Last revised and effective as of: November 4, 2020
This Privacy Notice describes the privacy practices of Scholar Rock, Inc. and affiliates (collectively, “Scholar Rock”). This Privacy Notice describes how we collect, use, store and disclose (together “process”) personal data, and explains the rights and choices available to individuals. This notice applies where we are acting as a data controller with respect to the personal data of our website visitors, mobile application users, and other individuals who interact directly with Scholar Rock, or its service providers or business partners; in other words, where we determine the purposes and means of processing the personal data.
Scholar Rock may provide additional privacy notices to individuals at the time we collect their data (e.g. clinical trial participants or employment candidates) that describe our privacy practices in connection with specific activities, and will apply to the information you provide at that time, in addition to this notice.
Please note this Privacy Notice does not apply to Scholar Rock’s processing of employee or contractor data.
BY PROVIDING YOUR PERSONAL DATA TO SCHOLAR ROCK OR OTHERWISE USING OUR WEBSITES OR MOBILE APPLICATIONS, YOU ACKNOWLEDGE THAT YOU UNDERSTAND THE TERMS OF THIS PRIVACY NOTICE AND WISH TO CONTINUE TO PROVIDE YOUR PERSONAL DATA FOR THE PURPOSES DESCRIBED.
Whose personal data we collect
We collect personal data from the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other healthcare professionals, clinical trial investigators, researchers, pharmacists, contractors, consultants, job applicants, volunteers, visitors to our offices, and other individuals who interact directly with Scholar Rock or its service providers or business partners, including users of Scholar Rock websites and mobile applications.
How we collect your personal data
You directly provide Scholar Rock with most of the data we collect. We collect and process your personal data when you:
- Tell us the information in person, via phone, or via email
- Enter your personal data via our websites and mobile apps
- Use or view our websites or mobile applications via your browser’s cookies
Scholar Rock may also receive your pseudo-anonymized data indirectly from the following sources:
- Healthcare professionals, such as your doctors. Your authorization or release will be obtained prior to obtaining this information to the extent required by applicable law
- Research organizations and clinical trial investigators with whom we contract
- Public records
- Third party service providers or business partners with whom we contract
- Recruiters
Types of personal data we collect
The types of personal data we collect include:
- Health and medical information we collect in connection with managing clinical trials, conducting research, providing patient support programs, and tracking adverse event reports
- Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
- Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)
- Professional credentials, educational and professional history, institutional and government affiliations, background checks, performance reviews, and information of the type included on a resume or curriculum vitae (education and work history)
- If you are a third party with whom we have or are contemplating a contractual relationship, such as a healthcare professional, we collect publicly-available information related to your practice, such as license information, disciplinary history, prior litigation and regulatory proceedings, and other due diligence related information
- Payment-related information we need to pay for services and products that individuals may provide to us (such as tax identification number and financial account information)
- From healthcare professionals, we collect information about the programs and activities in which you have participated, our interactions with you, and the agreements you have executed with us
- Security and access credentials, such as username and password that may be created in connection with establishing an account on our websites or mobile applications
- Your photograph, social media handle or digital or electronic signature
- If you are a visitor to a Scholar Rock office location, we collect visual images captured on closed circuit television (CCTV)
- Other information you provide to us (such as in emails, on phone calls, through our websites or mobile applications, or in other correspondence)
How we use your personal data
To the extent permitted by applicable local law, we collect your personal data for the following purposes:
- Communicating with you about the products and services we offer, and responding to requests, inquiries, comments, and suggestions
- Analyzing and enhancing our communications and strategies (e.g. effectiveness of emails or our websites and mobile applications)
- Operating, securing, and improving our business (including both physical premises and digital environments)
- Developing and personalizing customer relationship management activities, including the delivery of programs and materials, as well as surveys and market research
- Staffing, facilitating, conducting and managing clinical trials
- Tracking and responding to safety and product quality concerns (including product recalls)
- Complying with regulatory monitoring and reporting obligations (including those related to adverse events, product complaints, spend transparency, and patient safety)
- Defining and managing appropriate patient engagement and enrollment activities
- Identifying, interacting, and engaging with healthcare professionals, including thought leaders and external experts
- Facilitating and improving our recruitment activities (such as processing employment applications, evaluating a job candidate for an employment activity, analyzing trends, and monitoring recruitment statistics)
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data, such as if you participate in a special program, activity, event, or clinical trial. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your personal data that we collect at that time.
Personal data we share
Scholar Rock will share your personal data with our service providers and third parties with which we contract for the purposes described in either this Privacy Notice or through a specific “in-time” privacy notice provided at the time we collect the information.
The types of individuals or entities with which we share personal data include:
- Scholar Rock affiliates and research partners
- Service providers that perform services on our behalf, including:
  - Contract research organizations that conduct clinical trials on our behalf
  - Customer service and patient support providers (including for product quality and adverse event reporting etc.)
  - Data storage and analytics and technology providers (including technology support, marketing and advertising technology providers)
  - Event planning and travel organizations that help facilitate Scholar Rock programs
- Regulators worldwide, as required by law, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting
- Healthcare professionals, researchers, academics, and public health organizations
Unless prohibited by applicable law, we may transfer your personal data as part of a corporate business transaction, such as a merger, acquisition, reorganization, joint venture or the sale of our assets. We may also transfer your personal data to a successor entity in the event of insolvency, bankruptcy or receivership.
In addition, we may share your personal data to comply with legal and regulatory requirements, comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities, and protect against fraud, illegal activity (such as identifying and responding to incidents of hacking or misuse of our websites and mobile applications), and exercise or defend legal claims.
Cookies and other automated information collection
What are cookies?
Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. For additional information about cookies, visit allaboutcookies.org.
The Automated Information that we collect from time to time includes:
- Details about the devices that are used to access our websites or mobile applications (e.g. IP address, and type of operating system and web browser)
- Dates and times of visits to, and use of, our websites and mobile applications
- Details about your interactions with emails that we may send you, including the links on which you click and your interactions with our linked sites
- Information about how our websites and mobile applications are used (such as the content that is viewed on our websites and how users navigate our pages)
- URLs that refer visitors to our websites
Web browsers may offer users of our websites the ability to disable receiving certain types of cookies; however, if cookies are disabled, some features or functionality of our websites may not function correctly. You can visit www.aboutcookies.org/how-to-control-cookies for information about cookies and how to disable them.
Legal basis for processing data
In some cases, Scholar Rock has a legitimate interest to process your personal data that we collect, such as to operate, evaluate and improve our business; to facilitate and manage clinical trials or other patient advocacy and engagement programs; to promote scholarly research; to support our clinical trial recruitment activities; to facilitate a sale of our assets, merger or acquisition; and fraud prevention. We may also process your personal data as necessary for the protection against criminal offences, safeguarding of domestic law, and the maintenance of a safe workplace for staff.
In other cases, Scholar Rock processes personal data to fulfill our contracts with our business partners, such as healthcare professionals or our research partners.
It may also be necessary for Scholar Rock to process your personal data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including enforcing the terms and conditions that govern the services we provide.
Scholar Rock’s processing of your health and other associated information may be necessary to comply with our legal obligations, and for reasons of public interest in the area of health or for scientific or historical research purposes, such as with respect to adverse event and product safety reporting.
Scholar Rock may also process your personal data as specifically permitted by applicable legal requirements, such as laws and regulations that authorize Scholar Rock to process your personal data for purposes of conducting clinical trials.
When Scholar Rock relies on consent for the processing of your personal data, we will seek your consent at the time we collect your personal data. For information on how to withdraw consent, please see the “Personal Data Access Rights” section of this Privacy Notice.
International data transfers
We may transfer your personal data to countries other than the country in which the data was originally collected for the purposes described in this Privacy Notice. The countries to which we transfer your personal data may not have the same data protection laws as the country in which you initially provided the information. When we transfer personal data across borders, we consider a variety of requirements that may apply to such transfers, but in any event we will only transfer your personal data to a destination and in a manner that ensures your personal data remains protected to the same or equivalent level as in the country of origin, including executing contracts which commit the recipient to process personal data in accordance with applicable law in the country of origin (e.g. Standard Contractual Clauses published by the EU Commission).
We operate in the United States. Our servers and offices are located in the United States, so your personal data may be transferred to, stored, or processed in the United States.
Personal data access rights
You have the right to exercise the following rights in relation to the personal data that we collected about you. Please note that if your exercise of these rights limits our ability to process your personal data, we may not be able to provide our products or services to you, or to otherwise engage with you going forward.
We will verify the identity of each individual making any request regarding personal data, to help ensure that we provide the information only to individuals to whom the personal data pertains, and allow only those individuals or their authorized representatives to exercise rights with respect to that personal data. In the event we cannot comply, fully or at all, with your request, we will notify you of the reasons.
Right to withdraw your consent
Where you provided consent to Scholar Rock to process your personal data, you may withdraw such consent by following the instructions provided at the time of collection or by contacting us using details in the Contact Us section below. In some instances, withdrawing your consent may mean we can no longer provide products or services to you or otherwise engage with you.
Right to access your personal data
You have the right to request that Scholar Rock provide copies of your personal data that we maintain about you. This includes the right to request that we disclose to you the: categories of personal data we collected about you; categories of sources from which the personal data is collected; business or commercial purpose for collecting your personal information; categories of third parties with whom we share your personal information; and specific pieces of personal information we collected about you.
Right to rectification
You have the right to request that Scholar Rock correct any errors in your personal data. You also have the right to request that we complete personal data you believe is incomplete.
Right to object to processing of your personal data
You have the right to object to our processing of your personal data.
Right to erasure
You have the right to request that we delete your personal data from our records, under certain conditions.
Right to data portability
You have the right to request that Scholar Rock transfer your personal data that we collected to another organization, or directly to you, under certain conditions.
You have the right to not be discriminated against by Scholar Rock because you exercise any of the above rights.
You have the right to file a complaint with a regulator or data protection supervisory authority in your jurisdiction.
Note about “sales”: Scholar Rock does not “sell” personal data as that term is defined under applicable privacy law. To request further information about this, email [email protected].
When submitting a request to exercise any of these rights, please describe your relationship with us and your request, with sufficient detail to allow us to properly understand, evaluate, and respond to it. We will need to verify your identity before processing your request, which may require us to request additional personal data from you.
We do not knowingly collect personal data from children under age 13 through our websites or mobile applications. If we learn that we have collected personal data directly from a child under the age of 13 through our websites or mobile applications, we will delete that information.
How we protect personal data
Scholar Rock securely stores your data and maintains reasonable and appropriate administrative, technical and physical security procedures and practices designed to protect the personal data we maintain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. However, we cannot guarantee that the measures we maintain will ensure the security of your personal data. We will keep your personal data in a form that permits identification of you for no longer than is necessary for the purposes for which it was processed.
Links to third-party websites and content
Updates to our privacy notice
You may contact us with questions, comments, or complaints about this Privacy Notice or our privacy practices, or to exercise your rights regarding your personal data processed by us. When raising a request or complaint, please provide sufficient details (including your relationship with us) and any relevant documentation. The contact information for our global Privacy Office:
Attn: Privacy Office
301 Binney Street, 3rd Floor
Cambridge, MA 02142