (“Privacy Policy”) governs how we, Immunai Inc. and its affiliates and subsidiaries (together, “Immunai” “we”, “our” or “us”) use, collect, and store Personal Data we collect or receive from or about you (“you”).

The contact details of the organization responsible for Immunai’s personal data processing activities as are as follows:

Immunai Inc. 430 E 29th St, New York, NY 10016, United States. Email: privacy@immunai.com.

Please read this Privacy Policy carefully, so you can fully understand our practices in relation to Personal Data. “Personal Data” or “Personal Information” means any information that can be used, alone or together with other data, to uniquely identify any living human being. Please note that this is a master privacy policy and some of its provisions only apply to individuals in certain jurisdictions. For example, the legal basis in the table below is only relevant for GDPR-protected individuals.

Important note: Nothing in this Privacy Policy is intended to limit in any way your statutory right, including your rights to a remedy or means of enforcement.

In this policy we provide the following information about how we process personal data:

The circumstances in which we collect personal data;
The types of personal data we collect and the reasons we collect it;
Use of automated decision making;
Use of cookies and similar technologies;
Use of anonymized data;
How long we keep personal data;
How your personal data is shared;
How we protect your personal data
International data transfers;
Your privacy rights;
Privacy information for residents of California
Use by children;
Interaction with Third Party Products;
Contact details of our Data Protection Officer.

The Circumstances in which Immunai Collects Personal Data

Immunai collects personal data in the following circumstances:

When you browse, visit or otherwise interact with our website, http://www.immunai.com (“Website”);
When you contact us e.g. customer support, partnership, need help, to submit a request;
When you attend a marketing event and provide us with your Personal Data and/or you give us your business card;
When you/the company/organization you work for becomes an Immunai Partner or Collaborator and we process your details in relation to this Partnership/Collaboration;
When we process medical research data provided by our Partners and Collaborators as part of the Services we provide to them;
When you use or interact with Immunai’s online products or services;
When we collect and process medical research data for the purpose of conducting our own medical research or improving the accuracy/effectiveness of our products and services;
When you interact with us on our social media profiles (e.g., Twitter, LinkedIn);
When you apply for a job with Immunai or any of its subsidiaries;
When we use the personal data of our service providers, consultants, vendors, finders, agents (e.g. contact details);

You are not required by law to provide us with your Personal Data and providing the same is voluntary. However, if you do not provide us with all or some of your Personal Data, we may not be able to provide you with some or all of our services.

The Types of Personal Data We Collect and Why We Collect It

Specific Personal Data we collect	Purposes for the data collection	Legal basis for processing data where Immunai is the controller of the data (Applicable to GDPR only).
When you browse, visit or otherwise interact with our Website
Data collected from cookies and analytics tools including IP address, location, analytics/usage data e.g. number of times you visit the website, which pages of the website you visit, how long you spent visiting the website. For more information, please read our cookies policy http://www.immunai.com/cookie-notice.	To operate, monitor and analyze the Website, to improve the Website, and provide you with certain functionalities on the Website.	Article 6(1) (a) Consent to use cookies and similar technology that are not essential to the functioning and provision of the Website. Article 6(1) (f) Legitimate interest to use cookies and similar technology essential to the functioning and provision of the Website.
When you contact us
Full name, email address, country of residence, job title, message/comments. Any other information that you choose to provide us with.	To process and answer questions, to process and answer commercial inquiries, to provide you with support.	Article 6(1) (b)Processing is necessary for the performance of a contract e.g. to provide you with support with services we are contracted to provide to you. Article 6(1) (f) Legitimate interest to answer your enquiries and questions.
When you attend a marketing event and provide us with your Personal Data and/or you give us your business card
Full Name, email address, phone number, job title, company name. Any other information that you choose to provide us with.	To establish a business connection with you or the organization you represent, to inform you about Immunai and the services we provide.	Article 6(1) (b) Consent when you provide your information directly to us. Article 6(1) (f) Legitimate interest for certain B2B discussions or lead generation activities.
When you/the company/organization you work for becomes an Immunai Partner or Collaborator and we process your details in relation to this partnership/collaboration
Full Name, business email, company name, job title, business phone number, number of employees, details of any interactions we have with you.	To provide our products and services, to perform the applicable agreement, to comply with legal requirements, to communicate with our Partners and Collaborators.	Article 6(1) (b) Processing is necessary for the performance of a contract e.g. to provide services we are contracted to provide to you/the company organization you work for. Article 6(1) (f) Legitimate interest e.g. to provide you with information about related services.
When you use or interact with Immunai’s online products or services
Name, email address, IP address, product usage and analytics data including: number of logins, downloads, features used, time spent using a product or specific feature.	To understand the way our products and services are used and to improve our products and services.	Article 6(1) (a) Consent to use cookies and similar technology that are not essential to the functioning and provision of the online product or service. Article 6(1) (f) Legitimate interest to use cookies and similar technology essential to the functioning and provision of the online product or service.
When we process medical research data provided by our Partners and Collaborators as part of the Services we provide to them
Immunai patient ID reference, demographic information e.g. patient gender, height, weight. Biological data e.g. blood/tissue samples, disease and treatment information, genetic data.	To provide our products and services, to perform applicable contractual agreements, to comply with legal requirements, to perform scientific medical research.	In most circumstances, Immunai processes this data as a processor of a Partner or a Collaborator, however Immunai processes any data it is required to retain for regulatory purposes as a controller. In this circumstance the following legal bases apply: Article 6(1) (c) Compliance with a legal obligation e.g. laws related to retention and destruction of medical research information. Article 9(2) (g) Substantial public interest conditions e.g. where Immunai is required to retain this data under laws and regulations related to medical research.
When we collect and process medical research data for the purpose of conducting our own medical research or improving the accuracy/effectiveness of our products and services
Immunai patient ID reference, demographic information e.g. patient gender, height, weight. Biological data e.g. blood/tissue samples, disease and treatment information, genetic data.	To perform scientific medical research, to train our AI platform, to provide our products and services, To comply with legal requirements.	Article 6(1) (a) consent to process data for research purposes e.g. where we collect directly from individuals. Article 6(1) (c) Compliance with a legal obligation e.g. laws related to retention and destruction of medical research information. Article 6(1) (f) Legitimate interests to enhance the accuracy and effectiveness of our products and services. Article 9(2) (j) processing for scientific research purposes.
When we use the Personal Data of service providers, consultants, vendors, finders, agents
Full name, email address, company or institute/organization name, role/position, any other Information you decide to provide/supply us with.	To contact our service providers, to perform the applicable agreement.	Article 6(1) (b) processing is necessary for the performance of a contract with a service provider/vendor/finder/agent. Article 6(1) (c) compliance with a legal obligation e.g. tax laws, bookkeeping laws, etc. Article 6(1) (f) legitimate interest e.g. to send communications in relation to prospective contracts with service providers/vendors/providers/agents.
When you interact with us on our social media profiles
Full name, social media handle, comments/queries, any other data you decide to provide to us.	To reply and/or respond to your request, comment or question.	Article 6(1) (f) Legitimate interest (e.g. to respond to your request, comment or question).
When you apply for a job with Immunai or any of its subsidiaries
Name, email address, postal address, resume, work history, LinkedIn In profile, references, interview notes, right to work details.	To process your job application and evaluate your suitability in regards to a role you applied for, to find prospective candidates for open vacancies, to communicate with you about your job application or roles you may be suitable for.	Article 6(1) (a) consent e.g. to keep in touch with you about new vacancies or store your resume in case you may be suitable for future roles.Article 6(1) (f) legitimate interests to find and communicate with suitable candidates for vacant job roles at Immunai and evaluate their competence for such vacant roles.

Finally, please note that some of the abovementioned Personal Data will be used for detecting, taking steps to prevent, and prosecution of fraud or other illegal activity, to identify and repair errors, to conduct audits, and for security purposes. Personal Data may also be used to comply with applicable laws, with investigations performed by the relevant authorities, law enforcement purposes, and/or to exercise or defend legal claims.

Use of Automated Decision Making

Immunai uses Artificial Intelligence (AI) as part of its medical research and related commercial services. This means that any personal data provided to us for research purposes may be subject to automated decision making. If you have the right to opt out of automated decision making under applicable data protection regulations e.g. GDPR and CPRA details on how you can exercise this right are available in the ‘Your Privacy Rights’ section of this policy.

Use of Cookies and Similar Technologies

Immunai uses cookies and similar technologies within its Websites and products. Cookies are files saved on your phone, tablet or computer when you visit a website that collect information about how you use a website or product. Some cookies (e.g. cookies that are essential for a website or product to work) cannot be disabled. You may control and delete these cookies through your browser settings. You can read more in our cookie policy .http://www.immunai.com/cookie-notice.

Immunai uses a tool called “Google Analytics” within its Website and products to collect information about use of the Website. Google Analytics collects information such as how often users visit this Website, what pages they visit when they do so, and what other websites they used prior to coming to this Website. We use the information we get from Google Analytics to maintain and improve the Website and our products. We do not combine the information collected through the use of Google Analytics with Personal Information we collect. Google’s ability to use and share information collected by Google Analytics about your visits to this Website is restricted by the Google Analytics Terms of Service, available at https://marketingplatform.google.com/about/analytics/terms/us/, and the Google Privacy Policy, available at http://www.google.com/policies/privacy/. You may learn more about how Google collects and processes data specifically in connection with Google Analytics at http://www.google.com/policies/privacy/partners/. You may prevent your data from being used by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout/.

We reserve the right to remove or add new analytic tools.

Use of Anonymized Data

In certain cases, we may anonymize or de-identify your Personal Data. “Anonymous Information” means information which does not enable identification of an individual user, such as aggregated information about the use of our services. We may use and store Anonymous Information and/or disclose it to third parties without restrictions (for example, in order to improve our services and enhance your experience with them).

How Long We Keep Personal Data

Your Personal Data (as described above) will be stored until we no longer need the information to attain the purposes for using information detailed in this policy or for a longer period of time as required according to instructions of relevant laws and proactively delete or anonymize it or until you send a valid deletion request. Please note that we may need to retain data in accordance with data retention laws. We have an internal data retention policy to ensure that we do not retain your Personal Data perpetually.

In some circumstances we may store your Personal Data for longer periods of time, for example (i) where we are required to do so in accordance with legal, regulatory, tax or accounting requirements, or (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings.

How Your Personal Data is Shared

We may share your Personal Data in the following circumstances:

With our affiliated companies and business partners with whom we jointly offer products or services;
With third party service providers Immunai uses to perform business related tasks on our behalf under our instructions;
To the extent necessary, with regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
If, in the future, we sell or transfer, or we consider selling or transferring, some or all of our business, shares or assets to a third party, including without limitation in the context of liquidation, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events, including in the context of negotiating the foregoing;
In the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events, including in the context of negotiating the foregoing;
Where you have provided your consent to us sharing or transferring your Personal Data (e.g., where you provide us with marketing consents or opt-in to optional additional services or functionality).

Subprocessors

Immunai uses the following third party service providers (known as subprocessors) to support the delivery of our services. These subprocessors may process your personal data:

Name	Purpose	Location
Google Cloud Platform	Data storage platform	USA
Google Workspace	Email, calendar, document creation and storage platform	USA and EU
Benchling	Lab and research data platform	USA
Hetzner	Data storage platform	Germany
GENEWIZ/Azenta	Genomics services	USA
Spin.AI	Data backup services	USA
Comeet	Recruitment management platform	USA
OneTrust	Cookie consent management platform	USA, EU

How We Protect Your Personal Data

We have implemented appropriate technical, organizational and security measures designed to protect your Personal Data including encryption, role based access and the implementation of security policies and processes. However, please note that we cannot guarantee that the information will not be compromised as a result of unauthorized penetration to our servers. As the security of information depends in part on the security of the computer, device or network you use to communicate with us and the security you use to protect your user IDs and passwords, please make sure to take appropriate measures to protect this information.

International Data Transfers

Your personal data may be accessed from our main office in Israel. Transfers of personal data from EU/EEA/UK are covered by the European Commission’s Adequacy Decision regarding Israel. You can read more here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

Your personal data may be transferred between Immunai and its subsidiaries (known as ‘the Immunai group’). Transfers within the Immunai group will be covered by an internal processing agreement entered into by members of the Immunai group (an intra-group agreement) which contractually obliges each member to ensure that Personal Data receives an adequate and consistent level of protection wherever it is transferred to.

If you are a European resident and we transfer your Personal Data outside of EU/EEA/UK (for example to third parties who provide us with services), we will obtain contractual commitments from them to protect your Personal Data. Immunai uses standard contractual clauses approved by the European Commission and the UK equivalent where relevant to transfer personal data from the EU/EEA/UK to countries that do not have an adequacy decision from the European Commission.

Your Privacy Rights

The following rights (which may be subject to certain exemptions or derogations) shall apply to individuals where these rights are provided for under applicable local data protection laws e.g. the GDPR/UK GDPR:

The right to access Personal Data held about you;
The right to request that we rectify any Personal Data we hold that is inaccurate or misleading;
The right to request the erasure/deletion of your Personal Data (e.g. from our records). Please note that there may be circumstances in which we are required to retain your Personal Data, for example for the establishment, exercise or defense of legal claims;
The right to object, to or to request restriction, of the processing;
The right to data portability. This means that you may have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and that you have the right to transmit that data to another controller;
The right to object to profiling;
The right to withdraw your consent at any time. Please note that there may be circumstances in which we are entitled to continue processing your data, in particular if the processing is required to meet our legal and regulatory obligations. Also, please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
The right to request certain details of the basis on which your Personal Data is transferred outside the European Economic Area, but data transfer agreements and/or other details may need to be partially redacted for reasons of commercial confidentiality;
The right to lodge a complaint with your local data protection supervisory authority (i.e., your place of habitual residence, place or work or place of alleged infringement) at any time or before the relevant institutions in your place of residence. We ask that you please attempt to resolve any issues with us before you contact your local supervisory authority and/or relevant institution.

You can exercise your rights by contacting us at privacy@immunai.com. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly in accordance with applicable law or inform you if we require further information in order to fulfill your request.

When processing your request, we may ask you for additional information to confirm or verify your identity and for security purposes, before processing and/or honoring your request. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. In the event that your request would adversely affect the rights and freedoms of others (for example, would impact the duty of confidentiality we owe to others) or if we are legally entitled to deal with your request in a different way than initial requested, we will address your request to the maximum extent possible, all in accordance with applicable law.

Privacy information for Residents of California

The following additional information is provided for California residents, including details about the personal information we collect about California consumers and their rights under the California Consumer Privacy Act or “CCPA,” as amended by the California Privacy Rights Act or “CPRA”.

California law requires Immunai to provide the following information to California residents about the personal data we collect 1) the categories and purpose for which we use each category of personal information we collect; and (2) the categories of third parties to which we (a) disclose such personal information for a business purpose, (b) “share” personal information for “cross-context behavioral advertising,” and/or (c) “sell” such personal information.

The CPRA defines “sharing” as sharing information in the context of targeting of advertising to a consumer based on that consumer’s personal information obtained from the consumer’s activity across websites. “Selling” is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration.

Immunai processes the following personal information about California Consumers: Identifiers/contact information;
Commercial information;
Internet or electronic network activity information;
Financial information;
Geolocation information;
Professional or employment-related information;
Audio and visual data;
In limited circumstances where allowed by law, information that may be protected under California or United States law; and
Inferences drawn from any of the above categories.

We collect this information for the business and commercial purposes described above.

The CCPA provides California consumers with the following rights:

The right to request to know more details about the categories or specific personal information we collect (including how we use, disclose, or may sell this information);
The right to delete their personal information;
The right to opt out of any “sales”, to know and opt out of “sharing” of personal information for delivering advertisements on third party websites;
The right not to be discriminated against for exercising these rights.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@immunai.com. We may require you to provide information to verify your identity prior to fulfilling your request.

Our California Do Not Track Notice: Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

Use by Children

We do not offer our products or services for use by children and, therefore, we do not knowingly collect Personal Data from, and/or about children under the age of eighteen (18). If you are under the age of eighteen (18), do not provide any Personal Data to us without involvement of a parent or a guardian. For the purposes of the GDPR, we do not intend to offer information society services directly to children. In the event that we become aware that you provide Personal Data in violation of applicable privacy laws, we reserve the right to delete it. If you believe that we might have any such information, please contact us at privacy@immunai.com.

Interaction with Third Party Products

We enable you to interact with third party websites, mobile software applications and products or services that are not owned or controlled by us (each a “Third Party Service”). We are not responsible for the privacy practices or the content of such Third Party Services. Please be aware that Third Party Services can collect Personal Data from you and use it differently from us. We have no control over what is done with information collected by Third Party Services and therefore we take no responsibility whatsoever for how they gather or use data, share data with third parties or any other action they take with data they have collected. Accordingly, we encourage you to read the terms and conditions and privacy policies of each Third Party Service.

Contact Us

Immunai has appointed a Data Protection Officer (DPO) who is responsible for overseeing data protection best practice within Immunai and its subsidiaries, our DPO’s name is Suzy Bartlett and she can be contacted at privacy@immunai.com. If you have any questions, concerns or complaints regarding our compliance with this notice and the data protection laws, or if you wish to exercise your rights, we encourage you to contact us first.

Updates to the Privacy Policy

This Privacy Policy is updated from time to time to make sure it is up to date and accurate. We therefore, ask you to check back periodically for the latest version of this Privacy Policy. If we implement significant changes to the use of your Personal Data in a manner different from that stated at the time of collection, we will notify you by posting a notice on our Website or by other means as required under relevant local laws. Unless stated otherwise, all changes will go into effect on the day of their publication on our Website or Application.

Headquarters