bluebird may provide additional privacy notices to individuals at the time we collect their data. For example, we provide a specific privacy notice to clinical trial participants that describe our privacy practices in connection with conducting clinical trials. This type of an “in-time” notice will govern how we may process the information you provide at that time. For example, our privacy practices in connection with clinical trials are governed by applicable clinical trial protocol(s).
Individuals located in Europe should be sure to read the important information provided here.
Personal Information We Collect
How We Use Your Personal Information
How We Share your Personal Information
Additional Program Terms
International Data Transfer
Other Sites and Services
Notice to European Users
Whose Personal Information We Collect
We collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other healthcare professionals, clinical trial investigators, researchers, pharmacists, users of our Sites, job applicants, and other individuals who interact directly with bluebird or our service providers or business partners.
How We Collect Personal Information
We collect personal information:
Types of Personal Information We Collect
The types of personal information we collect and share depend on the nature of the relationship you have with us and the requirements of applicable laws. We may collect:
We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide through the Services.
Information automatically collected
We may automatically log information about you and your computer or mobile device when you access our Sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Sites. We collect this information about you using cookies.
Please refer to our Cookie Notice for more details.
Do Not Track signals
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not currently respond to do not track signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
If you use our Sites, we use your personal information to:
We may use your personal information when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:
We use your personal information as necessary to provide bluebird Services, including to:
We may send you surveys, promotions or other marketing communications, but you may opt out of receiving them as described in the Opt-out of marketing section below.
To comply with law
We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
To comply with regulatory monitoring and reporting obligations
We use your personal information as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.
With your consent
In some cases, we may ask for your consent to collect, use or share your personal information, such as when required by law or our agreements with third parties.
To create anonymous data for analytics
We may create anonymous data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous data by excluding information that makes the data personally identifiable to you, and use that anonymous data for our lawful business purposes.
For compliance, fraud prevention and safety
We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may employ third party companies and individuals to perform services on our behalf, including:
Healthcare providers and healthcare professionals and organizations
We may disclose your personal information to partners with whom we jointly develop products or services, in connection with the development and promotion of such products or services. We will ask for your consent before disclosing your information to our business partners where required by applicable law.
We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Compliance with laws and law enforcement; protection and safety
We may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our websites, mobile apps, products and services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your information, such as if you participate in a special program, activity, event, or clinical trial. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. We will honor these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating in any programs.
Changes to your personal information
If you become aware that the personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, you may contact us at email@example.com.
Opt-out of marketing
You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email. You may continue to receive service-related and other non-marketing emails.
If you gave us consent to post a testimonial on our Sites, but wish to update or delete it, please contact us at firstname.lastname@example.org.
Choosing not to share your personal information
Where we are required by law to collect your personal information, or where we need your personal information in order to provide you with our Services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our Services and may need to terminate our relationship with you. We will tell you what information you must provide to us by designating it as required when we request the information or through other appropriate means.
The security of your personal information important to us. We take a number of organizational, technical and physical measures designed to protect the personal information we collect, both during transmission and once we receive it. However, no security safeguards are 100% secure and we cannot guarantee the security of your information.
We do not knowingly collect personal information from children under age 13 in the United States through our Sites. If we learn that we have collected personal information directly from a child under the age of 13 through our Sites, we will delete that information.
bluebird is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.
Individuals in the European Union should read the important information provided in the Cross-Border Data Transfer section below about transfer of personal information outside of the European Economic Area.
For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by bluebird. These links are not an endorsement, authorization or representation that we are affiliated with that third party. We do not exercise control over third party websites or services, and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.
bluebird bio, Inc.
Attn: Compliance Officer
60 Binney Street
Cambridge, MA, 02142 USA
Legal bases for processing
The legal bases for our processing of your personal information are described in the table below.
|Processing purpose (click link for details)||Legal basis|
|To provide the Services||Where we have a contract governing this processing purpose, the processing is necessary is perform that contract, or necessary to take steps that you have requested prior to entering into the contract.
In other cases, these processing activities are necessary to protect your, or another person’s, vital interests.
|To perform and administer clinical trials, research and product-improvement activities||Where we have a contract governing this processing purpose, the processing is necessary is perform that contract, or necessary to take steps that you have requested prior to entering into the contract.
Where we process sensitive personal data in connection with this processing purpose, the processing is necessary for scientific or historical research purposes or statistical purposes.
In all other cases, these processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
|To operate our websites and mobile apps
To communicate with you
To create anonymous data for analytics
For compliance, fraud prevention and safety
|These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).|
|To comply with regulatory monitoring and reporting obligations
To comply with law
|Processing is necessary to comply with our legal obligations.|
|With your consent||Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated when we requested the consent or by contacting us.|
Use for new purposes
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.
European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:
You can submit these requests by email to email@example.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.
If we export your personal data from the European Economic Area (“EEA”) to a country outside of it and are required to apply additional safeguards to that personal data under European data protection legislation, we will do so. Such safeguards may include applying the European Commission model contracts for the transfer of personal data to third countries described here. Please contact us for further information about any such transfers or the specific safeguards applied.
Effective as of March 2019