Last Updated: December 2022
Welcome to the Privacy Notice (“Notice”) of BridgeBio Pharma, Inc., a company with its registered office at 3160 Porter Drive, Palo Alto, CA 94304, USA, as well as its affiliates and subsidiaries that link to this Notice (collectively, referred to as “BridgeBio”, “we,” “our,” or “us” and “Controller”). BridgeBio is a team of experienced drug discoverers, developers, and innovators working to create life-altering medicines that target well-characterized genetic diseases at their source.
This Notice describes our general practices regarding how we collect, use and disclose “personal data” (i.e., information related to an identified or identifiable person) of patients, caregivers, health care professionals, researchers, research study participants, as well as other individuals with whom we interact, for example representatives of the scientific community, visitors to our online services and sites that link to this Notice, and users of our products and services, including website visitors, job applicants, vendors, service providers, business partners, and investors.
We process the personal data we collect from and about you in accordance with applicable data protection regulations and principles, including U.S. and applicable EU/UK regulations/member state law. We understand the importance of your privacy and are committed to providing appropriate privacy protections to everyone we collect personal data from.
In this Privacy Notice, you will learn about the following:
- research participants and their caregivers;
- healthcare professionals and researchers;
- users of our products and services, including website users;
- contractors, vendors and business partners, and the representatives thereof; and
- representatives of the scientific community.
This Privacy Policy explains our general practices for all data processing, including what information we collect from users when you visit our Sites or apply to and/or participate in a clinical trial, how we use and share that data, and your choices concerning our data practices. Research participants should read this Privacy Policy in conjunction with any informed consent forms, privacy notices, or trial documents that have been provided to you in relation to the collection, use, and transfer of your information. Research participant privacy notices describe in more detail how research participant information will be processed in relation to the study, including the types of information collected, the purposes and legal bases of processing, processing methods, your rights with respect to your information, how long we may retain your information and biological samples (if any), potential international data transfers, if information will be shared with third parties and specific security measures to protect information.
By engaging with the Sites or participating in Research, you agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not access or use the Sites or participate in Research.
1. PERSONAL DATA WE COLLECT, HOW AND THE LEGAL BASIS FOR WHICH WE USE IT
1.1 Research Participants
1.1.1 Important Note on Other Applicable Privacy and Consent Notices for Research Participants
Personal data is collected from participants in BridgeBio’s clinical research projects (“Research”) in the course of delivering those projects (“Research Participants”). If you are a Research Participant, you should read this Notice in conjunction with any informed consent forms, privacy notices, and/or trial documents that are provided to you (and sometimes also to your family members) in relation to the collection, use, and transfer of your personal data for the Research purpose (“Research Notices”). Research Notices describe in more detail how Research Participants’ personal data will be processed in relation to a particular study, including the types of personal data collected, the purposes and legal bases of processing, processing methods, your rights with respect to your personal data, how long your personal data and biological samples (if any) are retained, whether your personal data is transferred internationally, if personal data will be shared with third parties and specific security measures to protect personal data. Please note that Research Notices take precedence over this Notice concerning the processing of personal data of Research Participants. For your convenience, however, we provide a general summary of our information practices with respect to Research Participants below.
1.1.2 Personal Data We Collect from Research Participants
When you choose to serve as a Research Participant, entities that jointly conduct Research-related activities with us, including providers of clinical trial operations services such as trial site personnel, investigators who provide you with investigational drugs, clinical research organizations (“CROs”), various laboratories, imaging centers and others (collectively, referred to as “Research Partners”) collect personal data about you including your name, email address, address, and other contact information. Our Research Partners also collect demographic information (also known as “sensitive data”), such as racial or ethnic origin, gender, age, or information regarding the participant’s sex life, and may also collect information concerning your medical or health conditions, including images and biological samples.
The information that we collect from our Research Partners is received in pseudonymized form, meaning that the information has been configured in such a way so that the personal data within can no longer be attributed to a specific person without the use of additional information (which is kept separate and secure to avoid re-association with the individual). Exceptions to when this information may be received in non-pseudonymized form are rare and include, for instance, where information is needed to be processed following the death of a Research Participant.
Our Research Partners’ use of your personal data is governed by our contracts with them, as well as the Research Partner’s own privacy policies. Each Research Partner will have its own privacy policy and its privacy practices may differ from the practices described in this Notice. Our Research Partners will provide you with their privacy notices when you choose to participate in Research.
1.1.3 How and the Legal Basis for which We Use Personal Data Collected From Research Participants
We use the personal data we collect from Research Participants in the following ways and in accordance with the following legal bases:
To conduct the Research, including performing drug development research and research-related activities such as reporting to industry regulators. For Research purposes, to process your personal data (including sensitive data) we rely on the following legal bases:
- reasons of public interest in the area of public health on the basis of applicable law which provides for suitable and specific measures to safeguard your rights and freedoms, in particular professional secrecy;
- the basis of consent (and for sensitive data, explicit consent). If we have sought your consent (and/or explicit consent) to engage in a certain Research activity, you may withdraw your consent at any time and instruct us to discontinue collecting your personal data;
- for scientific research purposes to the extent allowed under applicable law which shall be proportionate to the aim pursued, respect the essence of your right to data protection and provide for suitable and specific measures to safeguard your fundamental rights and interests; and/or
- as necessary for certain legitimate business interests (for non-sensitive data), which include the following: to send administrative information to you, for example, information regarding the Research trial, or changes to, or termination of the Research.
As necessary to comply with legal, regulatory and government requirements including in order to:
- comply with legal obligations or regulatory obligations and legal process;
- respond to requests from public and government authorities (including public and government authorities outside your country of residence, as necessary in our legitimate business interests as required by applicable law);
As necessary for certain legitimate interests (for non-sensitive data), as listed below, and where our interests are not overridden by your data protection rights, we may use personal data to:
- enforce our legal terms, contracts and other agreements;
- protect our operations or those of any of our affiliates;
- protect our rights, privacy, safety or property, and/or that of our affiliates, you or others;
- pursue available remedies or limit the damages that we may sustain, as required or permitted by the law; and
- monitor safety, manage adverse events, carry out prevention and investigatory activities, and carry out administrative requirements.
As necessary for the performance of our contract with you, including; responding to your requests prior to entering into a contract with you; and tracking our interactions and meetings, such as when you contact us for information and support; providing you with access to online services, applications, and platforms, and allowing you to manage your online accounts, where applicable; and establishing and ensuring ongoing qualification of select clinical trial vendor personnel providing services to us as a result of a contract we may have with you.
1.2 Website Visitors
1.2.1 Personal Data We Collect from Website Visitors
When you access and use our websites or online services that link to this Notice (the “Websites”), we collect the following types of personal data from and about you.
Personal Data You Provide Us. We collect personal data that visitors to the Websites send to us electronically, for example when completing any “free text” boxes in our forms (such as on our “Information Request” or “Contact Us” page), or requesting information or subscribing to emailing lists. While the type of personal data we collect through these methods depends on the nature of your inquiry, it typically includes name, email address, and other contact information. If you register on our Websites, we will also collect information such as a username and password.
1.2.2 How and the Legal Basis for which we Use Personal Data Collected from Website Visitors
As necessary for certain legitimate business interests, which include the following:
- To authenticate users and provide access to the Websites;
- To respond to your inquiries and fulfil your requests for products, services, and information;
- Where you have consented to receive direct marketing communications, or where you have previously purchased similar services or products from us, to send you administrative messages and marketing communications (in accordance with applicable local legal requirements) about products, services, and initiatives that we think may be of interest to you;
- To prevent fraud or criminal activity, misuse of our products or services, and ensure the security of our IT systems, architecture and networks; and
- To (a) comply in good faith with legal obligations and legal processes; (b) respond to requests from public and government authorities including public and government authorities outside your country of residence; (c) enforce our legal terms; (d) protect our operations or those of any of our affiliates; (e) protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (f) allow us to pursue available remedies or limit the damages that we may sustain, as required or permitted by the law.
Note about cookies and tracking technologies. Our Websites use cookies and similar technologies to operate and administer our Websites, analyze usage data, advertise our services, and make it easier for you to use the Websites during future visits. For more information on how we use these types of technologies, please see our Cookies Notice [here].
Do Not Track Signals. . The Websites currently do not respond to “Do Not Track” (“DNT”) signals and operate as described in this Notice whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Notice to describe how we do so.
Links to Other Websites. This Notice only applies to our Websites. The Websites may contain links to other websites not operated or controlled by us (“Third Party Websites”), including social media services such as Twitter, YouTube, Vimeo, or LinkedIn (“Social Media Services”). The information that you share with Third Party sites will be governed by the specific privacy policies and terms of service of the Third-Party sites and not by this Notice. We do not own, control or operate such Third-Party Websites, and we are not responsible for the privacy policies or practices of such Third-Party Websites. By providing these links, we do not imply that we endorse or have reviewed these Third-Party Websites. We encourage you to read the privacy policies of such Third-Party Websites before disclosing personal data on Third Party Websites.
1.3 Key Opinion Leaders and Healthcare Professionals.
1.3.1 Personal Data We Collect from Healthcare Professionals and Key Opinion Leaders
We collect personal data about you as Healthcare Professionals (“HCPs”) and Key Opinion Leaders (“KOLs”) through interactions we have with you, from patient advocacy groups, study sites, from publicly available sources, including public websites, public databases (e.g. public transparency reporting records) referrals, research papers, and professional networking platforms and social media pages (e.g. LinkedIn). If you attend scientific or educational meetings, conferences, symposiums and workshops we sponsor, we also receive information regarding your attendance from the organizations that conduct those events in accordance with the sharing permissions granted to such organizations. For further detail on the organizations from whom we receive information relating to you, please contact our Data Protection Officer using the information in the “Contact Information” section below at any time.
We may occasionally purchase the contact details of HCPs who might be interested in hearing from us. Before purchasing such information, we will check with the vendor that any personal information was originally collected in a compliant manner, to make sure that we only contact people who have actively expressed an interest in receiving information from third parties and where it is lawful to do so (e.g. vendors such as IQVIA, Veeva and/or OpenData etc.). You can access such vendor privacy notices from respective vendor websites. Relevant personal data we may purchase in this instance includes contact details, (academic) title, specialty, work address, phone number work language, type of your practice, your position, current and past engagements, etc.
For HCPs and KOLs based in the EEA, UK and Switzerland, we have a separate privacy notice which you can access [here].
How and the Legal Basis for which We Use Information from Key Opinion Leaders and Healthcare Professionals
Where necessary for BridgeBio’s legitimate interests, as listed below, and where our interests are not overridden by your data protection rights, we may use personal data collected from Key Opinion Leaders and Healthcare Professionals:
- To manage and administer our relationship with you and to respond to your requests;
- To record, investigate and respond to complaints;
- To manage and follow up on Adverse Events reports.
Where necessary to comply with a legal obligation, including sharing your personal data in order to respond to requests from law enforcement authorities.
With your consent, we may use your personal data:
- To provide you with information about our activities or tailored information about a program that you have signed up to;
- To understand our stakeholders’ needs and sentiments and market trends, so that we can improve our products and services (where such communication includes marketing);
- To seek your views on our products and services (where such communication includes marketing);
- we may also request information, pictures and/or videos when organizing events, congresses etc.
1.4 Vendors
1.4.1 Personal Data We Collect from Venders
We collect personal data about vendor employees, contractors and representatives when we contact them about using their products and services or once we have engaged such vendors to perform services on our behalf. Such personal data may include name, job title, and contact information.
1.4.2 How and the Legal Basis for which We Use Personal Data from Vendors
Where necessary for BridgeBio’s legitimate interests, and where our interests are not overridden by your data protection rights, we may use personal data collected from vendors to contact them about their products or services, perform diligence on such products and services, for billing and administrative purposes, and for recordkeeping purposes.
1.5 Job Candidates
1.5.1 Personal Data We Collect from Job Candidates
We collect personal data from job candidates when they apply to positions at BridgeBio, including name, contact information, resume, reference information, and other information submitted as part of the application process.
1.5.2 How and the Legal Basis for which We Use Personal Data of Job Candidates
We may use personal data collected from job candidates to process their applications, schedule interviews, communicate with them, evaluate their candidacy and application materials, contact references, and keep records for our internal human resources purposes. We may retain personal data related to job candidates for our legitimate business purposes and where permitted by applicable law, including to contact candidates about future opportunities, and to comply with legal requirements.
For job candidates based in the EEA, UK and Switzerland, please see our separate candidate privacy notice available [here].
2. SHARING AND DISCLOSURE OF PERSONAL DATA
With your consent, we may share or disclose your personal data at your direction, such as when you specifically authorize a third-party to access personal data that we maintain about you (e.g., your health care provider).
Where necessary for our legitimate interests and where our interests are not overridden by your data protection rights, we may, from time to time, disclose your personal information amongst our affiliates and to third parties for the purposes referred to above including to:
- manage and administer our (or our affiliates’) relationship with you and to respond to your requests;
- protect our operations or those of any of our affiliates;
- protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
There are certain circumstances in which we may share your personal data with third parties without further notice to you, unless required by applicable law, as set forth below:
- Vendors and Service Providers: We disclose your information to other entities providing services on our behalf, including entities providing us with research services, providers of administrative services such as email communication (including appointment reminders, investment information you request through the Websites), event organization and travel agencies, for processing and mailing purposes, customer relationship management, support services, and other business operations such as data storage, data analytics providers (in connection to Website analytics), distributors, IT and data security, legal services etc. Pursuant to our instructions, these parties will access, process or store personal data only in the course of performing their duties to us.
- Business partners and research organizations who collaborate with us in relation to our products and services, such as researchers with who we partner, companies with which we co-develop an investigational drug, etc.
- Business Transfers or Acquisitions: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your personal data may be transferred to a successor or affiliate as part of that transaction along with other assets, to potential acquirers, financiers, and professional advisers in connection with a proposed sale, assignment or other transfer.
- Legal Requirements: If required to do so by law or in response to a government or law enforcement agency, or in the good faith belief that such action is necessary, including but not limited to (a) comply with a legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of you, us, or the public, or (d) protect against legal liability.
3. DATA RETENTION
We will keep your personal data for as long as reasonably necessary for the purposes described in this Notice. For instance, for certain processing we will retain your personal data for so long as we have a legitimate business need to do so, or for certain personal data we will retain the processing for such period as is required by law (e.g. for regulatory reporting including to government entities who may oversee the safety and efficacy of Research, legal, tax, accounting or other purposes). For information collected as part of Research, unless otherwise required in order for us to comply with industry regulations or law, we will retain your personal data for at least two years after our drug candidate/treatment has been approved by regulators, or at least two years after an application for approval has been withdrawn.
To determine the appropriate retention period for your personal data, we will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements. For further information in relation to our retention periods please contact our Data Protection Officer using the information in the “Contact Information” section below at any time.
De-identified information. In accordance with applicable legal requirements, we may de-identify personal data collected from and about you so that it can no longer be linked to you or your device. Information that has been de-identified in such a way is no longer subject to this Notice and can be used and shared by us in our discretion, and maintained indefinitely.
4. YOUR RIGHTS AND CHOICES
Your local laws may permit you to:
- request access to and/or a copy of certain personal data we hold about you
- object to the processing of your personal data for direct-marketing purposes (including any direct marketing processing based on profiling)
- request that we update or rectify personal data which is out of date or incorrect
- request that we delete certain personal data which we are holding about you
- oppose, cancel, or restrict the way that we process and disclose certain personal data
- receive and transfer your personal data to a third-party provider of services
- withdraw your consent for the processing of your personal data, which will not affect the lawfulness of processing prior to the withdrawal
We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain personal data may be exempt from such requests in some circumstances, which may include if we need to keep processing your personal data for our legitimate interests, to comply with a legal obligation, or where the personal data provided in connection with Research is necessary in the public interest. For example, in order to safeguard the validity of the Research and comply with regulatory obligations related to clinical trials, we may not be able to delete your Research data even if you decided to stop participating in the Research. If we are unable to comply with your request in full or part, we will confirm this with you and the reasoning behind our position.
Please note that in certain circumstances we will need to provide you with certain information in order for us to comply with legal obligations or to administer our relationship with you. We will inform you where such personal data is required and the consequences of failing to provide such personal data (which may include an inability for us to consider you as a Research Participant or to create an account on our Websites).
We may request you provide us with information necessary to confirm your identity before responding to your request as required or permitted by applicable law. If you would like further information in relation to your legal rights under applicable law, or would like to exercise those rights, please contact our Data Protection Officer using the information in the “Contact Information” section below at any time.
In some circumstances, we may need to route your request to a Research Partner who maintains your personal data in connection with Research to request to exercise your rights.
5. INFORMATION FOR EUROPEAN ECONOMIC AREA (EEA), UK, AND SWISS RESIDENTS
In addition to the above, this section of the Notice applies if you are a resident of the European Economic Area (EEA) (which includes the European Union and the countries of Iceland, Liechtenstein and Norway), the United Kingdom, or Switzerland. Please read specific privacy notices for HCPs/KOLs and job applicants here: Please read specific privacy notices for HCPs/KOLs [here] and job applicants [here].
5.1 Data Controller
BridgeBio and the BridgeBio subsidiary or affiliate that engages directly with you, offers the Website you are using, administers the Research in which you are participating, or otherwise are the data controllers for processing your personal data. To find out our contact details, please see the “Contact Us” section below.
5.2 Data Protection Officer – Contact Details
BridgeBio has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO) for the EEA and the UK and may be reached:
- by using the following email: [email protected]
- by mail at the following address:
Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
If you are an EEA, UK resident, and would like to contact our Data Protection Officer on matters related to the processing of personal data, or otherwise exercise your rights in respect of your personal data (described above), please contact [email protected].
5.3 Data Protection Representative – Contact Details
When required, our appointed Data Protection Representative will be:
-
- For Europe (EEA)
BridgeBio Europe BV
LunA Arena, Herikerbergweg 238,
1101 CM Amsterdam
The Netherlands
Email: [email protected]
- For Europe (EEA)
-
- For the UK
BridgeBio UK Limited
20 Farringdon Street, 8th Floor,
London, EC4A 4AB,
United Kingdom
Email: [email protected]
- For the UK
- For Switzerland
BridgeBio International GmbH
Bahnhofstrasse 100, 8001
Zurich, Switzerland
Email: [email protected]
6. UNITED STATES PRIVACY DISCLOSURE
Please note that we do not currently meet the threshold applicability requirements of U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA”). If we meet those thresholds in the future, we will update this Notice to include applicable disclosures related thereto.
7. COLLECTION OF PERSONAL DATA FROM MINORS
In general, our Websites and services are intended for general audiences and not for minors. No personal data should be submitted to BridgeBio through the website by visitors who are less than 18 years old. If we become aware that we have collected personal data without legally valid parental consent from minors under an age where such consent is required pursuant to applicable law, we will take reasonable steps to delete it as soon as possible. In connection with our Research, we obtain legally adequate parental consent before allowing minors (under the age of majority in their jurisdiction of residence) to serve as Research Participants.
8. CHANGES TO THIS NOTICE
The Websites, our Research, and our business may change from time to time. As a result, we may change this Notice at any time and when we do, we will post an updated version on this page and change the Last Updated date above, unless another type of notice is required by the applicable law. You should consult this Notice regularly for any changes. By continuing to use the Websites, participate in Research, or providing us with information after we have posted an updated Notice, or notified you if applicable, you consent to the revised Notice and practices described in it.
9. INTERNATIONAL USERS AND DATA TRANSFERS
BridgeBio Pharma Inc. is an international organization with affiliates and subsidiaries in and outside the United States. We transfer the personal data we collect about you to within BridgeBio (to other BridgeBio affiliates worldwide) and to third parties. Such data transfers include the transfer of personal data to countries that may not have the same level of data protection as the country in which the personal data initially originated. Where cross-border data transfers occur, we ensure that an adequate level of data protection exists in the recipient country, by executing with third-parties appropriate contractual arrangements for cross-border data transfers to third-party countries for controllers or processors as applicable. For transfers governed by UK and EU GDPR, these- measures will include transfers based on adequacy decisions, EU standard contractual clauses (SCCs), the UK international data transfer agreements and addendum to the EU SCCs supplemented by any supplementary measures as may be required.
10. DATA SECURITY
We have implemented a variety of technological and organizational procedures and measures to protect your personal data from unauthorized access, use and disclosure. However, please note that no method of Internet transmission can be completely secure.
11. CONTACT US – CONTROLLER CONTACT DETAILS
Please feel free to contact us if you have any questions about our Notice or our information practices.
You may contact us as follows: You may send an email to [email protected] or send mail to:
Attn: Legal Department
c/o BridgeBio Pharma, Inc.
3160 Porter Drive
Palo Alto, CA 94304
If you have any concerns or complaints about our data processing activities, we urge you to contact our DPO to attempt to resolve such issues directly with us. However, if applicable, you may make a complaint to the data protection supervisory authority in the country where you are based or seek a remedy through local courts if you believe your rights have been breached.