Last Updated and Effective: 31-AUG-2023

1. WELCOME!

This Clinical Trials Privacy Notice (“Notice”) describes how your Personal Data (as defined below) is processed in connection with clinical trials sponsored by Aptose (“Clinical Trials”). Please read this Notice carefully.

Aptose Biosciences Inc. (“Aptose”, “us”, “our”, or “we”) conducts Clinical Trials in connection with the testing and development of Aptose’s pharmaceutical products and services. For more information about the background, purpose and operation of each Trial, please see the Patient/Subject Information Sheet, the Informed Consent Form or other information provided to you when you entered the clinical trial process (“Informed Consent Forms”). Your Informed Consent Forms will take precedence if there is a conflict with this Notice.

2. CONTROLLER; SCOPE

The Trial is operated by Aptose Biosciences Inc., 12770 High Bluff Drive, Suite 120, San Diego, CA 92130, USA. You may contact us regarding data protection matters at dpo@aptose.com. Aptose is the Controller with respect to information that relates to identified or identifiable individuals (“Personal Data”) processed by or on behalf of Aptose in connection with Aptose’s Clinical Trials (“Clinical Trial Data”).

Please note: We contract with external parties such as contract research organizations (“CROs”, an independent company that manages and collects study data on behalf of Aptose), sites (i.e. the location where your Clinical Trial is conducted), or other healthcare or research organizations (e.g. a hospital or university) to collect and process the Clinical Trial Data (collectively, “Operators”).

This Notice applies only to the extent that Aptose or Operators acting on behalf of Aptose process Clinical Trial Data in connection with your participation in a Clinical Trial. This Notice does not apply to Personal Data processed by us or third parties in other contexts or for any other purposes. For information about our website privacy practices, please review our Website Privacy Policy. For information on third-party data practices, please review the applicable third-party privacy policy.

Your participation in an Aptose Clinical Trial indicates your acknowledgement of the practices described in this Notice.

3. COLLECTION AND USE OF PERSONAL DATA

Personal Data We Collect

As part of Clinical Trials, Operators generally collect and process Clinical Trial Data. Typically, Aptose receives and processes only a subset of Clinical Trial Data provided by Operators, and typically does not receive any data that can identify a person directly (Aptose may receive a randomized patient ID, for example). Generally, Clinical Trial Data includes the following categories of Personal Data (note, specific Personal Data elements are examples and may change):

Identity Data - Personal Data about you and your identity, such as your name (in the case of Operators) or unique patient identifiers (in the case of Aptose). Aptose does not collect this information, except for the patient identifier.

Contact Data - Identity Data used to contact an individual, e.g. email address, physical address, or phone number. Such information is only collected by the Operator, and is retained at the location of collection. Aptose or Operator personnel may have access to this data to verify that you are a legitimate study participant.

Inference Data - Personal Data we create or use as part of a profile reflecting your results, aptitudes, or research subject characteristics.

User Content - Personal Data included in content provided by you in any free-form or unstructured format, such as in a free text field of an intake form, in a file or document, or clinical notes.

Sensitive Personal Data - Personal Data deemed “sensitive” under state or international laws, such as social security, driver’s license, state identification card, or passport number; account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, religious or philosophical beliefs, etc. We collect the following categories of Sensitive Personal Data:

• Genetic Data - Data relating to DNA sequences, genetic characteristics or chromosomal anomalies, or other genomic data.
• Government ID Data - Data relating to official government identification, such as driver’s license or passport numbers, including similar Identity Data protected as Sensitive Data under applicable law. As with other Identity Data, Aptose does not receive these data, and they are generally only collected by Operators.
• Health Data - Information about your health or medical history, includes outcomes, conditions, Clinical Trial participation records and outcomes, and similar data.
• Race or Ethnic Origin Data - relating to your race, ethnic, or national origin.

How We Collect Personal Data

We collect Personal Data from various sources based on the context in which the Clinical Trial Data will be processed:

Data we collect from you - We collect Clinical Trial Data from you directly, for example, when you enroll in a Trial, complete an intake or Informed Consent Form, or otherwise interact with us directly. Data we receive from Operators - We receive Clinical Trial Data from Operators who conduct certain aspects of our clinical trials on our behalf. Data we receive from service providers - We receive Clinical Trial Data from service providers performing other services on our behalf (e.g. software or data services).

Data we create and infer - We, and certain partners and third parties operating on our behalf, create and infer Clinical Trial Data such as Inference Data based on our observations or analysis of other Clinical Trial Data processed under this Policy, and we may correlate this data with other data we process about you.

4. DATA PROCESSING CONTEXTS AND PURPOSES

Clinical Trials

When you participate in a Clinical Trial, Operators may process Identity Data, Contact Data, Government ID Data, and User Content during the intake process. Aptose creates and processes only Identity Data consisting of a non-directly identifiable unique identifier (“Patient ID”). In connection with the Clinical Trial, Operators and Aptose will process Sensitive Personal Data, including Genetic Data, Health Data, or Race and Ethnic Origin Data, and may generate Inference Data from such data as part of the Clinical Trial. Aptose associates this data only with your Patient ID.

We process this Clinical Trial Data to support, conduct and evaluate the safety and quality of treatments, treatment efficacy, and patient outcomes in the Clinical Trial, to engage with Operators, to fulfill our statutory obligations with respect to each Clinical Trial, and as described in the applicable Informed Consent Form. We may also process Clinical Trial Data to conduct research and development of our pharmaceutical products, services, and processes, to the extent permitted by applicable law.

We will only process Clinical Trial Data if we have a valid legal justification for doing so. Therefore, we will only process your Clinical Trial Data if:

• you have given your prior consent by signing the Informed Consent Form;
• it is necessary to comply with our legal or regulatory obligations, such as the regulations on conducting clinical studies;
• in furtherance of a public interest or in accordance with specific legal or regulatory authorizations relating to clinical trials, public health, and related matters;
• to conduct research regarding medical treatment, outcomes, and public health, in accordance with applicable legal requirements;
• it is necessary for medical reasons to protect your vital interests or those of another individual (matters of life and death).

We do not engage in automatic decision-making or profiling using Clinical Trial Data.

Regulatory Reporting

Your Clinical Trial Data may be processed to comply with our routine obligations to complete periodic reports to public health authorities, hospitals, governmental authorities, or on behalf of Operators. We may also process Clinical Trial Data to draw conclusions from the results of the Clinical Trial and to receive authorization from relevant regulatory authorities to manufacture, market, or distribute our pharmaceutical and therapeutic products. We may also analyze Clinical Trial Data to create aggregate reports and other data that may be processed and disclosed as part of relevant scientific or medical research.

5. DATA SHARING

Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer Clinical Trial Data to the categories of recipients or in connection with specific business purposes, described below.

Service Providers - We may share Clinical Trial Data with service providers or subprocessors who provide certain services to us, or process data on our behalf, e.g. labs, project management, payment processing, or consulting services.

Operators - We share certain data with the Operators engaged in the provision of the applicable Clinical Trial.

Corporate Events - Your Clinical Trial Data may be disclosed to a third party in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Clinical Trial Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Public Health and Research - We may share Clinical Trial Data with research organizations or public health authorities for research purposes, as and to the extent permitted by the Informed Consent Form and applicable laws. These parties may be third party controllers who process data outside the scope of this Notice and subject to their own privacy policies.

Affiliates - In order to deliver the Clinical Trial, we may share your Clinical Trial Data with any of our current or future affiliated entities, subsidiaries, and parent companies.

Regulatory Disclosures - We may disclose your Clinical Trial Data to governmental authorities for regulatory and supervision purposes.

Legal Disclosures - In limited circumstances, we may, without notice or your consent, access and disclose your Clinical Trial Data, our correspondence with you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, or in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Clinical Trial Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Clinical Trial Data to such parties.

6. YOUR RIGHTS & CHOICES

Your Rights

Applicable law may grant you rights in your Clinical Trial Data. These rights vary based on your location, state/country of residence, and may be limited by or subject to our own rights in your Clinical Trial Data. You may submit requests to exercise rights you may have by contacting us at dpo@aptose.com. See the following sections for more information regarding your rights/choices in specific regions: EEA/UK/Switzerland.

Verification Requirement

All rights requests we receive directly must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Clinical Trial Data. For example, we may require that you verify that you have access to the email on file in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

Note: We are able to fulfill rights requests regarding Clinical Trial Data that we control or process. We may not have access to or control over Clinical Trial Data controlled by third parties. Please contact the third party directly to exercise your rights in third party-controlled information.

7. SECURITY

We implement and maintain reasonable security measures to safeguard the Clinical Trial Data you provide us. However, we sometimes share Clinical Trial Data with third parties as noted above, and though we may take certain measures to help ensure the security of your Clinical Trial Data, we do not control third parties’ security processes. We do not warrant perfect security and we do not provide any guarantee that your Clinical Trial Data or any other information you provide us will remain secure.

8. DATA RETENTION

We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for at least as long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate. Please note that we may engage in long-term or longitudinal studies or research that requires the retention of Clinical Trial Data for extended periods, and applicable law may require the retention for extended periods (e.g. EU requirements may require retention of certain clinical trials for 25 years.)

9. INTERNATIONAL TRANSFERS

We operate in and use service providers located in the United States. If you are located outside the U.S., your Clinical Trial Data may be processed in the U.S. The U.S. may not provide the same legal protections guaranteed to Clinical Trial Data in foreign countries. Contact us for more information regarding transfers of data to the U.S.

10. CHANGES TO OUR NOTICE

We may change this Notice from time to time. Please visit this page regularly so that you are aware of our latest updates.

11. CONTACT US

Feel free to contact us with questions or concerns at dpo@aptose.com.

12. REGIONAL SUPPLEMENT

EEA/UK/Switzerland/South Africa

Controller

The controller of Clinical Trial Data relating to residents of the UK/EEA/Switzerland is: Aptose Biosciences Inc., 12770 High Bluff Drive, Suite 120, San Diego, CA 92130, USA.

Rights & Choices

Residents of the EEA, UK, and Switzerland have the following rights. Please review our verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access - You may have a right to access the personal Clinical Trial Data we process.

Rectification - You may correct any personal Clinical Trial Data that you believe is inaccurate.

Deletion - You may request that we delete your Clinical Trial Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export - You may request that we send you a copy of your Clinical Trial Data in a common portable format of our choice.

Restriction - You may request that we restrict the processing of personal data to what is necessary for a lawful basis.

Objection - You may have the right under applicable law to object to any processing of Clinical Trial Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:

• for profiling purposes (if any); and
• involving automated decision-making with legal or similarly significant effects (if any).

Regulator Contact - You have the right to file a complaint with regulators about our processing of your Clinical Trial Data. To do so, please contact your local data protection or consumer protection authority.

Submission of Requests

If you are participating in a Clinical Trial, we recommend that you first seek to exercise your Clinical Trial Data rights directly from the Operator, or other party directly administering treatment, as described in the Informed Consent Form or other information provided to you when you entered the Clinical Trial. As we only possess a Clinical Trial-specific Patient ID, we cannot identify all Clinical Trial Data that relates to you without information from the Operator necessary to associate your identity to the Clinical Trial Data processed by Aptose. In some cases, we may not be permitted to complete this request.

At your request, and if permitted by law, we will confirm whether your Clinical Trial Data is being processed in a Clinical Trial and take measures to provide you with any of your Clinical Trial Data that is processed in such a Clinical Trial within a reasonable time.

You have the right to access, rectify, or delete your personal data in the event that it is inaccurate or has been processed in violation of this Notice. We may require payment or refuse your request if this request is manifestly unfounded or excessive, or if compliance with the request would be in conflict with our obligations under applicable law regulating clinical trials. If you withdraw or are asked to be withdrawn from a Clinical Trial, your Clinical Trial Data collected prior to your withdrawal may still be processed along with other Clinical Trial Data collected as part of the Clinical Trial, as stated in the Informed Consent Form.

Access, Rectification, Data Export, Deletion, Restriction, or Correction

Contact us via email to our privacy team at dpo@aptose.com.

Lawful Basis for Processing

Legal Basis	Description of Basis & Relevant Purposes	Relevant Contexts / Purposes / Disclosures
Consent	This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.	Contexts Clinical Trial Participation Purposes Clinical Trial Execution, Evaluation & Research Disclosures Service Providers Operators Corporate Events Affiliates
Preventive or occupational medicine	This processing relates to data that we process in order to deliver medical services or the provision of healthcare treatment or health services.	Contexts Clinical Trial Participation Purposes Clinical Trial Execution and Evaluation Disclosures Regulatory Disclosure Legal Disclosure
Public interest or research	This processing relates to processes that are necessary in relation to public interests in public health, e.g. to evaluate the quality and safety of healthcare products and services.	Contexts Clinical Trial Participation Purposes Clinical Trial Execution, Evaluation & Research Disclosures Regulatory Disclosure Legal Disclosure
Compliance with legal obligations	This processing is based on our need to comply with legal obligations. We may use your Clinical Trial Data to comply with legal obligations to which we are subject, including to comply with safety, regulatory, or legal process.	Contexts Clinical Trial Participation Purposes Clinical Trial Execution Regulatory Reporting Disclosures Regulatory Disclosure Legal Disclosure

International Transfers

We process data in the United States, and other countries where our subprocessors are located. In cases where we transfer Clinical Trial Data to jurisdiction that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Clinical Trial Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework. You can obtain more information about transfer measures we use for specific transfers by contacting us using the information above.