Last Updated and Effective: 31-AUG-2023

1. WELCOME!

This Privacy Policy (“Policy”) is here to help you understand how we collect, use, disclose, and process your Personal Data (as defined below) through our Site. We also describe your choices and rights with respect to how we process that Personal Data. Please read this Policy carefully.

2. WHO WE ARE

The Site is operated by Aptose Biosciences Inc., 12770 High Bluff Drive, Suite 120, San Diego, CA 92130, USA (“Aptose”, “us”, “our”, or “we”). We may be reached by email at dpo@aptose.com.

3. SCOPE & ACKNOWLEDGEMENT

This Policy applies to our website located at https://www.aptose.com/ and any other website, application, or services where we post or link to this Policy (the “Site(s)”). For data collection, use, and disclosure of Personal Data related to our clinical trials, please review our Clinical Trials Privacy Policy.

This Policy does not apply to information processed by third parties, for example, when you visit a third-party website or interact with third-party sites, except to the extent those parties collect or process information on our behalf. Please review any relevant third party’s privacy policy for information regarding their privacy practices.

NOTE: your use of our Site indicates your acknowledgement of the practices described in this Policy.

Collection and Use of Personal Data

Personal Data We Collect

In order to provide our Site, we may collect and process information that relates to identified or identifiable individuals (“Personal Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements are examples and may change):

Identity Data - Personal Data about you and your identity, such as your name or IP address.

Contact Data - Identity Data used to contact an individual, e.g., email address, physical address, or phone number.

Device/Network Data - Personal Data relating to your device, browser, or application e.g., device identifiers, identifiers from cookies, session history and Site navigation metadata, and other data generated through applications and browsers, including via cookies and similar technologies.

General Location Data - Non-precise location data, e.g., location information derived from IP addresses.

Inference Data - Personal Data we create or use as part of a profile reflecting your preferences, characteristics, aptitudes, market segments, likes, favorites or your interests.

User Content - Personal Data included in content provided by users of the Site in any free-form or unstructured format, such as in a “contact us” box, free text field, in a file or document, or messages to us.

How We Collect Personal Data

We collect Personal Data from various sources based on the context in which the Personal Data will be processed:

Data we collect from you - We collect Personal Data from you directly, for example, when you input information into an online form, or contact us directly.

Data collected automatically - We may collect certain Personal Data automatically. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use our Site, access our Site, or when you open our marketing communications.

Data we receive from service providers - We receive Personal Data from service providers performing services on our behalf.

Data we create and infer - We, certain partners and third parties operating on our behalf, create and infer Personal Data such as Inference Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you.

4. DATA PROCESSING CONTEXTS / NOTICE AT COLLECTION

Site Use

When you use our Site, we automatically collect and process Identity Data and Device/Network Data. We use this data as necessary to initiate or fulfill your requests for certain features or functions through our Site, such as delivering pages, logging activities for security purposes, etc. We may also process this Personal Data for our Business Purposes.

Cookies and Similar Tracking Technologies

We process Identity Data, Device/Network Data, Contact Data, Inference Data, and General Location Data in connection with our use of cookies and similar technologies on our Sites. We may collect this data automatically.

We and authorized third parties may use cookies and similar technologies for the following purposes:

  • for “essential” purposes necessary for our Sites to operate (such as maintaining user sessions, content delivery, and the like);
  • for “functional” purposes, such as to enable certain features of our Sites (for example, to allow a customer to view our Site in another language); and
  • for “analytics” purposes and to improve our Sites, such as to analyze the traffic to and on our Sites (for example, we can count how many people have looked at a specific page, or see how visitors move around the Site when they use it, to distinguish unique visits/visitors to our Sites, and what website they visited prior to visiting our Site, and use this information to understand user behaviors and improve the design and functionality of the Site).

We may also process this Personal Data for our Business Purposes. See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies and in relation to Online Advertising.

Third parties may view, edit, or set their own cookies or place web beacons on our Sites. We, or third-party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may combine this data with data that they receive from their own services. Third parties have their own privacy policies, and their processing is not subject to this Policy.

Informational or Promotional Emails

We may process Identity Data, Device/Network Data and Contact Data in connection with email communications relating to our Site, or if we send you promotional communications. You may receive such email communications if you contact us, choose to receive them, or interact with us in a way that allows us to send you those communications. We may also automatically collect Device/Network Data when you open or interact with those communications so that we can better understand engagement with our communications. We may also process this Personal Data for our Business Purposes.

Contacting Us

When you contact us through the Site using a contact us box or via email, we process Personal Data such as Identity Data, Device/Network Data, and any Personal Data contained within any User Content. We use Identity Data, Contact Data, and User Content as necessary to communicate with you about the subject matter of your request and related matters. We may also process this Personal Data for our Business Purposes.

5. PURPOSES OF PROCESSING

Business Purposes

In addition to the processing described above, we generally process Personal Data for several common purposes in connection with our business (“Business Purposes”). Please see below for more information regarding the purposes for which we process your Personal Data.

Operate our Site and Fulfill Obligations - We process any Personal Data as is necessary to provide the Site, and as otherwise necessary to fulfill our obligations to you, e.g., to provide you with the information, features, and Site you request.

Internal Processes and Service Improvement - We may use any Personal Data we process through our Site as necessary in connection with our improvement of the design of our Site, understanding how the Site is used or functions, for customer service purposes, in connection with the creation and analysis of logs and metadata relating to Site use, and for ensuring the security and stability of the Site. Additionally, we may use Personal Data to understand what parts of our Site are most relevant to users, how users interact with various aspects of our Site, how our Site performs or fails to perform, etc.

Security and Incident Detection - We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties and locations are secure, identify and prevent crime, prevent fraud, and ensure the safety of our users. Similarly, we process Personal Data on our Site as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security activities.

Personalization - We process certain Personal Data as necessary to personalize our Site. For example, aspects of the Site may be customized to you so that it displays your account information and other appearance or display preferences, to display content that you have interacted with in the past, or to display content that we think may be of interest to you based on your interactions with our Site and other content. This processing may involve the creation of Personal Data that we infer based on your preferences.

Aggregate Analytics - We process Personal Data as necessary in connection with our creation of aggregate analytics relating to how our Site is used, the pages and content users view, and to create other reports regarding the use and performance of our Site, and other similar information and metrics. The resulting aggregate data will not contain information from which an individual may be readily identified.

Compliance, Safety & Public Interest - Note that we may, without your consent or further notice to you, and to the extent required or permitted by law, process any Personal Data subject to this Policy for purposes determined to be in the public interest or otherwise required by law. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals or otherwise in the public interest, or as required by a public authority. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Corporate Events - Your Personal Data may be processed as part of routine corporate operations, as part of corporate reorganizations, or any business transition, such as a merger, acquisition, liquidation, or sale of assets.

Other Processing of Personal Data - If we process Personal Data in connection with our Site in a way not described in this Policy, this Policy will still apply generally (e.g., with respect to your rights and choices) unless otherwise stated when you provide it.

6. DATA SHARING

Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the categories of recipients or in connection with specific business purposes, described below.

Service Providers - In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other business interests, we may share Personal Data with service providers or subprocessors who provide certain services to us, or process data on our behalf. For example, we may use third party hosting providers to host our sites or content, and we may disclose information as part of our own internal operations, such as security operations, internal research, etc.

Corporate Events - Your Personal Data may be disclosed to a third party in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Affiliates - In order to streamline certain business operations and develop products and Sites that better meet the interests and needs of our customers, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.

Legal Disclosures - In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, our correspondence with you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, or in the vital interests of us or any person. Note, these disclosures may be made publicly (such as in SEC filings) or to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

7. YOUR RIGHTS & CHOICES

Your Rights

Applicable law may grant you rights in your Personal Data. These rights vary based on your location, state/country of residence, and may be limited by or subject to our own rights in your Personal Data. You may submit requests to exercise rights you may have by contacting us at dpo@aptose.com.

Note: We are able to fulfill rights requests regarding Personal Data that we control or process. We may not have access to or control over Personal Data controlled by third parties. Please contact the third party directly to exercise your rights in third party-controlled information.

Verification Requirements

All rights requests we receive directly must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. For example, we may require that you verify that you have access to the email on file in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

Your Choices

You may have the following choices regarding the Personal Data we process, to the extent required under applicable law:

Consent - If you consent to our processing of Personal Data, you may withdraw your consent at any time by contacting us at dpo@aptose.com. We will respond to your request in the time required under applicable law.

Email Marketing - You have the choice to opt-out of or withdraw your consent to email marketing communications. You may exercise your choice via the links in our communications.

Cookies & Similar Tech - If you do not want information collected through the use of cookies and similar technologies, you can manage/deny cookies and certain similar technologies using your browser’s settings menu or through our cookie settings. You must opt out of the use of some third-party Sites directly via the third party. For example, to opt out of Google’s analytics and marketing services, visit the Google Analytics Terms of Use, the Google Privacy Policy, or Google Analytics Opt-out.

8. SECURITY

We implement and maintain reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and though we may take certain measures to help ensure the security of your Personal Data, we do not control third parties’ security processes. We do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.

9. DATA RETENTION

We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.

10. MINORS

Our Site is neither directed at nor intended for use by minors under the age of majority in the relevant jurisdiction. Further, we do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it.

11. INTERNATIONAL TRANSFERS

We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be processed in the U.S. The U.S. may not provide the same legal protections guaranteed to Personal Data in foreign countries. Contact us for more information regarding transfers of data to the U.S.

12. CHANGES TO OUR POLICY

We may change this Policy from time to time. Please visit this Policy regularly so that you are aware of our latest updates. Your use of the Site following notice of any changes indicates acceptance of any changes.

13. CONTACT US

Feel free to contact us with questions or concerns at dpo@aptose.com.

14. REGIONAL SUPPLEMENT: EEA/UK/SWITZERLAND/SOUTH AFRICA

Controller

The controller of Personal Data relating to residents of the UK/EEA/Switzerland/South Africa is: Aptose Biosciences Inc., 12770 High Bluff Drive, Suite 120, San Diego, CA 92130, USA.

Rights & Choices

Residents of the EEA, UK, and Switzerland have the following rights. Please review our verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access - You may have a right to access the Personal Data we process.

Rectification - You may correct any Personal Data that you believe is inaccurate.

Deletion - You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export - You may request that we send you a copy of your Personal Data in a common portable format of our choice.

Restriction - You may request that we restrict the processing of personal data to what is necessary for a lawful basis.

Objection - You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:

  • for profiling purposes (if any);
  • for direct marketing purposes (if any); and
  • involving automated decision-making with legal or similarly significant effects (if any).

Regulator Contact - You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

Submission of Requests

Access, Rectification, Data Export, Deletion, Restriction, or Correction

  • Contact us via email to our privacy team at dpo@aptose.com.
  • Please provide a detailed explanation of your request and what you would like Aptose to do. If possible, the submission should be in English. If your submission is in a local language, we cannot guarantee that our response will be in that same language.

Lawful Basis for Processing

For each legal basis, the table below gives a description of the basis and the relevant purposes, followed by the relevant contexts, purposes, and disclosures.

Legal Basis: Performance of a contract
Description of Basis & Relevant Purposes: The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g. to provide the Site or perform an agreement you have with us, to provide our products or services to you, or to process your requests.
Contexts:
  • Contexts where Personal Data is processed for purposes listed below
  • Cookies and other tracking technologies (strictly necessary)
Purposes:
  • Operation of Site and Fulfilment of Requests
Disclosures:
  • Public Disclosure
  • Service Providers

Legal Basis: Legitimate interests
Description of Basis & Relevant Purposes: This processing is based on our legitimate interests. For example, we rely on our legitimate interest to administer, analyze, and improve our Services, to operate our business, including through the use of service providers and subcontractors, to send you notifications about our Services or your subscriptions, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes. See the Business Purposes of Processing section above for more information regarding the nature of processing performed on the basis of our legitimate interests.
Contexts:
  • Contexts where Personal Data is processed for specified legitimate interests or purposes listed below
Purposes:
  • Internal Processing and Service Improvement
  • Security and Incident Detection
  • Aggregated Analytics
  • Corporate Events
  • Marketing Communications
Disclosures:
  • Affiliates
  • Service Providers
  • Data Aggregators
  • Successors
  • Lawful Recipients

Legal Basis: Consent
Description of Basis & Relevant Purposes: This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.
Contexts:
Contexts where Personal Data is processed for purposes listed below:
  • Cookies and other tracking technologies (except strictly necessary)
  • Marketing communications

Legal Basis: Compliance with legal obligations
Description of Basis & Relevant Purposes: This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for compliance purposes.
Business Purposes:
  • Compliance, Safety, Public Interest
Disclosures:
  • Lawful Recipients

Legal Basis: Performance of a task carried out in the public interest
Description of Basis & Relevant Purposes: This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for such purposes.
Business Purposes:
  • Compliance, Safety, Public Interest
Disclosures:
  • Lawful Recipients

International Transfers

We process data in the United States, and other countries where our subprocessors are located. In cases where we transfer Personal Data to jurisdictions that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework. You can obtain more information about transfer measures we use for specific transfers by contacting us using the information above.