Privacy Policy

Overview

This Yendou Privacy Policy ("Privacy Policy") applies to the collection, use, transfer, and disclosure of personal information for users of the Yendou platform ("Platform"), a website and application of Yendou GmbH, Rheinsberger Strasse 31, 10435 Berlin, Germany ("Yendou", "we", "our", and/or "us"). We value the privacy of individuals ("you", "your" and/or "users") who use the Platform.

Your Personal Information

We may collect a variety of information from or about you or your devices from various sources, as described below. If you do not provide your information when requested, you may not be able to use the Platform if that information is necessary to provide you with the Platform or if we are legally required to collect it.

When you use the Platform, you may provide us with personal information, such as your name, telephone number, email address, job title, and organization details. You may also provide profile preferences including your availability, communication channel preferences, and connections with other users.

For site networks and contributors, we collect Contributor Data such as site infrastructure details, patient population availability, operational data, and staff personal information (e.g., names, emails, phone numbers, CVs, GCP certifications) for the global site directory.

We may also collect your IP address, web browser type, operating system version, phone or internet carrier, manufacturer, application installation details of the Platform, and device identifiers.

Information Collected from Public Sources

We may collect professional information about clinical investigators, research site staff, and other individuals from publicly available sources, including clinical trial registries (such as clinicaltrials.gov and EU Clinical Trials Register), professional directories, institutional websites, and public databases. This information includes names, contact details, professional qualifications, institutional affiliations, and clinical trial experience. We process this data on the basis of our legitimate interest in maintaining an accurate and comprehensive global site directory (see GDPR section below for legal basis details).

Due to the large volume of publicly available records processed, individual notification to each data subject is not feasible and would involve disproportionate effort within the meaning of GDPR Article 14(5)(b). As an alternative measure, we make this Privacy Policy publicly available, maintain an opt-out mechanism, and review data at least quarterly for accuracy. If your information has been collected from public sources and you wish to access, correct, or request deletion of your data, or to object to this processing, please contact us at privacy@yendou.com. Upon receiving a valid objection, we will cease processing and remove your data from the directory within 30 calendar days, unless we demonstrate compelling legitimate grounds that override your interests. We will inform you of the outcome.

Sensitive Data

The Platform is not designed to collect or process special category data as defined under GDPR Article 9. Users must not intentionally submit special category data (including health data) to the Platform. However, certain user-generated content, such as feasibility questionnaire responses, investigator medical specialties, or patient population information, may incidentally contain health-related information.

Yendou does not monitor user-submitted content for the presence of special category data. Where such data is incidentally present, it has been manifestly made available by the user or sourced from public registries (GDPR Art. 9(2)(e)), and is subject to the same security safeguards described in the Security section of this Policy. Responsibility for ensuring that submitted data is appropriate for the Platform rests with the user or their organization as data controller. Customers are advised to consider the suitability of Platform features for processing data that may contain special category information.

How We Use Your Information

We may use the information we collect for the following purposes and as otherwise described in this Privacy Policy:

• To provide, maintain, improve, and enhance the Platform;
• To create and improve profiles about you or your sites within the Platform that we may share with third parties;
• To personalize your experience on the Platform, such as by providing tailored content, site recommendations, and visibility to business opportunities providers;
• To understand and analyze how you use the Platform and to help us improve it, by collecting information about your use of and interactions within the Platform (pages or content you view, searches you conduct, connections you make, comments and posts, communications via the Platform, services or transactions requested, and dates and times of interactions);
• To communicate with you, provide updates and other information relating to the Platform, respond to comments and questions, and otherwise provide support;
• To facilitate connections with third-party services or applications;
• To generate and publish reports, provide analytics, or support Yendou products that we may provide to Yendou customers and for which we may charge a fee;
• To understand and analyze site data for business benefits, such as enabling access to clinical trial opportunities;
• To find and prevent fraud and respond to trust and safety issues that may arise;
• For compliance purposes, including enforcing our Terms or other legal rights, or as required by applicable laws and regulations or requested by any judicial process or governmental agency; and
• For other purposes for which we provide specific notice at the time the information is collected.

Data Controller and Processor Roles

Yendou acts as a data controller for personal data collected directly from Platform users (e.g., account registration, platform usage) and from public sources (e.g., clinical trial registries). Yendou acts as a data processor for personal data managed by customers on the Platform (e.g., research site and contact data uploaded or maintained by a customer organization).

If your data is managed by a Yendou customer and you wish to exercise your data protection rights, please direct your request to that customer as the data controller. Yendou enters into Data Processing Agreements with customers in accordance with GDPR Article 28. To request a DPA, contact privacy@yendou.com.

Sharing Your Personal Information

We may share personal information about you as described in this Privacy Policy.

Affiliates, Service Providers, and Other Third Parties

We may share personal information about you with our affiliates and subsidiaries and with our service providers for the purpose of providing the Platform. These service providers include cloud infrastructure providers, analytics providers, email delivery providers, collaborative tooling providers, and artificial intelligence (AI) service providers. AI service providers may process certain Platform data, including communications and CRM records, to provide AI-assisted features, which are opt-in and may be enabled or disabled by you or your organization. Data is not pseudonymized or filtered before transmission to AI service providers; customers are responsible for ensuring that data processed by AI-assisted features is appropriate for transmission to third-party providers. Our service providers do not use your data submitted through the Platform for training their own models. A complete list of authorized sub-processors is provided in the Authorized Sub-Processors section below.

Other Users of the Platform

We display your user profile, posts, and site details (e.g., qualification data) on the Platform for other users to view, subject to Visibility Controls and your consents.

As Required By Law and Similar Disclosures

We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others' rights, property, or safety.

Merger, Sale, or Other Asset Transfers

We may transfer your information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company, or we sell, liquidate, or transfer all or a portion of our assets.

Consent

We may also disclose your information with your permission or at your direction, such as granular consents for sharing with all clinical trial provider clients or logo use in marketing.

Cookies and Similar Technologies

We collect information using cookies, pixel tags, and similar technologies. Cookies are small text files containing a string of alphanumeric characters. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used on subsequent visits to the Platform.

We use cookies that are strictly necessary for the Platform to function, including authentication cookies and cookies that provide essential platform functionality such as feature delivery, error tracking, and operational monitoring. Because these functions are required for the Platform to operate correctly, these cookies do not require separate consent. For details on cookies used on our website, including analytics, see our Cookie Policy.

Third Parties

The Platform may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. This Privacy Policy does not apply to your activities on these third-party sites and services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.

Security

The Platform implements security safeguards to protect the personal information it collects and uses. Yendou partners with internationally recognized cloud platform providers, such as Microsoft Azure, to provide the Platform. These cloud providers operate data centers certified against established standards such as ISO 27001 and SOC 2. All data is encrypted in transit and at rest using industry-standard encryption.

The security of your personal information, the service, and the infrastructure it operates on are protected by a combination of security controls provided by our cloud platform provider and additional security measures, monitored by a dedicated Yendou Security Operations team. Yendou is currently undergoing SOC 2 Type II certification. Yendou's data handling practices, including audit logging, access controls, and data integrity measures, are designed to support customers' compliance obligations under ICH Good Clinical Practice (GCP) guidelines. Customers requiring specific GCP compliance commitments should refer to their Master Services Agreement or contact us to discuss a Quality Agreement.

Children's Privacy

We do not knowingly collect, maintain, or use personal information from children under 16 years of age, and no part of the Platform is directed or marketed to children.

HIPAA

The Platform is not designed to store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), and Yendou is not a Covered Entity or Business Associate by default. Users must not submit PHI to the Platform absent a separately executed Business Associate Agreement (BAA). Aggregate feasibility-level site data (such as patient population counts by therapeutic area) is generally not considered PHI; however, customers are responsible for ensuring that data submitted to the Platform does not contain individually identifiable health information absent a BAA. If your use of the Platform involves PHI, please contact us at privacy@yendou.com to discuss a BAA prior to submitting such data.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following general retention periods apply:

Deletion requests will be honored subject to applicable legal and regulatory hold requirements. In particular, customers in regulated industries (such as clinical research) may be subject to retention obligations under applicable laws and regulations that supersede deletion requests.

Changes to this Privacy Policy

We will post adjustments to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we use or share personal information previously collected from you through the Platform, we will notify you through the Platform, by email, or other form of communication.

Data Breach Notification

Yendou maintains a data breach response procedure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and the relevant supervisory authorities within the timeframes required by applicable law.

Right to Access, Change, or Delete Your Personal Data

If you wish to access, amend, or delete any personal information you have provided to us, you may contact us via email at privacy@yendou.com. You may also direct data protection inquiries to our Data Protection Officer at alexander@yendou.com. We will respond to data subject requests within 30 days, or the applicable statutory period. You also have the right to lodge a complaint with your relevant supervisory authority. For withdrawal of consents (e.g., data sharing or logo use), use platform settings or the same email; revocation triggers immediate cessation and deletion where feasible.

Region-Specific Policies

CCPA / CPRA

This section supplements the rest of our Privacy Policy and applies to all Consumers residing in the state of California under "The California Consumer Privacy Act of 2018" (California Civil Code Sections 1798.100 to 1798.199) as amended by the California Privacy Rights Act of 2020 ("CPRA"), and their implementing regulations (collectively, "CCPA"). For such Consumers, these provisions supersede any divergent or conflicting provisions in the Privacy Policy.

Categories of Personal Information Collected. Yendou collects the following categories: identifiers (name, email address, phone number), professional information (job title, organization, qualifications, CVs, certifications), internet or electronic network activity (IP address, browser type, Platform usage data), and general geolocation data (derived from IP address).

Sale and Sharing. Yendou does not sell or share Personal Information as defined under the CCPA. Personal data made available to customers through the Platform, including curated professional directory information sourced from publicly available registries, is provided as part of Yendou's Platform services and constitutes a disclosure for a business purpose, not a sale.

Your CCPA Rights. As a California Consumer, you have the right to: know what Personal Information we collect, use, and disclose; delete Personal Information we have collected, subject to certain exceptions; correct inaccurate Personal Information; limit the use of sensitive Personal Information; opt out of automated decision-making technology, including profiling, to the extent applicable; and non-discrimination for exercising your privacy rights. To exercise these rights, contact us at privacy@yendou.com. We may verify your identity by matching request details against existing account information, and will respond within 45 days of a verifiable request.

GDPR

This section provides specific information about how the Platform complies with the EU General Data Protection Regulation ("GDPR") and applies to all data subjects residing in the European Union, the United Kingdom, or Switzerland. Our EU Data Protection Officer and Information Security Officer have assessed our obligations as a data controller for the Platform.

Legal Bases for Processing. Yendou processes your personal data on the following legal bases:

Where we rely on legitimate interest, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time. Yendou conducts Data Protection Impact Assessments where required under GDPR Article 35.

Transfers Outside the EEA. Yendou collects and processes your data in the European Economic Area (EEA). Some sub-processors are located outside the EEA, including in the United States. Any transfer of, or access to, personal data outside the EEA is made only using legal mechanisms approved by the EU, such as the EU Standard Contractual Clauses (SCCs) and supplementary technical, organizational, and contractual measures. Copies of the relevant SCCs are available upon request at privacy@yendou.com. For data subjects in the United Kingdom, transfers are governed by the UK International Data Transfer Addendum to the EU SCCs (supervisory authority: the UK Information Commissioner's Office, ICO). For data subjects in Switzerland, transfers are governed by the Swiss Federal Act on Data Protection (nFADP), with the FDPIC as the relevant authority.

Your Rights Under the GDPR. You can exercise your rights under Articles 15-22 GDPR, including the right to access, rectify, restrict, or erase your data, to object to processing, to data portability, and to withdraw consent, free of charge, by contacting privacy@yendou.com. We will respond within one month, extendable by two months for complex requests. The lead supervisory authority for Yendou is the Berliner Beauftragte fur Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).

Automated Decision-Making and Profiling. The Platform may use AI-assisted features to provide recommendations, such as matching research sites to clinical trial opportunities. These features are assistive in nature and do not produce solely automated decisions that have legal or similarly significant effects on individuals. Human review is involved in consequential decisions. You have the right to object to processing based on profiling under Article 21 GDPR. Yendou has voluntarily appointed a Data Protection Officer, who can be contacted at alexander@yendou.com.

LGPD

Law no. 13.709/2018 of Brazil, the Lei Geral de Protecao de Dados Pessoais ("LGPD"), applies to businesses (inside and outside Brazil) that process the personal data of users located in Brazil. The LGPD provides users with rights including confirmation of the existence of processing; access to data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or elimination of unnecessary or excessive data; data portability; elimination of data processed with consent; information about data sharing; information about the consequences of refusing consent; and revocation of consent.

Legal Bases under LGPD (Art. 7). Yendou processes the personal data of users located in Brazil on the bases of consent (Art. 7(I)) for optional features such as AI-assisted features; compliance with legal or regulatory obligations (Art. 7(II)); execution of a contract or preliminary procedures (Art. 7(V)) for core Platform functionality; exercise of rights in proceedings (Art. 7(VI)); and legitimate interest (Art. 7(IX)) for analytics, directory services, and Platform improvements, subject to a balancing test.

International Transfers. Personal data of users located in Brazil may be transferred to countries outside Brazil, including the United States, in compliance with LGPD Arts. 33-36, subject to standard contractual clauses or equivalent safeguards. Yendou's Encarregado (Data Protection Officer), appointed in accordance with LGPD Art. 41, can be contacted at alexander@yendou.com. You may file a complaint with the Autoridade Nacional de Protecao de Dados (ANPD).

Authorized Sub-Processors

The following sub-processors are authorized to process personal data on behalf of Yendou in connection with the Platform.

Yendou will provide at least 30 days' advance notice to affected customers before adding or removing sub-processors. Customers may object to a new sub-processor by contacting privacy@yendou.com within that notice period.