Privacy Policy

1. Introduction and Overview

Aimwell Bioceutical Systems, Inc. ("AimwellBio," "we," "us," or "our") is committed to protecting your privacy and ensuring you have a positive experience on our website and platform. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information in connection with our SaaS platform, website, and services.

This Privacy Policy applies to information we collect from and about users of our Platform, website visitors, customers, and other individuals with whom we interact. Please read this policy carefully. If you do not agree with our practices, please do not use our Platform or services.

2. Information We Collect

We collect information in various ways:

2.1 Information You Provide Directly

• Account Registration and Credentials: Name, email address, company name, job title, department, phone number, physical address, and authentication credentials when you create an account or request access to the Platform.
• Profile and Preference Information: Biographical information, professional background, research interests, intelligence preferences, therapeutic focus areas, and other details you voluntarily provide to customize your experience.
• Communication Preferences: Your preferences regarding the types of communications you wish to receive, including intelligence updates, product announcements, and educational content.
• Content and Inquiries: Information provided in support requests, feedback forms, feature requests, customer service inquiries, and voluntary survey responses.
• Payment Information: Billing address, invoice details, and purchase history. Payment card information is processed by third-party payment processors and is not stored on our servers.

2.2 Information Collected Automatically

• Usage Data: Records of your interactions with the Platform, including queries submitted, intelligence preferences selected, reports accessed, features used, timestamps, and duration of sessions.
• Device and Browser Information: Device type, operating system, browser type and version, IP address, device identifiers, and unique advertising identifiers.
• Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar tracking technologies to enhance functionality, perform analytics, and improve user experience. See our Cookie Policy for detailed information.
• Log Data: Server logs containing IP addresses, access times, pages viewed, referring URLs, error logs, and other technical data related to your use of the Platform.
• Geolocation Data: General location information derived from IP address, but not precise location unless you specifically enable location services.

2.3 Information from Third Parties

• Business Partners and Integrations: Information provided by partner organizations, integrations, or data providers as part of service delivery.
• Public Sources: Publicly available professional information from business directories, regulatory databases, and academic sources that inform our intelligence products.
• Third-Party Services: Information from analytics providers, cloud infrastructure providers, and authentication services (such as single sign-on providers).
• Referrals: Information about you if referred to us by a colleague or business contact.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery and Platform Operation

• Establishing and maintaining your account and subscription
• Providing access to and operating the Platform and associated services
• Fulfilling your requests for intelligence, reports, and analyses
• Personalizing and customizing your Platform experience based on your preferences and interests
• Enabling features such as saved searches, watchlists, and customized dashboards
• Processing transactions and managing billing and subscription administration
• Providing technical support and customer service

3.2 Intelligence Generation and Analytics

• Creating and improving biopharmaceutical intelligence insights and proprietary analyses
• Conducting aggregated and de-identified research to enhance Platform capabilities
• Analyzing user interaction patterns to identify intelligence trends and improve recommendation algorithms
• Developing new features, tools, and intelligence products based on observed user needs

3.3 Communications and Marketing

• Sending service-related announcements, updates, and security notices
• Delivering educational content, webinars, and training materials relevant to your industry and interests
• Sending marketing communications about new features, offerings, and industry insights (in compliance with applicable law and your preferences)
• Responding to your inquiries and customer service requests
• Conducting surveys, feedback solicitation, and customer satisfaction research
• Notifying you of changes to our services, terms, or policies

3.4 Security and Compliance

• Detecting, investigating, and preventing fraud, abuse, security incidents, and other violations
• Protecting the rights, property, and safety of AimwellBio, our users, and the public
• Enforcing our Terms of Service and other agreements
• Meeting legal, regulatory, and contractual compliance obligations
• Maintaining audit trails and internal security logs
• Responding to legal process, governmental requests, and regulatory inquiries

3.5 Product Development and Improvement

• Analyzing usage patterns, user behavior, and platform performance
• Testing, debugging, and optimizing Platform features and functionality
• Conducting quality assurance and user experience research
• Developing new products, services, and business models

We will not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent and an opportunity to obtain human review.

4. Legal Bases for Processing

We process your personal information on the following legal bases under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and similar regulations:

4.1 Consent

We process certain information (such as marketing communications, non-essential cookies, or detailed preference data) based on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4.2 Contract Performance

We process information necessary to establish, maintain, and deliver our services under your subscription agreement, including account management, billing, and service provision.

4.3 Legitimate Interests

We process information to pursue legitimate business interests, including:

• Improving and optimizing the Platform and user experience
• Understanding user needs and developing new features
• Conducting analytics and business intelligence
• Preventing fraud and enhancing security
• Maintaining records and complying with internal policies
• Marketing our services to potential customers (subject to opt-out rights)

We conduct balancing tests to ensure our legitimate interests do not override your data protection rights and freedoms.

4.4 Legal Obligations

We process information to comply with applicable laws, regulations, and legal process, including tax obligations, regulatory reporting, and responding to government requests.

4.5 Public Health and Safety

In rare cases, we may process information to protect vital interests or public health, particularly given our biopharmaceutical focus.

5. Data Sharing and Disclosure

We may share your information in the following circumstances:

5.1 Service Providers

We engage third-party service providers to support Platform operations, including:

• Cloud infrastructure and hosting providers (Amazon Web Services, Microsoft Azure, or similar)
• Payment processors and financial service providers
• Email and communication service providers
• Analytics and data analytics providers
• Customer support and CRM platforms
• Security and data protection vendors
• Legal and professional advisors

We require service providers to maintain confidentiality, implement appropriate security measures, and process information only as instructed by us. We execute Data Processing Agreements with service providers as required by applicable law.

5.2 Legal Requirements and Compelled Disclosure

We may disclose information when required by law, court order, subpoena, government request, or similar legal process. We will provide notice to affected individuals when legally permitted and take reasonable steps to challenge overly broad or improper requests.

5.3 Business Transfers

If we are acquired, merge with another entity, file for bankruptcy, or undergo other business reorganization, your information may be transferred as part of that transaction. We will provide notice and seek consent if such transfer materially changes how we use your information.

5.4 With Your Consent

We may share your information with third parties with your explicit consent, such as when you authorize integrations with external platforms or request information sharing with collaborators.

5.5 Aggregated and De-Identified Information

We may share aggregated, anonymized, and de-identified data that cannot reasonably identify you with research partners, industry associations, and other third parties for analysis, benchmarking, and publication purposes.

5.6 No Sale of Personal Information

We do not sell, rent, lease, or trade your personal information to third parties for commercial purposes. We do not share personal information with third parties for their independent marketing purposes without your explicit consent. This commitment applies under all applicable laws, including the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and similar state privacy laws.

6. Data Retention

We retain personal information for the duration necessary to fulfill the purposes for which it was collected, subject to the following principles:

6.1 Retention by Purpose

• Account Information: Retained for the duration of your subscription and for a period of up to seven (7) years thereafter to address regulatory, tax, and audit requirements.
• Transaction and Billing Records: Retained for seven (7) years in accordance with tax and financial record retention obligations.
• Usage and Log Data: Retained for twelve (12) months for security analysis and troubleshooting; backup copies may be retained for up to 24 months.
• Marketing and Communication Data: Retained until you unsubscribe or withdraw consent; opt-out records retained for three (3) years to honor preferences.
• Support and Correspondence: Retained for the duration of the customer relationship and for three (3) years thereafter.
• Cookies and Tracking Data: Retained per our Cookie Policy, typically for up to thirteen (13) months.

6.2 Deletion and De-Identification

Upon expiration of retention periods, we delete or de-identify personal information. If deletion is not feasible (e.g., due to technical limitations), we implement additional security measures to prevent unauthorized access. Certain information may be retained if necessary to comply with law or resolve disputes.

6.3 Data Subject Requests for Deletion

You may request deletion of your personal information at any time (subject to applicable exceptions). We will process deletion requests without undue delay, typically within thirty (30) days, unless a longer retention period is required by law or for legitimate business purposes.

7. Your Rights and Choices

You have the following rights regarding your personal information:

7.1 GDPR Rights (EU/EEA Residents)

If you are located in the European Union, European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

• Right of Access: The right to request access to and receive a copy of your personal information in a structured, commonly used format.
• Right to Rectification: The right to correct inaccurate, incomplete, or outdated personal information.
• Right to Erasure ("Right to Be Forgotten"): The right to request deletion of personal information, subject to legal exceptions.
• Right to Data Portability: The right to obtain your personal information in machine-readable format and transmit it to another organization.
• Right to Restrict Processing: The right to limit how we process your information while we verify its accuracy or lawfulness.
• Right to Object: The right to object to processing for direct marketing purposes and, in some cases, for other legitimate interests.
• Right to Object to Automated Decision-Making: The right to decline automated decision-making with legal consequences and request human review.
• Right to Lodge a Complaint: The right to file a complaint with your local data protection authority (supervisory authority).

7.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: The right to request what personal information we collect, use, share, and sell about you.
• Right to Delete: The right to request deletion of personal information collected from you, subject to exceptions.
• Right to Opt-Out of Sale/Sharing: The right to opt out of the sale or sharing of your personal information. We do not sell personal information; however, you may request confirmation of this and our compliance with your preferences.
• Right to Limit Use: The right to limit our use of sensitive personal information to purposes necessary to provide services.
• Right to Non-Discrimination: The right to non-discriminatory treatment for exercising your privacy rights. We will not deny services, charge higher prices, or provide lower quality service solely for exercising your CCPA/CPRA rights.
• Right to Correct Inaccurate Information: The right to correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Automated Decision-Making: The right to opt out of automated decision-making that produces legal or similarly significant effects.

7.3 Other State Privacy Rights

If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maine, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Tennessee, Texas, Utah, or Virginia, you may have similar privacy rights under applicable state laws (CPA, CTDPA, DPDPA, VCDPA, and similar statutes). These rights generally include the ability to know, delete, correct, and port your personal information, and to opt out of processing for targeted advertising and sales.

7.4 How to Exercise Your Rights

To exercise any of these rights, please submit a written request to privacy@aimwellbio.com or use our online request form. Include sufficient information to identify your account and describe your request. We will verify your identity and respond within the timeframe required by applicable law (typically 30-45 days). You may designate an authorized agent to make a request on your behalf, provided we receive proper authorization documentation.

7.5 Your Preferences

• Email Preferences: You can manage your communication preferences in your account settings or by clicking "unsubscribe" in any promotional email.
• Cookie Preferences: You can control cookie preferences through your browser settings and our Cookie Preference Center. See our Cookie Policy for details.
• Do Not Track Signals: Some browsers include a "Do Not Track" feature. Our Platform currently does not respond to Do Not Track signals, but we provide other mechanisms for you to control data collection.
• Location Data: You can control location data collection through your device settings.

8. International Data Transfers

AimwellBio is a United States-based company with servers and operations primarily located in the United States.

8.1 Transfers to the United States

If you access our Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States. The United States may not provide the same level of data protection as your home country. By using our Platform, you consent to this transfer.

8.2 Standard Contractual Clauses

For transfers of personal information from the European Union, European Economic Area, the United Kingdom, and Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as appropriate safeguards. We will make available copies of applicable SCCs upon request. We also comply with applicable adequacy and transfer mechanism requirements under UK and Swiss law.

8.3 Data Protection Impact

We implement supplementary technical and organizational measures to ensure an adequate level of protection for international transfers, including encryption, access controls, and contractual commitments with service providers.

9. Security Measures

We implement a comprehensive information security program designed to protect your personal information from unauthorized access, alteration, disclosure, and destruction.

9.1 Technical Security Controls

• Encryption: All data in transit is encrypted using industry-standard TLS/SSL protocols (minimum TLS 1.2). Sensitive data at rest is encrypted using AES-256 or equivalent algorithms.
• Access Controls: We implement role-based access controls (RBAC), principle of least privilege, and multi-factor authentication (MFA) for sensitive systems.
• Network Security: We use firewalls, intrusion detection/prevention systems, and network segmentation to protect infrastructure.
• Database Security: Databases are secured through encryption, access controls, activity monitoring, and regular backups.

9.2 Organizational Safeguards

• Personnel Training: All personnel handling personal information receive regular security and privacy training.
• Access Policies: We maintain strict policies limiting access to personal information to personnel with legitimate business needs.
• Confidentiality Agreements: All employees and contractors sign confidentiality and data protection agreements.
• Incident Response: We maintain an incident response plan to detect, investigate, and respond to security incidents.

9.3 Compliance and Auditing

• SOC 2 Compliance: We are committed to achieving and maintaining SOC 2 Type II certification to demonstrate our security and availability controls.
• Regular Assessments: We conduct periodic security assessments, penetration testing, and vulnerability scans.
• Audit Trails: We maintain comprehensive audit logs of access to and modifications of personal information.

9.4 Limitations

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any unauthorized access.

10. Children's Privacy

Our Platform is not directed to children under the age of sixteen (16), and we do not knowingly collect personal information from children under sixteen without parental consent. Our services are designed for biopharmaceutical professionals and organizations.

If we become aware that we have collected personal information from a child under sixteen without verifiable parental consent, we will promptly delete such information and notify the parent or guardian. Please contact us at privacy@aimwellbio.com if you have concerns about a child's information.

11. Third-Party Links and Services

Our Platform may contain links to third-party websites, applications, and services that are not operated by AimwellBio. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services before providing information or using their services.

If you use our Platform to integrate with third-party services (such as data providers, research tools, or analytical platforms), you are responsible for understanding and complying with those services' terms of use and privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on our website with an updated "Last Updated" date
• Sending you an email notification if the changes materially affect how we use your information
• Requesting your consent if required by applicable law

Your continued use of our Platform following the posting of changes constitutes your acceptance of the updated Privacy Policy. Please review this policy periodically to stay informed of any changes.

13. Contact Information

If you have questions about this Privacy Policy, concerns about our privacy practices, wish to exercise your rights, or have a complaint, please contact us at:

Privacy Officer

Email: privacy@aimwellbio.com
Mailing Address:
Aimwell Bioceutical Systems, Inc.
Attn: Privacy Officer
[Company Address]
[City, State ZIP Code]
United States

We will acknowledge your request within 5 business days and respond substantively within the timeframe required by applicable law.

EU/EEA Data Protection Authority Contacts

If you are located in the European Union or European Economic Area and have concerns about our privacy practices, you may lodge a complaint with your local data protection authority (supervisory authority). You can find contact information for your local authority at https://edpb.ec.europa.eu/about-edpb/members_en.

California Attorney General

California residents may contact the California Attorney General's Office for privacy-related complaints:
California Attorney General
300 South Spring Street
Los Angeles, CA 90013
United States

Version History: Version 1.0, Effective March 30, 2026