Last updated on: June 19, 2024
1. Introduction and Scope
RayzeBio, Inc. (“RayzeBio”, “we”, “us”, “our”) sponsors ethically approved clinical trials. We take the protection of Personal Data (“Personal Data”) very seriously. Please read this privacy notice (the “Notice”) to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as:
- the European Union General Data Protection Regulation (“GDPR”);
- the Korean Personal Information Protection Act 2011 (“PIPA”);
- the Canadian Personal Information Protection and Electronic Documents Act 2000 (“PIPEDA”);
- the Brazilian General Personal Data Protection Law (“LGPD”);
- the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); and
- U.S. State laws, such as the California Consumer Privacy Act of 2018 (“CCPA”) for California residents; the Colorado Privacy Act (“CPA”) for Colorado residents; the Virginia Consumer Data Protection Act (“VCDPA”) for Virginia residents; the Utah Consumer Privacy Act (“UCPA”) for Utah residents; and the Connecticut Data Privacy Act (“CTDPA”) for Connecticut residents. Collectively, these laws and their associated regulations, if any, are referred to as “U.S. State Privacy Laws.”
This Notice describes how we collect, use, disclose, and otherwise process Personal Data of individuals (“data subjects,” “you,” “your”) in connection with conducting clinical trials, early human imaging studies, and compassionate use or expanded access programs (“Trial” or “Trials”).
We may provide additional and more specific privacy notices to you at the time we collect your data. For example, we may provide specific terms, privacy notices, and consent forms to you at the time we collect your Personal Data in connection with our Trials. Such notices will govern how we process your Personal Data in that context.
Please also see our Terms of Use here.
2. Our Role With Respect to Your Personal Data
Within the scope of this Notice, RayzeBio generally acts as a data controller or “business” for the Personal Data we process. This means that we decide how and why Personal Data is collected and further processed.
In some jurisdictions, for purposes of our Trials, we may be considered a “joint controller” with another organization, such as the study site (i.e., the hospital, clinic, or other healthcare facility) where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with RayzeBio, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you participated in.
3. Lawful Bases for Processing
We must have a valid reason to use your Personal Data. This is called the “lawful basis for processing.”
We may process your Personal Data on the basis of:
- Consent. We may ask for your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history. Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
- Contract. We may process your Personal Data to fulfill a contract we have with you. Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligations towards you.
- Compliance with legal obligations. In some situations, we may need to process your Personal Data in order to comply with applicable laws or regulations, such as the laws regulating the safety and reliability of our Trials.
- Our legitimate interests. In some cases, we process your Personal Data based on our legitimate interests in conducting our Trials. Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests.
- Public Interest. In some cases, we may process your Personal Data for reasons of public interest in the area of public health, namely ensuring high standards of quality and safety of the medicinal products we are developing. In such cases, the processing of your Personal Data will be conducted on the basis of applicable jurisdictional laws that provide for specific measures to safeguard your rights and freedoms.
- Scientific research. In some situations, we may process your Personal Data in order to conduct scientific research. In these situations, the processing of your Personal Data will be conducted in accordance with applicable jurisdictional laws, including European Union or Member State law, and shall: (1) be proportionate to the aim pursued; (2) respect the essence of the right to data protection; and (3) provide for suitable and specific measures to safeguard your fundamental rights and interests.
If you are a Trial participant, since we process special categories of Personal Data, such as your health status and medical history, the EU General Data Protection Regulation (“GDPR”) requires that we must have an additional ground to process this type of information. RayzeBio may process your special categories of Personal Data on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. If you are a participant in a Trial, please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.
4. Categories of Data Subjects
Within the scope of this Privacy Notice, we process Personal Data about the following types of individuals:
- Trial participants, which includes patients receiving medication through our compassionate-use, early access, or expanded access program; and
- healthcare professionals and staff supporting our Trials, including but not limited to Trial investigators, physicians, pharmacists, and academic researchers (referred to as “healthcare providers”).
5. What Personal Data We Process and How We Obtain It
Even though we are a data controller for the Personal Data processed in the context of our Trials, RayzeBio itself does not have access to identifiable Personal Data of Trial participants, meaning that we are unable to identify you personally from the information we have access to. Personal data is collected by our service providers (like the study site or our clinical research organizations) or other third parties, such as your doctors. When any information relating to you is shared with us by our service providers, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).
Personal Data We Collect, Process, or Store | Category of Data Subject | Purposes for Which We Process Personal Data | How We Obtain It | Who We Share Personal Data With |
Basic Identifying Information such as real name, Patient ID, zip code, email address, telephone number, physical address, gender, or other similar identifiers. | Trial participants; Healthcare providers | Conducting and managing Trials. Enabling your participation in the Trial, as a patient or staff member. Complying with legislation governing Trials. Pharmacovigilance related activities, medical information inquiries and product complaints. Communication with you on the status of the Trial and your questions / queries. Arranging for delivery of drugs to you and collection of unused drugs from you in relation to the Trial. Answering the questions posed by the Trial. Monitoring and reporting on any adverse events related to the Trial, such as side effects. Storing your Personal Data in a database, which is used for future Trial recruitment purposes. Developing new medicinal drugs or health treatments. | You provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf). A study doctor (also known as an “investigator”) at the study site provides it to us. We receive it from the clinical research organization that conducts the Trial on our behalf. Another healthcare provider of yours provides it to us. We receive it from our steering committee members or advisory boards. | Contract/clinical research organization services. Patient recruitment services. Patient travel or concierge services. Safety and pharmacovigilance software and related services. Data storage and archiving software and related services. Data analytics and reporting software and services. Services related to the collection, storage, testing, and transportation of biological material; laboratory services. Services related to the collection, storage, and analysis of patient scans. Software that randomly decides which treatment you will receive during the Trial. Logistics/transport service providers. Electronic data capture software and hardware. If required by law, regulatory authorities, auditors, and ethical committees, for example, as part of an audit or inspection or general oversight activities. Service providers providing IT systems and infrastructure. |
Location Information such as your Trial location (i.e., study site) and location of your medical practice | Trial participants; Healthcare providers | |||
Professional and employment related information, such as your qualifications and job titles, affiliations, your professional opinion and feedback regarding our product, Trials, or product development activities | Healthcare providers | |||
Special categories of Personal Data such as physical characteristics or description, genetic information, general medical information, such as your medical history, current health status and reaction to the product/Trial drug or health treatment. | Trial Participants |
RayzeBio does not sell or share your Personal Data as those terms are defined under the CCPA. RayzeBio only discloses your Personal Data to third parties as specified within this Privacy Notice.
If you are a Trial participant, you can ask your study doctor if you are unsure whether or not any specific Personal Data that you are being asked to provide is required as part of your participation in a Trial. The Informed Consent Form you signed consenting to be part of a Trial will also have additional specifications on the types of data being collected in a particular Trial.
We will not collect additional categories of Personal Data without informing you.
Some of the third parties to which we disclose your Personal Data may be located outside of the European Union or the European Economic Area (“EEA”). In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to Personal Data when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses approved by the European Commission under Article 46.2 of the GDPR.
6. How Long We Keep Your Personal Data
We will retain your Personal Data until we fulfil the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations.
Once your information has been entered into the Trial records, we cannot remove it without affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least 25 years after the conclusion of the Trial. We will ensure that your Personal Data is safeguarded at all times.
7. Automated Individual Decision-Making
If you participate in a Trial we sponsor, you will be assigned a unique patient identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.
For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling”. But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.
8. Other Disclosures of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data.
9. What Privacy Rights Do You Have?
If you are a Trial participant, to exercise any of your privacy rights or raise any other questions, please first speak with your study doctor or study site.
You may also contact our Data Protection Officer directly using the contact details listed in Section 13 below.
Right to Know What Happens to Your Personal Data
This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.
We are informing you of how we process your Personal Data with this Notice.
Right to Know What Personal Data RayzeBio Has About You
If we process your Personal Data, you will have the right to request access to that Personal Data. This means that you have the right to ask us to confirm whether or not we process your Personal Data, and, where that is the case, obtain a copy of or access to your Personal Data and other related information (such as the purposes for which we collected your Personal Data, and the categories of third parties that we share it with).
Right to Correct Your Personal Data
You can also ask us to update or correct, without undue delay, anything that you think is wrong with the Personal Data we have about you, and to complete any incomplete Personal Data.
Right to Ask Us to Limit How We Process Your Personal Data
You may also have the right to ask that we limit/restrict our processing of your Personal Data (e.g., if you ask us to only use or store your Personal Data for certain purposes). You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.
Right to Ask Us to Stop Using Your Personal Data
You have the right to object to our processing of your Personal Data. We will always strive to fulfill your request. However, please note that there are occasions when doing so may not be possible, like when the law tells us we cannot do that, or where we need your Personal Data to complete the transaction for which we collected the Personal Data.
Right to Delete Your Personal Data
This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to Withdraw Your Consent
As discussed above, if we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
Right to Port or Move Your Personal Data
You may also have the right to “data portability”, which means that you may have the right to ask us to provide you with a copy of your Personal Data. If you exercise this right, we will provide you with a copy of your Personal Data in a structured, commonly used and machine-readable format.
Right Related to Automated Decision Making
As explained above, if you participate in a Trial we sponsor, you will be assigned a unique patient identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.
For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling”. But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights.
HIPAA
If HIPAA applies, you also have:
- the right to request or receive confidential communications from us by alternative means or at a different address;
- the right to receive a copy of this Notice; and
- the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services.
Verification of Your Identity
In order to correctly respond to your privacy rights requests, we need to confirm that you made the request. Consequently, we may require additional information to confirm that you are who you say you are.
If you are a Trial participant, RayzeBio does not have access to your identifiable Personal Data, meaning that we are unable to identify you or confirm your identity from the information we have access to. As a result, you should contact your study doctor or study site to exercise any of your privacy rights or raise any other questions.
For all other individuals, we will verify your identity by asking for information that matches the information RayzeBio already holds, such as an email address, phone number, or other identifier. We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.
Verification of Authority
If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using our contact details to verify their identity with RayzeBio and confirm with us that they gave you permission to submit this request.
Response Timing and Format of Our Responses
We will confirm receipt of your request in 10 days. Please allow us up to one month to reply to your request starting from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason and extension period in writing. If you are a resident of Brazil and we cannot immediately fulfil your request, we will provide you with reasons why this is not possible. We will send our written response electronically, unless you request that we respond via postal mail, in which case we will do so.
We commit to not charging a fee for processing or responding to your requests unless we consider your request to be excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.
10. Privacy of Children
Our Trials are generally not directed at or intended for use by anyone under the age of 18. We generally do not collect, use, disclose, or otherwise process Personal Data of individuals under the age of 18 in connection with conducting our Trials. However, in the event that a Trial participant or their partner becomes pregnant, we will collect and process information about the birth, which may include Personal Data of the newborn.
11. Data Integrity and Security
We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction. Some of those measures include encryption and redaction, and we also have dedicated teams to look after information security and privacy.
12. Right to Lodge a Complaint with a Supervisory Authority
If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.
Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.
13. Contact Us
If you have any questions about this Notice or our processing of your Personal Data, please first speak with your study doctor or study site if you are a Trial participant.
14. Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date.