Data Protection

Controller and Scope

This Data Protection Notice describes how SES-CAB: Science, Evidence & Safety Clinical Advisory Board ("SES-CAB", "we", "us", or "our") processes personal data in connection with the website ses-cab.org and related services that provide evidence-based information on pharmaceuticals, medications, diseases, and supplements. SES-CAB is established in the United States of America and applies this Notice to all users, including patients and professionals. Where the EU/UK General Data Protection Regulation ("GDPR") applies, we process personal data in accordance with GDPR. We also provide disclosures required by U.S. federal and state privacy laws.

Identity and Contact Details of the Controller

Controller: SES-CAB: Science, Evidence & Safety Clinical Advisory Board

Owner: Cheryl Moran

Postal Address: 2901 Los Feliz Blvd, Los Angeles, CA 90039, United States of America

Email: [email protected]

Applicability and Relationship to U.S. Law

SES-CAB is based in the United States and complies with applicable U.S. privacy laws, including state privacy statutes where applicable. Where GDPR applies (for example, to certain individuals located in the EEA/UK in relation to our services), we provide the GDPR rights and information set out in this Notice, alongside U.S. privacy disclosures.

Categories of Personal Data Processed

  • Identification and Contact Data: name, email address, postal address, professional affiliation, and similar identifiers.
  • Account and Preference Data: account credentials, preferences, saved items, notification settings.
  • Communications Content: inquiries, feedback, survey responses, support requests, and related metadata.
  • Usage and Device Data: log files, IP address, browser type, device identifiers, pages viewed, time on page, referring/exit pages, and cookie identifiers.
  • Professional Data: role, specialty, organization, and interests relevant to pharmaceuticals and clinical information provided voluntarily.
  • Sensitive Personal Data (only if voluntarily provided): health-related information contained in inquiries or forms. We do not request protected health information and SES-CAB is not a HIPAA covered entity.
  • Inferences: insights derived from the above categories to improve content relevance, subject to applicable law.

Purposes of Processing

  • Service Delivery: to operate, maintain, and provide access to evidence-based drug, disease, and supplement information.
  • Communications: to respond to inquiries, send service notifications, and (with consent where required) send updates or newsletters.
  • Safety and Security: to detect, prevent, and investigate fraud, abuse, and security incidents.
  • Analytics and Improvement: to analyze usage, improve site performance, and enhance content relevance and accessibility.
  • Compliance and Governance: to comply with legal obligations, enforce terms, and exercise or defend legal claims.
  • Research and Statistics: to produce aggregated or de-identified insights about therapies, guidelines, and best practices.

Lawful Bases for Processing under GDPR (where applicable)

  • Performance of a Contract: to provide requested services, manage accounts, and respond to user requests.
  • Legitimate Interests: to secure our services, prevent abuse, perform analytics, improve content, and engage in limited direct communications, balanced against data subject interests and rights.
  • Consent: for non-essential cookies/analytics, newsletters/marketing communications, and any processing of sensitive personal data that a user voluntarily submits.
  • Legal Obligation: to comply with applicable laws, regulatory requirements, and lawful requests.

Notice at Collection and U.S. State Privacy Disclosures

We collect the categories of personal information described above for the purposes stated in this Notice. We retain personal information only as long as reasonably necessary for the purposes described, including to meet legal, accounting, or reporting requirements.

  • Sale/Sharing of Personal Information: We do not sell personal information and do not share personal information for cross-context behavioral advertising/targeted advertising as defined by applicable U.S. state privacy laws.
  • Sensitive Personal Information: If you voluntarily provide health-related information, we use it solely to provide requested services or as otherwise permitted by law. We do not use or disclose sensitive personal information to infer characteristics about you.
  • Non-Discrimination: We do not discriminate against individuals for exercising privacy rights.
  • Do Not Track and Global Privacy Control: We do not sell or share personal information. If this changes, we will honor applicable opt-out preference signals to the extent required by law.

Data Sources

  • Directly from you: information you provide via forms, emails, or account settings.
  • Automatically: through cookies and similar technologies when you interact with our website.
  • Service Providers and Partners: hosting, analytics, email delivery, and security providers acting on our behalf.
  • Public or Professional Sources: publicly available records or professional directories where permitted by law.

Disclosures to Third Parties

We disclose personal data only as necessary for the purposes described above:

  • Service Providers/Processors: hosting, analytics, security, and support providers under contractual obligations to process data solely on our instructions.
  • Professional Advisors: lawyers, auditors, and insurers under confidentiality obligations.
  • Legal and Compliance: to comply with law, enforce terms, or protect rights, safety, and property.
  • Corporate Transactions: in the event of a merger, acquisition, or asset transfer, subject to appropriate safeguards.
  • Aggregated/De-identified Data: which does not identify individuals.

International Data Transfers

Data may be processed and stored in the United States. Where GDPR applies and data are transferred from the EEA/UK/Switzerland to the United States, we rely on appropriate safeguards such as standard contractual clauses and implement supplementary technical and organizational measures as appropriate.

Cookies and Similar Technologies

We use cookies and similar technologies to enable core functionality, measure site performance, and improve content. Non-essential cookies are used only with consent where required by law. You can manage cookie preferences through your browser settings and, where available, on-site preference tools. Disabling certain cookies may limit functionality.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, or reporting requirements, to maintain business records, and to resolve disputes. Retention periods vary based on data category, purpose, legal obligations, and our legitimate interests.

Security Measures

We implement appropriate administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Children's Data

Our services are not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it. Parents or guardians who believe their child has provided personal information may contact us at [email protected].

Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning individuals.

GDPR Rights (where applicable)

Subject to conditions and exceptions under GDPR, you may have the following rights:

  • Access: to obtain confirmation and a copy of your personal data.
  • Rectification: to correct inaccurate or incomplete data.
  • Erasure: to request deletion in certain circumstances.
  • Restriction: to limit processing in certain circumstances.
  • Portability: to receive data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Objection: to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw Consent: where processing is based on consent, without affecting prior lawful processing.

How to Exercise GDPR Rights

Submit a request via email to [email protected]. We may need to verify your identity before fulfilling your request. We will respond within one month, extendable as permitted by law due to complexity or volume.

U.S. State Privacy Rights

Depending on your state of residence, you may have rights to:

  • Know/Access: the categories and specific pieces of personal information we have collected about you.
  • Correct: inaccurate personal information.
  • Delete: personal information, subject to exceptions.
  • Portability: receive a copy of certain information in a portable format.
  • Opt Out: of sale, sharing, or targeted advertising (we do not sell or share personal information as defined by law).
  • Limit Use/Disclosure of Sensitive Personal Information: where applicable.
  • Appeal: if we deny your request (for states providing an appeal right).

How to Exercise U.S. Rights

Email us at [email protected] with your request and state of residence. We will verify your identity using reasonable methods (e.g., matching information you provide with records we maintain). Authorized agents may submit requests on your behalf where permitted by law, subject to verification and proof of authorization. We will respond within 45 days, extendable as permitted by law.

Processors and Subprocessors

We engage carefully selected service providers to process personal data on our behalf under contractual terms requiring confidentiality, security, and use solely per our instructions.

Data Protection Officer and EU/UK Representative

We have not appointed a Data Protection Officer or EU/UK representative because we are not required to do so under current circumstances. You may contact us with any privacy inquiry at [email protected].

Complaints

If you believe your rights have been infringed, please contact us at [email protected]. Where GDPR applies, you may also lodge a complaint with a competent supervisory authority. Residents of U.S. states with privacy laws may contact their state attorney general or designated authority.

Changes to This Notice

We may update this Notice from time to time to reflect legal, technical, or business developments. We will post the updated version on this page and adjust the effective date below. Material changes will be indicated in a manner consistent with applicable law.

Effective Date

September 15, 2025
