This policy was last updated effective February 15, 2022.
II. How Does Insmed Collect Your PII and What Types of PII Does It Collect?
Insmed collects PII about You when You actively provide it to us, such as by completing an online form, responding to a request for information, signing up to receive communications from us, or sending us an email or letter. Some areas of this Site ask You to submit PII in order for You to benefit from the specified features or to participate in a particular activity. On the registration screen for such feature or activity, we clearly label which information is required for registration or participation, and which information is optional and may be given at Your discretion. You may always refuse to provide information to us, but this may lead to our inability to provide You with certain information, products or services or for You to participate in certain activities.
We also may collect PII about You from other sources, such as our business partners; the Internet, including social media websites; the press or other print media; and other organizations or individuals as permitted under applicable law.
Listed below are the types of PII that we may have collected about You. Some of these types of information may not be PII, depending on other information we have access to about You. Each type of information listed below is PII only if the information identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with You or Your household.
The types of PII mentioned below will only be processed by us to the extent allowed under the applicable data privacy laws and/or regulations in Your country.
- Identifiers, such as Your name, postal address, online identifier, Internet Protocol (IP) address, email address, Social Security number, driver’s license number, or other similar identifiers.
- “Customer Records” information (some of which may be identifiers or professional/employment-related information as well), such as Your name, signature, Social Security number, physical characteristics or description, address, telephone number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, medical information, or health insurance information.
- Commercial information, such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or other similar network activity, such as browsing history, search history, information on Your interaction with our website, mobile application(s), or an advertisement. This may include hardware and browser information of Your computer or other online device.
- Geolocation data, such as the physical location of the device You use to connect with us online.
- Sensory data, such as audio, electronic, visual, or similar information.
- Professional or employment-related information, such as Your current or past job history.
- Personal characteristics that are related to classifications legally protected from discrimination, such as race, national origin, ethnicity, marital status, age and gender.
Inferences drawn from other PII, such as a summary we might make based on Your apparent personal preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
III. Our Business Purposes for Collecting PII; How We Use the Information
We may use the PII we collect from You for the following business purposes:
- To communicate with You, including in response to Your inquiries and to fulfill Your requests;
- To provide You with information about our products and services, and to provide You with our products and services.
- To improve the content of the Site, including to customize the Site to Your preferences;
- For our data analysis, product development, and marketing and research purposes;
- To prevent fraud, including by confirming Your identity;
- To maintain and upgrade the security of any data or information collected;
- For risk management and compliance purposes, including to comply with law enforcement and other legal processes;
- For any other purpose you may agree to at or before the time the personal information is collected from You.
IV. How We May Share Personally Identifiable Information
As to any processing undertaken under this paragraph IV, e.g. retention and/or sharing of personal data, such processing will only be undertaken by us to the extent allowed under the applicable data privacy laws and/or regulations in Your country. Besides this, your personal data will not be sold.
We may share the PII we collect as follows:
- Service providers: with whom we engage to assist us with technology support, operational support and other forms of assistance, and whom we bind by contract to protect the confidentiality and security of the PII we share with them;
- Affiliates: entities within the Insmed corporate family, for legally permissible purposes;
- For residents of Japan:
- We may use your personal information jointly with other parties.
- All PII that we collect from you may be jointly used.
- The other parties that may jointly use your personal information are our affiliated companies which are listed here https://www.sec.gov/Archives/edgar/data/1104506/000110450621000005/insm20201231ex211.htm.
- The purposes of joint use are the same as those set forth in section III above.
- The department that will be responsible for the management of your personal information is set forth in section XII below.
- For residents of Japan:
- Business purpose: in the event of a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our company or its assets, to the proposed or actual acquiring party or assignee;
- Legal purpose: as we believe to be appropriate: (i) when required by applicable law, including laws outside Your country of residence; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities, as far as not in conflict with the applicable laws of Your country; (iv) to enforce the terms and conditions for use of the Sites subject to applicable law, including this Policy; (v) to protect and defend our rights and property subject to applicable law; (vi) to protect the interests of Insmed or others subject to applicable law; and (vii) to permit us to pursue available remedies or limit the damages that we may sustain subject to applicable law.
- For any other purpose You may agree to at or before the time the PII is shared.
In the preceding 12 months, we have shared with our service providers and affiliates Identifiers, Customer Records information, Commercial information, Internet or other similar network activity, Geolocation data, Professional or employment related information, and Inferences drawn from other PII subject to applicable law.
Absent Your consent, we do not sell Your PII and we do not share Your PII with non-affiliated entities for them to use for their own direct marketing purposes. In the preceding 12 months, we have not sold Your PII.
For US residents: Additionally, we do not sell any patient information that is deidentified pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). We may disclose for an above identified business purpose patient information that is deidentified pursuant to the HIPAA expert determination method.
V. Other Information Collection, Use and Sharing
As You navigate through this Site, we may automatically collect (that is, gather without You actively providing the information) certain information using various technologies and means, such as Internet protocol addresses, cookies, Internet tags, web beacons and navigational data collection. For example, Your Internet browser automatically transmits to this Site some of this unidentifiable information, such as the URL of the website You just came from, the Internet Protocol (IP) address, and the browser version Your computer is currently using. This Site may also collect information from Your computer through cookies, HTTP Logging or other technological means.
Cookies are small bits of information that are stored by Your computer’s web browser and are classified as identifying files sent to a computer by a web server. Websites read these uniquely identifying files for future access and enable servers to associate computers to user profiles. HTTP Logging consists of transaction files between a web client and server. You can decide if and how Your computer will accept a cookie by configuring Your preferences or options in Your browser: you can change your browser settings to reject all cookies, accept only certain cookies, or notify you when a cookie is set. Please note that you may need to renew these settings, if you delete your cookies after these preferences are made. These settings also may not apply, if you are using a different computer or internet browser. However, if you choose to reject cookies, you may not be able to use certain online products, services or features on this Site. To learn more about cookies, please visit http://www.allaboutcookies.org.
By using the Site, you are deemed to unambiguously agree to its use of any cookies and similar technologies that you do not disable.
Some web browsers may transmit “do-not-track” signals to the websites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. Because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, Insmed currently does not take action in response to these signals. If and when a final standard is established and accepted, we will reassess how to respond to these signals.
VI. Data Retention; Security
We will retain PII about You for the period necessary to fulfill the purposes outlined in this Policy. We endeavor to use reasonable organizational, technical, and administrative measures to protect the PII we maintain within our organization.
VII. Updates to Your PII
If You would like to update PII that You have provided to us, You may contact us through one of the means listed in the “How to Contact Us” section at the end of this Policy.
VIII. Site Use Limitations and International Data Transfers
Our Sites are not directed to users under the age of 13 and we do not knowingly collect PII online from any person we know to be under the age of 13.
Our Sites are designed for users from, and are controlled and operated by us from the United States. By using our Sites, You consent to the transfer of Your information to the United States, which may have different data protection rules than those of Your country.
IX. Links to Other Websites
Our Sites may provide links to third-party websites. When You click on one of these links, You will be accessing content that is not subject to this Policy. We are not responsible for the information-collection practices of the other websites that You visit, and advise You to review their privacy policies before You provide them with any PII.
X. California Residents’ Privacy Rights
If You are a resident of California, You have certain privacy rights under the California Consumer Privacy Act (“CCPA”). We honor those rights, as described below, and we are prohibited by law from discriminating against You for exercising any of those rights.
A. Right to Know
Subject to certain exceptions, You have the right to know what PII we have collected about You, why we collected it, and the categories of third parties (excluding service providers) with whom we have shared the PII during the past 12 months. (See below on “How to Submit a Request.”) You may request that we provide a description of the categories of PII we have collected (a “Categories Request”) or a request for access to the specific pieces of PII we have collected (a “Specific Pieces Request.”)
If You make a Categories Request, and You do not have any type of account with us, we will need You to provide us with at least two data elements specific to You, such as Your cell phone number or mother’s maiden name (depending on the data elements we already maintain about You), so that we can verify Your identity. After we confirm that Your request is a verifiable consumer request, we will disclose to You:
- The categories of PII we collected about You.
- The categories of sources for the PII we collected about You (e.g., social media websites, government records available to the public, etc.).
- Our business or commercial purpose for collecting that PII.
- The categories of third parties other than service providers (if any) with whom we shared the PII.
If You make a Specific Pieces Request, we need to be sure we have verified Your identity with great certainty to safeguard Your privacy. In order for us to verify Your identity, if You do not have any type of account with us, You will need to provide to us at least three data elements specific to You, together with a signed declaration under penalty of perjury that You are the consumer whose personal information is the subject of the request. After we confirm that Your request is a verifiable consumer request, we will disclose to You:
- The specific pieces of PII we collected about You that You requested.
B. Right to Request Deletion
You have the right to request that we delete any of Your PII that we collected from You and retained. We are not obligated to comply with Your request if we have a legal basis to retain the PII. If You make a request for us to delete PII, and You do not have any type of account with us, we will need You to provide us with at least three data elements specific to You so that we can verify Your identity. Once we receive and confirm that Your request is a verifiable consumer request (see below on “How to Submit a Request”), we will inform You whether we have deleted (and have directed our service providers to delete) Your PII from our records, or whether we are declining to grant Your request to delete due to an exception to the CCPA deletion requirements.
If You are working for or seeking to work for Insmed, or if You are an employee or other representative of a business or other organization that is exploring or engaging in a business-to-business transaction with Insmed, the CCPA currently does not provide You with a “right to know” or “right to request deletion” until January 1, 2023.
D. How to Submit a Request
To request access to or deletion of Your PII as described above, please submit a verifiable consumer request to us by either:
- Calling us at our Privacy Rights toll-free number: 1-844-4-INSMED (1-844-446-7633)
- Sending us an email at firstname.lastname@example.org
- Mailing Your request to:
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900
You may make a request on Your own behalf, and if You are the parent or guardian of a minor child, You also may make a request related to Your child’s PII. If You wish to designate an authorized agent to make a request on Your behalf, please provide us with a signed declaration stating that Your intent is to permit that individual to act on Your behalf and include such individual’s full name, address, email address, and phone number, or Your authorized agent must provide proof that You gave the agent signed permission to submit the request and you must confirm the same with us. That way we will be sure You have fully authorized us to act in accordance with the requests of that individual.
As indicated above, in order to protect Your PII from unauthorized disclosure or deletion at the request of someone other than You or Your legal representative, Insmed requires identification verification before granting any request to provide copies of, know more about, or delete Your PII. We take special precautions to help ensure this. We cannot respond to Your request or provide You with PII if we cannot verify Your identity or authority to make the request and confirm that the PII relates to You. We will only use PII collected in connection with a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform You of the reason and extension period in writing.
XI. European Union (EU)/European Economic Area (EEA)/United Kingdom (UK) Residents’ Privacy Rights
A. Purposes and legal basis for the processing
When processing Your PII, Insmed always needs a lawful basis, such as: You have given consent to the processing for one or more specific purposes; processing is necessary for the performance of a contract with You or in order to take steps at your request prior to entering into a contract; processing is necessary for compliance with a legal obligation to which we are subject; we have a legitimate interest for processing, except where such interests are overridden by the interests of Your fundamental rights and freedoms.
Where processing is based on ‘consent’ (under article 6(1)(a) GDPR or on explicit consent where special categories of PII are processed (under article 9(2)(a) GDPR, You have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on the consent before its withdrawal. When processing your PII, we don’t use automated decision making.
B. Access, Rectification, Blocking and Deletion Rights
In accordance with applicable law, you may at any time request to access, rectify, complete, update, block, move, or delete your PII, by contacting us at email@example.com.
You have a right to lodge a complaint with the supervisory authority for data protection in your country.
C. International Data Transfers ex EEA/UK
Your PII will be shared with Insmed affiliates including in the U.S. and may also be shared with our service providers, where different levels of privacy protection apply. Insmed puts in place adequate contractual protection to guarantee an appropriate level of protection as required from time to time by applicable law. For more information, please contact us at the address below.
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900
D. EEA/UK Residents
In addition to the email contact information mentioned above, we inform You that our European representative office is located in The Netherlands: Insmed Netherlands B.V., office address: Stadsplateau 7, 3521 AZ Utrecht.
We have appointed a Data Protection Officer (DPO) for our European region (not including the United Kingdom), who is based in Germany. Our DPO can be contacted via: firstname.lastname@example.org. Please specifically mention in your message that your message is for the attention of our DPO.
XII. Japan Residents’ Privacy Rights
A. Rights of Japan Residents.
Subject to applicable law (including certain exceptions and qualifications), as a resident of Japan, you may have certain rights with respect to your information. These rights may include the following:
- Suspension of use and deletion: To request suspension of use or deletion of Your PII that we have collected about you.
- Disclosure: To require that we disclose Your PII that we have collected about you.
- Correction: To correct Your PII that we have collected about you.
B. Exercising Your Rights.
If you would like to exercise any of the rights described above, please contact us at the address below. Please note that depending on your request, we may request proof of your identity and verify such identity, in order to protect Your PII and ensure compliance with all applicable regulations and policies. We may conduct the verification process by email or phone and may ask you to provide personal information such as your name, contact information, and any additional relevant information based on your relationship with us.
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900]
C. International Data Transfers ex Japan
Your PII will be shared with Insmed affiliates including in the U.S. and may also be shared with our service providers, where different levels of privacy protection apply. Insmed puts in place adequate contractual protection to guarantee an appropriate level of protection as required from time to time by applicable law. For more information, please contact us at the address above.