European Privacy Policy


While we are based in the United States, our Services may be accessed by residents of the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”). The following European Privacy Notice applies to our processing of personal data of residents of the EEA, Switzerland, and the UK (“you”).

Elevar is the controller of the personal data we hold about you in connection with your use of the Services. This means we determine and are responsible for how your personal data is used.

  • Please note that this European Privacy Notice does not apply to personal data processed by our CRO partners during our Studies. Such processing of your personal data is done in accordance with the privacy notices of our CRO partners.


A. Personal Data We Collect and How We Use It

We collect, use and otherwise process personal data as set out in the “The Information We Collect and the Sources of Such Information” and “How We Use Your Information” sections of our Privacy Policy. If you choose not to provide such personal data, you may not be able to use the Sites, participate in the Studies, or otherwise engage in the Services.

B. Legal Basis of Processing

We will generally use and process your information on the basis of your explicit consent, our legitimate interests or legal obligations, and for scientific research purposes or for reasons in the public interest in conducting clinical trials and performing valuable scientific and medical research pursuant to Articles 6 and 9 of the General Data Protection Regulation (“GDPR”) and/or the UK GDPR.

C. Retention of Your Personal Data

We keep your information for no longer than necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws.

The criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:

  • Legitimate Interests. Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of data subjects.
  • Consent. Where we are processing personal data based on your consent, we generally will retain the information for the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain of your data erased (please see the Your Privacy Rights section below).
  • Contract. Where we are processing personal data based on contract, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship.
  • Legal Obligation. Where we are processing personal data based on a legal obligation, we generally will retain the information for the period of time necessary to fulfil the legal obligation.
  • Legal Claim. We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

In all cases, in addition to the purposes and legal bases, we consider the amount, nature and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of your personal data.

D. Recipients of Personal Data

We may share your personal data with the recipients as set out in the “How We Share and Disclose Your Information” section of our Privacy Policy.


Your personal data may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations, including the United States. In the event of such a transfer, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, please contact us using the details set out at the end of this European Privacy Notice.


You have the right to make the following requests with respect to the personal data that we hold:

  • Access your personal data;
  • Delete, or request deletion or erasure of, your personal data without delay if the continued processing of that personal information is not justified;
  • Object to or restrict processing of your personal data;
  • Request portability of your personal data; 
  • Object to automated decision making; and
  • Correct or update your personal data that is inaccurate or incomplete.

We may not be able to fulfill requests in all instances, and where we are unable to fulfill a request, we will provide an explanation as to why. In any case, we will respond to your request in accordance with the requirements of applicable law.

Right to Withdraw Consent

Where we rely on your consent for processing of your personal data, you also have the right to withdraw your consent to such processing, subject to certain limitations at law. Where applicable, you may withdraw your consent by contacting us at

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Submitting Requests

All communications, inquiries or requests surrounding your information rights or complaints under European Union General Data Protection Regulation (European commission Regulation 2016/679 or “GDPR”) can be addressed to the attention of our privacy team at or by postal mail to:

VeraSafe Internal Legal Department
100 M Street S.E., Suite 600
Washington, D.C. 20003

We may need to verify your identity before processing your request, which may require us to obtain additional personal data from you. In certain circumstances, we may decline a request to exercise the rights described above.

Right to Lodge a Complaint

You also have the right to lodge a complaint to your local data protection authority. If you are based in the European Union, information about how to contact your local data protection authority is available here. If you are based in the UK or Switzerland, your local data protection authorities are the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner.