Atmo Privacy and Data Protection Policy

1. Purpose

Atmo Biosciences Limited (ACN 626 053 183) and its subsidiary Atmo Biosciences Inc. (“Atmo”, “we”, “our” or “us”) values privacy and is committed to the appropriate handling and protection of personal information consistent with relevant privacy law. This Policy describes how we collect, hold, use, disclose or otherwise handle personal information. This policy also explains our commitment to data management in general, our approach and responsibilities to support the compliant handling of Atmo data.

2. Overview

Atmo Biosciences is a digital health business commercializing an ingestible, gas-sensing capsule that provides insight into gut health. Atmo’s gassensing capsule measures whole and regional gut transit times to aid gastroenterologists in diagnosing gut motility disorders. Our core business and work in digital health is pursued with regard for and in alignment with applicable privacy laws, appropriate information handling and data protection practices.

Atmo is committed to personal information handling practices in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and other applicable privacy laws relevant to our functions and activities in all locations. This Policy outlines our approach to privacy and is modelled on Australian and international requirements.

3. Scope

This policy applies to Atmo and our employees and contractors working for or on our behalf, regardless of location.

4. Definitions and Abbreviations

Data includes business information in any format created, received and maintained, including (but not limited to) emails, documents, web pages, software applications, digital files or recordings.

Health information is any ‘personal information’ about an individual’s health or disability.

Personal information is information (including opinion) or data about an identifiable individual, or an individual who is reasonably identifiable.

Sensitive information or sensitive personal information includes information or an opinion that is also personal information about an individual’s race or ethnicity, political beliefs, political, trade or professional memberships or associations, religious beliefs or affiliations, sexuality, criminal record, ‘health information’ and genetic information. In certain locations we operate, it also includes credit and financial data, government issued identifiers, and precise geolocation.

5. Our Policy

Information we collect

5.1.  In the course of undertaking and completing our business functions and activities, the type of personal information we collect may vary depending on how individuals engage with us. We may collect and hold personal information about current and prospective investors, shareholders, suppliers, clients and prospective clients, contracted service providers, clinical trial and research partners, candidates for employment and employees, and other members of the public who interact with us.

5.2. The type of personal information we collect may include:

  1. name
  2. personal contact details including email, address and phone number
  3. business contact details including email, job title and company
  4. date of birth
  5. tax file number (TFN) or social security number
  6. banking details
  7. marketing preferences
  8. any other information provided to us or authorised by individuals for us to collect as part of their interaction with us.

5.3. We will always collect information directly from the individual where it is reasonable and practicable to do so.

5.4. We may also collect information about individuals from other sources such as contracted service providers who assist us to operate our business, or when the individual has consented to sharing information with us through a third party.

5.5. Where Atmo receives personal information about an individual that is unsolicited or not reasonably necessary for one or more of our functions or activities, it will be deleted or deidentified, or Atmo will notify the individual of its collection, its use, and their rights.

5.6. Individuals can choose to remain anonymous or use a pseudonym where practicable, but this may limit our ability to engage with individuals for the purpose intended.

Sensitive information

5.7. Atmo generally only collects sensitive information or sensitive personal information if we are authorised to or it is required by law.

5.8. If Atmo requires sensitive information for one or more of our functions or activities, we will only collect it from the individual for a specific purpose.

Use of Information

5.9. Our position is that we work with anonymised or de-identified data wherever possible and inpursuit of the principle of data minimisation.

5.10. Atmo will use and share personal information for the purpose for which we have collected it.
This includes:

  1. to perform the functions and activities related to advancing product development and commercialization of our Atmo Capsule
  2. establishing and managing the relationship with our employees and contractors
  3. administering our relationship with our shareholders
  4. administering our relationship with clinical trial and research partners
  5. responding to expressions of interest, information requests and inquiries
  6. managing our contracted service providers
  7. managing our operations including transacting between Atmo entities named under this Policy
  8. to comply with industry standards, our legal and regulatory requirements.

5.11. We may also use and share personal information for a related secondary purpose where the individual reasonably expects, as required by law, or other lawful basis for processing under applicable privacy laws, such as providing information to government departments or agencies
Disclosure to others

5.12. Atmo does not sell, rent or trade personal information to, or with, third parties.

5.13. Where necessary and appropriate, we share personal information with third parties including:

  1. financial institutions
  2. regulatory agencies or government bodies (such as the Therapeutic Goods Administration in Australia, Australian Security and Investments Commission or the Australian Tax Office)
  3. our contracted service providers (e.g., Planet Innovation Pty Ltd) who provide us with a range of professional and business services
  4. information technology vendors
  5. professional advisers (such as recruitment advisers, auditors, accountants, insurers, and lawyers)
  6. externally hosted applications and software subscriptions (for example, for recruitment and onboarding of employees)
  7. as required or authorised by law
  8. or, otherwise where we have consent from individuals.

Rights of individuals

5.14. Individuals have a right to contact us about their privacy concerns or about personal information we may hold about them. Depending on the location of residence and how individuals engage with us, Atmo recognises a range of rights available to individuals under applicable privacy law, including the right to:

  1. to access and correct their personal information
  2. request information about what personal information we hold and any third parties we share their personal information with where it is necessary to fulfil the collection purpose or is otherwise authorised or required by law
  3. request the erasure of personal information in certain circumstances
  4. restrict or object to the use or sharing of personal information
  5. receive personal information in a commonly used, and machine-readable format or to request the transmittance of personal information to another person, entity, agency or other body
  6. withdraw or opt-out at any time where our use or disclosure relies on consent as a lawful basis.

5.15. Individuals can contact us at any time using the details below (section 9: Contacting Us).

5.16. Employees have direct access to their personal information via our human resources platform and can contact the Chief Financial Officer for advice on how to access and correct their personal information.
Storage and protection

5.17. Atmo holds and stores data in hard copy documents or as electronic data in our software or systems, including cloud or other types of electronic storage.

5.18. We use physical and technical safeguards to protect data from interference or unauthorised access, modification, use or disclosure. These include managed access controls to our systems and network, and security measures for access to premises.

5.19. Personal information may be disclosed to third parties in Australia and overseas (such as the United States, New Zealand and countries in the European Economic Area) where it is necessary to perform our core business functions and administer services consistent with this Policy. We take reasonable steps to maintain the integrity and security of any data and personal information to prevent interference, misuse, unauthorised access or loss, such as implementing technical measures for data storage and protection and entering into contractual arrangements with third parties that cover data authorised processing activities, including any cross-border transfer of data, consistent with applicable privacy law.

6. Website privacy

6.1.  Our website (https://atmobiosciences.com) is managed by our service provider, Planet Innovation Pty Ltd. We will only collect personal information through our website if it is provided by an individual to respond to an information request or inquiry.

6.2. Information recorded when users interact with our website includes:

  1. IP address,
  2. location data (where available and not disabled by the user),
  3. the type of web browser used
  4. dates, times, and other user activity.

6.3. In most cases, we will not be able to reasonably identify a visitor to our website from the information collected. However, if cookies or similar technologies are linked with personal information we hold about a user, this cookie information becomes personal information and will be treated in the same manner as the personal information to which it has been linked. A cookie is a small text file that is sent to a device by the user’s web browser which then stores a record of the visit in the web browser used. Cookies enable the proper functioning of our website and assist us to improve our website browsing experience. Users can manage their cookie settings via their web browser privacy settings.

6.4.  Our website also uses interfaces with social media sites such LinkedIn, and links to third-party websites. Atmo is not responsible for the protection of personal information provided to third parties where individuals choose to navigate to them via our website. We recommend users review the privacy policy applicable to the website visited.

7. Data management approach

7.1.  Atmo takes a risk and value-based approach to data management to direct our resources and attention. Our high-value information includes any data that:

  1. is critical to product development and commercialization of our Atmo Capsule
  2. affects the rights and entitlements of our employees and stakeholders
  3. is subject to a high level of scrutiny or has a high likelihood of legal action if not appropriately handled (e.g. data privacy)
  4. involves funding.

7.2. Any compromise of high-value business information will be taken seriously.

8. Responsibilities

8.1. Atmo employees and contractors are required to be familiar with and comply with this Policy and relevant IT security and data management policies as updated from time to time. Any questions or inquiries about this Policy should be directed to the Privacy Officer.

8.2. The Quality and Regulatory Affairs Manager is responsible for reviewing this Policy and developing related procedures and processes to support and give effect to its implementation.

8.3.  Data security concerns must be directed to our IT department for first response and reported to the Quality and Regulatory Affairs Manager.

9. Contacting us

9.1. All privacy-related inquiries or complaints should be directed to the contact details below:
Privacy Officer
Atmo Biosciences Ltd
Ground Floor, 436 Elgar Road, Box Hill
Victoria, 3128
Email: info@atmobiosciences.com

9.2. We will endeavour to respond to all requests within 30 days and may require individuals to verify their identity as part of our management of their request.

9.3. If a complaint remains unresolved or our response is not considered satisfactory, individuals may apply to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au to have the complaint heard and determined, or in some circumstances, the relevant supervisory authority or agency in the country or state in which the individual resides.

10. Change to our Privacy Policy

10.1. This policy will be reviewed every two (2) years or more frequently if operational changes impact privacy and data management compliance. Updates may be published on our website without notice.

10.2. By continuing to use Atmo’s services and our website, individuals are deemed to have accepted any changes to our Privacy Policy.

10.3.  This policy was last updated on 13th November 2023.

POL-003