Last Updated: 02/05/2021
Phathom Pharmaceuticals, Inc. (“we”, “our”, “us”) are committed to protecting and respecting your privacy. We are a pharmaceutical company established in the United States with a registered office at 100 Campus Drive, Suite 102, Florham Park, NJ 07932, and for the purpose of the General Data Protection Regulation (the “GDPR”), we are the data controller.
What types of information do we collect and how do we use it?
- Information you give us to create your ePro App Account. You may provide information through the ePro App by creating an account as part of your participation in the Study. This information includes:
- your email address
- your mobile telephone number
As it is in our legitimate interests to ensure the proper functioning and use of the ePro App for the Study, we may use your information to:
- Contact or communicate with you via telephone or email;
- Technical usage information. When you visit the ePro App, we automatically collect the information sent to us by your mobile phone or other access device. This information includes:
- your IP address
- Personal information. You will provide personal information when you complete the electronic diary through the ePro App as part of your participation in the Study. This information includes:
- your health symptoms
- severity of your health symptoms
- medications you are taking
As it is in our legitimate interests to process your data to comply with legal obligations to which we, as the controller, are subject and which are necessary for reasons of public interest in the area of public health, we collect this information in order to:
- conduct the Study protocol during its entire lifecycle and related research activities
- conduct safety reporting and archiving of data
- conduct processing operations expressly provided by national and state laws which are related to reliability and safety purposes, including safety reporting, archiving of the data and disclosure of data to national competent authorities
- conduct data analysis, testing, research, statistical and survey analysis
- use data outside of the Study for scientific reasons
How do we share your personal data?
We do not sell, rent or lease your personal information to others. We share your information with selected recipients. These categories of recipients include:
- clinical research service providers located in the European Economic Area (EEA), United States, United Kingdom of Great Britain and Northern Ireland, and Bulgaria that are engaged to support us in the conduct of the Study
- server and cloud storage providers located in the United States, and which store your personal data in the United States to store the personal data you provide and for disaster recovery services
- National competent authorities and regulatory authorities in the EEA, United States, Canada, and other countries in Europe including Albania, Andorra, Bosnia and Herzegovina, Bulgaria, Iceland, Kosovo, Liechtenstein, Monaco, Montenegro, North Macedonia (formerly, Macedonia), Norway, San Marino, Serbia, Switzerland, United Kingdom of Great Britain and Northern Ireland, and Vatican City (Holy See); and any successors to, or new countries created from, any of the foregoing, including any territories or possessions of such countries.
We will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:
- comply with a legal obligation, process or request;
- enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
- detect, prevent or otherwise address security, fraud or technical issues; or
- protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).
We will also disclose your information to third parties:
- in the event that we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
- if we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.
Where do we store your personal data?
The information that we collect from you will be transferred to and stored at/processed in the United States, United Kingdom of Great Britain and Northern Ireland and Bulgaria. Your personal data is also processed by staff operating outside the EEA who work for us or for one of our vendors. Such staff are engaged in, among other things, provision of support services. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this policy.
The personal data that we collect from you may be transferred to, and stored at/processed in the EEA, United States, Canada, and other countries in Europe including Albania, Andorra, Bosnia and Herzegovina, Bulgaria, Iceland, Kosovo, Liechtenstein, Monaco, Montenegro, North Macedonia (formerly, Macedonia), Norway, San Marino, Serbia, Switzerland, United Kingdom of Great Britain and Northern Ireland, and Vatican City (Holy See); and any successors to, or new countries created from, any of the foregoing, including any territories or possessions of such countries by clinical research service providers assisting us in the conduct of the clinical trial protocol, ethics committees national competent authorities and regulatory agencies with jurisdiction over the conduct of the Study and/or the submission of market authorization for the investigational medicine for the Study, under the Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses), pursuant to Decision 2010/87/EU. Please contact us in accordance with the contact details in “How to Reach Us” below, if you would like to see a copy of the Model Clauses.
The security of your personal data
Unfortunately, the transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through the ePro App or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal data against loss, theft, and unauthorized use, access, or modification.
How long do we store your personal data?
We will retain your information as follows:
- data collected for the conduct of the Study will be retained until the expiration of the archival period
- if you contact us via email we will keep your data for as long as needed or permitted in light of the purpose(s) for which it was obtained taking into consideration whether there is a legal obligation to which we are subject
- your IP address until completion of the Study
You have the right to ask us to access the personal data we hold about you and be provided with certain information about how we use your personal data and who we share it with. You also have the right to ask us to correct your personal data where it is inaccurate or incomplete and we will endeavor to do so without undue delay.
In certain circumstances, you have the right to ask us to delete the personal data we hold about you:
- where you believe that it is no longer necessary for us to hold your personal data;
- where we are processing your personal data on the basis of legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing; or
- where you believe the personal data we hold about you is being unlawfully processed by us.
In certain circumstances, you have the right to ask us to restrict (stop any active) processing of your personal data:
- where you believe the personal data we hold about you is inaccurate and while we verify accuracy;
- where we want to erase your personal data as the processing is unlawful but you want us to continue to store it;
- where we no longer need your personal data for the purposes of our processing but you require us to retain the data for the establishment, exercise, or defense of legal claims; or
- where you have objected to us processing your personal data based on our legitimate interests and we are considering your objection.
In addition, you can object to our processing of your personal data based on our legitimate interests and we will no longer process your personal data unless we can demonstrate an overriding legitimate ground.
To exercise any of these rights above, please contact us in accordance with the contact details in “How to Reach Us” below. In addition, you have the right to complain to the Information Commissioner’s Office or other applicable data protection supervisory authority.
Please note that these rights are limited, for example, where fulfilling your request would adversely affect other individuals or Company trade secrets or intellectual property, where there are overriding public interest reasons, or where we are required by law to retain your personal data.
In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at the contact details in “How to Reach Us” below and we will endeavor to deal with your request. This is without prejudice to your right to launch a claim with the Information Commissioner’s Office or the data protection supervisory authority in the country in which you live or work where you think we have infringed data protection laws.
Any changes we will make to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.
How to Reach Us
You can contact us in order to exercise your rights, make inquiries or submit complaints concerning our processing of your personal data. We will take appropriate steps to address requests, inquiries, and complaints.
Mailing Address: ePro Data Privacy, Phathom Pharmaceuticals, Inc., 100 Campus Drive, Suite 102, Florham Park, NJ 07932, USA.
Email Address: email@example.com