AVEO Pharmaceuticals, Inc. (“AVEO”, “we”, “us”, “our”) recognizes that you care how information about you is used and shared, and we appreciate your trust that we will handle your information carefully and sensibly.
As a sponsor of ethically approved clinical trials (“Trial” or “Trials”), we take the protection of personally identifiable information (“Personal Data”) very seriously. When you visit our website or participate or work in one of the Trials that we sponsor, you trust us with your Personal Data. We are committed to keeping that trust. That starts with helping you understand our privacy practices. This Privacy Policy (the “Policy”) describes how we collect and process Personal Data (i) collected via our various websites (including but not limited to www.aveooncology.com and www.fotivda.com) (the “Sites”), (ii) in relation to job applicants, (iii) in the context of the Trials we sponsor and (iv) in the context of our patient assistance programs. Please read this Policy to learn what we are doing with your Personal Data, how we protect it and how you can exercise your privacy rights.
This Privacy Policy (“Policy”) does not apply to Personal Data collected by any other means, or in other contexts, such as Personal Data of AVEO’s employees, contractors, officers, directors or other staff of AVEO.
If we maintain information in a manner that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Policy will not apply to our processing of that information.
Within the scope of this Policy, AVEO generally acts as a data controller for the Personal Data collected and processed while you navigate through our Sites, in relation to job applicants, in the context of the Trials we sponsor and in the context of our patient assistance programs. This means that we alone determine the purpose and means of the processing of your Personal Data.
In some jurisdictions, we are considered a “joint controller” with another organization, such as the study site where a Trial is being conducted. This means that we jointly, together with the other organization, determine the purposes and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with AVEO, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in.
3.1 Personal Data of Individual Trial Participants
Even though we are a data controller for the Personal Data processed in the context of our Trials, AVEO itself does not have access to identifiable Personal Data, meaning that we are unable to identify you personally from the information we have access to. Personal Data is collected by our contracted parties like a Trial site (the clinic or other healthcare facility where a Trial is being run) or other third parties, such as your doctors or our clinical research organizations. When any information relating to you is shared with us by our contracted parties, it will first be key-coded and replaced with pseudonyms or identifiers (also known as “pseudonymized data”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).
The following types of Personal Data may be processed in the context of our Trials and shared with us:
The following types of Personal Data may be processed in the context of our Trials by a Trial site, but would NOT be shared with us:
You can ask your study doctor if you are unsure whether any specific Personal Data that you are being asked to provide is required as part of your participation in a Trial.
3.2 Personal Data of Healthcare Providers
We may process the following types of Personal Data about healthcare providers in the context of our Trials:
3.3 Personal Data for Insurance
We may process the following types of Personal Data about your health insurance in the context of our Trials:
The above-mentioned types of Personal Data may be processed in the context of our Trials by a Trial site, but would NOT be shared directly with us.
3.4 Personal Data of Site Visitors
We may process the following types of Personal Data about Site visitors that contact us via our contact webform:
If you wish to receive information or news alerts from us, we request your name and email address to send the information alerts to you. If you no longer wish to receive our news alerts and informational materials, you may opt-out of receiving them by following the instructions included in each email notifying you of an alert.
We may collect Personal Data from cookies and tags, as described in Section 5 below.
In general, you can browse the Sites without telling us who you are or revealing any Personal Data about yourself. We may track certain information based upon your behavior on the Sites. We use this information to analyze how our Sites are used. Like many websites, from time to time, we automatically gather certain information about our Sites’ traffic and store it in log files. This information does not usually identify a particular individual. It includes:
3.5 Personal Data of Job Applicants
We may process the following types of Personal Data about individuals that apply for a position at AVEO:
We may receive your Personal Data when:
We may process your Personal Data for the purposes of:
We also process your Personal Data for the specific purposes described in the informed consent form provided to you by Trial personnel.
In relation to the information we collect about users of the Sites, this typically does not identify individual users. We use the information we collect to analyze trends, to administer the Sites, to track users’ movements around the Sites and to gather demographic information about our user base. We do not link this automatically collected data to personally identifiable information. However, in certain cases, we may process Personal Data collected via cookies or tags. Please refer to Section 7 below, and to our Cookie Policy, for further information on this.
We may process your Personal Data on the basis of:
Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you will be ineligible to participate in the Trial.
Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligation towards you.
Where we process Personal Data based on our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided in Section 15 below.
If you are a participant in a Trial, we process special categories of Personal Data, such as your health status and medical history. Certain data protection laws require that we must have an additional ground to process this type of information. AVEO may process your special categories of Personal Data based on your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above to comply with the requirements of local laws in jurisdictions where we sponsor Trials. If you are a participant in a Trial, please refer to the informed consent form you signed when you joined a Trial for more information about the legal grounds on which we process your Personal Data.
SUMMARY CHART ON HOW WE USE YOUR PERSONAL DATA: PURPOSES AND LEGAL BASES OF THE PROCESSING
How we use and process your Personal Data under the European Union General Data Protection Regulation (“GDPR”) for the purposes and legal bases set out below:
| Use/Purpose | Lawful Basis |
|---|---|
| Communicating with you, providing you with information about our business, and operating and improving our website | AVEO has a legitimate interest to operate its website and communicate with you upon your request (Article 6(1)(f), GDPR). |
| Contact you with respect to clinical trials offered by us which we believe may interest you (including direct marketing) | AVEO has a legitimate interest to operate its website and communicate with you upon your request (Article 6(1)(f), GDPR). Depending on your location, we may also ask for your consent prior to sending you direct marketing. |
| Marketing and advertising about AVEO, our clinical trials, and any future marketing of products and services | Depending on your location, AVEO may also ask for your consent prior to marketing and advertising our clinical trials, products, and services online. |
| Conducting audits and investigations, and to investigate and resolve complaints, grievances or misconduct | AVEO has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR). AVEO has a legal obligation to do so (Article 6(1)(c), GDPR). |
| Preparing for and acting in relation to inquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation | AVEO has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR). AVEO has a legal obligation to do so (Article 6(1)(c), GDPR). |
Periodically, some pages on our Sites may use “cookies,” which are small files that the site places on your hard drive for identification purposes. These files are used for Site registration and customization the next time you visit our Site. We may also collect information about how you use the Sites using cookies (and other similar technologies), as part of improving the content and functionality of the Site. You should note that cookies cannot read data off your hard drive. Your web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. You can also refuse all cookies by turning them off in your browser. By not accepting cookies, some pages may not fully function and you may not be able to access certain information on the Site.
We may also use third party cookies. Third-party cookies are created by domains that are not the Sites (or domain) that you are visiting. These cookies are used for our marketing efforts, as well as to understand your browsing of the Sites, for example, which page you visit or how long you stay on each page. These types of cookies are set by AVEO affiliates and/or vendors we are working with to enhance end user experience or may be used to identify visitors to our Sites.
We may also use Internet Tags such as “pixel tags,” which are small graphic files that allow us to monitor the use of our websites. A pixel tag can collect additional information such as IP address, URL, timestamp, browser type and the cookie identification number.
Please refer to our Cookie Notice for further information about the types of cookies and tags we make use of and how you can disable them in your web browser. Cookie Notice, https://www.aveooncology.com/cookie-notice/.
We will seek to ensure that your Personal Data is always safeguarded. We will retain your Personal Data until we fulfill the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations.
Once your information has been entered into Trial records, we cannot remove it without affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least twenty-five (25) years after the conclusion of the Trial.
We may share Personal Data with our contracted parties who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing as described in Section 5 above, or as required by law. Our contracted parties include parties providing:
For Site visitors, we may share aggregated demographic information about our user base with third parties that may or may not be affiliated with us, but this information does not identify individual users. We do not link aggregate user data with Personal Data. We share Personal Data with third parties which we rely upon to operate and administer our Sites. We disclose information as needed for these contracted parties to perform their functions, but do not authorize the contracted parties to use the information for other purposes.
We may also use independent advertising companies to provide ads on our behalf across the Internet (“advertising company”). These advertising companies also help us analyze our advertising campaigns and the general usage patterns of visitors to our websites. This is primarily accomplished using cookies and Internet tags. Such companies may place these tags on our Sites or on other websites. Please refer to our Cookie Policy for further information, https://www.aveooncology.com/cookie-notice/.
We may use this information to improve our Sites and our advertising. In order to deliver more relevant content or advertising, or to connect with you via other methods, from time to time we may link the information we receive to your personal information. If we do link such data, it is treated under AVEO’s Policy as Personal Data.
Certain data protection laws (such as the laws in the European Union (“EU”) and United Kingdom (“UK”)) only allow us to transfer Personal Data outside of a particular region if the country that the data is being transferred to offers an adequate level of protection for the Personal Data. AVEO and some of the third parties we share Personal Data with are in countries outside of the EU and the UK. In some cases, the relevant authorities may not have determined that those countries’ data protection laws provide an adequate level of protection for your Personal Data. When these data protection laws apply to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data. These safeguards may include the standard data protection clauses approved by the European Commission under Article 46(2) of the EU General Data Protection Regulation.
We may also disclose your Personal Data for other reasons. We reserve the right to transfer, disclose or assign your Personal Data in connection with the following events:
If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We have implemented and will maintain technical, administrative and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration or destruction.
You have specific rights regarding your Personal Data that we collect and process.
For individual patients, please first speak with your study doctor instead of contacting us directly to exercise the rights we explain below.
Right to Know What Happens to Your Personal Data. You have the right to obtain from us all information regarding our data processing activities that concern you (or your child), such as how we collect and use your Personal Data, how long we will keep it and who it will be shared with, among other things. We are informing you of how we process your Personal Data with this Policy.
Right to Know What Personal Data We Have About You. If we process your Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. This means that you have the right to ask us to confirm whether or not we process your Personal Data, and, where that is the case, obtain a copy of or access to your Personal Data and other related information such as:
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
Right to Change Your Personal Data. You can also ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have about you, and to complete any incomplete Personal Data.
Right to Delete Your Personal Data. You may ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to Ask Us to Limit How We Process Your Personal Data. You may also have the right to ask that we limit/restrict our processing of your Personal Data (e.g., if you ask us to only use or store your Personal Data for certain purposes). You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.
Right to Ask Us to Stop Using Your Personal Data. You have the right to object to our processing of your Personal Data. We will always strive to fulfill your request. However, please note that there are occasions when doing so may not be possible, like when the law tells us we cannot do that, or where we need your Personal Data to complete the transaction for which we collected the Personal Data.
Right to Withdraw Your Consent. As discussed in Section 6 above, if we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in a Trial.
Right to Port or Move Your Personal Data. You may also have the right to “data portability”, which means that you may have the right to ask us to provide you with a copy of your Personal Data. If you exercise this right, we will provide you with a copy of your Personal Data in a structured, commonly used, and machine-readable format.
To exercise any of your privacy rights or raise any other questions, please contact us by using the information in the Contact Us section below. You also have the right to lodge a complaint with a data protection regulator in one or more EEA member States and in the UK.
The website content and services are intended for users over the age of 18. Since it is impossible to determine the age of individuals who navigate to our websites, we encourage the legal guardians to contact us if they confirm unauthorized data provision by their children in order to delete their data. If we learn that a child under 18 has volunteered personally identifying and/or health-related personal information on the website, or that a provider has volunteered information about a patient who is identified as younger than 18, we will delete such information from our active databases in accordance with our deletion policy.
In case we need to collect Personal Data of minors (i.e., under the age of 18), we endeavor to collect such data from their legal guardian provided that a legal basis for collecting such data exists.
If you have any questions about this Policy or our processing of your Personal Data as it relates to a clinical trial, please first speak with your study doctor. If you have any questions about this Policy or our processing of your Personal Data outside of a clinical trial or after you speak with your study doctor, please contact us or our Data Protection Officer directly using the contact details listed in Section 17 below. Upon receipt of your request, please allow up to one (1) month for us to reply.
While you may contact us at any time, our data protection representative can be contacted about matters related to the processing of your Personal Data.
European Union Representative
We have appointed VeraSafe in Spain as our representative in the EU for data protection matters, pursuant to Article 27 of the General Data Protection Regulation. VeraSafe can be contacted on matters related to the processing of Personal Data. If you want to raise a question to us, or otherwise exercise your rights in respect of your Personal Data, you may do so by:
VeraSafe’s privacy policy is accessible at https://verasafe.com/legal-notices/privacy-policy/.
United Kingdom Representative
We have appointed VeraSafe as our representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted in addition to AVEO, only on matters related to the processing of your personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
VeraSafe’s privacy policy is accessible at https://verasafe.com/legal-notices/privacy-policy/.
PLEASE NOTE: When mailing inquiries, it is ESSENTIAL that you address your letters for ‘Data Protection Representative – AVEO Pharmaceuticals, Inc.’ and not ‘AVEO Pharmaceuticals, Inc.’ or your inquiry may not reach the appropriate representative of AVEO. Please refer clearly to AVEO Pharmaceuticals, Inc. in the body of your letter. On receiving your correspondence, We may request evidence of your identity, to ensure your Personal Data and information connected with it is not provided to anyone other than you.
If you have concerns over how any of our data protection representatives will handle your Personal Data that they will require to undertake their representative services, please refer to the respective representative’s privacy policy identified above.
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly at dataprotection@aveo-corporate-2024, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
VeraSafe
Zia Maharaj
100 M Street S.E., Suite 600
Washington, D.C. 20003
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
Tell: +1-617-398-7067
In conjunction with the safeguards stated above, AVEO also complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. AVEO has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF, from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF and with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. While the decision to self-certify and participate in the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once an organization self-certifies to the U.S. Department of Commerce’s International Trade Administration (ITA) and publicly declares its commitment to adhere to the DPF Principles that commitment is enforceable under U.S. law. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (the “Principles”), the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, AVEO commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact AVEO at dataprotection@aveo-corporate-2024. If you still have specific privacy concerns that have not been resolved after attempting to address your privacy question or concern with AVEO directly, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse to you free of charge. To file a complaint with the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information at https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
In compliance with the DPF, AVEO would also like to inform you that we are obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to AVEO and has followed the procedures, subject to conditions, set forth in Annex I of Principles. So, if your concern is not resolved after following the recourse mechanisms described above, you may have the option to select binding arbitration for the resolution of your complaint with respect to PI originating in the EU, the UK, Gibraltar or Switzerland. For more information on binding arbitration, please visit the U.S. Department of Commerce’s website on submitting complaints located here.
As explained above in this Policy, PI may be shared as appropriate with third parties that process information on behalf of, or with, AVEO. Under certain circumstances, AVEO may remain liable for the acts of certain third parties if those third parties process PI originating from the EU, the UK, Gibraltar and/or Switzerland that AVEO discloses to them in a manner that is inconsistent with the Principles.
AVEO is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission for purposes of enforcing compliance with the DPF.
For more information about the DPF or to view AVEO’s U.S. certification on the DPF List, please visit the U.S. Department of Commerce Data Privacy Framework website.
This Policy applies to information collected by our Sites. The Sites may contain links to other sites that are not owned or controlled by AVEO. Please be aware that we are not responsible for the privacy policies of such other sites. We encourage you to be aware when you leave our Sites and to read the privacy policies of each and every website that collects Personal Data.
If we change this Policy, we will publish the revised Policy on our website. We will also update the “Last Modified” date.
Effective on: December 23, 2022
Last Modified on: January 30, 2024