Last Edited on June 08, 2022
ALLOVIR and its subsidiaries and affiliates (together, “ALLOVIR,” “we”, “our”, “us”) are committed to protecting and respecting your privacy. The purpose of this Privacy Notice is to provide you with information on how we will collect, use, disclose, protect and otherwise process personal information and to explain the rights and choices available to individuals with respect to their personal information. We are a company established in the United States with a registered Headquarters office at 1100 Winter Street, Waltham, MA 02451, and, for the purposes of the General Data Protection Regulation (the “GDPR”) and similar data protection and privacy laws, we are the data controller.
This Privacy Notice, sets out the basis on which we will process personal information we collect from you, or that you provide to us, in connection with your use of ALLOVIR website, including information provided by you by email (by using the email addresses on our " Contact " page of our website), Social media or online platforms hosted by ALLOVIR (e.g. Company page on LinkedIn or Twitter*) (together, the “Sites” and each a “Site”).
*For the use of social media, ALLOVIR will be joint-controller with LinkedIn and Twitter only for the following activities: accessing and processing statistical aggregate data provided by LinkedIn and Twitter in relation to ALLOVIR Sites. For any other processing on the platform, social media platform shall be considered as the sole data controller. LinkedIn has created an “addendum” to its user agreement for sites for the processing for which it is joint-controller with us. Such agreement is not currently provided by Twitter.
If you have provided personal data through some means other than through our Sites (for example, in connection with a clinical study sponsored by ALLOVIR in Europe in which you participate), you will have received a separate notice concerning your personal data. Please refer to that notice first if you have any concerns about our processing of your personal data, as that notice will contain important information and a designated contact person for concerns. This Privacy Notice does not cover other services that we may offer or provide, and does not cover information we receive from third parties.
By accessing the Site, you agree to be bound by this Privacy Notice. If you do not agree to the terms, please do not use the Site.
Categories of Data Subjects
We process personal data about the people visiting and interacting with our Sites.
Categories of Personal Data
We may process the following types of personal data when you send us an email request:
- Email address;
- Any information you provide by sending us an email.
We may also process aggregate statistical data from Company page on LinkedIn and Twitter.
Depending on your request and on the information provided by you, other purposes or legal bases may be relevant (for example, if we have a legal obligation to process your data). In this case, you will be informed.
Purpose of Processing
We process your personal data for the purposes of communicating with you and responding to requests, inquiries, comments, and suggestions.
Some information related to follower’s visits are collected in an aggregate way by LinkedIn and Twitter. We can access to statistics provided by LinkedIn and Twitter in order to have information on the way our page is consulted.
Basis of Processing
While responding on your request or inquiries, we process personal data on the basis that the processing is necessary for purposes of our legitimate business interest in conducting our business in a manner typical in the pharmaceutical industry. For data processing on LinkedIn and Twitter, we consider that we have legitimate interest to understand the way our page is consulted (e.g. how many times our page is consulted, from which country,…).
We take into account any potential impact and risks to your fundamental rights and freedoms in assessing these purposes. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Data Retention
In the context of visitor support and inquiries, we will process your data for the time necessary to meet your request unless legal or regulatory provisions require us to keep them longer.
Statistical information are stored by LinkedIn and Twitter and consequently subject to their retention policy. We may export statistical reports, but we guarantee that this is only in an anonymous form.
Cookies
Some of the information systems included within the scope of this Notice may use cookies. You have choices with respect to these. The cookies used by this Site can be found here.
Sharing Personal Data with Third Parties
We share personal data with our affiliates and service providers, who process personal data on behalf of ALLOVIR. Such third parties include service providers providing IT systems and infrastructure. If you would like specific information about our service providers who have received your information, please contact us at allovir.dpo@mydata-trust.info and we will provide that information to you.
For aggregate data, data are hosted on LinkedIn and Twitter servers and are subject to their Privacy Policy. We do not share statistical reports that we may own.
International Transfers
We may store and process your personal data in any country or area where we have facilities or where we engage service providers. In some cases, the European Commission may not have recognized an adequacy decision or determined that the legal environment in those countries provides a level of data protection that is essentially equivalent to the level of protection provided under European law. Transfers of your personal data to such service providers are subject to appropriate safeguards, such as the standard contractual clauses (SCCs), as approved by the European Commission. You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Data Integrity & Security
ALLOVIR has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your personal data from unauthorized processing such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Your rights to access, correct, restrict, or delete your personal data and object to processing under GDPR
If you are a resident of the EU or EEA, you have the right to information on how your personal data will be used, the right of access to your personal data (e.g., to ask the confirmation that your information is used or ask for a description of the processing), to have it corrected if the personal data we have is incorrect or incomplete, to request that we restrict the processing (while your personal data shall not be used anymore but must be kept by us during this period) or delete your personal data, the right to portability allowing you to retrieve your data in a structured, commonly used, machine-readable format, the right not to be subject to a decision based solely on automated processing and to object to our processing of your personal data.
Note that the exercise of your rights will be subject to a case-by-case analysis by our Data Protection Officer. If you wish to exercise any of these rights, or if you have any concerns about our processing of your personal data, please contact us at allovir.dpo@mydata-trust.info. We may require you to provide certain information to verify that it is you making the request. We will answer you within four weeks.
Privacy of Children
We do not knowingly collect personal data from anyone under 16. In the event that we learn that we have processed personal data from a child under age 16, we may delete the information we have stored as quickly as possible. If you believe that we might have any information from or about a child under 16, please contact us using the information provided below under the heading “Data Protection Officer”.
Supervisory Authority Oversight Under GDPR
Per GDPR, if you are a data subject whose personal data is process, you have the right to lodge a complaint with a data protection authority (“DPA”) in which you have your habitual residence, place of work or the place of the alleged infringement/violation of your rights. If you are in the EEA, find your local DPA here.
Changes to this Privacy Notice
If we make any material change to this Notice, we will post the revised Notice to this web page and update the “Effective on” date to reflect the date on which the new Notice became effective.
Contact Us - Data Protection Officer
If you have any questions about this Notice or for any questions about the processing of your personal data under the GDPR, please contact us via email at allovir.dpo@mydata-trust.info.