Privacy

THEA WEBSITE & BUSINESS CONTACT PRIVACY & COOKIES NOTICE

Effective Date: 8^th June 2021

• THIS PRIVACY NOTICE

1. Our Privacy & Cookies Notice

Thea Pharmaceuticals Limited ("we", "us", or " Thea") of IC5 Building, Innovation Way, Keele, Newcastle, England, ST5 5NT take our obligations to protect privacy and personal information very seriously. Please read this Website & Business Contact Privacy & Cookies Notice ("the Notice") carefully as it sets out important information relating to how we handle your personal information. This Notice sets out how we, as data controller, will collect and use personal information, and the choices and rights available to you in connection with our use of your personal information.

1. To whose personal information does this Notice apply?

This Notice describes our practices when using:

• the personal information of business contacts, including:
  • individual and corporate customers (including individual health care professionals and employees of corporate customers such as pharmacies and hospitals); and
  • business partners and employees of our business partners, suppliers of services and other third parties, such as pre-wholesalers, suppliers of IT and delivery services to our operations in the United Kingdom.
• other persons who may visit our Thea websites ("website users").

This Notice will apply whether you have provided the information directly to us or we have obtained it from a different source, such as a third party.

• BUSINESS CONTACTS

1. Sources of business contact information

We collect personal information from our business contacts directly or from the following sources:

• Thea group companies;
• Corporate customers and other business partners;
• Suppliers of goods and services to our UK operations;
• Third party referrals;
• Thea premises or branches;
• Communications with Thea from our website;
• Other public resources such as telephone directories, newspapers, internet sites, commercially available marketing lists, registries or public records; and
• From such other sources where you have given your consent for the disclosure of personal data relating to you, and/or where otherwise lawfully permitted.

1. What personal information we collect about business contacts

The categories of information we collect about business contacts includes:

• Personal/professional details and contact details including name, delivery address, company, workplace/office address, personal and/or work telephone numbers and home and/or work email addresses;
• Where appropriate - various details concerning your professional activity: specialty, pathologies treated, modality and practice of treatment

• Financial details including any payments made and received and tax details, where appropriate;

• Details relating to goods or services provided or purchased;
• Communications by email, telephone, post and other means with our business contacts;
• Image capturing, such as photos and CCTV footage on our sites.
• History of interactions between you and Thea: appointments, meetings, participation in events (including advisory boards), promotional campaigns or programs, visits to our websites and social media, case study submissions, etc.

1. How we use the personal information we collect about business contacts

We use this information for certain activities, including:

• Business planning;
• To fulfil a transaction initiated by a business contact;
• Keeping accounts related to any business or other activity carried on by Thea;
• Keeping records of transactions for the purpose of ensuring that the required payments and/or deliveries are made or services provided;
• Business development;
• Database management;
• Security and crime prevention including fraud and theft prevention or investigation, or other risk management purposes;
• Managing our relationships with pre-wholesalers, and other service providers;
• Compliance with contractual, legal and regulatory obligations; and
• Communication of relevant Thea products, events and other promotions
• Event registration and submission to relevant professional body in order to be able to issue CPD/CET certificates
• For any other purposes that is required or permitted by any law, regulations, guidelines and/or regulatory authorities.

1. Why we use the personal information of business contacts

We use this information because:

• It is necessary for performing our obligations, or exercising our rights, under our contracts with individuals who are business contacts, partners or suppliers;
• It is necessary for compliance with any legal or regulatory obligations that we are subject to;
• We have a legitimate business interest to:
• Manage our business and brand;
• Provide and improve our services in the context of our UK operations;
• Operate our business efficiently;
• Protect our business from crime and other business risks.

A legitimate interest will only apply where we consider that it is not outweighed by a business contact's interests or rights which require protection of their personal data.

• In limited circumstances, such as in the case of marketing, a business contact's consent as required under applicable law.
• Where we rely upon a business contact's consent, they will have the right to withdraw their consent by contacting privacy.uk@theapharma.com

If a business contact requires further information regarding our legitimate interests as applied to their personal information, they may contact privacy.uk@theapharma.com

In certain circumstances, where a business contact does not provide personal information which is required, we will not be able to perform our obligations under the contract with them or may not be able to provide them with services in the context of our UK operations. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the business contact.

1. Recipients of business contact information

We may disclose personal information of business contacts to third parties as follows:

• To other Thea group companies in order to process the data for the above-mentioned purposes;
• Corporate customers and other business partners;
• To suppliers and/or providers of goods and services and other third parties who work on our behalf to service or maintain business contact databases and other IT systems, such as suppliers of the IT systems which we use to process personal information;
• To third parties providing services to us, such as our professional advisors (e.g. auditors and lawyers);
• To competent authorities such as tax authorities, courts, regulators and security or police authorities where required or requested by law or where we consider it necessary; and
• Subject to applicable law, in the event that Thea is merged, sold, or in the event of a transfer of some or all of our assets (including in bankruptcy), or in the event of another corporate change, in connection with such transaction; and
• Other parties in respect of whom you have been given your express consent.

1. Further Information

Please see sections 4 to 8 below for further information concerning our use of personal data.

• WEBSITE USERS AND WEB-RELATED PRIVACY ISSUES

1. What personal information we collect about Thea website users

The categories of information we collect about users of our website include information users provide when they enter information on our website, such as when they provide contact details;

We also collect personal information about the use of our website from users, including:

• Information captured in our web logs such as device information (e.g. device brand and model, screen dimensions), unique identification numbers (e.g. IP address and device ID), and browser information (e.g URL, browser type, pages visited, date/time of access);
• Information captured by our cookies (see Cookies section below).

Thea will not store any financial details (credit or debit card numbers). If a website user makes a purchase directly on the website the card details are not passed to Thea by Paypal.

1. How we use the personal information of Thea website users:

We use personal information of users of our website, including:

• Processing orders;
• Personalising the experience of our website;
• Responding to communications from website visitors;
• Administering the website, investigating any complaints and providing customer service;
• To register delegates for events and to enable issuing of attendance certificates
• If a website user gives consent, to notify them of products, events or special offers that may be of interest to them.

We use personal information about the use of our website for certain activities, including:

• Administering the website;
• Performing statistical and trend analysis understand the user base of our website, and to improve the user experience and performance of our website.

1. Why we use the personal information of website users:

We use personal information of users of our website:

• It is necessary for compliance with any legal or regulatory obligations we are subject to;
• We have a legitimate business interest to:
• Promote our brand and business through our website;
• Monitor, investigate and report any attempts to breach the security of our websites;
• A legitimate interest will only apply where we consider that it is not outweighed by a website user's interests or rights which require protection of their personal data; and
• In limited circumstances, such as in the case of marketing, a website user's consent as required under applicable law.
• Where we rely upon a website user's consent, they will have the right to withdraw their consent by contacting privacy.uk@theapharma.com

We use personal information about the use of our website because:

• It is necessary for compliance with any legal or regulatory obligations that we are subject to;

• We have a legitimate business interest to:

• o Monitor, investigate and report any attempts to breach the security of our websites;

• o Improve the performance and user experience of our websites;

• o Improve our marketing and business development activities.

A legitimate interest will only apply where we consider that it is not outweighed by a website user's interests or rights which require protection of their personal data.

If a website user requires further information regarding our legitimate interests as applied to their personal information, they may contact privacy.uk@theapharma.com

1. Recipients of the personal information of website users:

We may disclose website users' personal information to third party recipients, as follows:

• To other Thea group companies in order to process the data for the above mentioned purposes;
• To third parties who work on our behalf to service or maintain our websites, other suppliers of the IT systems which we use to process personal information, or third parties who provide other technical services;
• To third parties providing services to us, such as our professional advisors (e.g. auditors and lawyers);
• To competent authorities such as tax authorities, courts, regulators and security or police authorities where required or requested by law or where we consider it necessary;

• Subject to applicable law, in the event that Thea is merged, sold, or in the event of a transfer of some or all of our assets (including in bankruptcy), or in the event of another corporate change, in connection with such transaction.

1. Further Information

Our websites and online services are for individuals who are at least 18 years of age. Our online services are not designed to be used by children under the age of 18.

Please see sections 4 to 8 below for further information concerning our use of personal data.

• INTERNATIONAL TRANSFERS

Thea is a subsidiary of Laboratoires Théa SAS, which is a global company and, as such, we may transfer personal information to other Thea group companies or suppliers outside your home jurisdiction. Thea will take all reasonable steps to ensure that personal information is protected and any such transfers comply with applicable law.

Thea may transfer and maintain the personal information of individuals covered by this Notice on servers or databases outside the European Economic Area (EEA). Some of these countries may not have the equivalent level of protection under their data protection laws as in the EEA. We will only do this when it is necessary to respond to queries from residents in the country to which the data is sent.

If we need to transfer personal data outside the EEA, we will take steps to make sure your personal data is protected and safeguarded once it leaves the EEA, in particular the use of Model Clauses approved by the European Commission and permitted under Article 46 of the GDPR.

• RETENTION PERIODS

We will retain your personal information for as long as required to perform the purposes for which the data was collected, depending on the legal basis for which that data was obtained and/or whether additional legal/regulatory obligations mandate that we retain your personal information. We may also retain personal information for the period during which a claim may be made in relation to our dealings with you.

In general terms, this will mean that your personal data will be kept for the duration of our relationship with you and:

1. the period required by tax and company laws and regulations; and
2. as long as it is necessary for you to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under local laws.

In certain circumstances, data may need to be retained for a longer period of time, for example, where we are in ongoing correspondence or there is a continuing claim or investigation.

• DATA SUBJECT RIGHTS

What an individual's rights are in relation to the personal data

An individual will have certain rights in relation to their personal data. Some of these rights will only apply in certain circumstances. If an individual would like to exercise, or discuss, any of these rights, they should submit their request in writing or email to privacy.uk@theapharma.com and provide sufficient information to allow us to understand the scope of the request.

• • Consent: if our processing is based on consent, an individual can withdraw their consent at any time by contacting privacy.uk@theapharma.com

• • Access: an individual is entitled to ask us if we are processing their personal data and, if we are, they can request access to their personal data. This enables them to receive a copy of the personal data we hold about them and certain other information about it.

• • Correction: an individual is entitled to request that any incomplete or inaccurate personal data we hold about them is corrected.

• • Erasure: an individual is entitled to ask us to delete or remove personal data in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.

• • Restriction: an individual is entitled to ask us to suspend the processing of their personal data, for example if they want us to establish its accuracy or the reason for processing it.

• • Data Portability: you may request to receive your personal data in a structured, commonly used and machine-readable format and request the transfer of these data to another controller.

• • Objection: where we are processing personal data based on legitimate interests (or those of a third party) an individual may challenge this. However we may be entitled to continue processing personal data based on our compelling legitimate interests or where this is relevant to legal claims. An individual also has the right to object where we are processing personal data for direct marketing purposes.

• • Automated decisions: an individual is entitled to contest any automated decision made about them where this has a legal or similarly significant effect and ask for it to be reconsidered.

• • Supervisory Authority: an individual also has a right to lodge a complaint with a supervisory authority, in particular in the Member State in the European Union where they are habitually resident, where they work or where an alleged infringement of data protection legislation has taken place. In the UK an individual can make a complaint to the Information Commissioner's Office (Tel: 0303 123 1113 or at www.ico.org.uk).

• MISCELLANEOUS

1. Contact Details

If you wish to obtain any further information, or exercise any of the rights set out above you can contact:

Telephone: 0345 521 290

Email: privacy.uk@theapharma.com

1. Security

We have put in place technical and organisational security measures to prevent the loss or unauthorised access of your personal information. However, whilst we have used our best efforts to ensure the security of your data, please be aware that we cannot guarantee the security of information transmitted over the Internet. If you have reasons to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us as set out below.

1. Links

Our Website may contain links to other "non-Thea " websites. We do not control and assume no responsibility for the content, security or the privacy policies and practices on those websites. Thea encourages all users to read the privacy policies of those sites to determine how they protect and use personal information.

1. Changes to this Notice

From time to time, we may change and/or update this Notice. If this Notice changes in any way, we will post an updated version on this website. We recommend you regularly review this website to ensure that you are always aware of our information practices and any changes to such. Any changes to this Notice will go into effect on posting to this page.

• COOKIES AND SIMILAR TECHNOLOGIES

A cookie is a small text file which includes a unique identifier that is sent by a web server to the browser on your computer, mobile phone or any other internet enabled device when you visit an on-line site. Cookies and similar technologies are widely used to make websites work efficiently and to collect information about your online preferences. For simplicity, we refer to all these technologies as "cookies".

Some of our website pages may contain electronic images known as web beacons (also known as clear gifs, tags or pixels) that allow us to count users who have visited our pages. Web beacons collect only limited information, e.g. a cookie number, time and date of a page view, and a description of the page on which the web beacon resides. We may also carry web beacons placed by third party advertisers. These beacons do not carry any information that could directly identify you.

1. How do we use cookies?

We use cookies and other tracking technologies to customise content and advertising, provide social media features and to see how our visitors move through our website. We use this information to make decisions about ways to improve the services we offer you.

We may engage third party tracking and advertising providers such as those named below to act on our behalf to track and analyse your usage of our website through the use of cookies. These third parties collect, and share with us, usage information about visits to our website and, sometimes by correlating this information with other information (e.g. your IP address), measure and research the effectiveness of our advertisements, track page usage, help us target our recommendations and advertising, and track use of our recommendations and advertisements.

1. Cookies and types of cookies what we use

The table below describes the cookies that we use.

If you have any specific queries regarding cookies which are deployed on our website, we maintain a Cookie Register which is available [here] or you can contact privacy.uk@theapharma.com

You can find more information about cookies, behavioural advertising and online privacy at www.allaboutcookies.org or www.youronlinechoices.eu.

8.3 How do I reject cookies?

If you do not want to be tracked by Google Analytics cookies you can opt-out by installing a browser plug-in here: https://tools.google.com/dlpage/gaoptout/

At any time, you can prevent cookies from being set on your browser. For instructions on how to block, delete or disable any cookies, please consult your browser's 'Help' or 'Support' section. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our website.

Please consult the following links for information on cookie management and blocking according to your browser:

Explorer: http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-11.

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Safari: https://support.apple.com/kb/PH19214?locale=en_GB

You can also find more information and manage cookie storage at: www.youronlinechoices.eu