Privacy Policy

Last Updated: January 28, 2021

THIS PRIVACY POLICY APPLIES TO YOUR ACCESS AND USE OF GOLDFINCH BIO, INC., ITS SUBSIDIARIES, AFFILIATES AND AGENTS, (COLLECTIVELY “GOLDFINCH”, OR “WE”, “US” OR “OUR”) WEBSITES owned and controlled by us that link to this Privacy Policy (“WEBSITES”) and relevant alerts and newsletters we may periodically send to you by e-mail (“Marketing Activities”).  BY PROVIDING YOUR PERSONAL DATA TO US AND BY USING THE WEBSITES, YOU CONFIRM THAT YOU HAVE READ AND AGREE TO BE BOUND BY THIS PRIVACY POLICY AND OUR TERMS OF USE.  IF YOU DISAGREE WITH ANY PART OF THIS PRIVACY POLICY OR OUR TERMS OF USE, THEN PLEASE DO NOT USE THE WEBSITES.

This Privacy Policy explains the policies and practices that we have developed to safeguard Personal Data and to comply with applicable data protection laws.  Please read this notice carefully to understand what Personal Data we collect, how we collect it, how we use it, who we may disclose it to, and how you can manage your Personal Data. When we use the term “Personal Data” we mean data and information that reasonably can be used to identify a person, or that reasonably relates to a person. We control and operate the Websites from within the United States of America.  Our online privacy practices are governed by the laws of the United States and the Commonwealth of Massachusetts, which may differ from privacy laws in your state or home country.  By submitting your personal information to us through the Websites, you consent to the transfer of your personal information to any country and its use and disclosure in accordance with applicable U.S. Federal and State laws and with this Privacy Policy.

This Privacy Policy also provides certain region-specific disclosures related to our processing of Personal Data of individuals located in European Union Member States plus Iceland, Liechtenstein and Norway (together known as the “European Economic Area” or “EEA”), including additional information about Personal Data collected in those regions.

We may change our Privacy Policy, so please check this page periodically, as your continued use of the Websites, after we publish our changes, indicates your acceptance of any changed terms.

Please note that Goldfinch sponsors research, clinical trials and other studies related to the development of precision medicine product candidates for people living with kidney diseases (collectively, “Research”). Goldfinch engages contract research organizations (“CROs”) to facilitate the Research. The CROs provide additional privacy policies to participants during the Research enrollment process that describe Goldfinch’s privacy practices related to conducting such Research. Any privacy policies provided to Research participants by our CROs shall govern how we process the information provided to us at that time.

How We Collect Personal Data

Information You Provide to Us

We collect Personal Data when you choose to share that information with us, such as:

When you communicate with us through our Websites, we collect your contact information, the content of the communication and any other information associated with the communication. At your request, we may use information you provide to respond to your inquiries or requests as appropriate.

When you submit a job application on our Websites, we collect your employment information, including, but not limited to, contact details (email address, telephone number, mailing address, etc.), demographic information, education, work and research history, employment needs and interests, and any other information you choose to provide in your resume or application materials.

When you submit identifiable comments or other content to us, on our Websites, through social media or otherwise, we collect whatever information you supply and use that information to communicate with you, if requested, or otherwise fulfill the purpose of the content submission.

Information We Collect Through Automatic Data Collection Technologies

We use various technologies to collect other types of data that may not directly reveal your identity (“Other Information”). If we associate Other Information with Personal Data, we will treat the combined information as Personal Data in accordance with this Privacy Policy.

Logging Functionality: As is true of most websites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp and/or clickstream data. We generally only use this data for purposes such as security, fraud detection, and protecting our rights.

Cookies and Other Data Collection Technologies: We and our service providers use cookies, scripts, and similar technologies to manage our Websites and to collect information about you and your use of our Site. These technologies help us to recognize you, customize or personalize your experience and analyze the use of our Websites to make them more useful to you. These technologies also allow us to aggregate demographic and statistical data and provide this information to our service providers to facilitate their provision of services. For more information about how we use Cookies and Other Data Collection Technologies and how to control such uses, see below.

How We Use Personal Data

By providing your Personal Data, you agree that, where it is permitted by local law, we may use your Personal Data and any information that we collect about you or that you provide to us, in addition to the uses described above, to:

  • provide and maintain our Websites;
  • provide analysis or valuable information so that we can improve the services;
  • provide you with information that you request from us or that we think would be of interest to you;
  • process and evaluate job applications you submit to us and communicate with you about your job applications and requests;
  • prevent, investigate, or provide notice of fraud, unlawful or criminal activity, or unauthorized access to or use of Personal Data, or website or data systems; or to meet legal obligations;
  • notify you about changes to our Websites generally;
  • carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including our Terms of Use;
  • and/or any other lawful, legitimate business purpose.

How We Share and Disclose Personal Data

We may disclose Personal Data that we collect to the following recipients:

  • Within Goldfinch: We may share your Personal Data within Goldfinch for purposes and uses that are consistent with this Privacy Policy. For example, sharing Personal Data about you to process your job application or facilitate communication between you and a Goldfinch representative and coordinate any necessary data retention.
  • Service Providers: We may disclose your Personal Data to third-party service providers to provide us with services such as website hosting, professional services, including information technology services and related infrastructure, e-mail delivery, auditing and other similar services.
  • Corporate Transactions or Events: We may disclose your information to a third party in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital, including in connection with any bankruptcy or similar proceedings.
  • Other Legal Reasons: In addition, we may use or disclose your Personal Data as we deem necessary or appropriate: (1) under applicable law, including laws outside your country of residence; (2) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (3) to comply with subpoenas and other legal processes; (4) to pursue available remedies or limit damages we may sustain; (5) to protect our operations or those of any of our affiliates; (6) to protect the rights, privacy, safety or property of Goldfinch, you and others; and (7) to enforce our Terms of Use.

Children under the Age of 13

Our Website is not intended for children under 13 years of age. No one under age 13 may provide any Personal Data to or on the Websites and we do not knowingly collect Personal Data from children under 13. If you are under 13, do not use or provide any information on this Site or register on the Site, use any forums or related features of this Site, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received Personal Data from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us per the “How to Contact Us” section below.

Managing Your Communication Preferences

We may use your Personal Data for Marketing Activities, including to communicate with you about our products, services, and company and to invite your participation in engagement opportunities (e.g., surveys). However, we want to communicate with you only if you want to hear from us. You can unsubscribe from marketing communications by clicking the “Unsubscribe” link included in each message and following the instructions provided on the screen.

Cookies

How we use Cookies:

We use cookies and related technologies (“Cookies”) to gather information when users navigate through the Websites to enhance and personalize the experience, to understand usage patterns, and to improve the operation of our Websites. To find out more about cookies, visit www.aboutcookies.org.

Cookies on our Websites are generally divided into the following categories:

Essential Cookies: These cookies are strictly necessary to provide you with services available through our Websites and to use some of their features. Because these cookies are strictly necessary to operate the Websites, you cannot refuse them without impacting how our Services function.

Performance and Functionality Cookies: These cookies are used to enhance the performance and functionality of our Websites but are non-essential to their use. However, without these cookies, certain functionality of our Websites may become unavailable.

Analytics and Customization Cookies: These cookies collect information that is used to help us understand how our Websites are being used or how effective our marketing campaigns are or to help us customize our Websites for you in order to enhance your experience.

Targeting Cookies: These cookies record your visit to our Websites, the pages you have visited, and the links you have followed to recognize you as a previous visitor and to track your activity on the Websites and other websites you visit. These Cookies qualify as persistent cookies because they remain on your device for us to use during a next visit to our Websites. You can delete these cookies via your browser settings. See below for further details on how you can control third-party targeting cookies.

We also allow third parties to use Cookies on our Websites to collect information about your online activities over time and across different Websites you visit. This information is used to provide advertising tailored to your interests on Websites you visit, also known as interest based advertising, and to analyze the effectiveness of such advertising.

How to control Cookies:

You can review your Internet browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Websites.

We may use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Site and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. To learn more about the use of Cookies by Google for analytics and to exercise choice regarding those Cookies, you may visit www.google.com/policies/privacy/partners/, and you may opt-out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt-out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.

Cross border transfers

Our Website is controlled and operated by us from the United States and is not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. Any information you provide to us through use of our Websites may be stored and processed, transferred between and accessed from the United States and other countries which may not guarantee the same level of protection of Personal Data as the one in which you reside. However, we will handle your Personal Data in accordance with this Privacy Policy regardless of where your Personal Data is stored or accessed.

Links to Other Websites

Occasionally we may provide links to other websites for your convenience and information. These websites operate independently from our Websites and are not under our control. These websites may have their own privacy policies or terms of use, which you should review if you visit any websites linked through our Websites. We are not responsible for the content or use of these unrelated websites.

European Economic Area

For individuals in the European Economic Area, please see the “European Economic Area Disclosures” section below.

How to Contact Us

If you have any queries, questions or concerns about this Privacy Policy or our Personal Data handling practices, please contact us at info@goldfinchbio.com or:

Goldfinch Bio, Inc.
215 First Avenue, 4th floor
Cambridge, Massachusetts 02142
ATTN: Chief Legal Officer

European Economic Area Disclosures

These disclosures (the “EEA Disclosures”) supplement the Goldfinch Privacy Policy.

These EEA Disclosures apply only to our processing of Personal Data within the scope of the General Data Protection Regulation (“GDPR”) from one or more of the European Union Member States plus Iceland, Liechtenstein and Norway (together known as the “European Economic Area” or “EEA”), and in addition to the information collected on the Websites, apply to information we may collect in the EEA related to our Research.

Controllers of Personal Data

For the purposes of applicable data protection laws including, without limitation, the General Data Protection Regulation ((EU) 2016/679), Goldfinch Bio is the data controller of any Personal Data we collect from you or that you provide to us.

Additional Information We Collect and Use

We collect Personal Data about the following types of individuals: physicians and other health care professionals, clinical trial investigators, Research participants, researchers, contractors, consultants, job applicants, volunteers, and other individuals who interact directly with us or our business partners.

We collect and use Personal Data in the following ways:

PERSONAL DATA PROVIDED BY YOU

We collect and use Personal Data that you provide to us in the following ways:

Communications. If you communicate with us through our Websites or by email, mail, phone, text, chat, or any other paper or electronic form, we collect your contact information, such as your name, address, email address and phone number, the content of the communication, including any self-identified medical history or medical condition, and the metadata associated with the communication. We use this information to investigate and respond to your inquiries and to communicate with you. At your request, we may use information you provide in your communications to contact you with information regarding Research, to evaluate your eligibility for the Research and, as appropriate, to invite you to participate in Research. If you wish to stop receiving email messages from us, you may do so at any time by clicking “unsubscribe” in any email you receive from us and following the instructions provided on the screen.

Newsletters. If you sign up for a newsletter, we collect your contact information, disease state of interest and communication preferences. We use this information to manage our communications with you. If you wish to stop receiving email messages from us, please email info@goldfinchbio.com.

Employment Applications. If you submit an application for employment, we collect your contact and demographic information, education, work and research history, employment needs and interests, and any other information you choose to provide. We use this information to evaluate your eligibility and candidacy for employment, to communicate with you before, during and after the relevant application process and to facilitate the application process and any pre-contractual steps needed prior to employment.

Events. If you register for any Goldfinch event, such as a training, lecture, seminar, workshop or open house event, we collect your contact and demographic information, including education information and medical or other professional credentials. We require these details in order to register you in the program, administer the event, contact you about your experience and to inform you about future events that may be of interest to you.

Business Partners. If you are a business partner or service provider, such as a health care professional partnering with Goldfinch on Research, or otherwise providing services to Goldfinch, we may collect your contact information, professional credentials, educational and professional history, institutional affiliations, background checks, performance reviews, and information needed for the purposes of compensation. We use this information to communicate with you, to staff, administer and facilitate Research, to comply with regulatory monitoring and reporting obligations and to identify and engage with thought leaders and external experts.

DATA WE OBTAIN FROM THIRD PARTY SOURCES

We collect Personal Data from the following third party sources:

Business Partners and Service Providers: We collect information about individuals from our business partners and service providers, including healthcare professionals, contract research organizations, market research providers, industry and patient groups and associations, and recruiters. The information may include contact information, demographic information, health and medical information, educational and professional history, institutional affiliations, background checks and performance reviews. We use this information to administer and facilitate Research, coordinate events and programs, conduct market research and to identify potential employment candidates.

Publicly Available Sources: We collect information about individuals from publicly available sources, such as public comments on Goldfinch and its operations on social media platforms (for example, LinkedIn, Facebook, Twitter, and Instagram) or publicly available research. This information enables us to conduct market research about the company and industry trends, analyze public interactions with Goldfinch, identify experts and improve our programs, events, and other offerings.

OTHER USES OF PERSONAL DATA

In addition to the uses described above, we may use your Personal Data for the following purposes:

  • Communicating with you;
  • Developing new resources and services;
  • Conducting, managing and growing our business;
  • Defining and managing appropriate patient engagement activities;
  • Paying for services that physicians, researchers and other individuals may provide to us;
  • Preventing, investigating and providing notice of fraud, unlawful or criminal activity, unauthorized access to or use of Personal Data, the website or our data systems, and to meet legal, regulatory, judicial and company policy obligations;
  • For any other lawful, legitimate business purposes.

Additional Sharing of Personal Data

We share Personal Data in the following ways:

Service Providers: We share Personal Data with third-party service providers who perform services on our behalf, such as health care professionals, contract research organizations or other medical institutions conducting research on our behalf, data storage and analytics providers, recruiters, background check providers, event coordinators, market research providers, technology providers (including technology support providers, email communications providers and web developers).

Research: We may disclose Personal Data to third-party medical institutions and research institutes for those organizations to perform independent research as permitted by law.

Regulatory or Legal Requirements, Safety and Terms Enforcement: We may disclose Personal Data to governmental regulatory authorities as required by law, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting, in response to their requests for such information or to assist in investigations. We may also disclose Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, or if we determine its disclosure is necessary to protect the health and safety of you or us, to protect against fraud or credit risk, or to enforce our legal rights or contractual commitments that you have made.

Business Transfers: We may disclose Personal Data as part of a corporate business transaction, such as a merger, acquisition, joint venture, financing, or sale of company assets and may transfer Personal Data to a third party as one of the business assets in such a transaction. We may also disclose Personal Data in the event of insolvency, bankruptcy, or receivership.

Legal Basis for Processing

In this section, we identify the lawful grounds we rely on for processing Personal Data.

Consent

If Goldfinch relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data.

If Goldfinch wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU’s General Data Protection Regulation, Goldfinch may obtain your explicit consent for such processing.

For information on how to withdraw consent, please email: info@goldfinchbio.com.

Legitimate Interests

Goldfinch may process Personal Data subject to its own legitimate interests, such as to develop, administer and support our research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; or to facilitate a sale of assets or merger or acquisition.

It may be also necessary for Goldfinch to process Personal Data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms of Use that govern the services we provide.

Contractual Necessity

Goldfinch processes Personal Data to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants.

Legal Obligation

Goldfinch may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Goldfinch to process Personal Data for purposes of obtaining medical research approvals, reporting on the safety and reliability of our products and spend transparency disclosures.

Public Obligation

Goldfinch may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law, or for public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, as authorized by applicable law.

If Goldfinch wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU’s General Data Protection Regulation, it may do so when necessary for scientific research purposes or for reasons of public interest in the area of public health.

Compatible Purposes

Goldfinch may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.

Data Retention

We retain Personal Data pursuant to our records retention program, for as long as is necessary for the purposes set out in these Goldfinch EEA Disclosures, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.

The criteria used to determine the period for which Personal Data about you will be stored varies depending on the legal basis under which we process such Personal Data:

Consent

For the duration of the time for which we have your consent to process your Personal Data, plus some additional limited period to comply with law (see the “Data Subject Rights” section below).

Legitimate Interests

For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.

Contractual Necessity

For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.

Legal Obligation

For the duration of time we are legally obligated to keep the information.

Public Interest

For the period of time necessary to fulfill the purposes of the business process in the public interest.

Transfers of Information Across Borders

When we transfer your Personal Data to third parties as described in these Goldfinch EEA Disclosures, some of these parties may be located in countries, such as the United States, other than your own, whose privacy and data protection laws may not be equivalent to those in your country of residence. When we transfer your Personal Data to other countries, including the United States, we apply appropriate safeguards, to protect your information and comply with applicable laws. For example, we implement measures such as standard contractual clauses to ensure that any transferred Personal Data remains protected and secure. A copy of these clauses can be obtained by emailing info@goldfinchbio.com. In some cases, we may obtain your consent to the transfer of your Personal Data to other countries.

Data Subject Rights

You may request for us to provide you with information about whether we process your Personal Data, along with any details required to be provided to you under applicable law. In certain cases, you may have the following data protection rights:

  • The right to access, correct, update, or request deletion of your Personal Data;
  • The right to object to the processing of your Personal Data, ask us to restrict processing of your Personal Data, or request Personal Data concerning you in a structured, commonly used and machine-readable format;
  • If we have collected and processed your Personal Data with your consent, then you may withdraw your consent at any time by contacting your primary contact at the company or as set forth in the Contact Us section below. Please include information adequate to identify you, identify your Personal Data, and identify the consent you wish to withdraw. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal; and
  • If you have any complaints regarding our privacy practices, you have the right to file the complaint with your local data protection authority.

Where applicable, you can exercise these rights by emailing: info@goldfinchbio.com.

Contact Us

If you have any queries, questions or concerns about these EEA Disclosures or our Personal Data handling practices, please contact us at info@goldfinchbio.com or:

Goldfinch Bio, Inc.
215 First Avenue, 4th floor
Cambridge, Massachusetts 02142
ATTN: Chief Legal Officer