GDPR Statement of Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law that requires organizations to keep data safe, while also giving individuals more control over how their data are used. This protects the personal data of persons located in the EU.

Our Commitment

n-Lorem Foundation is committed to protecting the privacy and security of your personal data. We comply with the requirements of the GDPR and uphold the highest standards of transparency and accountability.

Data Subjects

For the purposes of GDPR, a “data subject”, also referred to as an identifiable natural person, is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This may include clinical research participants, clinical research site staff, or individuals who initiate interactions with n-Lorem (such as patient family members).

How We Process Personal Data

We ensure that personal data are:

• Processed lawfully, fairly, and transparently
• Collected only for specific, explicit, and legitimate purposes
• Limited to what is necessary for those purposes
• Accurate and kept up-to-date
• Retained only for as long as necessary or archived for the purposes of scientific research
• Protected using appropriate technical and organizational measures

Purpose of Data Processing

The key portion of data collection and processing, including personal health data and genetic data, is for the purpose of scientific research through clinical research studies. Subjects participating in clinical research studies provide written informed consent for the collection and analysis of their data. Data will be collected by the local clinical research team, pseudonymized, and submitted to n-Lorem via an Electronic Data Capture (EDC) system. Under Article 6 and 9
of GDPR, this processing is lawful.

Additional processing may include self-submission for communication purposes. This is lawful under Article 5 of GDPR.

Legal Basis for Processing

Our legal basis under GDPR for processing of personal data includes Articles 5, 6, and 9.

Data Security

We implement strong security safeguards to protect personal data against unauthorized access, loss, or misuse. Access to personal data is restricted to those who need it to carry out their duties, and all staff and partners are required to follow strict data protection policies.

Data Retention

We will not keep personal data longer than necessary for the purposes for which it is collected, unless required by law or regulatory obligations, including archival for scientific research purposes (per Article 5). Once data are no longer needed, it will be securely deleted or anonymized.

Data Sharing

We may share personal data with trusted third-party service providers who help us deliver our services. Any sharing is carried out under strict data protection agreements to ensure your information remains secure and is used only for agreed purposes. We do not sell personal data to
third parties.

Pseudonymized data will be submitted to regulatory authorities as required by law. Results including pseudonymized data may also be published in the scientific literature and presented at scientific meetings.

International Data Transfers

Data subjects’ data is transferred to countries outside of the EU/EEA including to the United States. We ensure these transfers are safeguarded by appropriate measures.

Source of Data

In most instances, the collected data will not come directly from the ‘data subjects’. The data originates from healthcare providers involved in the treatment and care of the data subjects, or from other researchers collaborating on the study. Other, less common, data collection will be from voluntary self-submission, mainly contact information.

Data Subjects’ Rights under GDPR

As an individual, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct or update inaccurate or incomplete information
• Erasure: Request deletion of your personal data when it is no longer needed or processed lawfully
• Restriction: Ask us to limit how we use your data in certain cases
• Portability: Obtain and reuse your data across different services
• Objection: Object to certain processing
• Withdraw Consent: Withdraw consent at any time where processing is based on consent.

EU Data Representative

Since data processing is occasional, and does not include, on a large scale, processing of special categories of data, no representative in the EU is required per GDPR Article 27.

Data Protection Impact Assessment (DPIA) and Data Protection Officer (DPO)

Under article 35 of GDPR, a DPIA is not required as n-Lorem is not completing large scale processing of special categories. Similarly, under article 37 of GDPR, a DPO is not required as n-Lorem is not completing large scale processing of special categories.

Contact Us

If you have any questions about how we handle your personal data, or if you would like to exercise your GDPR rights, please email us at [email protected].

Effective Date: March 19, 2026

We cannot do
this alone

We hope that you join us on this journey to discover, develop and provide individualized antisense medicines for free for life for nano-rare patients. The ultimate personalized medicine approach – for free, for life.