PRIVACY POLICY

Updated: September 20, 2021

Istari Oncology, Inc. (collectively with any subsidiaries or affiliates “We,” “Us,” or the “Company”) is strongly committed to protecting the privacy of your personal information. This privacy policy explains the Company’s data collection and use practices with respect to its website at istarioncology.com (the “Site”). Except as specifically provided below, this Privacy Policy references other information collected by Istari by or through any other means, such as information collected offline. By using the pages in the Site, you agree to the information collection and use practices described in this Privacy Policy. If you do not agree to the terms set forth herein, do not use the Site.

Collection of personal information

We may ask you on this site for information that personally identifies you or provides information about yourself (“personal information”) or allows us to contact you to provide a service or a product or carry out a transaction that you have requested (such as requesting information about our company). The personal information we collect may include your name, your address, your telephone number, your email address and other contact information, and other information about services requested through the Site. You are not required to provide the personal information that we have requested, but, if you choose not to do so, in many cases we will not be able to provide you with our services or respond to questions you may have.

The Site may also collect information about your visit, such as the name of the Internet service provider and the Internet Protocol (IP) address through which you access the Internet; the date and time you access the Site; the pages that you access while at the Site and the Internet address of the website from which you linked directly to the Site. This information is used, among other reasons, to help improve the Site, analyze use trends, and administer the Site.

In addition to the website, Istari collects information about healthcare professionals when they interact with us or our representatives. Istari also collects personal data from a number of third-party data sources, in particular from publicly available sources such as public registers of healthcare professionals, published journals and event materials and from websites of healthcare professionals or their employers. Istari collects and processes such publicly available data only to the extent where the purposes for such collection and processing are compatible with and correspond to the initial purposes for which the respective data are made publicly available. Istari also makes use of third-party data providers to enhance its own knowledge of the healthcare sector. This data will include information about health care providers’ role(s), qualifications, specialty, employer, experience, publications, and other information related to their professions.

Use of personal information

Except as otherwise required by law, the personal information collected on the Site will be used solely to:

  • Operate the Site and to provide the service(s) and/or product(s) or carry out the transaction(s) you have requested or authorized
  • To provide you with more effective customer service
  • Send promotional or advertising materials to you (see opt-out provisions below)
  • To improve the Site and any related Company products or services
  • To make the Site easier to use by eliminating the need for your repeated entry of the same information. In order to offer you a more consistent experience in your interactions with the Company, information collected by the Site may be combined with information collected in connection with other Company products and services

From our website, you may use third party social media widgets/tools/buttons. If you use that functionality, your use is subject to the third party’s privacy policy and terms. As with all links to non-Istari websites/content/services, we recommend that you read the privacy policies and terms associated with third party properties carefully.

We may use your personal data collected in the following ways:

  • Operate our business
  • Deliver our products and services

We may use information we collect directly from you and from outside sources to validate your licensure and eligibility to view such information:

  • For data analysis, to better understand how our products and services impact you and those you care for
  • To track and respond to concerns
  • For fraud prevention and to further develop and improve our products and services
  • To comply with our regulatory monitoring and reporting obligations including those related to adverse events, product complaints and patient safety
  • To process, complete and fulfill your requested transactions
  • To provide customer service and respond to requests or inquiries
  • To communicate with you
  • To tailor our marketing programs and campaigns
  • To provide you with newsletters, articles, alerts, announcements, invitations, and other information about products, brands, health topics and disease states

On what basis do we use your personal data?

For GDPR data subjects: To respond to your requests or inquiries, it is our legitimate interest to retain your information.

We will keep you informed about our trials or other activities that we believe may be of interest to you. Processing is based on your consent, and we will rely on your consent. You have the right to withdraw it anytime in the manner indicated when we requested the consent or by emailing [email protected].

To operate our websites and to create anonymous, aggregated or de-identified data: These processing activities constitute our legitimate interests.

To comply with regulatory monitoring and reporting obligations and to comply with law: Processing is necessary to comply with our legal obligations.

How we share information

The Company may occasionally hire other companies to provide limited services on our behalf, such as website hosting, website design or technical support, mailing/shipping, answering customer questions about products and services, and sending information about our products, special offers, and other services. We will only provide those companies the personal information they need to deliver the service. They are required to maintain the confidentiality of the information and are prohibited from using that information for any other purpose. For example, the Company may share data:

  • To enable third parties to provide services to us. Categories of recipients of data would include health care providers, specialty pharmacies, financial investment service providers, insurance providers, pension administrators and other benefits providers, payroll support services, relocation, tax and travel management services, health and safety experts, and child care providers
  • To comply with our legal obligations, regulations or contracts, or to respond to a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counter-parties to contracts, judicial and governmental bodies
  • In response to lawful requests by public authorities (such as national security or law enforcement)
  • To seek legal advice from external lawyers and advice from other professional advisers such as accountants, management consultants, etc.
  • As necessary to establish, exercise or defend against potential, threatened or actual litigation (such as adverse parties in litigation)
  • Where necessary to protect Istari, your vital interests, such as safety and security, or those of another person
  • In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal/professional advisers)

We may aggregate and/or de-identify data about visitors to our Site or other collection activities and use it for any purpose, including product and service development and improvement activities.

Control of personal information

Except as otherwise described in this Privacy Policy, your personal information will not be shared outside of the Company without your permission.

For persons over the age of 13, providing information about yourself through the Site is free and completely voluntary. No information should be submitted to or posted to the Site by any person under the age of 13 years. The Company does not knowingly collect information from children under 13. If you are under 13 years old, you may not attempt to provide your information through the Site. If the Company determines that contact information has been submitted by a person under age 13, such information will be removed. If you are between the ages of 13 and 17, you may use the Site only with your parent or guardian’s consent; the Company reserves the right to request verification of such parent or guardian’s consent. Personal information of persons between ages 13 and 17 will be collected as described in this Privacy Policy. By submitting your contact information through the Site, you represent that you are age 13 or over.

Retention

We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying legal, accounting, or reporting requirements. We are a United States-based company, and as such you expressly consent to the transfer and storage of your personal data collected through the website to anywhere in the United States where we maintain facilities. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.

Security of personal information

The Company is strongly committed to protecting the security of your personal information. When you submit personal information on the Site, the Company will take all reasonable efforts in order to protect your personal information. The Company uses certain security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure once it is received. Although we implement reasonable administrative, physical, and electronic security measures designed to protect your personal data from unauthorized access, we cannot ensure the security of any information you transmit to us or guarantee that this information will not be accessed, disclosed, altered, or destroyed. We will make any legally required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data.

Cookies

Upon your acceptance of a cookie from our websites, we may collect information about your visits to the Site without you actively re-submitting acceptance of cookies. In some jurisdictions, we are not permitted to send cookies to the browser of a user without the prior consent of the affected user. In this case, we will seek such consent. The remainder of this section assumes that either the use of cookies is not restricted by applicable law or if it is restricted the individual has explicitly consented to the use of cookies. A cookie is a small text file that is placed on your hard disk by a web page server and that helps the Site to recall your specific information on subsequent visits. The use of cookies simplifies the process of delivering relevant content, eases Site navigation, and provides other similar benefits to users of the Site. When you return to the Site, the information you previously provided can be retrieved, so you can easily use the Site’s features.

You have the ability to accept or decline the use of cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the features of the Site.

Your rights

If you reside in the United Kingdom, EEA, or Switzerland, you may request that we take the following actions in relation to your personal data according to the GDPR:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data
  • Correct. Update or correct inaccuracies in your personal data
  • Delete. Delete your personal data
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice
  • Restrict. Restrict the processing of your personal data
  • Data portability. You have the right to request for the receipt or the transfer to another organization, in a machine-readable form, of your personal data
  • Object. Object to our legitimate interests as the basis of our processing of your personal data
  • Right to withdraw consent. When you have given your explicit consent for the processing of your data, you can withdraw it at any time without justification

You also have the right to lodge a complaint with your local Data Protection Authority or to the Data Protection Authority where the alleged infringement took place.

If you reside in California, you may see our California Consumer Privacy Act Notice below.

Marketing communications

You may opt out of marketing-related emails by clicking on a link at the bottom of each such email, or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails for which you have not opted out.

Istari Oncology, Inc.
430 Davis Drive, Suite 560
Morrisville, NC 27560
USA

Email: [email protected]

We will request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.

If you reside in the United Kingdom, EEA, or Switzerland and would like to submit a complaint about our use of your personal data or response to your requests regarding your personal data, you may contact our data protection officer Lucas Beal ([email protected]) or submit a complaint to the data protection regulatory authority in your country.

https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Choice/opt out

The Site provides you with the opportunity to choose to receive updates about the Company and any information we may want you to know about. You may be added to the Company’s mailing lists and signed up for certain notifications from the Company when you submit your contact information through the Site. If you would like to be removed from this list and/or opt out of these notifications, please unsubscribe using the instructions in the email or call or write us at the physical address, email address or telephone number listed below. Please allow five (5) business days for processing of your opt-out request.

If you need to correct or update your contact information, or you no longer desire our services, you can do so by contacting us using the contact information set forth below.

Links to other sites

The Site may contain links to other sites that are not affiliated with the Company. Any such link is not, and is not intended to be, an endorsement of such other website or its content and you should review the terms of use and privacy policy of such other website. These websites operate independently of the Company and the Company is not responsible for the privacy practices or the content of such websites.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time and without notice to you. All such updates shall be effective immediately unless otherwise stated. We encourage you to periodically review this Privacy Policy to stay informed about how we are helping to protect the personal information we collect. Your continued use of the Site constitutes your agreement to this Privacy Policy, as amended from time to time.

Coordination with Terms of Use

This Privacy Policy is intended solely to clarify the Company’s practices with respect to personal information and shall not in any way modify or limit the legal effect of the Terms of Use of the Site. In the event of any conflict between this Privacy Policy and the Terms of Use, the Terms of Use shall control. In particular, the Company will not be liable for any damages or injury (including, without limitation, incidental and consequential damages, personal injury/wrongful death, lost profits, or damages resulting from lost data or business interruption) that result from your use of the Site or your submission of personal information through the Site, even if there is negligence on the part of the Company or its employees. In addition, you agree to defend, indemnify, and hold the Company, its officers, directors, employees, agents, licensors, and suppliers, harmless from and against any claims, actions or demands, liabilities and settlements including without limitation, reasonable attorneys’ fees, resulting from, or alleged to result from, your submission of personal information to the Site or your unlawful collection of personal information of others through use of the Site.

Governing law and venue

This Privacy Policy shall be governed by and interpreted in accordance with the laws of the State of Delaware. Any dispute relating to this Privacy Policy shall be resolved solely in the state or federal courts located in the State of Delaware.

Limitations of Privacy Policy

This Privacy Policy explains data collection and use practices related to the Company’s website and activities specifically covered herein; it may reference other products or services of the Company. Please be aware that this Privacy Policy and any choices you make on the Site will not necessarily apply to personal information you may have provided to the Company in the context of other, separately provided, products or services.

Contact information

The Company welcomes your comments regarding this Privacy Policy. If you believe that the Company has not adhered to this Privacy Policy, please contact us electronically or via postal mail at the following address, and we will use commercially reasonable efforts to promptly determine and remedy the problem, or if you need to contact us for any other reason, you may do so using the following information:

Istari Oncology, Inc.
430 Davis Drive, Suite 560
Morrisville, NC 27560
USA

Email: [email protected]

Additional privacy notices

California

California Residents Under Age 18: If you are a resident of California under age 18 and a registered user of the Services, you may ask us to remove content or data that you have posted to the Services by emailing: [email protected].

Please note that your request does not ensure complete or comprehensive removal of the content or data, if, for example, Istari is required by law to maintain the data.

California Consumer Privacy Act Notice

Updated: September 20, 2021

Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), we provide the following details regarding the categories of Personal Information about California residents (excluding business-to-business and employee data) that we have collected or disclosed within the preceding 12 months:

We collected the following categories of Personal Information:

  • Identifiers, such as name and government-issued identifier (eg, Social Security number)
  • Personal information, as defined in the California safeguards law, such as contact and financial information
  • Characteristics of protected classifications under California or federal law, such as age, gender, medical conditions, and marital status
  • Commercial information, such as transaction information and purchase history
  • Biometric information, such as fingerprints and voiceprints
  • Internet or network activity information, such as browsing history and interactions with our websites
  • Geolocation data, such as device location
  • Audio, electronic, visual and similar information, such as call and video recordings
  • Professional or employment-related information, such as work history and prior employer
  • Education information subject to the federal Family Educational Rights and Privacy Act, such as student records and directory information
  • Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics

We collect this Personal Information directly from California residents themselves, as well as from joint marketing partners, public databases, providers of demographic data, publications, professional organizations, social media platforms, people with whom you are connected on social media platforms, caregivers, companies and other third parties that help us screen and onboard individuals for hiring purposes, and other third parties. For more information on our social media practices, please see here.

We may use this Personal Information to operate, manage, and maintain our business, to provide our products and services, for our employment purposes, and to otherwise accomplish our business purposes and objectives. Our business purposes and objectives include, for example, developing, improving, repairing, and maintaining our products and services; personalizing, advertising, and marketing our products and services; conducting research, analytics, and data analysis; maintaining our facilities and infrastructure; undertaking quality and safety assurance measures; conducting risk and security controls and monitoring; detecting and preventing fraud; performing identity verification; performing accounting, audit, and other internal functions, such as internal investigations; complying with law, legal process, and internal policies; maintaining records; and exercising and defending legal claims.

We disclosed the following Personal Information to our affiliates and third parties, such as our service providers, for our operational business purposes:

  • Identifiers, such as name and government-issued identifier (eg, Social Security number)
  • Personal information, as defined in the California safeguards law, such as contact and financial information
  • Characteristics of protected classifications under California or federal law, such as age, gender, medical conditions, and marital status
  • Commercial information, such as transaction information and purchase history
  • Biometric information, such as fingerprints and voiceprints
  • Internet or network activity information, such as browsing history and interactions with our websites
  • Geolocation data, such as device location
  • Audio, electronic, visual and similar information, such as call and video recordings
  • Professional or employment-related information, such as work history and prior employer
  • Education information subject to the federal Family Educational Rights and Privacy Act, such as student records and directory information
  • Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics

We have not “sold” Personal Information for purposes of the CCPA.

For purposes of this CCPA Notice, “sold” or “sale” means the disclosure of Personal Information for monetary or other valuable consideration but does not include, for example, the transfer of Personal Information as an asset that is part of a merger, bankruptcy, or other disposition of all or any portion of our business.

If you are a California resident, you may request that we:

Disclose to you the following information covering the 12 months preceding your request:

  • The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information
  • The specific pieces of Personal Information we collected about you
  • The business or commercial purpose for collecting Personal Information about you
  • The categories of Personal Information about you that we otherwise shared or disclosed and the categories of third parties with whom we shared or to whom we disclosed such Personal Information

Delete Personal Information we collected from you

To make a request for the disclosures or deletion described above, please contact us at [email protected]. In some instances, we may decline to honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another California resident.

You have the right to be free from unlawful discrimination for exercising your rights under the CCPA.

Nevada

Nevada Residents as Covered by Nevada Privacy Law

We do not sell Covered Information as defined under Nevada law. If you would like to make a further inquiry regarding the selling of your Covered Information, as defined under Nevada law, please contact us at [email protected].

Texas

Texas Residents

Pursuant to the Texas Health and Safety Code, Sec. 181.154, please be advised that if we receive any data that identifies you and relates to your past, present or future physical or mental health, healthcare or payment for your healthcare, such data may be subject to electronic disclosure by such means as file transfers or email.

Social Media Community Guidelines

At Istari Oncology, we use social media as part of our commitment to transparency and to support and connect with patients, healthcare professionals, advocates, and other stakeholders. Our goals are to be accurate and authentic and to share information that is important to you. The content we post is for informational and educational purposes only and is not intended to be a substitute for professional medical advice.

We encourage you to interact by following us and discussing relevant topics. However, Istari expects that followers and interactions will be respectful of others. Please read through our Social Media Community Guidelines and check back from time to time because they may change.

  • Istari cannot engage in discussions regarding medical advice, discussion about Istari products, non-Istari products, treatments, or trials due to the highly regulated industry we operate within
  • Istari may occasionally share links to third-party sites, but we do not endorse and are not responsible for content from those websites. Retweeting from Istari does not imply endorsement
  • Istari does not verify, represent, or endorse any opinions expressed by third-party organizations or individuals posting content to our social properties, and any content posted by anyone other than Istari is the responsibility of the submitter and not Istari
  • Istari social media pages are neither designed nor intended to share and record information on possible adverse events to an Istari medication; however, Istari is required to process and report this information to the appropriate regulatory authorities if you do choose to report

Possible adverse event/safety problem with an Istari product?

If you believe you may have experienced an adverse event or other safety problem with an Istari product, please contact your doctor and call Istari at (919) 245-7662. To better understand your experience, Istari may follow up with you to gather more information. Except for regulatory reporting obligations, all information shared with Istari will be kept confidential. You may also report your experience directly to the FDA by visiting www.FDA.gov/medwatch or by calling 1-800-FDA-1088.

If you are participating in an Istari-sponsored clinical trial and believe you have experienced an adverse event or other safety-related problem, please consult with your personal physician and/or study-site healthcare professional immediately.

Possible adverse event/safety problem with a non-Istari product?

If you believe you may have experienced an adverse event or other safety problem with a product that is not manufactured by Istari, please contact your doctor, the product manufacturer, and/or the FDA by visiting www.FDA.gov/medwatch or by calling 1-800-FDA-1088.

Istari will not be able to reply to all tweets, replies or comments. Additionally, we cannot address and may delete comments that are:

  • Profane, defamatory, libelous or contain offensive or demeaning language (including images, videos, and links)
  • Misleading, fraudulent, or deceptive
  • Disparaging or threatening about others
  • About specific products or treatment options
  • Disruptive to the community or are SPAM-like in nature
  • Proprietary, confidential, sensitive or contain nonpublic information about or related to Istari or any other person or company
  • Related to current or future litigation in which Istari is involved
  • Containing links, including those to videos, not owned by Istari
  • Sharing personal information about you and any connection to Istari
  • Discussing ongoing clinical studies, including trial design and protocols, enrollment, efficacy, safety, potential adverse events, side effects or related information

By posting, you are promising that your post complies with these Social Media Community Guidelines. Users who violate these terms may be blocked. Please also be aware that when you publicly comment to Istari on social media, you give us the right to use your ideas and your name/handle or posts in any way including the media, so do not post anything private or confidential.

Istari reserves the right to delete any of our social media platforms and its contents at any time. While these Social Media Community Guidelines cover the most common situations, we cannot anticipate everything. We may take actions not outlined in these Social Media Community Guidelines as deemed necessary and appropriate.

In addition to the privacy policy and terms of use of the third-party social media platform, your use of our social channels is governed by these Social Media Community Guidelines.