UPSTREAM BIO, INC.
Privacy Notice
Last Updated: November 19, 2024
Privacy Summary |
|
OUR CONTACT INFORMATION | |
UPSTREAM BIO, INC. Address: 890 Winter Street, Suite 200, Waltham, MA 02451 Email address: info@upstreambio.com Contact details of our Data Protection Officer: VeraSafe LLC, experts@verasafe.com Identity and contact details of the Representative in the EU: click here. Identity and contact details of the Representative in the UK: click here. |
|
GENERAL INFORMATION | |
Do we collect Personal Data? | YES. Some categories include identifiers such as first and last name, communication data, and internet or other similar network activity. Click here to know which categories of Personal Data we collect and how we obtain them. |
TRACKING | |
Do we use cookies or similar tracking technologies on our websites? | YES. Click here to learn more. |
PRIVACY RIGHTS | |
Can you request to receive a copy of the Personal Data we have collected about you? | YES. Click here to learn how. |
Can you request to have your data deleted? | YES. Click here to learn how. |
SECURITY | |
Do we protect your Personal Data? | YES. Click here to learn more about how we protect your Personal Data. |
1. Introduction
Upstream Bio, Inc. (“Upstream Bio”, “we”, “us”, “our”) takes the protection of your personal data (“Personal Data”) very seriously. Please read this privacy notice (the “Notice”) to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as the European Union General Data Protection Regulation (“GDPR”), and the United Kingdom General Data Protection Regulation (“UK GDPR”).
2. What Is Covered by this Privacy Notice?
This Notice addresses data subjects (which includes both individuals and households) whose Personal Data we receive directly through our website and any other sites that link to this Notice, including data subjects who contact us using any of our publicly available contact details.
3. What Is Not Covered by this Privacy Notice?
Human Resources Personal Data
This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers, and medical staff of Upstream Bio.
Information Which Does Not Constitute Personal Data
If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Notice will not apply to our processing of that information.
Clinical Study Personal Data
This Notice does not apply to the Personal Data of individuals or patients participating in any of our clinical studies, or to any medical staff, investigators, or site personnel involved in or otherwise assisting with conducting the clinical studies. To find out more about how we process the Personal Data of clinical study participants and site personnel, please refer to the Clinical Study Participant Privacy Notice and the EEA Investigators and Site Personnel Notice.
4. What Can You Find in this Notice?
This Notice tells you, among other things:
5. Our Role With Respect to Your Personal Data
Within the scope of this Notice, Upstream Bio acts as a data controller for the Personal Data we process. This means that we decide how and why Personal Data is collected and further processed.
6. What Personal Data We Process and How We Obtain It
The table below describes the categories of Personal Data we collect about you and the sources of the Personal Data.
Personal Data We Collect, Process, or Store | How We Obtain It |
Identifiers and contact details First and last name, job title, email and mailing address, and phone number. |
Directly from you. |
Communications data Information contained in communications that we exchange with you, including when you contact us with questions, feedback, or for any other purpose. |
Directly from you. |
Internet or other similar network activity Browsing history, search history, information on your interaction with our website, device type, device screen size, unique identifiers, Internet Protocol (IP) address, browser information, general location information, such as city, state or geographic area, and any other online activity data. |
We use cookies and other tracking technologies. |
We will not collect additional categories of Personal Data without informing you.
7. Lawful Bases for Processing
To use your Personal Data, we must have a valid reason, which under some laws is called the “lawful basis for processing” or “legal grounds for processing.” In the context of this Notice, we may process your Personal Data based on the following:
If we rely on legitimate interests as the reason for using your Personal Data, you can ask us for more details about why we decided to choose this legal basis. You can contact us using the contact details here. We have set out the relevant lawful basis per purpose of processing your Personal Data in Section 8 below.
8. For What Purposes Do We Use Your Personal Data?
We may process your Personal Data for the following purposes:
9. How Long We Keep Your Personal Data
We retain your Personal Data for as long as needed for the purpose we collected it and any other permitted linked purpose and in accordance with our data retention policies. For example, we will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We retain and use your Personal Data as required to meet legal obligations, resolve disputes, and enforce our agreements and policies. If we use your data for multiple purposes, we keep it until the purpose with the longest retention period expires, discontinuing use for shorter periods.
10. Sharing Personal Data with Third Parties
We share your Personal Data with certain third parties who assist us in operating our website, conducting our business, or servicing you. The categories of third parties to which we may disclose your Personal Data include:
11. International Transfers of Your Personal Data
Some of the abovementioned third parties may be located in countries outside of the European Economic Area (“EEA”), or the United Kingdom (“UK”). If you are in the EEA or the UK, please note that the GDPR and UK GDPR only allows us to transfer Personal Data outside of the EEA or the UK if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to the EU or UK law. In some cases, the European Commission may have determined that the laws of certain countries provide an adequate level of protection to Personal Data. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data.
We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to Personal Data when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR (or a similarly appropriate contractual transfer mechanism) and the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, as appropriate. For more information about this, please contact our Data Protection Officer using the contact details provided below.
If you are in a country outside of the EEA and the UK, please note that we will only transfer your Personal Data outside of your country in accordance with the applicable laws.
12. Other Disclosures of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties).
We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. In addition, we may also share your Personal Data with our professional advisors, such as our lawyers, auditors, and insurers, where necessary in the course of the professional services that they render to us. Finally, we may disclose your Personal Data to our business partners, subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use, transfer, sell, and share anonymous data for any legal purpose. Such data does not include your Personal Data. The purposes may include analyzing usage trends or seeking compatible business partners.
A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide website functionality, authentication (session management), usage analytics (web analytics), remember your settings, and to generally improve our website.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date.
In particular, Upstream Bio uses the following first-party cookies:
Cookie Name | Cookie Type | Purpose | Duration |
wpEmojiSettingsSupports | Strictly necessary | This is a WordPress cookie used to maintain the correct state of fonts, blog/image sliders, color schemes, and other website settings. | Session |
If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our website. For more information, please visit https://www.aboutcookies.org/.
How We Respond to Do Not Track or Opt-Out Signals. You may also set your browser to send a Do Not Track (DNT) signal or Global Privacy Control (GPC) signals. For more information, please visit https://allaboutdnt.com/ and https://globalprivacycontrol.org/. Please note that our website does not currently have the capability to respond to DNT signals and GPC received from web browsers.
14. What Privacy Rights Do You Have?
Depending on what jurisdiction you reside in, you may have specific rights regarding your Personal Data that we collect and process.
Right to Know What Happens to Your Personal Data
This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things. We are informing you of how we process your Personal Data with this Notice.
Right to Know What Personal Data Upstream Bio Has About You
This is called the right of access. This right allows you to (1) get confirmation of whether we process Personal Data about you; (2) ask for full details of the Personal Data we hold about you and certain related information; (3) obtain a copy or access to the Personal Data.
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
Right to Change Your Personal Data
This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.
Right to Delete Your Personal Data
This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted.
Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to Ask Us to Limit How We Process Your Personal Data
This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
Right to Ask Us to Stop Using Your Personal Data
This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party) as the lawful basis for processing.
We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
Right to Port or Move Your Personal Data
This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our website, so that you can:
We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.
Verification of Your Identity
In order to correctly respond to your privacy rights requests, we need to confirm that you made the request. Consequently, we may require additional information to confirm that you are who you say you are.
We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.
Verification of Authority
If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Upstream Bio and confirm with us that they gave you permission to submit this request.
15. Privacy of Children
Our website is not directed at, or intended for use by, children under the age of 16.
We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.
17. Right to Lodge a Complaint with a Supervisory Authority
If the GDPR or UK GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.
Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner’s Office.
18. Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Last Updated” date. By continuing to use our website after we post any of these changes, you accept the modified Notice.
If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to us by email at info@upstreambio.com, or by postal mail at:
Upstream Bio, Inc.
890 Winter Street, Suite 200
Waltham, MA 02451
Please allow up to one month for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
United Kingdom Representative
We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +44 (20) 4532 2003.
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London
SE1 7TL
United Kingdom
Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/