Innoviva Specialty Therapeutics, Inc. and its affiliates (collectively, the “Company,” “we” or “us”) respects your privacy and understands that health is a very personal and private subject. The Company provides this privacy and information practices notice (“Privacy Notice”) to inform you about our online information practices, the kinds of information we may collect, how we use and share that information and how you can correct or change such information. We encourage you to read this Privacy Notice in its entirety before submitting any information. By using the Company’s websites or mobile applications, or submitting or requesting information, you acknowledge that you understand and agree with the provisions of this Privacy Notice.
This Privacy Notice applies to Personal Information that is Processed by the Company in the course of our business, including on Company websites and mobile applications (together with any and all future websites operated by or on behalf of the Company, the “Sites”). All individuals whose responsibilities include the Processing of Personal Information on behalf of the Company are expected to protect that data by adherence to this Privacy Notice. This Privacy Notice is intended to meet requirements globally, including those in North America, Europe, Asia Pacific and other jurisdictions.
2.0 Transparency/Notice–Personal Information We Collect and How We Use and Share It
The types of Personal Information we may collect (directly from you or from third-party sources) and our privacy practices depend on the nature of the relationship you have with the Company and the requirements of applicable law. We endeavor to collect information only relevant for the purposes of Processing. Below are the legal bases and the ways we collect information and how we use and share it.
2.1 Individuals About Whom the Company Collects Personal Information
The Company collects Personal Information regarding its current, prospective and former study patients, employees, visitors and guests (collectively “Individuals”).
2.2 Information the Company Collects
The data we may collect or have collected within the past 12 months from or about Individuals includes information that may be deemed Personal Information. We may also collect other information that is not Personal Information. In addition, if you participate in certain programs, we may collect information regarding your medications, medical history and other healthcare-related information, including, without limitation, Protected Health Information (collectively, “Health Information”), from Individuals or a Third Party. For example, we may indirectly collect information about your health condition, diagnosis and treatment from your healthcare professional, but only where your healthcare professional has obtained your consent to disclose that information to us, as required by law. Any Health Information that is tied to an Individual’s Personal Information will be treated as Personal Information and we will take efforts to maintain its confidentiality.
As you navigate Sites, certain passive information may also be collected or have been collected in the past 12 months, including internet protocol (“IP”) addresses, cookies, navigational data, the name of the domain and host from which you access the Internet, the browser software you use and your operating system, the date and time you access our Sites and the Internet address of the website from which you linked directly to our Sites.
2.3 How the Company Collects Personal Information
The ways that the Company may collect your Personal Information include:
• Through Sites, surveys, business or marketing events, and when delivering programs to you, we may collect Personal Information you provide to us or collect passive information as described in Section 2.2 above.
• When you use Sites, the Company may provide you with opportunities to sign up to receive specific information and may ask for your contact information (including your name, title and email address), so that we can send you specific information about our products and specific health conditions, with your consent.
• When you enroll in a Company program, we may obtain your contact information (including your name, title, and email address), details of your health condition, diagnosis, treatment and prescribing information relating to our products.
• When obligated to collect certain Personal Information to comply with regulatory requirements, including information relating to adverse effects you have experienced when using our products.
2.4 Information from Third-Party Sources
The Company may collect and/or have collected within the past 12 months Personal Information about you from third-party sources to supplement information provided by you. This supplemental information allows us to verify information that you have provided to the Company and to enhance our ability to provide you with information about our business, products and programs. The Company’s agreements with these third-party sources typically limit how the Company may use this supplemental information.
2.5 Research/Survey Solicitations
From time to time, the Company may perform research (online and offline) via surveys. We may engage third-party service providers to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us better serve Individuals by learning more about their needs and the quality of our products and programs. We may share anonymous Individual data for research and analysis purposes.
2.6 How the Company Uses Your Personal Information
Depending on how you interact with the Company, we and our third-party service providers may also use Personal Information in a variety of ways.
2.6.1 Providing Information and Services You Requested
The Company may use the Personal Information about you to provide you information that you may request (e.g., information about products or future programs related to commercialization, or other programs we are offering). The Company may also use your Personal Information to deliver a specific program to you, when you enroll to receive the program. Such use may include: (a) generally managing your information; (b) responding to questions, comments and requests; (c) providing access to certain areas and features of the Company’s Sites; and (d) permitting you to register for events or participate in webinars. In these instances, for the purpose of the European Union’s General Data Protection Regulation (“GDPR”), we base our processing of Personal Information on our fulfillment of our contract with you (Article 6(1)(b) of the GDPR).
2.6.2 Administrative Purposes
2.6.3 Marketing Products and Services
The Company may use the Personal Information about you to provide you with materials about offers, products and programs offered by us, including new content on Company Sites. The Company may provide you with these materials by phone, postal mail, facsimile or email, as permitted by applicable law. If you do not wish us to use your Personal Information for marketing purposes, you may contact us at any time to opt out of the use of your Personal Information for such purposes, as further described below. In these instances, for the purpose of the GDPR, we base our processing on your and our legitimate interests in offering and receiving our services (Article 13 of the e-Privacy Directive), or on consent (Article 6(1)(a) of the GDPR). When our processing of Personal Information is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before your withdrawal.
2.6.4 Research and Development
The Company may use your Personal Information to create non-identifiable information that we may use alone or in the aggregate with information obtained from other sources, in order to help us to optimally develop new products, processes, and services.
2.6.5 Information Submitted Via Sites
You agree that the Company is free to use the content of any communications submitted by you via the Sites, including any ideas, inventions, concepts, techniques or know-how disclosed therein, for any purpose including developing, manufacturing and/or marketing goods or services. However, the Company does not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a site will be published or otherwise used with your name on it; or (c) we are required to do so by law.
2.6.6 Social Media
The Company may collect Personal Information to enable people to use online social media resources (e.g., social networks, discussion boards and referral functions to share content and tools) offered either by the Company or a Third Party. We may also enable you to use these social media resources to post or share Personal Information with others. When using social media resources, you should take into careful consideration what Personal Information you share with others.
2.6.7 Sharing Content with Friends or Colleagues
The Company’s Sites may offer various tools and functionality. For example, the Company may provide functionality on its Sites that will allow you to forward or share certain content with a friend or colleague. Email addresses that you may provide for a friend or colleague will be used to send your friend or colleague the content or link you request but will not be collected or otherwise used by the Company or any other Third Parties for any other purpose.
2.6.8 Anonymous Data
The Company may use and share your anonymized information within the Company or with Third Parties for public health, research, analytics, and any other legally permissible purposes.
2.6.9 Court Orders and Legal Investigations
The Company may use and share your Personal Information for the purpose of responding to court orders and legal investigations (when the obligation derives from EU law, under Article 6(1)(c) of the GDPR) or on the legitimate interest of the Company to comply with foreign laws.
2.6.10 Other Uses
The Company may use your Personal Information for other purposes disclosed to you at the time you provide Personal Information or with your consent.
2.7 Direct Mail, Email, and Outbound Telemarketing
Individuals who provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, newsletters, mailings or phone calls from us with information on the Company or our business partners’ products and programs or upcoming special offers/events we believe may be of interest. We offer the option to decline these communications at no cost to the individual by following the instructions in Section 3 below.
Like many other websites, the Company and its service providers may employ and have employed within the past 12 months cookies, which are small pieces of computer code that enable Web servers to “identify” visitors, each time an Individual initiates a session on the Company’s Sites. A cookie is set in order to identify Data Subjects; tailor our Sites to you; and provide Site security. Such cookies can only access Personal Information that you have provided on our Sites and cannot be accessed by other sites. These cookies are strictly necessary for the operation of the Company’s Sites, so you do not have the option to accept or decline them individually. However, you may delete cookie files from the device you use to access our Sites at any time by clicking on the Privacy or History tab typically found on the Settings or Options menu in your internet browser. Please be advised that cookies are necessary to provide access to much of the content and many of the features of Sites, so your experience with the Sites may be impacted if you delete these cookies.
2.9 Mobile Devices
The Company may provide websites and online resources that are specifically designed to be compatible and used on mobile devices. The Company will collect and has collected within the past 12 months certain information that your mobile device sends when you use such websites or online resources, like a device identifier, user settings and the operating system of your device.
Mobile versions of the Company’s Sites may require that users log in with an account. In such cases, information about use of each mobile version of the website may be associated with user accounts. In addition, the Company may enable Individuals to download an application, widget or other tool that can be used on mobile or other computing devices. Some of these tools may store information on mobile or other devices. These tools may transmit Personal Information to the Company to enable Data Subjects to access user accounts and to enable the Company to track use of these tools. Some of these tools may enable users to email reports and other information from the tool. The Company may use Personal Information or non-identifiable information transmitted to the Company to enhance these tools, to develop new tools, for quality improvement and as otherwise described in this Privacy Notice or in other notices the Company provides.
2.10 Anonymous Information
The Company may use your Personal Information and other information about you to create anonymized information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access the Company Site or other online services, or other analyses we create. Anonymized information is used for a variety of functions, including the measurement of visitors’ interest in and use of various portions or features of the Sites. Anonymized information is not Personal Information, and the Company may use such information in several ways, including research, internal analysis, analytics and any other legally permissible purposes. We may share this information within the Company and with Third Parties for our or their purposes in an anonymized form that is designed to prevent anyone from identifying you.
3.0 Choice/Modalities to Opt Out
You have the right to opt out of certain uses and disclosures of your Personal Information, as set out in this Privacy Notice.
Where you have consented to the Company’s Processing of your Personal Information or Sensitive Personal Information, you may withdraw that consent at any time and opt out by sending an email at email@example.com. Additionally, before we use Personal Information for any materially different new purpose not originally authorized by you, we will provide information regarding the new purpose and give you the opportunity to opt out. Where consent of the Data Subject for the Processing of Personal Information is otherwise required by law or contract, the Company will comply with the law or contract.
3.2 Email and Telephone Communications
We maintain telephone “do not call” lists and “do not mail” lists as mandated by law. We process requests to be placed on do not mail, do not phone and do not contact lists within 60 days after receipt, or such shorter time as may be required by law.
3.3 “Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. The Company does not recognize or respond to browser initiated DNT signals. For information about “do-not-track”, visit http://www.allaboutdnt.org.
3.4 Advertising Choices
While the Company does not currently participate in interest-based advertising, it may in the future use your browsing for interest-based advertising purposes, to the extent allowed by law and, where required by law, after obtaining your consent. If we do so, an opportunity to opt-out of such interest-based advertising will be provided through an AdChoices link.
Advertisements on third-party websites that contain the AdChoices link and that link to this Privacy Notice may have been directed to you based on Personal Information collected by advertising partners over time and across websites. These advertisements provide a mechanism to opt-out of the advertising partners’ use of this information for interest-based advertising purposes.
Even if you opt-out through AdChoices, we may still collect and use Personal Information regarding your activities on our Sites and/or information from the advertisements on third-party websites for non-interest-based advertising purposes, such as to determine the effectiveness of the advertisements.
4.0 Onward Transfer
4.1 Information We Share
The Company does not sell or otherwise disclose and has not sold within the past 12 months Personal Information about you, without providing you with prior notice and an opportunity to opt-out, as required by law. The Company, also, will not sell and has not sold within the past 12 months the Personal Information of minors under 16 years of age to non-affiliated Third Parties without affirmative authorization. The Company requires Third Parties to which it discloses Personal Information to protect Personal Information using substantially similar standards to those required by the Company, and to notify the Company if they make a determination they can no longer meet this obligation.
4.1.1 Service Providers
The Company may share Personal Information with our service providers that we have retained to perform services on our behalf, including service providers who assist with (i) provision of IT and related services and (ii) provision of information and services you have requested.
The Company has executed appropriate contracts with the service providers that prohibit them from using or sharing your personal information except as necessary to perform the contracted services on our behalf or to comply with applicable legal requirements.
4.1.2 Business Partners
The Company may share Personal Information with our business partners to provide you with a product or service that you have requested. The Company may also provide Personal Information to business partners with whom we may jointly offer products or services. In such cases, our business partner’s name will appear, along with the Company’s. The Company requires our business partners to agree in writing to maintain the confidentiality and security of Personal Information they maintain on our behalf and not to use it for any purpose other than the purpose for which the Company provided them.
4.1.3 Information Disclosed for Our Protection and the Protection of Others
We may disclose information about you: (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce the Company’s policies or contracts; (v) to collect amounts owed to the Company; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if we, in good faith, believe that disclosure is otherwise necessary or advisable.
In addition, from time to time, server logs may be reviewed for security purposes (e.g., to detect unauthorized activity on the Sites). In such cases, server log data containing IP addresses may be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.
4.1.4 Information Disclosed in Connection with Business Transactions
We may disclose or transfer any information we have about you in the event of a proposed or actual purchase, any reorganization, sale, lease, merger, joint venture, assignment, amalgamation or any other type of acquisition, disposal or financing of all or any portion of our business or of any of the business assets or shares (including in connection with any bankruptcy or similar proceeding). Should such an event occur, the Company will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Privacy Notice.
4.1.5 Business Purposes
We may disclose Personal Information to effectuate the business goals for reasons for which you provided the Personal Information.
4.2 Data Transfers
All Personal Information sent or collected via or by the Company may be stored anywhere in the world, including but not limited to, in the United States, in the cloud, our servers, the servers of our affiliates or the servers of our service providers. Any transfers of Personal Information of a Data Subject residing in the European Union outside of the European Economic Area will only be made where appropriate safeguards have been put in place. Your Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to the Company, you consent to the storage of your Personal Information in these locations.
5.0 Modifying your Information
We encourage you to update the information you provide to us, such as providing us with a new mailing or email address, a name change, or a change in the medical conditions that you have notified us about. This will help us continue to provide information to you that best meets your needs.
Where otherwise permitted by applicable law, you may use any of the methods set out in Section 8.0 of this Privacy Notice to request access to, receive (port), restrict Processing, seek rectification or request erasure of Personal Information held about you by the Company. Such requests will be Processed in line with local laws. Although the Company makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which the Company is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question or where it is commercially proprietary. If the Company determines that access should be restricted in any instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, the Company will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
The Company retains the Personal Information we receive as described in this Privacy Notice for as long as you use our Sites or as necessary to fulfill the purpose(s) for which it was collected, provide our products and programs, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
The security of all Personal Information provided to the Company is important to us, and the Company takes reasonable steps designed to protect your Personal Information. Unfortunately, no data transmission over the Internet or storage of information can be guaranteed to be 100% secure. As a result, while the Company strives to protect your Personal Information, we cannot ensure or warrant the security of any information you transmit to the Company, and you do so at your own risk. To the maximum extent allowed by applicable law, you agree and acknowledge that the Company shall not be liable or responsible if any information about you is intercepted, accessed, and/or used by an unintended recipient. If you have reason to believe that the security of your communications or personally identifying information has been compromised, please notify us immediately at: firstname.lastname@example.org.
8.0 Redress/Compliance and Accountability
If after reviewing this Privacy Notice, you would like to submit a request or you have any questions or privacy concerns, please contact:
Toll-Free Number: 1-844-680-3975
Innoviva Specialty Therapeutics, Inc.
35 Gatehouse Drive
Waltham, MA 02451
The Company will address your concerns and attempt to resolve any privacy issues in a timely manner, within the time limits set by applicable law.
9.0 Other Rights and Important Information
9.1 Information Regarding Children
Due to the nature of the Company’s business, programs and benefits are not marketed to minors. The Company does not knowingly solicit or collect Personal Information from children under the age of 13 (and in certain jurisdictions under the age of 16). If we learn that we have collected Personal Information from a child under the age of 13 (and in certain jurisdictions under the age of 16), we will promptly delete that information. If you are a parent or guardian and you believe we have inadvertently collected personally identifying information from your child who is under 18, you may contact us by sending an e-mail to email@example.com to request that we delete your child’s information from our records.
9.2 California Privacy Rights
The California Consumer Privacy Act (“CCPA”) provides California residents with certain rights regarding their Personal Information. This section explains these rights and how to make a verifiable consumer request to exercise those rights. You may only make a verifiable consumer request for access or data portability from us twice within a 12-month period, free of charge. You also may request a list of the Third Parties to whom we have disclosed your Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties. However, the Company does not share Personal Information with Third Parties for their own marketing purposes.
9.2.1 Right to Know and Access Personal Information Collected, Disclosed, or Sold
California residents may have the right to request that a business that collects Personal Information disclose:
1. The categories of Personal Information it has collected about you within the past 12 months;
2. The categories of sources from which the Personal Information was collected within the past 12 months;
3. The business or commercial purposes for collecting, using, or selling the Personal Information within the past 12 months;
4. The specific pieces of Personal Information we have collected about you within the past 12 months; and
5. The categories of Personal Information that a business collected about you and the categories of Personal Information that a business disclosed about you for a business purpose within the past 12 months.
California residents also may have the right to submit a request that a business that collects Personal Information provide the specific pieces of Personal Information it has collected about you within the past 12 months.
9.2.2 Right to Request Deletion of Personal Information
California residents may have the right to request that a business that collects Personal Information about you (and its Service Provider(s) that process Personal Information about you) delete that Personal Information, unless an exception in the CCPA applies. If the Company cannot grant your deletion request, we will specify the basis for denial.
9.2.3 Right to Non-Discrimination
The Company will not discriminate against you for exercising any of your rights under the CCPA.
9.3 Rights under the GDPR and/or the UK Data Protection Act
If you are a resident of the European Economic Area (“EEA”) or the United Kingdom (“UK”), or if your personal information is processed by one of our affiliates in the EEA or the UK, you have the following rights regarding the Company’s processing of your personal information:
• You have the right to request access to, rectification of, and erasure of your personal information.
• You have the right to object to or to request the restriction of our processing of your personal information.
• You have the right to request the portability of your personal information.
• You have rights with respect to automated decision making or profiling.
Any requests to exercise these rights may only be made effective insofar as the relevant Personal Information and the purposes of data processing are compatible with the exercise of such rights.
If you are dissatisfied with the way we have processed your Personal Information and wish to lodge a complaint, you may contact us, and you also may make a complaint to the supervisory authority of the country where our affiliate has provided you with services or where you reside.
9.4 How to Exercise Your Rights
If you have the rights described above, you may exercise those rights by submitting a verifiable request to us by contacting us using the information outlined in Section 8.0.
Only you or an authorized agent (as described below) may make a verifiable consumer request related to your Personal Information.
9.4.1 How to Authorize an Agent
You may designate an authorized agent to submit your verified consumer request on your behalf, only if the authorized agent has your written permission to do so and you have taken steps to verify your identity directly with us. If you would like to designate an agent for purposes of making a request under the CCPA, your agent must register as such with the California Secretary of State and submit a copy of this registration along with your verified consumer request.
9.4.2 How We Verify Your Request
To respond to a request under the CCPA we must verify your identity or the authority of your authorized agent to make the request. We will only use the Personal Information provided in a verifiable consumer request to verify your identity or the authority of your authorized agent to make the request. Making a verifiable consumer request does not require you to create an account with us.
To allow us to verify your request, please include the following information: name, address, phone number, and email address. We will verify your consumer request by comparing the information you provide to information already in our possession and taking additional steps to minimize the risk of fraud.
9.5 Links to Third-Party Sites
Please note that our Sites may contain links to other websites for your convenience and information. The Company does not control third-party websites or their privacy practices, which may differ from those set out in this Privacy Notice. The Company does not endorse or make any representations about third-party websites. Any Personal Information you choose to give to unrelated Third Parties is not covered by this Privacy Notice. The Company encourages you to review the privacy notice of any company or website before submitting your Personal Information.
9.6 Changes to the Privacy Notice
The Company may update this Privacy Notice from time to time as it deems necessary in its sole discretion. If there are any material changes to this Privacy Notice, The Company will notify you by email or as otherwise required by applicable law and will note the date that any changes become effective at the top of this page. The Company encourages you to review this Privacy Notice periodically to be informed regarding how the Company is using and protecting your information and to be aware of any policy changes. Your continued relationship with the Company after the posting or notice of any amended Privacy Notice shall constitute your agreement to be bound by any such changes. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by the Company.
This Privacy Notice shall be implemented by the Company. The Company has put in place mechanisms to verify ongoing compliance with this Privacy Notice. Any employee that violates these privacy principles will be subject to disciplinary procedures.
“Data Subject” is an identified or identifiable natural person. A Data Subject may be an employee, consultant, an individual, or any other natural person.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.
“Personal Information” is any information relating to an identified or identifiable natural person (“Data Subject”), such as title, name, address, age, birth date, phone number, device identifier, IP address, email address and account username and password. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Protected Health Information” is a subset of Personal Information and has the meaning set out in HIPAA, and in particular at 45 C.F.R. § 160.103, as it may be amended from time to time.
“Sensitive Data” or “Sensitive Personal Information” is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Information includes Personal Information regarding EU-residents that is classified as a “Special Category of Personal Data” under EU law, which consists of the following data elements: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) genetic data; (6) biometric data where Processed to uniquely identify a person; (6) health information; (7) sexual orientation or information about the individual’s sex life; or (8) information relating to the commission of a criminal offense.
“Third Party” is any natural or legal person, public authority, agency or body other than the Data Subject, the Company or the Company’s agents or service providers.