Personal data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If you have any questions concerning C4T’s privacy practices or wish to access or correct personal data that C4T has collected from you, please contact us as described in Section A below (“How to Contact Us”). To keep your personal data accurate, current, and complete, we will take reasonable steps to update or correct personal data in our possession.
A. HOW TO CONTACT US
|Mailing address||Email address||Phone number|
|C4 Therapeutics, Inc.
490 Arsenal Way, Suite 120
Watertown, MA 02472
For questions specifically related to our data collection or processing activities:
|Mailing address||Email address|
|C4 Therapeutics, Inc.
Attention: Legal Department
490 Arsenal Way, Suite 120
Watertown, MA 02472
B. PERSONAL DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different categories of personal data and non-personal data about you, which includes:
- Identity Data such as first name, maiden name, last name, username or similar identifier, marital status, title, social security number, date of birth and gender;
- Contact Data such as billing address, delivery address, email address and telephone number(s);
- Financial/Transaction Data such as bank account, payment card details, insurance information, payment information (or other details regarding your transactions with us) and payroll data;
- Professional or Employment-related Data such as employer and employment history;
- Technical Data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website(s) or intranet;
- Profile/Usage Data such as information regarding your communication preferences, feedback and survey responses, and details on how you use our website(s) and other services;
- Marketing and Communications Data such as your preferences in receiving materials regarding our products and services from us and our third parties; and
- Special Categories of Data such as details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
C. HOW WE COLLECT PERSONAL DATA ABOUT YOU
Direct interactions. You may voluntarily give us your personal data, such as Identity Data, Contact Data and Financial/Transaction Data, by filling in forms or by corresponding with us by mail, phone, and email or otherwise. This includes personal data you provide when you, for example:
- Contact us by email, phone or mail, either using addresses or numbers posted on our website(s) or when you contact our employees directly;
- Sign up/register on our website(s) to receive additional information;
- Give us feedback;
- Provide information to us as our business partner;
- Apply for employment or consulting opportunities with us or when you become an employee or a consultant; or
- Express interest in participating in our clinical trials or other studies and research programs.
Automated interactions. As you interact with our website(s) or use our intranet, and in some emails we may send each other, we may automatically collect Technical Data. This can include your preferences (e.g., language and the location you are in). We may also collect information about your visits to the C4T website(s), such as the length of visits to certain pages and page interaction information. Automatic technologies we use may include web server logs, cookies, pixels and web beacons that are described in Section F below (“Cookies and Other Tracking Mechanisms”).
Third parties (or publicly available sources). We may receive categories of personal data about you from various third parties and public sources as set out below, such as:
- Technical Data from analytics providers such as Google, advertising networks and search information providers;
- Contact Data and Financial/Transaction Data from providers of technical, payment and delivery services;
- Identity Data and Contact Data from recruitment agencies or publicly available sources; and
- Special Categories of Data including health data from contract research organizations (“CROs”) managing clinical research on our behalf.
D. HOW WE USE YOUR PERSONAL DATA
C4T and/or the service providers, vendors and other third parties we hire to perform services on our behalf may use your personal data to contact you to obtain more information, provide you with information that you have requested (e.g., information about a particular disease state, product, or clinical trial), use data analytics to help us evaluate and modify our existing products and services, provide additional information that we believe may be of interest to you, or comply with our regulatory and legal obligations, including but not limited to responding to legal process and other government or law enforcement agency requests.
We will only retain your personal data (which includes Personal Information for purposes of the California Consumer Privacy Act (“CCPA”) for as long as necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for personal data (including Personal Information), we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and applicable legal requirements.
Individuals located in the European Economic Area (“EEA“) or United Kingdom (“UK“), please see the “Supplemental Notice to EEA/UK Data Subjects” for additional information.
E. MARKETING AND ANALYTICS
We strive to provide you with choices regarding certain personal data uses, particularly around marketing communications. We may use your Identity Data, Contact Data, Technical Data and Profile/Usage Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and materials may be relevant for you (we call this marketing). We have established the following personal data control mechanisms:
- Opting in. You will receive marketing communications from us if you have requested information from us and opted-in to receive that marketing material.
- Consent to third-party marketing. We will get your express opt-in consent before we share your personal data with any company outside C4T for marketing purposes.
- Opting out. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you. Remember, however, that even if you opt-out of receiving these marketing communications, C4T may still email you in order to provide a product or service that you request. If you decide to opt-out from any of our services/communications, we will work to remove your information promptly, although we may require additional information before we can process your request.
Online Analytics. We may use third-party web analytics services (such as those of Google Analytics) on our website(s) to collect and analyze the information discussed above, and to engage in auditing, research or reporting. The information (including your IP address) collected by various analytics technologies described in Section F below (“Cookies and Other Tracking Mechanisms”) may be disclosed to or collected directly by service providers, who evaluate information, including by noting the third-party website from which you arrive, analyzing usage trends, assisting with fraud prevention, and providing certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on by visiting http://tools.google.com/dlpage/gaoptout.
F. COOKIES AND OTHER TRACKING MECHANISMS
We may also collect data about your use of our website(s) through the use of Internet server logs, cookies, tracking pixels, and/or other tracking technologies. As we adopt additional technologies, we may also gather additional information through other methods.
Cookies are small files that are automatically stored on your computer when you visit a website. Cookies are used to (a) recognize your device; (b) store your preferences and settings; (c) understand the web pages of the website you have visited; (d) perform searches and analytics; and (e) assist with security functions. Cookies perform many functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving the user experience.
A web server log is a file where website activity is stored. An IP address is a number assigned to your device whenever you access the Internet that allows devices and servers to recognize and communicate with each other. C4T may collect IP addresses to conduct system administration and report aggregate information, which may identify you, to affiliates, business partners, service providers and/or vendors to conduct website and application analysis and performance reviews.
Web beacons are small strings of code that are placed on websites and in email messages, and/or online ads. They are sometimes called “clear GIFs” (Graphics Interchange Format), “GIF tags,” “Action tags,” “tracking pixels” or “pixel tags.” Web beacons are most often used in conjunction with cookies to track activity on our website(s). When used in an email, web beacons enable us to know whether you have received or opened the email and may be used for other analytics, personalization, and advertising.
Web beacons, cookies and other tracking technologies do not automatically obtain your personal data. However, if you voluntarily provide personal data, these automatic tracking technologies may, for example, be used to provide further information about your activities.
Please note that you can change your settings to notify you when a cookie is being set or updated, or to block cookies altogether. For additional information, please consult your browser’s “help” section. If you choose to decline cookies, you may not be able to fully experience the features of our website(s).
G. HOW WE SHARE YOUR PERSONAL DATA
We may share your personal data with the parties set out below for the purposes set out in Section D above (“How We Use Your Personal Data”).
- Internal Parties: Individuals or groups within C4T to operate our business.
- Our partners: our partners, including other companies and academic institutions, such as those listed or referenced on our website(s).
- External Third Parties: third parties who perform services on our behalf and help further our business requirements.
- Professional advisers: advisors (e.g., lawyers, bankers, auditors and insurers) who, for example, may provide consultancy, banking, financial, legal, insurance and accounting and payroll services.
- Government Authorities: The U.S. Federal Communications Commission, U.S. Internal Revenue Service, the U.S. Food and Drug Administration, the U.S. Federal Trade Commission and other government agencies, regulators and authorities (in the U.S. and around the world) as required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of C4T, (iii) act in urgent circumstances to protect the personal safety of users of our website(s) or the public, or (iv) protect against legal liability.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We do not sell your personal data.
H. HOW WE SECURE YOUR PERSONAL DATA
We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed while it is under our control. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
No Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from our website(s) may not be secure. Therefore, you should take special care in deciding what information you send to us via e-mail. Please keep this in mind when disclosing any personal data to C4T via the Internet.
We have implemented procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where and when we are legally required to do so.
I. HOW WE RESPOND TO “DO-NOT-TRACK” SIGNALS
J. NOTICE TO CALIFORNIA RESIDENTS
California’s Shine the Light Law (California Civil Code Section 1798.83) permits California residents who are individual customers of C4T, once per year, to request certain information regarding its disclosure of “personal information” to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed in Section A above (“How to Contact Us”). Be sure to include your name and address and please reference that your request is being made under the California Shine the Light Law. You can include your email address if you want to receive a response by email. Otherwise, we will respond by postal mail within the time required by law.
K. NOTICE TO NEVADA RESIDENTS
Section 603A of the Nevada Revised Statutes permits Nevada residents who are C4T “consumers” to at any time, submit a request to an “operator” of a website in Nevada directing the operator not to make any sale of any “covered information” the operator has collected or will collect about the consumer. C4T does not currently “sell” or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to firstname.lastname@example.org to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.
L. CHILDREN’S PRIVACY
While in some instances we may collect personal data about children with the consent of a parent or guardian, such as clinical activities or for patient support programs, we do not otherwise knowingly solicit data from, or market to, children. If a parent or guardian becomes aware that his or her child has provided us with personal data, he or she should contact us as described in Section A above (“How to Contact Us”). We will take reasonable steps to delete such data from our database within a reasonable time.
We do not knowingly collect personal data from children under the age of 13 on our website(s). If you have reason to believe that a child under the age of 13 has provided personal data to C4T through our website(s), please contact us as described in Section A above (“How to Contact Us”) and we will take reasonable steps to delete it as soon as practicable.
M. LINKS TO OTHER SITES
N. SOCIAL MEDIA
O. EFFECT OF OTHER NOTICES
C4T may have additional privacy notices or terms that are tailored and more specific for the different ways your personal data is collected. For example, clinical trial subjects are provided with separate notices related to their personal data collected for the clinical trial in which they are participating. Employment applicants may also be provided with a separate privacy notice.