Privacy Policy | OrbiMed

Effective January 1, 2020

This Privacy Policy is provided by OrbiMed Advisors LLC (collectively with its affiliates¹and the funds and accounts sponsored or managed by them, “OrbiMed,” “we,” “us,” or “our”). It is intended to describe the personal data² or personal information³(collectively, “Personal Information”) we collect, how we use and share it, and rights you may have regarding this information⁴. This Policy applies to individuals only and may be changed at any time without notice. By accessing the website and our services, you agree to our collection and use of Personal Information as described in this Policy and to our Terms of Use.

1. Types of Personal Information We Collect

The following list describes the general categories of Personal Information we have collected or otherwise received in the past 12 months along with examples of some of the types of information within these categories that may qualify as Personal Information and which we may have collected or otherwise received. It also describes the categories of such information we may continue to collect and our uses of it. The examples are not intended to be comprehensive, and there may be overlap between categories.

Contact information and other identifiers, such as name, signature, postal address, email address, phone number, fax number, account name, Social Security number, tax identification number, photographs, copies of identification documents (e.g., passport, driver’s license), and other similar identifiers

Unique device and online identifiers, such as IP address, device IDs, browsing history, and other similar identifiers

Demographic and association-related information, such as age and date of birth, place of birth, residency information, sex, information on other characteristics of protected classes individuals may provide us, information required for background checks on job applicants once an offer of employment has been extended, family member information, authorized signatories, and information on parties associated with an account⁵

Commercial and financial information, such as records of property, products, or services purchased, obtained, or considered; other investing or consuming histories or tendencies; information on investments, assets, expenses, accounts, net worth, tax information, holdings, account balances, transaction history, utility bills, bank statements, credit history, and trust and estate planning documents

Internet or other electronic activity information, such as information regarding an individual’s interaction with a website or application, and calls and emails sent and received

Geolocational information that may be collected on OrbiMed contractors and vendors as they use OrbiMed systems

Audio, electronic, visual, thermal, or olfactory information, such as photographs, video footage, and voicemail

Educational and professional background information, such as degrees or certifications sought and obtained, other qualifications, references, resumes, information on positions held, work performance and work product, and military service history

We may also receive other Personal Information that you or others provide us or store on our systems, such as in communicating or otherwise interacting with us, providing a reference, or attending an event with us.

2. Sources of Personal Information

In the ordinary course, we collect or otherwise receive the categories of Personal Information above from a variety of sources, including from you directly or from someone who knows you or through automatic collection on our websites. In particular, we may obtain Personal Information: from an individual data subject or a relation of the data subject, such as from personal or business contacts of clients and investors (e.g., financial institutions, advisors, consultants, and other intermediaries or representatives) or other data subjects (e.g., recruiters or references for job applicants); other business contacts of OrbiMed personnel (e.g., financial institutions, service providers, consultants or advisors); research and subscription services; publicly-available sources; governmental agencies, supervisory authorities, and tax authorities; background check companies, credit agencies, or fraud prevention and detection agencies; automated collection on our websites (including through cookies), applications, devices, systems, and networks; or from business and other records legally available to us.

3. Uses of Personal Information

With respect to each of the categories of Personal Information above, we may collect and use the information for the following purposes:

Administering the relationship between and serving investors and clients
Business operations, including but not limited to: securing credit or financing; managing administrative and operational matters; administering our service provider, contractor, and vendor relationships and services; auditing; conducting research and analysis; designing and improving operations, products, and services; and managing risk
Marketing our products and services
Complying with applicable legal or regulatory requirements and OrbiMed policies and contracts, responding to valid legal requests, assessing and investigating compliance, and other legitimate business and commercial purposes
Monitoring, managing, and securing resources, property, and personnel
Enforcing or defending our rights
Recruiting, hiring, performance and talent management
Sharing with third parties that may in the future acquire or be interested in acquiring all or part of our assets or interests in our business, or that may succeed us in carrying on our business or to which our business is transferred
As described to you when collecting the information

We rely upon grounds permitted under applicable law to process your Personal Information. Such grounds include instances where you have given your consent and cases where your consent is not required under applicable law, such as: where we are required to comply with a legal obligation; where necessary for the performance of a contract entered into with you; or where we (or a third party) determine that it is necessary for our legitimate interests, i.e., in operating and managing our business, including, in addition to the purposes noted above, for other legal, personnel, administrative, and management purposes; the prevention and detection of crime; and any other purpose where we or a third party have determined that you have a reasonable expectation that we or a third party would collect or use your Personal Information for such purpose. If you are an individual in the European Economic Area (the “EEA”) / United Kingdom (the “UK”), you have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfil such requests.

4. Consequences of Failing To Provide Personal Information

As a regulated financial services firm, we are subject to legal and regulatory obligations that may require us to collect and store your Personal Information, such as the requirements to comply with the applicable law on the prevention of financial crime, tax and regulatory reporting, or the rules on recording and monitoring of communications (as described below). We may also need to collect and use your Personal Information for the purposes of entering into or performance of a contractual arrangement.

There may be various consequences to refusing to provide us with your Personal Information, depending on the purpose for which the information is required. For instance, we may not be able to communicate with you, we may need to terminate any service or other contractual arrangement between us, or—where we have a reasonable suspicion of illegal activity—we may be required to make a report to regulatory or enforcement agencies.

5. Sharing Personal Information

We have disclosed for a business purpose in the last 12 months, and may continue to disclose for a business purpose, each of the categories of Personal Information in Section 1 above.

We may share Personal Information with the following types of third parties:

Our affiliates or other entities that are part of our group or with our clients
Third parties (including regulators and courts) to comply with legal or regulatory obligations or in response to valid legal requests, including to the extent required by law, regulation, subpoena or court order or otherwise in connection with a judicial, administrative or governmental proceeding or as requested by any governmental agency or regulatory authority; to detect and protect against fraud or any technical or security vulnerabilities; or to respond to an emergency or otherwise to protect the rights, property, safety, or security of our business, third parties, or the public
Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, telecommunications and information technology (“IT”) providers, human resources-related service providers, advisors (including but not limited to tax and legal and compliance advisors), accountants, vendors, and consultants
Business partners and contacts
Any person, as directed by you
Any person to whom we may in the future transfer any of our rights or obligations under any agreement, or in connection with a sale, merger or consolidation of our business or other transfer of our assets, whether voluntarily or by operation of law, or who is otherwise deemed to be our successor or transferee

6. Cookies and Analytics

We may use cookies or similar technologies to capture information about the use of our websites. Accordingly, we may send text files (e.g., “cookies” or other cached files) or images to your web browser to store information on your computer. Such text files and images are used for technical convenience to store information on your computer. For instance, we may use a session cookie to store form information that you have entered so that you do not have to enter such information again. We may use information stored in such text files and images to customize your experience on and monitor use of our websites. You may be able to set your browser to notify you when you receive a cookie. Many web browsers also allow you to block cookies. If you block cookies you may not be able to access certain parts of our websites. You can find information about clearing or blocking cookies at https://www.allaboutcookies.org/.

In particular, we use Google Analytics to evaluate the use of our websites. To get more information about the Personal Information Google collects through this service, and to utilize Google’s opt-out browser add-on, as may be amended from time to time, please refer to Google’s webpages at: https://policies.google.com/privacy, https://policies.google.com/technologies/partner-sites, and https://tools.google.com/dlpage/gaoptout/.

7. International Data Transfers

We may process your Personal Information in the United States, the EEA / UK, and other countries outside the jurisdiction where it was collected that may not offer the same level of data protection as that afforded by the jurisdiction in which you are present. We will process Personal Information (or procure that it be processed) in accordance with the requirements of applicable law, which may include having appropriate contractual undertakings in legal agreements with service providers who process Personal Information on our behalf. Further information in relation to the transfer of Personal Information (including, to countries outside of the EEA / UK) is available on request using the contact details set out below.

8. Retention of Personal Information

We will generally keep Personal Information about you for as long as necessary in relation to the purpose for which it was collected, or for such longer period if required under applicable law or necessary for the purposes of our other legitimate interests.

The applicable retention period will depend on various factors, such as any legal obligation to which we or our service providers are subject, as well as on whether you decide to exercise your right to request the deletion of your Information from our systems. At a minimum, Personal Information about you will generally be retained for the entire duration of any business relationship we may have with you, and generally for a minimum period of five years after the end of the year in which any such relationship is terminated.

We will, from time to time, review the purpose for which we have collected Personal Information about you and decide whether to retain it, update it, or securely delete it, if the Personal Information is no longer required.

9. Minors

Our websites are not directed to persons under age 18 and we do not sell the Personal Information of such individuals.

10. Security Measures

We aim to protect Personal Information by implementing and maintaining reasonable security, such as by using reasonable organizational, technological, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We take measures, which are at least as strict as the law requires, to safeguard your Personal Information, but we cannot guarantee its absolute security. Please use caution any time you provide information over the internet.

11. Do Not Track Signals

At this time, our websites do not respond to browsers and do not track signals.

12. Rights Regarding Personal Information

A. Data Rights in Certain Jurisdictions

Persons in certain jurisdictions (e.g., the EEA / UK) have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise. These include:

To request access to your Personal Information
To request rectification of inaccurate or incomplete Personal Information
To request erasure of your Personal Information (a “right to be forgotten”)
To restrict the processing of your Personal Information in certain circumstances
To object to our use of your Personal Information, such as where we have considered such use to be necessary for our legitimate interests and/or in the case of direct marketing activities
Where relevant, to request the portability of your Personal Information to a third party
Where you have given consent to the processing of your Personal Information, to withdraw your consent
To lodge a complaint with the competent supervisory authority

B. California Residents’ Rights

If you are a California resident whose information is covered by the California Consumer Privacy Act (the “CCPA”), you may have the rights described in this Section 12.B of our Privacy Policy, including the right to request access to and deletion of personal information we maintain about you.

Please note that these rights under the CCPA do not apply to information about OrbiMed investors that is covered by the U.S. Gramm-Leach-Bliley Act and implementing regulations, and the California Financial Information Privacy Act, laws which generally apply to nonpublic personal information about individuals who obtain financial products or services from us primarily for personal, family, or household purposes. At this time, the CCPA also includes exemptions from certain of its provisions for information about our personnel (including employees, directors, officers, and contractors) and job applicants, as well as certain information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Much of the personal information OrbiMed maintains is subject to these exemptions.

For purposes of this section of our Policy, “personal information” is limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.

Right to request disclosure of personal information we collect and share about you

If you are a California resident whose personal information is covered by the CCPA, you may submit a request to us for the following information:

The categories of personal information we have collected about you
The categories of sources from which we collected the personal information
The business or commercial purposes for which we collected or sold the personal information
The categories of third parties with which we shared the personal information
The specific pieces of personal information we collected

You can also submit a request to us for the following information:

The categories of personal information (if any) that we have sold about you, the categories of third parties to which we sold that information, and the category or categories of personal information sold to each third party
The categories of personal information that we disclosed about you for a business purpose

Our responses to such requests will cover the 12-month period preceding our receipt of the request.

Right to request the deletion of personal information we have collected from you

You may also submit a request that we delete personal information about you. If you make such a request, after verifying the request, we will delete the personal information, except for situations where specific information is necessary for us to: provide you with a good or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. We may also retain information where another exception to the deletion requirements in Cal. Civ. Code § 1798.105(d) applies. For instance, the law permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.

Sales of personal information

We do not and will not sell your personal information to third parties. Likewise, we have not sold your personal information in the last 12 months.

How to exercise your California rights

To exercise your right to request the disclosure of your personal information that we collect or share, or to ask us to delete your information, either click here or contact us at (866) 210-8234. Depending on the nature of your request, we may ask you for information to verify your request and identity and a declaration attesting to your identity, signed under penalty of perjury. We will respond to requests for access or deletion as soon as practicable and, in any event, generally not more than within 45 days after receipt of your request. We may extend this period to 90 days in some cases. Please note that you may designate an agent to submit requests on your behalf. Requests can be submitted on behalf of yourself individually or on behalf of your household, provided that we can verify that the request comes from each member of your household.

Non-discrimination

We are committed to complying with the law. If you exercise any of the rights explained in this Policy, we will continue to treat you fairly.

13. Third-Party Links

Our websites may contain links to websites operated by third parties over which we have no control. Should you click on a link to a third-party website, the privacy policy of that website will apply instead of our Privacy Policy. We are not responsible for the content or security of third-party websites.

14. Changes to this Privacy Policy

We reserve the right to amend, alter, or otherwise change this Privacy Policy at our sole and absolute discretion. If we make material changes to the Privacy Policy, we will post notice in this Policy. Use of the website following any such notification constitutes your agreement to follow and to be bound by the amended Privacy Policy.

15. How To Contact Us

If you have any questions or comments about this Privacy Policy, please feel free to contact us at (212) 739-6400 or by e-mail to ;PrivacyPolicy@OrbiMed.com to the attention of our compliance officer. If you would like to assert your privacy rights, you may also call us toll free at (866) 210-8234 or submit a request by clicking here .

Endnotes

¹As used herein, "affiliate" means an entity that controls, is controlled by, or is under common control with another entity.

²"Personal data" is information covered by the EU General Data Protection Regulation (the “GDPR”) in circumstances where the GDPR applies.

³This term refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.

⁴This Policy is not intended to cover information that we collect, other than through this website, about our employees.

⁵Please note that we do not seek to collect information on characteristics of protected classifications from job applicants.