Consumer Health Data Privacy Policy
Effective as of April 2026.
This Consumer Health Data Privacy Policy describes how Mirum Pharmaceuticals, Inc. (“Mirum,” “we,” “us,” or “our”) and its affiliates process Consumer Health Data that we collect on our websites, as well as associated marketing activities and any other activities described in this Policy (collectively, the “Services”).
This Consumer Health Data Privacy Policy (“Consumer Health Data Privacy Policy”) applies to the extent required by applicable U.S. state laws with respect to “consumer health data” (“Consumer Health Data”) as applicable laws may define that or equivalent terms. This Consumer Health Data Privacy Policy supplements our general Privacy Policy. In the event of a conflict between our Privacy Policy and the Consumer Health Data Privacy Policy, the Consumer Health Data Privacy Policy applies to the extent that it is consistent with applicable U.S. state law.
Consumer Health Data we collect
Consumer Health Data you may provide to us through the Services or otherwise includes:
- Health and medical information, such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency. Any information that is “protected health information” for purposes of the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) is subject to the HIPAA covered entity’s Notice of Privacy Practices.
- Personal and business contact information and preferences, such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information.
- Biographical and demographic information, such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians.
- Social media information, such as your photograph, social media handle, or digital or electronic signature.
- Publicly available information, such as comments describing support for and experience with Mirum products.
- Other communications information you provide to us, such as in emails, on phone calls, in market research surveys, or in other correspondence with Mirum or its service providers or business partners.
Consumer Health Data we collect automatically
When you use our Service, we collect some information through certain technical tracking technologies that may be considered Consumer Health Data. For example:
- Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state, or geographic area.
- Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
- Communication interaction data, such as your interactions with our email, text, or other communications (e.g., whether you open and/or forward emails). We may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.
Consumer Health Data we may create, infer, or generate
We may create, infer, or generate Consumer Health Data from other data we collect, including using automated means to generate information about your likely preferences or other characteristics.
Consumer Health Data we obtain from third-party sources
We also obtain the types of Consumer Health Data described above from third parties. These third-party sources may include, for example:
- Partners, such as specialty pharmacies that connect you to us and commercialization partners.
- Caregivers, such as family members, health care professionals, and relevant medical institutions.
- Data providers, such as industry and patient groups and associations, information services, and data licensors.
- Service providers, such as entities that collect or provide data in connection with the work they do on our behalf.
- Public sources, such as open government databases.
How we use your Consumer Health Data
We use Consumer Health Data for purposes described in this Consumer Health Data Privacy Policy or as otherwise disclosed to you. For example, we use Consumer Health Data for the following purposes:
| Purpose of Use | Categories of Consumer Health Data |
|---|---|
| Service operations: Provide, operate, and secure the Service. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Service personalization: Understanding your needs and interests, personalizing your experience with the Service and our Service-related communications, remembering your selections and preferences as you navigate webpages. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Business administration: Administration and operation of our business and business planning activities, including to analyze, adapt, and improve our business. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Marketing: To provide you with information and services, such as our press releases, social media updates, and our newsletters. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Communications: To deal with any contact you might have with us, including by using the ‘Contact us’ or similar function on the Service or via any other method of communication (e.g., by email or social media), dealing with any issues arising from such contacts (including replying to you), responding to your requests (for instance, if you send us an email), and providing important notices and updates, such as changes to our terms and policies, security alerts, and administrative messages. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Compliance and protection: To comply with applicable laws, lawful requests, and legal process (such as to respond to disclosure orders, as well as demands, investigations, or requests made by regulators, governments, courts, and law enforcement authorities; to protect our, your or others’ rights, privacy, safety, or property (including by making and defending legal claims); to audit our internal processes for compliance with legal and contractual requirements or our internal policies; to enforce the terms of agreements that govern access to the Site; and to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks and identity theft. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Improvement and analytics: To improve our day-to-day operations, including for internal purposes such as auditing, data analysis and research to help us deliver and improve our Service; to monitor and analyse trends, including your usage and activities on the Service in connection with our products and services; to understand which parts of our Service and services are of the most interest and to improve them; to improve our products and services and our communications to you. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| To create aggregated, de-identified and/or anonymized data: We may create aggregated, de-identified and/or anonymized data from your personal information and other individuals whose personal information we collect. We make personal information into de-identified and/or anonymized data by removing information that makes the data identifiable to you and will not re-identify such data except as otherwise permitted by applicable law. We may use this aggregated, de-identified, and/or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Site and promote our business. | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
| Corporate events: To facilitate or carry out any corporate events, such as investments in or financings of Mirum, public stock offerings, or the sale, transfer, or merger of all or part of our business, assets, or shares (including providing Consumer Health Data to allow third parties to conduct diligence into – and, where relevant, to continue to operate – all or relevant part(s) of our operations). | Health and medical information, personal and business contact information and preferences, biographical and demographic information, social media information, publicly available information, other communications information |
How we share your Consumer Health Data
We may “share” (as applicable U.S. state laws define that term) Consumer Health Data with your consent or as we determine necessary to provide the Service to you, or as otherwise permitted or required by law. For example, we may share your Consumer Health Data to:
Affiliates. We may share your Consumer Health Data with our affiliates: Mirum Pharmaceuticals AG, Mirum Pharmaceuticals International B.V., and its owned European affiliates, Bluejay Therapeutics LLC.
Advertising partners. Third-party advertising companies for the interest-based advertising purposes described above.
Authorities and others. We will access, share, and preserve Consumer Health Data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies. We will also share Consumer Health Data if we believe it is necessary to protect our customers and/or the rights or property of ourselves or others.
Your Consumer Health Data Choices
You may have certain rights to your Consumer Health Data under applicable laws. Any of the rights discussed below may be subject to certain limitations (for example, a monetary charge).
If you wish to exercise these rights, please email us at privacy@mirumpharma.com.
Withdraw Consent. To the extent we rely upon your consent for either our collection or sharing of your Consumer Health Data, you have the right to withdraw such consent from any future collection or sharing.
Access and Confirm. You have the right to ask us to confirm whether we have collected, shared, or sold your Consumer Health Data. Further, you have the right to access (in other words, request a copy of) the Consumer Health Data that we have collected, shared, or sold. You also have a right to access a list of all “third parties” (as applicable U.S. state laws define that term) and affiliates with whom we have shared or sold your Consumer Health Data and receive certain corresponding information.
Correction. You have the right to alert and request us to correct inaccuracies in your Consumer Health Data.
Deletion. You have the right to ask us to delete your Consumer Health Data.
Appeal. You have the right to appeal our denying a right you have attempted to exercise. We will provide details on how to appeal our denial in connection with such action.
To exercise your rights above and make a Consumer Health Data rights request, please email us at privacy@mirumpharma.com. We may need to verify your identity in order to process your request. To confirm your identity, we may ask you to verify personal information we already have on file for you. If we cannot verify your identity based on the information we have on file, we may request additional information from you (such as government identification), which we will only use to verify your identity, and for security or fraud-prevention purposes.
Declining to Provide Information. We need to collect Consumer Health Data to provide certain services. If you do not provide the information we identify as required or mandatory, or if you request that any required Consumer Health Data be deleted or withdraw your consent for future collection or sharing of any required Consumer Health Data, we may not be able to provide those services.
Changes to this Consumer Health Data Privacy Policy
We reserve the right to modify this Consumer Health Data Privacy Policy at any time. If we make material changes to this Consumer Health Data Privacy Policy, we will notify you by updating the date of this Consumer Health Data Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Consumer Health Data Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Consumer Health Data Privacy Policy indicates your acknowledging that the modified Consumer Health Data Privacy Policy applies to your interactions with the Service and our business.
How to contact us
Email: privacy@mirumpharma.com