1.1 Structure of the privacy statement
In the introduction of this document, you will find information about Aceragen. Aceragen is the organization responsible for the processing of your data. In the paragraphs below we describe which personal data we process and for which purposes we do this. We also explain for which services we process the data and on which basis we are allowed to do so. The sharing of data with other parties is highlighted, as well as the processing of personal data outside the EU. The security of personal data is addressed along with the treatment of retention periods. Finally, a section has been added on which rights you have as a data subject in the European Union, California or Nevada and the possibility of submitting a complaint or contacting Aceragen.
1.2 What are personal data?
Personal data is any data that can be traced back to a person. Examples are your name, address telephone number and e-mail address. Medical information is a special category of personal data and needs more protection. Sometimes we aggregate or anonymize your personal data so that you are no longer identifiable as a person.
Under the GDPR, the role of research is understood to provide knowledge that can in turn improve the quality of life for several people and improve the efficiency of social services. The GDPR assumes a broad conception of research, including technological development, fundamental and applied research and privately funded research and studies conducted in the public interest in the area of public health. It also recommends that data processing considers the EU’s objective under Article 179(1) Treaty on the Functioning of the European Union (TFEU) of achieving a European Research Area. Aceragen can carry out scientific research based on Article 179(1) TFEU.
1.3 Who is the controller for the processing of personal data?
Aceragen Inc. is the data controller for the processing of personal data.
2. What personal data do we use for our services and products?
2.1 What information do you provide to us?
The categories of personal information we collect depend on how you interact with us, our Services and the requirements of applicable law. For example, we may collect different information depending on whether you are a Clinical Trial Participant, Healthcare Professional, Patient Advocate, or visitor to our website. We collect information that you provide to us. We explain below for each type of data subject what data they provide to us:
If you are a Healthcare Professional, we collect certain information such as your professional contact information, credential and institutional affiliations information, information about our programs and activities in which you have participated, our interactions with you, published papers, your photograph, and/or prescribing of our products and information in any agreements executed with us.
When you enroll in our Services such as our patient support programs we collect your name, email address, mailing address, phone number, date of birth, insurance information, prescription information, prescribing doctor, and shipment history.
Participants in the Clinical Trial
Aceragen collects medical data from source documents or directly from data subjects who participate in clinical research, by order and according to the instructions of our clients/sponsors. To protect privacy and in accordance with the Good Clinical Practice Guidelines (ICH-GCP), the names of participants and other direct identification data are not linked to documents collected and archived by Aceragen. Instead, obtained medical data is only identified by a code. Only research physicians, research nurses and other authorized personnel who are part of the operational and organizational conduction of a clinical study have access to the personal registration of the participants at the research locations.
We are also obligated to collect certain personal information to comply with regulatory requirements, including information relating to any adverse effects you may have experienced when using our products. We collect such information only where you have provided your consent to disclose that information to us, as required by law.
If you are a Patient Advocate or affiliated to a Patient Advocacy Group, we collect information such as your name, email address, and phone number.
Your Communications with Us
We collect personal information, such as your name, email address, and business contact information, when you request information about our Services, register for our newsletter, sign up for investor email alerts, request customer or technical support, apply for a job or otherwise communicate with us.
We contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.
Conferences, Trade Shows, and Other Events
We collect personal information from individuals when we attend conferences, trade shows, and other events.
Business Development and Strategic Partnerships
We collect personal information from individuals and third parties to assess and pursue potential business opportunities.
We may post job openings and opportunities on our Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and use your information to assess your qualifications.
2.2 What data do we collect about you?
It is possible that we obtain personal data automatically when you use our Services, and information from other sources such as third-party services and organizations. See our cookie statement for more information.
2.3 Children’s information
The Services are not directed to children under 13 (or other age as required by local law), however we may collect some information from children if your child participates in a clinical trial. We take additional steps to obtain the parent or guardian’s consent before collecting any information from a child.
If you are a parent or guardian believe your child has provided personal information to us without your consent, you may contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it.
3. For what purposes do we use your data?
We use your information for a variety of business purposes, including to provide our Services and for administrative purposes, and in the future, to market our products and Services, as described below.
Provide Our Services
We use your information to fulfill our contract with you and provide you with our Services, such as:
- Managing your information and accounts;
- Providing access to certain areas, functionalities, and features of our Services;
- Answering requests for customer or technical support;
- Communicating with you about your account, activities on our Services, and policy changes;
- Processing applications if you apply for a job, we post on our Services;
- and Allowing you to register for events.
We use your information for various administrative purposes, such as:
- Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Measuring interest and engagement in our Services;
- Short-term, transient use, such as contextual customization of ads;
- Improving, upgrading or enhancing our Services;
- Developing new products and Services;
- Ensuring internal quality control and safety;
- Authenticating and verifying individual identities;
- Debugging to identify and repair errors with our Services;
- Auditing relating to interactions, transactions and other compliance activities;
- Enforcing our agreements and policies; and
- Complying with our legal obligations.
4. On what legal basis do we use your data?
We will only process (i.e. use) your personal data when the law allows us to, that is, when we have a legal basis for processing. We use your personal data in the following circumstances:
– Performance of a contract – The processing of personal data is necessary for the performance of an agreement to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract.
– Legal obligation – The processing of personal data is necessary to comply with a legal obligation to which the controller is responsible.
– Legitimate interest – The processing of personal data is necessary for the representation of the legitimate interests of the controller or of a third party. Such an interest may be overridden by the interests of the fundamental rights and freedoms of the data subject which require protection of personal data.
– Consent – The data subject has unambiguously consented to the processing of his or her personal data for one or more specific purposes.
Please see below an overview:
|Managing your information and accounts||Performance of a contract|
|Providing access to certain areas, functionalities, and features of our Services||Performance of a contract|
|Answering requests for customer or technical support||Performance of a contract|
|Communicating with you about your account, activities on our Services, and policy changes||Legitimate interest|
|Processing applications if you apply for a job, we post on our Services||(Potential) Performance of a contract|
|Allowing you to register for events||Consent|
|Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention||Legitimate interest|
|Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity||Legitimate interest|
|Short-term, transient use, such as contextual customization of ads||Legitimate interest|
|Improving, upgrading or enhancing our Services||Legitimate interest|
|Developing new products and Services||Legitimate interest|
|Ensuring internal quality control and safety||Legitimate interest|
|Authenticating and verifying individual identities||Legitimate interest|
|Debugging to identify and repair errors with our Services||Legitimate interest|
|Auditing relating to interactions, transactions and other compliance activities||Legitimate interest, Legal obligation|
|Enforcing our agreements and policies||Performance of a contract, Legitimate interest|
|Complying with our legal obligations||Legal obligation|
5. Use of automated individual decision-making
Aceragen does not use automated individual decision-making, as this is not necessary for our services. This means that Aceragen does not do any profiling activities.
6. Do we share your data with other parties?
We disclose your information to third parties for a variety of business purposes, including to provide our Services and to protect us or others. The categories of third parties with whom we may share your information are described below.
Clinical Research Organizations
If you participate in clinical trials and research, the clinical trial sites may disclose any personal information you provide in conjunction with your participation, to the Clinical Research Organization (“CRO”) we have partnered with, that is responsible for organizing the research or conducting the clinical trial. The CRO will hold information provided by the clinical trial sites. We endeavor not to collect clinical trial participant personal information directly, and other than pharmacovigilance data and other required safety data, all information we receive from the clinical trial sites and CROs are required to be de-identified.
We share your personal information with our third-party service providers, including clinical research organizations, specialty pharmacies, companies providing services for our patient support program, and other service providers, who use that information to help us to provide our Services. This includes service providers that provide us with IT support, clinical trial services, hosting, customer service, and related services.
We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information to business partners with whom we jointly offer products or services.
We may share your personal information with our company affiliates.
We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.”
We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of our Services. For more information about our use of APIs and SDKs, please contact us as set forth below.
Disclosures to protect Aceragen or others
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
7. Is your data being transferred outside the EU?
Personal data may be shared across international borders as required to service our global projects. We host personal data based on sponsor requirements as well as local and international regulations. We recognize that many countries have regulations restriction the flow of personal data across international borders. Aceragen has put measures in place to ensure that adequate security is provided to such personal data where legally mandated.
8. How do we secure your data?
By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.
9. For how long do we store your data?
10. What rights do you have based on the processing of personal data?
10.1 E-mail and telephone communications
10.2 Text Messages
You may opt out of receiving text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us.
10.3 Privacy Rights
Individuals, or data subjects, in the European Union (EU) region have additional rights under GDPR including:
– The right to be informed
– The right of access
– The right of rectification
– The right to erasure (or ‘right to be forgotten’)
– The right to restrict processing
– The right to data portability
– The right to object
– The right not to be subject of automated profiling and decision making.
If you want to use any of your rights, please send an e-mail to firstname.lastname@example.org.
Each of the rights are supported by the appropriate procedures within Aceragen that allow the required action to be taken, as required by the GDPR. However even if in general, the data subject has the right to obtain from the controller of personal data the erasure of their personal data (without undue delay), the data subject does not have this right if processing is necessary for scientific research purposes – which means that clinical trials can retain their anonymized data for the full archive period as specified by ICH/FDA-GCP and local regulations even if the data subject requests erasure of their data. Withdrawing the subject’s consent from the clinical trial and treatment does not mean erasure of their personal data from the clinical trial. No further data will be entered into the study database for the subject.
11. Complaint to the competent authority
Aceragen believes it is important to have satisfied data subjects. Even though we do everything to strive for this, it can happen that you are not satisfied. It is possible to file a complaint with supervisory authority in your jurisdiction:
For residents of the European Economic Area:
Website: Berliner Beauftragte für Datenschutz und Informationsfreiheit
E-mail address: email@example.com
In the event that your personal data is covered by the GDPR, the EU representative of Aceragen is Smart Data Company GmbH.
10117 Berlin 917686081534
E-mail address: firstname.lastname@example.org
For residents of Switzerland:
Website: Federal Data Protection and Information Commissioner
CH – 3003 Berne
E-mail address: email@example.com
For residents of the United Kingdom:
Website: Information Commissioner’s Office
E-mail address: firstname.lastname@example.org
For residents of Brazil:
Website: Autoridade Nacional de Proteção de Dados
Esplanada dos Ministérios,
Bloco C, 2º andar,
CEP 70297-400 – Brasília – DF
E-mail address: email@example.com
12. Supplemental notice for California Resident
This supplemental California privacy notice only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Aceragen has collected about them and whether Aceragen disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:
|Category of Personal Information Collected by Aceragen||Category of Third Parties Information is Disclosed to for a Business Purpose|
A real name, postal address, Internet Protocol address, email address, or other similar identifiers.
|Advertising partners, Government entities, Service providers, Clinical research organizations|
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
A name, physical characteristics or description, address, telephone number, education, employment, employment history, medical information, or health insurance information.
|Advertising partners, Government entities, Service providers, Clinical research organizations|
|Protected classification characteristics under California or federal law
Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), genetic information (including familial genetic information).
|Government entities, Service providers, Clinical research organizations|
|Internet or other electronic network activity
Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement.
|Professional or employment-related information
Current or past job history or performance evaluations.
The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above.
12.1 “Sales” of Personal Information under the CCPA
For purposes of the CCPA, Aceragen does not “sell” personal information, nor do we have actual knowledge of any “sale” of personal information of minors under 16 years of age.
12.2 Additional Privacy Rights for California Residents
California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth below.
To protect your privacy, we will take steps the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include your name, email address, phone number, or mailing address.
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth below. We will process such requests in accordance with applicable laws.
13. Supplemental notice for Nevada Residents
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at info@Aceragenbio.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A.
14. How to contact us?
If you have any questions, comments, or concerns about our processing activities, please contact us via mail at 15 TW Alexander Drive, Durham, NC 27709, North Carolina. Attention: Data Protection Officer. Our Data Protection Officer can also be contacted at firstname.lastname@example.org.
Last updated: 20 of April 2022.