Last Updated:  August 15, 2025

1. Introduction

Welcome to Joined Bio, Inc. (“We,” “Our,” or “Us”).  We respect your (“You”, “Your”) privacy and are committed to protecting Your personal information.  This Privacy Policy explains how We collect, use, disclose, and safeguard Your information when You visit Our Websites (www.joinedbio.com, www.joined.bio, www.biosampleconnect.com, and other web properties We own) and use Our Patient Portal services.

This Privacy Policy applies to both Our publicly accessible Websites and Our secure, password-protected Patient Portal.  Different levels of privacy protections apply depending on how You interact with Our services.

Important Note About Health Information:  This Privacy Policy covers Personal Information and general account data only.  Health Information collection, use, sharing, retention, and deletion are governed by Our separate “Authorization for the Collection, Use, and Sharing of Health Information” document (Health Data Consent).  If You choose to participate in research matching through Our Patient Portal, You must sign Our separate Health Data Consent, which takes precedence over this Privacy Policy for all Health Information matters.

2. Definitions

• “Website” refers to Our publicly accessible web properties.
• “Patient Portal” refers to Our secure, password-protected online platform accessible only to registered users.
• “Services” refers to both the Website and Patient Portal collectively.
• “Health Information” refers to information about Your health, medical conditions, treatments, and related data.
• “Personal Information” refers to information that identifies You personally but excludes Health Information.

3. How We Collect Information

3.1   Information You Provide to Us

 On Our Website:

• Name, email address, phone number;
• Company name or affiliation;
• Messages and inquiries through contact forms; and
• Any other information You choose to provide.

In Our Patient Portal:

• Account registration information (name, email, phone, date of birth);
• Communication preferences (email, phone, text message);
• Account security information (username, password);
• Profile information and preferences;
• Research study preferences and settings; and
• Support requests and correspondence.

3.2   Information We Collect Automatically

When You visit Our Website or use Our Patient Portal, We automatically collect:

• IP address and device identifiers;
• Browser type and version;
• Operating system information;
• Pages viewed and time spent on pages;
• Referring website addresses;
• Date and time of access; and
• Usage patterns and navigation data.

3.3   Health Information

Health Information is collected and handled exclusively under Our separate Health Data Consent document.  We do not collect Health Information under this Privacy Policy.

4. How We Use Your Information

4.1   Website Information

We use information collected through Our Website to:

• Respond to Your inquiries and contact requests;
• Provide and maintain Our website functionality;
• Analyze website usage and improve Our services;
• Send You information about Our services (with Your consent);
• Detect, prevent, and address technical issues; and
• Comply with legal obligations.

4.2   Patient Portal Information

We use Patient Portal information to:

• Create and manage Your secure account;
• Authenticate Your identity and provide secure access;
• Communicate with You via Your preferred contact methods;
• Enable You to browse research opportunities;
• Manage Your account preferences and settings;
• Provide customer support;
• Improve Our Patient Portal functionality;
• Send account-related notifications and updates; and
• Comply with legal and regulatory requirements.

4.3  Communication Preferences

By creating a Patient Portal account, You consent to receive communications from Us via Your specified preferred contact methods, which may include email, phone calls, text messages, and electronic communications through the Patient Portal.  You may update Your communication preferences at any time through Your account settings.

5. Information Sharing and Disclosure

5.1   General Sharing Practices

We do not sell, trade, or rent Your Personal Information to third parties.  We may share Your Personal Information only in the following circumstances:

Service Providers:  With trusted third-party service providers who assist in Our operations, such as:

• Cloud hosting and data storage providers;
• Email and communication service providers;
• Analytics and website optimization services;
• Customer support platforms; and/or
• Payment processors (for research compensation).

All service providers are bound by contractual obligations to protect Your information and use it only for the purposes We specify.

Legal Requirements:  When required by law, regulation, or legal process, or to:

• Comply with a subpoena, court order, or government request;
• Protect Our rights, property, or safety, or that of Our users;
• Investigate potential violations of our Web Terms of Use; and/or
• Respond to claims of fraud or illegal activity.

Business Transfers:  In connection with any merger, sale, or transfer of Our company or assets, subject to the same privacy protections.

6. Data Security

We implement comprehensive technical, administrative, and physical security measures to protect Your information, including:

• HIPAA-Grade Security:  We maintain security standards consistent with HIPAA requirements, even though We may not be a covered entity for all services;
• Encryption:  Data encryption in transit;
• Access Controls:  Strict access controls and authentication measures;
• Regular Security Assessments:  Ongoing security monitoring and updates;
• Employee Training:  Regular privacy and security training for all personnel; and
• Secure Infrastructure:  Use of secure, SOC 2-compliant hosting providers.

Patient Portal Additional Protections:  Patient Portal data receives enhanced security protections, including secure login protocols and isolated data storage systems.  While We implement strong security measures, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.  We regularly work to improve Our security practices and promptly address any potential vulnerabilities.

7. Data Retention

Website Data:  We retain information collected through Our Website for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

Patient Portal Account Data:  We retain Patient Portal account information for as long as Your account remains active, plus any additional period required by law or for legitimate business purposes.

Account Deletion:  When You delete Your Patient Portal account, we will delete Your Personal Information in accordance with Our Web Terms of Use and applicable legal requirements.  Some information may be retained for legal, regulatory, or security purposes as described in Our Web Terms of Use.

Health Information:  Health Data retention is handled exclusively under Our separate Health Data Consent document.

8. Your Rights and Choices

8.1   Access and Control

You have the right to:

• Access Your Personal Information we hold about You;
• Correct inaccurate or incomplete information;
• Update Your account information and communication preferences;
• Delete Your account and associated Personal Information;
• Object to certain processing of Your information;
• Request data portability where technically feasible; and
• Withdraw consent where processing is based on consent.

8.2   Communication Preferences

You can control how we communicate with You by:

• Updating your preferences in your Patient Portal account settings;
• Following unsubscribe instructions in emails; and/or
• Contacting Us directly at privacy@joined.bio.

8.3   Patient Portal Account Management

Through Your Patient Portal account, You can:

• View and update Your account information;
• Manage Your communication preferences;
• Control Your research study preferences; and/or
• Delete Your account and data.

9. State-Specific Privacy Rights

9.1   All State Residents

Joined Bio complies with all applicable state privacy laws and provides privacy protections consistent with the highest standards required by state laws, regardless of Your state of residence.

9.2   Specific State Laws

If You are a resident of any state with specific privacy legislation, You may have additional rights under Your state’s laws, including:

• Right to know what Personal Information We collect and how We use it;
• Right to delete Personal Information We have collected;
• Right to correct inaccurate Personal Information;
• Right to opt out of certain data processing activities;
• Right to data portability; and/or
• Right to non-discrimination for exercising Your privacy rights.

To exercise any rights under state privacy laws, please contact Us at privacy@joined.bio.

9.3   European Union (“EU”) and European Economic Area (“EEA”) Residents

If You are located in the EU or EEA, this section applies to You in addition to the other provisions of this Privacy Policy.

Legal Basis for Processing

Under the General Data Protection Regulation (“GDPR”), we process Your personal data based on the following legal grounds:

• Consent: When You provide explicit consent for specific processing activities, such as marketing communications or optional features;
• Contract Performance: To provide Our Patient Portal services and fulfill Our obligations under Our Web Terms of Use;
• Legitimate Interests: For Our legitimate business interests, including:
  • Improving and optimizing Our website and services;
  • Ensuring security and preventing fraud;
  • Analyzing usage patterns to enhance user experience;
  • Communicating about service updates and important information;
• Legal Obligation:  To comply with applicable laws, regulations, and legal processes; and
• Vital Interests:  To protect someone’s life or physical safety in emergency situations.

Your Rights Under GDPR

In addition to the rights described elsewhere in this Privacy Policy, EU/EEA residents have the following rights:

• Right to Access:  Request a copy of the personal data We hold about You;
• Right to Rectification:  Request correction of inaccurate or incomplete personal data;
• Right to Erasure:  Request deletion of Your personal data under certain circumstances;
• Right to Restrict Processing:  Request that We limit how We use Your personal data;
• Right to Data Portability:  Request Your personal data in a structured, commonly used, machine-readable format;
• Right to Object:  Object to processing based on legitimate interests or for direct marketing purposes;
• Right to Withdraw Consent:  Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing based on consent before its withdrawal); and
• Right to Lodge a Complaint:  File a complaint with Your local data protection supervisory authority.

How to Exercise Your Rights

To exercise any of these rights, please contact Us at privacy@joined.bio. We will respond to your request within one (1) month, though this may be extended by two (2) additional months for complex requests.

International Data Transfers

When We transfer Your personal data outside the EU/EEA (including to the United States), We ensure appropriate safeguards are in place:

• Standard Contractual Clauses:  We use Standard Contractual Clauses approved by the European Commission with Our service providers;
• Adequacy Decisions:  We may transfer data to countries that have received adequacy decisions from the European Commission; and
• Additional Safeguards:  We implement supplementary measures as necessary to ensure Your data receives adequate protection.

Data Retention for EU/EEA Residents

We retain Your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Website Contact Forms:  Three (3) years from last contact or until You request deletion;
• Patient Portal Accounts:  For the duration of Your active account plus seven (7) years for regulatory compliance, unless You request earlier deletion;
• Marketing Communications:  Until You unsubscribe or withdraw consent; or
• Legal Compliance:  As required by applicable EU or member state law.

 

Supervisory Authority

You have the right to lodge a complaint with the data protection supervisory authority in Your EU member state. A complete list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en.

Data Protection Contact

For questions specifically related to GDPR compliance or to exercise your rights as an EU/EEA resident, please contact Us at:

Email:  privacy@joined.bio

Subject Line: “GDPR Inquiry – [Your Specific Request]”

Mail:
Joined Bio, Inc.

450 Bedford Street

Suite 2100

Lexington, MA 02420

USA

Attention:  GDPR Compliance

 

10. Cookies and Tracking Technologies

10.1  Website Cookies

Our Website uses cookies and similar tracking technologies to:

• Enhance Your browsing experience;
• Analyze website usage and performance;
• Remember Your preferences; and
• Provide relevant content and features.

10.2  Patient Portal Tracking

Our Patient Portal uses essential cookies and tracking technologies to:

• Maintain Your secure login session;
• Remember Your preferences and settings;
• Ensure platform security and functionality; and
• Analyze usage to improve Our services.

10.3  Your Cookie Choices

You can control cookie preferences through Your browser settings; however, disabling certain cookies may limit Your ability to use some features of Our Services.

11. Children’s Privacy

Our Services are not directed to individuals under eighteen (18) years of age.  We do not knowingly collect Personal Information from children under eighteen (18).  If We learn We have collected information from a child under eighteen (18), We will delete that information promptly.  If You believe We have collected information from a child under eighteen (18), please contact Us immediately.

Exception:  Our Patient Portal may be accessed by authorized representatives or legal guardians of patients, as specified in Our Web Terms of Use.

12. International Data Processing

For EU/EEA Residents:  Please see Section 9.3 above for specific information about Your rights and how We handle international transfers of Your data.  If You are accessing Our Services from outside the United States, please be aware that Your information may be transferred to, stored, and processed in the United States and other countries where Our servers and service providers are located.  These countries may have different data protection laws than Your country of residence. By using Our Services, You consent to this transfer and processing.

13. Relationship to Other Documents

This Privacy Policy works together with Our other legal documents:

• Web Terms of Use:  Governs Your use of Our Services and includes additional privacy-related terms.
• Health Data Consent:  Governs all Health Information collection, use, and sharing for research purposes.
• Study-Specific Informed Consent:  Governs participation in individual research studies.

In case of conflicts between or among documents:

1. Health Data Consent takes precedence for Health Information matters;
2. Study-specific consents take precedence for individual study participation;
3. Web Terms of Use govern service usage and account matters; and
4. This Privacy Policy governs Personal Information not covered by other documents.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in Our practices, technology, legal requirements, or other factors.  When We make changes:

• We will update the “Last Updated” date at the top of this Privacy Policy.
• For Patient Portal users, We will send email notification to Your registered email address for material changes.
• Your continued use of Our Services after changes become effective means You accept the updated Privacy Policy.

For EU/EEA Residents:  For material changes affecting EU/EEA residents, We will provide notice and, where required by law, obtain Your consent before the changes take effect.

We encourage You to review this Privacy Policy periodically to stay informed about how We protect your information.

15. Contact Us

If You have questions, concerns, or requests regarding this Privacy Policy or Our privacy practices, please contact Us at:

Joined Bio

450 Bedford Street

Suite 2100

Lexington, MA 02420

USA

Email:  privacy@joined.bio

For technical support with the Patient Portal, please contact Us at: techsupport@joined.bio.

For questions about Health Information or research participation, please refer to Our Health Data Consent document or contact Us at the above address.

By using Our Services, You acknowledge that You have read, understood, and agree to this Privacy Policy.