BridgeBio HCP Privacy Notice

What does this notice cover?

BridgeBio Pharma, Inc., a company with its registered office at 3160 Porter Drive, Suite 250, Palo Alto, CA 94304, USA, as well as its affiliates and subsidiaries that link to this Notice (collectively, referred to as “BridgeBio”, “we,” “our,” or “us” and “Controller”) is committed to handling personal data (“Personal Data”) responsibly and in accordance with applicable law. This Privacy Notice explains our data collection and processing practices in the context of your relationship with BridgeBio. It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the "Your choices and rights" section. Please note that this Notice does not cover your use of our websites as a consumer or investor or involvement in any of our research or clinical trials. You will be presented with different privacy notices in those contexts.

By contacting BridgeBio or interacting with us, you agree (on behalf of yourself or any individual/legal entity you represent) that you have read, understood, and agree to the practices described in this Notice. This is a notice of our privacy practices; it does not create any agreement between BridgeBio and you.

Who is the data controller for your data?

In addition to BridgeBio Pharma, Inc., your personal data may also be processed by the BridgeBio company with which you are in contact (also acting as a controller), as it decides which data is processed, and why and how it is being processed. It may exercise this responsibility alone or jointly with other companies in the BridgeBio group, acting as “joint-controllers”. Other BridgeBio companies, namely BridgeBio Pharma Inc. and BridgeBio International GmbH, may also be separate independent controllers for some of the data we collect. For example, the BridgeBio company with which you are in contact may share your Personal Data with such other BridgeBio entities for centralised data processing activities. If you would like more information about which controller is relevant for your Personal Data, please contact us at the contact details below.

How do we collect your personal data?

We may collect or obtain Personal Data in the following ways:

  • Directly from you or someone acting directly on your behalf: when you attend and participate in meetings or correspond with us, as well as when you register on our website or for our newsletter, we collect various types of personal data about you.
  • From third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, search information providers and social listening providers), from whom we may receive information about you.
  • From other organisations, if you have provided permission for these organisations to share your Personal Data with us or other like companies. Before providing permission to such third-party organisations to share your personal data, you should check their privacy notices carefully.
  • From publicly available sources (where possible) to keep your Personal Data up to date, for example from professional registration databases.
  • We may occasionally purchase the contact details of people who might be interested in hearing from us. Before purchasing such information, we will check with the vendor that your Personal Data was originally collected in a compliant manner, to make sure that we only contact people who have actively expressed an interest in receiving information from third parties and where it is lawful to do so. We receive information about your professional life (such as medical specialisation and professional background) from vendors such as IQVIA or Veeva Open Data.

What information do we collect from you?

We collect and process different Personal Data about you, as outlined below. For consumers residing in California, the information below relates to the last 12 months only.

  • Your contact information and identification data (e.g. name, first name, last name, gender; email and/or postal address, fixed and/or mobile phone number);
  • Your professional and academic information (e.g. title, position, name of employer/institution, CV or any other information contained in a biography, specialties, education, awards, publications, congress activities, media and social media activities, links to universities, expertise, publications and presentations, and contributions to clinical trials, ad boards and other organizations);
  • Information about the scientific and medical activities you have with us;
  • Your electronic identification information, as may be required for our interactions (e.g. login, access right, password, badge number, IP address, online identifiers/cookies, access and connection times, image recording or sound);
  • Your responses to questionnaires or surveys (including market research surveys);
  • Profile data, including data that you provide to us, for example when you fill in forms, during events you attend, or when you answer questions during a conversation;
  • Travel documentation including passport number, flights, hotels, and other information related to any travel plans coordinated by or on behalf of BridgeBio for you;
  • Transaction and financial data including details about payments to and from you (e.g. credit card details; bank account details; tax ID number);
  • Photographs and recordings, including video and audio recordings undertaken during meetings with you;
  • Communications data, including your preferences in receiving communications from us, channels of communication and frequency.
  • We may also gather personal data about you and your opinion of BridgeBio and/or on BridgeBio products/investigational products and/or services, on the basis of publicly accessible social media content you post about BridgeBio and our products and services.

How do we use your Personal Data, and, if applicable, what is our legal basis?

We process Personal Data for the following business, commercial, and operational purposes. (If applicable laws require a “legal basis” to process Personal Data, we indicated our legal bases applicable for only those jurisdictions. The legal bases provided herein do not apply in any jurisdictions not requiring such.)

Where necessary for BridgeBio’s legitimate interests, and where our interests are not overridden by your data protection rights:

  • Operating and administration of BridgeBio’s business, including but not limited to supporting safe, responsible, compliant, and ethical business and commercial operations; facilitating quality and safety of our products and research; conducting audits and investigations; managing our financial and other accounts; developing and improving our products; etc. We may use any of the categories of Personal Data, including but not limited to contact information, background information, education history, and photographs and recordings.
  • To manage and administer our relationship with you. We may use any of the categories of Personal Data, including but not limited to contact information, background information, education history, and photographs, video, and audio information;
  • To conduct questionnaires, surveys, and other inquiries and to process your responses to such, including any follow up actions (unless such activities are processed in accordance with your consent). We may use any of the categories of Personal Data, including but not limited to contact information, background information, professional information, your responses, and photographs and recordings.
  • To respond to your inquiries and your requests. We may use your contact information or any other Personal Data you share with us. Unless otherwise requested by BridgeBio, we request that you do not share any sensitive or health information with us unless we request it under obligations under law;
  • To provide you with information about our activities or tailored information about a programme that you have signed up to (unless such activities are processed in accordance with your consent). You have the right to opt out of communications at any time. We use your contact information, like name, address, email, phone, etc. for this purpose;
  • For market research purposes to better understand your experiences, opinions and perceptions of the disease and treatment or management of patients, as well as to seek your views on our products and services and to better understand our stakeholders’ needs and sentiments and market trends, so that we can improve our products and services. We may use your contact information or any other Personal Data you share with us;
  • To manage, plan, and execute communications and interactions with you, mapping your connections with other stakeholders who are relevant to us. We may use your contact information, your professional information, or any other Personal Data you share with us;
  • To invite you to events and/or company organized meetings sponsored by us (e.g. medical events; advisory boards; speaker events; conferences). We may use your contact information and professional information;
  • For the purposes of the establishment, exercise or defense of legal claims, as well as to record, investigate and respond to complaints. We may use any of the Personal Data described above depending on the nature of the claims or complaint; and
  • To protect certain rights and interests, including but not limited to protecting the health, safety, and security of BridgeBio, its employees, patients, caregivers, HCPs, and the general public; enforcing our legal rights; and pursuing remedies or otherwise taking steps to limit losses and liabilities. We may use your contact information to investigate violations of our contracts or health and medical information in an emergency.

Please note that, when processing your Personal Data based on legitimate interests, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such “legitimate interest” include:

  • Identifying key stakeholders to develop a better understanding of their activities and to initiate further contacts with them;
  • To develop a proximity and trustful relationship with external stakeholders;
  • To understand the markets;
  • To ensure that our investigational drugs and the design of our clinical trials correspond to patient needs; and
  • To sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party.

Where necessary to comply with a legal obligation, such as:

  • Regulatory monitoring and reporting obligations, including those related to Adverse Events, product complaints and product safety. We may use your contact information, health information, and mental and physical characteristics. We process this Personal Data only when required by law and as necessary for reasons of public interest in the area of public health;
  • To respond to requests from law enforcement authorities. We may use your contact information, employment-related information, financial information, contractual information, and other information;
  • To comply with anti-corruption and transparency obligations. We may use your contact information, employment-related information, and financial information; and
  • To verify your eligibility to access certain products, services and data that may be provided only to licensed HCPs, or otherwise conducting background checks to ensure that we are not prevented from working with you. We may use your contact information, employment-related information, and financial information.

Related to a contract (including any processing in contemplation of a contract) between us:

  • To implement tasks in preparation of or to perform existing contracts. We may use your contact information, employment-related information, and financial information;
  • Hiring you to provide services or partner with you. We may use your contact information and financial information;
  • Giving donations, grants, and access to products through compassionate use. We may use your contact information, health information, mental and physical characteristics, employment-related information, education history, and demographic information. For access to products through compassionate use, BridgeBio uses reasonable efforts to maintain your confidentiality, even from us; as such, we rely on your HCP to provide you with any Privacy Notice and provide us with the appropriate limited Personal Data on your behalf; and
  • Other contractual interactions.

In accordance with your consent:

  • To provide you with information about our activities or tailored information about a programme that you have signed up to (where consent is required under applicable law). You have the right to opt out of communications at any time. We use your contact information, like name, address, email, phone, etc. for this purpose;
  • To conduct questionnaires, surveys, and other inquiries and to process your responses to such, including any follow up actions (where consent is required under applicable law). We may use any of the categories of Personal Data, including but not limited to contact information, background information, professional information, your responses, and photographs and recordings; and
  • To collect information from or about you (where consent is required under applicable law), including any requests for information, pictures and/or videos when organising events, congresses, etc. We use your contact information, photographs, audio, video, and sensitive information, such as health and medical information and mental and physical characteristics.

We may provide you with more specific notices for some of the processing described above and, if we require your consent, will ask for this at the time we collect your personal data.

Due to the nature of our business, BridgeBio may be subject to a number of legal requirements, thus requiring BridgeBio to collect and use Personal Data and sensitive information (including health information and mental and physical characteristics) to meet these requirements. When permissible under the law, we will attempt to limit and protect the Processing of your Personal Data to the extent possible, for example, by pseudonymizing information, while still complying with our legal obligations. In line with these requirements, we may contact you for further information about the adverse event or quality complaints that you have reported, as well as to provide you feedback on measures taken, if requested by you. The information we are requesting is the minimum necessary for BridgeBio to satisfy the regulatory obligations of the US Food and Drug Administration (FDA), the European Medicines Agency (EMA) and other applicable regulatory authorities regarding adverse event reporting by pharmaceutical manufacturers.

How do we share this information?

We may, from time to time, share or disclose your Personal Data for the limited purposes as follows:

  • Within the BridgeBio family of companies – we may share your Personal Data among the different BridgeBio entities to administer and manage group functions;
  • With service providers – these are entities that help perform services on our behalf, such as answering questions about products or services, sending mail and emails, conducting surveys and questionnaires, assessment and profiling and when using auditors or other professional advisors. These vendors, which include, without limitation, IT system providers, cloud service providers, database providers, communication & event organization agencies, are required to protect the information we share with them with appropriate organizational and technical safeguards and to use such information as necessary to provide services to us;
  • With regulators and other governmental entities – we may access, preserve, and share your personal data with regulators, law enforcement, or others in response to a valid legal request if we have a good-faith belief that the law required us to do so; or we conclude that such sharing is necessary to detect, prevent, and address fraud, unauthorized use of our systems, prevent violations of our terms, or protect our rights or the rights of others. We may further share your Personal Data with government agencies and publicly disclose it in order to comply with our transparency reporting obligations;
  • With a partner organisation - if we run an event in partnership with other named organisations, your Personal Data may need to be shared. We will be very clear what will happen to your data when you register; and
  • If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data may be transferred to a successor or affiliate as part of that transaction along with other assets, to potential acquirers, financiers, and professional advisers in connection with a proposed sale, assignment or other transfer.

How do we operate and transfer data as part of our global business?

As a global company headquartered in the United States, we share data globally, both internally within the BridgeBio family of companies, and externally with our service providers. When we transfer your personal data to other countries, we take steps to ensure your personal data is adequately protected, using transfer mechanisms such as EU-approved standard contractual clauses. A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

How long do we retain your Personal Data?

We will keep your Personal Data for as long as reasonably necessary for the purposes described in this Notice. For instance, for certain processing we will retain your Personal Data for so long as we have a legitimate business need to do so, or for certain Personal Data we will retain the processing for such period as is required by law (e.g. for regulatory reporting including to government entities who may oversee the safety and efficacy of Research, legal, tax, accounting or other purposes). To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements. For further information in relation to our retention periods please contact us or our Data Protection Officer using the information in the “Contact Information” section below at any time.

How can you exercise your rights provided under applicable data protection laws?

Please note that we do not currently meet the threshold applicability requirements of U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA”). If we meet those thresholds in the future, we will update this Notice to include applicable disclosures related thereto.

Depending on your jurisdiction, your local laws may permit you to:

  • request access to and/or a copy of certain Personal Data we hold about you
  • object to the processing of your Personal Data for direct-marketing purposes (including any direct marketing processing based on profiling) or the sale of your Personal Data
  • request that we update or rectify Personal Data that is out of date or incorrect
  • request that we delete certain Personal Data that we are holding about you
  • oppose, cancel, or restrict the way that we process and disclose certain Personal Data
  • receive and transfer your Personal Data to a third-party provider of services
  • withdraw your consent for the processing of your Personal Data, which will not affect the lawfulness of processing prior to the withdrawal
  • opt out of communications from us at any time by following any Unsubscribe or opt-out instructions in the communication, including selecting the unsubscribe link. We may still need to send you important administrative messages even if you opt out of receiving communications

Automated decision making: BridgeBio does not engage in any Automated Decision making.

Verification (For California Residents Only): When you make a request, please provide your full name (first and last name), email address, city, and state of residence, and which of the right(s) described above that you are requesting. We will verify your request against our records. We cannot fulfill any unverified or incomplete requests.

We do not and will not discriminate against you for exercising your data subject rights; however, we cannot guarantee that all services and features will be available and will not be impacted because of your request.

You may designate an authorized agent to request data subject rights on your behalf by providing a signed and authenticated letter that identifies (i) your agent and (ii) the purposes for and nature of your appointment of an agent. If you are an authorized agent, you must provide the information described in “Verification” hereinabove about the consumer for which you are acting as an agent, as well as your own full name (first and last name), email address, and a letter, signed by the consumer, that appoints you as their agent. In some instances, we may decline to honor your request if an exception applies under applicable law; however, we will respond to your request in compliance with applicable law.

We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain Personal Data may be exempt from such requests in some circumstances, which may include if we need to keep processing your Personal Data for our legitimate interests, to comply with a legal obligation, or where the Personal Data provided in connection with Research is necessary in the public interest.

Please note that in certain circumstances we will need to provide you with certain information in order for us to comply with legal obligations or to administer our relationship with you. We will inform you where such Personal Data is required and the consequences of failing to provide such Personal Data.

We may request you provide us with information necessary to confirm your identity before responding to your request as required or permitted by applicable law. If you would like further information in relation to your legal rights under applicable law, or would like to exercise those rights, please contact us or our Data Protection Officer using the information in the “Contact Information” section below at any time.

How do we protect your Personal Data?

We have implemented a variety of technological and organizational procedures and measures to protect your personal data from unauthorized access, use and disclosure. However, please note that no method of Internet transmission can be completely secure. Please take steps to protect yourself, including using and protecting your unique login credentials and passwords, utilizing encryption, personal firewalls, and anti-virus solutions.

How do we treat your Personal Data if you are a minor?

In general, the services described in this Notice are intended for healthcare professionals and not for minors. No Personal Data or inquiries should be submitted to BridgeBio by individuals who are less than 18 years old. If we become aware that we have collected personal data without legally valid parental consent from minors under an age where such consent is required pursuant to applicable law, we will take reasonable steps to delete it as soon as possible.

How to contact us with questions.

Please feel free to contact us if you have any questions about our Notice or our information practices.

You may contact us as follows: You may send an email to dataprivacy@bridgebio.com or send mail to:

Attn: Legal Department
c/o BridgeBio Pharma, Inc.
3160 Porter Drive, Suite 250
Palo Alto, CA 94304

If you have any concerns or complaints about our data processing activities, we urge you to contact our DPO to attempt to resolve such issues directly with us. However, if applicable, you may make a complaint to your governmental authority or data protection supervisory authority in the state or country where you are based.

You may also contact our Data Protection Officer. BridgeBio has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO) for the EEA and the UK and may be reached:

  • by using the following email: DPO.BridgeBio@twobirds.com
  • by mail at the following address:

    Bird & Bird DPO Services SRL
    Avenue Louise 235 b 1 1050
    Brussels, Belgium

If you are an EEA or UK resident and would like to contact our Data Protection Officer on matters related to the processing of personal data, or otherwise exercise your rights in respect of your personal data (described above), please contact dataprivacy@bridgebio.com.

In addition to the above, you may also have the right to lodge a complaint with your Supervisory Authority, if applicable; available here.

If you would like to exercise your rights under U.S. State Privacy Laws, please contact us at dataprivacy@bridgebio.com or call our U.S. toll-free phone number at 1-877-595-8877.

How can you learn about changes to this Notice?

We may change this Notice from time to time. If we make changes to the Notice that are material, we will provide you with notice in accordance with applicable legal requirements.