PRIVACY POLICY

Last updated: 14 February 2024

Please Read Carefully Prior to Using This Website

Ultragenyx Pharmaceutical Inc. with registered offices at 60 Leveroni Court, Novato, CA 94949 (hereinafter “Ultragenyx” or “we” or “us” or “our”) respects the privacy of visitors to its websites and values the confidence of its customers, partners, patients, and employees.

This Privacy Policy sets forth Ultragenyx’s practices regarding the collection, use, and disclosure of personal information through this site (the “Website”), and the rights you have in relation to such information. By continuing to use the Website, you acknowledge that Ultragenyx processes your personal information as described in this Privacy Policy. Please read this entire Privacy Policy before using this Website or submitting personal information to Ultragenyx through this Website.

If you submit any personal information relating to another individual to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

This Policy does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals (see CCPA Notice for Personnel).

Collection & Processing of Personal Information

We have collected the following categories of personal information from consumers, including within the preceding twelve (12) months:

Category Examples Collected
1. Identifiers, such as name, alias, online identifiers, account name, physical characteristics, or description; We collect names, addresses, phone numbers, email addresses, and account names (collectively, “Contact Information”) of patients, caregivers, health care professionals (“HCPs”) and others when you communicate with us or to provide our products and services. We collect identifiers about HCPs, such as license number and NPI number, for regulatory compliance purposes. From our shareholders, we collect the information required for regulatory compliance and communications, such as name, address, Social Security number, and email address. From our HCP shareholders, we also collect the physician type (e.g., MD, DO), specialty, and license and NPI numbers. We may automatically collect your Internet Protocol address when you visit our Sites to improve our products, services, and communications (see More About Cookies below). Yes
2. Contact and financial information, including phone number, address, email address, financial information; We collect names, Contact Information, and professional affiliations of HCPs to provide and promote our products and services, to process grant applications, and for the other business purposes listed below. We collect patients’ and caregivers’ names, Contact Information, physical characteristics or description, and other information to provide and improve our products, services, and communications and for safety, quality and the other business purposes listed below. Yes
3. Medical Information and health insurance information We collect patients’ and caregivers’ medical information to provide and improve our products, services, and communications and for safety, quality and the other business purposes listed below. Yes
3. Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status; We obtain information about patients’ age, gender, language preferences, and diagnosis codes to improve our product quality and safety and for the other business purposes listed below. Yes
4. Commercial information, such as transaction information, payment information, tax withholding information and purchase history; We obtain transactional data pertaining to our products to comply with our legal obligations, to improve our products and services, and for the other business purposes described below. This includes but is not limited to, tax returns, annual income, copay information, and shipment records. Yes
5. Internet or other electronic network activity information, such as browsing history, search history and interactions with our websites or advertisements; We collect information about how HCPs, patients, and other visitors browse or search our Sites, for our brands, or for our products. We use cookies and similar technologies that may identify visitors. (See More About Cookies below.) Yes
6. Geolocation data, such as device location; We collect and use generalized location information to improve our product offerings, to comply with our legal obligations, and for the other business purposes listed below. Yes
7. Professional or employment-related information, such as specialty, education history, professional qualifications, work history and prior employer; We may obtain information about the institutional affiliations and other professional information of HCPs to provide our products and services and for the other business purposes described below. We may obtain information about employers for insurance purposes. Yes
8. Audio, electronic, visual and similar information, such as call and video recordings; If you call us, we may collect an audio recording of the phone conversation or voicemail with you in order to improve our services. We may also collect text or call logs. If you choose to provide it, we may also collect a pronunciation of your name. Yes
9. Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and We may collect information reflecting a person’s preferences, characteristics, or behavior in order to improve or promote our products or services or for the other business purposes described below. Yes

Some of the information we collect may be considered Sensitive Personal Information in some circumstances including:

  • Government identifiers (social security, driver’s license, state identification card, or passport number).
  • Complete account access credentials (usernames, account numbers, or card numbers combined with required access/security code or password).
  • Precise geolocation.
  • Racial or ethnic origin.
  • Religious or philosophical beliefs.
  • Union membership.
  • Genetic data.
  • Mail, email, or text messages contents.
  • Health, sex life, or sexual orientation information.

We collect Sensitive Personal Information in accordance with applicable law. For example, we use Sensitive Personal Information to provide the products and services you request, such as to enroll you in patient assistance programs and related email lists, if you ask us to do so, or for purposes that do not infer characteristics about you. In the event we collect Sensitive Personal Information, we do not use or disclose Sensitive Personal Information for any purpose other than those permitted by applicable law.

Sources from Which We Collect Personal Information

We may obtain the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Sites using cookies.
  • From third-party service providers. For example, we obtain demographic data from a third-party service provider to use for marketing analytics.
  • From health care providers. We may obtain some personal information if a healthcare provider makes a report to us about one of our products, in compliance with applicable laws.
  • Other Sources. Including advertising networks; internet service providers; data analytic providers; government entities; operating systems and platforms; social networks; or data brokers.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information (i.e., responding to inquiries, payment requests, ordering and delivery processing)
  • To provide, support, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the applicable laws.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users/consumers is among the assets transferred.
  • Otherwise accomplishing our business purposes and objectives.

Categories of Personal Information We Disclose to Vendors & Third Parties

We are committed to maintaining your trust, and we want you to understand when and with whom we may share the information we collect. The third parties with which we may share your personal information include:

  • Authorized U.S., and other foreign third-party vendors and service providers. We may share your information with third-party vendors and service-providers that help us with specialized services, including billing, payment processing, customer service, email deployment, business analytics, marketing, advertising, performance monitoring, hosting, and data processing.
  • Corporate affiliates. We may share your information with our corporate affiliates that are subject to this policy for the purposes set out above.
  • Business transfers. We may share your information in connection with a completed or proposed corporate transaction, such as the sale of all or part of Ultragenyx, a merger, consolidation, asset sale, or in the unlikely event of bankruptcy.
  • Legal purposes. We may disclose information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, or as otherwise may be required or permitted by applicable law, and to protect and defend the rights, interests, health, safety, and security of Ultragenyx, our affiliates, users, or the public.
  • With your consent or at your direction. We may share information for any other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction. Where you choose to post information in the form of public comments, this information shall be accessible by members of the public.

We may transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, liquidation, or other corporate restructuring).

Furthermore, Ultragenyx may share aggregated, non-personally identifiable statistical and other information about users to third parties for legitimate business purposes, including commercial purposes, but in such cases will not identify you or any other specific individual.

We do not disclose personal information of our users to third parties for their direct marketing purposes.

We do not sell personal information or share personal information for cross-context behavioral advertising (targeted advertising).

Automatic Information Collection and Use

Our Website also uses cookies and other tracking technologies to automatically collect information about how you use the Website. For more information about how we and third parties use cookies on our Website, please see our Cookie Policy.

We combine the information we receive when you visit our Website with other information we have collected, including other information we have received from you and information received from publicly and commercially available sources.

Do-Not-Track Signals and Similar Mechanisms:

Some mobile and web browsers transmit “do-not-track” signals to websites. Because of differences in how web browsers incorporate and activate this feature, it’s not always clear whether users intend for these signals to be transmitted, or whether they’re even aware of them. We currently don’t take action in response to these signals.

Data Subject Rights

In accordance with applicable law, you may have the right to request opting out of receiving commercial email messages from us. You can exercise this right by following the instructions contained in those email messages.

You may have certain additional rights available to you under local laws. These may include:

  • Right to Access or Know: You may have the right to know what personal information we have collected about you, including, in some cases, in a portable format, and to receive certain information about our collection and use of your personal information to you.
  • Right to Delete: You may have the right to request that we delete your personal information that we collected from you and retained.
  • Right to Correction: You may request that we correct any inaccurate personal information we maintain about you.

To exercise your rights, please submit a request by either:

Only you, or someone legally authorized to act on your behalf, may make a request to exercise a right related to your personal information. These rights are not absolute. For example, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

If you are not satisfied with how we process your Personal Information, you may address your request to our data protection officer at [email protected], who will investigate your concern. Please enclose a copy of or otherwise specifically reference the decision you want to appeal.

We will not discriminate against you for exercising your rights and choices, although some of the functionality and features available on the Website may change or no longer be available to you. Any difference in the services is related to the value provided.

Retention Period

We will retain your personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you and provide the Service to you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

International Data Transfers

Ultragenyx is a company based in the U.S., and your use of our Website and Service will involve the transfer, storage, and processing of your personal information in U.S. Ultragenyx only transfers your personal information to a third party or overseas when it is satisfied that adequate levels of protection are in place to protect the integrity and security of any information being processed, in compliance with applicable privacy and data protection laws.

For individual resident in the European Economic Area (“EEA”) and United Kingdom (“UK”) only: Some recipients of the information we collect are located outside of the EEA and UK, including in countries that may not provide the same level of data protection as in the country where you reside. Where it is subject to the EU GDPR or its UK equivalent, Ultragenyx shall take appropriate steps to ensure that such recipients are bound to duties of confidentiality and we implement measures such as Standard Contractual Clauses approved by the European Commission to ensure that any transferred personal information, remains protected and secure. A copy of these clauses can be obtained by contacting us at the address listed below in the “Contact information” section.

Use by Minors

We do not knowingly collect any personal information from minors, as defined by applicable law in your jurisdiction, without parental consent, unless permitted by law. If we learn that a minor has provided us with personal information, we will delete it in accordance with the applicable law. We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under the age of sixteen.

Visitors below the age of majority in your jurisdiction must obtain permission from their parent or guardian before registering on this Website, sending any personal information, participating in online discussions, or submitting content to this Website. Unless otherwise specified, you must be at least the age of majority in your jurisdiction to participate in any online promotion or contest. Ultragenyx may restrict the ability of any visitor to submit content or to access any part of the Website at Ultragenyx’ sole discretion.

Security

Ultragenyx will apply reasonable and appropriate technical, administrative, and physical safeguards designed to protect the information collected through its websites against loss, interference, misuse, unauthorized access, disclosure, alteration, or destruction. Ultragenyx also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate complete and current, and it seeks to ensure its service providers do the same. However, please be aware that there is always some risk involved when submitting data over the Internet. No such measure is ever 100% effective, we cannot guarantee the security of our database is 100% safe from illegal tampering or “hacking.” If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you have with us has been compromised), please immediately notify us in accordance with the “Contact Information” section below.

Links to Third Party Sites

As a convenience to our visitors, our sites currently contain links to a number of other (non-Ultragenyx) sites that we believe may offer useful information. Such links do not constitute an endorsement by Ultragenyx of those other websites, the content displayed therein, or the persons or entities associated therewith. This Privacy Policy does not apply to those sites. You should contact those sites directly for information on their privacy policies, confidentiality agreements, and data collection/distribution procedures.

Please note that linked non-Ultragenyx sites may also use cookies. Ultragenyx cannot control the use of cookies by these non-Ultragenyx sites. We also want you to know that when you link from this Website to another website, that site may have the ability to recognize that you have come from an Ultragenyx site. If you do not want any other websites to know that you have been on this Website, we recommend that you do not use the links provided in our site. If you have any questions about how third-party sites use cookies, you should contact such third parties directly.

Contact Information

If you have any questions or comments about this notice, the ways in which Ultragenyx collects and uses your information described here, your choices and rights regarding such use, or wish to exercise your rights under California or other laws, please do not hesitate to contact us at:

Phone: 1-888-756-8657

Webform: https://privacyrequest.ultragenyx.com

E-mail: [email protected]

Postal Address:

Ultragenyx Pharmaceutical Inc.
60 Leveroni Court,
Novato, CA 94949

Our data protection officer can also be contacted by email at [email protected] and by post at the same address above, addressed for the attention of the Data Protection Officer.

If you need to access this Policy in an alternative format due to having a disability, please contact [email protected] and 1-888-756-8657.

Modifications

We reserve the right to amend this privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Addendum for Individuals Resident in the EEA and UK

In the event the Website is subject to the EU GDPR or its UK equivalent, besides the rights described above, you may have additional rights. This includes a right to object to our processing of your data, a right not to be subject to automated decision-making having legal or equivalent effects, and a right to restrict our processing of personal information where certain conditions apply. If you would like to exercise or inquire about such rights, you may contact us as indicated in the “Contact Information” section. We will respond to your request consistent with applicable law.

In the table below, we have specified the legal bases we rely upon for specific data processing purposes. Please read this table in conjunction with the section “Collection & Processing of Personal Information” above, which provides additional information on the categories of personal information we collect and process. Where legitimate interests are relied upon, the legitimate interests are to fulfill the processing purpose(s) indicated in that column, or as otherwise specified below.

Processing Purpose(s)

Personal Information Categories

Legal Basis

To fulfill or meet the reason you provided the information (i.e., responding to inquiries, payment requests, ordering and delivery processing)

  • Contractual necessity (for example, when we process payment or address information for delivery purposes)
  • Our legitimate interests (for example, when we respond to an inquiry you have sent to us)

To provide, support, personalize, and develop our Website, products, and services.

  • Internet or other electronic network activity information
  • Contact Information
  • Identifiers
  • Commercial information
  • Geolocation data
  • Inferences

Our legitimate interests.

To create, maintain, customize, and secure your account with us.

  • Identifiers
  • Contact Information
  • Internet or other electronic network activity information
  • Inferences

Our legitimate interests.

To process your requests, purchases, transactions, and payments and prevent transactional fraud.

  • Contact and financial information
  • Identifiers
  • Internet or other electronic network activity information
  • Professional information
  • Inferences
  • Contractual necessity (for example, to process your financial information in relation to a sale of goods)
  • Our legitimate interests

To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.

  • Contact and financial information
  • Identifiers
  • Internet or other electronic network activity information
  • Professional information
  • Inferences

Our legitimate interests.

To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message.

  • Internet or other electronic network activity information
  • Identifiers
  • Contact Information
  • Inferences
  • Our legitimate interests to personalize your Website experience and to deliver content and product and service offerings relevant to your interests.
  • Consent where legally required to send you marketing materials.

To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.

  • Internet or other electronic network activity information
  • Identifiers
  • Inferences
  • Professional information
  • Contact Information

Our legitimate interests.

For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.

  • Internet or other electronic network activity information
  • Identifiers
  • Inferences
  • Professional information
  • Contact Information

Our legitimate interests.

To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

Any information required in a valid request or legally binding order from law enforcement, a court, or other governmental authority.

  • Compliance with a legal obligation.
  • Legitimate interests.

As described to you when collecting your personal information or as otherwise set forth in the applicable laws.

Any of the categories of personal information described above.

As applicable:

  • Our legitimate interests.
  • Contractual necessity.
  • Compliance with a legal obligation.
  • Consent.

To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users/consumers is among the assets transferred.

Any of the categories of personal information described above.

  • Our legitimate interests.
  • Compliance with a legal obligation (for example, in the event of a bankruptcy or similar proceeding).

Otherwise accomplishing our business purposes and objectives.

Any of the categories of personal information described above.

As applicable: 

  • Our legitimate interests.
  • Contractual necessity.
  • Compliance with a legal obligation.
  • Consent.

Where we rely on consent as our legal basis for processing your personal information, you may withdraw your consent at any time.

You also have the right to lodge a complaint with your data protection authority.

Supplemental Notice to California Residents

This section supplements the description of our information collection and sharing practices elsewhere in this Privacy Policy to provide additional disclosures to California residents whose personal information Ultragenyx processes pursuant to the California Consumer Privacy Act (“CCPA”). Please note that these disclosures do not apply to information that is not processed under the CCPA.

For information about the categories of personal information we may collect, including in the preceding 12 months, and the sources from which personal information is collected, please see our “Collection & Processing of Personal Information” section above.

For information about the purposes for which we collect personal information, please see our “Use of Personal Information” section above. We may use all the categories of personal information we collect for these purposes, although this may vary based on the nature of the relationship you have with us. You may also learn about our retention practices in our “Retention Period” section above.

For information about the third parties to which we have disclosed personal information, including in the preceding 12 months, please see our “Categories of Personal Information We Disclose to Vendors & Third Parties” section above. We may disclose all the categories of personal information we collect with these third parties, although this may vary based on the nature of the relationship you have with us.

For more information about the rights you have and how to exercise these rights, please see the “Data Subject Rights” section above.

Only you, or someone legally authorized to act on your behalf, may make a request to exercise a right related to your personal information. If you want to make a request as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide us with proof that you have been authorized by the California resident on whose behalf you are making the request, which may include signed permission provided by such California resident.

Nevada and Washington Consumer Health Data Privacy Policy

Some of the categories of information we collect, use, and share pursuant to this Privacy Policy may be considered “consumer health data.” Please review the sections above for information about these categories of personal information, the sources from which we collect personal information, and the categories of third parties and affiliates with which we disclose personal information.

Consistent with applicable law, Nevada and Washington residents may have the following rights described above under the “Data Subject Rights” section with respect to their consumer health data. In addition, they may have the following additional rights:

  • Right to Withdraw Consent From Sharing of Consumer Health Data: Consistent with applicable law, you may have the right to withdraw consent from certain activities involving our collection and sharing of you consumer health data. Withdrawing consent does not affect the lawfulness of processing based on consent before it is withdrawn.
  • Right to Cease Collection and Sharing of Consumer Health Data: Consistent with applicable law, you may have the right to instruct us to cease certain activities that involve the collection and sharing of your consumer health data.

To exercise any right you may have, please submit a request as outlined in the “Data Subject Rights” section above.

Subject to applicable law, you may appeal our decision on your data subject requests. Please contact us at [email protected]. Please enclose a copy of or otherwise specifically reference the decision you want to appeal.