PRIVACY POLICY

Last updated: April 2026

California Notice at Collection: See the California privacy rights section below for important information about your rights under applicable California law.

This “Privacy Policy” describes the online privacy practices of Mirum Pharmaceuticals, Inc. and our owned and controlled affiliates (collectively, “Mirum,” “we,” “us,” or “our”) in how we collect, use, disclose, and otherwise process personal information, and explains the rights and choices available to individuals with respect to their information.

Mirum may provide additional privacy notices to individuals at the time we collect their data. For example, we provide a specific privacy notice to clinical trial participants that describes our privacy practices in connection with conducting clinical trials. This type of “in-time” notice will govern how we may process the information you provide at that time. Our personal information practices may vary depending on the nature of our relationship to you. For example, we may collect professional-related data about individuals who are healthcare providers, while for general website visitors, we generally do not collect such data. Please consider the context in which we interact with you when reading this Privacy Policy.

Mirum may process personal information that identifies your past, present, or future health status, or that otherwise constitutes “consumer health data” or equivalent terms as defined by applicable U.S. state laws (“Consumer Health Data”). To the extent such laws apply to your Consumer Health Data, please see our Consumer Health Data Privacy Policy, which supplements this Privacy Policy.

NOTICE TO EUROPEAN USERS: Please see the Notice to European Users section below for additional information for individuals located in the European Economic Area or United Kingdom (which we refer to as “Europe,” and “European” should be understood accordingly).

Personal information we collect

Whose Personal Information we Collect

We may collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other healthcare professionals, clinical trial investigators, researchers, pharmacists, and other individuals who interact directly with Mirum or its service providers or business partners, including users of websites and mobile applications.

How we Collect Personal Information

We may collect personal information from the following sources:

  • Directly from individuals
  • Through our websites, emails, and mobile apps (each a “Site” and collectively “Sites”)
  • From healthcare professionals
  • From service providers such as contract research organizations and clinical trial investigators
  • From public sources such as government agencies or public records
  • From service providers, data providers (such as information services or data licensors), or business partners
  • From industry and patient groups and associations
  • From business transactions

Types of Personal Information we Collect

The types of personal information we collect and share depend on the nature of the relationship you have with Mirum and the requirements of applicable laws. We may collect:

  • Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) we collect in connection with managing clinical trials, conducting research, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports
  • Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
  • Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)
  • Professional credentials, educational and professional history, and institutional affiliations
  • Payment-related information we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information)
  • If you are a healthcare professional, we collect information about the programs and activities in which you have participated, your prescribing of our products, and the agreements you have executed with us
  • Social media information, such as your photograph, social media handle, or digital or electronic signature
  • Publicly available information (such as comments describing support for and experience with Mirum products)
  • Other communications information you provide to us (such as in emails, on phone calls, in market research surveys, or in other correspondence with Mirum or its service providers or business partners)

We may combine third-party sourced information with the personal information that you provide to us through our Services.

Information Automatically Collected

We, our service providers, and our business partners may automatically log information about you and your computer or mobile device when you access or interact with our Sites or open emails from us. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page or an email, access times, and information about your use of and actions on our Sites. We collect this information about your device and your use of our Site and services using cookies, server logs, web beacons, pixels, and similar technologies. Please refer to the Cookies and Similar Technologies section for more details.

Cookies and similar technologies

Some of our automatic data collection is facilitated by cookies and similar technologies. For more information, see our Cookie Policy. We will also store a record of your preferences in respect of the use of these technologies in connection with our services.

How we use your personal information

To Operate Our Websites and Mobile Apps as Well as Our Business

If you use our websites or mobile apps, we use your personal information to:

  • Operate, maintain, administer, and improve the websites and mobile apps as well as our business
  • Better understand your needs and interests and personalize your experience with the websites and mobile apps
  • Provide support and maintenance for our websites and mobile apps
  • Respond to your service-related requests, questions, and feedback

To Perform and Administer Clinical Trials, Research, and Product-Improvement Activities

We may use your personal information when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:

  • Staff and manage clinical trials, including by recruiting investigators and participants
  • Track and respond to safety and product quality concerns (including product recalls)
  • Support public health initiatives, symposia, conferences, and scientific, educational, and volunteer events
  • Define and manage appropriate patient engagement activities and patient support programs (including to provide co-pay and other financial assistance where available)
  • Identify and engage thought leaders and external experts
  • Award scholarships and grants
  • Attribute authorship to academic and promotional materials

To Provide Products and Services

We use your personal information as necessary to provide Mirum products and services, including to:

  • Manage access to our products, including where access is limited by law to licensed physicians
  • Pay for services that physicians, researchers, and other individuals may provide to us

To Communicate With You

If you request information from us or participate in our surveys, promotions, or events, we may send you Mirum-related product or disease-related communications as permitted by law. You will have the ability to opt out of such communications.

To Comply With Law

We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities or others.

To Comply With Regulatory Monitoring and Reporting Obligations

We use your personal information as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.

For Marketing and Advertising

We, our service providers, and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:

  • Direct marketing. We may send you direct marketing communications and may personalize these messages based on your needs and interests. You may opt-out of our marketing communications as described in the opt-out section below.
  • Interest-based advertising. We and our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the Cookies and similar technologies section above) with the service, our communications and other online services over time, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. You can learn more about your choices for limiting interest-based advertising in the Your choices section of this Privacy Policy.

With Your Consent

We will request your consent to use your personal information where required by law, such as where we use certain cookies or similar technologies or would like to send you certain product-related messages. If we request your consent to use your personal information, you have the right to withdraw your consent at any time in the manner indicated when we requested the consent or by contacting us.

To Create De-identified, Aggregated, or Anonymized Data for Analytics

We may create de-identified, aggregated, or anonymized data from your personal information and that of other individuals whose personal information we collect. We make personal information into de-identified or anonymized data by excluding information that makes the data personally identifiable to you, and we use that de-identified, aggregated, or anonymized data for our lawful business purposes. We will not attempt to re-identify any such data to a particular person except as permitted by applicable law.

For Compliance, Fraud Prevention, and Safety

We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products, and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.

Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.

How we share your personal information

Affiliates

We may disclose your personal information to our subsidiaries and corporate affiliates for purposes consistent with this Privacy Policy.

Service Providers

We may employ third-party companies and individuals to perform services on our behalf, such as:

  • Contract research organizations that conduct clinical trials
  • Data storage and analytics
  • Customer service (including our medical information line) and patient support providers (including for product quality and adverse event reporting, patient co-pay assistance, medicine intake adherence programs, etc.)
  • Product recall administration
  • Technology services and support (including email and web hosting providers, marketing and advertising technology providers, email and text communications providers, mobile app developers)
  • Event planning and travel organizations that help facilitate Mirum programs
  • Payment, shipping, and fulfillment service providers

Business Partners and Other Professionals and Organizations

We may disclose your personal information to partners with whom we jointly develop products or services, in connection with the development and promotion of such products or services. We will ask for your consent before disclosing your information with our business partners where required by applicable law. We may also share your personal information with healthcare professionals, researchers, academics, public health organizations, and publishers for purposes consistent with this Privacy Policy.

Professional Advisors

We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.

Advertising Partners

We may disclose your personal information to third-party advertising companies for the interest-based advertising purposes described above.

Compliance With Laws and Law Enforcement; Protection and Safety

We may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities or others; (b) enforce the terms and conditions that govern our websites, mobile apps, products, and services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.

Business Transfers

We may sell, transfer, or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization, or sale of assets or in the event of bankruptcy.

Your choices

If you are located in California or Europe, please also refer to the section “California Privacy Rights Notice” and “Additional Information for European Users,” respectively.

Opt Out

You may opt out of product- and disease-related communications by clicking the “Unsubscribe” link at the bottom of each such communication or by sending an email with the subject line “Unsubscribe” to privacy@mirumpharma.com. You may continue to receive service-related and other non–product/disease-related emails.

Choosing Not to Share Your Personal Information

Where we are required by law to collect your personal information, or where we need your personal information in order to provide you with our products or services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our products or services and may need to terminate our relationship with you. We will tell you what information you must provide to us by designating it as required when we request the information or through other appropriate means.

Security

The security of your personal information is important to us. We take a number of organizational, technical, and physical measures designed to protect the personal information we collect, both during transmission and once we receive it.

Children

Mirum does not knowingly collect personal information from children under age 13 through our websites or mobile applications. If we learn that we have collected personal information directly from a child under the age of 13 through our websites or mobile applications, we will delete that information.

International Data Transfers

Mirum is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country, or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.

Individuals in Europe should read the important information about transfer of personal information outside of Europe provided in the Cross-Border Data Transfer sub-section of the section “Additional Information for European Users.”

Other Sites and Services

For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by Mirum. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over third-party websites or services and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We encourage you to periodically review this page for the latest information on our privacy practices. If we make material changes to this Privacy Policy you will be notified via email (if we have your email address) or another manner that we believe reasonably likely to reach you (which may include posting a new privacy policy on our websites or a specific announcement on this page).

Any modifications to this Privacy Policy will be effective upon our posting of the new terms and/or upon implementation of the changes (or as otherwise indicated at the time of posting). In all cases, your continued use of our websites, mobile apps, products, and services after the posting of any modified Privacy Policy indicates your acknowledgement and understanding of the terms of the modified Privacy Policy.

Contact us

If you have any questions or concerns at all about our Privacy Policy, please contact us at:

Mirum Pharmaceuticals, Inc.
Attn: Legal Dept
989 E Hillsdale Blvd., Suite 300
Foster City, CA 94404

You may also contact us via email at:
privacy@mirumpharma.com

California privacy rights notice

Except as otherwise provided, this section applies to residents of California, pursuant to the California Consumer Privacy Act (“CCPA”). This section supplements our general personal information practices described elsewhere in this Privacy Policy.

This section describes how we collect, use, and share Personal Information of residents of California and the rights these users may have with respect to their Personal Information. Please note that not all rights listed below may be afforded to all users and that if you are not a resident of California, you may not be able to exercise these rights. In addition, we may not be able to process your request if you do not provide us with sufficient detail to allow us to confirm your identity or understand and respond to it.

For purposes of this section, the term “Personal Information” has the meaning given to “personal information” or other similar terms and “Sensitive Personal Information” has the meaning given to “sensitive personal information,” or other similar terms in the CCPA, except that in neither case does such term include information exempted from the scope of the CCPA. In some cases, we may provide a different privacy notice to certain categories of residents of these states, such as job applicants, in which case that notice will apply instead of this section.

  • Your Privacy Rights. The CCPA may provide residents with some or all of the rights listed below. However, these rights are not absolute. Therefore, we may decline your request in certain cases as permitted by law.
  • Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
    • The categories of Personal Information that we have collected.
    • The categories of sources from which we collected Personal Information.
    • The business or commercial purpose for collecting and/or selling Personal Information.
    • The categories of third parties with which we share Personal Information.
    • The categories of Personal Information that we sold or disclosed for a business purpose.
    • The categories of third parties to whom the Personal Information was sold or disclosed for a business purpose.
  • Access. You can request a copy of the Personal Information that we have collected about you.
  • Appeal. You can appeal our denial of any request validly submitted.
  • Correction. You can ask us to correct inaccurate Personal Information that we have collected about you.
  • Deletion. You can ask us to delete the Personal Information that we have collected from you.
  • Opt-out of Selling or Sharing. You can opt-out of certain processing or “sharing” of personal information; for example, for targeted advertising purposes. You may also have the right to opt-out of other sales of your Personal Information; however, we do not sell your Personal Information for monetary consideration.
  • Consumers under 16. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
  • Limit Processing of Sensitive Personal Information. You have the right under the CCPA to limit the processing of certain uses of Sensitive Personal Information; however, we do not plan to use Sensitive Personal Information in a manner in which the right to limit processing applies.
  • Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the CCPA. 

Right to Information, Access, Correction, and Deletion. You can request to exercise your information, access, correction, and deletion rights by:

Right to Opt-Out of the “sharing” of your Personal Information. While we do not sell personal information for money, like many companies, we use services that help deliver interest-based ads to you, as described above. The CCPA may classify our use of some of these services as the “sharing” of your Personal Information with the advertising partners that provide the services.

You can submit requests to opt-out of tracking for targeted advertising purposes or other similar sharing of Personal Information by:

You can also broadcast the Global Privacy Control (GPC) to opt-out for each participating browser system that you use. Learn more at the Global Privacy Control website.

Verification of Identity; Authorized Agents. We may need to verify your identity in order to process your information/know, access, appeal, correction, or deletion requests and reserve the right to confirm your residency. To verify your identity, we may require government identification, a declaration under penalty of perjury, or other information, where permitted by law.

Under the CCPA, you may enable an authorized agent to make a request on your behalf upon. However, we may need to verify your authorized agent’s identity and authority to act on your behalf. We may require a copy of a valid power of attorney given to your authorized agent pursuant to applicable law. If you have not provided your agent with such a power of attorney, we may ask you to take additional steps permitted by law to verify that your request is authorized, such as by providing your agent with written and signed permission to exercise your California privacy rights on your behalf, the information we request to verify your identity, and confirmation that you have given the authorized agent permission to submit the request.

Personal Information That We Collect, Use, and Disclose. We have summarized the Personal Information we collect and may disclose to third parties by reference below to both the categories defined in the “Personal information we collect” section of this Policy above and the categories of Personal Information specified in the CCPA (Cal. Civ. Code §1798.140). This summary describes our practices currently and during the 12 months preceding the effective date of this Privacy Policy. Information you voluntarily provide to us, such as in free-form webforms, may contain other categories of personal information not described below.

Personal Information we Collect: Health and medical information
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California customer records
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Patient support partners (to facilitate patient support options and services); Business partners and other professionals and organizations

Personal Information we Collect: Personal and business contact information
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); California customer records
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations; Patient support partners (to facilitate patient support options and services)

Personal Information we Collect: Biographical and demographic information
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); California customer records
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Professional credentials, educational and professional history, and institutional affiliations
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California consumer records; Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Data related to healthcare professionals
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California customer records
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations; Patient support partners (to facilitate patient support options and services)

Personal Information we Collect: Social media information
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California consumer records; Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Communications information
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California customer records; Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Device data
  • CCPA Statutory Category: Identifiers (other); Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Online activity data
  • CCPA Statutory Category: Identifiers (other); Commercial information; Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Personal Information we Collect: Communication interaction data
  • CCPA Statutory Category: Identifiers (online); Identifiers (other); Commercial information; California consumer records; Internet or network information
  • Categories of Third Parties to Whom we “Disclose” Personal Information for a Business Purpose: Affiliates; Service providers; Advertising partners; Professional advisors; Government or law enforcement officials; Business transferees; Business partners and other professionals and organizations
  • Categories of Third Parties to Whom we “Sell” or “Share” Personal Information: Advertising partners (to facilitate online advertising); Business partners and other professionals and organizations

Additional Information for Nevada Residents. Nevada residents have the right to opt-out of the sale of certain personal information for monetary consideration. While we do not currently engage in such sales, if you are a Nevada resident and would like to make a request to opt out of any potential future sales, please email privacy@mirumpharma.com.

Contact Us. If you have questions or concerns about our privacy policies or information practices, please contact us using the contact details set forth in the How to Contact Us section, above.

Additional information for individuals in Europe

Where this Notice to European Users Applies. The information provided in this ‘Notice to European users’ section applies only to individuals located in the European Economic Area (EEA) (i.e., “Europe” as defined at the top of this Privacy Policy).

Personal Information

References to “personal information” in this Privacy Policy are equivalent to “personal data” as defined by the “GDPR” (i.e., the General Data Protection Regulation 2016/679 (“EU GDPR”) and the EU GDPR as it forms part of the laws of the United Kingdom (“UK GDPR”)).

Controller

Mirum is the Data Controller with respect to the processing of your personal information. See the ‘Contact us’ section above for our contact details.

Data Protection Representative

As Mirum is located in the United States (989 E Hillsdale Blvd., Suite 300, Foster City, CA 94404), we are required by the GDPR to appoint representatives.

Mirum has appointed a Data Protection Representative in Europe and the UK, MyData-Trust. MyData-Trust can be contacted at:

Legal Bases for Processing

We describe below the legal bases we rely on in respect of the relevant purposes for which we use your personal information – for more information on these purposes and the data types involved, see the ‘How we use your personal information’ section above and the description of associated data sharing relevant to such purposes set out in the ‘How we share your personal information’ section above.

Purpose: To Operate Our Websites and Mobile Apps as well as our Business
Categories:
  • Health and medical information
  • Personal and business contact information
  • Biographical and demographic information
  • Professional credentials, educational and professional history, and institutional affiliations
  • Payment-related information
  • Social media information
  • Data related to healthcare professionals
  • Communications information
  • Automatically collected information
Legal Basis:
  • Contractual Necessity.
  • Legitimate Interests. We have a legitimate interest in ensuring the ongoing security and proper operation of our services (including, where relevant, responding to any contact via any “contact us” feature or similar), our business and associated IT services, systems, and networks.

Purpose: To Perform and Administer Product-Improvement Activities
Categories:
  • Personal and business contact information
  • Biographical and demographic information
  • Professional credentials, educational and professional history, and institutional affiliations
  • Payment-related information
  • Social media information
  • Data related to healthcare professionals
  • Communications information
  • Automatically collected information
Legal Basis:
  • Legitimate Interests. We have a legitimate interest in providing you with a good service and analysing how you use it so that we can improve it over time, as well as developing and growing our business.
  • Consent, in respect of any optional cookies used for this purpose.

Purpose: To Provide Products and Services
Categories:
  • Health and medical information
  • Personal and business contact information
  • Biographical and demographic information
  • Professional credentials, educational and professional history, and institutional affiliations
  • Payment-related information
  • Data related to healthcare professionals
  • Social media information
  • Communications information
  • Automatically collected information
Legal Basis:
  • Contractual Necessity.
  • Legitimate Interests. We have a legitimate interest in providing you with and managing access to our products and paying for services that physicians, researchers, and other individuals may provide to us.

Purpose: To Communicate With You
Categories:
  • Personal and business contact information
  • Communications information
  • Automatically collected information
Legal Basis:
  • Legitimate Interests. We have a legitimate interest in communicating with you, including for the furtherance of our business and/or provision of our services to you.

Purpose: To Comply With Law
Categories:
  • Any and all data types relevant in the circumstances
Legal Basis:
  • Compliance with Law.
  • Legitimate Interests. Where Compliance with Law is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our rights, property, and/or safety.

Purpose: To Comply With Regulatory Monitoring and Reporting Obligations
Categories:
  • Any and all data types relevant in the circumstances
Legal Basis:
  • Compliance with Law.

Purpose: Marketing
Categories:
  • Personal and business contact information
  • Biographical and demographic information
  • Professional credentials, educational and professional history, and institutional affiliations
  • Social media information
  • Communications information
  • Automatically collected information
Legal Basis:
  • Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organization and sending marketing communications for that purpose.
  • Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.

Purpose: Advertising
Categories:
  • Automatically collected information
Legal Basis:
  • Consent

Purpose: Further Uses
Categories:
  • Any and all data types relevant in the circumstances
Legal Basis:
  • The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the personal information was collected.
  • Consent, if the relevant further use is not compatible with the initial purpose for which the personal information was collected.

Purpose: To Create De-identified, Aggregated, or Anonymized Data for Analytics
Categories:
  • Any and all data types relevant in the circumstances
Legal Basis:
  • Legitimate Interests. We have a legitimate interest in taking steps to preserve the privacy of our users.

Purpose: For Fraud Prevention and Safety
Categories:
  • Any and all data types relevant in the circumstances
Legal Basis:
  • Legitimate Interests. We have a legitimate interest in ensuring that our services are compliant and safe, and in preventing fraud.

Other information

No Obligation to Provide Personal Information. You do not have to provide personal information to us. However, where we need to process your personal information either to comply with applicable law or to deliver our services to you, and you fail to provide that personal information when requested, we may not be able to provide some or all of our services to you. We will notify you if this is the case at the time.

No Sensitive Information. Unless specifically requested, we ask that you not provide us with any sensitive personal information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, criminal background or trade union membership, or biometric or genetic characteristics other than as requested by us as part of the Service) on or through the services, or otherwise to us. If you provide us with any such sensitive personal information when you use our services, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our services.

No Automated Decision-making and Profiling. As part of our services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

Your rights

European data protection laws provide certain rights regarding the collection and processing of personal information. You may ask us to take the following actions in relation to your personal information that we hold:

  • Opt-out. Stop sending you direct product- or disease-related communications. You may continue to receive service-related and other non-product/disease communications.
  • Provide you with information about our processing of your personal information and give you access to your personal information.
  • Update or correct inaccuracies in your personal information.
  • Delete your personal information.
  • Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict the processing of your personal information.
  • Object to our reliance on our legitimate interests as the basis of our processing of your personal information.

You can submit these requests by email to privacy@mirumpharma.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. Although we urge you to contact us first to find a solution for any concern you may have, in addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal information, you can make a complaint to the data protection regulator in your habitual place of residence. The contact information for the data protection regulator in your place of residence can be found here: 

Cross-border data transfer

We are a U.S.-based company and many of our service providers, advisers, partners, or other recipients of data are also based in the U.S. This means that, if you use our services, your personal information will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe or the UK.

Whenever we transfer your personal information out of Europe or the UK to countries not deemed to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with applicable data protection laws, such as:

  • Transfers to Territories with an Adequacy Decision. We may transfer your personal information to countries or territories whose laws have been deemed to provide an adequate level of protection for personal information by the European Commission or UK Government (as and where applicable) (from time to time) or under specific adequacy frameworks approved by the European Commission or UK Government (as and where applicable) (from time to time), such as the EU-U.S. Data Privacy Framework or the UK Extension thereto.
  • Transfers to Territories without an Adequacy Decision.
    • We may transfer your personal information to countries or territories whose laws have not been deemed to provide such an adequate level of protection (e.g., the U.S.). 
    • However, in these cases:
      • we may use specific appropriate safeguards, which are designed to give personal information effectively the same protection it has in Europe—for example, standard-form contracts approved by relevant authorities for this purpose; or
      • in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal information to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’—for example, reliance on your explicit consent to that transfer.

For further information on the specific transfer mechanism used by us or to receive a copy, please contact Mirum’s EU Data Protection Officer representative.