Privacy Policy

1. Introduction

Voronoi, Inc. (of S-18, 32 Songdogwahak-ro, Yeonsu-gu, Incheon, Republic of Korea, referred to as “Voronoi”, “We”, “Our” or “Us”) are committed to protecting the privacy and security of your Personal Data.

This Privacy Notice applies to you if you are:

  • A user of this website (https://voronoi.io);
  • A Voronoi clinical trial participant;
  • A healthcare professional conducting a Voronoi clinical trial;
  • An employee, contractor or other associated party associated with Voronoi;
  • An employee, contractor or other associated party contracted by Voronoi’s Service Providers; or,
  • Any other individual with whom Voronoi may conduct commercial operations.

We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.

2. Definitions

For the purposes of this Voronoi Privacy Notice:

Cookies are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.

Data Controller, for the purposes of both UK and EU GDPR, refers to the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data. For the purpose of both UK and EU GDPR, Voronoi is the Data Controller.

Data Processor, for the purposes of both UK and EU GDPR, refers to Voronoi’s Service Providers.

Data Protection Legislation, as defined in the Data Protection Legislation section below.

Personal Data is any information that relates to an identified or identifiable natural person. For the purposes of both UK and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Service refers to the Website, unless otherwise stated.

Service Provider means any natural or legal person who processes the data on behalf of Voronoi. It refers to third-party companies or individuals employed by Voronoi to facilitate the Service, to provide the Service on behalf of Voronoi, to perform services related to the Service or to assist Voronoi in analysing how the Service is used. For the purpose of both UK and EU GDPR, Service Providers are considered Data Processors.

Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

Website refers to the website, accessible from https://voronoi.io

You means the individual accessing or using the Service, or Voronoi, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

3. Data Protection Legislation

Throughout this document we refer to Data Protection Legislation.

European Union (EU) and European Economic Area (EEA)

In the context of the European Union (“EU”) and European Economic Area (“EEA”), Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) as well as any local data protection implementation laws. This includes any replacement legislation coming into effect from time to time.

United Kingdom

In the context of the United Kingdom (“UK”), Data Protection Legislation means the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), the Data (Use and Access) Act 2025 (“DUAA”), and any legislation implemented in connection with the aforementioned legislation.

United States

In the context of the United States of America (“US”), Data Protection Legislation refers to any federal, state, sectoral, or case laws and regulations governing the privacy and security of personal data. This includes applicable state privacy legislation, including, but not limited to, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), as well as other relevant state and federal regulations. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.

Republic of Korea

In the context of the Republic of Korea, Data Protection Legislation refers to the Personal Information Protection Act (“PIPA”), the Act on the Use and Protection of Credit Information (“CIA”) and the Act on the Protection and Use of Location Information (“LIA”), as well as other relevant laws which may apply on a sectoral basis. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.

Other Jurisdictions

Depending on your jurisdiction, additional Data Protection Legislation may apply. If you have any questions, you can contact our DPO using the details in the Contact Us section below.

Data Controllership

Voronoi is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated. We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how you can contact our DPO, please see the Contact Us section below.

4. The information we collect

We only collect Personal Data that we know we will genuinely use and in accordance with the Data Protection Legislation and/or legislation related to clinical trials, such as the EU Clinical Trials Regulation (EU CTR). The type of Personal Data that we will collect on you will depend on whether you are a clinical trial participant, a healthcare professional, an employee, contractor, or consultant, or a user of this website:

Clinical Trial participant (inclusive of any parents, partners, and children)†

  • Your name*
  • Your date of birth*
  • Your year of birth
  • Your age
  • Your gender
  • Your contact information (telephone number or email address)*
  • Where applicable, the name of your legally authorized representative*
  • Where applicable, the name and contact details of your partner*
  • Your pseudonymized unique identification number(s)
  • Your health data
  • Your genetic data
  • Your ethnicity

Healthcare professional (HCP)

  • Your name
  • Your contact information (telephone number, email address, or mailing address)
  • Your employment details
  • Your professional experience
  • Your research information, including interactions with our research and clinical trials
  • Where relevant, your pseudonymized unique identification number(s) (e.g., license no.)
  • Where applicable, your financial information (e.g., bank information)
  • Where applicable, financial disclosure information regarding you, your spouse, and any adult children

Employees, Consultants, and Contractors of Voronoi or Voronoi’s Service Providers

  • Your name
  • Where applicable, your date of birth
  • Your contact information (telephone number, email address, or mailing address)
  • Your employment details
  • Your professional experience
  • Where relevant, your pseudonymized unique identification number(s) (e.g., payroll no.)
  • Where relevant, your financial information (e.g., bank information)
  • Where relevant, your Right to Work information (e.g., nationality)
  • Where relevant, your health data (e.g., sick leave information)

Website User†

  • Where applicable, your name
  • Where applicable, your contact information (email address)
  • Where applicable, your Contact Us form responses
  • Your Usage Data (e.g., your IP address)
  • Information relating to Cookies and Tracking Technologies

* This participant identifiable information is collected by Voronoi’s Research Sites, acting on their behalf as Data Processors. This data may be shared with clinicians, health authorities, ethics bodies and other personnel as authorized by Voronoi, but only where Voronoi is legally obligated to provide this data in accordance with Clinical Trial Regulations and other applicable laws. In certain circumstances, such as where Voronoi, their Contract Research Organization, and/or Trusted Data Processors inspect Research Sites and their activities, Voronoi or the relevant parties may have limited, temporary access to your identifiable medical records. However, in general, Voronoi will not directly receive participant identifiable information and will not instruct their Data Processors to process or share this information other than where the law requires.

† You are under no statutory or contractual requirement or obligation to provide us with your Personal Data; however, we require at least the information above in order for us to deal with you as a Service User in an efficient and effective manner.

5. Cookies, Analytics and Tracking Technologies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.

You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. We use both session and persistent Cookies for the purposes set out below:

Tracking and Performance Cookies

Type: Persistent Cookies
Administered by: Third-Parties
Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features, or functionality of the Website to see how our users react to them.

Cookie Name: _ga; _gat; _gid; _ga_[ID]
Cookie Description: Google Analytics used to store and count pageviews for analytics purposes.
Cookie Type: Tracking and Performance Cookies

We and the third parties we work with use cookies and similar tracking technologies to collect information about your use of the Services, such as your IP address, browser type, browser version, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Services and other websites, provide customer support, troubleshoot issues with and improve the operation of our Website and Services, and better understand your online activity.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

You can opt out of having your activity on the Service made available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visit activity. For more information on how Google collects and processes data click here. To opt out of tracking by Google Analytics, click here.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://google.com

6. How we use your information

We may use your information for the following purposes:

Where applicable, the GDPR Lawful Basis and Special Category Personal Data Condition is given for each Purpose:

Lawful Basis: Your Consent (GDPR, Article 6(1)(a); GDPR, Article 9(2)(a))
Purpose: Clinical Trial Operations (Your Consent)
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Consent, or where you have consented to Future Research, to collect information from you and process your health information in order to conduct a clinical trial.

Lawful Basis: Legal Obligation to comply with applicable Clinical Trial Law (GDPR, Article 6(1)(c); GDPR, Article 9(2)(j))
Purpose: Clinical Trial Operations (Legal Obligation)
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legal Obligation, to collect information from you and process your health information in order to conduct a clinical trial.

Lawful Basis: Our Legitimate Interest in conducting scientific research (GDPR, Article 6(1)(f); GDPR, Article 9(2)(j))
Purpose: Clinical Trial Operations (Legitimate Interest)
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legitimate Interest, to collect information from you and process your health information in order to conduct a clinical trial.

Lawful Basis: Our Legitimate Interest in conducting clinical activities (GDPR, Article 6(1)(f))
Purpose: Clinical (Healthcare Professional Administration)
Where you are a Health Care Professional (HCP) involved in the planning, delivery, or oversight of Voronoi clinical trials, to collect information from you and process your employment information in order to conduct a clinical trial.

Lawful Basis: Contractual Obligation (GDPR, Article 6(1)(b))
Purpose: Employment
Where you are an employee, contractor, or consultant of Voronoi, to collect information from you and make available our Services to you for the purposes of fulfilling our contractual obligations with you.

Lawful Basis: Our Legitimate Interest in managing our affairs (GDPR, Article 6(1)(f))
Purpose: Service Providers (Legitimate Interest)
Where you are an employee, contractor, or consultant of Voronoi’s Service Providers, to collect information from you or your employer and make available our Services to your employer.

Lawful Basis: Contractual Obligation (GDPR, Article 6(1)(b))
Purpose: Service Providers (Contractual Obligation)
Where you are an employee, contractor, or consultant of Voronoi’s Service Providers, to collect information from you and take payment from you, make a payment to you, give you a refund or request a refund.

Lawful Basis: Our Legitimate Interest in managing our affairs (GDPR, Article 6(1)(f))
Purpose: Service Providers (Performance)
Where you are an employee, contractor, or consultant of Voronoi’s Service Providers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required.

Lawful Basis: Our Legitimate Interest in providing Services to you (GDPR, Article 6(1)(f))
Purpose: Service Provision
To collect information from you and monitor, provide and maintain our Services.

Lawful Basis: Our Legitimate Interest in providing Services to you (GDPR, Article 6(1)(f))
Purpose: Inquiries
To contact you following your inquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us.

Lawful Basis: Our Legitimate Interest in providing a secure platform (GDPR, Article 6(1)(f))
Purpose: Security
To collect your Usage Data in order to power our security measures and Services so you can safely access our website and other Services.

Lawful Basis: Our Legitimate Interest in contacting you about our Services (GDPR, Article 6(1)(f))
Purpose: Service Messages
To contact you, where you have provided your contact information, about news and information relating to our Services through Service messages.

Lawful Basis: Our Legitimate Interest in marketing our Services to you (GDPR, Article 6(1)(f))
Purpose: Direct Marketing (Legitimate Interest)
B2B direct marketing to you, where you have provided your contact information, about Services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under the UK PECR and/or EU ePrivacy legislation.

Lawful Basis: Your Consent (GDPR, Article 6(1)(a))
Purpose: Direct Marketing (Consent)
B2B direct marketing to you, where you have provided your contact information, about Services from us where you are a sole trader, partnership or otherwise classified as an individual subscriber and/or the ‘soft opt-in’ does not apply under UK PECR and/or EU ePrivacy legislation.

Lawful Basis: Vital Interest (GDPR, Article 6(1)(d); GDPR, Article 9(2)(c))
Purpose: Vital Interest
Monitor your health in order to safeguard and protect you, or to act in your vital interest, or the vital interest of a third party.

Lawful Basis: Legal Obligation, including, but not limited to, our Legal Obligation to comply with Employment Law (GDPR, Article 6(1)(c); GDPR, Article 9(2)(b))
Purpose: Legal Obligation
To comply with our legal obligations, such as retaining any accounting information generated during the course of our interaction for statutory accountancy retention periods.

Lawful Basis: Our Legitimate Interest in managing any legal claims (GDPR, Article 6(1)(f); GDPR, Article 9(2)(f))
Purpose: Legal Claims
To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims.

Within the context of the Republic of Korea, we will process your Personal Data where you have consented to this processing, or where we are otherwise permitted to do so under applicable laws and/or required by applicable laws.

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7. Criminal convictions and offences data

Where you are an employee, contractor, or consultant for Voronoi, or a healthcare professional working on one of Voronoi’s clinical trials – or you are a candidate for such a role – and depending on the jurisdiction in which you operate and on the specific role in question, we may collect information about your criminal convictions and offences. We do this to satisfy ourselves that there is nothing in your criminal convictions and offences history which makes you unsuitable for the role. Our roles require a high degree of trust and integrity, and it is therefore best practice to undertake such checks and a pre-requisite in some instances.

We will only collect and use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations, or where we have an overriding legitimate interest to do so and provided we do so in line with our Data Protection Policy. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.

8. Automated technologies and AI use

As part of our ongoing efforts to improve the efficiency and quality of our research and clinical trial activities, we may use artificial intelligence (AI) tools (“AI tools”) to support data analysis, communication, and system functionality.

Where AI tools are used, we take steps to ensure that personal data is minimised, protected, and processed in accordance with applicable data protection law, and we do not intentionally submit personal data to publicly available AI models without appropriate safeguards.

Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests to conduct clinical research. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.

If you have any questions or concerns about this processing, please contact our Data Protection Officer on the contact email address set out in the Contact Us section.

9. Who we might share your information with

We may share your personal data with other organizations in the following circumstances:

  • From time to time, we may need to share your Personal Data with our affiliates and/or strategic clinical trial partners;
  • If the law or a public authority says we must share the Personal Data;
  • If we need to share Personal Data in order to establish, exercise or defend our legal rights – this includes providing Personal Data to others for the purposes of detecting and preventing fraud; or
  • From time to time, we employ the services of other parties for dealing with certain processes necessary for the operation of our services.

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

  • Our Contract Research Organizations (CRO);
  • Our Clinical Trial Data Processors; and,
  • Our IT Service Providers, such as Microsoft Corporation.

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will hold your Personal Data securely and retain it for the period we instruct.

10. How long we keep your information for

We retain a record of your Personal Data in order to provide you with a high-quality and consistent service. We will retain your Personal Data in accordance with the Data Protection Legislation and retain your information for longer than is necessary. Where relevant Data Protection Legislation applies, Voronoi follows a Retention Schedule which outlines how long Voronoi will retain your Personal Data. Voronoi considers the retention period to begin from the point at which Voronoi last contacted you or otherwise reviewed your record to determine whether it was still active, or from the end of the applicable study, contract, or legal obligation, whichever is later, unless otherwise required by law. As such, where relevant Data Protection Legislation applies, and unless otherwise required by law, your data will be retained for the period specified in the summarized table below and then securely deleted in accordance with our internal policies and procedures.

Purpose: Processing data in relation to You as a clinical trial participant
Retention Period: 25 years following the conclusion of the clinical trial, as determined by the EU Clinical Trials Regulation

Purpose: Processing data in relation to You as a Health Care Professional (HCP) involved in the planning, delivery, or oversight of a Voronoi clinical trial
Retention Period: 25 years following the conclusion of the clinical trial, as determined by the EU Clinical Trials Regulation

Purpose: Processing data in relation to You as an employee, contractor or other associated party contracted by Voronoi
Retention Period: 6 years following the termination of your employment

Purpose: Processing data in relation to You as an employee, contractor or other associated party contracted by Voronoi’s Service Providers
Retention Period: 6 years following the termination of your employment

Purpose: Processing data in relation to You as a service user of this website
Retention Period: 1 year

Purpose: Processing data in relation to You as any other individual with whom Voronoi may conduct commercial operations
Retention Period: 6 years

11. How we keep you updated on our products and services

Where you are a clinical trial participant or a Health Care Professional involved in the planning, delivery, or oversight of a Voronoi clinical trial, we will contact you through our Contracted Research Organization (CRO) where it is necessary to do so.

Where you are an employee of Voronoi, we will contact you through existing Voronoi communication channels, including email, where it is appropriate to do so.

Where you are an employee of Voronoi’s Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we will send you relevant news about our services in a number of ways including by email, but only if we have a Legitimate Interest to do so. Where we do not have a Legitimate Interest, we will not send you marketing communications unless we have asked for, and gained, your consent.

We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.

Email communications may have an option to unsubscribe – if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.

12. Security

We have put in place appropriate technical and organizational measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
  • Implementing access controls to our information technology; and,
  • Deploying appropriate procedures and technical security measures (including encryption, pseudonymisation, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

13. International Transfers

Your Personal Data is processed at Voronoi’s operating offices in the Republic of Korea and the United States, and in any other places where the parties involved in the processing are located. This means that this information may be transferred outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction. In particular, when Voronoi shares clinical trials data with Trusted Data Processors, your Personal Data would be stored and processed within third countries. Where EU GDPR and/or UK GDPR apply, Voronoi will ensure that:

  • the security and confidentiality of your Personal Data is maintained at all times;
  • any Data Controller receiving your Personal Data has entered into an agreement with Voronoi which contains standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
  • any Data Processor receiving your Personal Data has entered into an agreement with Voronoi which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.

Where EU GDPR or UK GDPR applies and we transfer your Personal Data outside of the EEA or UK, as applicable, to countries not deemed by the European Commission or UK government, as relevant, to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the European Commission or UK government, as relevant, providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting our DPO identified in the Contact Us section below.

In other cases, we may seek your explicit consent to internationally transfer your Personal Data. If we do so, we will provide you with more information relating to the transfer at the time.

14. What happens if our business changes hands?

In the event of a sale or transfer of control of part or all of our business, relevant personal data will be transferred to the new owner, who is permitted to use it only for the purposes for which it was originally collected.

15. Third Party websites and links

Our Website may contain links to third-party sites. Voronoi does not control and is not responsible for their privacy policies, content, or actions.

16. Children's privacy

Except where required under clinical trial legislation (e.g., pregnancy during a trial), we do not knowingly collect personal information from children under 13. If discovered, we will make commercially reasonable efforts to delete it.

17. Your rights over your information

17.1 European Union (EU), European Economic Area (EEA) and United Kingdom (UK)

Where EU GDPR and UK GDPR apply, you have the following rights over your Personal Data. For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do. If you would like to exercise these rights, or if you would like more information about your rights or have any concerns about how we process your personal information, please Contact Us as set out below.

  • 17.1.1 The right to be informed about our collection and use of personal data
    You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
  • 17.1.2 Right to Access Your Personal Data
    You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes termed 'Data Subject Access Request'. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. If your request is particularly complex, we may extend this response window to a total of 3 months. We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.
  • 17.1.3 Right to Rectify Your Personal Data
    If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. If we shared your Personal Data with others, we will tell them about the correction where possible.
  • 17.1.4 Right to Erasure
    You have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. If we shared your data with others, we will alert them to the need for erasure where possible.
  • 17.1.5 Right to Restrict Processing
    You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We will tell you before we lift any restriction on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible.
  • 17.1.6 Right to Portability
    The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format, where the lawful basis for processing relies upon consent or a contract entered into with you. It also gives you the right to request that a controller transmits this data directly to another controller.
  • 17.1.7 Right to Object
    You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.
  • 17.1.8 Rights Related to Automated Decision-Making
    You have the right to object to our processing where a decision is made about you solely based upon automated processing and which has significant or legal effects. Voronoi does not intend to conduct any automated decision-making for your Personal Data. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have otherwise notified you.
  • 17.1.9 Right to Withdraw Consent
    Where the lawful basis for processing is your consent, you have the right to withdraw your consent at any time.
  • 17.1.10 Right to Lodge a Complaint
    Where you are in the EU or EEA, you can lodge a complaint with your country's regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below. In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public. Where you are in the UK, you have the right to lodge a complaint with us at any time. You also have the right to lodge a complaint to the ICO about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

17.2 United States

17.2.1 California Data Protection Legislation

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 ("CCPA") requires that we provide you with a privacy policy of our online and offline information practices and your rights under this law regarding your personal information. We currently collect, share, disclose, and use your personal information. In the 12 months prior to the last updated date of this Privacy Notice, we have collected, shared, and disclosed the personal information set out in this Privacy Notice. We may collect personal information directly from California and other US state residents, credit reporting agencies, and/or our third-party service providers. We do not collect all categories of personal information from each source.

17.2.2 California Resident Rights

California residents are afforded the following rights:

  • to delete your personal information, unless:
    • we can prove this to be impossible;
    • it involves disproportionate effort; or
    • it is reasonably necessary for us to maintain records in order to fulfil the transaction(s) for which the personal information was collected;
  • to correct inaccurate personal information held about you;
  • to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice);
  • to request specific pieces of information from us;
  • to opt out of the sale or sharing of your personal information;
  • to limit use and disclosure of sensitive personal data; and,
  • to no retaliation following opt-out or exercise of other rights.

If you would like to contact us regarding any of these rights, please Contact Us as set out below. Please note that we may need to verify your identity before processing your request. Rights requests shall be reviewed to see if an exemption allows us to retain the information. We may deny your deletion request if an exemption applies and/or if retaining the information is necessary for us or our Service Provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify or limit the scope of personal information not subject to an exemption from our records and will direct our Service Providers to take similar action.

17.2.3 Other US Data Protection Legislation

If you are a US resident, we process your personal data in accordance with applicable privacy laws. Several US states have enacted comprehensive privacy statutes, including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These laws include provisions aimed at safeguarding consumer rights and outlining business obligations. If you have relevant rights under these laws, you can exercise them by contacting us using the details provided in the Contact Us section as set out below. Our practices are designed to adhere to the highest standards set forth by these laws, ensuring that we respect the privacy rights of all individuals. As the US privacy laws continue to evolve, we will monitor these changes, adjust our privacy practices, and update our Privacy Notice(s) accordingly.

17.2.4 We Do Not Sell Your Personal Information

You have the right to know whether your personal information is being sold. Your personal information is "sold" when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a "business purpose" as set forth in the CCPA or other US state data privacy laws. Please note a "sale" does not include when we disclose your personal information at your direction, or when otherwise permitted under law.

17.2.5 We May Share Your Personal Information

We may "share" your personal data, as defined under California and other applicable US state laws, for personalised advertising purposes and/or for any other purposes outlined in this Privacy Notice.

17.2.6 Do Not Track

Due to varying practices among browser providers and the lack of a market standard, we do not respond to Do Not Track signals at this time.

17.2.7 Non-Discrimination

US state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying goods or services, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer's personal information.

17.3 Republic of Korea

Under PIPA, you have the following rights in relation to your personal information:

  • 17.3.1 Right to be informed
    to receive clear information about the processing of your personal information, including purposes, items, retention periods, and recipients.
  • 17.3.2 Right to consent (and to withhold or withdraw it)
    to decide whether to consent to the collection, use, or provision of your personal information, and to withdraw consent at any time without disadvantage in receiving goods or services (subject to limited exceptions).
  • 17.3.3 Right of access
    to request access to your personal information and to confirmation of how it is being processed.
  • 17.3.4 Right to rectification
    to request correction of inaccurate or incomplete personal information.
  • 17.3.5 Right to erasure
    to request deletion of your personal information, except where retention is required by law.
  • 17.3.6 Right to restrict processing
    to request that processing of your personal information be halted.
  • 17.3.7 Right to data portability
    to request that your personal information be transmitted to you or to a designated third party in a structured format.
  • 17.3.8 Rights regarding automated decision-making
    to request an explanation of, and in certain cases to refuse, decisions made solely by fully automated systems that significantly affect you.
  • 17.3.9 Right to be notified of cross-border transfers
    to be informed of the recipient country, recipient, purpose, items, and retention period before your personal information is transferred overseas.
  • 17.3.10 Right to breach notification
    to be notified without delay if your personal information is affected by a security incident.
  • 17.3.11 Right to designate a representative
    to exercise the above rights through a legal representative or duly authorised agent.
  • 17.3.12 Right to lodge a complaint and seek redress
    to file a complaint with the Personal Information Protection Commission (PIPC), the Korea Internet & Security Agency (KISA) Privacy Call Centre, or the Personal Information Dispute Mediation Committee, and to seek damages through the courts, including via collective data protection legal action.

Where applicable, you can exercise these rights by contacting us using the details provided in the Contact Us section as set out below.

17.4 Other Data Protection Legislation

If you are located in another jurisdiction outside of the EU, EEA, UK, US and Republic of Korea, you may have data protection rights available to you under the applicable Data Protection Legislation of your jurisdiction, such as the right of access, rectification, and/or erasure. If you have relevant rights under these laws, you can exercise them by contacting us using the details provided in the Contact Us section as set out below.

18. Contact Us

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by emailing dpo@voronoi.io. Our EU GDPR Representative is The DPO Centre Europe Limited, who can be contacted by emailing eurep@voronoi.io.

19. Changes to Our Privacy Notice

Thank you for taking the time to read our Privacy Notice. We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this Privacy Notice regularly to keep up to date.