ePRO Privacy Policy

Last Updated: 08/23/2019

Introduction

Phathom Pharmaceuticals, Inc. (“we”, “our”, “us”) are committed to protecting and respecting your privacy. We are a pharmaceutical company established in the United States with a registered office at 70 Willow Road, Suite 200, Menlo Park, California 94025, and for the purpose of the General Data Protection Regulation (the “GDPR”), we are the data controller.

This policy sets out the basis on which we will process any personal data or usage information we collect from you, or that you provide to us, in connection with your use of the ePro mobile application technology (the “ePro App”) in connection with the clinical research study we are sponsoring and for which you are participating (“Study”). Please read this policy carefully so that you understand your rights in relation to your personal data, and how we will collect, use and process your personal data. If you do not agree with this Privacy Policy in general or any part of it, you should not access the ePro App and you may not be able to participate in the clinical research study.

What types of information do we collect and how do we use it?

  • Information you give us to create your ePro App Account. You may provide information through the ePro App by creating an account as part of your participation in the Study. This information includes:
    • your email address
    • your mobile telephone number

As it is in our legitimate interests to ensure the proper functioning and use of the ePro App for the Study, we may use your information to:

    • Contact or communicate with you via telephone or email;
  • Technical usage information. When you visit the ePro App, we automatically collect the information sent to us by your mobile phone or other access device. This information includes:
    • your IP address
  • Personal information.  You will provide personal information when you complete the electronic diary through the ePro App as part of your participation in the Study.  This information includes:
    • your health symptoms
    • severity of your health symptoms
    • medications you are taking

As it is in our legitimate interests to process your data to comply with legal obligations to which we, as the controller, are subject and which are necessary for reasons of public interest in the area of public health, we collect this information in order to:

  • conduct the Study protocol during its entire lifecycle and related research activities
  • conduct safety reporting and archiving of data
  • conduct processing operations expressly provided by national and state laws which are related to reliability and safety purposes, including safety reporting, archiving of the data and disclosure of data to national competent authorities
  • conduct data analysis, testing, research, statistical and survey analysis
  • use data outside of the Study for scientific reasons  

How do we share your personal data?

We do not sell, rent or lease your personal information to others. We share your information with selected recipients. These categories of recipients include:

  • clinical research service providers located in the European Economic Area (EEA), United States, United Kingdom of Great Britain and Northern Ireland, and Bulgaria that are engaged to support us in the conduct of the Study
  • server and cloud storage providers located in the United States, and which store your personal data in the United States to store the personal data you provide and for disaster recovery services
  • National competent authorities and regulatory authorities in the EEA, United States, Canada, and other countries in Europe including Albania, Andorra, Bosnia and Herzegovina, Bulgaria, Iceland, Kosovo, Liechtenstein, Monaco, Montenegro, North Macedonia (formerly, Macedonia), Norway, San Marino, Serbia, Switzerland, United Kingdom of Great Britain and Northern Ireland, and Vatican City (Holy See); and any successors to, or new countries created from, any of the foregoing, including any territories or possessions of such countries.

We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:

  • comply with a legal obligation, process or request;
  • enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
  • detect, prevent or otherwise address security, fraud or technical issues; or
  • protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

We will also disclose your information to third parties:

  • in the event that we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
  • if we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.

Where do we store your personal data?

The information that we collect from you will be transferred to and stored at/processed in the United States, United Kingdom of Great Britain and Northern Ireland and Bulgaria. Your personal data is also processed by staff operating outside the EEA who work for us or for one of our vendors. Such staff are engaged in, among other things, provision of support services. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this policy.

The personal data that we collect from you may be transferred to, and stored at/processed in the EEA, United States, Canada, and other countries in Europe including Albania, Andorra, Bosnia and Herzegovina, Bulgaria, Iceland, Kosovo, Liechtenstein, Monaco, Montenegro, North Macedonia (formerly, Macedonia), Norway, San Marino, Serbia, Switzerland, United Kingdom of Great Britain and Northern Ireland, and Vatican City (Holy See); and any successors to, or new countries created from, any of the foregoing, including any territories or possessions of such countries by clinical research service providers assisting us in the conduct of the clinical trial protocol, ethics committees national competent authorities and regulatory agencies with jurisdiction over the conduct of the Study and/or the submission of market authorization for the investigational medicine for the Study, under the  Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses), pursuant to Decision 2010/87/EU. Please contact us in accordance with the contact details in “How to Reach Us” below, if you would like to see a copy of the Model Clauses.

The security of your personal data

Unfortunately, the transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through the ePro App or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access or modification.

How long do we store your personal data?

We will retain your information as follows:

  • data collected for the conduct of the Study will be retained until the expiration of the archival period
  • if you contact us via email we will keep your data for as long as needed or permitted in light of the purpose(s) for which it was obtained taking into consideration whether there is a legal obligation to which we are subject
  • your IP address until completion of the Study

Your rights

You have the right to ask us to access the personal data we hold about you and be provided with certain information about how we use your personal data and who we share it with. You also have the right to ask us to correct your personal data where it is inaccurate or incomplete and we will endeavour to do so without undue delay.

In certain circumstances, you have the right to ask us to delete the personal data we hold about you:

  • where you believe that it is no longer necessary for us to hold your personal data;
  • where we are processing your personal data on the basis of legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing; or
  • where you believe the personal data we hold about you is being unlawfully processed by us.

In certain circumstances, you have the right to ask us to restrict (stop any active) processing of your personal data:

  • where you believe the personal data we hold about you is inaccurate and while we verify accuracy;
  • where we want to erase your personal data as the processing is unlawful but you want us to continue to store it;
  • where we no longer need your personal data for the purposes of our processing but you require us to retain the data for the establishment, exercise or defence of legal claims; or
  • where you have objected to us processing your personal data based on our legitimate interests and we are considering your objection.

In addition, you can object to our processing of your personal data based on our legitimate interests and we will no longer process your personal data unless we can demonstrate an overriding legitimate ground.

To exercise any of these rights above, please contact us in accordance with the contact details in “How to Reach Us” below. In addition, you have the right to complain to the Information Commissioner’s Office or other applicable data protection supervisory authority.

Please note that these rights are limited, for example, where fulfilling your request would adversely affect other individuals or Company trade secrets or intellectual property, where there are overriding public interest reasons or where we are required by law to retain your personal data.

Complaints

In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at the contact details in “How to Reach Us” below and we will endeavour to deal with your request. This is without prejudice to your right to launch a claim with the Information Commissioner’s Office or the data protection supervisory authority in the country in which you live or work where you think we have infringed data protection laws.

Changes

Any changes we will make to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

How to Reach Us

You can contact us in order to exercise your rights, make inquiries or submit complaints concerning our processing of your personal data.  We will take appropriate steps to address requests, inquiries and complaints.

Contact Details:

Mailing Address: ePro Data Privacy, Phathom Pharmaceuticals, Inc., 70 Willow Road, Menlo Park, California 94025, USA

Email Address: privacy@phathompharma.com