Effective on: November 16, 2024
1. Introduction and Scope
Upstream Bio, Inc. (“Upstream Bio”, “we”, “us”, “our”) sponsors ethically approved clinical studies (each a “Study”, and collectively, the “Studies”). We take the protection of personal information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual patients (“Data Subjects”) whose Personal Data we may receive and process in connection with the Studies that we sponsor.
Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.
This Notice does not apply to Personal Data collected by any other means or in any other contexts, like Personal Data collected through our non-patient facing, general public website(s). This Notice also does not apply to Personal Data of our employees, job applicants, contractors, business owners, officers, directors, or other medical staff, investigators, or site personnel assisting with the Studies.
If we maintain information in a manner that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Notice will not apply to our processing of that information.
2. Controllership
Within the scope of this Notice, Upstream Bio generally acts as a controller for the Personal Data processed in the context of the Studies that we sponsor. This means that we alone determine the purpose and means of the processing of your Personal Data.
In some jurisdictions, we may be considered a “joint controller” with another organization, such as the Study site (e.g., the clinic or other healthcare facility) where the Studies are being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other controllers who might be joint controllers together with Upstream Bio, you may ask your Study doctor or the Study site for further details, specifically relating to the Study in which you are participating.
3. Categories of Personal Data
Even though we are a controller for the Personal Data processed in the context of our Studies, Upstream Bio itself does not have access to identifiable Personal Data, meaning that we are unable to identify you personally from the information we have access to. Personal Data is collected by our service providers like the Study site or other third parties, such as your doctors or our clinical research organizations. When any information relating to you is shared with us by our service providers, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).
The following types of Personal Data may be processed in the context of our Studies:
You can ask your Study doctor if you are unsure whether or not any specific Personal Data that you are being asked to provide is required as part of your participation in the Study.
4. How We Receive Personal Data
We may receive your Personal Data when:
5. Purpose of Processing
We may process your Personal Data for the purposes of:
We also process your Personal Data for the specific purposes described in the informed consent form provided to you by the relevant Study personnel. If we intend to process your Personal Data for any other purposes not listed above, we will first provide you with information regarding such further processing and the associated purposes.
6. Basis of Processing
We may process your Personal Data on the basis of:
Since we process special categories of Personal Data, such as your health status and medical history, the European Union (“EU”) General Data Protection Regulation (“GDPR”) requires that we must have an additional ground to process this type of information. Upstream Bio may process your special categories of Personal Data on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Studies. For more information about the specific grounds on which we process your Personal Data, please refer to the Informed Consent Form relevant to your Study. Please contact our Data Protection Officer for more information about the legal grounds on which we process your Personal Data using the contact details provided below.
7. Automated Individual Decision-Making
If you participate in a Study we sponsor, you will be assigned a unique patient identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug or treatment that is being evaluated in the Study, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Study is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.
Other than as mentioned above, we do not, as at the date of this Notice, use automatic decision-making for decisions that may seriously impact you. To the extent that we may do so in the future, you have the “right not to be subject to automatic decision-making, including profiling”. But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.
8. Data Retention
We will retain your Personal Data until we fulfil the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations.
Once your information has been entered into the Study records, we cannot remove it without affecting the accuracy of the Study and the test results. Some laws require us to keep Study records and Personal Data contained in the clinical trial master file for at least 25 years after the conclusion of the Study. We will ensure that your Personal Data is safeguarded at all times.
9. Sharing Personal Data With Third Parties
We may share Personal Data with our service providers who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing as described in Section 5 above, or as required by law. Our service providers include parties providing:
10. International Transfers of Personal Data
Some of the abovementioned third parties may be located in countries outside of the European Economic Area (“EEA”), or the United Kingdom (“UK”). If you are in the EEA or the UK, please note that the GDPR and UK GDPR only allow us to transfer Personal Data outside of the EEA or the UK if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to the EU or UK law. In some cases, the European Commission may have determined that the laws of certain countries provide an adequate level of protection to Personal Data. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data.
We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to Personal Data when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR (or a similarly appropriate contractual transfer mechanism) and the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, as appropriate. For more information about this, please contact our Data Protection Officer using the contact details provided below.
If you are in a country outside of the EEA and the UK, please note that we will only transfer your Personal Data outside of your country in accordance with the applicable laws.
11. Other Disclosure of Your Personal Data
We may disclose your Personal Data:
If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
12. Data Integrity and Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.
13. Your Privacy Rights
You have specific rights regarding your Personal Data that we collect and process. In this section, we first describe those rights and then we explain how you can exercise them.
Right to Know What Happens to Your Personal Data
This is otherwise known as the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.
We are informing you of how we process your Personal Data with this Notice.
Right to Know What Personal Data Upstream Bio Has About You
This is otherwise known as the “right of access”. This right allows you to ask for full details of the Personal Data we hold on you.
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
Right to Change Your Personal Data
This is otherwise known as the “right to rectification”. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.
Right to Delete Your Personal Data
This is otherwise known as the “right to erasure”, “right to deletion”, or the “right to be forgotten”. This right means you can ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons (such as if the law requires us to maintain a record of your participation in a Study). If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to Ask Us to Limit How We Process Your Personal Data
This is otherwise known as the “right to restrict processing”. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
Right to Ask Us to Stop Using Your Personal Data
This is otherwise known as the “right to object”. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party).
We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
Right to Port or Move Your Personal Data
This is otherwise known as the “right to data portability”. It is the right to ask for and receive a portable copy of your Personal Data that you have given us, so that you can:
We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.
Right Related to Automated Decision Making
Other than as mentioned above, we do not, as at the date of this Notice, use automatic decision-making for decisions that may seriously impact you. However, if we do in the future, for decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect it may have on you or your Personal Data.
Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Study.
Right to Lodge a Complaint with a Supervisory Authority
If the GDPR or UK GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.
Specifically, you can lodge a complaint in the Member State of the EU of your habitual residence, place of work, or the alleged violation of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner’s Office (ICO).
Additionally, if you are in a country outside of the EEA and UK, you may have the right to lodge a complaint with the relevant enforcement authorities in your country.
How to Exercise Your Rights
If you want to exercise one or more of your rights mentioned above, please first contact your Study doctor instead of reaching out to us directly. You may also contact our Data Protection Officer, VeraSafe, by sending an email to experts@verasafe.com, or by using the information in the “Contact Us” section below. In order to correctly respond to your privacy rights requests, the Data Protection Officer will need to confirm that you made the request. Consequently, they may require additional information to confirm that you are who you say you are.
The Data Protection Officer will request the minimum amount of information from you as required to verify your request and will only request information that is already held pertaining to you. Any Personal Data you provide related to the request will only be used in order to verify your identity or authority to make the request.
14. Privacy of Children
Our Studies are generally not directed at, or intended for use by, children under the age of 13. However, to the extent that a Study participant or their partner becomes pregnant during the course of one of our Studies, we may collect and process Personal Data of the newborn baby. In that case, we will do so in accordance with the applicable laws.
15. Contact Us
If you have any questions about this Notice or our processing of your Personal Data, please first speak with your Study doctor. Upstream Bio only has access to key-coded or pseudonymized data and will therefore not be able to identify you if we receive a request from you directly. You may also contact our Data Protection Officer directly using the contact details listed in Section 17 below. Please allow up to four weeks for us to reply.
Upstream Bio can be contacted at:
Upstream Bio, Inc.
890 Winter Street, Suite 200
Waltham, MA 02451
Email: info@upstreambio.com
16. Data Protection Representative
While you may contact us at any time, our data protection representative can be contacted about matters related to the processing of your Personal Data.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
United Kingdom Representative
VeraSafe has also been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
17. Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer. While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
VeraSafe, LLC
100 M Street S.E., Suite 600
Washington, D.C. 20003 USA
Phone: +1 (617) 398-7067
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
18. Changes to this Notice
If we change this Notice, we will publish the revised Notice on our website. We will also update the “Effective” date.