COMPASS myPathfinder Privacy Notice

Effective Date: 2nd December 2022

Thank you for using the Compass myPathfinder mobile application (the “app”) and online service. COMPASS Pathfinder Ltd. and affiliates, together with its affiliates (“we,” “us,” or “COMPASS”), works with therapists and other healthcare providers (each a “Provider”) to offer Compass myPathfinder and other home-based treatment solutions to patients (including “you” as used in this notice).

This Privacy Notice (“Notice”) explains our practices for the collection and processing of information from or about you (“Personal Data”) through Compass myPathfinder, any of the online applications or portals associated with Compass myPathfinder, and any other online COMPASS service that links to this Notice (collectively “Applications” or “Compass myPathfinder”). This Notice is unique to the Applications and differs from other COMPASS and COMPASS-affiliate privacy policies and notices. By using the Applications, you indicate that you understand and agree to the practices outlined in this Notice. COMPASS may have other unique privacy notices that apply to certain specific situations, such as privacy notices for specific products and services, such as clinical trials. To the extent you were provided with a different privacy notice or policy and those policies or notices apply, those policies or notices will govern our interactions with you, not this one.

All references to GDPR are to the United Kingdom (UK) and European Union (EU) data protection laws. Reference to GDPR for the UK also includes The Data Protection Act 2018 and other relevant law.

COMPASS Pathfinder Ltd. and affiliates is the data controller of the personal data collected and used in this application. Our registered address is 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom. Any questions relating to this privacy notice can be directed to privacy@compasspathways.com.

What Personal Data Do We Process?

Personal Data: Personal Data is any information that can be used to identify you or that we can link directly to you, such as your name, address, email address, or telephone number. As indicated below, the Personal Data we collect includes health-related data. In some jurisdictions, Personal Data can include indirectly identifying information such as a unique number assigned to a patient by a medical facility or healthcare professional, even absent other identifying information. For patients located in the United States, Personal Data may be considered Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA).

The information below summarises the Personal Data we process, the sources from which we obtain your Personal Data, our purposes for processing your Personal Data, and the potential recipients of your Personal Data. Some jurisdictions require us to state the legal bases for processing your Personal Data, but please note that not all jurisdictions may recognize all legal bases included below.

What do we use your data for:

We use your personal data to:

  1. Provide you with the application
  2. Assist you with the application if you need our support
  3. Gain user feedback (through the application)
  4. Manage the application, including to ensure the security of the data
  5. Develop and improve the application
  6. Add your data to our research data pool

For GDPR, the lawful basis under which we use your personal data for these purposes are:

Personal Data We Process:

Contact Information: We create a unique code which you will use to access the mobile application.

Health Information: Information that you record or provide to the app regarding your treatment, including your sex/gender, treatment dates, medical history and treatment information, patient-reported outcome measures (e.g., responses to questionnaires and surveys) and user activity.

If you agree when installing the app, information regarding your health from Apple HealthKit and/or Google Fit data will be stored, including physical activity, steps, heart rate, blood oxygen, rest periods, and other information collected from those applications*, collected directly from you and from your Provider and through your smartphone and connected device(s) via the Apple HealthKit and/or Google Fit application. The use of information received from Google Fit APIs will adhere to the Google Fit Developer and User Data Policy, including the Limited Use requirements.

Technical Information Data: Internet Protocol (IP) addresses, browser type, browser language, device type, and device location data (masked so as not to give precise location), as well as the date and time you use the Applications, automatically collected certain technical information relating to you and your devices when you visit or use the Applications, processed to provide you with our products and services, communicate with you, detect security incidents, and protect against malicious or illegal activity; and for short-term, transient use, internal app development (including development of , and quality assurance.

Pseudonymised Data: Meeting the definition of pseudonymised data (UK/EU citizens) from your Provider, collected directly from you; through your smartphone and connected device(s) via the Apple HealthKit and/or Google Fit application; and technical information from your devices.

De-identified Data: Meeting the de-identified data definition under HIPPA (US customers) -by removing identifiers required under HIPAA for such data to be considered deidentified from your healthcare Provider, collected directly from you; through your smartphone and connected device(s) via the Apple HealthKit and/or Google Fit application; and technical information from your devices.

Anonymised Data: Data for which your individual personal characteristics have been removed such that you cannot be identified from the data (within the definition provided by GDPR and supervisory authority guidance or requirements).

Use of your data to inform our research:

We also de-identify or pseudonymise your data to inform our research. We create a unique identifier known only to us to do this that will allow us to link all your data in a data pool, including linking to the data where you have taken part in one of our trials. The data are therefore de-identified or pseudonymised to the extent that any ‘clear’ or ‘direct’ identifiers are removed. This data pool is only used by Compass and is not shared with anyone.

We will use your data from the app in the research context to:

We may use outcome data to build machine learning models that can predict a persons response to various types of treatment based on the data collected by the app before treatment begins. This machine learning, or automated processing, will only be used to develop the app and will not have any effect on you.

In so far as this pseudonymised data is personal data as defined in GDPR, your rights are not affected, and you can ask us to stop using this data by emailing privacy@compasspathways.com.

Please note that the research data collected via any trial you were involved in will remain as the provisions of the Data Protection Act 2018 Schedule 2 allow us to keep this data as it may affect the outcomes of the trial research into the psilocybin medication.

We may further process your data in order to anonymise it for future research. Once anonymised in this way, it ceases to be personal data.

*For Apple HealthKit and/or Google Fit data: We only collect and process Personal Data that we receive through your smartphone and connected device(s) via the Apple HealthKit and/or Google Fit application if you choose to allow those applications to share the data with COMPASS. If you do not want us to collect this Personal Data, please do not use these applications or do not choose to allow those applications to share data with us. You can choose to stop sharing this data at any time.

Sharing your data

Compass will only use your information for the purposes above. We will not share your data with other organisations without your permission unless we are required to do so by law. Compass uses service providers such as Amazon Web Services and Atlas MongoDB to host our data and to provide the software that manages the app. All such service providers (or data processors) have signed a contract with us to restrict their use to our purposes and so that they only use your personal data for the uses we set out.

Retention

We will process and store your Personal Data only for the period necessary to achieve the purpose of providing the app to you. Specifically, your Personal Data generally will be stored for up to twenty-five (25) years from the date you last use the Application, subject to longer retention periods required in some circumstances for legal and regulatory purposes. After that period has expired, the corresponding Personal Data is routinely deleted.

If you choose to uninstall the app, we will no longer collect any more data about you, but the data we already have will be kept for us to use unless you specifically ask us to delete it. We will keep a record of the fact that we did this by keeping your unique identifier and the data of deletion.

Cookies and Similar Tools: We also collect some other Personal Data from your mobile device automatically, including technical information. Like many Applications, we use cookies, web beacons, and other similar technologies on our Applications. A cookie is a unique numeric code that we transfer to your computer so that we can keep track of your interests and/or preferences and, among other things, recognize you as a return visitor to our Applications. Web beacons are small pieces of code placed on our Applications that allow us to obtain information about website usage.

The Compass myPathfinder application uses cookies only as strictly necessary or to track your preferences and activity, including:

We process the cookies under the lawful basis of legitimate interests (GDPR Article 6(1)(f)) for the purposes above.

Transfer of Personal Data Across National Borders

The Personal Data we collect may be transferred to and maintained on servers or databases located outside your state, province, country, or other jurisdiction, where the privacy laws may not be as protective as those in your location, including but not limited to the United States.

We enter into agreements with your Provider, our third-party vendors, and with our affiliates to ensure that your Personal Data is protected when crossing national borders. These agreements may include the Standard Contractual Clauses adopted and approved by the United Kingdom and/or European Commission.

Your Rights and How to Exercise Them

You may have a right under your jurisdiction’s data protection laws to the following with respect to some or all of your Personal Data:

To exercise these rights, please submit your request to privacy@compasspathways.com. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

Additionally, you may have the right to lodge a complaint against us. To do so, contact the relevant governing authority in your country of residence.

If you have any complaints, please contact our Data Protection Officer at dpo@compasspathways.com in the first instance. If you are unhappy with our response, if you are a UK citizen you have a right to complain to the Information Commissioner’s Office:

Telephone: 0303 123 1113 Web: https://ico.org.uk/make-a-complaint/

If you are a citizen of a European Economic Area country, you can email our Data Protection representative at datarequest@datarep.com quoting ‘COMPASS Pathways’ in the subject line.

Updating Your Information

In addition to other methods outlined in the Notice, you can update some of your Personal Data by logging into your account and changing that Personal Data. With respect to Personal Data provided to us by your Provider, you may have the right to contact your Provider to update information.

Links to Other Websites

Our Applications may contain links to other websites or applications that are not owned or operated by COMPASS. You should carefully review the privacy policies and practices of these websites or applications before visiting them, as we cannot control and are not responsible for their privacy policies or practices.

Safeguarding Information

We have implemented physical, electronic, and administrative safeguards to protect your Personal Data. However, as is the case with all websites, applications, and online services, we are not able to guarantee security for data collected through our Applications.

Special Note to Patients in the United States

If you are a U.S. patient, please note that this Notice is distinct from your Provider’s HIPAA Notice of Privacy Practices, which describes how your Provider uses and discloses individually identifiable information about your health that it collects, as well as any other privacy practices it applies. COMPASS, as your Provider’s business associate or contracting partner, collects, uses, and disclosures your information on behalf of your Provider in accordance with your Provider’s HIPAA Notice of Privacy Practices and other privacy practices. Reading this Notice and your Provider’s Notice of Privacy Practices will help you understand how information we collect from you through COMPASS Applications or directly from your Provider is used and/or disclosed. If there is any inconsistency between this Notice and your Provider’s Notice of Privacy Practices, your Provider’s Notice applies with respect to that conflict.

Changes to This Privacy Notice

We update this Notice from time to time and will post changes in the Applications. Any changes made in the updated Notice will be effective within 5 days after the updated Notice is posted. You should review this Notice periodically to stay aware of changes, as you will be deemed to have consented to them when you use the Applications after the effective date of those changes.

Contact Us

If you have any questions, please contact us at privacy@compasspathways.com.

© 2022 COMPASS Pathfinder Ltd. and affiliates. All Rights Reserved.