Possibia

Privacy Policy

Version: 2.7

Last updated: 11/24/2025

Privacy Policy

This Privacy Policy provides information about which personal data (as defined in the General Data Protection Regulation (GDPR)) Possibia AS ("we", "us", "our") processes, what they are used for, and what rights you have as a data subject when you visit or otherwise interact with our website or use our services.

TYPES OF PERSONAL DATA WE PROCESS

We may process the following categories of personal data in connection with offering of our services or visits to our website:

  • Special categories of personal data (sensitive data), such as personal data revealing racial or ethnic origin and data concerning health (e.g., information on clinical trial eligibility).

  • Identity information (e.g., name, surname, IP address).

  • Contact details (e.g., telephone number, postal address, email address).

  • Activities on our website (e.g., pages visited, links clicked).

Our website and services are not intended for children under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.

PURPOSES OF THE PROCESSING AND RELEVANT LEGAL BASES

We process personal data for the following purposes and based on the following legal bases:

Purpose

Legal basis

Handling inquiries from users about clinical trial participation, and sharing information about users with relevant clinical trial sites, to facilitate clinical trial enrollment.

Consent (Article 6(1)(a) GDPR; Article 9(2)(a) (with respect to sensitive data))

Improving our services and the user experience on our website.

Legitimate interest (Article 6(1)(f) GDPR)

Comply with legal obligations (e.g., IT security obligations).

Legal obligation (Article 6(1)(c) GDPR)

Providing personalized and contextual advertising on our website.

Consent (Article 6(1)(a) GDPR)

Communicating with users.

Legitimate interest (Article 6(1)(f) GDPR)

Deploying non-strictly necessary cookies on our website to analyze and improve the user experience on our website.

Consent (Article 6(1)(a) GDPR)

 

RECIPIENTS OF PERSONAL DATA 

We may share personal data with third parties, including:

  • Relevant clinical trial sites.

  • Our IT service providers, including Supabase, AWS, Posthog and Databricks.

  • Public authorities, if necessary to fulfil our legal obligations.

We have entered into data processing agreements with the companies that process personal data on our behalf.

We do not sell personal data to third parties.

DATA STORAGE AND SECURITY

We store personal data only as long as necessary for the specific purposes described in this Privacy Policy. Information processed for clinical trial screening purposes is retained for up to 12 months, unless consent is withdrawn earlier. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, use, or disclosure.

TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA

If we transfer personal data outside the EU/EEA area (e.g., to the USA), we will ensure that the transfer is in accordance with applicable legislation. This means that we will either obtain the necessary consent to the transfer or use other valid transfer mechanisms (e.g., standard contractual clauses), if necessary with additional safeguards. You can obtain a copy of the relevant transfer mechanism by contacting us.

DATA SUBJECT RIGHTS

As a data subject, you have the following rights:

  • The right to access your personal data.

  • The right to obtain the correction of inaccurate or incomplete information.

  • The right to the erasure of your personal data.

  • The right to obtain the restriction of the processing.

  • The right to object to processing based on legitimate interests or for direct marketing purposes.

  • The right to withdraw your consent at any time (when the legal basis for the processing is consent).

  • The right to complain to a Data Protection Authority, including the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority if you are located in another EU/EEA country, if you believe that our processing of personal data is in violation of the applicable data protection legislation.

COOKIES

Our website uses cookies. Information on what kind of cookies we use and how we use them can be found in our Cookie Policy.

CONTACT INFORMATION

We are the data controller with respect to the processing described in this Privacy Policy. Our contact details are: Possibia AS, Gaustadalléen 21, 0349 Oslo, Email: dpo@possibia.com. If you have questions about our processing of your personal data or wish to exercise your rights, you can contact us using the above details.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on our website and updating the effective date. We encourage you to review this Privacy Policy periodically.