FibroGen Privacy Notice

Scope

FibroGen, Inc. and its subsidiaries (“FibroGen”) recognize the importance of and are committed to respecting and protecting your privacy. This Privacy Notice applies to our collection and use of “Personal Information” (which means any information from which an individual can be directly or indirectly identified) through our website and through our offline business-related interactions with you, not including data from clinical trial data subjects (except where noted below).

Please read this Privacy Notice carefully in order to understand how we process Personal Information. If you do not agree with our use of your Personal Information as described in this Privacy Notice, please do not use the Site or otherwise provide Personal Information to us.

Privacy Notice Updates

FibroGen may need to update this Privacy Notice from time to time. If so, FibroGen will post its updated Privacy Notice on our website located at www.fibrogen.com so users are always aware of what personally identifiable information we may collect and how we may use this information. FibroGen encourages you to review this Privacy Notice regularly for any changes. Your continued use of this website will be subject to the then-current Privacy Notice.

Information Collection and Use

You can generally visit our website without revealing any personally identifiable information about yourself. However, to access certain options we may ask you to provide certain personally identifiable information such as your name, email address, telephone number, and professional credentials. Without providing such personally identifiable information, you may be unable to access certain options and services. We (and our third party partners) generally collect personally identifiable information about you only if you voluntarily provide it to us. You have the option not to provide any personally identifiable information, but we may not be able to provide you with the requested services.

Note that this Privacy Notice does not apply to information that we may collect through our clinical trials, which are governed by separate terms and agreements that are compliant with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, and they adhere to the Privacy Shield Principles.

In addition, we automatically collect basic technical information from all visitors to the Site. We collect technical information during your visit to the Site through our automatic data collection tools, which may include cookies and other commonly used technologies. These tools collect certain standard information that your browser sends to the Site such as your browser type and language, access times, and the address of the Site from which you came to the Site. They may also collect information about your Internet Protocol (IP) address, or click stream data within the Site (i.e. the actions taken in connection with the Site). Please see “Cookies and other similar technologies” below for additional detail about the information we collect through cookies and other commonly used technologies.

How we use your Personal Information

Subject to applicable data protection laws, we may use your Personal Information for the following purposes: (i) to provide you with the services and information offered through the Site; (ii) to contact you and respond to your requests and inquiries; (iii) for business administration, including answering questions or inquiries, job submissions, and statistical analysis; (iv) to personalize your visit to the Site and to assist you while you use the Site; (v) to improve the Site by helping us understand who uses the Site; (vi) for fraud prevention and detection and to comply with applicable laws, regulations or codes of practice.

Sharing of your Personal Information

We may provide your personally identifiable information that we collect and the data generated by cookies to a parent, subsidiary or affiliate entity related to FibroGen, partner entities, and the vendors and service agencies that we may engage to assist us. Any organization to which we provide such personally identifiable information is required to respect the security of your personal data and keep your personally identifiable information confidential in accordance with this Privacy Notice. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Similarly, we may share your Personal Information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property, or the rights, property or safety of others, including to advisers, law enforcement, judicial and regulatory authorities.

We may also transfer your Personal Information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets, or shares (including in connection with any bankruptcy or similar proceedings).

The servers used in the operation of the Site automatically identify a computer by its IP address. If we, in good faith, determine that you have misused or harmed, or are attempting to misuse or harm, the Site, we may investigate and cooperate with appropriate law enforcement to protect our rights or property.

International data transfers

Your Personal Information may be transferred to countries located outside your country or region, including to countries that may not provide a similar or adequate level of protection to that provided by your country or region. For example, if you are located in the European Economic Area (“EEA”), we may transfer your Personal Information to the United States or other countries outside of the EEA. By using the Site or otherwise providing Personal Information to us, you hereby expressly consent to the transfer of your Personal Information outside your country or region.

For our transfer of Personal Information, as well as clinical trial data, from the EEA to any countries not recognized by the European Commission as providing an adequate level of data protection according to EEA standards, we have implemented adequate measures to protect the information, such as our certification to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework for transfers to FibroGen and standard contractual clauses adopted by the European Commission where needed. If you are located in the EEA, you can request more information about these measures by contacting us at the address or email address below.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

FibroGen and its affiliates have self-certified to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (together the “Privacy Shield”) as set forth by the U.S. Department of Commerce, and they adhere to the Privacy Shield Principles (the “Principles”) regarding the processing of Personal Information transferred from organizations in the EU and Switzerland to FibroGen in the U.S. To learn more about the Privacy Shield program, and to view FibroGen’s certification, please visit http://www.privacyshield.gov.

The FibroGen certification covers both “Personal Information” which means any information from which an individual can be directly or indirectly identified, as well as “sensitive Personal Information” which means Personal Information revealing an individual’s racial or ethnic origin, political opinions or membership of political parties or similar movements, religious or philosophical beliefs, membership of a professional or trade organization or union, physical or mental health, including any opinion thereof, sex life, and, where permitted by applicable law, criminal offences and alleged offences, criminal records or proceedings with regard to criminal or unlawful behavior. Where the individual is based in Switzerland, the definition of sensitive Personal Information also includes Personal Information revealing an individual’s ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings. The certification applies to Personal Information, as well as clinical trial data, both in electronic or paper form, including Personal Information and sensitive Personal Information from agents, consultants, contractors, vendors, service providers, business associates, healthcare professionals, patients, clinical trial participants and others.

For sensitive Personal Information, FibroGen will seek explicit (opt-in) consent before the sensitive Personal Information is disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

FibroGen shall remain liable under the Principles if a third party agent uses or discloses Personal Information received from FibroGen in a manner inconsistent with the Principles, unless FibroGen proves that it is not responsible for the event giving rise to the damage.

Your rights

Access

Upon request, and as required by Privacy Shield Principles and applicable law, FibroGen will provide individuals with reasonable access to Personal Information about them. FibroGen will also take reasonable steps to allow individuals to review Personal Information for the purposes of correcting, amending or deleting such information in instances where Personal Information is demonstrated to be incomplete or inaccurate.

Individuals can contact FibroGen at DPO@FibroGen.com in order to request access or to make inquiries regarding limiting the use and disclosure of Personal Information about them.

Individuals in the EU, Switzerland, and certain other jurisdictions may have certain data subject rights which may be subject to limitations and/or restrictions. These rights may include the right to: (i) request access to and rectification or erasure of their Personal Information; (ii) obtain restriction of processing or to object to processing of their Personal Information; and (iii) the right to data portability.

If you wish to exercise one of the above-mentioned rights, please send us your request via email to: DPO@FibroGen.com. Individuals also have the right to lodge a complaint about the processing of their Personal Information with their local data protection supervisory authority.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.

Security and retention of your Personal Information

The security of your Personal Information is important to us. We take reasonable steps, including technical, administrative and physical safeguards, designed to protect the Personal Information submitted to us from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, no method of security or method of transmission over the Internet is entirely secure. You should always use caution when transmitting Personal Information over the Internet.

We may retain your Personal Information for as long as your account is active or as needed for the specific business purpose for which it was collected. In some cases, we may be required to retain information to comply with laws or regulations or other legal obligations, resolve disputes and enforce our agreements.

Cookies and Other Similar Technologies

Cookies are small text files that are stored on computer hard drives by websites that you visit. There are two general types of cookies: session cookies and persistent cookies. Session cookies are only used during a session online and will be deleted once you leave a website. Persistent cookies have a longer life and will be retained by the website and used each time you visit a website. Both session and persistent cookies can be deleted by you at any time through your browser settings.

We use the following session and persistent cookies on the Site:

  • Strictly necessary cookies: they are essential in order for visitors to move around the Site and use its features.
  • Analytical / performance cookies: they allow us to recognize and count the number of visitors and to see how visitors move around our Site when they are using it. This helps us to improve the way our Site works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies: these are used to recognize you when you return to our Site. This enables us to personalize our content for you and remember your preferences.

We may track the total number of visitors to our website or use such information, individually or in the aggregate, to analyze trends, administer the website, track users’ movement, and gather broad demographic information for use. We may share this information with our corporate partners and contracted vendors to assist us in operating the website and to enable them to better understand FibroGen’s business.

Web browsers often allow you to erase existing cookies from your hard drive, block the use of cookies and/or be notified when cookies are encountered. If you elect to block cookies, please note that you may not be able to take full advantage of the features and functions of the Site. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, please visit www.allaboutcookies.org.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies on our website, over which we have no control.

External links

The Site contains links to external sites operated by third parties. We are not responsible for these third party sites or the content of such third party sites. Once you have left the Site, we cannot be responsible for the protection and privacy of any information that you provide. You should exercise caution and look at the privacy notice for the website you visit.

Children

This Site is not directed towards children under 18 years of age nor do we knowingly collect information from children under 18. If you are under 18, please do not use the Site or submit any Personal Information to us. If you believe that we have unintentionally collected Personal Information about your child, you can contact us as described below.

Your California privacy rights

California’s “Shine The Light” law permits California residents to annually request and obtain information free of charge about what Personal Information is disclosed to third parties for third-party direct marketing purposes in the preceding calendar year. FibroGen does not distribute your Personal Information to third parties for third-party direct marketing purposes, except as provided for in this Privacy Notice.

Dispute Resolution

With respect to Personal Information transferred or received pursuant to the Privacy Shield, FibroGen is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In certain instances, FibroGen may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In compliance with the Privacy Shield Principles, FibroGen commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield notice should first contact FibroGen at:

Address: 409 Illinois Street, San Francisco, CA 94158, US
Tel.: (415) 978-1200

Email: DPO@FibroGen.com

FibroGen has further committed to refer unresolved Privacy Shield complaints to the JAMS Privacy Shield program, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. Contacting JAMS is at no cost to you. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any Privacy Shield disputes that have not been resolved by other means.