Privacy Statement

Your privacy is important to us. This Privacy Statement informs you about how Impatients N.V., trading under the name “myTomorrows” (referred to in this Privacy Statement as “myTomorrows”, “we”, “our” or “us”) processes your personal data and informs you about your privacy rights. This Privacy Statement relates to the processing of personal data about individuals (referred to in this Privacy Statement as “you” and/or “your”) who visit our website, apply for a position at myTomorrows, use our search engine, or use our platform and referral services as a patient, caregiver or a physician. myTomorrows acts as data controller of the personal data processed in the contexts described in this policy. You may find our contact information and the way(s) in which you may exercise your rights under applicable data protection laws, such as the right to be forgotten or the right to rectify the data we hold about you, in sections 9, 10 and 11 below.

Download a PDF version of this Privacy Statement here.

Depending on the use of our services, myTomorrows is a “controller” or a “processor” within the meaning of the General Data Protection Regulation[1] (“GDPR”). This means that we are sometimes responsible for processing your personal data in accordance with the applicable data protection laws, including the GDPR, UK GDPR and U.S. state privacy laws, including the California Consumer Privacy Act[2] (“CCPA”).

In other cases, we may process personal data on behalf of a client. This is the case when we provide support to you and/or your treating physician in accessing a pre-approval treatment you selected, and we perform pre-screening or other verifications regarding your health on behalf of the biopharma company to assess your eligibility for the treatment. In that case the biopharma company (our client) is responsible for the processing of your personal data, not us. We will make reasonable efforts to inform you if we collect or process your personal data on behalf of a client.

This policy describes myTomorrows’ handling of your personal data as a data controller.

[1] The General Data Protection Regulation refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

[2] The California Consumer Privacy Act refers to Cal. Civ. Code § 1798.100, available here.

We process your personal data. By processing, we mean that myTomorrows may for instance collect, store, use and transfer your personal data, depending on the specific circumstances and context. You can read more about which personal data we process below.

We obtain your personal data in various ways:

• Provided by you. Some data we receive directly from you, for example information you provided during your application for a position at myTomorrows, questionnaires you completed to receive information on possible treatment options, files you uploaded to access a treatment or from correspondence with you, such as with our medical liaisons or through the chat functionality on our website.
• Obtained from third parties. We could also obtain personal data about you from other people or external parties. Examples include your references (if you’re a job applicant) or your treating physician (if you’re a patient-participant) or other parties who are involved with our mutual relationship, such as other healthcare professionals or pharma companies that use our platform. We may also obtain information from public registers of company directors and participating interests.
• Automatically obtained. Some personal data we obtain automatically, for example by using cookies and similar techniques. For more information about cookies and similar techniques, go to our Cookie Statement.
• Derived. Certain personal data we do not receive directly, but can be derived from the information we already have about you.

If you do not provide personal information:

In principle you are under no obligation to provide any information about yourself to us. However, refusal to supply certain information could have a negative influence on, for example, your job application, our service provision to you or the functionality of the services that you use from us.

If the provision of certain personal data is a legal obligation or an essential contractual requirement for concluding an agreement with us, we will separately provide additional information about this for where this is not clear in advance. In this case we will also inform you about the possible consequences if this information is not provided to us.

We have implemented policies and procedures to ensure that within myTomorrows, only employees who have a need to access your information to perform the Services we provide you, or to perform their tasks, have access to your data. For example, only our employees who are involved in medical operations have full access to medical data. Other employees will only have access on an absolute-need-to-know basis, for instance the engineers working on our systems to resolve bugs.

Due to myTomorrows’ internal organization and international dimension, it is possible that employees located outside our Amsterdam headquarters have access to your information. For instance, some of our Patient Navigators are located outside of Europe to ensure we can provide the best possible services to patients worldwide. This means that in some circumstances, your data may be accessed outside of the European Economic Area where it is located.

We only share your personal data with third parties, if:

• This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision and will not be allowed to process the data for their own purposes.
• The persons within the third party that have access to the personal data are under an obligation to treat this data confidentially. Where necessary this is also contractually agreed on.
• The third party is obliged to comply with the applicable data protection laws.  We have concluded an agreement with this party that stipulates that the party is obliged to implement and maintain appropriate technical and organizational measures to ensure protection of personal data and the rights of Individuals, and that any transfer of personal data to countries outside the EEA is only legitimized on the basis of an adequacy decision or other appropriate measures.

We may share your personal data on a need-to-know basis with the parties mentioned below. In this context, “need-to-know” means that a party is only granted access to personal data if and insofar as this is required for the services provided by this party.

• Authorized persons, employed or engaged by myTomorrows, who are involved with the processing activity concerned, such as the members of our team you are in contact with, for instance HR for recruitment or medical liaisons for information on treatment options.
• Authorized persons, employed or engaged by affiliated companies and/or parties in the private sector with whom we work and may share certain personal data, such as accountants, payroll agencies and healthcare professionals.
• Authorized persons, employed or engaged by service providers / sub-contractors engaged by myTomorrows, who are involved with the processing activity concerned, such as cloud hosting providers.
• Authorized government institutions. Such as, courts, police, and other law enforcement agencies. We may release information about Individuals when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with myTomorrows’ policies and the applicable laws. We may also disclose information in this regard whenever we believe disclosure is necessary to protect the rights, property or safety of myTomorrows, or any of our respective business relations.
• Aggregate Information. We may also disclose non-identifying, aggregated statistical information to third parties and / or myTomorrows’ affiliates for a variety of purposes, including work-flow management.

Protecting the Individuals’ privacy and personal data is very important to us. Therefore, myTomorrows has implemented appropriate technical and organizational measures to protect and secure your personal data against violations of the confidentiality, integrity, and availability of data.

MyTomorrows is ISO27001 and is in the process of obtaining the SOC II type I certification. These are international standards for information security that guarantee the implementation of a high level of technical and organizational measures.

Additionally, we have internal policies and procedures in place that describe how we safeguard an appropriate level of technical and organizational security. For instance, a data breach procedure is applicable within myTomorrows, in which is explained how to deal with (potential) data breaches. We will, for example, inform the competent supervisory authority and involved Individuals when this is required based on the applicable law. In addition, we have back-up and restore systems in place for the recovery of your personal data when necessary.

You can contact us if you want additional information about how we protect your personal data. Our contact details are stated at the end of this Privacy Statement.

myTomorrows will in principle not process your personal data in countries outside the European Economic Area (EEA) or UK. In case your data is processed outside the EEA or UK, the transfer is legitimized in the manner described below. You can find an overview of the EEA countries here.

Transfers outside the EEA or UK

The transfer of your personal data to a third party outside the EEA or UK, can in the first place be legitimized based on an adequacy decision adopted by the European Commission or UK Government, in which it decided that the (part within the) third country in question offers an adequate level of data protection. You can find an overview of the adequacy decisions that have been taken here, or here for the UK.

If your personal data is transferred to a country outside the EEA or UK for which there is no adequacy decision in place, we implement the relevant version of the Standard Contractual Clauses (SCCs) in the (prospective) contract with the party involved in the transfer. This is a standard contract approved by the European Commission or UK Government to safeguard the protection of your personal data and in which the parties fill out the appendices to provide relevant information about the processing. Where appropriate, additional safeguards are taken.

You can contact us if you want additional information about the way in which we legitimize the transfer of your personal data to countries outside the EEA or UK. Our contact details are stated at the end of this Privacy Statement.

Your privacy rights may be different depending on the country where you live. For Individuals in the EU and the UK, you will have the following rights under GDPR and the UK GDPR with respect to myTomorrows’ processing of your personal data. Even if you do not live in the EU or the UK, you may still benefit from some of the rights described below. For privacy rights under the CCPA, please see the “Are you located in California (U.S.)?” section.

To what extent you can exercise these rights could depend on the circumstances of the processing, such as the way myTomorrows processes your personal data and the applicable legal ground. For more information about your privacy rights, you can visit the website of the European Commission here. We have included a summary of your privacy rights under the GDPR and UK GDPR below.

If you have any questions, concerns, or complaints, feel free to contact our Data Protection Officer at dataprotection@mytomorrows.com or at the contact details below.

Impatients N.V.
Attn: Data Protection Officer
Anthony Fokkerweg 61
1059 CP Amsterdam
The Netherlands

In addition, you may file a complaint with the Netherlands Data Protection Authority (DPA) if you believe that the processing of your personal data is unlawful. More information about filing a complaint with the Dutch Data Protection Authority (DPA) can be found here.

We provide Services to data subjects located in the United Kingdom and as such, we have taken steps to ensure compliance with the data protection laws applicable in the United Kingdom.

Pursuant to Article 27 of the UK GDPR, myTomorrows has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

– by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
– by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

MyTomorrows is registered with the Information Commissionner’s Office (ICO) under the reference ZB728879.

This section contains disclosures required by the California Consumer Privacy Act (“CCPA”) and applies only to “personal information” that is subject to the CCPA.

Please note that this section is not applicable if you are subject to HIPAA. If you are, you should refer to our terms of use and business associate agreement to understand our respective roles and the measures we have in place to comply with HIPAA[3].

Personal Information We Collect.  In the preceding 12 months, we collected the following categories of personal information about California consumers.  We do not sell personal information.

·       Personal and online identifiers (such as full name, email address, or unique online identifiers);

·       Characteristics of protected classifications under California or federal law (such as race or gender);

·       Medical information, such as medical condition, treatment history and any information relevant to provide our direct-to-patient services, but excluding protected health information as such term is defined under HIPAA;

·       Internet or other electronic network activity information (such as browsing history, search history, interactions with a website, email, application, or advertisement);

·       Professional or employment-related information;

·       Education information;

·       Inferences drawn from the above information about your predicted characteristics and preferences;

·       Other information about you that is linked to the personal information above.

Categories of Sources. We collect personal information from the categories of sources described in the “4. How do we obtain your personal data?” section above.

Why We Collect, Use, and Share California Information. We use and disclose the personal information we collect on website visitors, job applicants, patient-users, patient-participants and healthcare professionals, for our commercial and business purposes, as described in the “3. Which personal data do we process and for what purpose(s)?” section above.

We may use or share information that has been de-identified or aggregated without limitation.

Retention of California Personal Information. In general, myTomorrows does not keep personal data for longer than is necessary in relation to the purposes for which we process your personal data. We may apply (longer) standard retention periods if this is required to comply with minimum statutory retention periods.

Recipients of California Personal Information. We share the categories of personal information described in this Privacy Statement to the categories of third parties described in the “5. Who do we share your data with?” section above.

Your Rights Regarding Personal Information. California residents have certain rights with respect to the personal information collected by businesses.  If you are a California resident, you may exercise the following rights regarding your personal information, subject to certain exceptions and limitations:

a.     The right to know the categories and specific pieces of personal information we collect, use, and disclose about you; the categories of sources from which we collected personal information about you; our purposes for collecting or sharing personal information about you; the categories of personal information about you that we have either sold or disclosed for a business purpose; and the categories of third parties with which we have shared personal information.

a.     The right to request that we delete the personal information we have collected from you.

b.     The right to request correction of inaccurate personal information we maintain about you.

c.     The right to opt out of our sale(s) or sharing of your personal information: myTomorrows will not share your personal information with third parties without your explicit consent as provided in the cookie banner.

d.     The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.

To exercise any of the above rights, please contact us using the following information and submit the required verifying information, as further described below:

Online at – webform.

California (U.S.A.) Privacy Rights Request Webform

You may have rights with respect to the personal data maintained by myTomorrows, if you are a California resident. You may use this webform to submit a privacy request as further described in our Privacy Statement.

We will respond after you have submitted this form and may request additional information needed to verify your identity and complete your request if needed.

If you wish to exercise certain opt-out rights available to you, please refer to our privacy and cookie statement. If you are an authorized third party acting on behalf of an individual, please submit a written, signed permission from the individual to dataprotection@mytomorrows.com to confirm your authorization.

For more information about how we collect, use, and disclose personal data, please review our Privacy Policy.

Please provide the following information about the individual who is the subject of the request.

Please enable JavaScript in your browser to complete this form.

First name *

Last name *

Zip Code *

Phone number *

Email *

the Phone personal

I would like to submit the following request *

• Request to opt-out of the sale or sharing of personal information
• Request to delete personal information
• Request to know categories of personal information
• Request to obtain specific pieces of personal information

For the "Request to obtain specific pieces of personal information" please specify:

Consent *

• By clicking “Submit,” I hereby certify that the information I have provided is true and accurate, and that I am the individual whose name appears above and to whom the personal information that is the subject of this request relates or that I am legally authorized by that individual to submit this request on his/her behalf. I understand that it may be necessary for myTomorrows to verify the identity of the individual and/or authorized agent for this request, and additional information may be requested for this purpose.

Submit

·       By email at dataprotection@mytomorrows.com

Verification Process and Required Information. Note that we may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled.  We will require you to provide, at a minimum, a copy of your Identification, to help us confirm your Identity (or that of your legal representation) before we further respond to your privacy request.

Authorized Agent. You may designate a third party to make a CCPA request on your behalf by designating such a person in writing or through a power of attorney.  We will require the agent to provide us with proof that you have authorized the third party to make requests on your behalf prior to accepting requests from the third party.

Minors’ Rights. We do not have actual knowledge that we sell the personal information of minors under 16 years of age.

Contact for More Information. For questions or concerns about myTomorrows’s Privacy Statement or practices, please contact us by using the information below.

Email: Dataprotection@mytomorrows.com

Mailing address:

Impatients N.V.

Attn: Data Protection Officer

Anthony Fokkerweg 61

1059 CP Amsterdam

The Netherlands

[3] « HIPAA » refers to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the related standards issued by the U.S. Department of Health and Human Services. More information about HIPAA can be found here : https://www.hhs.gov/hipaa/index.html 

We may change this Privacy Statement from time to time to accommodate new technologies, industry practices, regulatory requirements or for other purposes. The latest version can always be consulted on our website. We may also notify you in other ways from time to time about the processing of your personal information.