Effective as of November 19, 2020
Instil Bio may provide additional privacy notices to individuals at the time we collect their data. For example, we provide a specific privacy notice to clinical trial participants that describe our privacy practices in connection with conducting clinical trials. This type of an “in-time” notice will govern how we may process the information you provide at that time.
Individuals located in the European Economic Area, United Kingdom or Switzerland (collectively, “Europe”) should read the important information provided here and individuals located in California should review the information provided here.
Personal Information We Collect
Whose Personal Information We Collect
We collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists, and other individuals who interact directly with Instil Bio or its service providers or business partners, including users of websites and mobile applications..
How We Collect Personal Information
We may collect personal information:
- Directly from individuals;
- Through our websites and mobile apps;
- From healthcare professionals;
- From hospitals and medical clinics;
- From contract research organizations and clinical trial investigators;
- From government agencies or public records;
- From third party service providers, data brokers or business partners;
- From industry and patient groups and associations;
- From social media or other public forums (including adverse event information or product quality complaints); and
Types of Personal Information We Collect
The types of personal information we collect depends on the nature of the relationship you have with Instil Bio and the requirements of applicable laws. We may collect:
- Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency), in connection with managing clinical trials, conducting research, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports;
- Personal and business contact information (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information);
- Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians);
- Professional credentials, educational and professional history, and institutional affiliations;
- Payment-related information we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information);
- If you are a health care professional, we collect information about the programs and activities in which you have participated, your prescribing of our products and the agreements you have executed with us;
- Your photograph, social media handle or digital or electronic signature;
- Publicly available information (such as comments describing support for and experience with Instil Bio products);
- Automatically collected information (such as log information about you and your computer or mobile device when you access our sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our sites, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our sites);
We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide to us through our Services.
Changes to your personal information
It is important that the personal information we hold about you is accurate and current. Please let us know if your personal information changes during your relationship with us by emailing firstname.lastname@example.org.
Cookies and Similar Technologies
For information about disabling cookies, visit the Online Tracking Opt-Out Guide.
We may use Flash cookies (which are also known as Flash Local Shared Object (“LSOs”)) on our site to collect and store information about your use of our site. Unlike other cookies, Flash cookies cannot be removed or rejected via your browser settings. If you do not want Flash cookies stored on your computer or mobile device, you may be able to adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel. You should refer to the software publisher for instructions on how to complete the above task. Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications, including, potentially, Flash applications used in connection with our site.
We may also use pixel tags (which are also known as web beacons and clear GIFs) on our site to track the actions of users on our site. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on webpages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the site, so that we can manage our content more effectively.
Do Not Track Signals
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We do not currently respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
How We Use Your Personal Information
To operate our websites and mobile apps
If you use our websites or mobile apps, we may use your personal information to:
- Operate, maintain, administer, and improve the websites and mobile apps;
- Better understand your needs and interests, and personalize your experience with the websites and mobile apps;
- Provide support and maintenance for our websites and mobile apps;
- Respond to your service-related requests, questions and feedback; and
- Analyze and enhance our communications and strategies (including by identifying when emails sent to you have been received and read, as well as your interactions with us including on our websites and mobile applications).
To perform and administer clinical trials, research and product-improvement activities
We may use your personal information to facilitate our clinical trials, research, studies, and related activities that support patients or our product improvement, including to:
- Staff and manage clinical trials, including by recruiting investigators and participants;
- Track and respond to safety and product quality concerns (including product recalls);
- Support public health initiatives, symposia, conferences, and scientific, educational and volunteer events;
- Facilitate medication adherence programs;
- Define and manage appropriate patient engagement activities, and patient support programs (including to provide co-pay and other financial assistance where available);
- Identify and engage thought leaders and external experts;
- Award scholarships and grants;
- Attribute authorship to academic and promotional materials; and
- Pay for services that healthcare professionals, researchers and other individuals may provide to us.
To provide our products and services
We may use your personal information to provide Instil Bio products and services, including to:
- Manage access to our products, including where access is limited by law to licensed physicians.
To communicate with you
We may send you Instil Bio-related marketing communications such as if you request information from us or participate in our surveys, promotions or events. You may opt out of such communications by emailing email@example.com.
To comply with law
We may use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
To comply with regulatory monitoring and reporting obligations
We may use your personal information as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.
To create anonymous, aggregated, or de-identified data for analytics
We may create anonymous, aggregated, or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated, or de-identified data by excluding information that makes the data personally identifiable to you, and use that anonymous data for our lawful business purposes.
For compliance, fraud prevention and safety
We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products and services; (b) comply with our reporting and monitoring obligations (such as those related to adverse events, product complaints, patient safety and financial disclosures); (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
How We Share your Personal Information
Affiliates, Partners, and Subsidiaries
We may employ third party companies and individuals to perform services on our behalf, including:
- Contract research organizations that conduct clinical trials;
- Data storage and analytics;
- Customer service (including our medical information line) and patient support providers (including for product quality and adverse event reporting, patient co-pay assistance, medicine intake adherence programs, etc.);
- Product recall administration;
- Technology services and support (including email and web hosting providers, marketing and advertising technology providers, email and text communications providers, mobile app developers);
- Event planning and travel organizations that help facilitate Instil Bio programs; and
- Payment, shipping and fulfillment service providers.
Business Partners and Other Professionals and Organizations
We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Compliance with Laws and Law Enforcement; Protection and Safety
We may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our websites, mobile apps, products and services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data, such as if you participate in a special program, activity, event, or clinical trial. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. We will honor these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating in any programs.
Access, Review, Update Your Information
If you become aware that the personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, or if you would like to access or review your information, you may contact us at firstname.lastname@example.org.
You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email, or by sending an email with the subject line “Unsubscribe” to email@example.com. You may continue to receive service-related and other non-marketing emails.
If you gave us consent to post a testimonial on our sites, but wish to update or delete it, please contact us at firstname.lastname@example.org. We may decline your request in accordance with applicable laws.
Choosing not to share your personal information
Where we are required by law to collect your personal information, or where we need your personal information in order to provide you with our products or services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our products or services and may need to terminate our relationship with you. We will tell you what information you must provide to us by designating it as required when we request the information or through other appropriate means.
The security of your personal information is important to us. We take a number of organizational, technical, and physical measures designed to protect the personal information we collect, both during transmission and once we receive it. However, no security safeguards are 100% secure and we cannot guarantee the security of your information.
We do not knowingly collect personal information from children under age 16 through our websites or mobile applications. If we learn that we have collected personal information directly from a child under the age of 16 through our websites or mobile applications, we will delete that information as soon as practicable.
When you visit the careers portion of our website, we collect the information that you provide to us in connection with your job application. This includes business and personal contact information, professional credentials and skills, educational and work history, and other information of the type that may be included in a resume. This may also include diversity information that you voluntarily provide. We use this information to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics. We may also use this information to operate our websites, to communicate with you, to comply with law, and as otherwise necessary for compliance, fraud prevention, and safety purposes.
International Data Transfers
Instil Bio is headquartered in the United States and may have affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.
Individuals in the Europe should read the important information provided here about transfer of personal information outside of Europe.
Other Sites and Services
For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by us. These links are not an endorsement, authorization or representation that we are affiliated with that third party. We do not exercise control over third party websites or services, and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.
Attn: Privacy Office
Instil Bio, Inc
5949 Sherry Lane, Suite 820
Dallas, TX 75225
Additional Information for Individuals Who are in Europe
Controller and EU Data Representative
Instil Bio is the controller of your personal information for purposes of European data protection legislation. See the Contact Us section above for contact details. Instil Bio’s EU representative is DPO Centre and can be reached at email@example.com.
Legal basis for processing
|Processing purpose||Legal basis|
|– To provide our products and services||Where we have a contract governing this processing purpose, the processing is necessary to perform that contract, or necessary to take steps that you have requested prior to entering into the contract. In other cases, these processing activities are necessary to protect your, or another person’s, vital interests.|
|– To operate our websites and mobile apps |
– To communicate with you
To create anonymous, aggregated, or de-identified data for analytics
For compliance, fraud prevention and safety
– To perform and administer clinical trials, research and product-improvement activities
|These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).|
|– To comply with regulatory monitoring and reporting obligations |
– To comply with law
|Processing is necessary to comply with our legal obligations|
|With your consent||Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated when we requested the consent or by contacting us at firstname.lastname@example.org.|
Use for new purposes
We will retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.
European data protection laws may give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:
- Access. Provide you with information about our processing of your personal information and give you access to your personal information.
- Correct. Update or correct inaccuracies in your personal information.
- Delete. Delete your personal information.
- Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
- Restrict. Restrict the processing of your personal information.
- Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information.
You can submit these requests by email to email@example.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.
Cross-Border Data Transfer
Whenever we transfer your personal information out of Europe to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection laws, such as the specific contracts approved by the European Commission as providing adequate protection of personal information.
Please contact us at firstname.lastname@example.org for further information on the specific mechanism used by us when transferring your personal information out of Europe.
Notice to California Residents
We are required by the California Consumer Privacy Act of 2018 (“CCPA”) to provide to California residents an explanation of how we collect, use and share their personal Information, and of the rights and choices we offer California residents regarding our handling of the personal information.
Our website is directed to healthcare providers (in their business capacity) who want to learn more about our research and technologies, individuals who are interested in (or who are already) participating in our clinical trials (including as investigators and study staff), current and potential investors in Instil Bio, and candidates who wish to apply for a job with Instil Bio.
The CCPA does not apply to the information we collect in connection with clinical trials, to any health or medical information we collect that is otherwise governed by California’s Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996, or to information related to our business contacts (including healthcare providers).
California Residents’ Privacy Rights
The CCPA grants individuals whose information is governed by the CCPA the following rights. We extend these rights only to individual investors who provide information on our website.
- Access. You can request a copy of the personal information that we maintain about you.
- Deletion. You can ask us to delete the personal information that we collected or maintain about you.
Please note that the CCPA limits these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. If we deny your request, we will communicate our decision to you.
You are entitled to exercise the rights described above free from discrimination.
How to Submit a Request
If you are an investor and you would like to exercise your privacy rights:
- Email email@example.com
Identity verification. The CCPA requires us to verify the identity of the individual submitting a request to access or delete personal information before providing a substantive response to the request.
Authorized agents. Investors who are California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.
California Shine the Law. Under California Civil Code section 1798.83, California residents are entitled to ask us for a notice identifying the categories of personal customer information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request to us via email to firstname.lastname@example.org or 5949 Sherry Lane, Suite 820 Dallas, TX 75225. You must put the statement “Your California Privacy Rights” in your request and include your name, street address, city, state, and ZIP code. We are not responsible for notices that are not labeled or sent properly, or do not have complete information.
Online Tracking Opt-Out Guide
Like many companies online, we use services provided by Google and other companies that use tracking technology. Your choices for opting out of these companies’ use of your personal information for interest-based advertising include:
- Blocking cookies in your browser. Most browsers let you remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
- Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
- Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery or uBlock Origin, and configuring them to block third party cookies/trackers.
- Platform opt-outs. The following advertising partners offer opt-out features that let you opt-out of use of your information for interest-based advertising:
- Google: https://adssettings.google.com
- Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:
Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt-out on every browser and device that you use.