Executive Statement
ElevateBio respects the privacy of the patients, HCPs, colleagues and other third parties with whom we interact. Protecting the Personal Data that we receive from individuals and entities is a responsibility we take very seriously. We comply with all applicable privacy laws and regulations in the collection, protection, and use of this information.
That’s why we have established a comprehensive privacy program designed to help us respect and protect privacy rights. To protect your privacy, ElevateBio will ensure all personal data is handled in a secure way and used only as outlined in the sections below. This privacy policy informs you what personal data we collect, how we use it and the measures we take to keep it safe. This policy is our commitment to privacy and includes provisions on processing of personal data related to clients, consumers, citizens and employees.
This privacy policy applies to all subsidiaries, business units and personal data processing activities under the responsibility of ElevateBio. All business units are accountable for ensuring that personal data is protected in all processes across its entire life cycle, keeping privacy measures top of mind. All of our employees are responsible for compliance with this policy.
Scope
This policy applies to all personal data processed by all employees, contractors and partners doing business on behalf of ElevateBio, as well as all legal entities/all subsidiaries of ElevateBio. This policy excludes joint ventures where there is less than a 50% share by ElevateBio.
ElevateBio will adhere to privacy laws in all jurisdictions where it operates. Any mandatory registration provisions that may exist according to legal requirements must be observed. In case of uncertainty, leaders of legal entities/subsidiaries of Elevatebio and stakeholders must consult the PO and/or general counsel.
Collection of personal data by — and the disclosure to — governmental institutions and authorities will be carried out only on the basis of specific legal provisions. In all cases, this privacy policy imposes those restrictions that are necessary to meet the legal requirements of the respective laws.
Guiding Regulations
GDPR, ISO270001, 22CFR 120,15CFR 730-774, Data Protection Act 2018, etc
Logging Practices
ElevateBio web servers automatically record the Internet Protocol (IP) addresses of visitors. Note, however, that if you have a broadband connection, depending on your individual circumstance, the IP address that we collect may contain data that could be deemed identifiable. This is because, with some broadband connections, your IP address doesn’t change (it is “static”) and could be associated with your personal computer or device.
As well as recording the IP addresses of users, ElevateBio may also keep track of sites that users visited immediately prior to visiting ElevateBio’s website and the search terms they used to find it. The web server keeps track of the pages visited on ElevateBio’s website, the amount of time spent on those pages, the types of searches done on them, and products looked at. Your searches remain confidential and anonymous.
ElevateBio uses this information only for statistical purposes, to find out which pages users find most useful and to improve the website.
ElevateBio servers also capture and store information that your browser transmits. This includes:
- Browser type/version/plug-ins used or security levels
- Operating system used
- Media Access Control (MAC) address
- Screen resolution
- Date and time of the server request
- Location-related data (such as the geographic location of the IP address)
- Volume of data transferred
- Access status (“file transferred,” “file not found” and so on)
This data will be used to generate statistics that help us to further optimize our websites to meet your individual needs. We will not deduce personal information from this data. Depending on the selection of privacy settings upon visiting ElevateBio’s website, additional personal data processing may take place following your preferences.
Cookies
Cookies are small text files that are placed on your computer by websites to track your individual movements on that website over time. At ElevateBio’s, we use the following categories of cookies:
- Essential cookies — These are used to authenticate you, prevent fraud and provide you with the services that you have requested.
- Functional cookies — These are used to remember you and recall your settings or preferences (such as language) when you return to our website. These cookies are not used to track you when you visit other websites.
- Performance cookies — These are used to measure the performance of our website and online services. We use the information gathered from these cookies to improve our sites, as well as the products and services we offer.
Cookies used by ElevateBio may be session-based or persistent. Session-based cookies last only for the duration of a user’s session, while a persistent cookie remains on the user’s hard drive. A persistent cookie can help us recognize you when you return to our website and recall your settings or preferences.
If you do not want a cookie placed on your computer as a result of using a ElevateBio website, you can disable cookies altogether by modifying the preferences section of your web browser. Note that if you do so, some aspects of ElevateBio websites may be unavailable to you. If you choose to accept cookies on your hard drive, but wish to be informed of their appearance, you may turn on a warning prompt by modifying the cookie-warning section also located in the preferences section of your web browser. For additional privacy protection, you may also use your web browser’s “do not track” (DNT) settings, which ElevateBio will adhere to.
Depending on your cookie consent selection of settings upon first visiting the ElevateBio website, tracking cookies, third-party cookies and other technologies such as web beacons may be used to process additional information, enable noncore functionalities on the ElevateBio website and enable referenced third-party functions (such as a social media “share” link).
Web Beacons/Pixels
Elevatebio’s websites may use a technology known as “web beacons” — sometimes called “single-pixel GIFs,” or “pixels” — that allow the sites to collect website log information. These are designed to track pages viewed or messages opened. Website log information is gathered during your visit. We may also include web beacons in promotional email messages to determine whether the messages have been opened.
Do Not Track (DNT)
Our web servers honor the DNT setting in all web browsers that currently support it. This means that you can opt out of our and third-party tracking services, including behavior advertising. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com
External Links Disclaimer
Some of ElevateBio’s websites link to other sites created and maintained by other public- and/or private-sector organizations. ElevateBio provides these links solely for your information and convenience. When you transfer to an outside website, you are leaving the ElevateBio domain, and ElevateBio’s information management policies no longer apply. ElevateBio encourages you to read the privacy statement of each external website that you visit before you provide any personal data.
Security
ElevateBio implements commercially reasonable technical and organizational security controls to protect your personal data against theft, loss or misuse. Your data will be stored in a secure operating environment that is not accessible without authorization. ElevateBio applies mitigation measures following periodic risk assessments to ensure an adequate level of protection of your personal data.
Please note for business continuity and disaster recovery purposes, ElevateBio may store data in a location outside the jurisdiction(s) in which we normally operate. In such scenarios, we will implement all commercially reasonable measures to protect your personal data against theft, loss or misuse.
ElevateBio has put in place appropriate physical, technical and administrative procedures to safeguard and secure the information from loss, misuse, unauthorized access, disclosure, alteration or destruction. ElevateBio cannot guarantee the security of information on or transmitted via the internet.
Inquiries
If you have any questions about our privacy policy or practices, please make inquiries through our “Contact Us” page.
Personal Data About Minors and Children
ElevateBio does not knowingly collect data from or about children under 13. If we learn that we have collected personal data from a child under 13, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at [email protected]
Applicable Law
This privacy policy is governed and will be interpreted in accordance with the laws of the United States of America.
If you use our services and reside outside the United States of America, your information will be transferred to the United States of America and will be processed and stored there under United States of America privacy standards. By using our services and providing information to us, you consent to such transfer to the United States of America and processing there.
Collaboration with Authorities
ElevateBio has appointed and mandated a privacy officer who represents the regulatory authorities inside the ElevateBio organization, and in return represents the ElevateBio organization to regulatory authorities.
ElevateBio’s privacy officer will ensure proper communication with the relevant regulatory authority for privacy. The privacy officer will lead investigative action, complaint handling and data breach notification. The privacy officer will also monitor regulatory changes and consult the regulatory authority where implementation of a regulatory or technological change lead to doubt.
What Personal Data We Use
The types of personal data that ElevateBio collects and shares depends on the nature of the relationship you have with us and the requirements of applicable laws. We may collect:
- Health and medical data (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) that we collect in connection with managing clinical trials, conducting research, formulating and administering gene therapies and immunotherapies, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports
- Personal and business contact data and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
- Biographical and demographic data (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)Professional credentials, educational and professional history, and institutional affiliations
- Payment-related data we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information)If you are a health care professional, we collect data about the programs and activities in which you have participated, your prescribing of our products and the agreements you have executed with us
- Your photograph, social media handle or digital or electronic signature
- Publicly available information (such as comments describing support for and experience with ElevateBio products or therapies)
- Other information you provide to us (such as in emails, on phone calls, in market research surveys, or in other correspondence with us or our service providers or business partners)
We may combine other publicly available data, such as information related to the organization for which you work, with the personal data that you provide through the Services.
How We Use Personal Data
ElevateBio uses the data collected to provide a safe, efficient and customized experience. Here are some of the details on how we do that:
To operate the website
If you use our website, we use your personal data to:
- operate, maintain, administer and improve the website
- better understand your needs and interests, and personalize your experience with the website
- provide support and maintenance for the website
- respond to your Service-related requests, questions and feedback
To perform and administer clinical trials, research and product-improvement activities
We may use your personal data when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:
- staff and manage clinical trials, including by recruiting investigators and participants
- track and respond to safety and product quality concerns (including product recalls)
- support public health initiatives, symposia, conferences, and scientific, educational and volunteer events
- developing our gene therapies and immunotherapies
- facilitate medication adherence programs
- define and manage appropriate patient engagement activities, and patient support programs (including to provide co-pay and other financial assistance where available)
- identify and engage thought leaders and external experts
- award scholarships and grants
- attribute authorship to academic and promotional materials
To provide the Services
We use your personal data as necessary to provide ElevateBio Services, including to:
- manage access to our products, including where access is limited by law to licensed physicians
- pay for services that physicians, researchers and other individuals may provide to us
- deliver our gene therapies and immunotherapies
To comply with law
We use your personal data as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
To comply with regulatory monitoring and reporting obligations
We use your personal data as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.
With your consent
ElevateBio shall not use Personal Data for any purpose except:
- With the explicit consent of the party whose Personal Data was collected;
- As required or permitted by applicable laws or regulations;
- If necessary, to comply with a legal, regulatory, or ethical obligation;
- As consistent with legal and privacy guidance associated with the activity
In some cases, we may ask for your consent to collect, use or share your personal data, such as when required by law or our agreements with third parties.
To create anonymous data for analytics
We may create anonymous data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous data by excluding information that makes the data personally identifiable to you and use that anonymous data for our lawful business purposes.
For compliance, fraud prevention and safety
We use your personal data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
How Long We Use Personal Data
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) in which case we may use this data indefinitely without further notice to you.
Who Else May Process Personal Data
ElevateBio may share the data collected with third parties to provide a safe, efficient and customized experience. Here are some of the details on how we do that:
- To provide services: ElevateBio may share your personal data with agents, contractors or partners of ElevateBio in connection with services that these individuals or entities perform for or with Elevatebio. These agents, contractors or partners are restricted from using this data in any way other than to provide services for ElevateBio, or for the collaboration in which they and ElevateBio are engaged. For example, some of our products are developed and marketed through joint agreements with other companies. We may, for example, provide your data to agents, contractors or partners for hosting our databases, data processing or mailing you information that you requested.
- To respond to legal requests and prevent harm: ElevateBio reserves the right to share your data to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state or company security is at issue (such as terrorist attacks), ElevateBio reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.
We never sell your personal data to third parties, such as marketers, without your consent. We do not provide any personal data to “people finder,” “public directory” or “white pages” sites.
If our company is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your data may be sold or transferred as part of that transaction. The promises in this privacy policy will apply to your data as transferred to the new entity.
Your Right to Access Personal Data
To keep your Personal Data accurate, current, and complete, please contact us as specified below. We will take reasonable steps to update or correct Personal Data in our possession that you have previously submitted via this website.
Please also feel free to contact us if you have any questions about the Company’s Privacy Policy or the data practices of this website.
You may contact us as follows: [email protected]
In addition to the information that is available on ElevateBio’s website, you have the right to access the personal data that ElevateBio holds about you, all subject to the exemptions as contained in applicable laws and regulations. If you request the data, then ElevateBio will assist you. Your identity will need to be confirmed before you are provided with access to personal data. Generally, ElevateBio does not charge for providing information, but if the request requires significant staff time, ElevateBio reserves the right to charge a fee for such requests.
All formal access requests will be directed to the privacy officer, who will then review each request to determine whether ElevateBio will disclose the requested data. The privacy officer will also receive and address all privacy complaints that ElevateBio receives. You may submit these requests by email to [email protected] or our postal address provided on our “Contacts Us” page.You will be notified if access to the records you have requested is granted or denied, and which exemptions apply.
Your Right to Correct or Amend Personal Data
If you believe there is a mistake in your personal data, you have a right to ask for the data to be corrected. Send correction/amendment request to [email protected]
Cross Boarder Data Transfer
If we export your personal data from the European Economic Area (“EEA”) to a country outside of it and are required to apply additional safeguards to that personal data under European data protection legislation, we will do so. Such safeguards may include applying the European Commission model contracts for the transfer of personal data to third countries described here. Please contact us at [email protected] for further information about any such transfers or the specific safeguards applied.
Enforcement and Audit
ElevateBio uses a self-assessment approach to ensure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible, and in conformity with privacy principles.
Complaints
We encourage anyone interested to raise any concerns using the contact information provided in our “Contact Us” page. We will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal data.