What does this notice cover?
BridgeBio Pharma, Inc., along with its affiliates and subsidiaries worldwide (collectively, “BridgeBio”, “we,” “us,” or “our”), is committed to handling personal data responsibly and in accordance with applicable law. This Privacy Notice explains our data collection and processing practices in the context of your relationship to us if you are in the European Economic Area, Switzerland and the United Kingdom. It also describes your data protection rights, including a right to object to some of the processing which we carry. More information about your rights, and how to exercise them, is set out in the “Your choices and rights” section.
Please note that this does not cover your use of our websites as a consumer or investor or involvement in any of our research or clinical trials. You will be presented with different privacy notices in those contexts.
Who is the data controller for your data?
The information in this notice explains the way that all BridgeBio companies process personal data. The data controller for your data will be the BridgeBio company with which you are in contact, as it decides the data processing, and why and how it is being processed. It may exercise this responsibility alone or jointly with other companies in the BridgeBio group, acting as “joint-controllers”.
Other BridgeBio companies, namely BridgeBio Pharma Inc. and BridgeBio International GmbH, may also be separate independent controllers for some of the data we collect. For example, as the BridgeBio company with which you are in contact may share your personal data with such other BridgeBio entities for centralised data processing activities. If you would like more information about which controller is relevant for your personal data, please contact us at the contact details below.
What information do we collect from you?
When you attend and participate in meetings or if you correspond with us, as well as when you register on our website, or when you register for our newsletter, we collect various types of personal data about you, including:
- Your identification information and contact data (e.g. name, first name, last name, gender; email and/or postal address, fixed and/or mobile phone number);
- Your function and professional activities (e.g. title, position, name of employer/institution, specialities, education, awards, publications, congress activities, media and social media activities, links to universities, expertise and contributions to clinical trials, ad boards and other organizations);
- Information about the scientific and medical activities you have with us;
- Your electronic identification information, as may be required for our interactions (e.g. login, access right, password, badge number, IP address, online identifiers/cookies, access and connection times, image recording or sound);
- Profile data, including data that you provide to us for example when you fill in forms or during events you attend, or when your answer questions during a conversation or survey;
- Transaction data including details about payments to and from you (e.g. credit card details; bank account details; tax ID number);
- Recordings, including video and audio recordings undertaken during meetings with you;
- Communications data, including your preferences in receiving communications from us, channels of communication and frequency.
We may also gather personal data about you and your opinion of BridgeBio and/or on BridgeBio products/investigational products and/or services, on the basis of publicly accessible social media content you post about BridgeBio and our products and services.
- Information we receive about you from other sources.
- We work with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, search information providers and social listening providers) and may receive information about you from them.
- We may receive information if you have provided permission to other organisations to share it with us. Before providing permission to such third-party organisations to share your personal data, you should check their privacy notices carefully.
- We may take information from publicly available sources (where possible) to keep your information up to date, for example from professional registration databases.
- We may occasionally purchase the contact details of people who might be interested in hearing from us. Before purchasing such information, we will check with the vendor that your information was originally collected in a compliant manner, to make sure that we only contact people who have actively expressed an interest in receiving information from third parties and where it is lawful to do so. We receive information about your professional life (such as medical specialisation and professional background) from vendors such as IQVIA or Veeva Open Data.
How do we use this information, and what is our legal basis?
We must have a legal basis to process your data. We explain each of these legal bases below. We also set out the purposes for which we process your data.
- Where necessary for BridgeBio’s legitimate interests, as listed below, and where our interests are not overridden by your data protection rights:
- To manage and administer our relationship with you
- To respond to your inquiries and your requests
- To provide you with information about our activities or tailored information about a programme that you have signed up for
- To seek your views on our products and services
- To manage, plan and execute communications and interactions with you, mapping your connections with other stakeholders who are relevant to us;
- To invite you to events and/or company organized meetings sponsored by us (e.g. medical events; advisory boards; speaker events; conferences);
- To implement tasks in preparation of or to perform existing contracts;
- For administrative purposes (e.g. to prepare transcripts and general report summaries of meetings with you);
- For training and quality assurance purposes;
- For the purposes of the establishment, exercise or defence of legal claims;
- To record, investigate and respond to complaints;
- To understand our stakeholders’ needs and sentiments and market trends, so that we can improve our products and services.
Please note that, when processing your personal data based on legitimate interests, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such “legitimate interest” include:
- Identifying key stakeholders to develop a better understanding of their activities and to initiate further contacts with them;
- To develop a proximity and trustful relationship with external stakeholders;
- To understand the markets;
- To ensure that our investigational drugs, the design of our clinical trials correspond to patient needs;
- To sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party.
- Where necessary to comply with a legal obligation such as:
- Regulatory monitoring and reporting obligations, including those related to Adverse Events, product complaints and product safety;
- To respond to requests from law enforcement authorities;
- To comply with anti-corruption and transparency obligations;
- To verify your eligibility to access certain products, services and data that may be provided only to licensed HCPs or other conducting background check to ensure that we are not prevented from working with you.
- With your consent:
- To provide you with information about our activities or tailored information about a programme that you have signed up to;
- We may also request information, pictures and/or videos when organising events, congresses etc.
We may provide you with more specific notices for some of the processing described above and, if we require your consent, will ask for this at the time we collect your personal data.
How do we share this information?
We share information about you for some limited purposes as follows:
- Within the BridgeBio family of companies – we may share your information among the different BridgeBio entities to administer and manage group functions.
- With service providers – these are entities that help perform services on our behalf, such as answering questions about products or services, sending mail and emails, assessment and profiling and when using auditors or other professional advisors. These vendors, which include, without limitation, IT system providers, cloud service providers, database providers, communication & event organization agencies, are required to protect the information we share with them with appropriate organizational and technical safeguards and to use such information as necessary to provide services to us.
- With regulators and other governmental entities – we may access, preserve, and share your information with regulators, law enforcement, or others in response to a valid legal request if we have a good-faith belief that the law required us to do so; or we conclude that such sharing is necessary to detect, prevent, and address fraud, unauthorized use of our systems, prevent violations of our terms, or protect our rights or the rights of others. We may further share your information with government agencies and publicly disclose it in order to comply with our transparency reporting obligations.
- With a partner organisation – if we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register.
- If we merge with another organisation or form a new entity, your personal data may be transferred to that new entity.
How do we operate and transfer data as part of our global business?
As a global company headquartered in the United States, we share data globally, both internally within the BridgeBio family of companies, and externally with our service providers. When we transfer your personal data to other countries, we take steps to ensure your personal data is adequately protected, using transfer mechanisms such as EU-approved standard clauses. A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.
We will retain and process personal data relating to you for three years following the date of our last interaction with you, or longer if required to comply with our legal or regulatory obligations, to resolve disputes or as necessary for our legitimate interests.
How can you exercise your rights provided under applicable data protection laws?
Depending on your jurisdiction, you may have the right, subject to applicable exceptions and adequate verification of your identity, to access, rectify, port (where technically feasible), and delete your data. You may also have the right to object to and restrict certain processing of your data. If you have unresolved concerns, you may have the right to complain to a data protection authority. If you would like to exercise such a right, please contact us at the details below.
How to contact us with questions.
If you have any questions, you can contact our data protection officer at [email protected].
How can you learn about changes to this Notice?
We may change this Notice from time to time. If we make changes to the Notice that are material, we will provide you with notice in accordance with applicable legal requirements.