PhaseBio Privacy Policy

Introduction

PhaseBio Pharmaceuticals, Inc. (“PhaseBio,” “we,” “our” and “us”) recognizes the importance of information privacy and wants you to be familiar with how we collect, use and disclose personal information. This Privacy Policy (this “Policy”) applies to personal information we may collect about you or that you may provide when you visit phasebio.com and any other website that we own or control and which posts or links to this Policy (collectively, our “Websites“), or that we may collect by other means, such as by email or in person at a conference, or otherwise in connection with our business operations (collectively, our “Services”). This Policy discusses our general practices for collecting, using, maintaining, protecting, and disclosing that information, and the rights and choices available to individuals whose information we maintain.

PhaseBio may provide additional privacy notices to individuals at the time we collect their data. For example, this Policy does not apply to information that clinical trial participants provide to us through participation in a clinical trial that is conducted according to applicable informed consent forms and clinical trial protocols. This type of an “in-time” notice will govern how we may process the information you provide at that time.

Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it.

We provide important information specific to individuals located in the European Union, the European Economic Area, and the United Kingdom (collectively, “Europe”) below. Where we refer to “personal information” or “personally identifiable information” (“PII”) in this Policy, this includes “personal data” as that term is defined in the EU General Data Protection Regulation and implementing legislation (collectively, “GDPR”). The GDPR definition of personal data can be found here.

Table of Contents

• in Europe

Information We Collect About You

We may collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists, users of our Websites, and other individuals who interact with PhaseBio or our service providers or business partners. We may collect PII through your use of the Services including in connection with managing clinical trials, conducting research, managing expanded access (compassionate use) programs (if applicable), and tracking adverse event reports. PII that we may collect may include the following:

• Personal and business contact information (such as name, email address, telephone number, country of residence, job title, employer name, emergency contact information, photograph and digital signature).
• Biographical and demographic information (such as date of birth, gender, race, ethnicity, marital status, and information regarding any parents or legal guardians).
• Professional credentials, educational history, professional history, and institutional affiliations.
• Payment-related information for professional services such as consulting that individuals may provide to us (such as tax identification number and financial account information).
• Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions including medications, and family medical history).
• Usage information such as information about your internet protocol (“IP”) address, browser type, internet service provider, referring/exit pages, platform type, date/time stamp, and number of clicks.
• If you are a health care professional, information about the programs and activities in which you participate and the agreements you have executed with us.
• Commentary regarding your experience with our products or Services.
• Other information you provide to us (such as through emails, on phone calls, or in other correspondence with us or our service providers or business partners).

If you submit any PII relating to other people to us in connection with our Websites, you represent that you have the authority to do so and to permit us to use the information in accordance with this Policy.

How We May Collect Your Information

We may collect information in several ways, including:

• Directly from you: If you contact us, we may collect information through records and copies of your correspondence with us. We may also collect information about you when you respond to our questions via e-mail or feedback forms.
• Through the Websites: Like most standard websites, our Websites use log files, cookies, and internet tags to collect information about your computer and internet connection.
• From third parties: Information that we receive from our business partners and other third parties. For example, we may obtain PII through hospitals, clinics, medical professionals, healthcare providers, clinical research organizations, and clinical trial investigators.

• From industry, government agencies, or public records: Information that we receive from publicly available sources, including adverse event information or product quality complaints.

When we obtain PII through medical professionals or third-party contacts, the medical professional or third-party contact supplying such information may be responsible for the management of notice and consent, where required.

We may also use cookies and server log files to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). This information may be used to analyze trends, administer the site, track your movement in the aggregate, and gather broad demographic information for aggregate use. Note that your browser settings may allow you to send a “Do Not Track” signal to websites you visit. Currently, there is no consensus as to what “Do Not Track” means in this context. We do not currently respond to web browser “Do Not Track” signals. To find out more about “Do Not Track” signals, visit http://www.allaboutdnt.com.

The information we collect automatically is statistical data and may, depending on applicable law, include PII, and we may maintain it or associate it with PII we collect in other ways or receive from third parties. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Websites, pages you viewed, how long you spent on a page, access times, and information about your use of and actions on our Websites. It helps us to improve our Websites by enabling us to speed up your searches, recognize you when you return to our Websites and store information about your preferences.

For more details concerning our automatic collection of your information, see our Cookie Policy.

How We May Use Your Information

To the extent permitted by applicable law, we may use information that we collect:

• To operate, maintain, and administer the Websites (for example, to improve the Websites; personalize your experience with the Websites; to respond to your comments, questions, and service-related requests; and provide support and maintenance for the Websites).
• To operate, maintain, and administer clinical trials, research and product-development activities (for example, to provide and improve the Services; to track and respond to safety and product quality concerns; to provide information about our products and services; to communicate with you about the Services, to attribute authorship to academic and promotional materials; to support public health initiatives, symposia, conferences, as well as scientific, educational, and volunteer events; to facilitate medication adherence programs; to define and manage appropriate patient engagement activities and support programs; and to staff and manage clinical trials).
• To operate the Services, including to manage access to our products (such as, where access is limited by law to licensed physicians) and pay for services that physicians, researchers, or others may provide to us.
• To contact you through email correspondence, including to send you marketing communications and information about promotions or events.
• For research and development to analyze and improve the Services and to develop new products and services.
• To carry out obligations and enforce our rights arising from any contract or other legal obligation.
• To comply with the law and legal process, such as to respond to subpoenas or requests from public and government authorities.
• To comply with regulatory monitoring and reporting obligations such as those related to adverse events, product complaints, patient safety and financial disclosures.
• For compliance, fraud prevention and safety; to protect our operations or those of any of our affiliates; to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and to allow us to pursue available remedies or limit the damages that we sustain; to protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
• To create anonymous, aggregated or de-identified data by removing or not utilizing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Services, the Websites, and promote our business.
• With your consent, where we specifically ask for your consent to collect, use or share your personal information.

How We May Disclose Your Information

To the extent permitted by applicable law, your PII may be disclosed:

• To our corporate affiliates for the purposes described in this Policy.
• To contractors, service providers, and other third parties such as information technology, payment processors, event planning, product recall administration, payment/shipping/fulfillment providers, and travel organizations who we use to support our business such as product and Service support and development, website support, data storage, data analysis, IT services, customer service and other business operations. These third parties may use your information only as we direct and in a manner consistent with this Policy. These third parties are prohibited from using or disclosing your information for any other purpose.
• To clinical research organizations, healthcare organizations or healthcare providers, researchers, institutions, and publishers, in connection with operating our Services.
• To business partners and other professional organizations with whom we jointly develop products or services, in connection with the development and promotion of such products and services. Where required by applicable law, we will ask for your consent before disclosing your information.
• To professional advisors such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
• To any third party in the event of or contemplation of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of any or all portion of our business, assets or stock, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding or in the course of any potential such corporate organizational change.
• To government agencies, law enforcement or others (including private parties) in order to comply with any court order, law, or legal process, including to respond to any government or regulatory request.
• To enforce the terms of any agreements that we may have with you.
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of us, you or others.
• With your consent.
• For any other purpose disclosed by us when you provide the information.

We will not disclose any PII to any unaffiliated third party for direct marketing purposes without your consent.

Third-Party Collection, Use, and Disclosure of Your Information

Our Websites contain links to various third-party websites, such as news stories or press releases or the “Investors” portion of our website. These third-party websites may collect PII and other related information. This Policy does not address, and we are not responsible for, the privacy, information or other practices of any third party, including any third party operating any site to which our Websites contain a link. The inclusion of a link on our Websites does not imply endorsement of the linked site by us or any of our affiliates.

Additionally, some content or applications on our Websites may be served by third parties. These third parties may use cookies or other tracking technologies to collect information about you when you use our Website. The information they collect may be associated with your PII or they may collect information, including PII, about your online activities over time and across different websites and other online services.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions, you should contact the responsible provider directly.

Your Choices

We strive to provide you with choices regarding our use and disclosure of PII. Where we are required by applicable law to collect your personal information, or where we need your personal information in order to provide you with our Services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our Services and may need to terminate our relationship with you. We will tell you what information you must provide to us by designating it as required when we request the information or through other appropriate means. Individuals who are located within Europe can find additional information about their rights below.

We have created mechanisms to provide you with the following control over certain of your information:

• You can set your browser to refuse all or some browser cookies or to alert you when cookies are being sent. However, if you select this setting you may be unable to access certain areas of our Websites. For more information, please see our Cookies Policy.
• If at any time you wish to stop receiving communication from us, please just let us know by contacting us in the manner listed below (see Contact Information) or by clicking the “Unsubscribe” link at the bottom of a marketing communication. You may continue to receive Service-related and other non-marketing emails.

You may request to review, correct, or update your PII by contacting us using the contact information listed below (see Contact Information).

Security

When we collect PII via our Services, information is protected both online and offline. Prevention of unauthorized access or disclosure of data is important to us. Physical, administrative and technical procedures are employed to safeguard all collected information.

Access to PII and other data by our employees is limited, to the extent possible, to those persons or agents of our company that have a specific business purpose for maintaining and processing such information. These individuals are made aware of their responsibilities to protect the security of that information and also uphold the principles of confidentiality and integrity.

Unfortunately, vulnerabilities arise in the realm of technology every day. Although we strive to protect your information, circumstances may compromise that goal. As with any website, please be conscious of your data (including PII) since no security measures are 100% effective.

Changes to Our Privacy Policy

We reserve the right to modify this Policy at any time. If we decide to change this Policy, we will post any changes we make on this page with a notice that this Policy has been updated on the home page of each of our Websites. If we make material changes to this Policy, if required by applicable law, we will attempt to notify you via email (if we have your email address) or another manner that we believe reasonably likely to reach you (which may include posting a new privacy policy on our Websites or a specific announcement on our Websites). Any changes to this Policy will become effective when we post the revised Policy on our Websites. The effective date for this Policy is identified at the top of this page. You are responsible for periodically visiting our Websites and this Policy to check for any changes. In all cases, your continued use of the Websites and Services after the posting of any modified Policy indicates your acceptance of the modified Policy.

Children Under the Age of 16

Our Websites are not intended for children under 16 years of age and we do not knowingly collect PII from children under 16 on our Websites. In the event that we learn that we have collected PII from a child under age 16 through our Websites, we will endeavor to delete that PII as soon as reasonably practicable.

Contact Information

If you have any questions, comments or concerns about this Policy, please contact us by clicking on the “Contact” tab of our Websites, send an email to privacy@phasebio.com or write to us via postal mail at:

PhaseBio Pharmaceuticals, Inc.
Attn: Legal – Privacy
One Great Valley Parkway, Suite 30,
Malvern, PA 19355, USA

Notice to Users in Europe

The information provided in this “Notice to Users in Europe” section applies only to individuals in Europe.

Controller. PhaseBio Pharmaceuticals, Inc. is the controller of your PII covered by this Policy for purposes of the GDPR.

EU representative. As PhaseBio does not have an establishment in Europe, we have appointed a representative based in Spain, who you may address to raise any issues or queries you may have relating to our processing of your PII and/or this Policy more generally.

Our EU representative is: Kaleidoscope Data Privacy Consultants SL. Our EU representative can be contacted directly by email at eea.phasebio@kdpc.es, by mail to Kaleidoscope Data Privacy Consultants SL, Calle Balmes 173, 4-2, Barcelona 08006, Spain or by telephone on + 34 938 004 868. Please note that while, calls will be answered in English, it will be possible to put you on hold while we reach an interpreter for your chosen language. You may be charged your normal international rates.

Legal bases for processing. We use your personal information only as permitted by applicable law. Our legal bases for processing the personal information described in this Policy are identified in the table below.

Processing purpose	Legal basis
To operate, maintain, and administer the Websites	Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services. If we have not entered into a contract with you, we process your PII based on our legitimate interest in providing the Services you access and request.
To operate, maintain, and administer clinical trials, research, and product-development activities	Where we have a contract governing this processing purpose, the processing is necessary to perform that contract or to take steps that you have requested prior to entering into the contract. In other cases, these processing activities are necessary for scientific research. In all other cases, these processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your PII for our legitimate interests. We do not use your PII for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
·   For research and development ·   To contact you through email correspondence for marketing purposes ·   For compliance, fraud prevention and safety ·   To create anonymous, aggregated or de-identified data	These activities constitute our legitimate interests. We do not use your PII for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To comply with law	Processing is necessary to comply with our legal obligations.
With your consent	Processing is based on your consent. Where we rely on your consent, you have the right to withdraw it any time in the manner indicated when you consent.

Use for new purposes. We may use your PII for reasons not described in this Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your PII for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention Period

We may retain your PII for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or allowed by law or to otherwise fulfill a legal obligation.

Your rights

The GDPR gives you certain rights regarding your PII. If you are located within Europe, you may ask us to take the following actions in relation to your PII that we hold:

• Provide you with information about our processing of your PII and give you access to your PII.
• Update or correct inaccuracies in your PII.
• Delete your PII.
• Transfer a machine-readable copy of your PII to you or a third party of your choice.
• Restrict the processing of your PII.
• Object to our reliance on our legitimate interests as the basis of our processing of your PII that impacts your rights.

You may submit these requests by email to eea.phasebio@kdpc.es or otherwise to the contact details for us or our EU representative provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your PII or our response to your requests regarding your PII, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

International Data Transfer

PhaseBio is headquartered in the United States and has partners and service providers in the United States and in other countries. Whenever we transfer your PII to third parties outside Europe, we take steps to ensure that a similar degree of protection is afforded to it (as would be afforded to PII in Europe). This may, for example, include ensuring that one of the following safeguards is implemented:

• We may transfer your PII to countries that have been deemed to provide an adequate level of protection for PII by the European Commission. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
• Where we use service providers outside Europe, we may use specific contracts approved by the European Commission, which give PII the same degree of protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of Personal Data to third countries.
• Where we use service providers based in the U.S., we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to PII shared between Europe and the U.S. For further details, see European Commission: EU-U.S. Privacy Shield.

Cookie Policy

This Cookie Policy explains how PhaseBio Pharmaceuticals, Inc. (“PhaseBio”, “we”, “us” or “our”) uses cookies and similar technologies in connection with the phasebio.com website and any other website that we own or control and which posts or links to this Cookie Policy (collectively, the “Sites”).

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies serve different purposes, like helping us understand how a site is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience.

Our Sites may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which we use to recognize your computer or mobile device when it revisits our Sites; and (2) third party cookies, which are served by service providers or business partners on our Sites, and can be used by these parties to recognize your computer or mobile device when it visits other websites. Third party cookies can be used for a variety of purposes, including site analytics, advertising and social media features.

What types of cookies and similar tracking technologies does PhaseBio use on the Sites?

On the Sites, we use cookies and other tracking technologies in the following categories described in the table below.

Type	Description	Who serves the cookies	How to control them
Analytics	These cookies help us understand how our Services is performing and being used. These cookies may work with web beacons included in emails we send to track which emails are opened and which links are clicked by recipients.	Google Analytics	See ‘your choices’ below. Google Analytics uses its own cookies. You can find out more information about Google Analytics cookies here and about how Google protects your data here. You can prevent the use of Google Analytics relating to your use of our Sites by downloading and installing a browser plugin available here.
Essential	These cookies are necessary to allow the technical operation of our Services (e.g., they enable you to move around on a website and to use its features).	Google Tag Manager WordPress	See ‘your choices’ below.

Other technologies

In addition to cookies, our Sites may use other technologies, such as Flash technology and pixel tags to collect information automatically.

Browser Web Storage

We may use browser web storage (including via HTML5), also known as locally stored objects (“LSOs”), for similar purposes as cookies. Browser web storage enables the storage of a larger amount of data than cookies. Your web browser may provide functionality to clear your browser web storage.

Flash Technology

We may use Flash cookies (which are also known as Flash Local Shared Object (“Flash LSOs”)) on our Sites to collect and store information about your use of our Sites. Unlike other cookies, Flash cookies cannot be removed or rejected via your browser settings. If you do not want Flash LSOs stored on your computer or mobile device, you can adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel. You can also control Flash LSOs by going to the Global Storage Settings Panel and following the instructions. Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications, including, potentially, Flash applications used in connection with our Sites.

Web Beacons

We may also use web beacons (which are also known as pixel tags and clear GIFs) on our Sites and in our HTML formatted emails to track the actions of users on our Sites and interactions with our emails. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on webpages or within HTML formatted emails. Pixel tags are used to demonstrate that a webpage was accessed or that certain content was viewed, typically to measure the success of our marketing campaigns or engagement with our emails and to compile statistics about usage of the Sites, so that we can manage our content more effectively.

Your choices

Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Sites may not work properly.

For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org. If you do not accept our cookies, you may experience some inconvenience in your use of our Sites. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit our Sites.

Users may opt out of receiving targeted advertising on websites through members of the Network Advertising Initiative by clicking here or the Digital Advertising Alliance by clicking here. Users located in Europe may opt out of receiving targeted advertising on websites through members of the European Interactive Digital Advertising Alliance by clicking here, selecting the user’s country, and then clicking “Choices” (or similarly-titled link). Please note that we also may work with companies that offer their own opt-out mechanisms and may not participate in the opt-out mechanisms that we linked above.

If you choose to opt-out of targeted advertisements, you will still see advertisements online but they may not be relevant to you. Even if you do choose to opt out, not all companies that serve online behavioral advertising are included in this list, and so you may still receive some cookies and tailored advertisements from companies that are not listed.

For more information about how we collect, use and share your information, see our Privacy Policy.

Changes

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes.

Questions

If you have any questions about this Cookie Policy, please contact us by email at privacy@phasebio.com.

Last modified April 3, 2020.