General Privacy Notice

Last Updated: May 1, 2021

Allay Therapeutics, Inc. and its affiliates (“Allay Therapeutics,” “we,” “our,” and/or “us”) values the privacy of individuals who use our websites, (including www.allaytx.com (our “Site”)).  This privacy policy (the “Privacy Policy”) explains how we collect, use, and share personal information from or about the users of our Site.  By using our Site, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy.  Beyond the Privacy Policy, your use of the Site is also subject to our Terms of Use.

Information We Collect

We may collect a variety of personal information from or about you or your devices from various sources, as described below.

A. Information You Provide to Us

Communications.  If you contact us directly, we may receive personal information about you.  For example, when you contact us for more information about Allay Therapeutics or our research, we will receive your name, email address, and the contents of your email.

Careers.  If you decide to apply for a job with us, you may submit your contact information and your resume online.  We will collect the personal information you choose to provide us as part of your job application, such as your contact information, education, and employment experience.  If you apply for a job with us through a third-party platform (such as LinkedIn), we will collect the personal information you make available to us through such third-party platform.

B. Information We Collect When You Use Our Site

Location Information.  When you use our Site, we may infer your general location information (for example, your IP address may indicate your general geographic region).

Device Information.  We may receive information about the device and software you use to access our Site, such as your internet protocol (IP) address, web browser type, operating system version, and device identifiers.

Usage Information.  To help us understand how you use our Site and to help us improve it, we may automatically receive information about your interactions with our Site, like the pages or other content you view, the searches you conduct, and the dates and times of your visits.

Information from Cookies and Similar Technologies.  We and third-party partners may collect information using cookies, pixel tags, or similar technologies.  Our third-party partners, such as analytics partners, may use these technologies to collect information about your online activities over time and across different services.  Cookies are small text files containing a string of alphanumeric characters.  We may use both session cookies and persistent cookies.  A session cookie disappears after you close your browser.  A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to our Site.

Please review your web browser’s “Help” file to learn the proper way to modify your cookie settings.  Please note that if you delete or choose not to accept cookies from the Site, you may not be able to utilize the features of the Site to its fullest potential.

C. Information We Receive from Third Parties

Partners.  We may receive additional personal information about you from third parties such as data or marketing partners and combine it with other personal information we have about you.

How We Use the Information We Collect

We use the personal information we collect:

• To provide, maintain, improve, and enhance our Site;
• To communicate with you, provide you with updates and other information relating to our Site, provide information that you request, respond to comments and questions, and otherwise provide support;
• To find and prevent fraud, and respond to trust and safety issues that may arise;
• For compliance purposes, including enforcing our Terms of Service and other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency; and
• For other purposes for which we provide specific notice at the time the personal information is collected.

How We Share the Information We Collect

We do not share or otherwise disclose personal information we collect from you except as described below or otherwise disclosed to you at the time of the collection. 

Affiliates.  We may share any personal information we receive with our affiliates for any of the purposes described in this Privacy Policy.

Vendors and Service Providers.  We may share any personal information we receive with vendors and service providers retained in connection with the provision of our Site.

Marketing.  We do not rent, sell, or share personal information about you with nonaffiliated companies for their direct marketing purposes unless we have your permission.

Analytics Partners.  We may use analytics services such as Google Analytics to collect and process certain analytics data.  These services may also collect information about your use of other websites, apps, and online resources.  You can learn about Google’s practices by going to https://www.google.com/policies/privacy/partners/ and opt-out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

As Required by Law and Similar Disclosures.  We may access, preserve, and disclose your personal information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others’ rights, property, or safety.  For the avoidance of doubt, the disclosure of your personal information may occur if you post any objectionable content on or through the Site.

Merger, Sale, or Other Asset Transfers.  We may disclose and transfer your personal information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our business or assets.

Consent.  We may also disclose personal information from or about you or your devices with your permission.

Your Choices 

Do Not Track.  There is no accepted standard on how to respond to Do Not Track signals, and we do not respond to such signals.

If you choose not to provide us with the information we collect, some features of our Site may not work as intended.

Third Parties

Our Site may contain links to other websites, products, or services that we do not own or operate.  We are not responsible for the privacy practices of these third parties.  Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any personal information you disclose to these third parties.  We encourage you to read their privacy policies before providing any personal information to them.

Security

We make reasonable efforts to protect your personal information by using physical and electronic safeguards designed to improve the security of the personal information we maintain.  However, as no electronic transmission or storage of personal information can be entirely secure, we can make no guarantees as to the security or privacy of your personal information.

Children’s Privacy

We do not knowingly collect, maintain, or use personal information from children under 13 years of age, and no part of our Site is directed to children.  If you learn that a child has provided us with personal information in violation of this Privacy Policy, then you may alert us at privacy@allaytx.com.

International Visitors

Our Site is hosted in the United States and intended for visitors located within the United States.  If you choose to use the Site from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your personal information outside of those regions to the United States for storage and processing.  Also, we may transfer your data from the U.S. to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Site.  By providing any information, including personal information, on or to the Site, you consent to such transfer, storage, and processing.

Changes to this Privacy Policy

We will post any adjustments to the Privacy Policy on this page, and the revised version will be effective when it is posted.  If we materially change the ways in which we use or share personal information previously collected from you through the Site, we will attempt to notify you through the Site, by email, or other means.

Contact Information

If you have any questions, comments, or concerns about our processing activities, please email us at privacy@allaytx.com or write to us at:

Allay Therapeutics, Inc.
2720 Zanker Road
San Jose, CA 95134

GDPR Privacy Notice

Last updated and effective as of January 3, 2023

This Privacy Notice explains the practices that Allay Therapeutics, Inc. and its affiliates (“Allay”, “we”, “us”, “our”) follow in connection with the personal data that we collect through this website, when you contact us directly and through our research. If you are a visitor to our website, our Terms of Service apply as well.

We may change this Privacy Notice at any time by posting the revised Privacy Notice on this site and indicating the effective date of the revised Privacy Notice. You will be notified of any material changes to this Privacy Notice by email, if you have provided that information to us. We will not materially change the rights you may exercise under this Privacy Notice without your knowledge or, when required, your explicit consent.

WHAT IS PERSONAL DATA?

In the context of the work that Allay performs, personal data refers to any information that relates to an identified or identifiable individual such as a name, email, mailing address, phone number, or any information related to an individual’s health for the purpose of healthcare research.

PERSONAL DATA COLLECTION

We collect personal data provided directly by you during direct communication with any of our representatives through email. We collect your name, email address, and any other information you convey to us through the email you send.

For the purpose of our clinical research, we may collect your personal data either directly, through a clinical research site, or clinical research organization (CRO) that may manage the clinical trials that we sponsor. Clinical research sites or CROs may collect your personal data if you are a participant of the clinical trial or supporting the clinical trial as an investigator, clinical site employee or contractor involved in the clinical trial.

PERSONAL DATA PROCESSING

For the purpose of communicating with you when you call or send us an email, we collect your contact information including name, email address and the nature of your request in order to reply to your inquiry.

The subject data that we obtain and use during a clinical trial is pseudonymized and managed through an identifier that we cannot link back to you. Only the clinical site that collected your personal data can link it with the identifier they provide to us. The data we collect and process or use during a clinical trial , with your consent, includes:

• An identifier to track future data against
• Data concerning your health and how you are during the clinical trial
• Blood and urine sampling results.

The investigator, sub investigator or other clinical site staff, vendor or consultant staff information that we collect during a clinical trial is used to verify the individual’s qualifications, satisfy documentation requirements for their employment or work performed on the clinical trial, and for other administrative purposes relating to their work performed in connection with the clinical trial. The personal data we require to be shared with us regarding prospective investigators, employees, contractors or job candidates that perform work on our clinical trials include:

• Name
• Address
• Curriculum Vitae
• Training records
• Financial disclosures
• Any correspondence between the Clinical Site and the employee or contractor related to their interest in performing work or being employed in connection with the clinical trial.

PURPOSE OF PERSONAL DATA PROCESSING

Allay will process your personal data for the following purposes:

• To communicate with you if you request information from us
• To review the outcomes of the clinical trial
• To review the qualifications of the clinical site investigators, employees and contractors assigned to perform work on the clinical trial.

LEGAL BASIS FOR PROCESSING

In order to comply with different privacy and data protection regulations around the world and specifically to comply with the General Data Protection Regulation (“GDPR”) in the EU and the UK, we require to provide a legal basis for the processing of your personal data.

Allay will not process (meaning disclosure, sharing, or otherwise dissemination of) your personal data unless we have a legal justification to do so. Allay will only process your personal data if:

• We or the clinical sites we partner with, have obtained your explicit consent prior to the processing of your personal data
• If we need your personal data to perform a contractual obligation to which you are a party or where you have requested us to complete a contractual request
• If we need to process your personal data to fulfill our legal and regulatory obligations
• If we have a legitimate interest that will not put your fundamental rights and freedoms at risk. Such legitimate interests include monitoring activity on our website to improve the functionality of such website, identification and investigation of fraud or other impermissible use activity on our website, and participation in judicial proceedings to defend or pursue a legal claim or to prosecute illegal acts.

PERSONAL DATA DISCLOSURE

Allay will only disclose your personal data without your consent to the following parties under specific circumstances:

• To Allay personnel, if required, to fulfill your request
• To service providers that support our systems or support the activities of the clinical trial, including the clinical sites that hold personal data about subjects and investigators, employees or contractors
• To law enforcement, regulatory bodies or courts, when we are required to do so under applicable laws and regulations
• In connection with the sale or reorganization of all or part of our business, as permitted by applicable law.

PERSONAL DATA SECURITY

Allay is committed to protecting the personal data we collect, process and disclose about you. We maintain appropriate safeguards and take reasonable steps to protect your personal data, ensure that we limit its use and that we disclose it only to the parties that have a legitimate reason to have access to it.

We ensure that all the parties that we disclose your personal data to, internal and external to Allay, have contractual obligations to protect the security and the confidentiality of your personal data.

COOKIES

Allay uses cookies while you visit our website. Please refer to our Cookie Policy for details on the types of cookies we use.

PERSONAL DATA TRANSFERS

Your personal data will be transferred to systems that reside in the US and other jurisdictions that may be outside of where you reside. The data will be protected and, in some cases, pseudonymized to ensure that the risks to your privacy are minimized.

We have implemented Standard Contractual Clauses as approved by the EU Commission or by the UK Information Commissioner’s Office with the parties that reside in the EU or UK and that will transfer personal data to Allay in the US and other jurisdictions outside of the EU or UK.

PERSONAL DATA RETENTION

Allay will not retain your contact information after your request for contact has been fulfilled.

Allay and the clinical sites that we partner with for the purpose of clinical trials will retain your personal data for as long as necessary for the purpose of research. In the case of clinical trials this period may be up to 25 years; this is in order to comply with legal and regulatory obligations.

RIGHTS YOU CAN EXERCISE ABOUT YOUR PERSONAL DATA

Subject to any exceptions provided by law, you have the right to request access to, update or deletion of your personal data.

You also have the right to request restriction of or object to the processing of your personal data. And you have the right to request to have your data transferred to another organization in a commonly used format.

On each particular case we will inform you of the consequences of your request and if there are any exemptions to honouring your requests based on legal or contractual requirements and constraints.

During a clinical trial your rights to access, update or delete your pseudonymized personal data may be limited as permitted by law. Specifically, we need to process your data in specific ways in order to maintain the reliability and integrity of the research for reasons of public interest in public health and for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

HOW TO EXERCISE YOUR PERSONAL DATA RIGHTS

To submit any request to exercise your rights concerning your personal data you may contact us via email at privacy@allaytx.com

GENERAL DATA PROTECTION REGULATION (GDPR) – EU REPRESENTATIVE

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Allay Therapeutics has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:

• Using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• Writing to EDPO at Regus Paris- Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France.

UK GENERAL DATA PROTECTION REGULATION (GDPR) – UK REPRESENTATIVE

Pursuant to Article 27 of the UK GDPR, Allay Therapeutics has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR by:

• Using the EDPO UK online request form: https://edpo.com/uk-gdpr-data-request/
• Writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

EU/UK INDIVIDUALS – RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If you reside in the EU or the UK and want to lodge a complaint with a Supervisory Authority (Data Protection Authority) you may do so in the Member State where you reside, where you work or where you may have experienced an issue with the processing of your personal data.

CONTACT US

If you have any further questions regarding the personal data that Allay or any of our affiliates or partners collect and process or if you have feedback regarding this Privacy Notice, you may contact us at privacy@allaytx.com