Privacy Policy
February 2022
This “Privacy Policy” describes the online privacy practices of Mirum Pharmaceuticals, Inc. and our third parties (collectively, “Mirum”, “we”, “us”, or “our”) in how we collect, use, disclose, and otherwise process personal information, and explains the rights and choices available to individuals with respect to their information.
Mirum may provide additional privacy notices to individuals at the time we collect their data. For example, we provide a specific privacy notice to clinical trial participants that describes our privacy practices in connection with conducting clinical trials. This type of “in-time” notice will govern how we may process the information you provide at that time.
Whose personal information we collect
We collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists, and other individuals who interact directly with Mirum or its service providers or business partners, including users of websites and mobile applications.
How we collect personal information
We collect personal information:
- Directly from individuals
- Through our websites and mobile apps
- From healthcare professionals
- From contract research organizations and clinical trial investigators
- From government agencies or public records
- From third party service providers, data brokers, or business partners
- From industry and patient groups and associations
Types of personal information we collect
The types of personal information we collect and share depend on the nature of the relationship you have with Mirum and the requirements of applicable laws. We may collect:
- Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) we collect in connection with managing clinical trials, conducting research, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports. Any information that is “protected health information” for purposes of the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) is subject to the HIPAA covered entity’s Notice of Privacy Practices.
- Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
- Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)
- Professional credentials, educational and professional history, and institutional affiliations
- Payment-related information we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information)
- If you are a healthcare professional, we collect information about the programs and activities in which you have participated, your prescribing of our products, and the agreements you have executed with us
- Your photograph, social media handle, or digital or electronic signature
- Publicly available information (such as comments describing support for and experience with Mirum products)
- Other information you provide to us (such as in emails, on phone calls, in market research surveys, or in other correspondence with Mirum or its service providers or business partners).
We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide to us through our Services.
Information automatically collected
We may automatically log information about you and your computer or mobile device when you access or interact with our Sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page, access times, and information about your use of and actions on our Sites. We collect this information about you, your device, and your use of our Site and services using cookies, server logs, web beacons, pixels, and similar technologies. Please refer to the Cookies and Similar Technologies section for more details.
This California Consumer Privacy Act disclosure (“Disclosure”) is effective as of January 1, 2021. The general Privacy Policy describes the personal information that we collect, the sources from which we collect it, the purposes for which we use it, the limited circumstances under which we share personal information, and with whom we share it. These additional disclosures are required by the California Consumer Privacy Act:
Categories of personal information collected.
The personal information that we collect, or have collected from consumers in the twelve months prior to the effective date of this Disclosure, falls into the following categories established by the California Consumer Privacy Act:
- identifiers such as your name, alias, address, phone numbers, or IP address;
- personal information;
- age, gender, or other protected classifications;
- internet or other electronic network activity information, including content interaction information, such as content downloads, streams, and playback details;
- geolocation data, such as the location of your device or computer;
- professional information, for example data you may provide about your business if you are a prospective customer or healthcare professional; and
- behavioral data, such as information about your purchase preferences, if such services are active.
Please review this full Privacy Policy to see all of the data we collect, if not listed above.
Categories of personal information disclosed for a business purpose. The personal information that we disclose to the third parties identified in the “HOW DO WE USE YOUR PERSONAL INFORMATION?” section of this policy in the twelve months prior to the effective date of this Disclosure would or do fall into the following categories established by the California Consumer Privacy Act:
- identifiers such as your name, address, phone numbers, or IP address, for example if we use a third party carrier to deliver services to you;
- personal information, for example if we use a third party information processor;
- your age, gender, or other protected classifications;
- commercial information, such as the details of a product or service you requested if a third party service provider is assisting to provide that product or service to you;
- internet or other electronic network activity information, such as if we use a service provider to help us gather crash reports for analyzing the health of our devices and services;
- geolocation data, such as limiting information to locations where our products are approved;
- audio or visual information, for example if a service provider reviews recordings of customer service phone calls for quality assurance purposes; and
- professional information, for example if we provide your account details to a service provider for follow up on professional information requests.
Right to Request Access to or Deletion of Personal Information: You may have the right under the California Consumer Privacy Act to request information about the collection of your personal information by us, or access to or deletion of your personal information. If you wish to do any of these things, please contact privacy@mirumpharma.com. Depending on your data choices, certain services may be limited or unavailable.
No sale of personal information. In the twelve months prior to the effective date of this Disclosure, Mirum has not sold any personal information of consumers, as those terms are defined under the California Consumer Privacy Act.
No Discrimination. Mirum will not discriminate against any consumer for exercising their rights under the California Consumer Privacy Act.
What Are Cookies?
We may collect information using “cookies.” Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Site.
We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which we use to recognize your computer or mobile device when it revisits our Site; and (2) third party cookies, which are served by service providers on our Site, and can be used by such service providers to recognize your computer or mobile device when it visits other websites.
Types of Cookies We Use
Functionality Cookies: These cookies allow our Site to remember choices you make when you use our Site. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-select your preferences every time you visit our Site.
Analytics and Performance Cookies: These cookies are used to collect information about traffic to our Site and how users use our Site. The information gathered may include the number of visitors to our Site, the websites that referred them to our Site, the pages they visited on our Site, what time of day they visited our Site, whether they have visited our Site before, and other similar information. We use this information to help operate our Site more efficiently, to gather broad demographic information, monitor the level of activity on our Site, and improve the Site.
Targeted and Advertising Cookies: These cookies track your browsing habits to enable us to show advertising which is more likely to be of interest to you. These cookies use information about your browsing history to group you with other users who have similar interests. Based on that information, third party advertisers can place cookies to enable them to show advertisements which we think will be relevant to your interests while you are on third party websites.
Disabling Cookies
You can typically remove or reject cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings,” “help,” “tools,” or “edit” facility). Many browsers are set to accept cookies until you change your settings.
For further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org.
If you do not accept our cookies, you may experience some inconvenience in your use of our Site. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit our Site.
Web Beacons
A web beacon is a technique used on web pages and emails to unobtrusively check that a user has accessed some content. Web beacons are used to help the website owner track the journey of the user navigating through the website or a series of websites. They can be delivered through a web browser or in an email.
Do Not Track Signals
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We do not currently respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
To Operate Our Websites and Mobile Apps
If you use our websites or mobile apps, we use your personal information to:
- Operate, maintain, administer, and improve the websites and mobile apps
- Better understand your needs and interests and personalize your experience with the websites and mobile apps
- Provide support and maintenance for our websites and mobile apps
- Respond to your service-related requests, questions, and feedback
To Perform and Administer Clinical Trials, Research, and Product-Improvement Activities
We may use your personal information when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:
- Staff and manage clinical trials, including by recruiting investigators and participants
- Track and respond to safety and product quality concerns (including product recalls)
- Support public health initiatives, symposia, conferences, and scientific, educational, and volunteer events
- Define and manage appropriate patient engagement activities and patient support programs (including to provide co-pay and other financial assistance where available)
- Identify and engage thought leaders and external experts
- Award scholarships and grants
- Attribute authorship to academic and promotional materials.
To Provide Products and Services
We use your personal information as necessary to provide Mirum products and services, including to:
- Manage access to our products, including where access is limited by law to licensed physicians
- Pay for services that physicians, researchers, and other individuals may provide to us.
To Communicate With You
If you request information from us or participate in our surveys, promotions, or events, we may send you Mirum-related product or disease-related communications as permitted by law. You will have the ability to opt out of such communications.
To Comply With Law
We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
To Comply With Regulatory Monitoring and Reporting Obligations
We use your personal information as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.
With Your Consent
We will request your consent to use your personal data where required by law, such as where we use certain cookies or similar technologies or would like to send you certain product-related messages. If we request your consent to use your personal data, you have the right to withdraw your consent any time in the manner indicated when we requested the consent or by contacting us.
To Create Anonymous Data for Analytics
We may create anonymous data from your personal information and that of other individuals whose personal information we collect. We make personal information into anonymous data by excluding information that makes the data personally identifiable to you and use that anonymous data for our lawful business purposes.
For Compliance, Fraud Prevention, and Safety
We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products, and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
Affiliates
We may disclose your personal information to our subsidiaries and corporate affiliates for purposes consistent with this Privacy Policy.
Service Providers
We may employ third-party companies and individuals to perform services on our behalf, including:
- Contract research organizations that conduct clinical trials
- Data storage and analytics
- Customer service (including our medical information line) and patient support providers (including for product quality and adverse event reporting, patient co-pay assistance, medicine intake adherence programs, etc.)
- Product recall administration
- Technology services and support (including email and web hosting providers, marketing and advertising technology providers, email and text communications providers, mobile app developers)
- Event planning and travel organizations that help facilitate Mirum programs
- Payment, shipping, and fulfillment service providers
These third parties may use your information only as directed by Mirum and in a manner consistent with this Privacy Policy and are prohibited from using or disclosing your information for any other purpose.
Business Partners and Other Professionals and Organizations
We may disclose your personal information to partners with whom we jointly develop products or services, in connection with the development and promotion of such products or services. We will ask for your consent before disclosing your information with our business partners where required by applicable law. We may also share your personal information with healthcare professionals, researchers, academics, public health organizations, and publishers for purposes consistent with this Privacy Policy.
We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.
Compliance With Laws and Law Enforcement; Protection and Safety
We may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our websites, mobile apps, products, and services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
Business Transfers
We may sell, transfer, or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization, or sale of assets or in the event of bankruptcy, in which case we will make reasonable efforts to require the recipient to honor this Privacy Policy. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
Access, Review, and/or Update Your Information
If you become aware that the personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant, or out of date, or if you would like to access or review your information, you may contact us at privacy@mirumpharma.com.
If you are located in the European Union, please refer to the section “Additional Information for European Union Users.”
Opt Out
You may opt out of product- and disease-related communications by clicking the “Unsubscribe” link at the bottom of each such communication or by sending an email with the subject line “Unsubscribe” to privacy@mirumpharma.com. You may continue to receive service-related and other non–product/disease-related emails.
Choosing Not to Share Your Personal Information
Where we are required by law to collect your personal information, or where we need your personal information in order to provide you with our products or services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our products or services and may need to terminate our relationship with you. We will tell you what information you must provide to us by designating it as required when we request the information or through other appropriate means.
The security of your personal information is important to us. We take a number of organizational, technical, and physical measures designed to protect the personal information we collect, both during transmission and once we receive it.
Mirum complies with the requirements of the US Children’s Online Privacy Protection Act (COPPA) and does not knowingly collect personal information from children under age 13 through our websites or mobile applications. If we learn that we have collected personal information directly from a child under the age of 13 through our websites or mobile applications, we will delete that information.
Mirum is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country, or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.
Individuals in the European Union should read the important information about transfer of personal information outside of the European Economic Area provided in the Cross-Border Data Transfer sub-section of the section “Additional Information for European Union Users.”
For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by Mirum. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over third-party websites or services and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.
We reserve the right to modify this Privacy Policy at any time. We encourage you to periodically review this page for the latest information on our privacy practices. If we make material changes to this Privacy Policy you will be notified via email (if we have your email address) or another manner that we believe reasonably likely to reach you (which may include posting a new privacy policy on our websites or a specific announcement on this page).
Any modifications to this Privacy Policy will be effective upon our posting of the new terms and/or upon implementation of the changes (or as otherwise indicated at the time of posting). In all cases, your continued use of our websites, mobile apps, products, and services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.
If you have any questions or concerns at all about our Privacy Policy, please contact us at:
Mirum Pharmaceuticals, Inc.
Attn: Chief Compliance Officer
989 E Hillsdale Blvd., Suite 300
Foster City, CA 94404
You may also contact us via email at:
privacy@mirumpharma.com
Personal Information
References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation.
Controller and Data Protection Representative
Mirum is the Data Controller of your personal information. For its clinical programs, Mirum ensures the processing of personal data by ClinEdge, LLC is compliant with the European Data Protection Regulations and National Laws. As Mirum is located in the United States [989 E Hillsdale Blvd., Suite 300, Foster City, CA 94404], Mirum has appointed a Data Protection Representative, MyData-Trust. MyData-Trust can be contacted at:
- mirum.dpr@mydata-trust.info
- MyData-TRUST SA, Boulevard Initialis 7/3, 7000 Mons, Belgium
Legal Bases for Processing
We only use your personal information as permitted by law. We are required to inform you of the legal bases of our processing of your personal information, which are described below. If you have questions about the legal basis of how we process your personal information, contact us at privacy@mirumpharma.com.
To provide our products and services: Where we have a contract governing this processing purpose, the processing is necessary to perform that contract, or necessary to take steps that you have requested prior to entering into the contract. In other cases, these processing activities are necessary to protect your, or another person’s, vital interests.
To perform and administer clinical trials, research, and product-improvement activities: Where we have a contract governing this processing purpose, the processing is necessary to perform that contract, or necessary to take steps that you have requested prior to entering into the contract.
Where we process sensitive personal data in connection with this processing purpose, the processing is necessary for scientific or historical research purposes or statistical purposes.
In all other cases, these processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To operate our websites and mobile apps; communicate with you; create anonymous data for analytics; or for compliance, fraud prevention, and safety: These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To comply with law and regulatory monitoring and reporting obligations: Processing is necessary to comply with our legal obligations.
With your consent: Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated when we requested the consent or by contacting us.
Use for New Purposes
We may use your personal information for reasons not described in this Privacy Policy where permitted by law and when the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.
Retention
We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.
European data protection laws provide certain rights regarding the collection and processing of personal information. You may ask us to take the following actions in relation to your personal information that we hold:
- Opt-out. Stop sending you direct product- or disease-related communications. You may continue to receive service-related and other non-product/disease communications.
- Provide you with information about our processing of your personal information and give you access to your personal information.
- Update or correct inaccuracies in your personal information.
- Delete your personal information.
- Transfer a machine-readable copy of your personal information to you or a third party of your choice.
- Restrict the processing of your personal information.
- Object to our reliance on our legitimate interests as the basis of our processing of your personal information.
You can submit these requests by email to privacy@mirumpharma.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction.
Whenever we transfer your personal information out of the European Economic Area (EEA) to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the EEA’s data protection laws, such as the specific contracts approved by the European Commission as providing adequate protection of personal information.
For further information on the specific transfer mechanism used by us or to receive a copy, please contact Mirum’s EU Data Protection Officer representative.