This policy was last updated effective June 1, 2023.
II. How Does Insmed Collect Your PII and What Types of PII Does It Collect?
Insmed collects PII about You when You actively provide it to us, such as by completing an online form, applying for employment, seeking engagement to work with us, as part of Your employment or engagement with us, responding to a request for information, signing up to receive communications from us, or sending us an email or letter. Some areas of the Site ask You to submit PII for You to benefit from the specified features or to participate in a particular activity. On the registration screen for such feature or activity, we clearly label which information is required for registration, application or participation, and which information is optional and may be given at Your discretion. You may always refuse to provide information to us, but this may lead to our inability to provide You with certain information, products or services or for You to apply for employment or participate in certain activities.
We also may collect PII about You from other sources, such as our business partners; the Internet, including social media websites; the press or other print media; and other organizations or individuals as permitted under applicable law.
Listed below are the types of PII that we may collect about You. Some of these types of information may not be PII, depending on other information we have access to about You. Each type of information listed below is PII only if the information identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with You or Your household.
- Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Personal information, such as any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, citizenship, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding Your interaction with an internet website application, or advertisement. This may include hardware and browser information of Your computer or other online device.
- Geolocation data, such as the physical location of the device You use to connect with us online.
- Sensory data, such as audio, electronic, visual, or similar information.
- Professional or employment-related information.
- Characteristics of protected classifications under applicable law such as race, national origin, ethnicity, marital status, age, and gender.
- Inferences drawn from other PII, to create a profile about You reflecting Your apparent preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Education information, defined as information that is not publicly available PII as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
- Sensitive Personal Information, which is PII that reveals Your social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious, political, or philosophical beliefs, or union membership; contents of mail, email, and text messages unless we are the intended recipient of the communication; or genetic data; as well as the processing of biometric information for the purpose of uniquely identifying You; personal information collected and analyzed concerning Your health; and personal information collected and analyzed concerning Your sex life or sexual orientation.
III. Our Business Purposes for Collecting PII; How We Use the Information
We may use the PII we collect from You for the following business purposes:
- To communicate with You, including in response to Your inquiries and to fulfill Your requests.
- To provide You with information about our products and services, and to provide You with our products and services.
- To improve the content of the Site, including to customize the Site to Your preferences.
- For our data analysis, product development, and marketing and research purposes.
- To prevent fraud, including by confirming Your identity.
- To maintain and upgrade the security of any data or information collected.
- For risk management and compliance purposes, including to comply with law enforcement and other legal processes.
- For any other purpose you may agree to at or before the time the PII is collected from You.
Our use of Your Sensitive Personal Information is limited to that use which is necessary to perform the services or activities requested, or otherwise legally permitted. We do not use or disclose Your Sensitive Personal Information for any purpose requiring notice or a method for submitting a request to limit use or disclosure.
IV. How We May Share Personally Identifiable Information
As to any processing undertaken under this paragraph IV, such as retention and/or sharing of personal data, such processing will only be undertaken by us to the extent allowed under the applicable data privacy laws and/or regulations. Besides this, your personal data will not be sold.
We may share the PII we collect as follows:
- Service providers: with whom we engage to assist us with technology support, operational support and other forms of assistance, and whom we bind by contract to protect the confidentiality and security of the PII we share with them.
- Affiliates: entities within the Insmed corporate family, for legally permissible purposes.
- Business purpose: in the event of a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our company or its assets, to the proposed or actual acquiring party or assignee.
- Legal purpose: as we believe to be appropriate: (i) when required by applicable law, including laws outside Your country of residence; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities; (iv) to enforce the terms and conditions for use of the Sites subject to applicable law, including this Policy; (v) to protect and defend our rights and property subject to applicable law; (vi) to protect the interests of Insmed or others subject to applicable law; and (vii) to permit us to pursue available remedies or limit the damages that we may sustain subject to applicable law.
- For any other purpose You may agree to at or before the time the PII is shared.
Absent Your consent, we do not sell Your PII and we do not share Your PII with non-affiliated entities for them to use for their own direct marketing purposes.
We do not have actual knowledge of selling or sharing the PII of anyone under the age of 16. Additionally, we do not sell any patient information that is deidentified pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). We may disclose for an above identified business purpose patient information that is deidentified pursuant to the HIPAA expert determination method.
V. Other Information Collection, Use and Sharing
As You navigate through the Site, we may automatically collect (that is, gather without You actively providing the information) certain information using various technologies and means, such as Internet protocol addresses, cookies, Internet tags, web beacons and navigational data collection. For example, Your Internet browser automatically transmits to the Site some of this unidentifiable information, such as the URL of the website You just came from, the Internet Protocol (IP) address, and the browser version Your computer is currently using. The Site may also collect information from Your computer through cookies, HTTP Logging or other technological means.
Cookies are small bits of information that are stored by Your computer’s web browser and are classified as identifying files sent to a computer by a web server. Websites read these uniquely identifying files for future access and enable servers to associate computers to user profiles. HTTP Logging consists of transaction files between a web client and server. You can decide if and how Your computer will accept a cookie by configuring Your preferences or options in Your browser. You can change your browser settings to reject all cookies, accept only certain cookies, or notify you when a cookie is set. Please note that you may need to renew these settings if you delete your cookies after these preferences are made. These settings also may not apply, if you are using a different computer or internet browser. However, if you choose to reject cookies, you may not be able to use certain online products, services or features on the Site. To learn more about cookies, please visit http://www.allaboutcookies.org.
By using the Site, you are deemed to unambiguously agree to its use of any cookies and similar technologies that you do not disable.
Some web browsers may transmit “do-not-track” signals to the websites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. Because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, Insmed currently does not take action in response to these signals. If and when a final standard is established and accepted, we will reassess how to respond to these signals.
VI. Data Retention; Security
We will retain PII about You for the period necessary to fulfill the purposes outlined in this Policy and for no longer than is reasonably necessary for that purpose. We endeavor to use reasonable organizational, technical, and administrative measures to protect the PII we maintain within our organization.
VII. Updates to Your PII
If You would like to update PII that You have provided to us, You may contact us through one of the means listed in the “How to Contact Us” section at the end of this Policy.
VIII. Site Use Limitations and International Data Transfers
Our Sites are not directed to users under the age of 13 and we do not knowingly collect PII online from any person we know to be under the age of 13. Although use of our Sites by children is unlikely, if you become aware that a child has provided us with personal information without parental consent, please contact us at firstname.lastname@example.org. If we become aware that a child under 13 has provided us with personal information without parental consent, we will take steps to remove such information and terminate the child’s account.
Our Sites are designed for users from and are controlled and operated by us from the United States. By using our Sites, You consent to the transfer of Your information to the United States, which may have different data protection rules than those of Your country.
IX. Links to Other Websites
Our Sites may provide links to third-party websites. When You click on one of these links, You will be accessing content that is not subject to this Policy. We are not responsible for the information-collection practices of the other websites that You visit, and advise You to review their privacy policies before You provide them with any PII.
X. California Residents’ Privacy Rights
If You are a resident of California, You have certain rights under the California Consumer Privacy Act of 2018 (CCPA), as amended and expanded by the California Privacy Rights Act of 2020 (CPRA), to exercise free of charge. We honor those rights, as described below.
A. Disclosure of PII We Collect About You.
On receipt of a verifiable request from You, You have the right to know the PII we collected about You, including:
- The categories of PII we have collected about You, including Sensitive Personal Information;
- The categories of sources from which the PII is collected;
- Our business or commercial purpose for collecting, selling, or sharing PII, if applicable;
- The categories of third parties (excluding service providers and contractors) to whom we disclose PII, if any; and
- The specific pieces of PII we have collected about You.
Please note that we are not required to provide the PII to You more than twice in a 12-month period.
B. Disclosure of PII Sold, Shared, or Disclosed for a Business Purpose.
In connection with any PII we may sell or share with a third party, if any, or disclose for a business purpose, if any, on receipt of a verifiable request from You, You have the right to know:
- The categories of PII about You that we sold or shared and the categories of third parties (excluding service providers and contractors) to whom the PII was sold or shared, if any; and
- The categories of PII that we disclosed about You for a business purpose and the categories of persons to whom the PII was disclosed for a business purpose, if any.
Insmed does not sell or share Your PII and has not done so in the preceding 12 months.
In the preceding 12 months, for the purposes and reasons identified in Section III, above, we have disclosed to our service providers and affiliates Identifiers, Personal Information, Commercial information, Internet or other similar network activity, Geolocation data, Professional or employment related information, characteristics of protected classifications under applicable law, and Inferences drawn from other PII subject to applicable law.
C. Right to Deletion.
Subject to certain exceptions set out below, on receipt of a verifiable request from You, we will:
- Delete Your PII from our records;
- Notify any service providers or contractors to delete Your PII from their records; and
- Notify third parties to whom we sold or shared Your PII, if any, to delete Your PII unless this proves impossible or involves disproportionate effort.
Please note that we may not delete Your PII if it is necessary to:
- Complete the transaction for which the PII was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by You, or reasonably anticipated by You within the context of our ongoing business relationship with You, or otherwise perform a contract between You and us.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity. Help to ensure security and integrity to the extent the use of Your PII is reasonably necessary and proportionate for those purposes.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer reviewed scientific, historical, or statistical research in the public interest that conforms or adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of ability to complete such research, provided we have obtained Your informed consent.
- To enable solely internal uses that are reasonably aligned with Your expectations based on Your relationship with us and compatible with the context in which You provided the information.
- Comply with a legal obligation.
D. Right to Correction.
You have the right to request correction of inaccurate PII maintained by us about you. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate PII.
We may request documentation from you to determine the accuracy of the information we have maintained. If you provide us documentation either upon our request or through your own initiative, that documentation will only be used or maintained by us for the purpose of correcting your PII and complying with our recordkeeping requirements under the CCPA/CPRA.
We may deny your request if we have previously denied your same request to correct an alleged inaccuracy in the past six (6) months, unless you provide new or additional documentation that the information at issue is inaccurate. As an alternative to correction, we may delete the inaccurate information if it does not negatively impact you or if you consent to this deletion. We reserve the right to deny a request if allowed under law, or if we determine that the contested information is more likely than not accurate, based on the totality of circumstances.
E. Protection Against Discrimination.
You have the right to not be discriminated against by us because You exercised any of Your rights under the CCPA/CPRA. This means we cannot, among other things:
- Deny goods or services to You;
- Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- Provide a different level or quality of goods or services to You;
- Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services; or
- Retaliating against an employee, applicant for employment, or independent contractor for exercising their rights.
F. How to Submit a Verifiable Request to Know, Delete, or Correct.
You may submit a request to us by either:
- Calling us at our Privacy Rights toll-free number: 1-844-4-INSMED (1-844-446-7633)
- Sending us an email at email@example.com
- Mailing Your request to:
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900
You may make a request on Your own behalf, and if You are the parent or guardian of a minor child, You also may make a request related to Your child’s PII.
If You wish to designate an authorized agent to make a request on Your behalf, please provide us with 1) a signed declaration stating that Your intent is to permit that individual to act on Your behalf and include such individual’s full name, address, email address, and phone number, and 2) Your authorized agent must provide proof that You gave the agent signed permission to submit the request and You must confirm the same with us; or Your authorized agent may provide us with a power of attorney pursuant to California Probate Code section 4121 to 4130. That way we will be sure You have fully authorized us to act in accordance with the requests of that individual.
To process a request and to protect Your PII from unauthorized disclosure or deletion at the request of someone other than You or your legal representative, Insmed must verify that the person requesting information, correction, or deletion is the person about whom the request relates. To verify Your identity, if You do not have any type of account with us, we may request up to three data elements about You to compare against our records, together with a signed declaration under penalty of perjury that You are the consumer whose PII is the subject of the request. We cannot respond to Your request or provide You with information if we cannot verify Your identity.
Making a verifiable consumer request does not require You to create an account with us. We will only use information provided in Your request to verify Your identity and process Your request.
Insmed reserves the right to take additional steps as necessary to verify Your identity where we have reason to believe a request is fraudulent. You may be required to submit documentation in support of a request to correct.
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform You of the reason and extension period in writing.
- Sending us an email at firstname.lastname@example.org; or
- Mailing us at:
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900
XI. How to Contact Us
If You have any questions regarding this Policy, please send an email to email@example.com or write to us at:
700 US Highway 202/206
Bridgewater, NJ 08807
Attention: General Counsel
Tel: (908) 977-9900