Effective May 19, 2021
Visterra, Inc. (“we” or “Visterra”) recognizes and respects the privacy rights of individuals regarding their personal data. This policy describes how we collect, use, share and secure your personal data and the choices and rights you may have regarding your data. This policy applies to personal data that we collect through our websites and from other sources.
Table of Contents
A. How Do We Get Your Personal Data?
B. What Types of Personal Data Do We Collect?
C. How Do We Use Your Personal Data?
D. Who Do We Share Your Personal Data With?
E. How Do We Protect Your Personal Data?
F. Cookies and Web Beacons
G. How We Respond to Do Not Track Signals
H. Children’s Privacy
I. Links to Other Sites
K. California Privacy Rights
A. HOW DO WE GET YOUR PERSONAL DATA?
Directly from you. You may give us personal data through our websites or through other direct interactions with us, for example, when you:
- contact us by email, phone or mail, either using the addresses or numbers posted on our website or when you contact our employees directly;
- enter into a business transaction with us to provide goods or services;
- apply for employment with us or when you become an employee; or
- sign up and/or take part in one of our clinical research programs.
Automatically from your use of our website. As you use our website or intranet, we may automatically collect data about your equipment, browsing patterns and use of our website. We collect this personal data by using cookies and other similar technologies. See “Cookies and Web Beacons” below for more information.
From third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, such as:
- online analytics providers such as Google Analytics and search information providers;
- providers of technology, payment and delivery-related services;
- recruiters, staffing agencies and employment background search firms;
- government, industry and professional directories; and
- clinical sites, investigators, research organizations and other vendors involved in clinical research in which you enroll and/or participate.
B. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?
We may collect the following types of personal data about you:
- Identity Data such as first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, and social security number.
- Contact Data such as billing address, delivery address, email address, telephone numbers and home address.
- Financial Data such as bank account, credit card, and payroll data.
- Transaction Data such as details about payments to and from you.
- Online Technical Data such as your internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website or intranet.
- Online Profile Data such as any username and password created to use our website and intranet.
- Online Usage Data such as information about how you use our website(s) and intranet.
- Other Data such as any other personal data that you provide, submit or give us, including health, genetic and biometric data.
C. HOW DO WE USE YOUR PERSONAL DATA?
We may use your personal data to:
- fulfill your requests and answer your questions;
- process employment applications;
- manage your employment with us, including payroll and benefits enrollment;
- perform contractual obligations and enforce contractual rights under agreements with you;
- improve our websites and intranet (for more information, see “Cookies and Web Beacons” below);
- conduct clinical trials of the investigational products we are developing; and
- comply with legal and regulatory requirements, including those related to clinical trial adverse events and patient safety.
We do not use your personal data for marketing purposes and we do not sell your personal data to other companies or organizations.
D. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
Depending on the specific use(s) set forth above, we may share your personal data with the following groups and individuals:
- Affiliates: our parent company, Otsuka Pharmaceutical Company Ltd., and our other affiliated companies.
- Service providers and business partners: third parties with whom we engage to provide services or products on our behalf (e.g., IT system administrative service companies, data storage companies, data analytics companies, contract research organizations that conduct clinical trials, travel planning companies, payroll and benefits service providers, banks and other payment facilitators, employment background check providers) or with whom we collaborate to research and develop products and services (e.g., other biotechnology and pharmaceutical companies and academic research institutions).
We do not allow our third-party service providers or business partners to use your personal data for their own purposes and only permit them to access and use your personal data for specified purposes and in accordance with our instructions.
- Professional advisers: advisors (e.g., lawyers, bankers, auditors and insurers) who provide us with consultancy, banking, legal, compliance, insurance and accounting and payroll services.
- Government authorities: the U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other federal and state government agencies, regulators and authorities.
- Acquirers and successors: third parties to whom we may seek to sell, transfer, or merge parts of our business or our assets, such as through a merger, consolidation, acquisition, reorganization, bankruptcy or dissolution.
E. HOW DO WE PROTECT YOUR PERSONAL DATA?
We have appropriate security measures in place to help prevent your personal data from being lost and protect it from unauthorized access, use, alteration and disclosure. We limit access to your personal data to our employees, agents, contractors and other third parties who have a business need to know your data. They are required to process your personal data only in accordance with our instructions and, except in the case of government authorities, are subject to confidentiality obligations.
We have appropriate procedures in place to help address any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
No measures or procedures can ensure that your personal data is always and completely secure, and accordingly, we cannot guarantee the security of your personal data.
F. COOKIES AND WEB BEACONS
Most internet browsers automatically accept cookies, but if you do not wish to have cookies stored on your computer or device, you can set your browser preferences to refuse them or to alert you when cookies are being sent. In order to disable cookies, please consult your browser’s “help” section for instructions. If you choose to decline cookies, you may not be able to fully experience the features of our website. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
Web beacons are small strings of code that are placed in a web page or in an email message. They are sometimes called “clear GIFs” (Graphics Interchange Format), “GIF tags”, “action tags”, or “pixel tags”. Web beacons are most often used in conjunction with cookies to track activity on our website. For example, when you visit our website, web beacons can notify us of what pages you visited. Because web beacons are used in combination with cookies, if you disable cookies the web beacons will only detect an anonymous website visit. When used in an email, web beacons enable us to know whether the email has been opened.
G. HOW WE RESPOND TO DO NOT TRACK SIGNALS
Some web browsers can send “do-not-track” signals to websites when you visit them. Our websites and intranet do not respond to “do-not-track” signals.
H. CHILDREN’S PRIVACY
While in some instances we may collect personal data about children with the consent of a parent or guardian, such as for clinical trial-related activities, we do not otherwise knowingly solicit or collect data from children. If a parent or guardian becomes aware that his or her child has provided us with personal data without the parent’s or guardian’s consent, he or she should contact us as described under “How to Contact Us” below. We will take reasonable steps to delete such data from our records.
I. LINKS TO OTHER SITES
For your convenience and information, we may provide links on our websites and intranet to other third-party websites that we do not operate or control. By providing these links we are not endorsing the content, owner or operator of those sites. When you visit other websites by clicking on a link, this policy no longer applies and your use of that site is subject to that site’s privacy policies.
We may update this policy from time to time. If we make any changes, the updated policy will be posted with a revised effective date. You should check this policy periodically for changes.
K. CALIFORNIA PRIVACY RIGHTS
The California Consumer Privacy Act of 2018 (“CCPA”) provides California residents with specific privacy rights, subject to certain limitations and exceptions, regarding their personal information. All terms defined in the CCPA have the same meaning when used in this section of this policy. California residents have the right to:
- Request information about what personal information we have collected, used and shared during the prior 12 months, including categories of personal information, categories of sources of personal information, business purposes for collecting and using personal information and categories of third parties with whom we shared such information. This information is provided in this policy.
- Request a copy of the personal information we have collected about them during the last 12 months.
- Request deletion of their personal information (subject to certain exceptions).
- Opt-out of the sale of their personal information. We do not sell personal information.
- Not be discriminated against for exercising their privacy rights under the CCPA.
To submit a request to exercise your rights, contact us at firstname.lastname@example.org.
Before we act on a request, we will verify your identity by asking you to provide certain personal information. This information may include a description of your relationship with Visterra, your first and last name, email address, telephone number and postal address or other personal information that will allow us to verify your identity. You may submit a request through an authorized agent, in which case, we will require your agent to provide us with your written authorization confirming its authority to make the request on your behalf.
The CCPA does not apply to personal information we collect in all circumstances. For example, it does not apply to personal information we collect in connection with conducting clinical trials or to certain information governed by HIPAA (the Health Insurance Portability and Accountability Act of 1996). Also, we are not required to delete personal information in certain circumstances.
We will notify you if we deny a request. We will not discriminate against you for exercising your rights under the CCPA.
Applicable laws, including the EU General Data Protection Regulation (the “EU GDPR”) in the EEA and the UK General Data Protection Regulation (the “UK GDPR”) in the UK, require us to provide the following information about our data processing practices to individuals located in the European Economic Area (“EEA”) or the UK. This section of the policy only applies to individuals located in the EEA or UK.
1. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. Most commonly, we will use personal data when needed to:
- perform a contract with you (including negotiating, entering into, performing our obligations under and exercising our rights under an agreement between you and Visterra);
- protect and pursue our legitimate interests (or those of a third party) where your interests and fundamental rights do not override those interests;
- comply with a legal or regulatory obligation; and
- carry out scientific research.
We may also use your personal data in the following situations, which are likely to be rare:
- to protect your interests (or someone else’s interests); and
- for the public interest or for official purposes.
The table below describes the ways we may use your personal data and the lawful bases we rely on to do so. We may rely on more than one lawful basis to process your personal data. Generally, we do not rely on consent as a legal basis for processing personal data.
2. CLINICAL TRIAL DATA
We conduct clinical trials within the EEA and UK and use information from trial participants’ medical records and other health data in order to develop our investigational products and improve healthcare. When you agree to participate in one of our clinical trials, as a pharmaceutical organization, we have a legitimate interest in using information relating to your health for purposes of that research. Health data is a special category of data with heightened protections under the EU and UK GDPRs. We process health data collected as part of our clinical trials on the basis that it is necessary for scientific research purposes in accordance with the EU and UK GDPRs. Acting as the data controller for our clinical trials, we use your personal data collected through your participation in our clinical trials to conduct the trial and analyze the results. Your rights to access, change or move your personal data are limited, as we may need to use your personal data for the research to be reliable and accurate. For example, if you withdraw from a clinical trial, we may retain and continue to use your personal data collected prior to your withdrawal.
3. CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
4. INTERNATIONAL TRANSFERS OF PERSONAL DATA
We may transfer your personal data outside the EEA or UK. To ensure a degree of protection similar to that within the EEA or UK, we will only transfer your personal data:
- to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and the UK Information Commissioner’s Office (“ICO”); or
- to other countries pursuant to:
  - binding agreement to, and compliance with, standard contractual clauses or binding corporate rules, each as approved by the European Commission or ICO, as applicable;
  - the consent of the individual to whom the personal information pertains; or
  - other authorization or permission by the EEA or UK or under applicable EEA or UK requirements (for example, where transfer is necessary for important reasons of public interest, such as adverse event reporting).
5. HOW LONG WE RETAIN YOUR PERSONAL DATA
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, contractual, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the purposes for which we process your personal data and whether we can achieve those purposes through other means; the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorized use or disclosure of your personal data; and applicable legal requirements.
In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use such anonymized data indefinitely without further notice to you.
6. YOUR DATA PROTECTION RIGHTS
Under certain circumstances, individuals located within the EEA and UK have the following data protection rights:
- To access their personal data.
- To correct their personal data.
- To erase their personal data.
- To object to our reliance on our legitimate interests as the basis for processing of their personal data.
- To restrict the processing of their personal data.
- To transfer copies of their personal data.
- To withdraw previously given consent.
To exercise any of the rights set out above, contact us (see “How to Contact Us” below) or, for requests in the EEA or UK related to our VIS649 Phase 2 clinical trial, please send requests to our local data protection representative for the trial:
Covance Clinical and Periapproval Services SPRL
B-1200 Brussels, Belgium
With a local registered affiliate:
Covance Clinical and Periapproval Services SA
Sucursal en España
Edificio Iberia Mart II, C/ Orense 34
9ª Planta, 28020 Madrid
In any correspondence with a local data protection representative, please reference “Visterra, Inc.”
You can also contact the appropriate supervisory authority for your EEA country from the list of members of the European Data Protection Board (see https://edpb.europa.eu/about-edpb/board/members_en). In the UK, you can contact the ICO at https://ico.org.uk/global/contact-us/.
You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, if your request is clearly unfounded, repetitive or excessive, we may charge you a reasonable fee to respond or we may deny your request.
We may ask for specific information from you to confirm your identity to ensure that we do not disclose your personal data to someone who does not have a right to receive it. If needed, we may ask for clarification or additional information if your request is not clear to better provide an accurate and timely response.
We try to respond to all legitimate requests within one month of receiving them. Occasionally it may take us longer to respond if your request is particularly complex or you have made multiple requests. In this case, we will notify you and keep you updated on our efforts to respond.