CLINICAL TRIALS
Vigil Neuroscience, Inc. Privacy Notice  for Clinical Trials 

Effective on: November 10, 2023

1. Introduction  

Vigil Neuroscience, Inc. (“Vigil”, “we”, “us”, “our”) sponsors ethically approved clinical trials (“Trial” or “Trials”). We take the protection of personally identifiable information (“Personal  Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual patients and  medical staff assisting with Trials (“Data Subjects”) whose Personal Data we may receive in  connection with the Trials. Please read this Notice to learn what we are doing with your Personal  Data, how we protect it, and how you can exercise your privacy rights. 

2. Identity and Contact Information 

If you are an individual patient and you have any questions about this Notice or our processing  of your Personal Data, or you would like to exercise your data protection rights, please first speak  with your study doctor. Vigil generally only has access to pseudonymized or “key-coded” data (as  defined in Section 5 below), and we will be unable to identify you if we receive a request from  you directly. 

If you are not an individual patient, please contact us using one of the contact methods below.  Please allow up to one month for us to reply. 

Clinical Trial Sponsor 

Legal entity name: Vigil Neuroscience, Inc. 

Address: 100 Forge Road, Suite 700, Watertown, MA 02472 

Email Address: dataprivacy@vigilneuro.com 

Sponsor’s Data Protection Officer 

VeraSafe, LLC 

Address: 100 M Street S.E., Suite 600, Washington, D.C. 20003 USA 

Phone: +1-617-398-7067 

Email address: experts@verasafe.com

Sponsor’s Data Protection Representative in the EU 

VeraSafe Netherlands BV 

Keizersgracht 555

Amsterdam 1017 DR

The Netherlands 

Phone: +420 228 881 031 

Contact form: www.verasafe.com/privacy-services/contact-article-27-representative 

Sponsor’s Data Protection Representative in the UK 

VeraSafe United Kingdom Ltd. 

37 Albert Embankment, London SE1 7TL, United Kingdom 

Phone: +44 (20) 4532 2003 

Contact form: www.verasafe.com/privacy-services/contact-article-27-representative

3. Scope of this Notice 

What Is Covered by this Notice? 

This Notice specifically addresses and applies to: 

  • individual patients and potential Trial participants in connection with our Trials and use  of our experimental pharmaceutical products and/or future commercialized  pharmaceutical products (if any); 
  • health care providers and other study site personnel, in connection with our Trials.

What Is Not Covered by this Notice? 

  • Human Resources Personal Data 

This Notice does not apply to Personal Data collected by any other means or in different  contexts, such as the Personal Data of our employees, job applicants, contractors,  business owners, officers, directors, or staff of Vigil.  

  • Website Visitors 

This Notice does not apply to Personal Data of the website visitors of www.vigilneuro.com. If you want to learn how we process Personal Data of our website  visitors, please read our website Privacy Policy.  

  • Information Which Does Not Constitute Personal Data 

If we maintain information in a manner that cannot reasonably identify, relate to,  describe, be capable of being associated with, or be linked, directly or indirectly, with a  particular individual or household, such information is not considered Personal Data and this Notice will not apply to our processing of that information. For clarity, this does not  apply to pseudonymized data of Trial participants, which is considered Personal Data and  will be treated as such.

4. Controllership 

Within the scope of this Notice, Vigil generally acts as a data controller for the Personal Data processed in the context of the Trials we sponsor. This means that we alone determine the  purposes and means of the processing of your Personal Data.  

In some jurisdictions, we may be considered a “joint controller” with another organization, such  as the study site (for example, a hospital or medical office) where the Trial is being conducted.  This means that we jointly, together with the other organization, determine the purposes and  means of the processing of your Personal Data. If you would like to know more about any other  data controllers who might be joint controllers together with Vigil, you may ask your study doctor  or the study site for further details specifically relating to the Trial that you are participating in.

5. Categories of Personal Data 

Personal Data of Individual Trial Participants 

Personal Data is collected by the clinic or other healthcare facilities where the Trial is being  conducted or other third parties, such as your general medical practitioner. The personal data  that is collected may include your name, phone number, physical address, email address and  information about your Trial location (i.e., study site). However, even though Vigil is a data  controller for the Personal Data processed in the context of our Trials, Vigil itself does not collect  directly identifiable Personal Data, meaning that we are unable to directly identify you  personally from the information we are collecting.  

When any information relating to you is shared with us, it will first be key-coded (also known as  “pseudonymized”) so that it is only linked to a study patient number and not to any direct  personal identifier (such as your name). The key necessary to decode your information is stored  securely at the Trial location and is not shared with Vigil. 

To comply with legislation governing the Trial, Vigil may appoint a site monitor or inspector to  review your identifiable information at the site or remotely via a secure online portal. The site  monitor and/or inspector will not collect nor remove your information from the site and will not  disclose your identity to Vigil. 

The following types of information listed below are also collected by the healthcare providers at  the site and will be shared with Vigil and our service providers. This information is key-coded and  neither Vigil nor our service providers can identify you from this information: 

  • basic identifying information, such as your unique Trial ID, age, sex, ethnicity, and race; and 
  • health information, such as your medical history, current health status and reaction to  the Trial drug or treatment. 

The Informed Consent Form you signed when you joined the Trial will detail which information  is collected from you, how it will be processed and analysed, and for how long it will be stored.  You can ask your study doctor if you are unsure whether any specific information that you are  being asked to provide is required as part of your participation in the Trial. 

Personal Data of Healthcare Providers Participating in a Trial 

We may collect the following types of Personal Data about healthcare providers in the context of  our Trials: 

  • basic identifying information, such as your first and last name; 
  • contact information, such as your phone number, physical address and email address; 
  • professional and employment-related information, such as your qualifications and job  titles; and/or 
  • location information, such as the location of your testing site and Trial location (i.e., study  site).

6. How We Receive Personal Data 

We receive your Personal Data when: 

  • you provide it directly to us (including when you provide your Personal Data to one of our  service providers acting on our behalf); 
  • a study doctor (also known as an “investigator”) or other healthcare personnel at the  study site provides it to us, or your healthcare provider provides it to us; 
  • we receive it from the clinical research organization that conducts the Trial on our behalf;
  • you visit one of the Trial-specific websites or online portals; and 
  • you provide it to us, the clinical research organization, or a study doctor when you  complete a pre-screening questionnaire to confirm your eligibility to participate in the  Trial.

7. Purposes of Processing 

Personal Data of Individual Trial Participants 

We process the Personal Data of individual Trial participants for the purposes of: 

  • enabling your participation in the Trial; 
  • managing and facilitating the Trial;
  • developing new medicinal drugs or health treatments; 
  • complying with legislation governing Trials; 
  • communicating with you on the status of the Trial; 
  • monitoring and reporting on any adverse events, such as negative side effects; answering the research questions for the Trial and aggregating data to generate statistics  relating to the Trial and/or study drug or health treatment;  
  • disclosing your Personal Data to the appropriate regulatory authorities, auditors, and  ethics committees, if required by law; and/or 
  • processing your requests to exercise your data protection rights. 

We also process your Personal Data for the specific purposes described in the Informed Consent  Form provided to you by Trial personnel. 

Personal Data of Healthcare Providers Participating in a Trial 

We process the Personal Data of healthcare providers in the context of our Trials for the purposes  of: 

  • confirming your qualifications and experience in order to comply with the suitability  requirements for individuals conducting Trials in terms of clinical trials legislation;
  • managing and facilitating the Trial; 
  • communicating with you on matters regarding the Trial;  
  • complying with legislation governing the Trial; and 
  • processing your requests to exercise your data protection rights.

8. Basis of Processing 

We may process your Personal Data on the basis of: 

  • Consent: We may rely on your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history. 
  • Contract: We may process your Personal Data to fulfill a contract we have with you.
  • Legitimate Interests: We may process your Personal Data based on our legitimate  interests in facilitating and managing our Trials. 
  • Compliance with Legal Obligations: We may need to process your Personal Data for us  to comply with applicable laws or regulations, such as the laws regulating the safety and  reliability of our Trials. 
  • Public Interest: We may process your Personal Data for reasons of public health interests  to ensure adequate standards of quality and safety of the drugs or treatments we are  developing.

Where we process your Personal Data, based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew  your consent. It will also not affect processing performed on other lawful grounds. If you  withdraw your consent, you may be ineligible to participate in the Trial.  

Where we receive your Personal Data as part of a contract we may have with you, we require  such Personal Data to be able to carry out the contract. Without that necessary Personal Data,  we will not be able to fulfill our contractual obligation towards you. 

Where we process Personal Data on the basis of our legitimate interests, we will always do so  after a careful assessment which requires balancing your right to privacy and our legitimate  interests. You have the right to ask us more about how we decided to choose this legal basis. To  do so, please use the contact details provided in the Identity and Contact Information section  above.  

Since we process special categories of Personal Data, such as your health status, medical history,  race and ethnicity, the EU General Data Protection Regulation (“GDPR”) and the United Kingdom  General Data Protection Regulation (“UK GDPR”) requires that we must have an additional legal  ground to process this type of information. Vigil may process your special categories of Personal  Data on the basis of your explicit consent, where the processing is necessary for reasons of public  interest in the area of public health or where the processing is necessary for archiving purposes  in the public interest, scientific or historical research purposes, or statistical purposes. Where we  rely on your explicit consent, you may withdraw your consent at any time. 

The specific grounds on which we process your Personal Data, including special categories of  data, may vary somewhat from the above in order to comply with the requirements of local laws  in jurisdictions where we sponsor Trials. If you are a participant in a Trial, please refer to the  Informed Consent Form you signed when you joined the Trial for more information about the  legal grounds on which we process your Personal Data. 

9. Automated Individual Decision-Making 

If you participate in a Trial we sponsor, you will be assigned a unique patient identification  number. For a given Trial, this number may be used as part of an automatic process that randomly  determines if you will receive the experimental drug product or treatment that is being evaluated  in the Trial, or if you will receive a different treatment. This type of automated decision-making  is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with  the pharmaceutical industry’s standards.

For decisions that may seriously impact you, you have the “right not to be subject to automatic  decision-making, including profiling". But in those cases, we will always explain to you when we  might do this, why it is happening, and the potential effect on you. 

10. Data Retention 

We will retain your Personal Data for as long as is necessary to fulfill the purpose for which we  collected your Personal Data (listed above) and any other permitted linked purpose, and in  compliance with our data retention policies as applicable from time to time. For example, we will  retain and use your Personal Data to the extent necessary to comply with our legal obligations  (for example, if we are required to retain your data to comply with applicable laws), resolve  disputes, and enforce our legal agreements and policies.  

Once your information has been entered into the Trial records, we cannot remove it without  affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least 25 years after the conclusion of the Trial. We will ensure that your Personal Data is  safeguarded at all times.  

11. Sharing Personal Data With Third Parties 

We may share Personal Data with our service providers who process Personal Data on our behalf,  and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing  as described in Section 7 above, or as required by law. Our service providers may include parties  providing the following, either currently or in the future: 

  • contract/clinical research organization services; 
  • patient recruitment services;  
  • electronic data capture software and hardware; 
  • laboratory services; 
  • trial oversight, imaging and digital patient services; 
  • quality assurance, safety and pharmacovigilance software and related services; data storage and archiving software and related services; 
  • data analytics and reporting software and services; 
  • services related to the collection, storage, testing, and transportation of biological  material; 
  • software that randomly decides which dose level or treatment you will receive during the  Trial; 
  • file management and security; and 
  • logistics and transport service providers.

12. Transfers of Personal Data from the EU/EEA 

The GDPR only allows us to transfer Personal Data outside of the European Union (“EU”) or the European Economic Area (“EEA”) if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to EU law.  

Vigil is located in the United States. Some of our third-party service providers described above  may also be located in countries outside of the EU/EEA. In some cases, the European Commission  may have determined that the laws of certain countries provide a level of protection to Personal Data. You can see here the list of countries that the European Commission has recognized as  providing an adequate level of protection to Personal Data.  

For transfers of Personal Data to third countries which are not recognized as providing an adequate level of protection, we will only transfer EU Personal Data to third parties in those countries when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the  GDPR.  

13. Transfer of Personal Data from the UK 

The UK GDPR only allows us to transfer Personal Data outside of the United Kingdom (“UK”) if  the country that the data is being transferred to offers an adequate level of protection for the  Personal Data which is equivalent to UK law.  

Some of our third-party service providers described above may also be located in countries  outside of the UK. In some cases, the UK Information Commissioner’s Office (the “ICO”) may have  determined that the laws of certain countries provide a level of protection to Personal Data. 

For transfers of Personal Data to third countries which are not recognized as providing an  adequate level of protection, we will only transfer UK Personal Data to third parties in those  countries when there are appropriate safeguards in place. These safeguards may include  Standard Contractual Clauses or other applicable transfer agreements, such as the International  Data Transfer Agreement, as approved by the ICO. 

14. Other Disclosure of Your Personal Data 

We may disclose your Personal Data:  

  • with regulators or competent authorities, to the extent necessary to comply with  applicable laws, regulations and rules (including, without limitation, federal, state or local  laws);
  • to the extent required by law, or if we have a good-faith belief that we need to disclose  it in order to comply with official investigations or legal proceedings (whether initiated  by governmental/law enforcement officials, or private parties);  
  • if, in the future, we sell or transfer, or consider selling or transferring, part or all of our  company, business, shares or assets to a third party, and we disclose your Personal Data  to such third party in connection with the sale or transfer; or 
  • in the event that we are acquired by, or merged with, a third party entity, or in the event  of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign  your Personal Data in connection with the foregoing events.  

If we have to disclose your Personal Data to governmental/law enforcement officials, we may  not be able to ensure that those officials will maintain the privacy and security of your Personal  Data. 

15. Data Integrity and Security 

We have implemented and will maintain technical, administrative, and physical measures that  are reasonably designed to help protect Personal Data from unauthorized processing. This  includes unauthorized access, disclosure, alteration, or destruction. 

16. Your Data Protection Rights  

You have specific rights regarding your Personal Data that we collect and process.  

For individual patients: to exercise the rights we explain below, please first speak with your study  doctor instead of contacting us directly.  

To exercise your data protection rights, please email us at dataprivacy@vigilneuro.com. Provide  as much information that you consider fit to help us identify you and swiftly treat your request. 

Right to Know What Happens to Your Personal Data 

This is called the “right to be informed”. It means that you have the right to obtain from us all  information regarding our data processing activities that concern you (or your child), such as how  we collect and use your Personal Data, how long we will keep it, and who it will be shared with,  among other things. 

We are informing you of how we process your Personal Data with this Notice. 

Right to Know What Personal Data Vigil Has About You 

This is called the “right of access”. This right allows you to ask for full details of the Personal Data  we hold about you.

Once we receive and confirm that the request came from you or your authorized agent, we will  disclose to you: 

  • the categories of your Personal Data that we process; 
  • the categories of sources for your Personal Data; 
  • our purposes for processing your Personal Data; 
  • where possible, the retention period for your Personal Data, or, if not possible, the criteria  used to determine the retention period; 
  • the categories of third parties with whom we share your Personal Data; if we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; 
  • the specific pieces of Personal Data we process about you in an easily sharable format; the categories of parties that received your Personal Data from us;  
  • if we rely on legitimate interests as a lawful basis to process your Personal Data, the  specific legitimate interests; and 
  • the appropriate safeguards used to transfer Personal Data from the EEA to a third  country, if applicable. 

Under some circumstances, we may deny your access request. In that event, we will respond to  you with the reason for the denial.  

Right to Correct Your Personal Data  

This is called the “right to rectification”. It gives you the right to ask us to correct anything that  you think is wrong with the Personal Data we have on file about you (or your child), and to  complete any incomplete Personal Data.  

Right to Delete Your Personal Data 

This is called the “right to erasure”, “right to deletion”, or the “right to be forgotten”. This right  means you can ask for your Personal Data to be deleted. 

Sometimes we can delete your information, but other times it is not possible for either technical  or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also  inform you of our reason for denying your deletion request. 

Right to Ask Us to Limit How We Process Your Personal Data 

This is called the “right to restrict processing”. It is the right to ask us to only use or store your  Personal Data for certain purposes. You have this right in certain instances, such as where you  believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data 

This is called the “right to object”. This is your right to tell us to stop using your Personal Data.  You have this right where we rely on a legitimate interest of ours (or of a third party). You may  also object at any time to the processing of your Personal Data for direct marketing purposes. 

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate  grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to  continue processing your Personal Data to establish, exercise, or defend a legal claim. 

Right to Port or Move Your Personal Data 

This is called the “right to data portability”. It is the right to ask for and receive a portable copy  of your Personal Data that you have given us, so that you can: 

  • move it; 
  • copy it; 
  • keep it for yourself; and/or 
  • transfer it to another organization. 

We will provide your Personal Data in a structured, commonly used, and machine-readable  format. When you request this information electronically, we will give you a copy in electronic  format. 

Right Related to Automated Decision Making 

We sometimes use computers to study your Personal Data. For decisions that may seriously  impact you, you have the right not to be subject to automatic decision-making, including  profiling. But in those cases, we will always explain to you when we might do this, why it is  happening and the effect. 

Right to Withdraw Your Consent 

Where we rely on your consent as the legal basis for processing your Personal Data, you may  withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data  before you withdraw is still lawful. 

As discussed above, if we requested your consent to process your Personal Data, you have the  right to withdraw your consent at any time. However, this will not affect the lawfulness of our  processing before you withdrew your consent. It will also not affect processing performed on  other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the  Trial. 

Right to Lodge a Complaint with a Supervisory Authority 

If the GDPR applies to our processing of your Personal Data, you have the right to lodge a  complaint with a supervisory authority if you are not satisfied with how we process your Personal  Data.  

Specifically, you can lodge a complaint with the competent supervisory authority in the Member  State of the European Union of your habitual residence, place of work, or the alleged violation of  the GDPR, or in the United Kingdom, with the UK Information Commissioner’s Office, in case of  violation of the UK GDPR. 

17. Changes to this Notice 

If we change this Notice, we will publish the revised Notice on our website. We will also update  the “Effective” date.