HCP & PATIENT PRIVACY NOTICE
HCP & PATIENT PRIVACY NOTICE (“PRIVACY POLICY”)
EFFECTIVE DATE: March 22, 2024
INTRODUCTION AND SCOPE
This Privacy Policy is directed at patients (and/or their caregivers, guardians, parents or representatives, collectively “patients”), health care professionals and other medical professionals such as pharmacists, statisticians, clinical social workers, staff or other representatives of medical offices, hospitals, and academic and medical centers (“HCPs”) who provide Ironwood Pharmaceuticals, Inc. and/or its subsidiaries (“Ironwood”, “we”, “us”, “our”) with personal information and/or personal data (“Personal Information”) we receive for such purposes including but not limited to: (1) requests for corporate, disease state, marketing, medical materials or other information requests; (2) participation in clinical trials or market research; (3) participation in speaker programs; (4) when you are applying to and/or enrolled in our patient support and/or financial assistance programs; (5) providing patient testimonials or other patient related information at Ironwood events; (6) participation on advisory boards; (7) drafting publications or other medical materials; (8) in connection with post-approval pharmacovigilance and adverse events complaints and reports; (9) participation in advocacy or peer-to-peer programs; and (10) consulting activities.
This Privacy Policy describes how Ironwood uses the Personal Information we collect about you and how to exercise your rights.
- This Privacy Policy contains specific sections that may or may not be applicable to you because of where you are located or the type of Personal Information we collect and maintain about you.
- This Privacy Policy may be complemented or supplanted by other privacy policies or information notices that tell you how your Personal Information is used and disclosed in certain other contexts. To the extent that those policies or notices are provided, posted and/or referenced, that different privacy policy or notice, and not this one, will apply to the processing of your Personal Information.
- Our websites, web portals, mobile applications or other digital services (together, our “websites”) may contain links to third-party websites that we do not operate, control or endorse. Once you leave our websites, we are not responsible for the protection and privacy of any information you provide. We recommend that you read the privacy policies of these third-party websites, and if needed, contact the third parties directly for information about their privacy practices.
CATEGORIES OF PERSONAL INFORMATION WE MAY COLLECT AND PROCESS ABOUT YOU
CATEGORIES | EXAMPLES |
IDENTIFICATION INFORMATION | First name, middle name. last name, nickname, initials, date of birth, gender, photographic image(s), identification numbers (e.g., driver’s license number, passport number, social security number, national identity card number, resident identity card number) or copies of Identification Documents (e.g., driver’s license, identity card, passport). |
CONTACT DETAILS | Email address, postal address, or phone number. |
PROFESSIONAL INFORMATION
| CV/Resume, National Provider Identifier Standard (NPI), medical license number, job title, employment status, education background, professional qualifications and related licenses, work experience, professional networks, programs and activities, publications, and awards and influence rankings. |
COMMERCIAL INFORMATION | Prescribing activities (prescription data). |
PRIOR RELATIONSHIP INFORMATION WITH IRONWOOD | Information related to your past collaborations with us, e.g., contacts with our marketing, market access and sale representatives or medical staff, consulting activities, speaker program participation, advisory board participation, clinical trials participation, patient support and assistance program participation, etc. |
FINANCIAL INFORMATION | Information related to amounts invoiced and/or payments made, services provided, travel and expenses, tax-related information, financial disclosures, banking information, W9 information, billing address, and other information collected for regulatory and transparency reporting purposes or to pay you for services or reimburse your expenses. Financial information also includes your insurance information or other personal financial information needed to evaluate whether you may participate in free or lower cost drug discount programs. Such evaluations are performed by Ironwood vendors. |
INFORMATION RELATED TO YOUR USES OF IRONWOOD’S INTERNET, NETWORKS AND DEVICES | We collect information about your use of Ironwood email accounts, the internet, and our computers, phones, and other devices to which you may have been granted access to. |
HEALTH INFORMATION | When completing enrollment or prescription forms, we may collect health information about you. Such information may include, your insurance information, dates of medical procedures, diagnosis codes, medical history, prior therapies or treatment information, allergies, etc. |
DISEASE AND EXPERIENCE INFORMATION | We may collect information from you about your experiences working with us, your experiences with our products or services, and general information about your health condition (e.g., patient reported outcomes). |
OTHER INFORMATION | Other information needed for our relationship or interactions with you, or as required by law, our service providers, or collaborators, or voluntarily provided by you, such as the information you provide in contacts and queries you make to us, communicating preferences, and if provided, information about dietary preferences and other personal information. |
Sensitive Personal Information. Certain Personal Information Ironwood collects about you may be considered Sensitive Personal Information under applicable laws. To protect such Sensitive Personal Information, we will:
- take appropriate security and technical measures to protect and process your Sensitive Personal Information; and
- provide notices and/or obtain your explicit consent for processing your Sensitive Personal Information where required by applicable laws.
Website Information. Our websites automatically collect the following information through cookies and other data collection technologies:
- IP address
- device type
- browser type
- language
- browsing history, and
- information about your interaction with our websites and their services
This information is necessary for the proper functioning of our websites and their services, as well as our internal business analytics purposes, such as audience measurement.
For more information on our cookies and other data collection technologies, please read the OUR COOKIES POLICY section below, or the Privacy Policy applicable to the website you are accessing.
Required Information. Required information will be marked as required at the time of collection of your Personal Information so that you are aware that it is required. If you decide not to provide the required information, Ironwood may not be able to process your Personal Information.
SOURCES OF YOUR PERSONAL INFORMATION
The most common way we collect your Personal Information is directly from you, such as when you contact us via phone, electronically via email or in person; when you complete a form or survey on-line or that we send to you; when you contract with us; when you provide services to us; when you register for an on-line account; or when you request to receive from us corporate, disease state, marketing, medical or other materials, or when you submit a medical information request.
We may also collect your Personal Information from a variety of other sources including but not limited to: our business partners, specialty pharmacies, patient hub, medical information contact center, health insurance companies, your healthcare provider, public sources (such as websites, social media and other digital platforms, publication databases, journals, societies, editorial board websites, national registries, professional directories and third-party healthcare professional databases), or from our third-party vendors and service providers.
In addition, if you use our websites, we may collect information from your computer or other devices through our use of cookies and other data collection technologies.
WHY WE PROCESS YOUR PERSONAL INFORMATION
PURPOSE OF PROCESSING | EXAMPLES OF USES OF YOUR PERSONAL INFORMATION |
MANAGING OUR PERSONAL AND CONTRACTUAL RELATIONSHIP WITH YOU |
|
PROVIDING SERVICES |
|
SENDING OR SHARING COMMUNICATIONS OR OTHER INFORMATION THAT MAY BE OF INTEREST TO YOU |
|
PROVIDING EDUCATIONAL AND AWARENESS INFORMATION |
|
CREATING AND MANAGING YOUR ON-LINE ACCOUNTS ON OUR WEBSITES |
|
MANAGING IRONWOOD EVENTS OR PROGRAMS DEDICATED TO HEALTH PROFESSIONALS OR PATIENTS |
|
LEGAL, COMPLIANCE, AND REGULATORY OBLIGATIONS |
|
OTHER GENERAL USES |
|
Our legal bases for processing your personal information may be: (1) in furtherance of a contract between Ironwood and you; (2) Ironwood’s legitimate business interests; (3) due to a legal or regulatory obligation; or (4) your consent.
We do not undertake any decisions based solely on automated processing of your information, including profiling, unless we inform you as required by applicable laws.
WHO WE SHARE YOUR PERSONAL INFORMATION WITH
We may share your personal information within Ironwood and Ironwood subsidiary companies, business partners, with all authorized third parties with whom we have contracted, judicial, administrative, or regulatory authorities, or as otherwise permitted by applicable laws. The type(s) of personal information we share and our purposes for sharing it depends on the role of the recipient. We do not, however, sell your personal information that we collect about you. For residents of the State of California, U.S.A., we do not share your personal information for internet-based advertising or targeted marketing (see below section for California Residents).
Here are examples of who we share your personal information with and the purposes for sharing it.
RECIPIENTS | PURPOSES |
IRONWOOD, IRONWOOD’S SUBSIDIARY COMPANIES, AND EMPLOYEES | For the purposes set forth in this Privacy Policy, including the global administrative, business, marketing, medical, operational, and technical activities. |
IRONWOOD’S SERVICE PROVIDERS AND VENDORS | For assisting Ironwood in the global administrative, operational and/or technical management of our business, including clinical trials or other research sponsored by Ironwood or one of its partners or collaborators. |
IRONWOOD SECURITY AND TECHNOLOGY PROVIDERS | For assisting Ironwood in protecting Ironwood’s information security network and for administering and maintaining Ironwood’s information security network. |
IRONWOOD BUSINESS PARTNERS AND COLLABORATORS | For administrative, operational and/or technical purposes in the context of Ironwood’s global business and medical activities. |
ADMINISTRATIVE, REGULATORY OR JUDICIARY AUTHORITIES | To comply with legal, regulatory, or compliance obligations; for safety data reporting and other required reporting such as Sunshine law reporting; and for regulatory approvals for our drug products. |
ADVISORS (Accountants, Attorneys, Auditors, etc.) | For administrative, operational, and/or technical purposes in the context of Ironwood global business and medical activities, as well as the management of disputes and other legal matters. |
OTHER PARTIES | Following or during a restructuring, acquisition, debt financing, merger, transfer, sale of assets, or a similar transaction, as well as in case of insolvency, bankruptcy, or receivership where personal data are transferred to one or more third parties as assets of Ironwood as required by law. |
HOW LONG WE RETAIN YOUR PERSONAL INFORMATION
We retain your personal information for as long as it is necessary for us to carry out the purposes for which we collected it as set out in this Privacy Policy unless we are required by law to retain it for a longer period of time. When we determine the appropriate retention period for your personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the information, the purposes for which we process the information, whether we can achieve those purposes through other means, and all applicable legal, regulatory, and compliance requirements.
When we communicate with you via email, send newsletters, or respond to your requests to receive information from us, your information may be kept until you decide to unsubscribe and the information you provide via your requests will be kept a least until their complete processing. We will keep a record of your unsubscribe request for as long as is necessary to comply with that request.
In addition, Ironwood will keep your personal information:
- In compliance with Ironwood’s records retention policy.
- For the statute of limitation, if needed for evidentiary purposes.
- For the applicable legal retention periods, in particular regarding commercial, compliance and regulatory matters, or any other mandatory retention period (such as a legal hold or investigation).
WHERE WE PROCESS YOUR INFORMATION AND HOW WE PROTECT IT
Ironwood operates in several countries around the world and your personal information may be accessible to or be shared with our subsidiary companies, authorized service providers, Judicial, administrative, and regulatory parties and agents, advisors, consultants, and representatives in various countries for the purposes specified in this Privacy Policy.
Keep in mind that the data privacy and data protection laws or regulations in certain countries may not provide the same level of protection as those in your country or region. When that is the case, and as required by applicable laws, we take legally required steps to protect your personal information when transferred to another country or region, such as entering into contracts with recipients of your information and implementing additional safeguards.
While we have established reasonable physical, administrative, and technical measures to protect your personal information from unauthorized access or disclosure, we cannot guarantee its absolute security. You should take special care in deciding what information you transmit, upload, send or otherwise submit to us.
YOUR CHOICES AND RIGHTS
You may choose not to provide your personal information to us; however, in doing so, you may not be able to continue your relationship or interactions with us or use certain services, e.g., patient support services.
At any time, you can choose to opt out from our marketing communications by using the unsubscribe feature in any marketing email you have received. If you unsubscribe from marketing, we may still send you email communications that are relationship or transactional in nature.
Under certain laws, such as the European Union’s General Data Protection Regulation (GDPR), The Swiss Data Protection Act, The UK Data Protection Act (UK-GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) or China’s Cybersecurity Law and Personal Information Protection Law (PIPL), including their implementing regulations and national standards, you may have the following rights with respect to your personal information:
- Your right of access. You may have the right to ask us to provide clear, transparent, and understandable information on how we process your personal information, as well as for copies of your personal information. There are some exemptions, which means you may not always receive access to all the personal information we have and process about you.
- Your right to rectification. You may have the right to ask us to correct or rectify information you think is obsolete or inaccurate and the right to ask us to complete information you think is incomplete.
- Your right to deletion of your personal information. You may have the right to ask us to delete your personal information in certain circumstances.
- Your right to restriction of processing. You may have the right to ask us to restrict the processing of your personal information, during a limited period of time, in certain circumstances.
- Your right to object to processing. You may have the right to object to certain processing activities, in which case, Ironwood will no longer process your personal information unless Ironwood demonstrates compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, such as compliance with a legal obligation or for the establishment, exercise or defense of legal claims.
- Your right to data portability. You may have the right to ask that we transfer the information you gave us from one organization to another or give it to you to transfer to another organization.
- Right to withdraw your consent. If we process your personal information based on your consent, you have the right to withdraw your consent, without this withdrawal affecting the lawfulness of the processing operations previously conducted.
- Right to close your account. If you receive our services through on-line accounts, you have the right to close your accounts. We will then delete or anonymize your personal information associated with your accounts unless we are otherwise permitted to retain your personal information under applicable laws.
Depending on your country of residence and the country where the Ironwood entity processing your personal information is established, you may have additional local rights with respect to our processing of your personal information. For example, you may also have the right to raise questions or concerns directly with your local data protection authority. Please note that some of the personal information that we collect and process may be exempt from the rights outlined above.
You can submit your request directly to Ironwood by sending us an email at [email protected].
We will respond to your requests within the time period prescribed by applicable laws. Under certain circumstances, Ironwood may ask you for specific information to confirm your identity and ensure the appropriate exercise of your rights. This is a security measure to safeguard personal information. We will notify you when your request is completed, if we deny your request to exercise your rights (because, for example, an exception applies), or if there is a fee associated with processing your request.
You may designate an authorized agent to exercise your rights on your behalf. In such case, we will also need to verify your agent’s identity and obtain proof of your authorization. We may need to deny a request from an agent whose identity or authorization we cannot verify.
If you believe that Ironwood has processed information in a manner that is unlawful or breaches your rights, or has infringed applicable laws, you may have the right to complain directly to your local data protection authority. Without limiting any rights to complain directly to an authority, we are committed to protecting your personal information, and you may also lodge your complaint(s) directly with us.
We will not discriminate against you for exercising any of your rights that you have under applicable data privacy and data protection laws.
REGIONAL AND STATE SPECIFIC PRIVACY NOTICES
CALIFORNIA
If you are a California Consumer, in the past twelve (12) months, we may have collected the categories of personal information about you described in the CATEGORIES OF PERSONAL INFORMATION WE COLLECT AND PROCESS ABOUT YOU section of this Policy. That information was collected for the purposes described in the WHY WE PROCESS YOUR PERSONAL INFORMATION section of this Policy and may have been shared with the third parties identified in the WHO WE SHARE YOUR PERSONAL INFORMATION WITH section of this Policy.
You can exercise your data subject access rights as described in the YOUR CHOICES AND RIGHTS section of this Policy by sending us an email at [email protected] or you may also call us toll- free at 1-617-621-7722.
Some of the personal information that we collect, share or use may be exempt from California state law because it is regulated by other federal or state laws that apply to us.
We do not sell your personal information, and we do not share your personal information for internet-based advertising or targeted marketing.
ADDITIONAL INFORMATION FOR INDIVIDUALS IN THE EUROPEAN UNION (EU)/EUROPEAN ECONOMIC AREA (EEA), UNITED KINGDOM, OR SWITZERLAND
We are required to comply with the European Union’s and the United Kingdom’s General Data Protection Regulations (“GDPR”), Switzerland’s Federal Act on Data Protection (FADP) and similar applicable local laws with regards to certain personal information we collect. The data controllers of your personal information are the Ironwood entities referenced at the beginning of this Privacy Policy. Please contact us if you have any questions about the controller or controllers of your personal information at: [email protected].
Sensitive Personal Information. We process special categories of personal information (e.g., sensitive personal information that reveals racial, sex or ethnic origin, genetic, biometric and health information, political and trade union affiliations, etc.) only where you give us your explicit consent, or when our processing is for scientific research purposes, necessary to meet a legal or regulatory obligation, in connection with the establishment, exercise or defense of legal claims, or is otherwise expressly permitted by applicable laws.
If we need to collect your personal information by law or under the terms of a contract we have with you and you do not provide the requested information, we may not be able to perform the contract we have or are trying to enter into with you, respond to your information request or otherwise provide services to you.
Data transfers. Ironwood is a global company with offices in the United States and Switzerland. As such, Ironwood may transfer or provide access to your personal information to its subsidiary companies and affiliates, authorized service providers or collaborators or other third parties in these countries and others that may not provide the same level of protection to your personal information as in your country of residence. When we do so, in the absence of an adequacy decision concerning the recipient country, we rely on safeguards such as approved model contracts (for example the EU’s standard contractual clauses or the UK’s international data transfer agreement), after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient of your personal information is established. For more information about Ironwood’s use of the model contracts, please contact us at: [email protected].
Your Data Subject Rights. Rights you may have under the GDPR and related regulations with regards to the personal information we collect and maintain about you are described in the section YOUR CHOICES AND RIGHTS. Under the GDPR, the exercise of these rights may be limited or delayed dependent upon the legal basis for processing your personal information, for example:
LEGAL BASIS | ACCESS | RECTIFICATION | ERASURE | RESTRICTION | INFORMATION PORTABILITY | OBJECTION |
Consent |
Yes |
Yes | Yes |
Yes | Yes | Withdrawal of consent |
Steps prior to entering into a contract | Yes | Yes | No | |||
Contract | Yes | Yes | No | |||
Legitimate business interest | Yes | No | Yes | |||
Legal obligation | No | No | No |
OUR COOKIE POLICY
Cookies, pixel tags, and other trackers (hereinafter “Cookies”) are small files that allow for storing or retrieving information on your browser or your device (computer, tablet, mobile, etc.) when visiting our websites. Cookies are widely used on websites, mobile applications, software, or emails. When you first visit our websites and again if you delete the Cookies or the Cookies expire or change, you will be asked which Cookies you consent to. In addition to the information below, you may read more about our Cookie Policy on our websites and in our websites’ on-line Privacy Notices.
Cookies do not recognize you personally, but rather the device you use. Cookies simply give information about your browsing activities in order to recognize the device later on in order to improve the browsing experience, save your preferences or even adapt the services offered to you on the websites. To find out more about cookies, including how to see what cookies have been set, visit www.allaboutcookies.org.
We may use the following types of cookies on our websites:
- Necessary Cookies – enable the proper functioning of the websites (security, facilitate browsing, display of the webpage). You may disable Necessary Cookies by changing your browser settings as described below. If you do so, you will still be able to navigate the websites, but some of the websites’ functions may be affected;
- Analytics Cookies – are used to collect information about how visitors use our websites and to improve the websites by collecting information on how you interact with the websites;
- 1. The cookies collect information in a way that does not directly identify anyone, rather they collect information in an aggregated or generalized statistical form, including the number of visitors to the website and where visitors have come to the website from and the pages they visited.
- 2 .One of the analytic cookies we use is Google Analytics. Google’s overview of privacy practices and data safeguards is available at:
- Social Media Cookies – enable you to interact with social plugins on the websites and share content on social networks; and
- Advertising Cookies – enable the placement of advertisements, to measure their effectiveness and to adapt their content to your browsing and your profile.
Most web browsers allow some control of most cookies through the browser settings. For example, there are simple procedures in most browsers that allow you to delete existing cookies. If you want to set your computer or mobile web browser to reject all cookies by default, please visit the home page for your browser for instructions. If you reject all cookies, you may still use our websites; however, this may affect the functionality of some areas of our websites.
In addition, your Internet Protocol (IP) address (an identifying number that is automatically assigned to your computer by your Internet Service Provider) is identified and logged automatically in our server log files whenever you visit our websites, along with the time(s) of your visit(s) and the page(s) that you visited. We use the IP addresses of all visitors to our websites to calculate website usage levels, to help diagnose problems with the website servers, and to administer the websites. We may also use IP addresses to communicate with or block access by visitors who fail to comply with our Terms of Use.
We do not track our website users over time or across third-party websites to provide targeted advertising. At this time, we do not respond to “Do Not Track” signals from your web browser due to the lack of an established industry standard. For more information about “Do Not Track” signals, please visit https://allaboutdnt.com/.
CONTACTING US
You may contact us at any time if you have questions or concerns about this Privacy Policy or our practices. Please send an email to: [email protected].
We will endeavor to respond to your request as soon as reasonably possible in compliance with applicable laws.
To protect your privacy and security, we take reasonable steps to verify your identity before granting access to or making corrections with your personal information. Note that despite any requested removal of or change to your personal information there may be residual information that will remain within our databases and other records.
We strive to accommodate all individuals regardless of disabilities. If you need to receive the information contained in this document in a different format, please contact us at: [email protected].
DPO Consultancy (EEA)
Australiëlaan 12A
5232 BB ‘s-Hertogenbosch
The Netherlands
DPO Consultancy (UK)
1 Lyric Square
Hammersmith, London, W6 0NB