简体中文

Privacy Notice for Clinical Trial Participants

Effective on: November 21, 2025

Corxel Pharmaceuticals, together with its affiliates (including but not limited to Corxel Pharmaceuticals, Inc. and Corxel Pharmaceuticals Hong Kong Limited) (“Corxel”, “we”, “us”, or “our”) is a clinical-stage biopharmaceutical company dedicated to developing innovative therapies for individuals with cardiometabolic conditions around the world. Corxel is the sponsor of clinical trials ("Clinical Trials"). 

This Privacy Notice (“Privacy Notice”) applies to individuals who participate or apply to participate in our Clinical Trials (“Trial Participant” or “you”). This Privacy Notice explains how we collect, use, store, and process your personal data in the context of our Clinical Trials. We may also give you other privacy notices, including through information contained in informed consent forms for our Clinical Trials, that apply in addition to this Privacy Notice.  

This Privacy Notice does not apply to personal data that we collect by other means, such as through our public website. This Privacy Notice also does not apply to personal data that we collect and process about medical staff, study doctors/investigators, ethics committee members, and other individuals involved in our Clinical Trials. 

1.    Controller
The Corxel legal entity that sponsors the Clinical Trial in which you participate or apply to participate is the data controller of your personal data. The Clinical Trial sponsor's information is disclosed to you in the informed consent form that you will be asked to sign, and in Section 12 of this Privacy Notice. For most of our Clinical Trials, Corxel is the sponsor and data controller. As the data controller we determine why and how your personal data is processed.  Our “processing” includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In some jurisdictions, we are considered a “joint controller” with another organization, such as the site where the Clinical Trial is being conducted (“Trial Site”). A Trial Site can include the hospital, clinic, or research center where the activities of the Clinical Trial are conducted. When we act as a joint controller, it means that we jointly, together with the other organization, determine why and how your personal data is processed. If you would like to know which organizations are joint controllers with Corxel for our Clinical Trials or understand the essence of our arrangement with those organizations, ask your study doctor or the Trial Site for further details. 

2.    Categories of Personal Data
Even though we are a data controller for the personal data collected and processed in the context of our Clinical Trials, Corxel does not have access to your identifiable personal data. This means that we are unable to identify you personally from the information that we have access to. During a Clinical Trial, your personal data is collected by the Trial Site or other third parties, such as doctors, our clinical research organization, or our service providers. When any information relating to you is shared with us, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, address, or telephone number). We can only identify you using a unique code assigned to you for the purpose of the Clinical Trial. Good Clinical Practice requires the protection of Trial Participant confidentiality, requiring that sponsors of clinical trials, like Corxel, do not see identifying data from individual participants.

We collect and process the following types of personal data in the context of our Clinical Trials:

  • Clinical Trial specific data, including a unique identification number assigned to each Trial Participant in the Clinical Trial, location of the Trial Site that you visit during the Clinical Trial, dates relating to the performance of the Clinical Trial and your participation in it, records of informed consent forms and related documentation.
  • Your age
  •  Electronic data captured from electronic devices you use related to the Clinical Trial, for example where you complete the consent process using an e-consent form (if permitted by local laws)
  • Your sex (male or female) (if permitted by local laws)
  • Your race or ethnicity (if permitted by local laws)
  • Information related to your health, such as your medical history, current health status and reaction to the Clinical Trial drug or treatment. Data from the testing and analysis of your biological samples (blood and urine), images (from NCCT, MRI, CTA/MRA, and CTP/MRP), and monitoring equipment (such as from ECG and CTM) throughout the Clinical Trial. Your weight and height. Data about your sex-life such as whether you are pregnant or your partner’s is pregnant (if applicable). Information about your healthcare providers, such as the identity and contact information of your doctors and health care providers.

The Trial Site or our service providers will also collect the following personal data from you on our behalf for our Clinical Trials, but this data is not disclosed to us:

  • Biographic data, such as your first and last name.
  • Contact data, such as physical address, email address, phone number, emergency contact information.
  • Financial data, such as bank account information.
  • Your health insurance number.

You can ask your study doctor if you are unsure whether or not any specific personal data that you are being asked to provide is required as part of your participation in the Clinical Trial.

3.    How We Collect Your Personal Data
We collect your personal data when:

  • A study doctor (also known as an “investigator”) or other healthcare personnel at the Trial Site provides it to us, or your healthcare provider provides it to us with your permission.
  • We receive it from our clinical research organization that conducts and manages the Clinical Trial on our behalf.
  • You provide it to one of our service providers acting on our behalf, for example when you complete the consent process using an e-consent form.
  • You provide it directly to us.

4.    Purpose of Processing
Throughout our Clinical Trials we process your personal data to give effect to the Clinical Trial. We process your personal data for the following purposes:

  • To recruit you to participate in our Clinical Trial and to assess whether you are eligible to participate in our Clinical Trial.
  • To conduct scientific research and monitor the quality of the research being conducted in our Clinical Trials, including, but not limited to, managing and facilitating the Clinical Trial such as the shipment of your biological samples, archiving and storing documents and personal data relevant to the Clinical Trial master file, to do translational research and medical writing applicable to the Clinical Trial.
  • To evaluate the efficacy of the trial drug. This includes analyzing personal data and biological samples, assessing clinical outcomes, and publishing our findings.
  • To monitor the safety of the trial drug and report on any adverse events, such as negative side effects. This includes reporting any adverse events to applicable authorities.  
  • To comply with legislation and regulations governing the Clinical Trial.
  • To reimburse you for any expenses related to the Clinical Trial.
  • To disclose your personal data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law, including during inspections, monitoring, and if we apply for market approval for our trial drugs.
  • To conduct randomization for our Clinical Trial. This is the process of assigning participants to different treatment groups by chance, ensuring a fair and unbiased comparison.
  • To disclosure data to our licensors, partners, and collaborators in the context of the development and commercialization rights to the trial drug in certain regions (if permitted by law).
  • To defend Corxel's rights and enforce Corxel's policies.

We also process your personal data for any specific purposes described in the informed consent form provided to you by the study doctor at the Trial Site. We request information from you that we require. If you do not provide us with the information, you may not be able to participate in our Clinical Trials.

5.    Basis of Processing
We process your personal data on one or more of the following legal bases:

  • Legitimate Interests: We process your personal data based on our legitimate interests. Corxel has an interest in conducting research, improving its knowledge about the trial drug, facilitating and managing the Clinical Trial. Where we process your personal data on the basis of our legitimate interests, we do so after careful assessment which requires balancing your right to privacy and our legitimate interests. You have the right to request a copy of our assessment.
  • Compliance with Legal Obligations: We process your personal data to comply with applicable laws or regulations, such as the EU Clinical Trials Regulation and applicable local laws.
  • Public Interest in Public Health: We process your personal data for reasons of public health to ensure adequate standards of quality and safety of the drug we are developing.
  • Public Interest, Scientific Research, and Statistical Purposes: We process your personal data when it is necessary for archiving purposes in public interest, scientific or historical research purposes or statistical purposes.
  • Consent: For certain processing, we may ask for your consent. When we process your personal data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in parts of the Clinical Trial. 

The specific grounds on which we process your personal data, including your health data, may vary to comply with the requirements of local laws in the countries where we sponsor the Clinical Trial. Please refer to the informed consent form you signed when you joined the Clinical Trial for more information about the legal grounds on which we process your personal data. 

6.    Data Retention
We will retain your personal data until we fulfill the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations. Once your information has been entered into the Clinical Trial records, we cannot remove it without affecting the accuracy of the trial and the test results. Applicable EU laws require us to keep trial records for at least 25 years after the conclusion of the Trial. We retain your data in accordance with our retention policies.

7.    How We Share Your Personal Data 
We share your personal data with our service providers who process personal data on our behalf, and who agree to use the personal data only to assist us in fulfilling the purposes of processing as described in this Privacy Notice, or as required by law. Our service providers include parties providing:

  • Contract/clinical research organization services
  • Patient recruitment and concierge services
  • Quality assurance, safety and pharmacovigilance software and related services
  • Data storage, sharing, and achieving software and related services
  • Data analytics and reporting software and services
  • Laboratories for data analysis
  • Services related to the collection, storage, testing, and transportation of biological material
  • Interactive response technologies
  • Translation services
  • E-consent services
  • Adverse events safety database

We may disclose your personal data to our affiliates and the following third parties:

  • Regulators, competent authorities, ethics committees, to the extent necessary to comply with applicable laws, regulations, and rules.
  • Our service providers, listed above, as well as our professional advisors such as lawyers, auditors, insurers, and bankers, where applicable.
  • Our licensors, collaborators, and partners that own the development and commercialization rights to our products in certain regions. We only disclose your data to these third parties upon request and if permitted by applicable law.
  • Governmental or law enforcement officials, or private parties, to the extent required by law, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings. If we must disclose your personal data to these parties, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.
  • If, in the future, we sell or transfer, or consider selling or transferring, our company, business, shares or assets to a third party, we may disclose your personal data to such third party in connection with the sale or transfer. If we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your personal data in connection with the foregoing events. 

8.    International Transfers of Personal Data
We operate in many countries including the United States, Europe, Australia and more. This means we may transfer or provide access to your personal data to affiliates, service providers or collaborators and others in other countries where the data protection laws may not be as strong as in your own country.

We also take appropriate measures to ensure that your personal data is protected and to ensure that you can exercise your rights in accordance with the laws. We require those who receive your personal data to have appropriate protection measures for your personal data.

Whenever we transfer personal data originating from the European Economic Area or the United Kingdom, we use legal mechanisms, such as the EU 2021 Standard Contractual Clauses approved by the European Commission under Article 46.2 of the GDPR, and UK International Data Transfer Agreement, to ensure the protection of your personal data, in accordance with applicable data protection law. 

We use a combination of contractual, technical, and organizational safeguards to ensure your personal data is secure even when it is transferred to the third countries listed above. Our safeguards include:

  • Pseudonymization: Your personal data is pseudonymized (coded), which means that you will only be identifiable by a unique identification number assigned by the relevant Trial Site to you.
  • Encryption: Your personal data is encrypted in transit and at rest using secure implementation of the Transport Layer Security (TLS) protocol version 1.2 or higher in transit using a minimum of 128-bit encryption.
  • Data Minimization: We only collect and transfer personal data that is necessary to achieve the specific purposes of the Clinical Trial as outlined in the Protocol.
  • Policies and Procedures: We have an internal policy and procedure that guides how we respond to requests from law enforcement and government entities regarding access requests to personal data and our systems.
  • Governance: Our Data Protection Officer is informed of and involved in assessing how we respond to access requests to personal data and our systems. We have appointed specific individuals and teams to handle access requests.

While we have implemented various measures to secure your personal data, there is always a risk that your data could be accessed by law enforcement and government entities in the third countries above. If we are compelled by a public authority, intelligence agency, or law enforcement agency to disclose any of your transferred personal data, we will, as soon as reasonably practicable, notify the Trial Site who will notify you, if we are allowed by law. If we are legally prohibited from notifying you or the Trial Site, we will use all reasonable and lawful efforts to obtain a waiver from this to allow us to communicate as much information to you or the Trial Site as possible. We will also challenge any unlawful, overly broad, or inappropriate request to access your personal data. If we remain compelled to disclose your transferred personal data to the requesting authorities, we will disclose only the minimum amount of personal data necessary to satisfy the request.

If you have further questions about this or would like to request copies of the applicable safeguards used to transfer your data, please contact us.

9.    Data Integrity and Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect personal data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction. For example, we encrypt your data in transit and at rest using Transport Layer Security (TLS) protocol version 1.2 or higher for personal data in transit using 128-bit encryption. We adopt role-based access controls that means access to your personal data is only permitted on an as-needed basis, and our IT team performs annual access reviews of our key systems and applications. We also have established security policies and standards that clearly identify what activities can and cannot be performed, what information is stored, retained, accessed, and used across the organization’s computing resources. If you want to know more about how we secure your personal data, please contact us. 

10.    Your Privacy Rights 
You have certain privacy rights in relation to the personal data that we collect. 

  • You have the right to request access to your personal data. This means that you can ask us to confirm whether or not we process your personal data, and, where that is the case, obtain a copy of or access to your personal data and other related information (such as the purposes for which we collected your personal data, and the categories of third parties that we share it with).
  • You can ask us to correct anything that you think is wrong with the personal data that we have about you, and to complete any incomplete personal data.
  • You have the right to ask that we limit/restrict our processing of your personal data. You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.
  • You have the right to object to our processing of your personal data. We will always strive to fulfill your request. However, we may not be able to fulfill your request if the law restricts us.
  • If we request your consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in parts of the Clinical Trial.
  • You also have the right to data portability, which means that you can ask us to provide you with a copy of your personal data or transfer it to another entity. If you exercise this right, we will provide you with a copy of your personal data in a structured, commonly used and machine-readable format.
  • You have the right to ask us to delete your personal data. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
  • If you participate in a Clinical Trial, you will be assigned a unique identifier number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Clinical Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Clinical Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards. For decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.

To exercise any of your privacy rights, please contact us by using the information in the “Contact Us” section below. You also have the right to complain to your local data protection regulator.

Verification and Authorization: We might need some extra information from you to verify your identity if we are unsure that it is in fact you who has made the privacy request. We will let you know if we do. If somebody else makes a privacy request on your behalf, we will need to verify that they have authority to act on your behalf. We will request signed permission (such as power of attorney) or proof from them. 

Responses to Your Privacy Requests: You are generally entitled to receive a reply from us within 30 days, and in some cases faster than that. In certain exceptional cases, we might extend this to 90 days, but we will inform you of the reason why and the extension period in writing. 

If we cannot satisfy your request, we will explain why in our response.  We will not charge a fee for processing or responding to your requests. However, we may charge a fee if your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

11.    Privacy of Children
Our Clinical Trials are not directed at children. You must be over 18 years old to participate in our Clinical Trials. We may, however, collect personal data about your children if, during the Clinical Trial, you fall pregnant, or your partner falls pregnant. We will only collect personal data about your child with your permission or the permission of the child’s parents or legal guardians.

12.    Contact Us
If you have any questions about this Privacy Notice or our processing of your personal data, you can contact us by emailing [email protected]. You may also contact our Data Protection Officer or Data Protection Representatives. However, we encourage you to first speak with your study doctor to ensure that we do not receive any identifiable information about you during the Clinical Trial. 

Data Protection Officer
You may contact our Data Protection Officer, John Li, on matters related to the processing of personal data. Email: [email protected], attention: “Privacy – Clinical Trials”

Data Protection Representatives
We have appointed VeraSafe Czech Republic s.r.o. as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative, or via telephone at +420 228 881 031, or by mail to Rohanské nábřeží 678/23, Prague 8, 18600, Czech Republic, Databox ID: eicpabq. Attention: “Corxel”.
 
VeraSafe United Kingdom Limited has been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative, or via telephone at +44 (20) 4532 2003, or by mail to 37 Albert Embankment, London SE1 7TL, United Kingdom. Attention: “Corxel”.

13.    Changes to this Notice
If we change this Notice, we will publish the revised Privacy Notice on our website. We will also update the effective date. 

Developing innovative cardiometabolic therapies globally

Copyright © 2026 CORXEL. All Rights Reserved.
Designed & built by SampsonMay

沪ICP备20017872号-3

沪公网安备31010602008424号