European Platform for Neurodegenerative Diseases (“EPND”) Catalogue and User Interface

PRIVACY STATEMENT

Last Updated: December 11, 2024.

This Privacy Statement explains the collection, use, and disclosure of personal data on the EPND Hub, which serves as a catalogue and user interface to discover and request access to data and/samples from international studies across the neurodegenerative disease spectrum (“Hub”). The Alzheimer’s Disease Data Initiative, Inc. (“AD Data Initiative,” “ADDI” “we,” “us,” or “our”) hosts the Hub as part of the larger platform infrastructure and services provided by the European Platform for Neurodegenerative Diseases (“EPND”). EPND is a consortium of multidisciplinary educators, clinicians, researchers, and scientists enabling scientific breakthroughs for diagnosis, treatment, and prevention of neurodegenerative diseases. With support from the Innovative Medicines Initiative (IMI), EPND is uniting the neurodegenerative disease research community to fuel new discoveries in the field.

In this statement, references to our “services” include the Hub, and other products and services used to support or enable its delivery or functionality. This statement applies to our services that display or reference this statement, but it does not apply to any services that display or reference a different privacy statement.

Table of Contents (click to jump)

  • Personal Data We Collect
  • How We Use Your Personal Data
  • Our Disclosure of Personal Data
  • Your Choices
  • Retention of Personal Data
  • Other Sites, Mobile Applications, and Services
  • Location of Personal Data
  • Security Practices
  • Cookie Policy
  • European Data Protection Rights
  • Changes to this Privacy Statement
  • How to Contact Us
### PERSONAL DATA WE COLLECT The personal data we collect depends on how you interact with us, the functionality you use on the services, and the choices you make.

Information you provide to us. Personal data you provide to us through the services may include:

Name and contact information. We collect name, organization, and contact details such as email address, postal address, and phone number to register and create an account on the Hub. You are only required to provide an email address so that we can fulfill your request to communicate with you and provide the information you are requesting.

Content and files. We collect the study information, documents, or other files you upload to our services, and if you send us email messages or other communications, we collect and retain those communications.

Usage data. We automatically log your activity on our services. For example, we log the URL of the website from which you came to our sites, the pages you viewed, how long you spent on a page, access times, and other details about your use and actions on our website. See the Cookies section below for how we process usage data.

Preferences information. We may collect your preferences for receiving communications about our products, activities, publications, and details about how you engage with our communications.

Other information. We may collect data that is not explicitly listed here but which we will use in accordance with this Privacy Statement or as otherwise disclosed at the time of collection.

Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:

Third-party partners. Third-party researchers, institutions, and organizations, such as your employer, research sponsor, EPND, or other research consortium.

Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.

Publicly available sources. Public sources of information such as open government databases.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

HOW WE USE YOUR PERSONAL DATA

We use the personal data we collect for purposes described in this Privacy Statement or as otherwise disclosed to you. For example, we may use any of the categories of personal data we collect for the following purposes:

To operate the services. We use your personal data to:

  • provide, operate, and improve the services;
  • enable the Hub, which facilitates research related to our scientific mission;
  • communicate with you about the services, including by sending you announcements, updates, security alerts, and support and administrative messages; and
  • provide support and maintenance for the services.

Personalization. To understand you and your preferences to enhance your experience and enjoyment using our services.

Research and development. We analyze use of the services to improve the services and to develop and/or improve products and services.

Communications. To send you information, including confirmations, new services or functionality, events, technical notices, updates, security alerts, information you may have requested, and support and administrative messages.

Compliance, fraud prevention, and safety. To comply with the law, we use your personal data as necessary or appropriate to comply with applicable laws, lawful requests, and legal processes, such as responding to subpoenas or requests from government authorities. In addition, we may use your personal data and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to:

  • Protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims);
  • Enforce the terms and conditions that govern the services; and
  • Protect, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity.

Customer support. To provide customer support and respond to your requests, questions, and feedback, we combine data we collect from different sources for these purposes and to give you a more consistent, and personalized experience.

Anonymous data. We may create aggregated and other anonymous data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes to analyze and improve the services and promote our business. If we do create anonymous data, we will take steps to ensure it is not re-identified.

OUR DISCLOSURE OF PERSONAL DATA

We disclose personal data with your consent or as we determine necessary to maintain the Hub or provide the services you have requested or authorized. We do not share your personal data with third parties without your consent, except in the following circumstances or as otherwise described in this Privacy Statement:

Business Partners. We may share your personal data with Gates Ventures, LLC, which helps ADDI by providing technical support, such as troubleshooting site issues and administrative assistance, for purposes consistent with this Privacy Statement.

AD Workbench. You may choose to use your Hub login credentials to access the AD Workbench, in which case, your credentials and certain registration information will be shared with the AD Workbench.

Service providers. We provide personal data to vendors or agents working on our behalf for the purposes described in this statement. Companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses the information at www.google.com/policies/privacy/partners. Additional examples of some of our current service providers as of the date of posting this privacy statement are:

__Company/Service__ __Purpose(s)__ __Provacy Notice__
Company/Service Purpose(s) Privacy Notice
Microsoft Azure Websites, databases, CRM services; all long-term data backups are held within Azure https://privacy.microsoft.com/en-us/privacystatement
Google Analytics Advertising analytics https://policies.google.com/privacy?hl=en-US

Affiliates. We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide our services and operate our business.

Professional advisors. We may disclose your personal data to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.

Other Researchers. If you choose to participate in sharing, we may list your contact information and research projects, areas of interest, or research background with other researchers on the Hub for the purpose of connecting and potentially collaborating.

For compliance, fraud prevention and safety. We may share your personal data for the compliance, fraud prevention and safety purposes described above. We will share your personal data to protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Government Requests. We will access, disclose, and preserve personal data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies. Notwithstanding anything to the contrary in this statement, we may preserve or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation, or legal request or to protect the safety, property, or rights of ADDI or others. However, nothing in this statement is intended to limit any legal defenses or objections that you may have to a third party or government request to disclose your information.

Organizational transfers. We may transfer or otherwise share some or all of our business or assets, including your personal data, in connection with a (potential) organizational transaction such as a merger, consolidation, reorganization, or in the event of dissolution.

YOUR CHOICES

In this section, we describe the choices available to all users. Users who are located within Europe can find additional information about their potential rights below.

Cookies & browser web storage. For information on how to disable cookies and similar technologies used in the services, see the section on Cookies below. Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit www.allaboutdnt.com.

Choosing not to share your personal data. Where we are required by law to collect your personal data, or where we need your personal data to provide the services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with the services or certain features. We will tell you what information you must provide to receive the services by designating it as required at the time of collection or through other appropriate means.

RETENTION OF PERSONAL DATA

We retain personal data where we have an ongoing legitimate organizational need to do so (for example, to provide you with a service you have requested; to comply with applicable legal, tax or accounting requirements; to establish or defend legal claims; or for fraud prevention). When we have no ongoing legitimate organizational need to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. For example:

  • “Live” user data (username, email, sign-in information) is stored indefinity unless a request is received to remove it.
  • User generated content (comments, documents, or other files) is retained indefinitely unless a request is received to remove it.
  • Backup data (which may contain the above user-specific information) is retained for up to one year.
  • We may also delete data in accordance with set retention policies.

OTHER SITES, MOBILE APPLICATIONS, AND SERVICES

The services may contain links to, or content or features from, other websites and online services operated by EPND or third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages, mobile applications, or online services that are not associated with us. We do not control third-party websites, mobile applications, or online services and are not responsible for their actions. Other websites and services follow different rules regarding collecting, using, and sharing your personal data. We encourage you to read the privacy policies of other websites, mobile applications, and online services you use.

LOCATION OF PERSONAL DATA

The personal data we collect may be stored and processed in your country, region, or any other country where we, our affiliates, subsidiaries, or service providers process data. Currently, we primarily use data centers in the Netherlands, but depending on our processing activity, we may use servers in other locations. The storage location(s) are chosen to operate efficiently and improve performance. In addition, we take measures to protect and secure where data is stored and processed, as described in this statement.

Location of Processing and Transfer of European Personal Data. We transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections. To learn more about the European Commission’s decisions on the adequacy of personal data protections, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

SECURITY PRACTICES

We employ several organizational, technical, and physical safeguards to protect the personal data we collect. However, security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your personal data. To help us protect personal data, we request that you use a strong password if you register with the services and never share your password with anyone or use the same password with other sites or accounts.

COOKIE POLICY

We use cookies, web beacons, mobile analytics, and similar technologies (“Cookies”) to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.

What are Cookies and similar technologies?

Cookies are small text files placed by a website and stored by your browser on your device. A Cookie can later be read when your browser connects to a web server in the same domain that placed the Cookie. The text in a Cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own Cookies. In the same way, third-party content on our websites (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We also include web beacons in our email messages or newsletters to tell us if you open and act on them.

Mobile analytics are generated by operating systems for mobile devices (iOS and Android) and can be accessed and used by apps in the same way that websites access and use Cookies. Our apps contain software that enables us and our third-party analytics to access these mobile IDs.

How are Cookies categorized?

Cookies are either session Cookies or persistent Cookies. Session Cookies are stored in temporary memory and are not retained after your browser is closed. Persistent Cookies are stored on your device in a folder associated with your browser and are activated again once you visit other sites that can identify that Cookie. Persistent Cookies remain on your device for the duration period set within the Cookie or until they are deleted.

We classify our Cookies into the following categories:

  • Required. Required Cookies are essential for the basic functionality of our website and services. They enable core functions such as page navigation, access to secure areas of the site, and ensuring that the website operates efficiently. Because they are needed for the service’s operation, they are always set to "Active."
  • Functional. Functional Cookies are used to enhance the functionality of the website and provide features that make the user experience better. These Cookies allow our website to remember choices you make such as language preferences and provide personalized features. Overall, these Cookies are not strictly necessary for our website to operate but enhance your experience on our website. You have the option to choose whether to accept or decline these Cookies at your discretion.
  • Analytics. Analytics Cookies are used to gather information about how you interact with our website. These Cookies collect information such as the number of times you and other users visit our website, the source of the visit (e.g., direct traffic or search engine), and the time spent on the page. We use this data to inform how to best improve our website and services. You have the option to choose whether to accept or decline these Cookies at your discretion.
    How do we and our partners use Cookies and similar technologies?

    We, our service providers, and EPND may automatically log information about you, your computer or mobile device, and activity occurring on or through the services. The information that may be collected automatically includes your computer or mobile device operating system type and version number, manufacturer and model; device identifier; browser type; screen resolution; IP address; the website you visited before browsing to our website; general location information such as city, state or geographic area; and information about your use of and actions on the services, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our service providers and EPND may collect this type of information over time and across third-party websites and mobile applications.

    What controls are available?

    There are a range of Cookie and related controls available through browsers, mobile operating systems, and elsewhere. For example:

    Cookie controls. Most web browsers are set to accept Cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject Cookies. If you choose to delete or reject Cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those Cookies may be deleted and may need to be recreated.

    Do Not Track. Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the websites you visit, indicating you do not wish to be tracked. However, there is no common understanding of how to interpret the DNT signal; therefore, *our websites do not respond to browser DNT signals *

    EUROPEAN DATA PROTECTION RIGHTS

    The information provided in this section applies only to individuals in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe”).

    Controller and Representative. ADDI is the controller of your personal data covered by this Privacy Statement for purposes of European data protection legislation.

    The contact information for our representative in Europe is: Europesupport@alzheimersdata.org.

    Legal bases for processing. We rely on different lawful bases for collecting and processing personal data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfil other legitimate interests.

    Use for new purposes. We may use your personal data for reasons not described in this Privacy Statement where permitted by law, and the reason is compatible with the purpose for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and explain the applicable legal basis.

    Your Rights: European data protection laws give you certain rights regarding your personal data. If you are located within Europe, you may ask us to take the following actions in relation to your personal data that we hold:

    • Access. Provide you with information about how we process your personal data and give you access to your personal data.
    • Correct. Update or correct inaccuracies in your personal data.
    • Delete. Delete your personal data.
    • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
    • Restrict. Restrict the processing of your personal data.
    • Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal data that impacts your rights.

    To make such requests, please use the contact information at the bottom of this statement. We may request specific information to confirm your identity and process your request. However, applicable law may require or permit us to decline your request. We will tell you why if we decline your request, subject to legal restrictions. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns. You can find your data protection regulator here. For additional information, you may also visit https://ico.org.uk.

    CHANGES TO THIS PRIVACY POLICY

    We will update this Privacy Statement when necessary to reflect changes in our services, how we use personal data, or the applicable law. When we post changes to the statement, we will revise the "Last Updated" date at the top of the statement. If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law.

    HOW TO CONTACT US

    If you have any questions or comments about this Policy or ADDI's privacy practices, email us at support@alzheimersdata.org or contact our European representative at Europesupport@alzheimersdata.org. You may also contact our DPO at DPO.ADDI@twobirds.com.

    Additionally, if you are located in the EEA or the United Kingdom and have questions about your personal data, you may contact our representative at:

    Bird & Bird GDPR Representative Services SRL Avenue Louise 235 1050 Bruxelles Belgium EUrepresentative.ADDI@twobirds.com DPO.ADDI@twobirds.com

    Bird & Bird GDPR Representative Services UK 12 New Fetter Lane London EC4A 1JP United Kingdom UKrepresentative.ADDI@twobirds.com