Privacy Notice

1.   Introduction and Scope

This privacy notice explains how Avacta Therapeutics collects, uses, stores, shares and protects personal data in connection with our business operations, including through our website at www.avacta.com (the “Site”).

Our registered office is at Scale Space, White City, Imperial College Campus, 58 Wood Lane, London, W12 7RZ, UK. We can be contacted at contact@avacta.com or on +44 (0) 20 3911 0353. Our Data Protection Officer can be contacted at DPO@avacta.com.

We are committed to handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For the purposes of data protection law, we are the controller of the personal data described in this notice.

2.   Who Does This Notice Apply To?

This notice applies to the processing of personal data of the following categories of individuals with whom we interact during the course of our business:

  • Website visitors: individuals who browse our Site or submit enquiries.
  • Business contacts and correspondents: individuals who correspond with us by email, telephone or post or whom we interact with in a professional capacity.
  • Shareholders and investors: individuals who hold shares in or invest in the company and their representatives.
  • Job applicants: individuals who apply for positions with us, whether directly or through a recruitment agency.
  • Suppliers and service providers: individuals who work for organisations that supply products or services to us, including contractors, consultants and freelancers.
  • Clinical trial investigators and study site personnel: individuals involved in the conduct of clinical trials for which we act as Avacta.
  • Event contacts: individuals whose personal data we collect or receive in connection with industry conferences, scientific meetings or other events that we attend.
  • Visitors to our premises: individuals who attend our offices.

 

Clinical trial participants: if you are a participant (or prospective participant) in one of our clinical trials, please refer to our separate Clinical Trial Participant Privacy Notice, which provides detailed information about how we process your personal data in connection with that research. See Section 12 of this notice for further details.

3.   What Personal Data We Collect

 

3.1. Information You Provide to Us

Depending on the nature of your interaction with us, you may provide us with personal data including:

  • Contact data: your name, email address, telephone number, postal address organisation name and job title.
  • Correspondence: any information you include in emails, contact form submissions, letters or other communications with us.
  • Shareholder and investor data: your name, contact details, shareholding information and any other information you provide in connection with your investment in the company or your attendance at shareholder meetings.
  • Job applicant data: your CV, covering letter, employment history, qualifications, references and any information you provide during an interview or assessment. This may include special category data such as disability information where relevant to reasonable adjustments.
  • Supplier and contractor data: contact details, bank and payment details and information relevant to the services being provided.
  • Clinical trial investigator and study personnel data: name, contact details, clinical qualifications, employment history, financial disclosure information, training records, CVs and correspondence relating to the conduct of clinical trials.
  • Event contact data: name, contact details organisation and job title of individuals we meet or exchange details with at industry conferences, scientific meetings or other professional events.

3.2. Information We Collect Automatically

When you browse our Site, we automatically collect certain technical information, including:

  • Your IP address and Internet Service Provider (ISP)
  • Browser type and version
  • Pages you visit, time spent on pages and navigation patterns
  • The website that referred you to us
  • Information collected through cookies (see Section 9)

3.3. Information We Receive From Third Parties

We may receive personal data about you from third parties, including recruitment agencies acting on your behalf, professional referees, background check providers, clinical trial sites and contract research organisations, share registrars, investor relations service providers and publicly available sources.

4.   How and Why We Process Your Data

Data protection law requires us to have a lawful basis for each way we use your personal data. The table below sets out our processing purposes and the corresponding basis:

Purpose Lawful Basis
Responding to enquiries and managing business correspondence (including email) Legitimate interests: to respond to queries and manage our business relationships.
Managing shareholder and investor relationships, including statutory communications Legal obligation: to comply with the Companies Act 2006 and other applicable legislation. Legitimate interests: to manage investor relationships and provide business updates.
Processing job applications and recruitment Legitimate interests: to assess your suitability for a role.

Contract: where an offer of employment is made.
Managing supplier and service provider relationships Contract: to perform our contractual obligations. Legitimate interests: to manage our business relationships effectively.
Clinical trial management (investigator and site personnel data) Legitimate interests: to manage the conduct of trials and ensure participant safety.

Legal obligation: to meet our regulatory obligations as trial sponsor.
Managing contacts made at industry events and conferences Legitimate interests: to develop professional relationships and stay informed about developments in our field.
Monitoring and improving our website Legitimate interests: to analyse aggregated, non-identifiable usage data to improve our Site.
Ensuring website and premises security (including CCTV and visitor records) Legitimate interests: to keep our Site, premises and personnel safe and secure.
Complying with legal and regulatory obligations Legal obligation: to comply with applicable law, regulation or tax requirements.
Establishing, exercising or defending legal claims Legitimate interests: to protect our legal position where necessary.

 

Where we process special category data (for example, disability information in the context of recruitment), we do so only where we have an additional legal basis under Article 9 of the UK GDPR, such as your explicit consent or where the processing is necessary for reasons of substantial public interest or for carrying out our obligations under employment law.

5.   Email Communications

We use email as a primary means of business communication. When you contact us by email or when we send you communications relating to our business (including shareholder and investor updates, clinical trial-related correspondence and general business correspondence), we process your email address and the content of those communications.

Any email communications we send are for legitimate business purposes, such as responding to your enquiry, providing information you have requested, fulfilling our obligations as trial Sponsor or communicating with you in your capacity as a shareholder, investor, supplier or business contact.

If at any time you wish to stop receiving non-statutory communications from us, you can contact us at contact@avacta.com or DPO@avacta.com and we will ensure your preferences are respected. Please note that we may still need to send you certain communications required by law (for example, statutory shareholder notices).

 

6.   If You Do Not Provide Your Personal Data

Where we need to collect personal data to comply with a legal obligation, to perform a contract with you or to take steps at your request prior to entering into a contract and you do not provide the requested data, we may not be able to proceed. For example, if you do not provide the information we need to process a job application, we may be unable to consider your candidacy. We will notify you if this is the case.

7.   Who We Share Your Data With

We may share your personal data with the following categories of recipients and only to the extent necessary for the purposes described in this notice:

  • IT and hosting providers: trusted providers who store and maintain our Site, IT systems and data.
  • Our US subsidiary: for the business purposes described in this notice.
  • Professional advisers: including legal, accounting and auditing advisers.
  • Share registrars and investor relations service providers: who assist us with maintaining shareholder records and managing investor communications.
  • Recruitment service providers: third-party platforms, agencies and background check providers who assist with recruitment.
  • Clinical trial partners: contract research organisations, laboratories, clinical trial sites and other service providers involved in the conduct of clinical trials for which we are the Sponsor.
  • Regulatory authorities: including the MHRA, FDA and other competent authorities, where required for regulatory compliance.
  • Law enforcement and regulators: where we are required by law to disclose your information or where necessary to enforce our legal rights or comply with a court order.
  • A successor organisation: if we or all of our assets are acquired by or merged with, a third party, personal data we hold will be one of the transferred assets.

 

Any commercial third party with whom we share your personal data will be viewed as a Data Processor and will only be allowed access under the provisions of a Data Processing Agreement.

8.   International Transfers of Your Data

Some of the personal data we collect may be transferred to, stored at, or processed in locations outside the United Kingdom. In particular, we have a subsidiary company based in the United States, our website hosting infrastructure may be located outside the UK and some of the clinical trial service providers and partners we work with operate internationally.

Where we transfer personal data outside the UK to a country that does not benefit from a UK adequacy decision, we put appropriate safeguards in place to ensure your data is protected to a standard essentially equivalent to UK data protection law. These safeguards include:

  • The UK International Data Transfer Agreement (UK IDTA), issued by the UK Information Commissioner’s Office; or
  • The UK Addendum to the EU Standard Contractual Clauses, as approved by the UK Information Commissioner

Where we transfer personal data to a country that does benefit from a UK adequacy decision (for example, EU/EEA member states), no additional transfer mechanism is required.

You can obtain further information about the specific transfer safeguards we use by contacting our Data Protection Officer.

9.   Cookies

Cookies are small text files placed on your device when you visit our Site. We use cookies for the following purposes:

9.1. Strictly Necessary Cookies

These cookies are essential for the Site to function correctly and they do not require your consent.

9.2. Analytical / Performance Cookies

These cookies help us understand how visitors use our Site by collecting information such as pages visited, time spent on pages and how visitors arrived at our Site. These cookies require your consent before they are placed on your device.

9.3. Managing Your Cookie Preferences

Before any non-essential cookies are placed on your device, we will ask for your consent through a cookie consent mechanism on our Site. You will be able to change your preferences at any time through this mechanism or through your browser settings.

10.          How Long We Keep Your Data

We will not retain your personal data any longer than necessary to fulfil the purposes the data was collected for or to fulfil our legal obligations, in line with our Document Retention Policy.

If any personal data is only useful for a short period (e.g. for a specific event or in relation to recruitment), we will not retain it for longer than the period for which it is used by us and as required by law or to defend legal claims. If we receive a job application and the application is unsuccessful, we will hold your data on file for up to 12 months after the end of the relevant recruitment process. At the end of that period, or on your request, your data will be deleted or destroyed. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.

After the applicable retention period, your data will be securely deleted or irreversibly anonymised.

If you wish to receive further specific information on the applicable retention periods, please reach out to us at DPO@avacta.com.

11.          Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data. Please note that some of these rights are subject to certain conditions and exemptions:

  • Access: you can ask us to confirm whether we hold your personal data and, if so, to provide you with a copy.
  • Rectification: you can ask us to correct inaccurate or incomplete personal data.
  • Erasure: you can ask us to delete your personal data in certain circumstances. This right is limited where retention is required by law.
  • Restriction: you can ask us to restrict processing in certain circumstances, for example while we verify accuracy.
  • Data portability: where we process your data on the basis of consent or contract, you can ask for it in a structured, machine-readable format.
  • Objection: you can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
  • Automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce significant effects. We do not currently carry out any such decision-making.

To exercise any of these rights, please contact our Data Protection Officer at DPO@avacta.com. We may ask you to verify your identity before acting on your request. We will respond within one month.

12.          Clinical Trial Participants

Avacta Therapeutics acts as the Sponsor of clinical trials. If you are a participant (or prospective participant) in one of our clinical trials, a separate privacy notice applies to the processing of your personal data in connection with that research.

Our Clinical Trial Participant Privacy Notice explains what personal data we collect about trial participants, why we collect it, the legal basis for processing, who we share it with, how we handle international transfers of trial data, retention periods and what rights you have.

You can find our Clinical Trial Participant Privacy Notice here.

If you have any questions about how your data is processed in connection with a clinical trial, please contact our Data Protection Officer at DPO@avacta.com.

13.          Data Security

Your data is stored primarily within our secure network server, which has appropriate security measures in place to protect it from unauthorised access, alteration, loss or misuse.

We have also implemented appropriate data protection policies and procedures to ensure all staff maintain the confidentiality of your data.

Whilst your data is primarily stored and shared within the UK, where it is provided under contract to clients, it may be stored and processed outside of the UK or EEA.

In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we will inform the data protection supervisory authority if there is a risk to your rights and freedoms. If the loss or unauthorised access of your data has potential to cause you harm we will inform you immediately.

14.          How to Raise a Concern or Make a Complaint

If you have any concerns about how we have handled your personal data, please contact our Data Protection Officer at DPO@avacta.com in the first instance.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15.          Changes to This Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

This notice was last updated on 4th June 2026

16.          Law and Jurisdiction

This privacy notice and any disputes arising under or in connection with it are governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.