Privacy Policy
Introduction
Andelyn Biosciences, Inc. (“Andelyn,” “our,” “us,” or “we”) values your privacy and the protection of your personal data. This Policy explains how Andelyn collects, uses, shares, transfers, and processes data collected from or about you.
“Personal Data” is any information that can be used to, directly or indirectly, identify an individual or that can be reasonably expected to link to an individual. This can include information such as a name, address, telephone number, credit card details, email address, ID number, Internet Protocol (“IP”) address of an electronic device used by an individual, or other identifying code (even absent of other identifying information). Statistical, anonymized, or non-identifiable metric data are not considered Personal Data.
Andelyn is a “data controller” (or equivalent under applicable law) responsible for the processing of your Personal Data. In general, our processing of Personal Data is designed to improve the purchasing experience of our customers, to provide relevant information about our products, services, and promotions, to assist with recruitment, and for you when you contact us with your feedback, questions, comments, and/or concerns.
Scope
This Policy describes the types of Personal Data that we may collect, process, or disclose about you and how you may govern this processing by exercising applicable legal rights. This Policy applies to both online and offline information collection, including your use of websites or subdomains operated by us, any mobile applications, when we provide products and/or services to you or notify you about prospective items of interest and in other situations where you interact with us in-person, by telephone, or by mail where this Policy is posted or referenced.
There may be occasion where you have been provided with a circumstance-specific privacy notice that is separate from this Policy, such as privacy notices for specific activities such as recruitment. To the extent you were provided with a different notice, those notices apply and govern our interactions with you. If you provide Personal Data about parties other than yourself, you are responsible for ensuring their knowledge of how we will process their personal data, and, where applicable, obtaining any necessary consents required in advance.
We are committed to processing Personal Data in accordance with applicable laws. Please note that if you do not wish to provide your Personal Data to us, some products and/or services may become unavailable to you. Your use of any or all these platforms indicates you have been notified of our collection, use, transfer, and disclosure of your information as described in this Policy to the extent permitted by applicable law.
Your Information
We connect with individuals for many different reasons. Those interactions may result in us, directly or indirectly, gaining access to Personal Data about you. The below table summarizes how we may collect, process, and use Personal Data, our legal basis for processing your information, and the potential recipients of your information. Please note, not all instances may be applicable in all circumstances.
General Categories of Personal Data Collected
The below table denotes the categories and sources of Personal Data that may be processed under this Policy in addition to the purposes and legal bases for such processing. Please note that the items contained within this table may be shared, received, or processed by Andelyn, our partners that assist us in providing the products or services or help us improve our marketing or administration, persons with the legal right to access the Personal Data, and Parties involved in potential business transactions.
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
First and last name, email address, postal address, phone number, job title, professional license numbers, account username and password, IP address, and national provider identifier or state license number | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to offer or provide our products and services; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; promoting quality and safety of medical products/ services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
Age, gender, marital status, disability, and date of birth | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
Transaction records, products and services (purchased, obtained, or considered), requested documentation, customer service records, financial transaction history, transfers of value, and financial account number | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
Job title or position, employer, National Provider Identifier number, work skills, employment history, graduate degree, certification, specialized training, responses to surveys and questionnaires, and enrollment history for our education and training events, LinkedIn profile | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
IP addresses, browser type, browser language, device type, advertising IDs associated with your device (such as Apple’s Identifier for Advertising (IDFA) or Android’s Advertising ID (AAID)), the date and time you use our products and services, Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our products and services, activity on our products and services and referring websites or applications, data collected from cookies or other similar technologies, and geolocation information | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting in medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
---|---|---|---|
Information regarding your treatment, including your date of birth, sex/gender, treatment dates, medical history, and treatment information, patient-reported outcome measures (e.g., responses to questionnaires and surveys), X-rays, magnetic resonance imaging, medical scans, user activity, pictures and videos of treatment activities, therapy completion and use details, and communications with your Healthcare Provider and/or patient, including audio and/or video from telehealth sessions, allergy information; Medical Insurance Information and details pertaining thereto | Directly from you; from your devices; from our business partners; from publicly available sources; from an affiliate of Andelyn | To provide you with our Products and Services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our Products and Services; to improve our Products and Services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Disclosure of Your Personal Data
We may have to share your personal data with the parties set out below:
- Service providers who provide IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers.
- Government bodies that require us to report processing activities.
- Third parties to whom we sell, transfer, or merge parts of our business or our assets.
We require all third parties to whom we transfer your data to respect the security of your Personal Data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
Data Security
We have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorization. Additionally, we monitor our environment for potential vulnerabilities and have implemented controls which require our service providers and other third parties to have appropriate safeguards to protect your Personal Data. We have procedures in place to deal with any suspected personal data breach and may notify you and/or any applicable regulator of a breach if required under applicable law. Despite taking commercially reasonable precautions, no security measures are impenetrable, and no method of data transmission can be guaranteed to be 100% secure from interception or other type of misuse.
Aggregated, Anonymized And De-Identified Data
Andelyn may process anonymized/de-identified data. This is data for which the characteristics that can identify you, directly or indirectly, have been removed such that you are no longer identifiable, and this information is no longer considered Personal Data under data protection laws. We rely on our legitimate business interest, scientific or historical research and/or statistical purposes, consent, or other purposes that may be required or allowed by law as the legal basis to anonymize Personal Data. We may also obtain and use certain types of combined data sets such as demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your Personal Data but does not, directly or indirectly, reveal your identity. For example, we may aggregate certain information technology-related data of yours with others’ data to calculate the percentage of users accessing a specific feature on our website. We may use Aggregated Data for any purpose without restriction. However, if we re-combine or re-connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Policy.
Combining Information
We combine information we collect on the website with information we receive from you in person, by email, or by other forms of communication. We also combine information you provide with information we obtain from third parties, service providers, publicly available sources, and our subsidiaries, affiliates, or related companies.
Information Collected From Children
Our sites and apps are meant for adults. We do not knowingly collect Personal Data from children 17 years old or younger without permission from a parent or legal guardian. If you are a parent or legal guardian and think your child has given us information, you can email or write to us using the details in the Contact Us section below.
Information Storage
We may transfer, process, and store your information to the U.S., Canada, India, European Union [member states], the United Kingdom, or other countries. Our affiliates or other third-party service providers may also transfer, process, or store your information in the U.S. or other countries. Our sites and businesses may be subject to U.S. laws, which may not afford the same level of protection as those in your country.
Cross Boarder Data Transfers
We may transfer your Personal Data to recipients in countries other than the country in which your Personal Data was originally collected. When we transfer your Personal Data in such a manner, we take steps for your data to be protected consistent with the laws and requirements in your country, including the requirements that apply to cross-border data transfers. We implement appropriate technical and organizational measures to provide a level of security appropriate to the risk of protecting your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. As is the case with all websites, applications, products, and services, we unfortunately cannot guarantee security of the data collected at all times.
Sale or Transfer of Data
If we are involved in a sale or transfer of all or some of our business assets or operations via a share or asset transaction, your Personal Data may be transferred to the acquiring organization who will be required to take at least the same or higher standards of care in the treatment of your Personal Data. Should such a sale or transfer occur, if required by law, you will be informed about this and may withdraw your consent to or, as applicable, instigate any other legally available rights as detailed in the Your Rights and Choices section of this Policy with regards to the processing and use of your Personal Data by the transferee.
Cookies, Web Beacons, and Other Tracking Tools
As outlined in the table above your interaction with our websites is an additional source for collecting your information. We may use “cookies”, web beacons, and other technologies to help us evaluate and improve the content or functions of the products or services we provide. We collect your information through several methods:
- Web beacons
- Pixels
- Tags
- Tracking Cookies
- Marketing Cookies
- Analytic Cookies
- Social Media Cookies
Our Cookie Policy provides more detailed information about this topic and how we use cookies to enhance your experience and better serve you.
Third Party Links and Tools
We may link to other sites or apps on our platforms that we do not control. If you click on a third-party link, you will be taken to a platform we do not control. This Policy does not apply to the privacy practices of that website or platform. Read other companies’ privacy policies carefully. We are not responsible for these third parties. Our site may also serve third-party content that contains their own cookies or tracking technologies. We do not control the use of those technologies.
Data Retention
We will retain Personal Data for as long as is necessary to carry out the purposes for which the Personal Data was collected or for the period prescribed by applicable laws, whichever is longer. In considering how long to retain your Personal Data the following are considered:
- The potential risk of harm if the data was subject to unauthorized use or disclosure;
- The volume and sensitivity of the Personal Data;
- Applicable legal requirements; and
- If circumstances have changed such that the purposes for which the Personal Data was collected can be achieved by other means.
When the retention of your Personal Data is no longer required, we will delete or anonymize the Personal Data as per the details provided above.
Your Rights and Choices
Some jurisdictions such have provided individuals with rights in relation to the processing of their Personal Data. These rights are not available to everyone, and they do not necessarily apply in all contexts. Depending on the applicable law or the legal basis, you may have the right to:
- Object to the processing of your Personal Data;
- Request access to your Personal Data;
- Request correction of your Personal Data should your Personal Data be inaccurate, incomplete, or obsolete;
- Request erasure/deletion of your Personal Data;
- Withdraw your consent to future processing where we processed Personal Data on the basis of your consent;
- Request restrictions on the processing of your Personal Data, including restricting the sale of or sharing of your Personal Data;
- Request the transfer of your Personal Data to yourself or a third party;
- Opt-out of certain transfers to third parties.
To exercise a right that you believe you may be entitled to under applicable law, you can contact us directly by submitting a request through this webform or by contacting us using the information provided in the Contact Us section of this Policy. We may need to verify your identity before we fulfil your request or, under applicable law, we may be unable to action your submission. We shall notify you in a timely manner of such decisions or requirements as necessary.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
California Residents. Our California Consumer Rights Notice provides an overview of how consumers in California receive certain privacy rights and protections.
Filing a Complaint. If you are not able to resolve a problem directly with us and wish to make a formal complaint, you can contact your local data protection authority or other enforcement authority.
Contact Us
If you have any questions about this Policy or our data practices, you can write to us at:
1180 Arthur E. Adams Dr.
Columbus, Ohio 43221
Attn: Chief Compliance Officer
Alternatively, you can email us directly at compliance@andelynbiosciences.com.
Policy Updates
From time to time, we may change this Policy and our privacy policies. The most updated copy will be found on our website. Please check our site periodically for updates.