Data Controller and Data Processor

Nexus’s business customers are the data controllers for most of the information that is entered into the Nexus website or LIS (Lab Inventory Management System), and supporting systems to deliver services. This positions Nexus as the data processor for most information stored and processed by Nexus.

In the case of Nexus’s public website, there are some pieces of information that are collected directly by Nexus to facilitate security, logging, and website performance. These items include IP addresses, and behavior within the Nexus website. For these pieces of information, Nexus acts as the data controller and processor. Additionally, Nexus employs a variety of technologies and partners that periodically act as sub-processors (detailed list below). If users have any questions or concerns about the processing and handling of their personal information, they may reach out to Nexus directly by email at compliance@nexusmedlabs.com.

Types of Data Collected

The Nexus website and supporting applications collect the following types of personal data: cookies, usage data (e.g., page and link clicks, time on page), email address, phone number, first name, last name, province, state, country, ZIP/Postal code, city, address, and company name.

Complete details on each type of personal data collected are provided in the dedicated sections of this Privacy Policy or by specific explanation texts displayed before the data collection.

The Nexus website may collect personal data that the user may freely provide, or, in case of usage data, collect when using this website, the Nexus web application, and its supporting applications.

Users who are uncertain about which personal data is mandatory are welcome to contact Nexus at compliance@nexusmedlabs.com.

Any use of cookies–or other tracking tools–by the Nexus website, the Nexus web application, and its supporting applications serves the purpose of providing the service for which Nexus has been engaged, in addition to any other purposes described in the present document and the Cookie Policy.

Mode, Place, and Methods of Processing the Data

Nexus takes appropriate security measures to prevent unauthorized access, disclosure, modification, or data destruction.

Data is processed using computers or tech-enabled tools, following organizational policies and procedures strictly related to the purposes indicated. In some cases, data may be accessible to Nexus employees involved with the Nexus website’s operation, the Nexus web application (platform), and supporting applications. Data may also be accessible to external parties appointed, if necessary, as data processors or sub-processors by Nexus. External parties may include third-party technical service providers, hosting providers, and IT companies.

Legal Basis of Processing

Nexus may process personal data relating to users if one of the following applies:

• Users have given their consent for one or more specific purposes.

• Provision of data is necessary for the performance of an agreement with the user.

• Processing is necessary for compliance with a legal obligation.

• Processing is necessary for the legitimate interests pursued by the controller or by a third party.

In any case, Nexus will gladly help clarify the specific legal basis that applies to the processing, mainly whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract.

Place

The data is processed at Nexus’s operating offices, hosting facilities, and, for some data, third-party sub-processors. The majority of data is stored and processed within the United States. In some cases, data may be stored within the US or EU via third-party sub-processors.

Depending on the user’s location, data transfers may involve transferring the user’s data to a country other than their own. To find out more about the processing of such transferred data, users can consult the section containing details about the processing of personal data. Users are entitled to learn about cross-border data transfers. If any such transfer occurs, users can find out more by checking the relevant sections of this document or inquiring directly with Nexus.

Retention Time

Personal data is processed and stored for as long as required to fulfill the purpose for which it is collected.

Therefore:

• Personal data collected for the performance of a contract between Nexus and a business customer is retained until such contract has been entirely performed or the business customer asks for the data to be deleted.

• Personal data collected for Nexus’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding Nexus’s legitimate interests within the relevant sections of this document or by contacting Nexus.

Nexus may be allowed to retain personal information for a more extended period whenever the user has given consent to such processing, as long as such consent is not withdrawn. Furthermore, Nexus may be obliged to retain personal data for a more extended period whenever required to perform a legal obligation or upon order of an authority.

Once the retention period expires, the user’s personal data will be securely deleted.

The Purposes of Processing

The data concerning the user is collected to allow Nexus to provide its services, as well as for the following purposes: analytics, user database management, managing contacts and sending messages, handling payments, interaction with external social networks and platforms, remarketing and behavioral targeting, contacting the user, displaying content from external platforms, hosting and backend infrastructure, interaction with live chat platforms, and spam protection.

Users can find further detailed information about such purposes of processing and the specific personal data used for each purpose in the respective sections of this document.

Detailed Information on the Processing of Personal Data

Personal data is collected for the following purposes and using the following services and third parties:

Analytics

The services contained in this section enable Nexus to monitor and analyze web traffic and can be used to keep track of user behavior.

Google Analytics (Google Inc.)

Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the data collected to track and examine the use of this application, to prepare reports on its activities, and to share the reports with other Google services.

Google may use the data collected to contextualize and personalize the ads of its own advertising network.

Personal data collected: cookies and usage data.

Place of processing: US – Privacy Policy

Amazon Web Services (AWS) (Amazon)

Amazon Web Services is a hosting and backend service provided by Amazon.com Inc.

Personal data collected: various types of data as specified in the privacy policy of the service.

Place of processing: See the Amazon privacy policy – Privacy Policy.

Managing Contacts and Sending Messages

This type of service makes it possible to manage a database of email contacts, phone contacts, or any other contact information to communicate with the user.

These services may also collect data concerning the date and time when the message was viewed by the user and when the user interacted with it, such as by clicking on links included in the message.

Spam Protection

This type of service analyzes the traffic of the Nexus website and the Nexus application, potentially containing users’ personal data, with the purpose of filtering it from parts of traffic, messages, and content that are recognized as spam.

Details About the Right to Object to Processing

Where personal data is processed for the public interest, in the exercise of an official authority vested in Nexus or for the legitimate interests pursued by Nexus, users may object to such processing by providing a ground related to their particular situation to justify the objection.

However, users must know that should their personal data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Nexus is processing Personal Data for direct marketing purposes, users may refer to the relevant sections of this document.

How to Exercise These Rights

Any requests to exercise user rights can be directed to Nexus through the contact details provided in this document (privacy@nexusmedlabs.com). These requests can be exercised free of charge and will be addressed by Nexus as early as possible and always within one month.

Cookie Policy

The Nexus website and Nexus web application use cookies.

To learn more and for a detailed cookie notice, the user may consult the Cookie Policy.

Additional Information about Data Collection and Processing

Legal Action

Users’ personal data may be used for legal purposes by Nexus in court or the stages leading to possible legal action arising from improper use of this application or the related services. The users declare they are aware that Nexus may be required to reveal personal data upon request of public authorities.

Additional Information About Users’ Personal Data

In addition to the information contained in this privacy notice, this application may provide users with additional and contextual information concerning particular services or the collection and processing of personal data upon request.

System Logs and Maintenance

For operation and maintenance purposes, this application and any third-party services may collect files that record interaction with this application (e.g., system logs) using other personal data (e.g., IP Address) for this purpose.

Information Not Contained in This Notice

More details concerning the collection or processing of personal data may be requested from Nexus at any time. Users may use the contact information at the beginning of this document.

How “Do Not Track” Requests are Handled

This application does not support “Do Not Track” requests.

To determine whether any of the third-party services it uses honor “Do Not Track” requests, users should read their privacy policies.

Changes to This Privacy Notice

Nexus reserves the right to make changes to this privacy notice at any time by giving notice to users on this page and possibly within this application or–as far as technically and legally feasible–sending a notice to users via any contact information available to Nexus. Users are strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. Should the changes affect processing activities performed based on the users’ consent, Nexus shall collect new consent from the user where required.

Definitions and Legal References

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information—including a personal identification number—allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through this application (or obtained by services employed in this application)can include: the IP addresses or domain names of the computers utilized, the Uniform Resource Identifier (URI) addresses, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the users’ browser and operating system, the various time details per visit (e.g., the time spent on each page within the application), and the information on the path followed within the application with particular reference to the sequence of pages visited, and other parameters about the device operating system or the users’ IT environment.

User

The individual using this application who, unless otherwise specified, coincides with the data subject.

Data Subject

The natural person to whom the personal data refers.

Data Processor

The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, as described in this privacy notice.

Sub-Processor

This refers to any additional third party who processes personal data on behalf of the data processor in fulfilling contractual obligations and services.

Data Controller

The person, public authority, agency, or other body that determines the purposes and means of processing personal data, including the security measures concerning the operation and use of this application.

This Application

The information technology system that collects and processes the personal data of the user.

Service

The service provided by the Nexus platform or Nexus team.

European Union (EU)

Unless otherwise specified, all references made within this document to the European Union (EU) include all current member states to the European Union and the European Economic Area.

Cookies

Small piece of data stored on the user’s device.

Legal Information

This privacy notice has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

This privacy notice relates to the Nexus website, application, and supporting services unless otherwise stated within this document.