Privacy Policy

1.1 Purpose of this Privacy Notice

This privacy notice explains how Prima Mente (CFDX Ltd) collects, uses, and protects your personal data when you visit our website, take part in our research studies, use our products and services or otherwise interact with us. It covers all of our processing activities as a data controller, including clinical research studies, AI model development, laboratory operations, and business administration.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements those other notices and is not intended to override them.

1.2 Data Controller

Prima Mente (CFDX Ltd) is the data controller and is responsible for your personal data. We have appointed a data protection contact who is responsible for overseeing questions relating to this privacy notice. If you have any questions, including any requests to exercise your data subject rights, please contact them using the details in section 1.3.

1.3 Contact Details

• Legal entity: Prima Mente (CFDX Ltd), UK Registration number: 14890974
• Registered address: 188 York Way, London N7 9AS
• DPO / DP contact: Hannah Madan — DPO@primamente.com
• ICO registration: ZC112984

You have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO) at www.ico.org.uk, the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

1.4 Changes to this Notice

This version was produced in May 2026. We keep this notice under regular review and will update it whenever there is a material change to our processing activities. The next scheduled review is May 2027.

2.1 Personal Data

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

2.2 Collection, Use, Transfer and Storage

We may collect, use, store, and transfer the following categories of personal data:

• Identity and Contact Data: name, date of birth, address, email address, telephone number, study IDs and participant identifiers.
• Health and Clinical Data: medical history, clinical diagnosis, cognitive test scores, questionnaire responses (e.g. health anxiety index), and electronic health record data. We will only collect this with your explicit consent.
• Biological and Genetic Data (Special Category): blood biomarker results, genotyping results, epigenetic methylation markers, proteomic data, and cell-free DNA (cfDNA). This data is special category data under UK GDPR Article 9. We will only collect this with your explicit consent.
• Audio Data (Special Category): speech recordings captured during clinical trials. Audio is de-identified on-device via pitch shifting before upload. Health inferences may be drawn from this data, making it special category data. We will only collect this with your explicit consent.
• Technical Data: system access logs, IP addresses, browser and device data associated with use of our web-based study portals.
• Business Contact Data: identity and contact information for employees, contractors, suppliers, site staff, and research partners.

We also generate and use aggregated or anonymised data derived from the above (e.g. statistical research outputs). Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

2.3 Children

Our research studies are directed at adult participants. Prima Mente does not knowingly collect personal data relating to children in the context of its research activities.

3.1 Direct Collection from Research Participants

Prima Mente collects personal data directly from research participants and other data subjects through:

• Completion of informed consent forms and participant information processes.
• Study visit activities: blood draws, cognitive assessments, and questionnaires.
• Speech and audio recordings captured via the Prima Mente Study Visit Portal (SVP) on study-provided iPads or participants’ own devices.
• Remote follow-up visits conducted via the SVP.
• Direct correspondence with clinical site staff, employees, suppliers, and partners.

3.2 Collection from Third Parties and Clinical Sites

Prima Mente also receives personal data from:

• NHS Memory Clinics and other approved research sites: electronic health record data and clinical information provided under research agreements.
• C2N Diagnostics (USA): biomarker analysis results derived from plasma samples submitted by Prima Mente.
• Forensic Genomics Innovation Hub (UK): APOE4 genotyping results derived from DNA samples submitted by Prima Mente.
• Cambridge Cognition (CANTAB): cognitive assessment data collected via the CANTAB platform at study sites.

3.3 Automated Collection

Our web and mobile based study portals, applications and cloud infrastructure collect technical data automatically, including access logs, IP addresses, and session data. This information is used for security, audit, and system administration purposes only. In some cases we may use cookies to collect personal data, or that becomes personal data if we combine it with other information.

3.3.1 Cookies and similar technologies

Our website and applications may use cookies, local storage, session storage, and similar technologies to operate securely and reliably.

We use these technologies where necessary to keep users signed in, maintain session security, remember workflow progress, support study or site-specific functionality, and enable authentication through approved providers.

Some applications may also use limited functional storage, such as remembering a selected site, interface preference, or device/printer preference. These technologies are used to support the application experience and are not used for advertising or marketing.

Where third-party services are required for an application to function, such as authentication providers or cognitive testing platforms, those services may set their own cookies or use similar technologies as part of providing the service.

We do not use cookies or similar technologies for advertising, marketing profiling, or third-party behavioural tracking.

If we introduce analytics, advertising, tracking, or other non-essential cookies or similar technologies in the future, we will update this notice and, where required, ask for consent before using them.

3.4 Partnerships / Biobanks / Other

Prima Mente may receive biological, clinical, or research datasets from approved partners under written agreements. Where these datasets contain personal or pseudonymised personal data, we handle them in line with the safeguards set out in this policy and applicable data protection law. Where datasets are anonymised, we document our assessment that the data meets the standard for anonymisation before we use it.

4.1 Purposes and Lawful Bases

We will only use your personal data where the law permits. Most commonly, we will use your personal data in the following circumstances:

• Where we have your consent to use personal data for a particular purpose.
• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

The table below sets out the purposes for which we process your personal data and the lawful bases we rely upon. Note that we may process your personal data for more than one lawful basis depending on the specific purpose.

AI outputs: findings generated by Prima Mente’s AI models are not returned to individual participants or clinicians and are not used to make autonomous clinical decisions. All AI outputs are reviewed by human researchers.

4.2 Change of Purpose

We will only use personal data for the purposes for which it was collected. If it becomes necessary to use personal data for a different purpose, we will assess whether the new purpose is compatible with the original, notify affected individuals where required, and document the legal basis for the new use.

We share personal or pseudonymised data with the parties set out below, where necessary and for the purposes set out in Section 4:

• Third parties who are carrying out services on our behalf.
• Approved academic, hospital, or commercial research partners — anonymised data only, for approved research purposes.
• Professional advisors, regulators, and authorities, where required by law or in connection with legal proceedings.

We do not sell personal data. All third-party processors are required to process data only on Prima Mente’s instructions and in accordance with applicable law.

Data Processing Agreements (DPAs) are in place with all third-party processors. Prima Mente maintains a central register of signed DPAs.

International transfers: where plasma samples and associated pseudonymised identifiers are transferred to processors located in another jurisdiction, an appropriate transfer mechanism (such as Standard Contractual Clauses, an approved data transfer agreement, binding corporate rules, or an adequacy decision) will be in place and documented for each such transfer. Where a specific processor is engaged on the basis of unique regulatory approval, the rationale for processor selection should also be documented to support the necessity and proportionality assessment.

7.1 Security Measures

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

7.2 Data Breaches

We have procedures to investigate, and respond to suspected personal data breaches. Where legally required, affected data subjects and the ICO will be notified without undue delay (72hrs).

We will only retain personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Good Clinical Practice (ICH E6) requires that certain study-specific data be retained regardless of a deletion request. Where this applies, we will explain it to you at the time of such request.

9.1 Rights Available

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access: data subjects may request a copy of the personal data held about them.
• Right to rectification: data subjects may request correction of inaccurate or incomplete personal data.
• Right to erasure: data subjects may request deletion of personal data where there is no overriding reason for its continued processing. Note that GCP obligations may prevent full erasure of study-specific data.
• Right to restriction: data subjects may request that processing be suspended in certain circumstances.
• Right to transfer: data subjects may request transfer of personal data to themselves or a third party. Prima Mente will provide to the subject or a third party their personal data in a structured, commonly used, machine readable format.
• Right to object: data subjects may object to processing carried out on the basis of legitimate interests.
• Right to withdraw consent: consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

9.2 How to Exercise Rights

Requests to exercise data subject rights should be directed to our Data Protection Officer at DPO@primamente.com. We will respond within one calendar month. No fee is charged unless a request is manifestly unfounded or excessive. We may request proof of identity before fulfilling a request.

10.1 Lawful Bases

• Consent (Art. 6(1)(a) / 9(2)(a)): you have given clear, freely given, specific, informed, and unambiguous consent to processing for one or more specific purposes.
• Scientific research (Art. 9(2)(j) / DPA 2018 Sch.1 para.4): processing of special category data is necessary for scientific research purposes, subject to appropriate safeguards including pseudonymisation.
• Performance of contract (Art. 6(1)(b)): processing is necessary for the performance of a contract to which the data subject is party, or to take pre-contractual steps at their request.
• Legal obligation (Art. 6(1)(c)): processing is necessary to comply with a legal or regulatory obligation (e.g. Good Clinical Practice, HRA requirements).
• Legitimate interests (Art. 6(1)(f)): processing is necessary for Prima Mente’s legitimate interests, provided those interests are not overridden by the data subject’s rights and freedoms.

10.2 Key Terms

• Data controller: the entity that determines the purposes and means of processing personal data. Prima Mente (CFDX Ltd) is the data controller for all activities described in this notice.
• Data processor: a third party that processes personal data on behalf of the data controller, under a Data Processing Agreement.
• Special category data: data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. Prima Mente processes health data, genetic data, and audio data that may reveal health information.
• Pseudonymisation: the processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information held separately.
• UK GDPR: the UK General Data Protection Regulation, as retained in UK law following the UK’s exit from the European Union, supplemented by the Data Protection Act 2018.