Last updated: 14 February 2024
Please Read Carefully Prior to Using This Website
Ultragenyx Pharmaceutical Inc. with registered offices at 60 Leveroni Court, Novato, CA 94949 (hereinafter “Ultragenyx” or “we” or “us” or “our”) respects the privacy of visitors to its websites and values the confidence of its customers, partners, patients, and employees.
This Policy does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals (see CCPA Notice for Personnel).
Collection & Processing of Personal Information
We have collected the following categories of personal information from consumers, including within the preceding twelve (12) months:
|1. Identifiers, such as name, alias, online identifiers, account name, physical characteristics, or description;
|We collect names, addresses, phone numbers, email addresses, and account names (collectively, “Contact Information”) of patients, caregivers, health care professionals (“HCPs”) and others when you communicate with us or to provide our products and services. We collect identifiers about HCPs, such as license number and NPI number, for regulatory compliance purposes. From our shareholders, we collect the information required for regulatory compliance and communications, such as name, address, Social Security number, and email address. From our HCP shareholders, we also collect the physician type (e.g., MD, DO), specialty, and license and NPI numbers. We may automatically collect your Internet Protocol address when you visit our Sites to improve our products, services, and communications (see More About Cookies below).
|2. Contact and financial information, including phone number, address, email address, financial information;
|We collect names, Contact Information, and professional affiliations of HCPs to provide and promote our products and services, to process grant applications, and for the other business purposes listed below. We collect patients’ and caregivers’ names, Contact Information, physical characteristics or description, and other information to provide and improve our products, services, and communications and for safety, quality and the other business purposes listed below.
|3. Medical Information and health insurance information
|We collect patients’ and caregivers’ medical information to provide and improve our products, services, and communications and for safety, quality and the other business purposes listed below.
|3. Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
|We obtain information about patients’ age, gender, language preferences, and diagnosis codes to improve our product quality and safety and for the other business purposes listed below.
|4. Commercial information, such as transaction information, payment information, tax withholding information and purchase history;
|We obtain transactional data pertaining to our products to comply with our legal obligations, to improve our products and services, and for the other business purposes described below. This includes but is not limited to, tax returns, annual income, copay information, and shipment records.
|5. Internet or other electronic network activity information, such as browsing history, search history and interactions with our websites or advertisements;
|6. Geolocation data, such as device location;
|We collect and use generalized location information to improve our product offerings, to comply with our legal obligations, and for the other business purposes listed below.
|7. Professional or employment-related information, such as specialty, education history, professional qualifications, work history and prior employer;
|We may obtain information about the institutional affiliations and other professional information of HCPs to provide our products and services and for the other business purposes described below. We may obtain information about employers for insurance purposes.
|8. Audio, electronic, visual and similar information, such as call and video recordings;
|If you call us, we may collect an audio recording of the phone conversation or voicemail with you in order to improve our services. We may also collect text or call logs. If you choose to provide it, we may also collect a pronunciation of your name.
|9. Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
|We may collect information reflecting a person’s preferences, characteristics, or behavior in order to improve or promote our products or services or for the other business purposes described below.
Some of the information we collect may be considered Sensitive Personal Information in some circumstances including:
- Government identifiers (social security, driver’s license, state identification card, or passport number).
- Complete account access credentials (usernames, account numbers, or card numbers combined with required access/security code or password).
- Precise geolocation.
- Racial or ethnic origin.
- Religious or philosophical beliefs.
- Union membership.
- Genetic data.
- Mail, email, or text messages contents.
- Health, sex life, or sexual orientation information.
We collect Sensitive Personal Information in accordance with applicable law. For example, we use Sensitive Personal Information to provide the products and services you request, such as to enroll you in patient assistance programs and related email lists, if you ask us to do so, or for purposes that do not infer characteristics about you. In the event we collect Sensitive Personal Information, we do not use or disclose Sensitive Personal Information for any purpose other than those permitted by applicable law.
Sources from Which We Collect Personal Information
We may obtain the categories of personal information listed above from the following categories of sources:
- Directly from you. For example, from forms you complete or products and services you purchase.
- Indirectly from you. For example, from observing your actions on our Sites using cookies.
- From third-party service providers. For example, we obtain demographic data from a third-party service provider to use for marketing analytics.
- From health care providers. We may obtain some personal information if a healthcare provider makes a report to us about one of our products, in compliance with applicable laws.
- Other Sources. Including advertising networks; internet service providers; data analytic providers; government entities; operating systems and platforms; social networks; or data brokers.
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following purposes:
- To fulfill or meet the reason you provided the information (i.e., responding to inquiries, payment requests, ordering and delivery processing)
- To provide, support, and develop our Website, products, and services.
- To create, maintain, customize, and secure your account with us.
- To process your requests, purchases, transactions, and payments and prevent transactional fraud.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
- To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the applicable laws.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users/consumers is among the assets transferred.
- Otherwise accomplishing our business purposes and objectives.
Categories of Personal Information We Disclose to Vendors & Third Parties
We are committed to maintaining your trust, and we want you to understand when and with whom we may share the information we collect. The third parties with which we may share your personal information include:
- Authorized U.S., and other foreign third-party vendors and service providers. We may share your information with third-party vendors and service-providers that help us with specialized services, including billing, payment processing, customer service, email deployment, business analytics, marketing, advertising, performance monitoring, hosting, and data processing.
- Corporate affiliates. We may share your information with our corporate affiliates that are subject to this policy for the purposes set out above.
- Business transfers. We may share your information in connection with a completed or proposed corporate transaction, such as the sale of all or part of Ultragenyx, a merger, consolidation, asset sale, or in the unlikely event of bankruptcy.
- Legal purposes. We may disclose information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, or as otherwise may be required or permitted by applicable law, and to protect and defend the rights, interests, health, safety, and security of Ultragenyx, our affiliates, users, or the public.
- With your consent or at your direction. We may share information for any other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction. Where you choose to post information in the form of public comments, this information shall be accessible by members of the public.
We may transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, liquidation, or other corporate restructuring).
Furthermore, Ultragenyx may share aggregated, non-personally identifiable statistical and other information about users to third parties for legitimate business purposes, including commercial purposes, but in such cases will not identify you or any other specific individual.
We do not disclose personal information of our users to third parties for their direct marketing purposes.
We do not sell personal information or share personal information for cross-context behavioral advertising (targeted advertising).
Automatic Information Collection and Use
We combine the information we receive when you visit our Website with other information we have collected, including other information we have received from you and information received from publicly and commercially available sources.
Do-Not-Track Signals and Similar Mechanisms:
Some mobile and web browsers transmit “do-not-track” signals to websites. Because of differences in how web browsers incorporate and activate this feature, it’s not always clear whether users intend for these signals to be transmitted, or whether they’re even aware of them. We currently don’t take action in response to these signals.
Data Subject Rights
In accordance with applicable law, you may have the right to request opting out of receiving commercial email messages from us. You can exercise this right by following the instructions contained in those email messages.
You may have certain additional rights available to you under local laws. These may include:
- Right to Access or Know: You may have the right to know what personal information we have collected about you, including, in some cases, in a portable format, and to receive certain information about our collection and use of your personal information to you.
- Right to Delete: You may have the right to request that we delete your personal information that we collected from you and retained.
- Right to Correction: You may request that we correct any inaccurate personal information we maintain about you.
To exercise your rights, please submit a request by either:
Only you, or someone legally authorized to act on your behalf, may make a request to exercise a right related to your personal information. These rights are not absolute. For example, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
If you are not satisfied with how we process your Personal Information, you may address your request to our data protection officer at [email protected], who will investigate your concern. Please enclose a copy of or otherwise specifically reference the decision you want to appeal.
We will not discriminate against you for exercising your rights and choices, although some of the functionality and features available on the Website may change or no longer be available to you. Any difference in the services is related to the value provided.
We will retain your personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you and provide the Service to you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).
International Data Transfers
Ultragenyx is a company based in the U.S., and your use of our Website and Service will involve the transfer, storage, and processing of your personal information in U.S. Ultragenyx only transfers your personal information to a third party or overseas when it is satisfied that adequate levels of protection are in place to protect the integrity and security of any information being processed, in compliance with applicable privacy and data protection laws.
For individual resident in the European Economic Area (“EEA”) and United Kingdom (“UK”) only: Some recipients of the information we collect are located outside of the EEA and UK, including in countries that may not provide the same level of data protection as in the country where you reside. Where it is subject to the EU GDPR or its UK equivalent, Ultragenyx shall take appropriate steps to ensure that such recipients are bound to duties of confidentiality and we implement measures such as Standard Contractual Clauses approved by the European Commission to ensure that any transferred personal information, remains protected and secure. A copy of these clauses can be obtained by contacting us at the address listed below in the “Contact information” section.
Use by Minors
We do not knowingly collect any personal information from minors, as defined by applicable law in your jurisdiction, without parental consent, unless permitted by law. If we learn that a minor has provided us with personal information, we will delete it in accordance with the applicable law. We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under the age of sixteen.
Visitors below the age of majority in your jurisdiction must obtain permission from their parent or guardian before registering on this Website, sending any personal information, participating in online discussions, or submitting content to this Website. Unless otherwise specified, you must be at least the age of majority in your jurisdiction to participate in any online promotion or contest. Ultragenyx may restrict the ability of any visitor to submit content or to access any part of the Website at Ultragenyx’ sole discretion.
Ultragenyx will apply reasonable and appropriate technical, administrative, and physical safeguards designed to protect the information collected through its websites against loss, interference, misuse, unauthorized access, disclosure, alteration, or destruction. Ultragenyx also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate complete and current, and it seeks to ensure its service providers do the same. However, please be aware that there is always some risk involved when submitting data over the Internet. No such measure is ever 100% effective, we cannot guarantee the security of our database is 100% safe from illegal tampering or “hacking.” If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you have with us has been compromised), please immediately notify us in accordance with the “Contact Information” section below.
Links to Third Party Sites
If you have any questions or comments about this notice, the ways in which Ultragenyx collects and uses your information described here, your choices and rights regarding such use, or wish to exercise your rights under California or other laws, please do not hesitate to contact us at:
Ultragenyx Pharmaceutical Inc. 60 Leveroni Court, Novato, CA 94949
Our data protection officer can also be contacted by email at [email protected] and by post at the same address above, addressed for the attention of the Data Protection Officer.
If you need to access this Policy in an alternative format due to having a disability, please contact [email protected] and 1-888-756-8657.
Addendum for Individuals Resident in the EEA and UK
In the event the Website is subject to the EU GDPR or its UK equivalent, besides the rights described above, you may have additional rights. This includes a right to object to our processing of your data, a right not to be subject to automated decision-making having legal or equivalent effects, and a right to restrict our processing of personal information where certain conditions apply. If you would like to exercise or inquire about such rights, you may contact us as indicated in the “Contact Information” section. We will respond to your request consistent with applicable law.
In the table below, we have specified the legal bases we rely upon for specific data processing purposes. Please read this table in conjunction with the section “Collection & Processing of Personal Information” above, which provides additional information on the categories of personal information we collect and process. Where legitimate interests are relied upon, the legitimate interests are to fulfill the processing purpose(s) indicated in that column, or as otherwise specified below.
Personal Information Categories
To fulfill or meet the reason you provided the information (i.e., responding to inquiries, payment requests, ordering and delivery processing)
To provide, support, personalize, and develop our Website, products, and services.
Our legitimate interests.
To create, maintain, customize, and secure your account with us.
Our legitimate interests.
To process your requests, purchases, transactions, and payments and prevent transactional fraud.
To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
Our legitimate interests.
To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message.
To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
Our legitimate interests.
For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
Our legitimate interests.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
Any information required in a valid request or legally binding order from law enforcement, a court, or other governmental authority.
As described to you when collecting your personal information or as otherwise set forth in the applicable laws.
Any of the categories of personal information described above.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users/consumers is among the assets transferred.
Any of the categories of personal information described above.
Otherwise accomplishing our business purposes and objectives.
Any of the categories of personal information described above.
Where we rely on consent as our legal basis for processing your personal information, you may withdraw your consent at any time.
You also have the right to lodge a complaint with your data protection authority.
Supplemental Notice to California Residents
For information about the categories of personal information we may collect, including in the preceding 12 months, and the sources from which personal information is collected, please see our “Collection & Processing of Personal Information” section above.
For information about the purposes for which we collect personal information, please see our “Use of Personal Information” section above. We may use all the categories of personal information we collect for these purposes, although this may vary based on the nature of the relationship you have with us. You may also learn about our retention practices in our “Retention Period” section above.
For information about the third parties to which we have disclosed personal information, including in the preceding 12 months, please see our “Categories of Personal Information We Disclose to Vendors & Third Parties” section above. We may disclose all the categories of personal information we collect with these third parties, although this may vary based on the nature of the relationship you have with us.
For more information about the rights you have and how to exercise these rights, please see the “Data Subject Rights” section above.
Only you, or someone legally authorized to act on your behalf, may make a request to exercise a right related to your personal information. If you want to make a request as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide us with proof that you have been authorized by the California resident on whose behalf you are making the request, which may include signed permission provided by such California resident.
Consistent with applicable law, Nevada and Washington residents may have the following rights described above under the “Data Subject Rights” section with respect to their consumer health data. In addition, they may have the following additional rights:
- Right to Withdraw Consent From Sharing of Consumer Health Data: Consistent with applicable law, you may have the right to withdraw consent from certain activities involving our collection and sharing of you consumer health data. Withdrawing consent does not affect the lawfulness of processing based on consent before it is withdrawn.
- Right to Cease Collection and Sharing of Consumer Health Data: Consistent with applicable law, you may have the right to instruct us to cease certain activities that involve the collection and sharing of your consumer health data.
To exercise any right you may have, please submit a request as outlined in the “Data Subject Rights” section above.
Subject to applicable law, you may appeal our decision on your data subject requests. Please contact us at [email protected]. Please enclose a copy of or otherwise specifically reference the decision you want to appeal.