Introduction

Celcuity Inc. (referred to as “Celcuity”, “We”, “Our” or “Us”) is committed to protecting the privacy and security of your personal information.

This Privacy Notice (Notice) applies to Healthcare Professionals (HCPs) and representatives of Healthcare Organisations (HCO) in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK) with whom we interact in connection with our clinical, scientific, and business activities. As the individual whose Personal Data is collected, you may be referred to as the “data subject” throughout this Notice.

Please note that a separate Privacy Policy is available for website users and other third parties, available here.

The purpose of this Notice is to explain:

  • What Personal Data we collect about you;
  • How and why we use it;
  • The lawful basis for processing under applicable Data Protection Legislation;
  • With whom we share your data;
  • How long we retain it; and
  • The rights you have in respect of your Personal Data.

This Notice should be read together with any other privacy communication we may provide to you on specific occasions when we are collecting or processing Personal Data about you, so that you are aware of how and why we are using such information.

You have been directed to or otherwise sent a copy of this Notice because you are either a Healthcare Professional with whom we engage, or you are acting as a representative or contact person for a healthcare organisation (HCO). This Notice makes you aware of how and why your Personal Data will be used, and how long it will usually be retained for. It provides you with certain information that must be provided under Data Protection Legislation and explains how your Personal Data will be processed. If anything in this Notice conflicts with local law in your jurisdiction, local law prevails.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Aggregated Data: Data derived from your Personal Data but no longer identifying you (e.g. statistical or demographic data). If Aggregated Data is combined with Personal Data so that you can be identified, we treat it as Personal Data.

Data Controller: The organisation that determines the purposes and means of processing Personal Data. For the purposes of EU GDPR and UK GDPR, Celcuity acts as Data Controller.

Data Protection Legislation: Refers to the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018, the Privacy and Electronic Communications Regulation 2003 (“PECR”), and any successor or local data protection laws.

Data Processors: Third parties engaged by Celcuity to process Personal Data on our behalf and under our instructions.

Data Protection Legislation

European Union and European Economic Area
In the European Union (“EU”) and European Economic Area (“EEA”), Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’), the ePrivacy Directive (Directive 2002/58/EC), as well as any local data protection implementation laws, including any replacement legislation coming into effect from time to time.

United Kingdom
In the United Kingdom (“UK”), Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’), the Data (Use and Access) Act 2025 and any legislation implemented in connection with the aforementioned legislation, including any replacement legislation coming into effect from time to time.

Other Jurisdictions
Depending on your jurisdiction, additional Data Protection Legislation may apply. If you have any questions, you can contact our DPO using the details in the Contact Us section below.

Controllership
Celcuity is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated. We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. We have also designated an EU and UK representative. For further details on how you can contact our DPO or representatives, please see the Contact Us section below.

The Personal Data we collect about you

We may collect the following categories of Personal Data, depending on the nature of our interactions with you:

Personal Data Category and Purpose for Data Processing
Contact details (example: your name, nationality, postal address, telephone number, e-mail address)
  • To communicate with you about any proposed clinical trial
  • To respond to your queries.
  • To allow and document the distribution of product samples to you.
  • To invite you to academic, scientific and promotional meetings, events and seminars linked to your medical expertise.
  • To enable us to send direct marketing to you regarding medical and scientific updates, corporate information and/or our products and services.
  • To ask you to participate in surveys.
  • To contact relevant professionals with a view to future collaboration.
  • To manage your participation in the study and the participation of the investigative site.
  • To support applications for approval of the product under investigation.
Identity Information (example: your name, DOB, photographs, driving licence, passport, professional licence number, or government ID number)
  • To verify your identity in the scenario that we invite you to an event or where you may participate in interviews, panel discussions, to act as an ambassador or as speaker on a specialist topic of a study we Sponsor.
Financial Information (example: bank account details, financial information, salary and expenses details)
  • To process payments and reimbursements
  • To comply with tax and financial reporting.
Employment history (example: job titles, location of employment/workplace, employment history, working hours)
  • To retain information of relevant professionals with a view to future collaboration.
  • To ask relevant professionals and institutions if they wish to participate in clinical trials.
  • To assist with identification of any potential conflict of interests where you may have affiliations with specific institutions or entities.
Financial Disclosure Information (example: any financial interests that you or your spouse and dependent children may have in the Sponsor or technologies adjacent to the clinical trial, the identities of your spouse and dependent children)
  • To ascertain whether you and/or your spouse and dependent children stand to financially benefit from the success of the clinical trial.
  • To comply with federal, state, or sectoral obligations related to financial disclosure, or to otherwise comply with applicable laws.
Professional Credentials (example: training records, qualifications and professional memberships)
  • To maintain a database of professionals working in areas of interest related to our research.
  • To ensure that the professionals hold appropriate qualifications and professional memberships to be involved with a clinical trial.
  • To allow us to assess and validate your professional expertise, competence and suitability for conducting and/or being involved in the clinical trial.
  • To allow us to verify you meet specific regulatory criteria.
Research-Related Data (example: research interests and output)
  • This includes details about your professional involvement in other clinical trials, research results, previous studies, and areas of expertise to help us evaluate your suitability for specific clinical trials.
  • To obtain your feedback and professional insights (including through advisory boards, market research and survey tools) on:
    (i) what is important to you and/or your patients;
    (ii) important trends in patient management in your area of expertise;
    (iii) how Celcuity and our products are perceived by you; and
    (iv) how we can further evolve and customise our services and products.

Details for Adverse Event Reporting
  • If you report an adverse event in relation to a Celcuity product, the information you provide (including your name, contact details, professional information and your opinions) will be documented and retained for purposes of dealing with the adverse event and to comply with the law.

We also collect, use, and share Aggregated Data for purposes such as analysing website usage or service performance. Aggregated Data does not identify you directly. However, if we combine or link Aggregated Data with your Personal Data in a way that could identify you, we treat the combined data as Personal Data and handle it in line with this Notice.

How we collect your Personal Data

We collect Personal Data directly from you when you:

  • Engage with us in connection with clinical trials or research;
  • Communicate with us via phone, email, or other channels;
  • Provide us with professional information such as your CV or publications.

We may also obtain Personal Data from:

  • Publicly available sources;
  • Business partners and third-party providers (e.g. professional registries, scientific publications);
  • Healthcare Organisations and institutions.

Providing your Personal Data to Celcuity is voluntary but it is necessary if you are to take part in any of our clinical trial activities. Should you choose not to provide your Personal Data to us, your interaction with us may be adversely impacted, you cannot take part in any of our clinical trial activities, and we will not be in a position to perform a contract with you.

How we use your Personal Data

We will only process your Personal Data when the law allows us to do so. We will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.

Where the lawful basis for processing is Consent, you are able to remove your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.

We may use your information for the following purposes:

Personal Data Category, Lawful Basis and Purpose

Personal Data Category:
  • Contact details
Lawful Basis: Our Legitimate Interest in contacting you to explore clinical research collaboration opportunities (GDPR, Article 6(1)(f))
Purpose: Clinical Research Outreach
Where you are an HCP involved in scientific fields relevant to Celcuity’s clinical research, to contact you to explore the possibility of engaging and collaborating with you further through Celcuity’s clinical research.

Personal Data Category:
  • Contact details
  • Financial information
  • Employment history
  • Professional Credentials
  • Research-Related data
Lawful Basis: Our Legitimate Interest in conducting clinical research (GDPR, Article 6(1)(f))
Purpose: Clinical Research
Where you are an HCP involved in the planning, delivery, or oversight of Celcuity clinical trials, to collect information from you and process your information, including through the use of artificial intelligence technologies, in order to conduct a clinical trial.

Personal Data Category:
  • Contact details
  • Details for Adverse Event Reporting
Lawful Basis: Legal Obligation (GDPR, Article 6(1)(c))
Purpose: Adverse Event Reporting
Where you are an HCP involved in the delivery, or oversight of Celcuity clinical trials, to collect information from you and process your information in relation to any Adverse Events that you report during the conduct of the clinical trial.

Personal Data Category:
  • Contact details
Lawful Basis: Our Legitimate Interest in seeking marketing authorisation for our products (GDPR, Article 6(1)(f))
Purpose: Marketing Approval
Where you are an HCP involved in the delivery of and have oversight of the clinical trial to support applications for and to comply with the conditions of any marketing approval granted in respect of any study drug and to assist with any term variations of marketing approvals.

Personal Data Category:
  • Contact details
Lawful Basis: Contractual Obligation (GDPR, Article 6(1)(b))
Purpose: Communication
Communicating with you and facilitating your communication with others.

Personal Data Category:
  • Contact details
  • Financial information
  • Employment history
  • Financial Disclosure information
  • Professional Credentials
Lawful Basis: Legal Obligation (GDPR, Article 6(1)(c))
Purpose: Legal Obligations
For the purposes of complying with legal, regulatory and other requirements, including, but not limited to: completing financial disclosures where required, complying with local employment, social security and occupational health laws and regulations; record-keeping and reporting obligations; and, complying with government inspections and other requests from government or other public authorities.

Personal Data Category:
  • Contact details
  • Employment history
  • Financial Disclosure information
  • Professional Credentials
  • Research-Related data
Lawful Basis: Vital Interest (GDPR, Article 6(1)(d))
Purpose: Vital Interest
Monitor your health in order to safeguard and protect you, or to act in your vital interest, or the vital interest of a third party.

Personal Data Category:
  • Contact details
Lawful Basis: Our Legitimate Interest in marketing our Services to you (GDPR, Article 6(1)(f))
Purpose: Marketing (Legitimate Interest)
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under UK PECR and/or EU ePrivacy legislation.

Personal Data Category:
  • Contact details
Lawful Basis: Your Consent (GDPR, Article 6(1)(a))
Purpose: Marketing (Consent)
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under UK PECR and/or EU ePrivacy legislation.

Personal Data Category:
  • Contact details
  • Identity Information
Lawful Basis: Our Legitimate Interest in contacting you to explore clinical research collaboration opportunities (GDPR, Article 6(1)(f))
Purpose: Event Attendance
Where you are an HCP and you attend an event attended or hosted by Celcuity as a specialist or expert to discuss the clinical trial at an event or where you may participate in interviews, panel discussions, to act as an ambassador or as speaker on a specialist topic of a study we Sponsor.

Personal Data Category:
  • Contact details
  • Employment details
Lawful Basis: Our Legitimate Interest in contacting you to explore clinical research collaboration opportunities (GDPR, Article 6(1)(f))
Purpose: Identifying HCP from Public Sources
We may collect personal data about you from publicly accessible sources, both public or private registries, and third-party databases. This may include your professional contact details, employment details, and other relevant background information. We may use this personal data to categorise you by area of specialisation, assess whether you and / or your institution is eligible to participate in clinical studies, and personalise our communications with you.

Criminal convictions and offences data

Depending on the jurisdiction in which you operate and on your specific role, we may collect information about your criminal convictions and offences. We do this to satisfy ourselves that there is nothing in your criminal convictions and offences history which makes you unsuitable for the role. Our roles require a high degree of trust and integrity, and it is therefore best practice to undertake such checks and a pre-requisite in some instances.

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.

Automated technologies and AI use

As part of our ongoing efforts to improve the efficiency and quality of our research and clinical trial activities, we may use artificial intelligence (AI) tools to support data analysis, communication, and system functionality. Some of these third-party software platforms and systems may process your personal data, such as the Microsoft o365 suite of applications, including Connected Experiences and Microsoft Copilot, an AI tool. Other systems utilised by us, such as ChatGPT, may also include AI features and functionalities that may process your personal data.

Throughout our professional relationship, your personal data may be processed within the Microsoft Office 365 suite of applications. This may include processing by Microsoft Copilot AI as part of Microsoft Connected Experiences, in accordance with Microsoft’s privacy and security standards. For more information about how Microsoft may process your personal data, see the Microsoft privacy statement which can be accessed here: https://www.microsoft.com/en-gb/privacy/privacystatement. If you have any questions or concerns about this processing, please contact our Data Protection Officer on the contact email address set out in the Contact Us section.

Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests to conduct clinical research. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.

The recipients of your Personal Data

Where necessary to fulfil the purposes described in this Notice, Celcuity may disclose your Personal Data to third-parties. Not all of these parties are located in the country where the clinical trial is conducted. Celcuity may therefore transfer your Personal Data to locations outside of your country of residence for the purposes described in this Notice.

Whenever Celcuity shares your Personal Data with third parties, such as companies acting as our authorised agents and service providers, these companies agree to use your Personal Data only for specified purposes and upon our instructions. Furthermore, the recipient will implement and maintain reasonable security procedures and practices appropriate to the nature of your information to protect your Personal Data from unauthorised access, destruction, use, modification or disclosure.

We will share your Personal Data with the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate safeguards. Categories of recipients include:

Category of Third-Party and Purpose for Disclosure
Our Subsidiaries and affiliated entities
  • Internal business requirements
  • To perform our obligations to you
Service Providers who work for, or provide services to us (including their employees, sub-contractors, officers, such as IT systems providers and IT contractors, payroll and HR system providers, employee expense management providers, pension administration / providers, benefits providers).
  • To support Celcuity’s commercial/business objectives.
  • IT performance-related monitoring, maintenance, or security.
  • Where we use third party services providers who process personal information on our behalf or provide services to us.
Cloud storage solutions
  • To store Celcuity data.
  • To ensure the safety and security of our data.
Law enforcement, government, courts, regulators, governmental or quasi-governmental organisations, tribunals and arbitrators.
  • To comply with our regulatory and legal obligations.
  • Celcuity’s legal duty to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights.
  • For example, Celcuity is required to provide immigration information to the Home Office and any information for the purposes of preventing and detecting fraud or crime (if necessary) to the police.
Professional Advisors, such as insurers, accountants, auditors or lawyers
  • To provide professional/expert advice in connection with our business objectives where necessary in the course of the professional services that they render to us or in connection with the clinical trial.
Other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents.
  • To meet our legal, regulatory and compliance obligations.
  • For example, Celcuity is required to provide tax-related information to HMRC.
Any prospective or new Celcuity companies (e.g. if we restructure, or acquire or merge with other companies) or any businesses that buy part of or all of Celcuity (including the rights to the study drug and all related data) to other Celcuity
  • In relation to compliance and completion of pre-merger or acquisition, consolidation, corporate divestiture, restructuring or liquidation/dissolution due diligence.

If this occurs the new owners of the business will only be permitted to use your information in the same or similar way as set out in this privacy notice.

Potential or future employers
  • Where you have requested that we provide a reference for you to your new employer
Other researchers, research institutions, collaborators, licensees, and strategic partners
  • Prior to and during your involvement in the clinical trial, to the extent that it is necessary for the satisfactory conducting of and completion of the clinical trial.

How long we keep your Personal Data

We will only retain your Personal Data for as long as required under applicable local, state, national and/or international laws, rules and/or regulations, which may be for a period of up to 25 years after completion of the clinical trial and to fulfil the purposes we collected it for, including for the purposes of any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event where we receive a complaint and we reasonably believe there is a prospect of litigation in respect to our relationship with you, or there is an investigation and proceedings.

International transfers of your Personal Data

Celcuity is headquartered in the USA. Accordingly, your Personal Data may be transferred outside of the country in which you interact with Celcuity, including to countries whose data protection laws substantially differ from the country in which you work or reside and may not provide the same level of data protection as in your country of residence. To accomplish the purposes described in this Notice, we may also disclose and transfer Personal Data to personnel and other departments throughout Celcuity, or to service providers and/or collaborators, licensees and strategic partners based overseas. To the extent that your Personal Data is shared with service providers, Celcuity affiliates or other third parties processing Personal Data on our behalf which are located outside your country of residence (e.g., your Personal Data may be transferred or accessed by Celcuity and its affiliate entities in the United States of America), Celcuity shall seek to maintain confidentiality as required within the limits of local laws in these countries.

Whenever we are required to transfer your Personal Data out of the UK or EEA, we ensure that at least one of the following safeguards is implemented:

  • transferring your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission [1].
  • using specific approved contracts which give Personal Data the same protection it has in Europe, including standard data protection clauses approved by the European Commission [2] and/or the UK government [3], providing adequate protection of Personal Data.

Please contact our DPO using the details in the Contact Us section below if you would like further information on the specific mechanism used by us when transferring your Personal Data out of the EEA or UK.

[1] For more information, see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[2] For more information, see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
[3] For more information, see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

How we protect your Personal Data

Celcuity will implement appropriate technical and organizational security measures necessary to adequately safeguard your Personal Data. These safeguards will include:

  • Access to Personal Data is restricted and provided only where necessary, to those employees, agents, contractors and other third parties who have a business need-to-know.
  • All employees handling Personal Data receive security and data protection awareness training, will only process your Personal Data on our instructions and are subject to a duty of confidentiality.
  • Employees with access to Personal Data are given the least privilege required.
  • We have robust procedures in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
  • A disciplinary policy is enforced to prevent unauthorised access.
  • Where technically feasible, data is encrypted in transit and at rest.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Where we do not have a reason or legal obligation to retain your Personal Data, it will be deleted in accordance with the relevant section of our Data Protection Policy.

In some circumstances you can ask us to delete your data: see your legal rights below for further information.

In some circumstances we will anonymise your Personal Data (so that it is no longer your personal information as it cannot be associated with you) for research or statistical purposes, in which case we may use and retain this information indefinitely without further notice to you.

Your rights regarding your Personal Data

Subject to certain limitations and exclusions under applicable laws, you may be entitled to contact us and request to exercise your rights in respect of your Personal Data. You may have the right to request confirmation as to whether Celcuity is processing your Personal Data, and if so:

  • To request information relating to the categories of data involved, purposes of processing, recipients of your data, retention periods/criteria, and your rights as a Data Subject.
  • To request access to your Personal Data that Celcuity is processing.
  • To request Celcuity rectifies any inaccurate or incomplete Personal Data that Celcuity is processing about you.
  • To request erasure or restriction of processing of any Personal Data that Celcuity is processing about you, subject to certain exceptions.
  • To obtain a copy of your Personal Data in a commonly-used and machine-readable format and have it ported to another data controller.
  • To object to the processing of your Personal Data in certain circumstances.
  • To request your information not be sold or otherwise disclosed to a third-party.
  • To lodge a complaint with your local Data Protection Authority or Supervisory Authority.

If you are in the UK, you have the right to lodge a complaint directly with us at any time, or you may lodge a complaint with the Information Commissioner’s Office (ICO) https://ico.org.uk/, the UK supervisory authority for data protection.

If you are in the EU or EEA, you also have the right to lodge a complaint at any time with the relevant supervisory authority responsible for data protection. For a list of the relevant supervisory authorities, please see https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

To exercise any of the rights described above, please email us using the details in the Contact Us section below with a description of your request.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

Your duty to inform us of changes

It is important that the Personal Data we hold about you is accurate and current. You are responsible for making sure the information you give us is accurate and up to date. You must tell us if anything changes, as soon as possible.

Providing us with other people’s Personal Data

If you give us any Personal Data that does not relate to you (e.g., information about your next of kin/dependants), you must ensure that you have the required legal basis to collect and share their Personal Data. You must also tell them what information you have given to us, and make sure they agree we can use it as set out in this Notice. You must also tell them how they can see what information we have about them, correct any mistakes or request copies of their information.

Updates to this Privacy Notice

We may change this privacy notice from time to time (for example, if the law changes). Any changes become effective when we publish an update to this Notice. If there are significant changes, we may contact you to notify you of the update. We recommend that you check this notice regularly to keep up-to-date.

Contact Us

If you have any questions about this Notice, the use of your data, or if you would like to make a request to exercise your data protection rights, please contact the Data Protection Officer using the details set out below.

By email: dpo@celcuity.com
By telephone: +4402037971289
By post: Dr. Lawrence Carter, The DPO Centre Ltd., 50 Liverpool Street, London, UK, EC2M 7PY

If you are in the EU or the UK, you can contact Celcuity through our EU Representative or UK Representative.

Celcuity’s EU Representative is The DPO Centre, who can be contacted:

By email: eurep@celcuity.com
By telephone: +34919053074
By post at: Calle Méndez Álvaro 20, Madrid, 28045, Spain

Celcuity’s UK Representative is The DPO Centre, who can be contacted:

By email: ukrep@celcuity.com
By telephone: +442037971289
By post at: 50 Liverpool Street, London, EC2M 7PR