Medical Information Privacy Notice
Welcome to the Medical Information Privacy Notice (“Notice”) of BridgeBio Pharma, Inc., a company with its registered office at 3160 Porter Drive, Suite 250, Palo Alto, CA 94304, USA, as well as its affiliates and subsidiaries that link to this Notice (collectively, referred to as “BridgeBio”, “we,” “our,” or “us” and “Controller”). In this Notice, we describe our general medical information practices regarding how we collect, use and disclose “personal data” (i.e., information related to an identified or identifiable person) of patients, caregivers, health care professionals, and any other individuals with whom we interact. BridgeBio is a team of experienced drug discoverers, developers, and innovators working to create life-altering medicines that target well-characterized genetic diseases at their source. We understand the importance of your privacy and are committed to providing appropriate privacy protections to everyone we collect personal data from.
This Notice is intended for individuals who reside in the United States of America and who are 18 years of age or older. By contacting BridgeBio or interacting with us, you agree (on behalf of yourself or any individual/legal entity you represent) that you have read, understood, and agree to the practices described in this Notice. This is a notice of our privacy practices; it does not create any agreement between BridgeBio and you.
I. HOW WE COLLECT YOUR PERSONAL DATA
We may collect or obtain Personal Data:
- Directly from you or someone acting directly on your behalf
- From your health care professional (“HCP”), including hospitals, clinics, doctors, and other HCPs
- From industry or patient advocacy organizations (“PAO”)
II. WHAT PERSONAL DATA WE COLLECT
During the last 12 months, depending on whether you are an HCP, a patient, or someone contacting BridgeBio on behalf of a patient (caregiver, patient representative, or other), different Personal Data will be collected about you, as outlined below.
Patient: If you are contacting BridgeBio yourself, we will collect the following Personal Data about you:
- Name
- Contact details (such as address, phone number, email address, fax)
- Details of your correspondence, inquiry, or product complaint
- Details of the drug product you were taking, including reason for treatment with the product, details of the product taken, the start and end date of taking the product, the dose, unit and frequency of taking the product
- Details of the side effect(s) experienced, including the start and end date
- Any additional information you choose to provide us
HCP: If you are contacting BridgeBio for yourself or on behalf of a patient, as well as collecting details relating to the patient (see above), we will collect the following Personal Data about you:
- Name
- Profession/Title and employer
- Contact details (such as address, phone number, email address, fax)
- Any additional information you choose to provide us.
Caregiver/Patient Representative/Other: If you are contacting BridgeBio for yourself or on behalf of a patient, as well as collecting details relating to the patient (see above), we will collect the following Personal Data about you:
- Name
- Contact details (such as address, phone number, email address, fax)
- Any additional information you choose to provide us.
If you are a Patient reporting an adverse event, BridgeBio may obtain sensitive personal data about you, including details about your physical or mental health, as part of the reporting process and tracking the side effect case you reported.
BridgeBio will reasonably rely on the authority of HCPs and any other individuals to act on your behalf. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.512(b) allows for health professionals to release information concerning adverse events/side effects to pharmaceutical companies.
III. WHY WE COLLECT PERSONAL DATA. (If applicable laws require a “legal basis” to Process Personal Data, we indicate our legal bases applicable for those jurisdictions only. The legal bases provided herein only apply in any jurisdictions requiring such.):
III.I. Medical Information Inquiries, Adverse Events, and Quality Complaints
We may collect your Personal Data when you contact us or when an HCP, caregiver, or someone else contacts us on your behalf. Such information (including sensitive personal data) will be provided by you or someone directly on your behalf. BridgeBio will use your Personal Data in accordance with applicable regulatory requirements to ensure the safety and quality of our medical products, as required by applicable laws or regulations. Deidentified data may also be used for scientific research and publications.
In line with these requirements, we may contact you for further information about the adverse event or quality complaints that you have reported, as well as to provide you feedback on measures taken, if requested by you. The information we are requesting is the minimum necessary for BridgeBio to satisfy the regulatory obligations of the US Food and Drug Administration (FDA), the European Medicines Agency (EMA) and other applicable regulatory authorities regarding adverse event reporting by pharmaceutical manufacturers.
Due to the nature of our business, BridgeBio may be subject to a number of legal requirements, thus requiring BridgeBio to collect and use Personal Data and sensitive information (including health information and mental and physical characteristics) to meet these requirements. When permissible under the law, we will attempt to limit and protect the Processing of your Personal Data to the extent possible, for example, pseudonymizing information, while still complying with our legal obligations.
III.II. De-identified information. In accordance with applicable legal requirements, we may de-identify Personal Data collected from and about you so that it can no longer be linked to you. Information that has been de-identified in such a way is no longer subject to this Notice and can be used and shared by us in our discretion and maintained indefinitely.
IV. SHARING AND DISCLOSURE OF PERSONAL DATA
BridgeBio may, from time to time, share or disclose your Personal Data to:
- Affiliates: When necessary, we may disclose your Personal Data amongst our affiliates for the purposes referred to above.
- Vendors and Service Providers: You may disclose directly, or we may transfer or disclose your Personal Data to third parties providing services on our behalf (“Service Providers”), including entities engaged to administer and respond to inquiries, provide support services, provide IT solutions, etc. Pursuant to our instructions, these Service Providers will access, process, or store Personal Data only in the course of performing their duties for us.
- Business partners and research organizations: We may disclose Personal Data or exchange Personal Data with business partners and research organizations who collaborate with us in relation to our products and services, such as researchers with whom we partner, companies with which we co-develop or co-market an investigational drug, etc.
- Business Transfers or Acquisitions: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data may be transferred to a successor or affiliate as part of that transaction along with other assets, to potential acquirers, financiers, and professional advisers in connection with a proposed sale, assignment or other transfer.
- Legal Requirements: If required to do so by law or in response to a government or law enforcement agency, or in the good faith belief that such action is necessary, including but not limited to (a) comply with a legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of you, us, or the public, or (d) protect against legal liability.
V. DATA RETENTION
We will keep your Personal Data for as long as reasonably necessary for the purposes described in this Notice. For instance, for certain processing we will retain your Personal Data for so long as we have a legitimate business need to do so, or for certain Personal Data we will retain the processing for such period as is required by law (e.g. for regulatory reporting including to government entities who may oversee the safety and efficacy of Research, legal, tax, accounting or other purposes). To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements. For further information in relation to our retention periods please contact us or our Data Protection Officer using the information in the “Contact Information” section below at any time.
VI. YOUR RIGHTS AND CHOICES
Many jurisdictions, including certain U.S. States, afford data subjects rights. In addition, the State of California affords consumers certain additional rights with respect to Personal Data. Please note that we do not currently meet the threshold applicability requirements of U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA”). If we meet those thresholds in the future, we will update this Notice to include applicable disclosures related thereto.
Depending on your jurisdiction, your local laws may permit you to:
- request access to and/or a copy of certain Personal Data we hold about you
- object to the processing of your Personal Data for direct-marketing purposes (including any direct marketing processing based on profiling) or the sale of your Personal Data
- request that we update or rectify Personal Data that is out of date or incorrect
- request that we delete certain Personal Data that we are holding about you
- oppose, cancel, or restrict the way that we process and disclose certain Personal Data
- receive and transfer your Personal Data to a third-party provider of services
- withdraw your consent for the processing of your Personal Data, which will not affect the lawfulness of processing prior to the withdrawal
- opt out of communications from us at any time by following any Unsubscribe or opt-out instructions in the communication, including selecting the unsubscribe link. We may still need to send you important administrative messages even if you opt out of receiving communications
Verification: When you make a request, please provide your full name (first and last name), email address, city, and state of residence, and which of the right(s) described above that you are requesting. We will verify your request against our records. We cannot fulfill any unverified or incomplete requests.
We do not and will not discriminate against you for exercising your data subject rights; however, we cannot guarantee that all services and features will be available and will not be impacted because of your request.
You may designate an authorized agent to request data subject rights on your behalf by providing a signed and authenticated letter that identifies (i) your agent and (ii) the purposes for and nature of your appointment of an agent. If you are an authorized agent, you must provide the information described in “Verification” hereinabove about the consumer for which you are acting as an agent, as well as your own full name (first and last name), email address, and a letter, signed by the consumer, that appoints you as their agent. In some instances, we may decline to honor your request if an exception applies under applicable law; however, we will respond to your request in compliance with applicable law.
We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain Personal Data may be exempt from such requests in some circumstances, which may include if we need to keep processing your Personal Data for our legitimate interests, to comply with a legal obligation, or where the Personal Data provided in connection with Research is necessary in the public interest.
Please note that in certain circumstances we will need to provide you with certain information in order for us to comply with legal obligations or to administer our relationship with you. We will inform you where such Personal Data is required and the consequences of failing to provide such Personal Data.
We may request you provide us with information necessary to confirm your identity before responding to your request as required or permitted by applicable law. If you would like further information in relation to your legal rights under applicable law, or would like to exercise those rights, please contact us or our Data Protection Officer using the information in the “Contact Information” section below at any time.
VII. INFORMATION FOR EUROPEAN ECONOMIC AREA (EEA), UK, AND SWISS RESIDENTS
In addition to the above, this section of the Notice applies if you are a resident of the European Economic Area (EEA) (which includes the European Union and the countries of Iceland, Liechtenstein and Norway), the United Kingdom, or Switzerland. Please read specific privacy notices for HCPs/KOLs [here].
VIII. HOW TO CONTACT US
VIII.I Please feel free to contact us if you have any questions about our Notice or our information practices.
You may contact us as follows: You may send an email to [email protected] or send mail to:
Attn: Legal Department
c/o BridgeBio Pharma, Inc.
3160 Porter Drive, Suite 250
Palo Alto, CA 94304
If you have any concerns or complaints about our data processing activities, we urge you to contact our DPO to attempt to resolve such issues directly with us. However, if applicable, you may make a complaint to your governmental authority or data protection supervisory authority in the state or country where you are based.
VIII.II. Data Protection Officer – Contact Details
BridgeBio has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO) for the EEA and the UK and may be reached:
- by using the following email: [email protected]
- by mail at the following address:
Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
If you are an EEA or UK resident and would like to contact our Data Protection Officer on matters related to the processing of personal data, or otherwise exercise your rights in respect of your personal data (described above), please contact [email protected].
IX. COLLECTION OF PERSONAL DATA FROM MINORS
In general, our medical information services are intended for general audiences and not for minors. No Personal Data or inquiries should be submitted to BridgeBio by individuals who are less than 18 years old. If we become aware that we have collected personal data without legally valid parental consent from minors under an age where such consent is required pursuant to applicable law, we will take reasonable steps to delete it as soon as possible.
X. INTERNATIONAL USERS AND DATA TRANSFERS
BridgeBio Pharma Inc. is an international organization with affiliates and subsidiaries in and outside the United States. We transfer the Personal Data we collect about you within BridgeBio (to other BridgeBio affiliates worldwide) and to third parties. Such data transfers include the transfer of Personal Data to countries that may not have the same level of data protection as the country in which the Personal Data initially originated. Where cross-border data transfers occur, we ensure that an adequate level of data protection exists in the recipient country, by executing with third parties appropriate contractual arrangements for cross-border data transfers to third-party countries for controllers or processors as applicable. For transfers governed by UK and EU GDPR, these measures will include transfers based on adequacy decisions, EU standard contractual clauses (SCCs), the UK international data transfer agreements and addendum to the EU SCCs supplemented by any supplementary measures as may be required.
XI. DATA SECURITY
We have implemented a variety of technological and organizational procedures and measures to protect your personal data from unauthorized access, use and disclosure. However, please note that no method of Internet transmission can be completely secure. Please take steps to protect yourself, including using and protecting your unique login credentials and passwords, utilizing encryption, personal firewalls, and anti-virus solutions.
XII. CHANGES TO THIS NOTICE
We may change this Notice from time to time without notice. Please check back regularly to stay up to date with the most recent version.
Last Update: August 2024