Privacy Notice

Privacy Notice – Effective Date: 1 February 2024
Agios Pharmaceuticals, Inc. (“Agios”, “we”, or “our”) recognizes the importance of protecting the privacy of Personal Data we collect in online and offline formats through the Services.

BY PROVIDING YOUR PERSONAL DATA TO AGIOS OR OTHERWISE USING OUR SERVICES, YOU AGREE TO THE TERMS OF THE PRIVACY NOTICE AND OUR TERMS OF USE.

1. SCOPE AND DEFINITIONS
2. INFORMATION WE COLLECT AND USE
3. HOW WE SHARE AND DISCLOSE PERSONAL DATA
4. CHILDREN’S PRIVACY
5. MANAGING COMMUNICATION PREFERENCES
6. REGION-SPECIFIC DISCLOSURES
7. COOKIES
8. LINKS TO OTHER SITES
9. UPDATES TO OUR PRIVACY NOTICES
10. CONTACT US

1. SCOPE AND DEFINITIONS

This Privacy Notice covers the Personal Data we collect through our provision of the Services. Please note this Privacy Notice does not apply to Agios’ processing of employee or contractor Personal Data.

When we say “Personal Data,” we mean data that can be reasonably used to identify a living person, or that reasonably relates to a living person.

When we use the term “Services” we mean to refer collectively to:

• The websites agios.com and any other websites or mobile applications that we own and operate that link to or expressly adopt this Privacy Notice (the “Sites”);
• Prospective Research and employee application processes (“Application Activities”); and
• Our marketing and business development activities, including events we host (such as webinars), social media properties we create, and emails that we send (“Marketing Activities”).

We collect Personal Data about the following types of individuals:

• Physicians and other health care professionals;
• Clinical trial investigators;
• Research participants;
• Researchers;
• Contractors and consultants;
• Job applicants;
• Volunteers; and
• Other individuals who interact directly with Agios or its business partners.

Agios may provide additional privacy notices to individuals at the time we collect their data. For example, we often provide a specific privacy notice to participants in research studies or clinical trials (collectively, “Research”) during the informed consent process that describes our privacy practices in connection with conducting Research. This type of an “in-time” notice will govern how we may process the information you provide at that time instead of this Privacy Notice.

2. INFORMATION WE COLLECT AND USE

a) Information Provided By You

We collect Personal Data that you provide to us through or in connection with the Services or that you give to us in another way. For example:

• If you sign up with us to receive newsletters, we process:
  • Your contact information, such as your name, profession, email address, zip code, and telephone number.
  • Purpose: To manage our communications with you and to inform you about topics that may be of interest to you. If you wish to stop receiving email messages from us, please see the “Managing Communications Preferences” section below.
• If you register with us to specifically receive information about our Research trials, we collect:
  • Your contact information, including your name, email, mailing address, phone number, and whether you are a patient, caregiver, or healthcare professional.
  • Purpose: To contact you with information regarding Research, evaluate your eligibility for the Research and, as appropriate, to invite you to participate in Research.
• If you apply for a job with us, we process:
  • Your application information, including contact information, professional and academic history, and other information you include in your CV/resume or application materials.
  • Purpose: To process and evaluate job applications and eligibility for employment, to communicate with you about your job applications and requests and to facilitate the application process and any pre-contractual steps.
• If you contact us on the phone, through email, or submit comments or questions directly to us or through the Sites, we process:
  • Your name, email, and the information you supply in the comments or questions and the content of your voice messages to us.
  • Purpose: To authenticate you as a user, communicate with you and investigate and respond to your inquiries, including those inquiries for expanded access. At your request, we may use information you provide in your communications to contact you with information regarding Research, evaluate your eligibility for the Research and, as appropriate, to invite you to participate in Research.
• If you register for or attend any events, such as a training, webinar, lecture, seminar, workshop or open house event, we process:
  • Your basic personal data (e.g., name and contact information), and in some instances your professional credentials.
  • Purpose: To register you in the program, authenticate your attendance, administer the event, contact you about your experience and provide information to you about future events that may be of interest to you.
• If you submit a grant request, we process:
  • Your contact information, professional and academic history, financial information and any information relating to your proposed grant request.
  • Purpose: To process and evaluate your grant request, and to communicate with you about your request.

b) Information We Obtain From Third Parties

We collect Personal Data from the following third party sources:

• Business Partners and Service Providers. We collect Personal Data from our service providers and business partners in connection with evaluating candidates for employment, as well as when conducting Marketing Activities.
  • Purpose: To identify potential employment candidates, identify potential Research participants, identify prospective business partners or patient groups, coordinate events and programs and conduct Application Activities and Marketing Activities.
• Publicly Available Sources. We collect Personal Data about you that we do not otherwise have (including contact information, employment-related information and product interest information) from social media platforms (for example, Facebook, Twitter, and Instagram) and other publicly available databases.
  • Purpose: To conduct Application Activities and Marketing Activities to help us understand trends and needs across Research categories or patient groups, analyze your interactions with us, present customized content, and improve our products, services, programs, events, and other offerings.

c) Information We Collect Automatically

We use certain technologies on the Sites to collect information about the device or browser you use to navigate our website.

The technologies we use may include the following:

• Web Logs. Like most websites, we automatically gather certain information about our Site traffic and store it in log files. This information includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data.
  • Purpose: To analyze trends on our Sites, manage and administer the Site content, Application Activities and Marketing Activities, for security and availability of our Sites, to improve the content, overall performance and user experience on the Sites, and for fraud protection and to protect our rights and the rights and safety of individuals.
• Cookies and Other Data Collection Technologies. We and our service providers use cookies, scripts and similar technologies to manage the Sites and to collect information about you and your use of our Sites. For more information on our use of such technologies, please see the section on Cookies below.
• Google Analytics. We use “Google Analytics” to collect information about use of Sites. Google Analytics collects information such as how often users access the Sites, what pages they access when they do so and what other sites they used prior to coming to the Sites.
  • Purpose: We use the information we get from Google Analytics only to improve the Services.
  • To learn more about the use of data collection technologies by Google for analytics and to exercise choice regarding those technologies, please visit the Google Analytics Opt-out Browser Add-on.

d) Additional Purposes for Processing Personal Data

In addition to the above described purposes for the processing of Personal Data, we also process Personal Data for the following legitimate interests:

• Maintaining, improving and delivering the website;
• Communicating with you to provide technical or administrative support;
• Developing new resources and services;
• Conducting, managing and growing our business;
• Defining and managing appropriate patient engagement activities and patient support programs;
• Preventing, investigating and providing notice of fraud, unlawful or criminal activity, unauthorized access to or use of Personal Data, the website or our data systems, and to meet legal, regulatory, judicial and company policy obligations;
• Investigating and resolving disputes and security issues and enforcing our Terms of Use; and
• For any other lawful, legitimate business purposes.

3. HOW WE SHARE AND DISCLOSE PERSONAL DATA

We share Personal Data in the following ways.

• Service Providers: We share Personal Data with service providers who complete transactions or perform services on our behalf, such as health care professionals, contract research organizations or other medical institutions conducting Research on our behalf or in collaboration with us, data storage and analytics providers, recruiters, background check providers, event coordinators, market research providers, technology providers (including technology support providers, email communications providers and web developers) or those providers assisting with Application Activities and Marketing Activities.
• Business Partners: We share Personal Data with business partners with whom we jointly engage in Research, Application Activities, Marketing Activities or the development of products or services, such as in the context of investigator-initiated research, market or industry related research, or research publications. If we share your information with third parties for purposes that are not compatible with applicable privacy notices, we will endeavor to identify the particular third party to you at the time of collecting your data.
• Regulatory, Legal Process, Safety and Terms Enforcement: We may disclose Personal Data to governmental regulatory authorities, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting, in response to their requests for such information or to assist in investigations. We may also disclose Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, or if we determine its disclosure is necessary to protect the health and safety of you or us, to protect against fraud or credit risk, or to enforce our legal rights or contractual commitments that you have made.
• Business Transfers: We may disclose Personal Data as part of a corporate business transaction, such as a merger, acquisition, joint venture, financing, or sale of company assets and may transfer Personal Data to a third party as one of the business assets in such a transaction. Personal Data may also be disclosed in the event of insolvency, bankruptcy, or receivership.

4. CHILDREN’S PRIVACY

Our Services are not directed to, and we do not intend to or knowingly collect Personal Data online from, children under the age of majority in the countries where the Services are accessed and used without appropriate consent. If you are under the age of majority in your country, do not provide us with any Personal Data either directly or by other means. If you learn that a child has accessed or used the Services without parental permission, please contact us as set forth in the Contact Us section below.

5. MANAGING COMMUNICATION PREFERENCES

If you have signed up to receive information from us (or where permitted by law, if you have provided us or we have obtained your contact information), we may send you email messages, direct mail information, push notifications, or other communications regarding products or services depending on the method of communication selected. You may ask us not to do so when you access our Services or change your preferences by updating any accounts you have with us. At any time, you may elect to discontinue receiving commercial messages from us by following the unsubscribe instructions in the form of the communication you received or by submitting an opt-out request to the contact information set forth in the Contact Us section below.

• Emails: To opt out of receiving marketing communications via email, please click on the unsubscribe link at the bottom of the email that was sent to you or submit an opt-out request to the contact information set forth in the Contact Us section below. Please note that you may continue to receive certain transactional or account-related electronic messages from us.

6. REGION-SPECIFIC DISCLOSURES

a) European Economic Area

For individuals in the European Economic Area (“EEA”) or Switzerland, the following disclosures apply to the processing of your Personal Data.

i. Data Subject Rights

Upon request, we will provide you with information about whether we hold any of your Personal Data, along with any details required to be provided to you under applicable law. In certain cases, you may have the following data protection rights:

• If you wish to access, correct, update or request deletion of your Personal Data, you can do so at any time by contacting us using the contact details provided below.
• In addition, you can object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data. Again, you can exercise these rights by contacting us using the contact details provided below.
• Similarly, if we have collected and process your Personal Data with your consent, then you can withdraw your consent at any time by contacting your primary contact at the company or as set forth in the Contact Us section below. Please include information adequate to identify you, identify your Personal Data, and identify the consent you wish to withdraw. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.

If you have any complaints regarding our privacy practices, you have the right to file the complaint with your local data protection authority.

ii. Legal Basis of Processing

In this section, we identify the lawful ground we rely on for processing Personal Data.

Consent

If Agios relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data. If Agios wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU’s General Data Protection Regulation (“GDPR”), Agios may obtain your explicit consent for such processing.

Contractual Necessity

Agios processes Personal Data to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants.

Legal Obligation

Agios may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Agios to process Personal Data for purposes of obtaining medical research approvals and spend transparency disclosures.

Public Interest

Agios may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law. If Agios wishes to process any special categories of Personal Data as set out in Article 9(1) of the GDPR, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests.

Legitimate Interests

Agios may process Personal Data subject to its own legitimate interests, such as to develop, administer and support Research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; or to facilitate a sale of assets or merger or acquisition.

It may be also necessary for Agios to process Personal Data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms of Use that govern the services we provide.

Compatible Purposes

Agios may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.

iii. Data Retention

We retain Personal Data for as long as is necessary to accomplish the purposes set out in the Agios Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.

The criteria used to determine the period for which Personal Data about you will be stored varies depending on the legal basis under which we process such Personal Data:

• Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain Personal Data about you erased (see Data Subject Rights above).
• Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
• Legal Obligation: For the duration of time we are legally obligated to keep the information.
• Public Interest: For the period of time necessary to fulfill the purposes of the business process in the public interest and for any period of time that may be required to document the public interest.
• Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.

We may face any threat of legal claim and in that case, we may need to apply a “legal hold” that retains information beyond our typical retention period. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

iv. International Data Transfers

Information collected through our Services is maintained in the United States. The countries to which we transfer Personal Data may not have the same data protection laws as the country in which you initially provided the information. By submitting Personal Data to Agios, you agree that Agios may maintain the information in the U.S. and share the Personal Data as described in this Privacy Notice.

If you are a data subject residing in the EEA, Switzerland or the United Kingdom (“UK”), please note that Agios is certified to the EU-US Data Privacy Framework (“DPF”), the Swiss-US DPF and the UK Extension to the EU-US DPF.  The DPF has been determined by the European Commission to provide a mechanism for personal data transfers to the US from the EEA, the UK and Switzerland, that are consistent with EU, UK, and Swiss law US.  You can find further information about our DPF Certification at https://agios.com/data-privacy-framework/ .

b) Notice to California Residents

This Section only applies to users of our Services that reside in the State of California.

For purposes of this Section 6:

• The term “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include publicly available information that is made available from federal, state, or local government records.
• The term “sensitive personal information” means personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership and genetic data. 

Neither personal information nor sensitive personal information includes information collected in a clinical trial conducted in accordance with applicable regulations or guidelines on the protection of human subjects, or anonymized data that cannot be used to identify you.

California privacy rights. In addition to the rights described elsewhere in this Privacy Policy, California residents have the right to: (i) request additional disclosures about the personal information we collect, use, disclose and sell;  (ii) request access to and deletion of your personal information; (iii) request correction of incorrect information (iv) opt out of the sale or sharing of your personal information; (v) limit use and disclosure of sensitive personal information, and (vi) obtain a copy of your personal information. We will not discriminate against you for exercising any of these rights, for example, by charging a different price or denying goods or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to you by the data.

Methods for submitting requests. If you wish to exercise any of these rights, please email privacy@agios.com with the phrase “California Privacy Rights” in the subject line. You may also call us toll-free at 1-866-467-8688 and enter service code 820#, or complete an online form here. We will review your request and respond accordingly. The rights described herein are not absolute, and we reserve all of our rights available to us at law in this regard. Additionally, if we retain your personal information only in de-identified form, we will not attempt to re-identify your data in response to a California privacy rights request.

If you make a request related to personal information about you, you will be required to supply a valid means of identification as a security precaution. We will verify your identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information you provide when making the request to the personal information maintained by us, or use a third-party identity verification service. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. For requests related to particularly sensitive information, we may require additional proof of your identity.

If you make a California privacy rights request through an authorized agent, we will require written proof that the agent is authorized to act on your behalf.

We will process your request within the timeframe provided by applicable law.

Additional Disclosures.

Categories of personal information we collect. In the previous 12 months, Agios has collected the following categories of personal information:

• Identifiers such as names, dates of birth, and contact information;
• Information protected by California Civil Code Section 1798.80, subdivision (e), such as names, contact information, financial information, and health insurance information;
• Characteristics of protected classifications under California or federal law, such as age, ancestry, and medical condition;
• Commercial information such as records of products or services purchased;
• Biometric information such as genetic characteristics;
• Internet or other electronic network activity information; and
• Professional or employment-related information.

Sources from which we collect personal information. Agios may collect personal information from you directly. Agios may also receive personal information about you from third parties or through automated means. For additional information on how we may collect personal information, refer to Section 2 of this Privacy Policy.

Purpose for collecting personal information. Your personal information may be collected or used for the purposes described in Section 2 of this Privacy Policy, as well as for other purposes that may be described to you at the time we collect your personal information.

Categories of third parties with whom we share your personal information. Agios may share your personal information with the third parties described in Section 3 of this privacy policy, as well as with other third parties as may be described to you at the time we collect your personal information.

Sale or Sharing of your personal information. In some instances, Agios allows third parties to use online tracking technologies on Agios websites. Through these tracking technologies, third parties may analyze your browsing behavior, preferences, and site use, and provide you with targeted advertising about products and services based on your interests on other websites. You may opt-out of such sale or sharing of your personal information for the purposes of targeted advertising by updating your preferences using the “Your Privacy Choices” link on our websites.

Disclosures of Personal Information.  In the previous 12 months, Agios has disclosed the following categories of personal information for a business purpose:

• Identifiers;
• Information protected by California Civil Code Section 1798.80, subdivision (e), such as names, contact information, financial information, and health insurance information;
• Characteristics of protected classifications under California or federal law;
• Commercial information such as records of products or services purchased;
• Biometric information such as genetic characteristics;
• Internet or other electronic network activity information; and
• Professional or employment-related information.

Data Retention.  We will only retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying legal, accounting, reporting requirements or as otherwise necessary in accordance with applicable laws.

7. COOKIES

a) How We Use Cookies

We use cookies and related technologies (“Cookies”) to provide Services, gather information when users navigate through the Sites to enhance and personalize the experience, to understand usage patterns, and to improve our Sites, products, and Services.

Cookies on our Sites are generally divided into the following categories:

• Essential Cookies: These cookies are strictly necessary to provide you with features available through our Services and to use some of their features, such as access to secure areas. Because these cookies are strictly necessary to deliver the Services, you cannot refuse them without impacting how our Services function.
• Performance and Functionality Cookies: These cookies are used to enhance the performance and functionality of our Services but are non-essential to their use. However, without these cookies, certain functionality may become unavailable.
• Analytics and Customization Cookies: These cookies collect information that is used to help us understand how our Services are being used or how effective our Marketing Activities are, or to help us customize our Services for you in order to enhance your experience.
• Targeting Cookies: These record your visit to our Sites, the pages you have visited and the links you have followed to recognize you as a previous visitor and to track your activity on the Sites and other Sites you visit. These Cookies qualify as persistent cookies, because they remain on your device for us to use during a next visit to our Sites. You can delete these cookies via your browser settings. See below for further details on how you can control third-party targeting cookies.

We also allow third parties to use Cookies on our Sites to collect information about your online activities over time and across different Sites you visit. This information is used to provide advertising tailored to your interests on Sites you visit, also known as interest based advertising, and to analyze the effectiveness of such advertising.

b) How To Control Cookies

You can review your Internet browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. For information on how to do this, access the “help” menu on your Internet browser, or access http://www.aboutcookies.org/how-to-control-cookies. Please note, however, that disabling our cookies may result in your inability to take full advantage of all of the features of our Sites.

We support the Self-Regulatory Principles for Online Behavioral Advertising of the Digital Advertising Alliance (“DAA”). To learn more about certain third-party Cookies used for interest-based advertising, including through cross-device tracking, and to exercise certain choices regarding such cookies, please visit the Digital Advertising Alliance, Network Advertising Initiative, Digital Advertising Alliance-Canada, European Interactive Digital Advertising Alliance or your device settings if you have the DAA or other mobile app.

The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt-out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.

8. LINKS TO OTHER SITES

Our Sites contains links to other sites that are not owned or controlled by Agios. Please be aware that we are not responsible for the privacy policies of such other sites or how these sites operate or treat your Personal Data. We encourage you to be aware of this when you leave our Sites and to read the privacy policies and terms of use associated with each of these third party sites that collect personally identifiable information.

9. UPDATES TO OUR PRIVACY NOTICES

Agios is continually improving and adding new functionality and features to the Sites. Because of these ongoing improvements, changes in the law and the changing nature of technology, Agios’ data practices will change from time to time. Accordingly, this Privacy Notice is subject to occasional revisions. We will notify you of changes by posting the new Privacy Notice on the Sites and updating the effective date of the Privacy Notice. Such changes to the Privacy Notice will become effective when posted. You acknowledge and agree that it is your responsibility to review this Privacy Notice periodically and become aware of modifications.

The updated Privacy Notice will be effective as of the “Effective Date” date listed at the top of the Privacy Notice.

10. CONTACT US

If you have any questions about this Privacy Notice or concerns about the way Agios processes your Personal Data, or require assistance in managing your privacy choices, please get in touch with us at:

Agios Pharmaceuticals, Inc.
ATTN: Legal Department
88 Sidney Street
Cambridge, MA 02139

Email: privacy@agios.com
Tel: 617-649-8600
Fax: 617-649-8618