Privacy Policy

This Privacy Policy governs the collection and use of personal data by Stealth BioTherapeutics Inc. and its respective subsidiaries and affiliates (“SBT”). Unless specified otherwise, the words “we,” “our” or “us” in this Privacy Policy refer to and mean SBT.

At SBT, we understand that various laws and regulations govern data protection and we respect the fact that protecting your privacy is important to you. We also recognize that health and medical information is particularly sensitive. We are committed to protecting and respecting your privacy and that’s why we want to explain our Privacy Policy to you in this statement. Please review this Privacy Policy to learn about how SBT collects, uses, shares and protects information through our website(s) and from other sources (i.e., offline) and your legal rights in relation to your personal data. We are committed to abiding by this Privacy Policy, as well as the requirements of applicable laws, in the operation of our business.

By accessing or browsing our website(s), you confirm that you have read, understood and agree to this Privacy Policy and our Terms of Use in its entirety. If you do not agree with the practices described in this Privacy Policy, you should not use our website(s).

If you have any questions concerning our privacy practices, please contact us as described in Section A, “How to Contact Us.”

A. How to Contact Us
Legal Department
Stealth BioTherapeutics Inc.
123 Highland Ave
Suite 201
Needham, MA 02494
(617) 600-6888
legal@stealthbt.com

B. Personal Data We Collect About You

We may collect, use, store and transfer different categories of personal data and non-personal data about you, which we have grouped together as follows:

• Identity Data – such as first name, maiden name, last name, username or similar identifier, marital status, title, social security number, date of birth and gender;
• Contact Data – such as billing address, delivery address, email address and telephone numbers;
• Financial Data – such as bank account, payment card details, insurance information and payroll data;
• Professional or Employment-related Data – such as employer and employment history;
• Transaction Data – such as details about payments to you and other details regarding services you have received from us;
• Technical Data – such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website(s) or intranet;
• Profile Data – such as information regarding your communication preferences and feedback and survey responses;
• Usage Data – such as information about how you use our website(s), intranet, and other services;
• Marketing and Communications Data – such as your preferences in receiving materials regarding our products and services from us and our third parties and your communication preferences; and
• Special Categories of Personal Data/Sensitive Data – such as details about your race or ethnicity, health and genetic or biometric data and other personal data that may also be considered sensitive personal data pursuant to applicable law.

C. How We Collect Personal Data About You

Direct Interactions.

You may give us your personal data, such as Identity Data, Contact Data and Financial Data by filling in forms or by corresponding with us by mail, phone, e-mail or otherwise. This includes personal data you provide when you, for example:

• Contact us by email, phone or mail, either using the addresses or numbers posted on our website(s) or when you contact our employees directly;
• Sign up on our website(s) to receive clinical, promotional, disease awareness, or other information about products or services we offer or plan to offer in the future;
• Subscribe to receive e-mail notifications or other publications;
• Provide unsolicited information to us;
• Provide information to us as our business partner;
• Apply for employment or consulting opportunities with us or when you become an employee or a consultant; or
• Express interest in participating in our clinical trials or other studies and research programs.

Automated Interactions.

We automatically collect certain types of information, such as Technical Data, whenever you interact with us on the SBT website(s), use our intranet, and in some e-mails we may send each other. This can include your preferences (such as language and the location you are in). We may also collect information about your visits to the SBT website(s), such as the length of visits to certain pages and page interaction information. Automatic technologies we use may include web server logs, cookies, pixels and web beacons that are described in more detail below in Section I, “Cookies and Other Tracking Mechanisms.”

Third Parties (or publicly available sources).

We may receive categories of personal data about you from various third parties and public sources as set out below, such as:

• Technical Data from analytics providers such as Google, advertising networks and search information providers;
• Contact Data, Financial Data and Transactional Data from providers of technical, payment and delivery services;
• Identity Data and Contact Data from recruitment agencies;
• Identity Data and Contact Data from publicly available sources;
• Special Categories of Personal Data/Sensitive Data, including health data from Contract Research Organizations (“CROs”) managing our clinical trials on our behalf.

D. Marketing and Analytics

We strive to provide you with choices regarding certain personal data uses, particularly around marketing communications. We may use your Identity Data, Contact Data, Technical Data, Usage Data and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and materials may be relevant for you (we call this marketing). We have established the following personal data control mechanisms:

Opting in. You will receive marketing communications from us if you have requested information from us and opted in to receive that marketing.

Consent to third party marketing. We will get your express opt-in consent before we share your personal data with any company outside SBT for marketing purposes.

Opting out. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or emailing us at legal@stealthbt.com. Remember, however, that even if you opt out of marketing communications, SBT may still e-mail you in order to provide a product or service that you request.

Cookies. Most web browsers allow some control of most cookies through the browser settings. For additional information about how SBT uses cookies and similar technologies, see Section I, “Cookies and Other Tracking Mechanisms.”

E. How We Use Your Personal Data

SBT and/or the service providers, vendors and other third parties we hire to perform services on our behalf may use your personal data to:

• Comply with or fulfill a request that you have made;
• Respond to a question, comment or concern;
• Maintain and develop our business or professional relationship with you (as applicable);
• Ask you to participate in brief surveys;
• Provide you with services or products;
• Notify you about updates, products and services from SBT, its affiliates, and selected third parties;
• Use data analytics to help us evaluate and modify our existing products and services, to help us develop additional products and services that are likely to be of interest to you and those you care for and for fraud prevention;
• Conduct depersonalized and aggregate statistical studies and research related to our products and services and the use of websites to help us understand trends and needs;
  ◦ For example, we may analyze the gender or age of visitors to the website about a particular medication or disease state, and we may use that analysis of aggregate data.
• Recognize you and allow you to log-on to certain pages and features for which you have registered;
• Comply with the law and monitoring and reporting obligations (including those related to adverse events, product complaints and patient safety), respond to legal process and other government or law enforcement agency requests and exercise our legal rights;
• Conduct audits (such as compliance or corporate audits);
• Investigate or respond to issues such as complaints or security threats; and
• Advertise and market our products and services to you, unless you opt-out of receiving these communications.

E-mail a Friend or Colleague: You may choose to send a link or a message to a friend or colleague referring them to the SBT website(s). The e-mail addresses you may provide for a friend will be used to send your friend information on your behalf and will not be collected or used by SBT or other third parties for additional purposes.

Unless otherwise permitted or required by law, we will not process Special Categories of Personal Data/Sensitive Data without your consent and we will not process personal data for purposes not disclosed in this Privacy Policy without your consent.

Individuals located in the European Economic Area (“EEA”) or United Kingdom (“UK”) should see the “Supplemental EEA/UK Privacy Policy” in Section P for further information on how we use your personal data.

F. How We Share Your Personal Data

Depending on the specific use(s) set forth above, we may share your personal data with the following groups and individuals:

Our subsidiaries, related companies or affiliates: we may disclose your personal data to other companies within the SBT family of companies, such as subsidiaries, affiliates and holding companies (if applicable), including Stealth BioTherapeutics Holdings Inc.

Our partners: we may disclose your personal data to our partners, including other companies and academic institutions, such as those listed or referenced on our website(s).

Successors or affiliates as part of a business transaction: if we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale, assignment or other transfer of all or a portion of our assets, your personal data and other information may be transferred as part of that transaction.

Government authorities: we may disclose your personal data to the U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other government agencies, regulators and authorities.

Service providers: we may disclose your personal data to third parties who perform services on our behalf and help further our business requirements, including without limitation, for market research, marketing communications, technological maintenance, data storage, data analysis and processing, banking services, and legal services.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We do not sell your personal data.

G. How We Secure Your Information

We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed while it is under our control. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have implemented procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

H. Links to Other Sites

On our website(s), we may link to third party websites, such as our partner companies, social media sites, academic institutions, government institutions and employment listings, if we believe they offer useful information. For example, to view a job description or apply to an open position, you may be rerouted to a third-party website. This Privacy Policy is no longer applicable when you leave our site by way of a link, and SBT does not control the privacy practices of these third-party sites. Each third party site maintains its own independent privacy policies and procedures, which you should consult before providing any of your personal data. After choosing to move to a third party’s website, you will receive a notification that you are leaving our website(s).

To the extent permitted by law, SBT will not be liable for any loss or damage resulting from the use or misuse of the information in SBT website(s) or any linked non-SBT sites, and all users who access the SBT website(s) or non-SBT linked websites agree to do so at their own risk. Neither SBT nor any other party involved in creating, producing, or delivering the SBT website(s) or any linked non-SBT websites from or to this site shall be liable in any manner whatsoever for any damages of any nature arising out of your access to this site or any linked non-SBT website from SBT website(s), or any errors or omissions in their content.

Please note that linked non-SBT sites may use cookies or other tracking mechanisms. SBT cannot control the use of cookies or other tracking mechanisms by these linked non-SBT websites. For additional information, see Section I, “Cookies and Other Tracking Mechanisms.”

I. Cookies and Other Tracking Mechanisms

We may also collect data about your use of our website(s) through the use of Internet server logs, cookies, tracking pixels, and/or other tracking technologies. As we adopt additional technologies, we may also gather additional information through other methods.

A web server log is a file where website activity is stored. An IP address is a number assigned to your device whenever you access the Internet that allows devices and servers to recognize and communicate with each other. SBT may collect IP addresses to conduct system administration and report aggregate information to affiliates, business partners, service providers and/or vendors to conduct website and application analysis and performance reviews.

A cookie is a small text file that is placed on your device (e.g., your computer) when you visit a website that enables us to: (a) recognize your device; (b) store your preferences and settings; (c) understand the web pages of the website you have visited; (d) perform searches and analytics; and (e) assist with security administrative functions. Cookies perform many functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving the user experience.

Tracking pixels (sometimes referred to as web beacons, action tags, or clear GIFs) are tiny electronic tags with a unique identifier embedded in websites, online ads, and/or email, and that are designed to provide usage information like ad impressions or clicks, measure popularity of the website and effectiveness of the associated advertising, and to access user cookies. We also may include web beacons in email messages, newsletters, and other electronic communications to determine whether the message has been opened and for other analytics, personalization, and advertising. Since web beacons are used in conjunction with cookies, if you disable cookies, the web beacons will only detect an anonymous website visit. When used in an email, web beacons enable us to know whether you have received the email.

Web beacons, cookies and other tracking technologies automatically collect Technical Data which in some cases may include personal data (e.g., IP addresses). If you voluntarily submit personal data, such as by registering or sending e-mails, these automatic tracking technologies can be used to provide further information about your use of websites to improve their usefulness to you.

Please note that linked third-party websites may also use cookies or other tracking mechanisms. We cannot control the use of cookies or other tracking mechanisms by these third-party websites. For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using cookies. If you have any questions about how third-party websites use cookies or other tracking mechanisms, you should contact such third parties directly.

We may use third-party web analytics services (such as those of Google Analytics) on our website(s) to collect and analyze information about the use of our website, and to engage in auditing, research or reporting. The information (including your IP address) collected by the various analytics technologies described above will be disclosed to or collected directly by these service providers, who evaluate information, including by noting the third-party website from which you arrive, analyzing usage trends, assisting with fraud prevention, and providing certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on.

J. How Long We Retain Your Personal Data

We will only retain your personal data for as long as necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and applicable legal, accounting or reporting requirements.

K. How We Respond to Do Not Track Signals

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Websites linked to this Privacy Policy currently do not recognize or respond to the various web browser DNT signals.

L. Your Choices

SBT may require you to provide certain personal data in order for you to, for example, receive additional product information or information about a disease state. You could decide not to submit any personal data at all by not entering it into any forms or data fields and not using any available personalized services. If you opt-in for particular services or communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will work to remove your information promptly, although we may require additional information before we can process your request.

M. Children’s Privacy

While in some instances we may collect personal data about children with the consent of a parent or guardian, such as clinical activities or for patient support programs, we do not otherwise knowingly solicit data from, or market to, children. If a parent or guardian becomes aware that his or her child has provided us with personal data, he or she should contact us as described in Section A, “How to Contact Us.” We will take reasonable steps to delete such data from our database within a reasonable time.

We do not knowingly collect personal data from children under the age of 13 on our website(s). If we become aware that we have collected personal data from children under the age of 13 on our website(s), we will take reasonable steps to delete it as soon as practicable. If a child provides us with this type of information on our website(s), please contact us as described in Section A, “How to Contact Us.”

N. Additional Information for California Residents

(1) Shine the Light Law
California Civil Code Section 1798.83 permits California residents who are individual “customers” of SBT to request certain information regarding SBT’s disclosure of “personal information” to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed in Section A, “How to Contact Us.” Be sure to include your name and address, and your email address if you wish to receive a response by email. Otherwise, we will respond by postal mail within the time required by law.

O. Additional Information for Nevada Residents

Section 603A of the Nevada Revised Statutes permits Nevada residents who are SBT “consumers” to submit, at any time, a request to an “operator” of a website in Nevada directing the operator not to make any sale of any “covered information” the operator has collected or will collect about the consumer. SBT does not currently “sell” or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to info@stealthbt.com or calling (617) 600-6888 to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.

P. Supplemental European Economic Area (“EEA”)/United Kingdom (“UK”) Privacy Policy

European Union (“EU”) Regulation (EU) 2016/679 (“EU GDPR”) and the Retained Regulation (EU) 2016/679 (“UK GDPR”) (collectively, the “GDPRs”) require SBT, as the data controller of “personal data,” to provide additional information to individuals who are in the EEA or the UK about the processing of their personal data. If you are an individual located in the EEA or the UK, this Supplemental EEA/UK Privacy Policy applies to you in addition to the provisions above.

(1) How We Use Your Personal Data
We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:

Legitimate Interests
We may process your personal data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, legitimate interests may include:
• Improving our websites, products/services, marketing, customer relationships and experiences
• Engaging you as a new vendor or other service provider, contractor, or employee
• Responding to your inquiries submitted through email, mail, phone, or the SBT website
• Enabling you to complete a survey
• Managing our relationships with you
• Administering and protecting our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, fraud prevention, reporting and hosting of data)
• Conducting depersonalized and aggregate statistical studies and research related to our products and services and the use of websites to help us understand trends and needs

Legal Obligation
We may process your personal data where we need to comply with a legal or regulatory obligation. For example, legal obligations may include:
• Complying with safety and adverse event reporting requirements
• Complying with clinical trial practice requirements

Public Interest/Scientific Research
We may process your personal data where necessary for scientific research purposes in the public interest, including the conduct of clinical trials.

Performance of a Contract
We may process your personal data when doing so is necessary to enter into or perform a contract.

Consent
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us using the contact information listed in Section A, “How to Contact Us.”

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need additional details about the specific legal basis we are relying on to process your personal data.

(2) Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

(3) International Transfers of Personal Data
We are based outside the EEA and the UK, so the processing of your personal data may involve a transfer of data outside the EEA or the UK. Whenever we transfer your personal data out of the EEA or UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data;
• We will only transfer your personal data to countries pursuant to binding agreement to and compliance with standard contractual clauses or binding corporate rules, each as approved by the European Commission or other regulators, as applicable;
• We will only transfer your personal data to countries pursuant to the consent of the individual to whom the personal data pertains; or
• We will only transfer your personal data to countries as otherwise authorized by the EEA or UK or permitted by applicable EEA or UK requirements.

(4) How Long We Retain Your Personal Data
We will only retain your personal data for as long as necessary to fulfill the purposes for which we collected it. For additional information, see Section J above, “How Long We Retain Your Personal Data”.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

(5) Your Data Protection Rights
This section provides information on the rights that you have under EEA or UK law in relation to your personal data. Under certain circumstances, individuals located in the EEA or UK have the following data protection rights:
• To access their personal data;
• To correct their personal data;
• To erase their personal data;
• To object to the processing of their personal data;
• To restrict the processing of their personal data;
• To transfer their personal data;
• To not be subject to a decision based solely on automated processing, including profiling; and
• To withdraw any consent that they have previously provided for the processing of their personal data.

If you would like to exercise your rights, please let us know by contacting our Data Protection Officer at stealthbt.dpo@mydata-trust.info.

For advice or to make a complaint, you can also contact the applicable Supervisory Authority within the EEA at this link https://edpb.europa.eu/about-edpb/board/members_en or the Information Commissioner’s Office within the UK at this link https://ico.org.uk/make-a-complaint/.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Q. Effect of Other Notices

SBT may have additional privacy notices or terms that are tailored and more specific for the different ways your personal data is collected. For example, clinical trial subjects are provided with separate notices related to their personal data collected for the trial. Employment applicants may also be provided with a separate privacy notice.

If you receive a privacy notice provided to you for a specific purpose, the terms of the more specific notice or contract will control to the extent that other notice differs or conflicts with this Privacy Policy.

R. State Privacy Rights

Some state laws may provide residents with specific rights, subject to some limitations, exclusions and the verification of your identity. These rights may include, but not be limited to: (1) the right to know whether SBT is processing your personal data; (2) the right to access the personal data that we process; (3) the right to correct inaccuracies in your personal data that we process; (4) the right to delete your personal data; (5) the right to obtain a copy of your personal data; (6) the right to opt-out of the processing of your personal data for targeted advertising, profiling activity and the sale of personal data; (7) the right to not be discriminated against for exercising your rights; and (8) the right to appeal a decision with regard to a request you make. To exercise your state privacy rights (as applicable), please contact us as described in Section A above, “How to Contact Us”.

SBT is committed to compliance with state privacy laws and continues to monitor developments.

S. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post an updated version on this website and update the revision date, unless another type of notice is required by applicable law. Your continued use of our website and/or services after any such updates take effect will constitute acceptance of those changes.

LAST REVISED 12/5/2024