Comprehensive General Privacy Policy

Anspar Foundation
Version 1.0
Last Updated: November 27, 2025

1. Introduction

1.1 About Anspar Foundation

Anspar Foundation ("Anspar," "we," "us," or "our") is a technology development organization that builds applications and systems for healthcare, research, and charitable purposes. We work with partner organizations, including patient advocacy foundations, research institutions, and healthcare providers, to develop technology solutions that advance health outcomes and scientific understanding.

1.2 Purpose of This Policy

This Comprehensive General Privacy Policy ("Policy") describes how Anspar Foundation collects, uses, shares, protects, and retains personal information across all our activities, projects, and services. This Policy applies to:

• Our website(s) and online services
• Applications and software we develop
• Research projects and clinical studies we support
• Interactions with donors, partners, and collaborators
• Employment and contractor relationships

1.3 Modular Policy Structure

This Policy establishes our foundational privacy framework. Because we engage in diverse projects with varying data collection requirements, we use a modular structure:

Comprehensive General Privacy Policy (This Document): Establishes core principles, rights, security standards, and governance that apply to all Anspar activities.

Concise General Privacy Policy: A summary document containing the essential Policy information necessary to comply with GDPR and other regulations.

Project Privacy Addenda: Supplemental documents that specify project-specific data collection, use, sharing, and retention practices. Each addendum incorporates this Policy by reference.

When you use a specific Anspar project or service, both this Policy and any applicable Project Privacy Addendum govern your information. In the event of a conflict between this Policy and a Project Privacy Addendum, the Project Privacy Addendum controls for that specific project, except that a Project Privacy Addendum may not reduce the core protections and rights established in Sections 6 (Your Rights), 7 (Data Security), and 14 (Complaints) of this Policy.

1.4 Regulatory Compliance Framework

This Policy is designed to comply with applicable privacy and data protection laws, including:

• United States Federal Laws: Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health (HITECH) Act; FDA regulations including 21 CFR Part 11
• European Union Laws: General Data Protection Regulation (GDPR) (EU) 2016/679; Clinical Trial Regulation (EU) No 536/2014; EU GMP Annex 11
• California Laws: California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA); California Confidentiality of Medical Information Act (CMIA)
• Other U.S. State Laws: Virginia, Colorado, Connecticut, and other state privacy laws as applicable

Specific regulatory requirements for individual projects are detailed in the applicable Project Privacy Addenda.

1.5 Transferability and Successor Organizations

Anspar Foundation frequently develops technology in partnership with or under contract to other organizations. This Policy is designed to ensure continuity when:

• A project or its technology is transferred to a partner organization
• Anspar's role changes from developer to supporter, or vice versa
• Organizational restructuring occurs

Upon any such transfer, existing consents and authorizations remain valid, the successor organization assumes all applicable obligations, and users are notified but are not required to provide new consent for the transfer itself.

2. Definitions

The following definitions apply throughout this Policy and all Project Privacy Addenda:

"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes "Personal Data" as defined under GDPR.

"Protected Health Information (PHI)" means individually identifiable health information transmitted or maintained in any form or medium, as defined under HIPAA.

"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined under GDPR Article 9.

"Sensitive Personal Information" means (under CCPA/CPRA) Personal Information that reveals social security number, driver's license number, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of communications, genetic data, biometric information, health information, or sex life/sexual orientation information.

"Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Data Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

"Business Associate" means a person or entity that performs certain functions or activities involving the use or disclosure of Protected Health Information on behalf of, or provides services to, a Covered Entity, as defined under HIPAA.

"Project" means any application, service, research study, or other initiative undertaken by Anspar Foundation, whether independently or in partnership with other organizations.

"Project Privacy Addendum" means a supplemental privacy document that specifies data practices for a particular Project and incorporates this General Privacy Policy by reference.

3. Information We Collect

3.1 General Categories

Across our activities, Anspar Foundation may collect the following general categories of information. We endeavor to collect only the minimal information necessary to fulfill the service requested. Specific data elements collected for each Project are detailed in the applicable Project Privacy Addendum.

3.1.1 Identity and Contact Information

• Name, email address, postal address, phone number
• Account credentials and authentication information
• Professional or organizational affiliation

3.1.2 Health and Medical Information

For Projects involving health applications or research:

• Patient-reported health data and outcomes
• Medical history and treatment information
• Clinical trial data and assessments
• Quality of life measurements

3.1.3 Technical and Device Information

• Device type, operating system, browser type
• IP address and general location information
• Usage patterns and interaction data
• Error logs and diagnostic information
• Cookies and similar tracking technologies

3.1.4 Financial and Transactional Information

For donors, partners, or vendors:

• Donation history and payment information
• Billing and invoicing details
• Tax-related information as required by law

3.1.5 Communications

• Correspondence with Anspar staff
• Survey responses and feedback
• Support requests and inquiries

3.2 Collection Methods

We collect information through:

• Direct provision: Information you provide when creating accounts, making donations, participating in research, or contacting us
• Automated collection: Technical data collected automatically through cookies, logs, and similar technologies
• Third parties: Information from partner organizations, healthcare providers (with consent), or public sources

3.3 Project-Specific Data Collection

The specific data elements collected for each Project are detailed in the applicable Project Privacy Addendum. Before using any Anspar Project, please review both this Policy and the Project-specific Addendum.

4. How We Use Your Information

4.1 General Purposes

We use Personal Information for the following general purposes across all Projects:

4.1.1 Service Delivery

• Providing, maintaining, and improving our applications and services
• Processing transactions and managing accounts
• Responding to inquiries and providing support
• Personalizing user experience

4.1.2 Research and Development

• Conducting and supporting scientific research
• Developing new features, products, and services
• Analyzing usage patterns to improve user experience
• Generating aggregate insights and statistics

4.1.3 Communications

• Sending service-related notices and updates
• Providing newsletters and educational content (with consent)
• Responding to your requests and feedback

4.1.4 Legal and Compliance

• Complying with legal obligations and regulatory requirements
• Protecting our rights, privacy, safety, or property
• Enforcing our terms and policies
• Preventing fraud and security threats

4.2 Legal Bases for Processing (GDPR)

Under the GDPR, we process Personal Data based on the following legal grounds:

• Consent (Article 6(1)(a)): Where you have given explicit consent for specific processing purposes
• Contract Performance (Article 6(1)(b)): Where processing is necessary to provide services you have requested
• Legal Obligation (Article 6(1)(c)): Where processing is required by applicable law
• Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests and does not override your rights
• Vital Interests (Article 6(1)(d)): Where processing is necessary to protect someone's life

For Special Categories of Personal Data (including health data), we rely on additional legal bases under Article 9, including explicit consent (Article 9(2)(a)) and scientific research purposes (Article 9(2)(j)) with appropriate safeguards.

4.3 Project-Specific Uses

Specific purposes for each Project are detailed in the applicable Project Privacy Addendum.

5. How We Share Your Information

5.1 Categories of Recipients

We may share your information with the following categories of recipients:

5.1.1 Partner Organizations (Opt-In Only)

We do not share your Personal Information with partner organizations by default. Data sharing with partner organizations occurs only when you affirmatively request a service that requires such sharing, and only after you provide explicit consent through a clear consent process.

Types of partner organizations we may work with include:

• Patient Advocacy Foundations: Organizations focused on specific health conditions that may offer patient support services, educational resources, or research programs you choose to participate in
• Research Institutions: Academic or scientific organizations conducting research studies you voluntarily enroll in
• Healthcare Providers: Medical professionals or facilities you direct us to share your information with
• Clinical Trial Sponsors: Pharmaceutical or biotechnology companies conducting clinical trials you choose to participate in

Consent Process: Before any data is shared with a partner organization, you will be presented with a specific consent request that identifies: (1) the partner organization, (2) the specific data to be shared, (3) the purpose of the sharing, and (4) any additional terms. You may decline without affecting your use of our core services.

5.1.2 Service Providers

We engage trusted service providers who assist in our operations:

• Cloud hosting and data storage providers
• Security and monitoring services
• Payment processors
• Analytics providers
• Customer support services

All service providers are bound by contractual obligations (including Business Associate Agreements under HIPAA and Data Processing Agreements under GDPR) that require them to protect your information and limit its use.

5.1.3 Regulatory and Legal Authorities

We may disclose information when required by law or to:

• Comply with legal process (subpoenas, court orders, warrants)
• Respond to regulatory inquiries (FDA, EMA, HHS)
• Protect rights, property, or safety
• Support public health or safety purposes

5.1.4 Successor Organizations

In the event of a merger, acquisition, reorganization, or transfer of assets, your information may be transferred to a successor entity that agrees to be bound by the terms of this Policy.

5.2 No Sale of Personal Information

Anspar Foundation does not sell Personal Information. We do not share data for third-party advertising purposes. Any data sharing is conducted solely for the purposes described in this Policy and applicable Project Privacy Addenda.

5.3 Project-Specific Sharing

Specific data sharing arrangements for each Project are detailed in the applicable Project Privacy Addendum. All partner organization sharing remains opt-in and requires your explicit consent before any data is shared.

6. Your Rights

6.1 Universal Rights

Regardless of your location, you have the right to:

• Access: Request information about what Personal Information we hold about you
• Correction: Request correction of inaccurate information
• Opt-out of marketing: Unsubscribe from promotional communications
• Non-discrimination: Exercise your privacy rights without facing discrimination

6.2 Rights Under HIPAA (U.S. Residents)

If you are a U.S. resident and we maintain your Protected Health Information:

• Right to inspect and obtain a copy of your PHI
• Right to request amendments to your PHI
• Right to an accounting of disclosures
• Right to request restrictions on uses and disclosures
• Right to request confidential communications
• Right to a paper copy of this notice

6.3 Rights Under GDPR (EEA Residents)

If you are in the European Economic Area:

• Access (Art. 15): Obtain confirmation and access to your Personal Data
• Rectification (Art. 16): Correct inaccurate Personal Data
• Erasure (Art. 17): Request deletion under certain circumstances
• Restriction (Art. 18): Limit processing in certain situations
• Portability (Art. 20): Receive your data in a structured, machine-readable format
• Objection (Art. 21): Object to certain processing types
• Withdraw Consent (Art. 7): Withdraw consent at any time
• Lodge Complaint (Art. 77): File a complaint with a supervisory authority

6.4 Rights Under California Law

California residents have the following rights under CCPA/CPRA:

• Right to Know: Learn what Personal Information is collected, used, shared
• Right to Delete: Request deletion of your Personal Information
• Right to Correct: Request correction of inaccurate information
• Right to Opt-Out: Opt out of sale/sharing (Note: We do not sell data)
• Right to Limit: Limit use of Sensitive Personal Information
• Non-Discrimination: Not be discriminated against for exercising rights

6.5 Exercising Your Rights

To exercise any rights, contact us using the information in Section 13. We will respond within applicable timeframes:

• HIPAA: 30 days (extendable by 30 days)
• GDPR: 1 month (extendable by 2 months)
• CCPA/CPRA: 45 days (extendable by 45 days)

6.6 Limitations on Rights

Certain rights may be limited where permitted by law, including for clinical trial data integrity, regulatory compliance, or legal obligations. Any limitations are specified in the applicable Project Privacy Addendum.

7. Data Security

7.1 Security Safeguards

We implement comprehensive safeguards to protect your information:

7.1.1 Technical Safeguards

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication including multi-factor authentication
• Role-based access controls
• Automated audit logging and intrusion detection
• Regular security assessments and penetration testing
• Secure software development practices

7.1.2 Administrative Safeguards

• Designated Privacy Officer and Security Officer
• Workforce training on privacy and security
• Background checks for personnel with data access
• Documented policies and procedures
• Vendor due diligence and contractual protections
• Incident response and breach notification procedures

7.1.3 Physical Safeguards

• Secure data center facilities
• Workstation security
• Media disposal procedures

7.2 Breach Notification

In the event of a security breach:

• HIPAA: Notification within 60 days of discovery
• GDPR: Notification to authority within 72 hours; to individuals when high risk
• State Laws: In accordance with applicable state requirements

8. Data Retention

8.1 General Retention Principles

We retain Personal Information only as long as necessary for the purposes described in this Policy, to comply with legal obligations, resolve disputes, and enforce agreements.

8.2 Standard Retention Periods

• Account Information: Life of account plus 3 years
• Health Data (non-clinical trial): Active account plus 7 years
• Transaction Records: 7 years for tax and accounting purposes
• Technical Logs: 1 year for operational purposes
• Communications: 3 years from last communication

8.3 Extended Retention for Regulatory Compliance

Certain data is subject to extended retention as required by regulation, including clinical trial data (up to 25 years under EU Clinical Trial Regulation) and FDA-regulated records. Extended retention requirements are specified in applicable Project Privacy Addenda.

8.4 Deletion and Anonymization

When data is no longer required, we securely delete or anonymize it. Anonymized data that cannot be linked to individuals may be retained indefinitely for research and statistical purposes.

9. International Data Transfers

9.1 Data Location

Anspar Foundation is based in the United States. Your data may be processed and stored in the United States and potentially other countries where our service providers operate.

9.2 Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection, we use:

• Standard Contractual Clauses (SCCs): Approved by the European Commission
• EU-U.S. Data Privacy Framework: Where applicable
• Supplementary Measures: Additional technical and organizational protections
• Explicit Consent: Where other mechanisms are unavailable

10. Cookies and Tracking Technologies

10.1 Types of Cookies

Our websites and applications may use:

• Essential Cookies: Required for site functionality and security
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our services

10.2 Your Choices

You can manage cookies through your browser settings. Note that disabling certain cookies may affect functionality. We honor Global Privacy Control (GPC) signals.

11. Children's Privacy

Our general services are not intended for children under 13 (or 16 in certain EU jurisdictions). We do not knowingly collect Personal Information from children without appropriate parental consent.

For Projects involving pediatric participants (such as clinical research), appropriate consent mechanisms are implemented as required by applicable law and specified in the Project Privacy Addendum.

12. Changes to This Policy

We may update this Policy periodically. When we make material changes:

• We will update the "Last Updated" date
• We will post notice on our website
• We may notify you via email for significant changes
• For regulated Projects, we will follow applicable notification requirements

Your continued use of our services after notice constitutes acceptance of the updated Policy.

13. Contact Information

General Privacy Inquiries:

Anspar Foundation
Attention: Privacy Officer
Email: privacy@anspar.org

Data Protection Officer:
Email: dpo@anspar.org

EU Representative (for GDPR):
[To be designated when applicable]

14. Complaints

If you have concerns about how we handle your data:

• Internal: Contact our Privacy Officer or Data Protection Officer
• HIPAA: U.S. Department of Health and Human Services Office for Civil Rights
• GDPR: Your local data protection supervisory authority
• CCPA: California Privacy Protection Agency or California Attorney General

We will not retaliate against you for filing a complaint.

Appendix A: Project Privacy Addendum Framework

Each Project Privacy Addendum should address the following elements:

A.1 Required Addendum Elements

• Project Identification: Name, version, effective date
• Scope: Who the addendum applies to
• Data Controller(s): Identify the Data Controller(s) for the Project
• Data Elements: Specific list of data collected
• Purposes: Project-specific purposes for data use
• Sharing: Project-specific data sharing arrangements
• Retention: Project-specific retention periods
• Special Regulatory Requirements: E.g., FDA, clinical trial regulations
• Rights Limitations: Any permitted limitations on data subject rights
• Contact Information: Project-specific privacy contacts

A.2 Incorporation Clause

Each Project Privacy Addendum must include the following incorporation clause:

This Project Privacy Addendum supplements and incorporates by reference the Anspar Foundation General Privacy Policy (Version [X], Effective [Date]). In the event of conflict between this Addendum and the General Privacy Policy, this Addendum controls for this Project, except that this Addendum may not reduce the core protections established in Sections 6 (Your Rights), 7 (Data Security), and 14 (Complaints) of the General Privacy Policy.

Appendix B: Regulatory Glossary

21 CFR Part 11: FDA regulations on electronic records and signatures.

CCPA/CPRA: California Consumer Privacy Act as amended by California Privacy Rights Act.

Clinical Trial Regulation (EU) No 536/2014: EU regulation on clinical trials for medicinal products.

EU Annex 11: EU GMP guidelines for computerized systems.

GDPR: General Data Protection Regulation (EU) 2016/679.

HIPAA: Health Insurance Portability and Accountability Act of 1996.

HITECH Act: Health Information Technology for Economic and Clinical Health Act.

ICH-GCP: International Council for Harmonisation Good Clinical Practice.

Appendix C: Document Control

Version History:

Version 1.0 – November 27, 2025 – Initial Release

Review Schedule:

This Policy shall be reviewed at least annually and updated as necessary.