Privacy notice

BenevolentAI Group is committed to conducting its businesses in accordance with all applicable Data Protection laws and regulations in line with the highest standards of ethical conduct. This privacy policy (this “Policy”) sets forth the expected behaviours of BenevolentAI Group practices in relation to the collection, use, retention, transfer, disclosure, and destruction of Personal Data belonging to all BenevolentAI Group contacts (i.e. the “Data Subjects”).

BenevolentAI Group strives to ensure continued and effective implementation of this Policy and expects all stakeholders to share this commitment. This Policy (together with our “Terms” of use and any other document referred to on it) sets out the basis on which any personal data (as defined in Regulation (EU) 2016/679 (the “GDPR”)) that we hold (the “Personal Data”) are processed.

Please read the following carefully to understand our views and practices regarding your Personal Data and how it’s processed. If you have any concerns or need further information, our Data Protection Officer and Compliance Manager (“DPO”) can be contacted directly with the details below:

‍DPO, BenevolentAI Limited
‍4-8 Maple Street, London, W1T 5HD United Kingdom
Phone: +44 (0)2037 819 360
Email: DPO@benevolent.ai

We may collect and process some or all of the following types of Personal Data:

PURPOSE FOR PROCESSING

This section provides more detail on the types of personal information we collect from you, and why.

We source data from providers from time to time which may be combined with information you give to us and information we collect about you. We may use this information and the combined data for the purposes set out in this Policy (depending on the types of data we have received).

‍Pseudonymised Datasets
‍We collect pseudonymised datasets from data suppliers, CROs and collaborators for internal research purposes.

‍Clinical Trial Data
‍We work with vetted CROs and test centres from time to time who provide participant’s pseudonymised data for use in our clinical trials and research. From time to time, these processing may involve special category personal health data. BenevolentAI Group relies on the exception under Articles 9(2)(i) and 9(2)(j); and Article 89(1) of the GDPR (Legitimate Interests, Scientific or Historical Research Purposes) and Schedule(1), Part (1) sections 10 and 19 of the Data Protection Act 2018 (“DPA 2018”) as our lawful basis for processing.

When you subscribe to BAI Group’s newsletter, we will ask for your:

• Names
• Email address, and
• Any other content preferences that can help tailor our messages to your interests

Our use and storage of your data is based on your consent. This means you will receive tailored communication and updates regarding our upcoming events, products, services or opportunities from time to time. You can withdraw your consent or change your preference at any time, by following the ‘Unsubscribe' link on any of our emails or contacting us at hello@benevolent.ai
‍
Event attendees When you register to attend one of our events (including via any of our third-party provider), we will ask for your:

• Names
• Email address, and
• Any other relevant information as determined on an event-by-event basis; such as, job title or work-related email address.

We will collect this information when you enrol to attend an event. Our use and storage of these data is based on your consent. We use the data solely for the purposes of administering the event and send you tailored communication and updates regarding our upcoming events, products, services or opportunities from time to time. We may be required to share such data with third-party organisations where necessary to administer the event effectively.

We often take photographs at our events and those photos may be used on our website, social media, newsletters or other internal or external communications. Please contact us if you have any question or concern regarding the use of such photographs at any time. If you are a speaker at one of our events, we may promote your participation via platforms such as Twitter, LinkedIn and by marketing emails. External platforms may continue to store and use personal information after the event has ended.

When you unsubscribe, your personal data will be automatically removed from the newsletter distribution system. We use Hubspot to provide this service and they process your personal data on our behalf. You can read the Hubspot privacy notice here. Hubspot operates in the United States (“US”), so your information is transferred to, stored, and processed in the US. Hubspot is deemed to have technical and organisational measures in place to ensure the security of your personal data in compliance with the UK GDPR, DPA 2018, and the EU GDPR as outlined in their DPA here. Hubspot is also compliant with the EU-US Privacy Shield framework (albeit such framework being currently invalidated – see below). You can view their certification here.

We rely on Contractual Performance, Public Interest, Legitimate Interest, and Legal Obligation (each as defined in the GDPR) as the lawful basis on which we collect and use your Personal Data. We use your Personal Data to provide you with information about our products, and services and to improve those products and services. We will also use your Personal Data to notify you about changes and events and to ensure that content on our website is presented in the most effective manner for you and your computer.

All the Personal Data we collect from you are used for administrative (HR) and drug discovery purposes. If there is a need to disclose your Personal Data to other third parties, for new purposes outside the original scope or for purposes materially different from that for which they were originally collected, we will ensure that your rights and freedom are not undermined. Where applicable, we will give you the opportunity to decide if your Personal Data should be processed in such a manner. However, note that in certain circumstances, we might be required to disclose your data in response to lawful requests by public authorities, to meet national security, law enforcement, or investigations and we will oblige accordingly.

BenevolentAI Group and its affiliated/trusted third-party suppliers may store your Personal Data within and outside the EEA and the UK. Data protection and privacy laws in the countries to which your Personal Data are transferred may be deemed inadequate under the GDPR. In all cases, BenevolentAI Group takes all steps reasonably necessary to ensure your Personal Data remains protected and secure in compliance with applicable data protection and privacy laws. These measures include data transfer agreements, implementing standard contractual clauses, or International Data Transfer Agreements (“IDTAs”).

We take appropriate technical, organisational, and administrative measures to ensure all Personal Data is kept secure including security measures to prevent Personal Data from being accidentally collected, recorded, organised, structured, stored, altered, retrieved, consulted, used, disclosed by transmission, disseminated or otherwise made available, aligned or combined, restricted, erased or destroyed in an unauthorised manner. We limit access to your Personal Data to those who have genuine business needs and are duly trained for such processing. Those processing your information will do so only in an authorised manner that ensures confidentiality and accountability. We also have procedures in place to deal with any suspected data security breach. We will notify you and all applicable regulators of a suspected data security breach where we are legally required to do so within 72 hours.

Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted through any online means outside the scope of this Policy, therefore any such transmission remains at your own risk as the transmission of information via the internet is not completely secure.

We will retain your Personal Data as follows:

(a) your account data for as long as you keep your account open or as needed to provide you with our products or services;
(b) if you contact us, we will keep your data for 24 months after you contact us; 
(c) your technical usage information may be retained for up to 24 months; and
(d) data on your use of our website and our products or services maybe retained for up to 24 months.

We will also retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies. If you stop using our products or services, we will store your information in an aggregated and anonymised format; we may use this information indefinitely without further notice to you. 

For further information, contact our DPO at: DPO@benevolent.ai.

Rights relating to the processing of your Personal Data

‍The DPA 2018, the GDPR, the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronics Communications Regulation (“PECR”) provide you with specific rights relating to your Personal Data that BenevolentAI Group holds and processes at any given time. These rights include:

(a) Right to Access (Data Subject Access Request) – You have the right to access Personal Data we hold about you, how we use it, and who we share it with.
(b) Right to be Informed (Privacy Notices)
(c) Right to Object to Processing – You have the right to object to our processing of your Personal Data
(d) Right to Rectification – You have the right to correct any of your Personal Data we hold that is inaccurate.
(e) Right to Erasure (Right to be Forgotten) – In certain circumstance, you have the right to delete the Personal Data we hold about you.
(f) Right to Restrict Processing – You have the right to require us to stop processing the Personal Data we hold about you, other than for storage purposes, in certain circumstances.
(g) Right to Data Portability – You have the right to receive a copy of the Personal Data we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.

Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests, or where we are required by law to retain your Personal Data. You have the right to object to marketing at any time by [clicking the ‘Unsubscribe’ link on any of our emails or contacting us at hello@benevolent.ai..

‍Data Subject Access Request You can request access to the Personal Data we hold about you using the contact details set out below. Requests should include:

(a) Your full name, address and description of the information that you seek.
(b) Two proof of identification: (i) one photographic ID (a copy of your passport or driving license); and (ii) one proof of address (a recent bill or financial statement showing your current address).

Data Subject Access Requests should be addressed to:

‍DPO, BenevolentAI Limited
4-8 Maple Street, London, W1T 5HD
United Kingdom
Phone: +44 (0)2037 819 360
Email: DPO@benevolent.ai

‍We are obliged by the governing regulations to respond promptly to your request and in any event within one month of receipt. Exceptions may apply for an extended period of two months if the request proves particularly complex in nature, in which case you will be duly informed.

Should we need additional information to identify, validate and/or locate the information requested, we will contact you and wait for your response before we are able to process your request.

The EU-U.S. DPF And The UK Extension To The Eu-U.S. DPF

BenevolentAI Group complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.  BenevolentAI Group has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data Privacy Framework https://www.dataprivacyframework.gov/ 

When sharing data with third parties outside of the UK and EEA, the transfer may be subject to the UK International Data Transfer Agreement (IDTA), or the European Commission's Model Clause (the “Model Clauses”) for transferring personal data to third countries. Alternatively, equivalent contracts issued by the relevant competent authority of the UK may be used. This applies unless the data transfer is to a country that the UK authorities have deemed to provide an adequate level of protection for individuals' personal data rights and freedoms. Please contact our DPO at: should you have any questions.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, BenevolentAI Group commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. All EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact BenevolentAI Group at:

Luxembourg Office
The DPO,
BenevolentAI
9, rue de Bitbourg,
L-1273 Luxembourg,
Grand Duchy of Luxembourg
Phone: +44 (0)2037 819 360
(Monday – Friday)
Email: DPO@benevolent.ai

London, UK Office
The DPO,
BenevolentAI Limited
4 - 8 Maple Street,
London W1T 5HD, United Kingdom
Phone: +44 (0)2037 819 360
(Monday – Friday)
Email: DPO@benevolent.ai

New York, USA Office

The DPO,
Benevolent Technology, Inc.
1 Dock 72 Way, 7th Floor,
Brooklyn, NY 11205, USA
Phone: +1 (929) 295-6550
(Monday – Friday)
Email: DPO@benevolent.ai
We have further committed to cooperating with the panel established by the EU data protection authorities (“DPAs”) and, as applicable, the UK Information Commissioner’s Office (ICO) with regard to unresolved PDF and UK Data Bridge complaints concerning human resources data, de-identified/pseudonymised data sets and de-identified/pseudonymised patient level data, tissues/blood samples that may be transferred from the UK and EU in the context of an employment relationship, business operations, scientific researchand clinical tria purposes. As a UK and an EU Person, you have the option to select binding arbitration under the PDF Panel for the resolution of your complaint under certain circumstances. For further information on this Framework, refer to the Privacy Shield website at: https://www.dataprivacyframework.gov/s/

Under the UK Extension to the EU-U.S. DPF, you have the right to Personal Data that BenevolentAI Group holds about you as stated in “Your Rights” (section 12 above) if it has been processed in violation of the Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to your privacy, or where the rights of other persons would be violated). Requests can be sent to us using the contact information set out above. The Federal Trade Commission has jurisdiction over BenevolentAI Group’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.

As stated in our disclosure commitment (section 8 above), your Personal Data are used for administrative (HR) and drugs discovery research purposes. Where applicable, you will be duly informed if your Personal Data are to be shared with other third parties for any new purpose outside the scope or is materially different from that for which it was originally collected. We will give you the opportunity to choose whether to have your Personal Data disclosed or opt-out. However, note that in certain circumstances where BenevolentAI Group might be required to disclose your Personal Data in response to lawful requests by public authorities, to meet national security or law enforcement or investigations, we will oblige accordingly.

Before any onward transfer of your Personal Data to third parties, we will ensure measures are in place that meets the level of security appropriate to such onward transfer in terms of contract (Model Clauses/IDTAs) or agreement as appropriate to ensure adequacy in line with the provision of the PDF Principles. We will ensure that any third party receiving such Personal Data from us has entered into a written agreement or contract with us requiring that such third party provide at least the same level of privacy protection as the PDF Principles.

If any third party processes Personal Data in a way that does not comply with the terms of this Policy, BenevolentAI Group will take necessary steps to prevent any data breaches. We will ensure that the third-party informs us if they are unable to meet the agreed terms. The contract will clearly state that if such a situation arises, the third-party will stop processing or take appropriate steps to rectify the issue in order to comply with the PDF Principles.

In compliance with the NY SHIELD Act, BenevolentAI Group has implemented adequate data privacy and security safeguards, including:

(a) designating a Data Protection Officer, IT and Information Security personnel;
(b) implemented adequate controls for the protection of personal data;
(c) conducts employee training concerning data protection and cybersecurity;
(d) maintains updated documentation of policy practices and procedures;
(e) implemented an administrative procedure to notify affected individuals in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement; and
(f) implemented an administrative procedure to notify the NY State Attorney General, the department of state, and the state office of information technology services as to the timing, content, and distribution of the notices and an approximate number of affected persons. If you have any questions, please use the contact information detailed on this notice.

Read our full cookie policy here

Our website may contain links to other websites from time to time. Note that this Policy only applies to this website (https://benevolent.com/). Whenever you are redirected or linked to other websites, ensure you read and understand their privacy policies on their use of your Personal Data before consenting. We do not accept any responsibility or liability for external policies. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms, may also be viewable by other users of this website and/or users of those third-party online platforms without limitation as to its use by a third party or by us. Our inclusion of such links does not imply any endorsement of the content on such platforms or of their owners or operators except as disclosed on our website. We expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of Personal Data by third parties. Any information submitted by you directly to these third parties is subject to that third party’s privacy policy.

For concerns or questions about our privacy policy or how we process your data, contact our:

Luxembourg Office:
DPO,
BenevolentAI
9, rue de Bitbourg,
L-1273 Luxembourg,
Grand Duchy of Luxembourg
Phone: +44 (0)2037 819 360
(Monday – Friday)
Email: DPO@benevolent.ai

We believe that we can resolve any query or concern you may raise about our use of your Personal Data. The DPA 2018, the GDPR, the UK GDPR, and the PECR give you the right to lodge a complaint with a supervisory authority, in particular within the EU (or EEA) state where you work, normally live, or where any alleged infringement of data protection laws may have occurred.

The ICO is the supervisory authority for UK and may be contacted at:
‍Online: http://ico.org.uk/concerns/ 
Telephone: 0303 123 1113.

‍BenevolentAI Group keeps this Policy under regular review to continuously capture each emerging requirement. We will place any updates on this webpage.

Last updated: September 2022