PRIVACY POLICY

Revised and effective: July 30 , 2024

Labstep Ltd. (“Labstep”, “we”, “us”, “our”) takes your privacy seriously and we know you do too. This Privacy Policy (“Policy”) describes how we collect, process, and share PersonalData, your rights & choices, and other important information about how we handle your Personal Data. Additional information for users in certain US states as well as the EEA/UK/Switzerland is available in our Regional Supplements.  

1. SCOPE OF THIS POLICY

This Policy applies to your use of our “Services” which include the following:

• Our website, https://www.labstep.com,and any other websites or services where we link to/post this Policy (including any subdomains or mobile versions, the “Site(s)”);
• Our product and technical support services; and
• Certain aspects of our products and solutions, including the Labstep platform, our all-in-one connected research environment, security frameworks and hosting, and other resources.

Please note: We provide certain services and process information (e.g. ELN and Order Management) on behalf of third parties that have entered into an agreement with us to provide our Services (our “Customers”). We process data on behalf of our Customers as a“service provider” or “processor” and is outside the scope of this Policy.Contact the Customer for more information regarding their processing of your Personal Data.

Similarly, we may link to third party sites, services, or applications (e.g. payment processor). This Policy reflects only how we processPersonal Data through our Services. This Policy does not apply to information processed by or on behalf of our Customers or any other third party. We neither can control nor are responsible for the privacy practices or content of websites or apps operated by any third party. Please see the third party’s privacy policy for more information.

2. CONTROLLER/HOW TO CONTACT US

The party that determines the purposes and means for processing of your Personal Data (“controller”) under this Policy is Labstep Ltd., which is a subsidiary of STARLIMS Corporation (“STARLIMS”). Labstep and STARLIMS acts joint controllers when processing Personal Data subject to this Policy.

The respective responsibilities of each controller have been determined in an agreement, the essence of which is made available upon request. Contact us using the information below for more information. When we act as joint controllers with our affiliates, Labstep Ltd.:

• Supports STARLIMS development teams with respect to IT operations
• Provides support for Customers using the Platform

And STARLIMS:

• Operates the Services and processing of Personal Data through those Services, including the operation of the Platform
• Operates global user accounts
• Send marketing communications to users transacting with that affiliate
• Establishes data retention periods for Human Resources and marketing data and customers
• Receives data rights requests and fulfills requests with respect the Platform
• Provide supplemental technical and customer supports
• Fulfills data rights requests relating to the Site or marketing and supports Labstep in fulfilling data rights requests generally

Labstep and STARLIMS are located at:

STARLIMS Corporation

4000 Hollywood Boulevard, Suite 333, Hollywood, FL, 33021 United States

Labstep Ltd.

Crossgate House, Cross Street, Sale, Cheshire, England, M33 7FT United Kingdom

You may contact our Data Privacy Team at: privacy@starlims.com

3. CATEGORIES AND SOURCES OF PERSONAL DATA

The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).

A. Categories of Personal Data We Process

The categories of Personal Data we process may include:

Audio/Visual Data - Recordings and images collected from audio files and records, such as voicemails, call recordings, photographs, and the like.

Biographical Data - Data relating to professional and employment history, qualifications, and similar biographic information.

Contact Data - Identity Data we can use to contact you, such as email and physical addresses, phone numbers, company name or name of academic institution, social media or communications platform usernames/handles.

Device / Network Data - Browsing history, search history, and information regarding your interaction with a website, application, or advertisement (e.g.IP Address, MAC Address, SSIDs, application ID/AdID/IDFA, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, first party cookies, third party cookies, web beacons, clear gifs and pixel tags.

General Location Data - Non-precise location data, e.g. location information derived from IP Address, or social media tags/posts.

Identity Data - Information such as your name; address; email address; telephone number; gender; date of birth, age and/or age range; account login details, e.g. username and password, avatar, or other account handles/usernames.

Inference Data - Personal Data generated reflecting your preferences, characteristics, predispositions, behavior, demographics, household characteristics, market segments, likes, favorites and other data or analytics.

Sensitive Personal Data - PersonalData deemed “sensitive” under California or other laws, such as social security, driver’s license, state identification card, or passport number; account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, religious or philosophical beliefs, etc. As described further below, we may collect the following categories of Sensitive Personal Data, subject to exceptions and limitations as required under local law:

• “Government ID Data”- Data relating to official government identification, such as driver’s licenseor passport numbers, including similar Identity Data protected as SensitiveData under applicable law.
• “Payment Data” -Data that includes financial account log‐in information, or financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to such financial account, Information such as bank account details, payment card information, including similar data protected as Sensitive Data under applicable law.

See your Rights & Choices for information on how to opt-out or limit processing of Sensitive Personal Data.

Transaction Data - Information about transactions you make with us through our Services, such as a paid subscription, and similar information.

User Content - Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields such as through our customer chat service.

B. Sources of Personal Data We Process

We collect Personal Data from various sources, which include:

Data you provide us - We receive Personal Data when you provide them to us, when you purchase our products or services, complete a transaction via our Services, or when you otherwise use our Services.

Data we collect automatically - We collect PersonalData about or generated by any device used to access our Services.

Service Providers - We receive Personal Data from third party service providers who collect PersonalData when performing services on our behalf. Our Service providers generally include:

• IT service providers: third parties that provide us with technology or IT services, such as networking, cloud services, software applications, and the like.
• Marketing services: third parties that engage in marketing on our behalf, e.g. marketing agencies.
• Payment processors: third parties that process payments for products and services purchased through our Services.
• Consultants and agents: third parties that operate some or part of our business (such as box offices) on our behalf.

SSO Platforms - We receive PersonalData from providers of third party services that offer “single sign on”services if you use those parties to sign up or log in to our Services.

Social media & advertisers - We receive Personal Data from social media companies, ad networks, and Targeted Advertising vendors when we engage in Targeted Advertising and social media marketing, or if you interact with that social media or other company on or in connection with our Services (e.g. our pages on social media sites).

Data we create or infer - We, certain partners, social media companies, and third parties operating on our behalf, create and infer Personal Data such as Inference Data or Aggregate Databased on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you.

4. DATA PROCESSING CONTEXTS / NOTICE AT COLLECTION

A. Our Platform

i. Generally

We automatically collect and process Device/Network Data, General Location Data, and Inference Data when you access and use Labstep Academia, Labstep Industry, and related products (our “Platform”). We use this Personal Data as necessary to operate our Platform, such as keeping you logged in, delivering content, for information security operations, and our other Business Purposes. We do not process data on our Platform for Targeted Advertising or other commercial purposes.

Please note: We primarily process data on our Platform on behalf of our Customers. For example, when we process data via Platform services such as ELN, LIMS, LES and Order Management, we do so on behalf of our Customers as a “service provider” or“processor.” This processing of Personal Data is outside the scope of this Policy. Contact the Customer for more information regarding their processing of your Personal Data.

ii. Account Registration

We process Identity Data, Inference Data, Device/Network Data, and Contact Data when you register and create an account for our Platform. We process Payment Data if you associate payment information with that account, and we may process User Content if you provide it. Subject to your rights and choices under applicable law, we use this Personal Data to create and maintain your account, to provide the products and services you request, and for our Business Purposes.

Please note: Our Customers may have access to our Platform and can control user accounts, and we may disclose certain Platform account registration data to the relevantCustomer. For example, Customer administrators may have access to user accounts, and may be able to open or close accounts on the Platform, or view access logs for users. Please speak with appropriate Customer administrators for more information regarding how Customers use your Platform account information.

B. Supporting Research Institutions and Companies

We may process Identity data, Contact Data, User Content, and Device/Network Data in connection with laboratory support services and administration through our Customers on our Platform. We may also process anySensitive Personal Data contained in User Content if provided by the Customer(e.g. via lab notes or other open text boxes).

We process this Personal Data as necessary to perform Services on behalf of our Customers, or for our Business Purposes. We do not sell, “Share” or use for Targeted Advertising Personal Data processed in this context. We process Sensitive Personal Data only for Business Purposes permitted under applicable law.

C. Our Website

i. Generally

We process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data when you visit the Site. You may also be able to complete purchases, register for an account, or enroll in Marketing Communications through our Site. We use this Personal Data as necessary to operate our Services, such as keeping you logged in, delivering pages, etc., for our Business Purposes, and our other legitimate interests, such as:

• ensuring the security of our websites, mobile applications and other technology systems; and
• analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services.

We may process this Personal Data for our Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law.)

ii. Cookies and other tracking technologies

We process Identity Data, Device/Network Data, Contact Data,Inference Data, General Location Data, and other non-Personal Data in connection with our use of cookies and similar technologies on our Services. We may collect this data automatically, subject to your consent as described further below. For further information, visit www.allaboutcookies.org. For a complete list of the cookies we currently use, click here.

We and authorized third parties may use cookies and similar technologies for the following purposes, subject to your consent where required, as described below:

• We automatically collect data using cookies and similar technologies for “essential” purposes necessary for our Services to operate (such as maintaining user sessions, CDNs, and the like). This processing is mandatory.
• Additionally, with your consent or subject to your opt-out right (as applicable), we may collect data using cookies and similar technologies:
  • for “functional” purposes, such as to enable certain features of our Services (for example, to operate our customer chat services, to save your user preferences and language settings);
  • for “analytics” purposes or to improve our Services, such as to analyze the traffic to and on our Services (for example, we can count how many people have looked at a specific page, or see how visitors move around the website when they use it, to distinguish unique visits/visitors to our Services, and what website they visited prior to visiting our website, and use this information to understand user behaviors and improve the design and functionality of the website);
  • for “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that processInference Data or other data so that we can deliver, buy, or target advertisements which are more likely to be of interest to you;
  • in connection with our integration with “social media” services e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as LinkedIn.

We may also process this Personal Data for our Business Purposes and Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law).

If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu or our Cookie Preferences link. You may need to opt out of third-party services directly via the third party. For example, to opt-out ofGoogle’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out. See your Rights & Choices for more information regarding opt-out rights for cookies and similar technologies.

Third parties may view, edit, or set their own cookies or place web beacons on our websites. We, or third party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Social Media companies and third parties engaged in Targeted Advertising are third party controllers and may have their own privacy policies and their processing is not subject to this Policy. For a list of current third party providers, please view the cookie list in our Cookie Preferences tool.

Data Retention | Regional Notices | Legal Bases

D. Purchases and Transactions

We process Transaction Data, Identity Data, Payment Data, InferenceData, and Contact Data when you complete a purchase or sale transaction. We do not permanently store your Payment Data, except at your request.

We process this Personal Data as necessary to perform or initiate a transaction with you, process your order, payment, or refund, carryout fulfilment and delivery, document transactions, and for our Business Purposes.

We may process Identity Data, Transaction Data, ContactData, and Device/Network Data for Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law). We do not sell or “Share” or process Payment Data for Business Purposes not permitted under applicable law.

Third party businesses/controllers may receive your information. Third Party data controllers/businesses (such as payment processors) provide services related to your purchase through our Services. We may disclose Identity Data, Transaction Data, Contact Data, and Device/NetworkData to those third parties to facilitate your purchase. You may also direct us to disclose this data to or interact with these third parties as part of your purchase (which does not involve a sale by Labstep.) For more information, please review the Disclosure/“Sharing” of Personal Data section below.

E. Webinars

We process Identity Data, Contact Data, and Device/NetworkData when you sign up and attend one of our webinars. We process Audio/Visual Data if you ask a question or otherwise participate in a webinar discussion.

We process this Personal Data to confirm your RSVP and attendance to the webinar, deliver programming, and for our Business Purposes. We may process Identity Data,Contact Data, and Device/Network Data for Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing”under US law).

F. Marketing Communications

We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with marketing emails, SMS, push notifications, telemarketing, or similar communications, and when you open or interact with those communications (“Marketing Communications”).

You may receive Marketing Communications if you consent and, in some jurisdictions where permitted by law, as a result of account registration, purchase, or other inquiry or transaction that allows us to send marketing communications without consent. Marketing communications will include information such as offers, product recommendations, newsletters, feedback requests, and other information relating to our services or promotional material we believe will interest you.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes.  We may also useDevice/Network Data, Contact Data, Identity Data, and Inference Data for our Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law). We do not share Contact Data collected as part of Labstep’s SMS marketing campaigns with third parties for their own marketing or Commercial Purposes. See the RegionalData Rights section for information regarding this processing in your jurisdiction.

You can withdraw your consent to receive MarketingCommunications by clicking on the unsubscribe link in an email, or by contacting us. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails. See your Rights & Choices for more information.

G. Contact Us; Customer Service Chat

We collect and process Identity Data, Contact Data, and UserContent when you contact us, e.g. through our phone support, contact form, customer services chat, or through email. If you call us via phone, we may collectAudio/Visual data from a call recording or voicemail.

Please note: our online chat tool may be powered by a third party provider using automated chat features. You acknowledge and consent to the disclosure of your chat communications to that third party.

We process this Personal Data to respond to your request, and communicate with you, as appropriate, and for our Business Purposes. If you consent or if permitted bylaw, we may use Identity Data and Contact Data to send you MarketingCommunications and for our Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law). See the Regional Data Rights section for information regarding this processing in your jurisdiction.

H. Posts and social media

We process Identity Data, Inference Data, Contact Data, andUser Content you post (e.g. comments, forum and social media posts, etc.) on our Services. We also process Identity Data, Contact Data, and User Content if you interact with or identify us (e.g. if you post User Content that engages with or tags our official accounts.)

We process this Personal Data for our Business Purposes, and Targeted Advertising (which may include targeted advertising, and which may involve data sales or “Sharing” under US law).

Posts may be public, or reposted on our Services. Content you provide may be publicly-available when you post it on our Services, or in some cases, if you reference, engage, or tag our official accounts.

Data Retention | Regional Notices | Legal Bases

I. Job Applications

We process Identity Data, Contact Data, Biographical Data, Inference Data, and User Content in connection with your application for a job or internship.  

We process this Personal Data as necessary to evaluate, establish, and maintain the employment relationship, and for our Business Purposes. We do not sell or “Share” Personal Data processed in this context.  

5. PROCESSING PURPOSES

A. Business Purposes

We and our Service Providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your Rights & Choices, and our legitimate interests. See Legal Basis chart for information about the specific legal basis for processing in our jurisdictions.

We and our Service Providers generally process Personal Data for the following “Business Purposes.”

i. Service Delivery

We process Personal Data as necessary to provide our Services and the products and services you purchase or request. For example, we process Personal Data to authenticate users and their rights to access the Services, as otherwise necessary to fulfill our contractual obligations to you, provide you with the information, features, and services you request, and create relevant documentation.

ii. Internal Processing and Service Improvement

We may use any Personal Data we process through our Services as necessary in connection with our legitimate interests in improving the design of our Service, understanding how our Services are used or function, for customer service purposes, for internal research, technical or feature development, to track use of our Service, QA and debugging, audits, and similar purposes.

iii. Security and Incident Detection

We may process Personal Data in connection with our legitimate interest in ensuring that our Services are secure, identify and prevent crime, prevent fraud, and verify or authenticate users/individuals.Similarly, we process Personal Data on our Services as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns, and characteristics, maintain and analyze logs and process similarPersonal Data in connection with our information security activities.

iv. Compliance and Public Interest

We may also process Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law, for the establishment and defense of legal claims, where we must comply with requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent required or permitted under applicable law. Please see the HowWe Share Personal Data section for more information about how we disclose Personal Data in extraordinary circumstances.

B. Targeted Advertising

In some jurisdictions and subject to your consent where required by law, Labstep affiliates and certain third parties operating on or through our Services, may engage in advertising targeted to your interests based on Personal Data that we or those third parties obtain or infer from your activities across non-affiliated websites, applications, or services in order to predict your preferences or interests (“Targeted Advertising” or “Sharing”).This form of advertising includes various parties and service providers, including third party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.

These parties may collect Personal Data such as unique IDs, IP addresses, device information, OS/browser type, and other similar data, as well as information about the ads you see and view, to develop and assess aspects of a profile about you to deliver more relevant advertisements and offers, to determine whether and how ads you see are effective, and to enable and assess advertisements you see from us on other sites. These third parties may augment your profile with demographic and otherInference Data derived from these observations, and may also track whether you view, interact with, and how often you have seen an ad, or whether you complete a purchase for a good or service you were shown in an advertisement. You can control how these third parties use your data, and the ads you see on these platforms, using the tools described in the your Rights and Choices section below.

We generally use Targeted Advertising for the purpose of marketing our Services, and to send Marketing Communications, including by creating custom marketing audiences on third-party websites or social media platforms.

6. DISCLOSURE/SHARING OF PERSONAL DATA

We may share Personal Data with the following categories of third-party recipients and/or for the following reasons. Note, some parties maybe third party controllers who process data subject to their own privacy policy.

Affiliates - we will share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies in order to streamline certain business operations, and in support of our Business Purposes and Targeted Advertising.

Service Providers - We may share yourPersonal Data with service providers who provide certain services or process data on our behalf in connection with our general business operations, product/service fulfilment and improvements, to enable certain features, and in connection with our (or our Service Providers’) Business Purposes. We use service providers in the EU and US, and may be notified from time to time. For example, our service providers may perform services such as:

• Web hosting and technical infrastructure (US and EU)
• Communications services, e.g. messaging, emails (US and EU)
• Authentication(US and EU)
• Helpdesk and support management (US and EU)
• Technical services related to the security and operation of the Platform (US and EU)

Third Party Payment Processor - We share your Personal Data, including Contact details, Financial information, and Cookies, withStripe, Inc. (Privacy policy) when you complete a purchase or sale transaction. Stripe processes payments on our behalf in the EU and US.

Advertisers and Social Media Platforms - We may share certain Personal Data with social media platforms or advertisers in support of our Business Purposes and Targeted Advertising. We may allow these third parties to operate on or through our Services.

Public Disclosure - If you interact with us or our Services in a way that allows for public disclosure of data (e.g. a comment or review, or post on our social media pages) then your information may be made public.

Successors - We may share Personal Data if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions)during the due diligence process for a potential transaction.

Lawful Recipients - In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, in the vital interests of us or any person(such as where we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety) or in such other circumstances as may be required or permitted by law. These disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

7. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA

If you are located outside the US, we may transfer or process your Personal Data in the US, UK, European Economic Area (EEA), and other jurisdictions where Labstep or our service providers operate. Where required by local law, we ensure your data remains protected in connection with any international transfers. See the “Regional Supplement” section below for more information.

8. YOUR RIGHTS & CHOICES

You may have certain rights and choices regarding thePersonal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law.See the following sections for more information regarding your rights/choices in specific regions:

• US States/California
• EEA/UK/Switzerland

A. Your Rights

You may have certain rights and choices regarding thePersonal Data we process. See the “Regional Supplement” section below for rights available to you in your jurisdiction. To submit a request, contact our DataPrivacy Team. We verify your identity in connection with most requests, as described below.

B. Verification of Rights Requests

If you submit a request, we typically must verify your identity to ensure that you have the right to make that request, reduce fraud, and to ensure the security of Personal Data. If an agent is submitting there quest on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

We may require that you match personal information we have on file in order to adequately verify your identity. If you have an account, we may require that you log into the account to submit the request as part of the verification process. We may not grant access to certain Personal Data to you if prohibited by law.

C. Your Choices

i. Marketing Communications

You can withdraw your consent to receive MarketingCommunications by clicking on the unsubscribe link in an email (for email), by responding with “OPT-OUT”, "STOP", or other supported unsubscribe message (for SMS), by adjusting the push message settings for our mobile apps using your device operating system (for push notifications), or by contacting us. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

ii. Withdrawing Your Consent/Opt-Out

You may withdraw any consent you have provided at any time.The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as location-based services, personalizing or making relevant certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

iii. Cookies, Similar Technologies, and TargetedAdvertising

General - If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu or our Cookie Preferences link. You may need to opt out of third-party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services with Google directly, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out.

Targeted Advertising - You may opt out or withdraw your consent to Targeted Advertising by contacting us or through our Cookie Preferences link. In some cases, you may be able to opt-out with third parties directly by submitting requests to third party partners, including for the parties listed below

• Google
• Facebook Custom Audience Pixel
• Instagram Ad Choices
• X AudiencePixel
• LinkedIn Visitor opt-out and Member opt-out
• Reddit AdChoices
• Digital Advertising Alliance’s opt-out
• Network Advertising Initiative opt-out

Global Privacy Control (GPC) - Our Services may support certain automated opt-out controls, such as the Global PrivacyControl (“GPC”). GPC is a specification designed to allow Internet users to notify businesses of their privacy preferences, such as opting-out of the sale/”Sharing” of Personal Data.To activate GPC, users must enable a setting or use an extension in the user’s browser or mobile device. Please review your browser or device settings for more information regarding how to enable GPC.

Please note: We may not be able to link GPC requests to your Personal Data in our systems, and as a result, some sales/ of your Personal Data may occur even if GPC is active. See the “Regional Supplements” section below for more information regarding other opt-out rights.

Do-Not-Track - Our Services do not respond to your browser’s do-not-track request.

9. DATA SECURITY

We implement and maintain reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data unauthorized access, use, modification and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others. When we process information, we may pseudonymize data (i.e. store or use Personal Data using only anon-identifying number) or anonymize data (i.e. store data in a form that is not linked to or reasonably able to identify you personally) in order to protect your Personal Data during processing.

10. CHILDREN

Our Services are neither directed at nor intended for use by persons under the age of 18 and we do not knowingly collect Personal Data from children under 18. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

11.       DATA RETENTION

We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider the following factors when we determine how long to retain data (without limitation):

• Retention periods established under applicable law;
• Industry best practices;
• Whether the purpose of processing is reasonably likely to justify further processing;
• Risks to individual privacy in continued processing;
• Applicable data protection impact assessments;
• IT systems design considerations/limitations; and
• The costs associated continued processing, retention, and deletion.

We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.

12. CHANGES TO OUR POLICY

We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.

13. Regional Notices

A. US States/California

i. US State & California Privacy Rights & Choices

Under the California Consumer Privacy Act (“CCPA”)and other state privacy laws, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.

Confirm - Right to confirm whether we process your Personal Data

Access/Know - Right to request any of following: (1) the categories of Personal Data we have collected, sold/“Shared,”or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/“Shared” your Personal Data; (4) the categories of third parties to whom we have sold/“Shared” your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Portability - Right to request that we provide certain Personal Data in a common, portable format

Deletion - Right to delete certainPersonal Data that we hold about you.

Correction - Right to correct certain Personal Data that we hold about you.

Opt-Out (Sales, Sharing, Targeted Advertising, Profiling) - Right to opt-out of the following:

• If we engage in sales of data (as defined by applicable law), you may direct us to stop selling Personal Data.
• If we engage in Targeted Advertising (aka “Sharing”of personal data or cross-context behavioral advertising,) you may opt-out of such processing.
• If we engage in certain forms of “profiling”(e.g. profiling that has legal or similarly significant effects), you may opt-out of such processing.

Opt-out or Limit Use and Disclosure of Sensitive Personal Data - Right to opt-out of the processing of certain Sensitive Data, or request that we limit certain uses ofSensitive Personal Data. This right does not apply in cases where we only useSensitive Personal Data where necessary, or for certain business purposes authorized by applicable law.

Opt-in/Opt-out of Sale/Sharing of Minors’ Personal Data - To the extent we have actual knowledge that we collect or maintain personal information of a minor under age 16 in California, those minors must opt in to any sales/“Sharing” of personal information (as defined under CCPA), and minors under the age of 13 must have a parent consent to sales/“Sharing” of personal information. All minors have the right to opt-out later at any time.

Non-Discrimination - California residents have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA

List of Direct Marketers - California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.

Remove Minors’ User Content - Residents of California under the age of 18 can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through theServices. If you have questions about how to remove your posts or if you would like additional assistance with deletion you can contact us using the information below. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.

ii. Submission of Requests

You may submit requests via email to our privacy team at privacy@starlims.com(please our review verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at privacy@starlims.com. We will respond to any request to appeal within the time period required by law.

iii. Categories of Personal Data Disclosed for Business Purposes

For purposes of the CCPA, we have disclosed to ServiceProviders for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:

iv. Categories of Personal Data Sold, Shared, or Disclosed for Commercial Purposes

For purposes of the CCPA, we have “sold” or “Shared” in the preceding 12 months the following categories of Personal Data in the, to the following categories of recipients:

v. Categories of Sensitive Personal Data Used or Disclosed

For purposes of CCPA, we may use or disclose the followingcategories of Sensitive Personal Data: Government ID Data and Payment Data.However, we do not sell or “Share” Sensitive Personal Data, or use it forpurposes other than those listed in CCPA section 7027(m).

B. EEA/UK/Switzerland

i. Controller

Labstep and STARLIMS acts joint controllers when processing Personal Data subject to this Policy. See Section 2 above for more information.

ii. Rights & Choices

Residents of the EEA, UK, and Switzerland have the following rights. Please review our verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access - You may have a right to access the Personal Data we process.

Consent – To the extent we rely on your consent to process Personal Data, you may withdraw your consent at anytime.

Deletion - You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export - You may request that we send you a copy of your Personal Data in a common portable format of our choice.

Restriction - You may request that we restrict the processing of Personal Data to what is necessary for a lawful basis.

Objection - You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:

• for Profiling purposes;
• for direct marketing purposes (we will cease processing upon your objection); and
• involving automated decision-making with legal or similarly significant effects (if any).

Rectification - You may correct anyPersonal Data that you believe is inaccurate.

Regulator Contact - You have the right to file a complaint with regulators about our processing of Personal Data. Should you wish to report a complaint or if you feel that Labstep has not addressed your concern in a satisfactory manner, you may contact the SupervisoryAuthority in your jurisdiction, or the Information Commissioner’s Office as follows:

Information Commissioner’s Office

Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303123 1113 Textphone: 01625545860

iii. Submission of Requests

You may submit requests via email to our privacy team at privacy@starlims.com (please our review verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at privacy@starlims.com.We will respond to any request to appeal within the time period required by law.

iv. Legal Basis for Processing

v. International Transfers

We process data in the United States, and other countrieswhere our subprocessors are located. In cases where we transfer Personal Datato jurisdiction that have not been determined to provide “adequate” protectionsby your home jurisdiction, we will put in place appropriate safeguards toensure that your Personal Data are properly protected and processed only inaccordance with applicable law. Those safeguards may include the use of EUstandard contractual clauses, reliance on the recipient’s Binding CorporateRules program, the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S.Data Privacy Framework, or requiring the recipient to certify to a recognizedadequacy framework. You can obtain more information about transfer measures weuse for specific transfers by contacting us using the information above.

‍