Aceragen Inc. (“Aceragen,” “we,” “us,” and “our”) is a rare disease biopharmaceutical company developing novel therapies which can have a positive impact on the lives of patients and families. This privacy policy is designed to help you understand how we collect, use, and share your personal information and to help you understand and exercise your privacy rights.
1. Introduction
Honoring privacy rights is important at Aceragen. This privacy policy describes the main types of personal information we process within our organization, how that information is used and disclosed, and explains our commitments to the individuals whose information we handle. The policy explains in general terms how we seek to comply with data privacy laws and regulations, including but not limited to national laws implementing the Health Insurance Portability and Accountability Act, and all implementing regulations (HIPAA), all state privacy laws including but not limited to CCPA. This privacy policy applies to personal information processed by us, on our websites, in clinical trials, patient support programs and other online or offline services. To make this privacy policy easier to read, our websites, mobile applications, and other services are collectively called “Services”. Aceragen keeps the possibility to provide additional privacy notices to individuals at the time we collect their personal information. For example, we provide a specific privacy notice to participants that describes our privacy practices in connection with conducting clinical trials. Such notice will govern our use of your personal information related to the clinical trial. The policy does not cover any Aceragen affiliates that operate under their own separate privacy policies.
Aceragen reserves the right to change this privacy policy from time to time at our sole discretion. We will notify you of any material changes through a notification on our website, and such change will only apply to information collected after the revised privacy policy takes effect. Any changes to the policy will become effective immediately after being posted. We encourage you to periodically review the policy to stay informed of changes and on how we are protecting your personal information.
1.1 Structure of the privacy statement
In the introduction of this document, you will find information about Aceragen. Aceragen is the organization responsible for the processing of your data. In the paragraphs below we describe which personal data we process and for which purposes we do this. We also explain for which services we process the data and on which basis we are allowed to do so. The sharing of data with other parties is highlighted, as well as the processing of personal data outside the EU. The security of personal data is addressed along with the treatment of retention periods. Finally, a section has been added on which rights you have as a data subject in the European Union, California or Nevada and the possibility of submitting a complaint or contacting Aceragen.
1.2 What are personal data?
Personal data is any data that can be traced back to a person. Examples are your name, address telephone number and e-mail address. Medical information is a special category of personal data and needs more protection. Sometimes we aggregate or anonymize your personal data so that you are no longer identifiable as a person.
2. What personal data do we use for our services and products?
2.1 What information do you provide to us?
The categories of personal information we collect depend on how you interact with us, our Services and the requirements of applicable law. For example, we may collect different information depending on whether you are a Clinical Trial Participant, Healthcare Professional, Patient Advocate, or visitor to our website. We collect information that you provide to us. We explain below for each type of data subject what data they provide to us:
Healthcare Professionals
If you are a Healthcare Professional, we collect certain information such as your professional contact information, credential and institutional affiliations information, information about our programs and activities in which you have participated, our interactions with you, published papers, your photograph, and/or prescribing of our products and information in any agreements executed with us.
Enrollment
When you enroll in our Services such as our patient support programs we collect your name, email address, mailing address, phone number, date of birth, insurance information, prescription information, prescribing doctor, and shipment history.
Participants in the Clinical Trial
Aceragen collects medical data from source documents or directly from data subjects who participate in clinical research, by order and according to the instructions of our clients/sponsors. To protect privacy and in accordance with the Good Clinical Practice Guidelines (ICH-GCP), the names of participants and other direct identification data are not linked to documents collected and archived by Aceragen. Instead, obtained medical data is only identified by a code. Only research physicians, research nurses and other authorized personnel who are part of the operational and organizational conduction of a clinical study have access to the personal registration of the participants at the research locations.
Regulatory Information
We are also obligated to collect certain personal information to comply with regulatory requirements, including information relating to any adverse effects you may have experienced when using our products. We collect such information only where you have provided your consent to disclose that information to us, as required by law.
Patient Advocates
If you are a Patient Advocate or affiliated to a Patient Advocacy Group, we collect information such as your name, email address, and phone number.
Your Communications with Us
We collect personal information, such as your name, email address, and business contact information, when you request information about our Services, register for our newsletter, sign up for investor email alerts, request customer or technical support, apply for a job or otherwise communicate with us.
Surveys
We contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.
Conferences, Trade Shows, and Other Events
We collect personal information from individuals when we attend conferences, trade shows, and other events.
Business Development and Strategic Partnerships
We collect personal information from individuals and third parties to assess and pursue potential business opportunities.
Job Applications
We may post job openings and opportunities on our Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and use your information to assess your qualifications.
2.2 What data do we collect about you?
It is possible that we obtain personal data automatically when you use our Services, and information from other sources such as third-party services and organizations. See our cookie statement for more information.
2.3 Children’s information
The Services are not directed to children under 13 (or other age as required by local law), however we may collect some information from children if your child participates in a clinical trial. We take additional steps to obtain the parent or guardian’s consent before collecting any information from a child.
If you are a parent or guardian believe your child has provided personal information to us without your consent, you may contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it.
3. For what purposes do we use your data?
We use your information for a variety of business purposes, including to provide our Services and for administrative purposes, and in the future, to market our products and Services, as described below.
Provide Our Services
We use your information to fulfill our contract with you and provide you with our Services, such as:
- Managing your information and accounts;
- Providing access to certain areas, functionalities, and features of our Services;
- Answering requests for customer or technical support;
- Communicating with you about your account, activities on our Services, and policy changes;
- Processing applications if you apply for a job, we post on our Services;
- and Allowing you to register for events.
Administrative Purposes
We use your information for various administrative purposes, such as:
- Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Measuring interest and engagement in our Services;
- Short-term, transient use, such as contextual customization of ads;
- Improving, upgrading or enhancing our Services;
- Developing new products and Services;
- Ensuring internal quality control and safety;
- Authenticating and verifying individual identities;
- Debugging to identify and repair errors with our Services;
- Auditing relating to interactions, transactions and other compliance activities;
- Enforcing our agreements and policies; and
- Complying with our legal obligations.
4. On what legal basis do we use your data?
We will only process (i.e. use) your personal data when the law allows us to, that is, when we have a legal basis for processing. We use your personal data in the following circumstances:
– Performance of a contract – The processing of personal data is necessary for the performance of an agreement to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract.
– Legal obligation – The processing of personal data is necessary to comply with a legal obligation to which the controller is responsible.
– Legitimate interest – The processing of personal data is necessary for the representation of the legitimate interests of the controller or of a third party. Such an interest may be overridden by the interests of the fundamental rights and freedoms of the data subject which require protection of personal data.
– Consent – The data subject has unambiguously consented to the processing of his or her personal data for one or more specific purposes.
Please see below an overview:
Purpose
- Managing your information and accounts
- Providing access to certain areas, functionalities, and features of our Services
- Answering requests for customer or technical support
- Communicating with you about your account, activities on our Services, and policy changes
- Processing applications if you apply for a job, we post on our Services
- Allowing you to register for events
- Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity
- Short-term, transient use, such as contextual customization of ads
- Improving, upgrading or enhancing our Services
- Developing new products and Services
- Ensuring internal quality control and safety
- Authenticating and verifying individual identities
- Debugging to identify and repair errors with our Services
- Auditing relating to interactions, transactions and other compliance activities
- Enforcing our agreements and policies
- Complying with our legal obligations
5. Use of automated individual decision-making
Aceragen does not use automated individual decision-making, as this is not necessary for our services. This means that Aceragen does not do any profiling activities.
6. Do we share your data with other parties?
We disclose your information to third parties for a variety of business purposes, including to provide our Services and to protect us or others. The categories of third parties with whom we may share your information are described below.
Clinical Research Organizations
If you participate in clinical trials and research, the clinical trial sites may disclose any personal information you provide in conjunction with your participation, to the Clinical Research Organization (“CRO”) we have partnered with, that is responsible for organizing the research or conducting the clinical trial. The CRO will hold information provided by the clinical trial sites. We endeavor not to collect clinical trial participant personal information directly, and other than pharmacovigilance data and other required safety data, all information we receive from the clinical trial sites and CROs are required to be de-identified.
Service Providers
We share your personal information with our third-party service providers, including clinical research organizations, specialty pharmacies, companies providing services for our patient support program, and other service providers, who use that information to help us to provide our Services. This includes service providers that provide us with IT support, clinical trial services, hosting, customer service, and related services.
Business Partners
We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information to business partners with whom we jointly offer products or services.
Affiliates
We may share your personal information with our company affiliates.
Advertising Partners
We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.”
APIs/SDKs.
We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of our Services. For more information about our use of APIs and SDKs, please contact us as set forth below.
Disclosures to protect Aceragen or others
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
7. How do we secure your data?
We take steps to ensure that your information is treated securely and in accordance with this Privacy policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We have taken appropriate safeguards to require that your personal information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.
By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.
8. For how long do we store your data?
We store the personal information we collect as described in this Privacy policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
9. What rights do you have based on the processing of personal data?
9.1 E-mail and telephone communications
If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to this privacy policy).
9.2 Text Messages
You may opt out of receiving text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us.
9.3 Privacy Rights
Individuals, or data subjects, in the European Union (EU) region have additional rights under GDPR including:
– The right to be informed
– The right of access
– The right of rectification
– The right to erasure (or ‘right to be forgotten’)
– The right to restrict processing
– The right to data portability
– The right to object
– The right not to be subject of automated profiling and decision making.
If you want to use any of your rights, please send an e-mail to privacy@aceragen.com.
Each of the rights are supported by the appropriate procedures within Aceragen that allow the required action to be taken, as required by the GDPR. However even if in general, the data subject has the right to obtain from the controller of personal data the erasure of their personal data (without undue delay), the data subject does not have this right if processing is necessary for scientific research purposes – which means that clinical trials can retain their anonymized data for the full archive period as specified by ICH/FDA-GCP and local regulations even if the data subject requests erasure of their data. Withdrawing the subject’s consent from the clinical trial and treatment does not mean erasure of their personal data from the clinical trial. No further data will be entered into the study database for the subject.
10. Complaint to the competent authority
Aceragen believes it is important to have satisfied data subjects. Even though we do everything to strive for this, it can happen that you are not satisfied. It is possible to file a complaint with supervisory authority in your jurisdiction:
Aceragen, Inc
15 TW Alexander Drive
Durham, North Carolina 27709
USA
privacy@aceragen.com
11. Supplemental notice for California Resident
This supplemental California privacy notice only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Aceragen has collected about them and whether Aceragen disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:
| Category of Personal Information Collected by Aceragen | Category of Third Parties Information is Disclosed to for a Business Purpose |
|---|---|
| Identifiers. A real name, postal address, Internet Protocol address, email address, or other similar identifiers. |
Advertising partners, Government entities, Service providers, Clinical research organizations |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) A name, physical characteristics or description, address, telephone number, education, employment, employment history, medical information, or health insurance information. |
Advertising partners, Government entities, Service providers, Clinical research organizations |
| Protected classification characteristics under California or federal law Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), genetic information (including familial genetic information). |
Government entities, Service providers, Clinical research organizations |
| Internet or other electronic network activity Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement. |
Service providers |
| Professional or employment-related information Current or past job history or performance evaluations. |
Service providers |
The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above.
11.1 “Sales” of Personal Information under the CCPA
For purposes of the CCPA, Aceragen does not “sell” personal information, nor do we have actual knowledge of any “sale” of personal information of minors under 16 years of age.
11.2 Additional Privacy Rights for California Residents
Non-Discrimination
California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Authorized Agent
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth below.
Verification
To protect your privacy, we will take steps the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include your name, email address, phone number, or mailing address.
Contact
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth below. We will process such requests in accordance with applicable laws.
Accessibility
This Privacy Policy uses industry-standard technologies and was developed in line with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.
12. Supplemental notice for Nevada Residents
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at info@Aceragenbio.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A.
13. How to contact us?
If you have any questions, comments, or concerns about our processing activities, please contact us via mail at 15 TW Alexander Drive, Durham, NC 27709, North Carolina. Attention: Data Protection Officer. Our Data Protection Officer can also be contacted at privacy@aceragen.com.
Last updated: 1 of August 2022.
