Privacy Policy

What is the purpose of this document?

Crannmed Limited is a life sciences company, and its subsidiaries and affiliates (hereinafter referred to as “us” or “we”) are committed to protecting your privacy.

Crannmed Limited is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this Privacy Notice.

We have created this Privacy Notice to demonstrate our commitment to fair information practices and its respect for your right to privacy and the protection of privacy. This Privacy Notice describes how we collect, use, disclose, transfer and store your information.

The Privacy Notice explains the following: –

  • How we collect and use your personal data;
  • The purpose and legal basis for collecting your personal data;
  • How we store and secure personal data;
  • Details of third parties with who we share personal data; and
  • What your rights are.

Changes to the Privacy Notice and your duty to inform us of changes

We keep our privacy notice under regular review.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Data Protection Principles

We will comply with data protection law and principles, which means that your data will be:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • So far as possible, accurate and kept up to date;
  • Kept only as long as necessary for the purposes we have told you about; and
  • Kept securely.

The kind of information we hold about you

In connection with the allotment of shares in the Company and the management of that shareholding we will collect, store, and use the following categories of personal information about you:

  • Your name, address, telephone number, date of birth;
  • Your tax number or other identification number and contact details;
  • Your service with the company, salary and role;
  • The number of shares allotted to you; and
  • Any shares or stock or directorships held by you in the Company, details of all options or any other entitlement to shares awarded, cancelled, exercised, vested, unvested or outstanding.

How is your personal information collected?

Personal data or information means any information about an individual from which that person can be identified.  We will process personal information about you from the following sources:

  • Information collected directly from you by the Company or through other entities in the group.

How we will use information about you

We will only use your personal data when the law allows us to.  Most commonly we will use your personal data in the following circumstances:

  • Where required to perform a contract;
  • Where we need to comply with a legal obligation; and
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Data Sharing

Why might you share my personal information with third parties?

We will only share your personal information with the following third parties for the purposes of administering your shareholding:

  • Revenue Commissioners of Ireland in connection with the Company’s fulfilment of its statutory reporting obligations in relation to the Company and/or to other taxation and regulatory authorities in fulfilment of the Company’s obligations;
  • Third party administrators, nominees, registrars and trustees or other entities in the group for the purposes of administering your shareholding; an
  • Other third parties in the context of the possible sale, investment in or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.

All third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Requirement to Provide Data

You are not under a statutory or contractual duty to provide us with any personal data. However, there are some pieces of information, such as your name and address that you must provide to us so that we can administer your shareholding.  If you do not provide us with this information, we may not be able to administer your shareholding in accordance with your wishes.

Transfers of personal data outside the EEA

Will my data be transferred abroad?

We may transfer the personal information we collect about you to third party countries.

In those circumstances we will ensure that your personal information receives an adequate level of protection and will put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and Irish laws on data protection.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those agents, advisors, contractors and other third parties who need it to assist in administering your shareholding. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention

How long will you use my personal information for?

We will retain your personal for as long as necessary to administer your shareholding. After this period, we will securely destroy your personal information in accordance with our data protection obligations.

Your legal rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”);
  • Request correction of the personal information that we hold about you;
  • Request erasure of your personal information;
  • Object to processing of your personal information where we are relying on a legitimate interest;
  • Request the restriction of processing of your personal information; and/or
  • Complain to the Data Protection Commission (“DPC”), the Irish supervisory authority for data protection issues at We would, however, appreciate the chance to deal with your concerns before you approach the DPC so please contact us in the first instance.

If you have any questions or concerns about your rights, when they apply or our Privacy Notice or data processing; wish to review the information you have supplied to us; request that we correct any errors or update your Personal Data; or if you would like to make a complaint about a possible breach of applicable privacy laws, please contact

We are obliged to respond within a reasonable time frame. In most instances, we will respond within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why.

You have the right to complain to the Data Protection Commission or another supervisory authority.

You can contact the Office of the Data Protection Commission at: