Privacy Policy

Aceragen Inc. (“Aceragen,” “we,” “us,” and “our”) is a rare disease biopharmaceutical company developing novel therapies which can have a positive impact on the lives of patients and families. This privacy policy is designed to help you understand how we collect, use, and share your personal information and to help you understand and exercise your privacy rights.

1. Introduction

Honoring privacy rights is important at Aceragen. This privacy policy describes the main types of personal information we process within our organization, how that information is used and disclosed, and our commitments to the individuals whose information we handle. The policy explains in general terms how we seek to comply with data privacy laws and regulations, including but not limited to national laws implementing the European Union (“EU”) General Data Protection Regulation (“Regulation”), the Health Insurance Portability and Accountability Act and all implementing regulations (HIPAA), and all state privacy laws, including but not limited to the CCPA. This privacy policy applies to personal information processed by us on our websites, in clinical trials, patient support programs and other online or offline services. To make this privacy policy easier to read, our websites, mobile applications, and other services are collectively called “Services”. Aceragen may provide additional privacy notices to individuals at the time we collect their personal information. For example, we provide a specific privacy notice to participants that describes our privacy practices in connection with conducting clinical trials. Such notice will govern our use of your personal information related to the clinical trial. The policy does not cover any Aceragen affiliates that operate under their own separate privacy policies.

Aceragen reserves the right to change this privacy policy from time to time at our sole discretion. We will notify you of any material changes through a notification on our website, and such change will only apply to information collected after the revised privacy policy takes effect. Any changes to the policy will become effective immediately after being posted. We encourage you to periodically review the policy to stay informed of changes and on how we are protecting your personal information.

1.1 Structure of the privacy statement

In the introduction of this document, you will find information about Aceragen. Aceragen is the organization responsible for the processing of your data. In the paragraphs below we describe which personal data we process and for which purposes we do this. We also explain for which services we process the data and on which basis we are allowed to do so. The sharing of data with other parties is highlighted, as well as the processing of personal data outside the EU. The security of personal data is addressed along with the treatment of retention periods. Finally, a section has been added on which rights you have as a data subject in the European Union, California or Nevada and the possibility of submitting a complaint or contacting Aceragen.

1.2 What are personal data?

Personal data is any data that can be traced back to a person. Examples are your name, address, telephone number and e-mail address. Medical information is a special category of personal data and needs more protection. Sometimes we aggregate or anonymize your personal data so that you are no longer identifiable as a person.

Under the GDPR, the role of research is understood to provide knowledge that can in turn improve the quality of life for several people and improve the efficiency of social services. The GDPR assumes a broad conception of research, including technological development, fundamental and applied research and privately funded research and studies conducted in the public interest in the area of public health. It also recommends that data processing considers the EU’s objective under Article 179(1) Treaty on the Functioning of the European Union (TFEU) of achieving a European Research Area. Aceragen can carry out scientific research based on Article 179(1) TFEU.

1.3 Who is the controller for the processing of personal data?

Aceragen Inc. is the data controller for the processing of personal data.

2. What personal data do we use for our services and products?

2.1 What information do you provide to us?

The categories of personal information we collect depend on how you interact with us, our Services and the requirements of applicable law. For example, we may collect different information depending on whether you are a Clinical Trial Participant, Healthcare Professional, Patient Advocate, or visitor to our website. We collect information that you provide to us. We explain below for each type of data subject what data they provide to us:

Healthcare Professionals

If you are a Healthcare Professional, we collect certain information such as your professional contact information, credential and institutional affiliations information, information about our programs and activities in which you have participated, our interactions with you, published papers, your photograph, and/or prescribing of our products and information in any agreements executed with us.

Enrollment

When you enroll in our Services such as our patient support programs we collect your name, email address, mailing address, phone number, date of birth, insurance information, prescription information, prescribing doctor, and shipment history.

Participants in the Clinical Trial

Aceragen collects medical data from source documents or directly from data subjects who participate in clinical research, by order and according to the instructions of our clients/sponsors. To protect privacy and in accordance with the Good Clinical Practice Guidelines (ICH-GCP), the names of participants and other direct identification data are not linked to documents collected and archived by Aceragen. Instead, obtained medical data is only identified by a code. Only research physicians, research nurses and other authorized personnel who are part of the operational and organizational conduct of a clinical study have access to the personal registration of the participants at the research locations.

Regulatory Information

We are also obligated to collect certain personal information to comply with regulatory requirements, including information relating to any adverse effects you may have experienced when using our products. We collect such information only where you have provided your consent to disclose that information to us, as required by law.

Patient Advocates

If you are a Patient Advocate or affiliated to a Patient Advocacy Group, we collect information such as your name, email address, and phone number.

Your Communications with Us

We collect personal information, such as your name, email address, and business contact information, when you request information about our Services, register for our newsletter, sign up for investor email alerts, request customer or technical support, apply for a job or otherwise communicate with us.

Surveys

We contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.

Conferences, Trade Shows, and Other Events

We collect personal information from individuals when we attend conferences, trade shows, and other events.

Business Development and Strategic Partnerships

We collect personal information from individuals and third parties to assess and pursue potential business opportunities.

Job Applications

We may post job openings and opportunities on our Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and use your information to assess your qualifications.

2.2 What data do we collect about you?

It is possible that we obtain personal data automatically when you use our Services, and information from other sources such as third-party services and organizations. See our cookie statement for more information.

2.3 Children’s information

The Services are not directed to children under 13 (or other age as required by local law), however we may collect some information from children if your child participates in a clinical trial. We take additional steps to obtain the parent or guardian’s consent before collecting any information from a child.

If you are a parent or guardian and believe your child has provided personal information to us without your consent, you may contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it.

3. For what purposes do we use your data?

We use your information for a variety of business purposes, including to provide our Services and for administrative purposes, and in the future, to market our products and Services, as described below.

Provide Our Services

We use your information to fulfill our contract with you and provide you with our Services, such as:

  • Managing your information and accounts;
  • Providing access to certain areas, functionalities, and features of our Services;
  • Answering requests for customer or technical support;
  • Communicating with you about your account, activities on our Services, and policy changes;
  • Processing applications if you apply for a job we post on our Services; and
  • Allowing you to register for events.

Administrative Purposes

We use your information for various administrative purposes, such as:

  • Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
  • Measuring interest and engagement in our Services;
  • Short-term, transient use, such as contextual customization of ads;
  • Improving, upgrading or enhancing our Services;
  • Developing new products and Services;
  • Ensuring internal quality control and safety;
  • Authenticating and verifying individual identities;
  • Debugging to identify and repair errors with our Services;
  • Auditing relating to interactions, transactions and other compliance activities;
  • Enforcing our agreements and policies; and
  • Complying with our legal obligations.

4. On what legal basis do we use your data?

We will only process (i.e. use) your personal data when the law allows us to, that is, when we have a legal basis for processing. We use your personal data in the following circumstances:

– Performance of a contract – The processing of personal data is necessary for the performance of an agreement to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract.

– Legal obligation – The processing of personal data is necessary to comply with a legal obligation to which the controller is subject.

– Legitimate interest – The processing of personal data is necessary for the representation of the legitimate interests of the controller or of a third party. Such an interest may be overridden by the interests of the fundamental rights and freedoms of the data subject which require protection of personal data.

– Consent – The data subject has unambiguously consented to the processing of his or her personal data for one or more specific purposes.

Please see below an overview:

| Purpose | Legal Basis |
| --- | --- |
| Managing your information and accounts | Performance of a contract |
| Providing access to certain areas, functionalities, and features of our Services | Performance of a contract |
| Answering requests for customer or technical support | Performance of a contract |
| Communicating with you about your account, activities on our Services, and policy changes | Legitimate interest |
| Processing applications if you apply for a job we post on our Services | (Potential) Performance of a contract |
| Allowing you to register for events | Consent |
| Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention | Legitimate interest |
| Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity | Legitimate interest |
| Short-term, transient use, such as contextual customization of ads | Legitimate interest |
| Improving, upgrading or enhancing our Services | Legitimate interest |
| Developing new products and Services | Legitimate interest |
| Ensuring internal quality control and safety | Legitimate interest |
| Authenticating and verifying individual identities | Legitimate interest |
| Debugging to identify and repair errors with our Services | Legitimate interest |
| Auditing relating to interactions, transactions and other compliance activities | Legitimate interest, Legal obligation |
| Enforcing our agreements and policies | Performance of a contract, Legitimate interest |
| Complying with our legal obligations | Legal obligation |

5. Use of automated individual decision-making

Aceragen does not use automated individual decision-making, as this is not necessary for our services. This means that Aceragen does not do any profiling activities.

6. Do we share your data with other parties?

We disclose your information to third parties for a variety of business purposes, including to provide our Services and to protect us or others. The categories of third parties with whom we may share your information are described below.

Clinical Research Organizations

If you participate in clinical trials and research, the clinical trial sites may disclose any personal information you provide in conjunction with your participation to the Clinical Research Organization (“CRO”) we have partnered with that is responsible for organizing the research or conducting the clinical trial. The CRO will hold information provided by the clinical trial sites. We endeavor not to collect clinical trial participant personal information directly, and other than pharmacovigilance data and other required safety data, all information we receive from the clinical trial sites and CROs is required to be de-identified.

Service Providers

We share your personal information with our third-party service providers, including clinical research organizations, specialty pharmacies, companies providing services for our patient support program, and other service providers, who use that information to help us to provide our Services. This includes service providers that provide us with IT support, clinical trial services, hosting, customer service, and related services.

Business Partners

We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.

Affiliates

We may share your personal information with our company affiliates.

Advertising Partners

We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.”

APIs/SDKs

We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of our Services. For more information about our use of APIs and SDKs, please contact us as set forth below.

Disclosures to protect Aceragen or others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

7. Is your data being transferred outside the EU?

Personal data may be shared across international borders as required to service our global projects. We host personal data based on sponsor requirements as well as local and international regulations. We recognize that many countries have regulations restricting the flow of personal data across international borders. Aceragen has put measures in place to ensure that adequate security is provided to such personal data where legally mandated.

8. How do we secure your data?

We take steps to ensure that your information is treated securely and in accordance with this Privacy policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We have taken appropriate safeguards to require that your personal information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.

9. For how long do we store your data?

We store the personal information we collect as described in this Privacy policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

10. What rights do you have based on the processing of personal data?

10.1 E-mail and telephone communications

If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to this privacy policy).

10.2 Text Messages

You may opt out of receiving text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us.

10.3 Privacy Rights

Individuals, or data subjects, in the European Union (EU) region have additional rights under GDPR including:
– The right to be informed

– The right of access

– The right of rectification

– The right to erasure (or ‘right to be forgotten’)

– The right to restrict processing

– The right to data portability

– The right to object

– The right not to be subject to automated profiling and decision making.

If you want to use any of your rights, please send an e-mail to privacy@aceragen.com.

Each of these rights is supported by appropriate procedures within Aceragen that allow the required action to be taken, as required by the GDPR. However, although the data subject in general has the right to obtain from the controller the erasure of their personal data without undue delay, the data subject does not have this right if processing is necessary for scientific research purposes. This means that clinical trials can retain their anonymized data for the full archive period as specified by ICH/FDA-GCP and local regulations even if the data subject requests erasure of their data. Withdrawing the subject’s consent from the clinical trial and treatment does not mean erasure of their personal data from the clinical trial. No further data will be entered into the study database for the subject.

11. Complaint to the competent authority

Aceragen believes it is important to have satisfied data subjects. Even though we do everything to strive for this, it can happen that you are not satisfied. It is possible to file a complaint with the supervisory authority in your jurisdiction:

For residents of the European Economic Area:
Website: Berliner Beauftragte für Datenschutz und Informationsfreiheit

Postal address:
Friedrichstraße 219
10969 Berlin

E-mail address: mailbox@datenschutz-berlin.de

In the event that your personal data is covered by the GDPR, the EU representative of Aceragen is Smart Data Company GmbH.

Postal address:
Friedrichstrasse 68
10117 Berlin 917686081534

E-mail address: info@privacycompany.nl

For residents of Switzerland:
Website: Federal Data Protection and Information Commissioner

Postal address:
Feldeggweg 1
CH – 3003 Berne

E-mail address: info@edoeb.admin.ch

For residents of the United Kingdom:
Website: Information Commissioner’s Office

Postal address:
Wycliffe House
Water Lane, Wilmslow
Cheshire
SK9 5AF

E-mail address: icocasework@ico.org.uk

For residents of Brazil:
Website: Autoridade Nacional de Proteção de Dados

Postal address:
Esplanada dos Ministérios,
Bloco C, 2º andar,
CEP 70297-400 – Brasília – DF

E-mail address: ouvidoria@anpd.gov.br

12. Supplemental notice for California Residents

This supplemental California privacy notice only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Aceragen has collected about them and whether Aceragen disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:

| Category of Personal Information Collected by Aceragen | Category of Third Parties Information is Disclosed to for a Business Purpose |
| --- | --- |
| Identifiers. A real name, postal address, Internet Protocol address, email address, or other similar identifiers. | Advertising partners, Government entities, Service providers, Clinical research organizations |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, physical characteristics or description, address, telephone number, education, employment, employment history, medical information, or health insurance information. | Advertising partners, Government entities, Service providers, Clinical research organizations |
| Protected classification characteristics under California or federal law. Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), genetic information (including familial genetic information). | Government entities, Service providers, Clinical research organizations |
| Internet or other electronic network activity. Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement. | Service providers |
| Professional or employment-related information. Current or past job history or performance evaluations. | Service providers |

The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above.

12.1 “Sales” of Personal Information under the CCPA

For purposes of the CCPA, Aceragen does not “sell” personal information, nor do we have actual knowledge of any “sale” of personal information of minors under 16 years of age.

12.2 Additional Privacy Rights for California Residents

Non-Discrimination

California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.

Authorized Agent

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth below.

Verification

To protect your privacy, we will take the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include your name, email address, phone number, or mailing address.

Contact

If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth below. We will process such requests in accordance with applicable laws.

Accessibility

This Privacy Policy uses industry-standard technologies and was developed in line with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.

13. Supplemental notice for Nevada Residents

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at info@Aceragenbio.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A.

14. How to contact us?

If you have any questions, comments, or concerns about our processing activities, please contact us via mail at 15 TW Alexander Drive, Durham, NC 27709, North Carolina. Attention: Data Protection Officer. Our Data Protection Officer can also be contacted at privacy@aceragen.com.

Last updated: 20 of April 2022.