Privacy

LAST UPDATED: 30 May 2024

1. Introduction

1.1 This Privacy Policy applies to all personal information that Evidentli Pty Ltd (ACN 626 225 947), a company incorporated in New South Wales, Australia (we, us, our, Evidentli) collects in connection with the operation of our software platforms called Evidence Hub and Private Hub (together, the Evidentli Platforms). You can read more about the Evidentli Platforms and our other platforms, including Piano at https://www.evidentli.com/technology.

1.2 We provide the Evidentli Platforms across a number of different countries; we may therefore be subject to different privacy and data protection laws depending on the locations of the individuals identified below under ‘Who we collect personal information from’ (you, your).

1.3 For example, we may be required to comply with one or more of the Australian Privacy Principles (APPs) contained in Schedule 1 to the Australian Privacy Act 1988 (Cth) (Privacy Act AU), the New Zealand Privacy Act 2020(Privacy Act NZ), the Information Privacy Principles (IPPs) contained in Part 3 of the Privacy Act NZ, the UK GDPR and Data Protection Act 2018 (UK Data Protection Law) and the California Consumer Privacy Act 2018 amended byProposition 24, California Privacy Rights Act 2020 (CPRA).

1.4 We are committed to complying with our obligations under all applicable privacy and data protection laws that apply to the collection, disclosure and processing of your personal information.

1.5 If we decide to change this Privacy Policy, we will post the updated version on this webpage so that you will always know what personal information we gather, how we might use that information, where we store it and whether we will disclose it to anyone. Our policy is to be open and transparent about our privacy practices.

2. Evidence Hub and Private Hub

2.1 The Evidentli Platforms are collaborative repositories for health research and discussion. End Users can transfer their work from Piano and other sources into the Evidentli Platforms. End Users can also create workflows and post in forums to enable discussion amongst other End Users.

2.2 Evidence Hub is a software-as-a-service platform hosted by us or on our behalf. In addition to End Users being able to transfer work from Piano to Evidence Hub, they can also connect other software applications to Evidence Hub via APIs or using our open source tool, Hub Agent.

2.3 Private Hub is a private version of Evidence Hub that is installed and hosted by or on behalf of an Evidentli customer in their nominated compatible hosting environment. Unlike Evidence Hub, which is accessible to any person subscribes to Evidence Hub, Private Hub is only accessible by an Evidentli customer's End Users.

3. End User and Other Data Subject personal information

3.1 Evidence Hub is not designed to process any health information about any individual.

3.2 In the course of its normal operations, Piano exchanges meta data with Evidence Hub. Evidence Hub provides version history, collaboration and billing services to Piano. Unlike Piano and Private Hub, Evidence Hub is hosted by Evidentli, not the customer.

3.3 Meta-data is information that is generated in Piano that is not clinical data nor derived from clinical data (i.e aggregate data). Examples of meta-data are:

(a) an analytic workflow;

(b) the inclusion criteria for patients in a study. For example, the statement “all patients with a condition 'SNOMED 44054006; Diabetes mellitus type 2 (disorder)”;

(d) which statistical tests used to compare cohorts, for example “odds ratio”;

(e) the amount of data (in GB) managed by the data warehouse;

(f) the number of users on the system.

3.4 The following are not meta-data and are not exchanged with Evidence Hub:

(a) any information about any patient or clinician, identifying or otherwise;

(b) patient ID number;

(d) aggregate information calculated from any of the above (such as the percentage of male patients).

4. Who we collect personal information from

4.1 In the course of operating Evidence Hub and Private Hub, we collect personal information about:

(a) End Users, being individuals that are our customers' personnel or other individuals so authorised by our customer to access Evidence Hub or Private Hub; and other persons who subscribe to Evidence Hub; and

(b) Other Data Subjects, being individuals other than End Users whose personal information has been entered into an Evidentli Platform by an End User, for example, when using the functionality in Evidence Hub to comment on an analytics object of a Piano workflow.

4.2 The Evidentli Platforms are not targeted at individuals under the age of 18 and we do not knowingly collect data from or about such individuals.

5. The personal information we collect and how we use it

5.1 Categories of Personal Information

We collect the following types of personal information:

(a) information collected when licensing or distributing the Evidentli Platformsor access to them, to a customer: We collect contact details of customer personnel including names and contact information of customer personnel who will become End Users of the Evidentli Platforms; and

(b) information entered into Evidence Hub: If an End User enters any personal information about any Other Data Subjects into Evidence Hub, for example, when using the functionality in Evidence Hub to comment on an analytics object of a Piano workflow, this information will be held in the Evidence Hub database and accessible to us.

(c) user credentials (for web subscriptions): When any person subscribes to Evidence Hub (via the web) we collect their email address, username and full name.

(d) user credentials (for user accounts automatically registered via an API): In some cases, user accounts can be automatically created via an API. In such circumstances we will collect the user's email address, full name, which object handler(s) the user is associated with and the automatically generated username;

(e) anonymous usage data: When any person uses Evidence Hub, we will collect the time and routes of pages being viewed and any interactions with any API. Our logs are anonymised and do not identify any person;

(f) API data: When any of our APIs are used, we collect the API request, the API key (and associated users) and the data associated with any Evidence Hub objects created;

(g) Piano data: Any of the above data may also be collected from Piano where such data is collected in the course of the operation of Piano;

(h) information collected during support and maintenance: in the course of providing our support and maintenance services to any person we may access the person's account and, where applicable, copy or instance of the relevant Evidentli Platform. The Evidentli Platform database includes personal information about End Users and Other Data Subjects.

5.2 We will only use personal information in a lawful manner. In most cases, we only use personal information for the purpose for which it was collected, or where we reasonably consider that we need to use the personal information for another reason and that reason is compatible with or related to the original purpose.

5.3 If we need to use your personal information for an unrelated purpose, where required by applicable law, we will notify you and explain the legal basis which allows us to do so.

5.4 We set out in the table below a description of the ways we use or intend to use your personal information, and the legal bases we rely on to do so.

5.5 Please note that we may process your personal information for more than one lawful ground, depending on the specific purpose for which we are using your data. Please contact us if you require details about the specific legal grounds we are relying on to process your personal information where more than one ground has been specified in the table below.

Data Subject	Type of data	Lawful basis for processing including basis of legitimate interest	Purposes/Activities
End Users	(a) Identity (b) Contact (c) Technical (d) Profile (e) Usage (f) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests, in order to operate, administer and grow our business. (c) Compliance with our legal and statutory obligations. (d) With your consent	(a) To verify your eligibility to use the Evidentli Platforms. (b) To use data analytics to improve the Evidentli Platforms. (c) To make suggestions and recommendations to you about other Evidentli platforms that may be of interest to you. (d) To communicate with you about your current and prospective use of the Evidentli Platforms, including to discuss and implement any software development requirements where applicable. (e) To respond to your queries, complaints, and/or feedback. (f) To provide you with technical support and maintenance services, including telephone and email support.
Data Subjects about whom End Users provide us with their personal information	Categories of personal information as determined by the End User.	(a) Necessary for our legitimate interests, in order to operate, administer and grow our business. (b) Compliance with our legal and statutory obligations.	(a) To provide the functionality of the Evidentli Platforms, including for the purpose of discussing Piano objects and workflows. (b) To improve the Evidentli Platforms. (c) After de-identifying the information, for statistical purposes and to carry out data analytics. (d) To provide support and maintenance services to End Users, including telephone and email support.

5.6 Marketing

(a) You may receive marketing communications from us if you have requested information from us or purchased products and/or services from us and you have not opted out of receiving that marketing communication from us.

(b) We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

(c) You may opt out at any time from the use of your personal information for direct marketing purposes by emailing us or by clicking on the “Unsubscribe” link located on the bottom of any of our marketing emails.

5.7 Aggregated and De-Identified Data

(a) We also collect, use and share de-identified aggregated data such as statistical or demographic data for our business purposes. Aggregated data could be derived from personal information but is not considered personal information because it is not capable, directly or indirectly, of revealing a person's identity. For example, we may aggregate End User usage data to calculate the percentage of End Users accessing a specific feature of the Evidentli Platforms. However, if we combine or connect aggregated data with other information so that it can directly or indirectly identify a person, we treat the combined data as personal information, and will only use it in accordance with this Privacy Policy.

(b) We do not collect any ‘special categories of personal information’ (for the purposes of the UK Data Protection Law) or ‘sensitive personal information’ (for the purposes of the Privacy Act AU) about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. Please do not enter any such information into the Evidentli Platforms.

5.8 Consents

(a) We rely on our customers to obtain all relevant privacy consents and authorisations from End Users and for them and End Users to obtain all relevant privacy consents from any other person (including Other Data Subjects) required by law, in order for the personal information that is entered into the Evidentli Platforms to be collected, disclosed and otherwise processed by us in accordance with this Privacy Policy.

(b) We also rely on our customers to ensure that all personal information about End Users and Other Data Subjects entered into the Evidentli Platforms by such End Users that is held by us is accurate, up to date, complete, relevant and not misleading.

(i) you are authorised by that person to provide their personal information to us, where such authorisation is required by applicable law;

(ii) you have referred them to this Privacy Policy and obtained their express consent to us collecting, using and disclosing their personal information in accordance with this Privacy Policy, where required by applicable law; and

(iii) you have complied with all applicable privacy legislation in collecting and disclosing the personal information to us.

6. If you do not provide your personal information

6.1 We do not permit access to the Evidentli Platforms on an anonymous basis.

6.2 Where we need to collect personal information by law, under the terms of a contract we have with a customer, or in order to identify you as an End User of the Evidentli Platforms, and you do not provide that personal information when requested, we may not be able to perform the contract we have in place with the customer. In this case, you will not be able to continue to use the Evidentli Platforms.

6.3 However, in certain cases, you may object to providing us with certain information. For example, if you are providing us with general feedback about the Evidentli Platforms or making a sales enquiry about the Evidentli Platforms, you may opt to contact us anonymously or use a pseudonym.

7. How we collect your personal information

7.1 Our policy is to not collect personal information by means that are unfair or unreasonably intrusive in the circumstances. It is also our policy to collect personal information directly from the data subject about whom the personal information relates, where it is practicable for us to do so, for example, where you enter personal information of another individual into the Evidentli Platforms. We use different methods to collect data from and about End Users including through:

7.2 Direct Interactions

7.2.1 You may provide us with your personal information by completing forms or by corresponding with us by post, phone, email or otherwise. This includes personal information you provide when you:

(a) enquire about using our products or services;

(b) enter into a business relationship with us;

(d) request marketing materials be sent to you;

(e) enter a competition, promotion or survey; or

(f) give us feedback or contact us.

7.3 Automated technologies or interactions

(a) As you interact with our websites and platforms, we will automatically collect technical data about your equipment, browsing actions and patterns. The type of data we collect includes search, date and time logs, and your interactions with a platform's user interface.

(b) We collect this personal information by using APIs (including via Piano) cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites that use our cookies. Further details about our use of cookies are provided below.

7.4 Third parties or publicly available sources

We may receive personal information about an End User or a Data Subject from various third parties, who may be based outside of your jurisdiction.

7.5 Cookies

(a) We may obtain information about your general internet usage by using cookies. A cookie is a small file which is stored on the hard drive of your computer. They help us to improve our websites and platforms and to deliver a better and more personalised service.

(b) You may block cookies by activating settings on your browser which allow you to refuse the setting of some or all cookies. If you do choose to block all cookies or essential cookies, you may not be able to access all or some parts of our websites or platform.

(c) Most cookies we use are known as session cookies. These cookies will expire whenever you close your browser or shut down your computer. Other cookies used for a specific purpose will expire when that purpose is no longer required.

(d) We use the following cookies:

(i) Strictly necessary cookies: which are required for the operation of our websites and platforms, such as enabling you to log into secure areas of our websites and platforms, submitting comments to Evidence Hub, or using submission forms. (ii) Analytical/performance cookies: which allow us to recognise and count the number of visitors and to see how visitors move around our websites and platform when they are using them. These cookies help us improve our websites and platforms. (iii) Functionality cookies: which are used to recognise you when you return to our websites and platforms and enable us to personalise our content for you and to remember your preferences, such as your choice of language or region.

8. Disclosures of your personal information

8.1 We may share your personal information with the parties set out below. We will require all such third parties to respect the security of your personal information and to treat it in accordance with applicable law.

8.2 Offshore disclosure

(a) There may be circumstances where we need to disclose personal information that we hold to overseas recipients, including our third-party service providers.

(b) We will only do so in respect of overseas recipients who agree to comply with applicable privacy legislation.

8.3 Service providersThird party service providers act as processors of the data and information referred to above in this Privacy Policy. They are provided with access to all such data and information in order to provide us with the following services:

(a) hosting of Evidence Hub (currently Vercel);

(b) hosting of the Evidence Hub database (currently Supabase);

(c) search indexing of the data processed by Evidence Hub and the monitoring and analysis of such data (currently AWS Opensearch);

(d) sending marketing, surveys and feedback requests on our behalf.

8.4 Professional advisers

We may supply personal information to our lawyers, bankers, auditors and insurers who provide consulting, banking, legal, insurance and accounting services, where they need to know the information in order to provide their services to us.

8.5 Regulators and other authorities

We may supply personal information to regulators and other authorities where applicable law requires us to provide the information to them.

8.6 Third party buyers

We may supply personal information to actual or potential third parties that we may elect to sell, transfer or merge parts of our business or assets to or with.

8.7 Third parties with your consent

We may also supply personal information to other third parties with your consent.

8.8 Other disclosures

We may also provide your personal information to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:

(a) for the purposes of obtaining professional advice;

(b) to obtain or maintain insurance;

(c) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(d) to protect or enforce our rights or defend claims;

(e) enforcement of our claims against you or third parties;

(f) the enforcement of laws relating to the confiscation of the proceeds of crime;

(g) the protection of the public revenue;

(h) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(i) the preparation for, or conduct of, proceedings before any court, tribunal, mediator or arbitrator or implementation of the orders and binding decisions of the court, tribunal or arbitrator;

(j) where disclosure is required to protect the safety or vital interests of employees, End Users or property.

9. Data security

9.1 We have put in place industry standard security measures to prevent personal information from being lost, used, misused, accessed in an unauthorised way, altered or disclosed.

9.2 Although we take all reasonable steps to ensure that personal information is stored in a secure operating environment, we cannot guarantee the absolute security of personal information during its transmission or its storage on our systems.

9.3 Further, while we make every effort to ensure the integrity and security of our network and systems, we cannot guarantee that our security measures will prevent third-party hackers from illegally obtaining access to personal information.

9.4 We have procedures to deal with any suspected or actual personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. Data retention

10.1 We will only retain your personal information for as long as reasonably necessary while we have a business relationship with you (or your company), and thereafter where we have an ongoing business need to retain it, as required under law or to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information in the event of a complaint or if we reasonably believe there is a prospect it will be required for the purposes of litigation.

10.2 To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of the personal information, the purposes for which we process the personal information and whether we can achieve those purposes through other means, and any applicable legal, regulatory, tax, accounting or other requirements.

10.3 In some circumstances, you can ask us to delete your data: see ‘Your legal rights’ below for further information.

10.4 We may, where permitted by applicable law, de-identify your personal information (so that it can no longer be associated with you, and is therefore no longer personal information) for research or statistical purposes.

11. Access to and correction of your personal information

11.1 Access to your personal information

(a) We will handle all requests for access to personal information in accordance with our statutory obligations. You can request a copy of your personal information by contacting us using the contact details set out below.

(b) Individuals whose personal information is governed by the Privacy Act NZ are entitled to seek access to and correction of it in accordance with that legislation, including making a request for urgent access, receiving assistance or transfer to another agency that holds your personal information.

(c) If your personal information is governed by the Privacy Act AU or the Privacy Act NZ or where otherwise permitted by applicable law, we may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law. We will not charge you for the making of any request for access.

11.2 Correcting your personal information

(a) We rely on the individuals who provide us with personal information to provide us with accurate, up to date and reliable data, and to update us when personal information that we hold about them is not accurate, up to date or reliable.

(b) You may contact us to make corrections to your personal information. In certain circumstances, our website and platforms allow End Users to update the personal information about them and other data subjects that we hold.

(c) It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

12. Third party websites, plug-ins and applications

12.1 Our websites or platform may include links to third-party websites, plug-ins and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites, plug-ins or applications and are not responsible for their privacy practices. We encourage you to read their privacy policies so that you understand how they may collect and process your personal information.

13. Complaints

13.1 You have the right to make a complaint about our handling of your personal information, or where you are not satisfied with our handling of your complaint by contacting the relevant privacy or information related agency in your jurisdiction:

Australia: Phone: Website: Address:	Australian Information Commissioner 1300 363 992 Enquiry form via https://www.oaic.gov.au/about-us/contact-us GPO Box 5288, Sydney NSW 2001 Australia
UK: Phone: Email: Address: Website:	Information Commissioner 0303 123 1113 icocasework@ico.org.uk Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF United Kingdom https://ico.org.uk/make-a-complaint/
California, USA: Website: Email:	California Privacy Protection Agency https://cppa.ca.gov/webapplications/complaint info@cppa.ca.gov
New Zealand: Phone: Email: Address:	Privacy Commissioner 09-302 8655 (Auckland) / 0800 803 909 (outside Auckland) enquiries@privacy.org.nz PO Box 10-094, Wellington 6143 New Zealand

13.2 If a data subject wishes to make a complaint about a breach of the EU GDPR, they may refer the complaint to the relevant national Data Protection Authority that can be found here: https://edpb.europa.eu/about-edpb/about- edpb/members_en.

13.3 Before you make a complaint to the relevant agency, we would appreciate the opportunity to address your concerns, so please contact us in the first instance. We will endeavour to respond to your complaint as soon as possible and in any event within 30 calendar days.

13.4 Please feel welcome to contact our Privacy Compliance Officer if you have any questions about this Privacy Policy using the following details:

Email: privacy@evidentli.com

Post: Suite 516, 50 Holt Street, Surry Hills NSW 2010

Legal rights under UK Data Protection Law

This section only applies to individuals whose personal information is governed by the UK Data Protection Law. However, we may also elect to apply this section to personal information governed by other law.

Under certain circumstances, individuals whose personal data is governed by the UK Data Protection Law have the following rights in relation to personal information about them:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

If you want us to establish the data's accuracy.
Where our use of the data is unlawful but you do not want us to erase it.
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not usually have to pay a fee to exercise your rights as a data subject. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

Alternatively, we could refuse to comply with your request in these circumstances

Time limit to respond

We aim to respond to all legitimate requests within 30 days. Occasionally it could take us longer than this period if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Legal rights under California Privacy Law

This section only applies to individuals whose personal information is governed by the CPRA. However, we may also elect to apply this section to personal information governed by other law.

1. California residents have a right to request that we disclose what personal information or sensitive personal information we collect from you and whether, and how, we disclose, share, or sell that personal information or sensitive personal information. California residents may also request that we correct or delete any personal information or sensitive personal information collected or maintained by us from you.

2. California residents may also have the right to opt out of the sharing or sale of their personal information or sensitive information upon request. California residents may opt out of having their sensitive personal information used or disclosed for advertising or marketing. Sensitive personal information includes your precise geolocation and the contents of mail, email or text messages, unless we are the intended recipient.

3. To submit a request for a list of the categories of personal information collected from you or to request that we correct or delete your personal information or sensitive personal information, please email us at privacy@evidentli.com.

4. To verify your request, we may request certain information from you to confirm that you are a bona fide End User of the Evidentli Platforms, such as your phone number, Username, email address, city, state, or geographic location. You may also designate an authorised agent to make a request to us to disclose or delete your personal information. To do so, you must provide us with proof that the individual or business has been appointed as your agent, such by providing a signed power of attorney form, and provide accurate responses to any information requested by us that may be necessary to confirm that you are a bona fide End User of the Evidentli Platforms, such as your phone number, Username, email address, city, state, or geographic location. California residents have a right not to receive discriminatory treatment by us for their exercise of these rights conferred under California law.