For the purposes of the General Data Protection Regulation (EU) 2016/679 (“EEA GDPR”) and the UK General Data Protection Regulation (“UK GDPR”), to the extent applicable, Adverum acts as a data controller for the Personal Information that is processed when you access our Sites or related services.
This Policy applies whether you are a patient, member of the public, visitor, shareholder or investor, member of a regulatory body or authority, vendor or service provider, consultant, contractor, job applicant, or any other individual with whom we engage or who is involved in our business activities.
If you are an employee, vendor, consultant or service provider, there may be additional privacy notices that apply to your Personal Information. Please refer to the information you received from us as an employee for additional privacy notice information, and if you are a vendor, consultant, contractor or service provider, please refer to your contractual agreements with Adverum for additional information.
What Personal Information We Collect
We collect and process the following types of Personal Information:
- Personal Identifiers: Your name, phone number, email address, company or organization you work for.
- Online identifiers: Device ID or Cookie ID.
- Commercial and Financial Information: Payment-related information, such as your bank address or account details and number, tax-related information for business purposes, or other information about you, user account logs, records of services provided, requested documentation, or customer service logs.
- Professional or Employment Information: Employer, job title, academic or research expertise or interests, academic position or title, or affiliated academic institution or entity, CV and resumes.
- Educational Information: Information about education history or background.
- Analytical Information: Pages viewed, referring web page, e-mails from us that you opened, browser type, operating system, IP address, and device information.
- Public Information: We may also collect publicly available information about you from third-party sources, such as the postal service for shipping address verification.
- De-identified and Anonymized Information: Aggregate and/or de-identified information about you; or use suggestions, comments, and ideas that are not personally identifiable.
- Health Information (if permitted by law): We may collect data relating to your health in limited instances, for example, your initials, name, key-coded or pseudonymized data, and other related information necessary for the provision of our products when necessary to protect your health and safety or to comply with the law.
We may also receive other Personal Information that you or others provide us or store on our systems, such as in communicating or otherwise interacting with us, providing a reference, or attending an event with us.
Sources of Personal Information
We may collect Personal Information from the following categories of sources:
- From your device or browser
- Directly from you when you provide information (for example, via our “contact us” form)
- From our affiliates, business partners, consultants, vendors, service providers or contractors
- From marketing vendors and advertising networks
- From social media
How We Use the Personal Information We Collect
We may collect and use your Personal Information for the following purposes:
- To address your inquiries, concerns, and requests
- To analyze the use of our products and services and improve our products and services
- To develop and provide new products and services
- To conduct research activities alone or together with other third parties
- To conduct our regular commercial activities
- To process job applications
- To maintain the security of our services
- To comply with applicable law
- To protect our rights, property, and safety or those of others
We rely upon legal bases permitted under applicable law to process your Personal Information. The bases upon which we process your Personal Information include the following:
- Pursuance of our legitimate interests, for example, to provide you with information that enables us to answer inquiries, concerns, and requests, etc. When we process Personal Information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected;
- Performance of any contract we execute with you;
- Compliance with our legal obligations; for example, to respond to legally binding requests from regulators, law enforcement authorities or other government authorities;
- Collection of your consent, when required.
If you are in the EEA or the UK, you may have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfill this request in all instances. Please contact us using the contact information below to receive more information, including with respect to the balancing test we have performed in this regard.
Cookies and Analytics
Whom We Share Personal Information With
We may share your Personal Information in the following limited circumstances:
- We may share Personal Information with affiliates, consultants, vendors, contractors and other service providers who we employ to perform tasks on our behalf, such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organizations with whom we collaborate to support our clinical activities (such as for clinical studies, patient support programs, and so on).
- We may share or disclose your Personal Information to regulatory and health authorities, including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by applicable law.
- We may also share your Personal Information with third parties to whom Adverum is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney.
How Long We Store Personal Information
We store your Personal Information for the period necessary and proportionate for the specific purpose for which it was collected and to enable us to:
- Comply with record retention requirements under the applicable law;
- Defend or bring any existing or potential legal claims;
- Deal with any requests, complaints, or adverse events reports;
- Maintain business records for analysis and/or audit purposes;
- Manage our relationships with affiliates, business partners, consultants, vendors, service providers or contractors.
How We Protect Personal Information
We aim to protect your Personal Information by implementing and maintaining organizational, technological, contractual, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We maintain commercially reasonable safeguards to help protect your Personal Information, including assuring that affiliates, consultants, vendors, contractors, and other service providers who access or handle Personal Information on our behalf maintain such safeguards.
Rights Regarding Personal Information
Persons in certain jurisdictions (e.g., the EEA / UK) may have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise subject to the limitations under applicable law such as the EEA GDPR or UK GDPR. For individuals in the EEA and UK, these include the rights:
- To request access to your Personal Information;
- To request rectification of inaccurate or incomplete Personal Information;
- To request erasure of your Personal Information (a “right to be forgotten”);
- To restrict the processing of your Personal Information in certain circumstances;
- To object to our use of your Personal Information, such as where we have considered such use to be necessary for our legitimate interests and/or in the case of direct marketing activities;
- Where relevant, to request the portability of your Personal Information to a third-party;
- Where you have given consent to the processing of your Personal Information, to withdraw your consent;
- To lodge a complaint with the competent supervisory authority of your country of residence. You may find a list of the contact details of competent authorities in the EEA here: https://edpb.europa.eu/about-edpb/about-edpb/members_en and here for the UK: https://ico.org.uk/.
If you want to access, review, update, rectify, and delete any Personal Information Adverum holds about you, or exercise any other data subject right available under the EEA GDPR or UK GDPR, where applicable, you should contact us via e-mail: firstname.lastname@example.org.
Our Sites are not intended for or directed to individuals under the age of thirteen (13). We do not collect information from any individual we know to be under the age of 13 (or older if your country is more restrictive). If a parent or guardian becomes aware that his or her child has directly provided us with Personal Information, please contact us by using the contact information below.
If our Sites provide links to other websites, these websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.
International Data Transfers
Adverum is based in the United States of America (“USA”), and we process and store information in the USA. Your Personal Information may also be shared with or accessed by Adverum’s service providers located in countries that provide less protection than your country (such as the USA). In such instances, whenever your Personal Information is transferred to countries outside of the EEA or UK, we will ensure that at least one of the following safeguards is in place:
- The country is one that the European Commission has approved as providing an adequate level of protection for personal data;
- The transfer is subject to a specific derogation in the EEA GDPR, UK GDPR or national laws;
- European-style data transfer agreements (Standard Contractual Clauses) with the recipients.
If you would like further information about the safeguards Adverum has implemented or would like to obtain a copy of the Standard Contractual Clauses, please contact us using the contact details set out below.
Please do not hesitate to contact us if you have any questions regarding the protection of your Personal Information or if you wish to exercise your privacy rights (as described above).
Adverum Biotechnologies, Inc., 100 Cardinal Way, Redwood City, CA 94063
Data Protection Officer: email@example.com
Last Update: April 2023