Privacy Policy

This Privacy Policy is provided by Adverum Biotechnologies Inc. and its affiliates and subsidiaries (collectively “Adverum,” “our,” “us” or “we”). It is intended to describe how we collect, use, share and process information about you (“Personal Information”) when you visit our website https://adverum.com/ and https://investors.adverum.com/ (“Sites”), when we communicate with you and in the context of our business activities or when you apply for a job with us. It also informs you about your privacy rights and the measures and processes we put in place to protect your data.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“EEA GDPR”) and the Data Protection Act 2018 (“UK GDPR”), to the extent applicable, Adverum acts as a data controller for the Personal Information that is processed when you access our Sites or related services.

This Policy applies whether you are a patient, member of the public, visitor, shareholder or investor, member of a regulatory body or authority, vendor or service provider, consultant, contractor, job applicant, or any other individual with whom we engage or who is involved in our business activities.

If you are an employee, vendor, consultant or service provider, there may be additional privacy notices that apply to your information. Please refer to the information you received from us as an employee for additional privacy notice information, and if you are a vendor, consultant, or service provider, please refer to your contractual agreements with Adverum for additional information.

What Personal Information We Collect

We collect and process the following types of Personal Information:

  • Personal Identifiers: Your name, phone number, email address, company or organization, or online identifiers such as device ID or cookie ID.
  • Commercial and Financial Information: Payment-related information, such as your bank address or account details and number, tax-related information for business purposes, or other information about you, user account logs, records of services provided, requested documentation, or customer service logs.
  • Professional or Employment Information: Employer, job title, academic or research expertise or interests, academic position or title, or affiliated academic institution or entity, CV and resumes.
  • Educational Information: Information about education history or background.
  • Analytical Information: Pages viewed, referring web page, e-mails from us that you opened, browser type, operating system, IP address, and device information.
  • Public Information: We may also collect publicly available information about you from third-party sources, such as the postal service for shipping address verification.
  • De-identified and Anonymized Information: We may aggregate and/or de-identify information about you, or use suggestions, comments, and ideas that are not personally identifiable.
  • Health Information (if permitted by law): We may collect data relating to your health in limited instances, for example, your initials, name, key-coded or pseudonymized data, and other related information necessary for the provision of our products when necessary to protect your health safety or to comply with the law.

We may also receive other personal information that you or others provide us or store on our systems, such as in communicating or otherwise interacting with us, providing a reference, or attending an event with us.

Sources of Personal Information

We may collect Personal Information from the following categories of sources:

  • From your device or browser
  • Directly from you when you provide information
  • From our affiliates, business partners, consultants, vendors, service providers or contractors
  • From marketing vendors and advertising networks
  • From social media

How We Use the Personal Information We Collect

We may collect and use your Personal Information for the following purposes:

  • To address your inquiries, concerns, and requests
  • To analyze the use of our products and services and improve our products and services
  • To develop and provide new products and services
  • To conduct research activities alone or together with other third parties
  • To conduct our regular commercial activities
  • To process job applications
  • To maintain the security of our services
  • To comply with applicable law
  • To protect our rights, property, and safety, or those of others

We rely upon legal bases permitted under applicable law to process your Personal Information. The bases upon which we process your Personal Information include the following:

  • Pursuance of our legitimate interests, for example, to provide you with information that enables us to answer inquiries, concerns, and requests, etc. When we process Personal Information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected;
  • Performance of any contract we execute with you;
  • Compliance with our legal obligations; for example, to respond to legally binding requests from regulators, law enforcement authorities or other government authorities;
  • Collection of your consent, when required.

If you are in the EEA or the UK, you may have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfill this request in all instances. Please contact us using the contact information below to receive more information, including with respect to the balancing test we have performed in this regard.

Cookies and Analytics

As is now common with most websites, we may use cookies or similar technologies to capture information about the use of our Sites and to improve your user experience on our Sites. Accordingly, we may store and retrieve information on your device through the use of cookies and similar technologies. For instance, we may use a session cookie to store form information that you have entered so that you do not have to enter such information again. We may use information stored in such cookies to customize your experience on and analyze use of our Sites. You may be able to set your browser to notify you when you receive a cookie. Many web browsers also allow you to block cookies. If you block strictly necessary cookies, you may not be able to access certain parts of our Sites.

To find out more about what cookies we use and how we use them, please consult our Cookies Policies here (for Investor Relations and Corporate).

Whom We Share Personal Information With

We may share your Personal Information in the following limited circumstances:

  • We may share Personal Information with affiliates, consultants, vendors, contractors and other service providers who we employ to perform tasks on our behalf, such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organizations with whom we collaborate to support our clinical activities (such as for clinical studies, patient support programs, and so on).
  • We may share or disclose your Personal Information to regulatory and health authorities, including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by applicable law.
  • We may also share your Personal Information with third parties to whom Adverum is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney.

How Long We Store Personal Information

We store your Personal Information for the period necessary and proportionate for the specific purpose for which it was collected and to enable us to:

  • Comply with record retention requirements under the applicable law;
  • Defend or bring any existing or potential legal claims;
  • Deal with any requests, complaints, or adverse events reports;
  • Maintain business records for analysis and/or audit purposes;
  • Manage our relationships with affiliates, business partners, consultants, vendors, service providers or contractors.

How We Protect Personal Information

We aim to protect your Personal Information by implementing and maintaining organizational, technological, contractual, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We maintain commercially reasonable safeguards to help protect your Personal Information, including assuring that affiliates, consultants, vendors, contractors, and other service providers who access or handle Personal Information on our behalf maintain such safeguards.

Rights Regarding Personal Information

Data Rights in Certain Jurisdictions

Persons in certain jurisdictions (e.g., the EEA / UK) may have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise subject to the limitations under applicable law such as the EEA GDPR or UK GDPR. For individuals in the EEA and UK, these include the rights:

  • To request access to your Personal Information;
  • To request rectification of inaccurate or incomplete Personal Information;
  • To request erasure of your Personal Information (a “right to be forgotten”);
  • To restrict the processing of your Personal Information in certain circumstances;
  • To object to our use of your Personal Information, such as where we have considered such use to be necessary for our legitimate interests and/or in the case of direct marketing activities;
  • Where relevant, to request the portability of your Personal Information to a third-party;
  • Where you have given consent to the processing of your Personal Information, to withdraw your consent;
  • To lodge a complaint with the competent supervisory authority of your country of residence. You may find a list of the contact details of competent authorities in the EEA here: https://edpb.europa.eu/about-edpb/about-edpb/members_en and for the UK: https://ico.org.uk/.

If you want to access, review, update, rectify, and delete any Personal Information Adverum holds about you, or exercise any other data subject right available under the EEA GDPR or UK GDPR, where applicable, you should contact us via e-mail: privacy@adverum.com.

Notice to California Residents – Your California Privacy Rights

If you are a California resident whose information is covered by the California Consumer Privacy Act (the “CCPA”), you may have the rights described in this Section of our Privacy Policy, including the right to request access to and deletion of Personal Information we maintain about you.

Please note that these disclosures do not apply to information that is not processed under the CCPA. During the preceding 12 months, Adverum has collected, used, and shared the categories of Personal Information described above in this Privacy Policy. For example, this may include identifiers (e.g., email addresses, IP addresses, and mobile device identifiers), health information, demographic information, geolocation information, and internet or other electronic network activity information. This may also include inferences we draw from the other information we collect. See the other relevant sections of this Privacy Policy for more details.

Under the CCPA, California residents may have the right to request that a business that collects consumers’ Personal Information give consumers additional transparency and access to the specific pieces of Personal Information that the business has collected about the consumer. If you are a California resident, you may request that we disclose to you the following information covering the 12 months preceding your request:

  • The categories of information (“Information”) we collected about you and the categories of sources from which we collected such Information;
  • The specific pieces of Information we collected about you;
  • The business or commercial purpose for collecting Information about you;
  • The categories of Information about you that we otherwise shared or disclosed and the categories of third parties with whom we shared or to whom we disclosed such Information.

California residents also have the right to submit a request for deletion of Information under certain circumstances. Please note that these rights are not absolute. For example, we may not delete Information we are required to retain for regulatory reasons, certain internal business purposes, or where otherwise provided for by law. In addition, we will not respond to a request if we cannot verify you as the requestor.

If you would like to discuss or exercise these rights, please contact us at the details below. We encourage you to contact us to update or correct your Information if it changes or if the Information we hold about you is inaccurate. We may contact you if we need additional information from you in order to honor your requests.

Please note that we may require additional information from you in order to honor your request, and there may be circumstances where we will not be able to honor your request. For example, if you request deletion, we may need to retain certain Information to comply with our legal obligations or other permitted purposes. We will only use Information provided in a verifiable consumer request to verify your identity or authority to make the request. If you are submitting a request through an authorized agent, the authorized agent must provide us with your signed written permission stating that the agent is authorized to make the request on your behalf. We may also request that any authorized agents verify their identity and may reach out to you directly to confirm that you have provided the agent with your permission to submit the request on your behalf. Consistent with California law, if you choose to exercise your rights, we will not charge you different prices or provide different quality of services unless those differences are related to your information or otherwise permitted by law.

California law requires that a business provide in its privacy policy a list of the categories of Personal Information it has in the preceding 12 months (1) disclosed for a business purpose, and (2) disclosed in exchange for valuable consideration (considered a “sale” under California law, even if no money is exchanged), as well as the categories of third parties to whom each category of Personal Information was disclosed or sold. In accordance with California law:

| Categories of Information Disclosed for our Business Purposes | Categories of Third Parties to Whom this Information was Disclosed |
|---|---|
| Personal identifiers | Adverum’s affiliates and service providers |
| Commercial information | Adverum’s affiliates and service providers |
| Internet or other electronic network activity information | Adverum’s affiliates and service providers |
| Geolocation Information | Adverum’s affiliates and service providers |
| Professional or employment-related information | Adverum’s affiliates and service providers |
| Education information | Adverum’s affiliates and service providers |
| Medical Information | Adverum’s affiliates and service providers |

If you reside in California and have provided your Information to us, you may request information once per calendar year about our disclosures of certain categories of your personally identifiable information to third parties for their direct marketing purposes. Such requests must be submitted to us in writing at privacy@adverum.com.

Children’s Information

Our Sites are not intended for or directed to individuals under the age of thirteen (13). We do not collect information from any individual we know to be under the age of 13 (or older if your country is more restrictive). If a parent or guardian becomes aware that his or her child has directly provided us with Personal Information, please contact us by using the contact information below.

Other Websites

If our Sites provide links to other websites, these websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.

International Data Transfers

Adverum is based in the United States of America (“USA”), and we process and store information in the USA. Your Personal Information may also be shared with or accessed by Adverum’s service providers located in countries that provide less protection than your country (such as the USA). In such instances, whenever your Personal Information is transferred to countries outside of the EEA or UK, we will ensure that at least one of the following safeguards is in place:

  • The country is one that the European Commission has approved as providing an adequate level of protection for personal data;
  • The transfer is subject to a specific derogation in the EEA GDPR, UK GDPR or national laws;
  • European-style data transfer agreements (Standard Contractual Clauses) with the recipients.

If you would like further information about the safeguards Adverum has implemented or would like to obtain a copy of the Standard Contractual Clauses, please contact us using the contact details set out below.

Changes to This Privacy Policy

We reserve the right to amend, alter, or otherwise change this Privacy Policy at our sole and absolute discretion. If we make material changes to the Privacy Policy, we will post notice in this Policy.

Contact Us

Please do not hesitate to contact us if you have any questions in regard to the protection of your Personal Information or if you wish to exercise your privacy rights (as described above).

Adverum Biotechnologies, Inc., 100 Cardinal Way, Redwood City, CA 94063

Data Protection Officer: privacy@adverum.com

Last Update: November 2022