Please note that Goldfinch sponsors research, clinical trials and other studies related to the development of precision medicine product candidates for people living with kidney diseases (collectively, “Research”). Goldfinch engages contract research organizations (“CROs”) to facilitate the Research. The CROs provide additional privacy policies to participants during the Research enrollment process that describe Goldfinch’s privacy practices related to conducting such Research. Any privacy policies provided to Research participants by our CROs shall govern how we process the information provided to us at that time.
How We Collect Personal Data
Information You Provide to Us
We collect Personal Data when you choose to share that information with us, such as:
When you communicate with us through our Websites, we collect your contact information, the content of the communication and any other information associated with the communication. At your request, we may use information you provide to respond to your inquiries or requests as appropriate.
When you submit a job application on our Websites, we collect your employment information, including, but not limited to, contact details (email address, telephone number, mailing address, etc.), demographic information, education, work and research history, employment needs and interests, and any other information you choose to provide in your resume or application materials.
When you submit identifiable comments or other content to us, on our Websites, through social media or otherwise, we collect whatever information you supply and use that information to communicate with you, if requested, or otherwise fulfill the purpose of the content submission.
Information We Collect Through Automatic Data Collection Technologies
Logging Functionality: As is true of most websites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp and/or clickstream data. We generally only use this data for purposes such as security, fraud detection, and protecting our rights.
How We Use Personal Data
By providing your Personal Data, you agree that, where it is permitted by local law, we may use your Personal Data and any information that we collect about you or that you provide to us, in addition to the uses described above, to:
provide and maintain our Websites;
provide analysis or valuable information so that we can improve the services;
provide you with information that you request from us or that we think would be of interest to you;
process and evaluate job applications you submit to us and communicate with you about your job applications and requests;
prevent, investigate, or provide notice of fraud, unlawful or criminal activity, or unauthorized access to or use of Personal Data, or website or data systems;
or to meet legal obligations;
notify you about changes to our Websites generally;
and/or any other lawful, legitimate business purpose.
How We Share and Disclose Personal Data
We may disclose Personal Data that we collect to the following recipients:
Service Providers: We may disclose your Personal Data to third-party service providers to provide us with services such as website hosting, professional services, including information technology services and related infrastructure, e-mail delivery, auditing and other similar services.
Corporate Transactions or Events: We may disclose your information to a third party in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital, including in connection with any bankruptcy or similar proceedings.
Children under the Age of 13
Our Website is not intended for children under 13 years of age. No one under age 13 may provide any Personal Data to or on the Websites and we do not knowingly collect Personal Data from children under 13. If you are under 13, do not use or provide any information on this Site or register on the Site, use any forums or related features of this Site, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received Personal Data from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us per the “How to Contact Us” section below.
Managing Your Communication Preferences
We may use your Personal Data for Marketing Activities, including to communicate with you about our products, services, and company and to invite your participation in engagement opportunities (e.g., surveys). However, we want to communicate with you only if you want to hear from us. You can unsubscribe from marketing communications by clicking the “Unsubscribe” link included in each message and following the instructions provided on the screen.
Cookies on our Websites are generally divided into the following categories:
Essential Cookies: These cookies are strictly necessary to provide you with services available through our Websites and to use some of their features. Because these cookies are strictly necessary to operate the Websites, you cannot refuse them without impacting how our Services function.
Performance and Functionality Cookies: These cookies are used to enhance the performance and functionality of our Websites but are non-essential to their use. However, without these cookies, certain functionality of our Websites may become unavailable.
Analytics and Customization Cookies: These cookies collect information that is used to help us understand how our Websites are being used or how effective our marketing campaigns are or to help us customize our Websites for you in order to enhance your experience.
Targeting Cookies: These cookies record your visit to our Websites, the pages you have visited, and the links you have followed to recognize you as a previous visitor and to track your activity on the Websites and other websites you visit. These Cookies qualify as persistent cookies because they remain on your device for us to use during a next visit to our Websites. You can delete these cookies via your browser settings. See below for further details on how you can control third-party targeting cookies.
How to control Cookies:
You can review your Internet browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Websites.
The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.
Cross border transfers
Links to Other Websites
European Economic Area
For individuals in the European Economic Area, please see the “European Economic Area Disclosures” section below.
How to Contact Us
Goldfinch Bio, Inc.
215 First Avenue, 4th floor
Cambridge, Massachusetts 02142
ATTN: Chief Legal Officer
European Economic Area Disclosures
These EEA Disclosures apply only to our processing of Personal Data within the scope of the General Data Protection Regulation (“GDPR”) from one or more of the European Union Member States plus Iceland, Liechtenstein and Norway (together known as the “European Economic Area” or “EEA”), and in addition to the information collected on the Websites, applies to information we may collect in the EEA related to our Research.
Controllers of Personal Data
For the purposes of applicable data protection laws including, without limitation, the General Data Protection Regulation ((EU) 2016/679), Goldfinch Bio is the data controller of any Personal Data we collect from you or that you provide to us.
Additional Information We Collect and Use
We collect Personal Data about the following types of individuals: physicians and other health care professionals, clinical trial investigators, Research participants, researchers, contractors, consultants, job applicants, volunteers, and other individuals who interact directly with us or our business partners.
We collect and use Personal Data in the following ways:
PERSONAL DATA PROVIDED BY YOU
We collect and use Personal Data that you provide to us in the following ways:
Communications. If you communicate with us through our Websites or by email, mail, phone, text, chat, or any other paper or electronic form, we collect your contact information, such as your name, address, email address and phone number, the content of the communication, including any self-identified medical history or medical condition, and the metadata associated with the communication. We use this information to investigate and respond to your inquiries and to communicate with you. At your request, we may use information you provide in your communications to contact you with information regarding Research, to evaluate your eligibility for the Research and, as appropriate, to invite you to participate in Research. If you wish to stop receiving email messages from us, you may do so at any time by clicking “unsubscribe” in any email you receive from us and following the instructions provided on the screen.
Newsletters. If you sign up for a newsletter, we collect your contact information, disease state of interest and communication preferences. We use this information to manage our communications with you. If you wish to stop receiving email messages from us, please email firstname.lastname@example.org.
Employment Applications. If you submit an application for employment, we collect your contact and demographic information, education, work and research history, employment needs and interests, and any other information you choose to provide. We use this information to evaluate your eligibility and candidacy for employment, to communicate with you before, during and after the relevant application process and to facilitate the application process and any pre-contractual steps needed prior to employment.
Events. If you register for any Goldfinch event, such as a training, lecture, seminar, workshop or open house event, we collect your contact and demographic information, including education information and medical or other professional credentials. We require these details in order to register you in the program, administer the event, contact you about your experience and to inform you about future events that may be of interest to you.
Business Partners. If you are a business partner or service provider, such as a health care professional partnering with Goldfinch on Research, or otherwise providing services to Goldfinch, we may collect your contact information, professional credentials, educational and professional history, institutional affiliations, background checks, performance reviews, and information needed for the purposes of compensation. We use this information to communicate with you, to staff, administer and facilitate Research, to comply with regulatory monitoring and reporting obligations and to identify and engage with thought leaders and external experts.
DATA WE OBTAIN FROM THIRD PARTY SOURCES
We collect Personal Data from the following third party sources:
Business Partners and Service Providers: We collect information about individuals from our business partners and service providers, including healthcare professionals, contract research organizations, market research providers, industry and patient groups and associations, and recruiters. The information may include contact information, demographic information, health and medical information, educational and professional history, institutional affiliations, background checks and performance reviews. We use this information to administer and facilitate Research, coordinate events and programs, conduct market research and to identify potential employment candidates.
Publicly Available Sources: We collect information about individuals from publicly available sources, such as public comments on Goldfinch and its operations on social media platforms (for example, LinkedIn, Facebook, Twitter, and Instagram) or publicly available research. This information enables us to conduct market research about the company and industry trends, analyze public interactions with Goldfinch, identify experts and improve our programs, events, and other offerings.
OTHER USES OF PERSONAL DATA
In addition to the uses described above, we may use your Personal Data for the following purposes:
Communicating with you;
Developing new resources and services;
Conducting, managing and growing our business;
Defining and managing appropriate patient engagement activities;
Paying for services that physicians, researchers and other individuals may provide to us;
Preventing, investigating and providing notice of fraud, unlawful or criminal activity, unauthorized access to or use of Personal Data, the website or our data systems, and to meet legal, regulatory, judicial and company policy obligations;
For any other lawful, legitimate business purposes.
Additional Sharing of Personal Data
We share Personal Data in the following ways:
Service Providers: We share Personal Data with third-party service providers who perform services on our behalf, such as health care professionals, contract research organizations or other medical institutions conducting research on our behalf, data storage and analytics providers, recruiters, background check providers, event coordinators, market research providers, technology providers (including technology support providers, email communications providers and web developers).
Research: We may disclose Personal Data to third-party medical institutions and research institutes for those organizations to perform independent research as permitted by law.
Regulatory or Legal Requirements, Safety and Terms Enforcement: We may disclose Personal Data to governmental regulatory authorities as required by law, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting, in response to their requests for such information or to assist in investigations. We may also disclose Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, or if we determine its disclosure is necessary to protect the health and safety of you or us, to protect against fraud or credit risk, or to enforce our legal rights or contractual commitments that you have made.
Business Transfers: We may disclose Personal Data as part of a corporate business transaction, such as a merger, acquisition, joint venture, financing, or sale of company assets and may transfer Personal Data to a third party as one of the business assets in such a transaction. We may also disclose Personal Data in the event of insolvency, bankruptcy, or receivership.
Legal Basis for Processing
In this section, we identify the lawful grounds we rely on for processing Personal Data.
If Goldfinch relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data.
If Goldfinch wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU’s General Data Protection Regulation, Goldfinch may obtain your explicit consent for such processing.
Goldfinch may process Personal Data subject to its own legitimate interests, such as to develop, administer and support our research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; or to facilitate a sale of assets or merger or acquisition.
Goldfinch processes Personal Data to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants.
Goldfinch may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Goldfinch to process Personal Data for purposes of obtaining medical research approvals, reporting on the safety and reliability of our products and spend transparency disclosures.
Goldfinch may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law, or for public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, as authorized by applicable law.
If Goldfinch wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU’s General Data Protection Regulation, it may do so when necessary for scientific research purposes or for reasons of public interest in the area of public health.
Goldfinch may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.
We retain Personal Data pursuant to our records retention program, for as long as is necessary for the purposes set out in these Goldfinch EEA Disclosures, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.
The criteria used to determine the period for which Personal Data about you will be stored vary depending on the legal basis under which we process such Personal Data:
For the duration of the time for which we have your consent to process your Personal Data, plus some additional limited period to comply with law (see the “Data Subject Rights” section below).
For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
For the duration of time we are legally obligated to keep the information.
For the period of time necessary to fulfill the purposes of the business process in the public interest.
Transfers of Information Across Borders
When we transfer your Personal Data to third parties as described in these Goldfinch EEA Disclosures, some of these parties may be located in countries, such as the United States, other than your own, whose privacy and data protection laws may not be equivalent to those in your country of residence. When we transfer your Personal Data to other countries, including the United States, we apply appropriate safeguards to protect your information and comply with applicable laws. For example, we implement measures such as standard contractual clauses to ensure that any transferred Personal Data remains protected and secure. A copy of these clauses can be obtained by emailing email@example.com. In some cases, we may obtain your consent to the transfer of your Personal Data to other countries.
Data Subject Rights
You may request that we provide you with information about whether we process your Personal Data, along with any details required to be provided to you under applicable law. In certain cases, you may have the following data protection rights:
The right to access, correct, update, or request deletion of your Personal Data;
The right to object to the processing of your Personal Data, ask us to restrict processing of your Personal Data, or request Personal Data concerning you in a structured, commonly used and machine-readable format;
If we have collected and processed your Personal Data with your consent, then you may withdraw your consent at any time by contacting your primary contact at the company or as set forth in the Contact Us section below. Please include information adequate to identify you, identify your Personal Data, and identify the consent you wish to withdraw. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal; and
If you have any complaints regarding our privacy practices, you have the right to file the complaint with your local data protection authority.