PRIVACY POLICY

Last Updated on July 23, 2024

This Privacy Policy explains how Repare Therapeutics Inc., including all of its subsidiary companies (collectively, “Repare,” “we,” or “us”), handles personal data that we collect through our website: https://www.reparerx.com/ or associated sites or pages (the “Site”). This Privacy Policy (with the exception of the section titled “Data Privacy Framework” as applicable to individuals located in the European Economic Area (“EEA”) and the United Kingdom (“UK”)) does not address any data collected via any clinical trial conducted by Repare; data collected in connection with clinical trials will be disclosed in trial-related documentation, such as the Informed Consent Form provided in connection with the trial. The purpose of this Privacy Policy is to explain what personal data we collect, how we use your personal data, and how we share your personal data, as well as explain your statutory rights in certain jurisdictions.

If you are located in the EEA or the UK, please consult the EEA/UK GDPR supplemental notice below.

Personal Data We Collect

Information you provide to us: Personal data you may provide to us through the Site or otherwise includes:

  • Contact data, such as your first and last name, salutation, email address, professional title and company name, and phone number.
  • Demographic data, such as your city, state, country of residence, postal code, and age.
  • Communications data that we exchange with you, including when you contact us through the Site, social media, or otherwise.
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
  • Other information not specifically listed here that you decide to share with us, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Automatic data collection: We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:

  • Device and online activity data, such as information about you, your browser, your computer or mobile device, and your activity on the Site. The information that may be collected automatically includes your computer or mobile device operating system type and version number, manufacturer and model, device identifier, browser type, screen resolution, IP address, the Site you visited before browsing to our Site, general location information such as city, state or geographic area; and information about your use of and actions on the Site, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our business partners may collect this type of information over time and across third-party websites and mobile applications.
  • Communication interaction data, such as your interactions with our email, phone or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.

Cookies. Some of our automatic data collection is facilitated by cookies and similar tracking technologies. Please consult our Cookie Notice for more information.

How We Use Your Personal Data

We may use your personal data for the following purposes or as otherwise described at the time we collect it:

  • Service delivery. We may use your personal data:
    • to communicate with you about the Site, including by responding to your requests and/or queries about our company and our business activities, and sending press releases, announcements, updates, security alerts, and support and administrative messages;
    • to provide you with information and content you have requested, including to provide you access to webcasts, event recordings, newsletters, etc.;
    • to communicate with you about events in which you participate;
    • to ensure access to and maintenance of our Site and to ensure its proper functioning; and
    • to provide, operate, and improve our Site and our business, and to customize your browsing experience.
  • Research and development. We may use your personal data for research and development purposes, including to analyze and improve the service and our business.
  • Marketing. We and our service providers may collect and use your personal data for marketing purposes. We may send you direct marketing communications. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
  • Compliance and protection. We may use your personal data to:
    • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
    • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
    • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
    • enforce the terms and conditions that govern the service; and
    • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
  • With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal data, such as when required by law.
  • To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, aggregated or de-identified data by removing information that makes the data identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the service and promote our business.

 

How We Share Your Personal Data

We may share your personal data with the following parties and as otherwise described in this Privacy Policy or at the time of collection.

  • Affiliates: We may share your personal data with our subsidiaries and affiliates.
  • Business partners and service providers: We may transfer your personal data to our business partners and service providers as necessary for them to provide services to us in connection with our fulfilment of the purposes set out above. For example, we may rely on service providers to host and maintain our Site, perform backup and storage services, and transmit communications.
  • Authorities and others: Where permitted or required by applicable law, we may also need to transfer your personal data to government agencies, regulators (e.g., tax authorities, courts, and government authorities), and private parties as we believe in good faith to be necessary to comply with our legal obligations.
  • Professional Advisors: Where permitted or required by applicable law, we may also need to transfer your personal data to external professional advisors as necessary to defend our legal interests.
  • Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the surviving entity in a merger or the acquiring entity.

Your Choices

In this section, we describe the rights and choices available to all users. If you are located in the UK or the EEA, you can find additional information about your rights in the EEA/UK supplemental notice below.

Opt-out of marketing communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

Cookies. For information about cookies employed by the Site and how to control them, see our Cookie Notice.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Declining to provide information. We need to collect personal data to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Cross-Border Data Transfer

We are headquartered in Canada and have subsidiary companies in the United States and may use service providers that operate in other countries. The level of legal protection for personal data is not the same in all countries and may differ from the one in which you reside.

If you are located in the UK or the EEA, you should read the information provided in the EEA/UK supplemental notice below about the transfer of personal data outside of the EEA and UK, as applicable.

Retaining Personal Data

Repare will retain personal data only as long as necessary to fulfill the purpose for which such data was collected or as necessary for compliance with a legal obligation to which Repare is subject, or in order to protect your vital interests or the vital interests of another natural person.

If you are located in the EEA or the UK, you can find additional information about our retention policy below.

Securing Personal Data

While we employ a number of technical, organizational and physical safeguards designed to protect the personal data we collect, security risks are inherent in all internet and information technologies, and the transmission of personal data via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted through the Site, and we do not guarantee that your personal data will be secure from accidental loss, unauthorized access, improper use or disclosure.

Children

We are committed to protecting the privacy of children. We do not knowingly collect personal data from children under age 16 through our Site. If we learn that an individual under the age of 16 has volunteered personal or health-related personal data on the Site, or if you become aware that your child has provided us with personal data without your consent, please contact us using the contact details listed below in How to Contact Us and such personal data will be deleted.

How to Contact Us

Any questions, complaints or concerns regarding this Privacy Policy should be directed to Repare using the contact details below:

Privacy Officer
Repare Therapeutics Inc.
7717 Frederic-Banting, Building 2, Suite 270
Saint-Laurent, Quebec, H4S 1Z9

Repare Therapeutics USA Inc.
101 Main Street, Suite 1650
Cambridge, MA 02142

ATTN: Privacy
Email: [email protected]

Changes to This Policy

We may make changes to this Privacy Policy from time to time. To ensure that you are always aware of how we use your personal data, we will update this Privacy Policy from time to time to reflect any changes to our use of your personal data. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Please regularly check these pages for the latest version of this Privacy Policy. In all cases, your use of the Site after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.

Other Sites and Services

The Service may contain links to third party websites, mobile applications, and other online services operated by third parties. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or other online services that are not associated with us. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions nor are they subject to this Privacy Policy. We encourage you to read the privacy policies of each of the other third party websites, mobile applications and online services you visit.

EEA/UK GDPR Supplemental Notice

If you are located in the EEA or UK and access our Site, this EEA/UK GDPR supplemental notice applies to you.

Controller. Repare Therapeutics Inc., 7171 Frederic-Banting, Building 2, Suite 270, Saint-Laurent, Quebec, H4S 1Z9, is the controller of your personal data.

EEA and UK representative. MyData-TRUST SA
Boulevard Initialis 7/3, 7000 Mons (Belgium)
Phone number: +32 (0) 65 55 41 20
Email: [email protected]

Legal bases for processing. The legal bases of our processing of your personal data as described in this Privacy Policy will depend on the type of personal data and the specific context in which we process it. However, the legal bases we typically rely on are set out in the table below. If you have questions about the legal basis of how we process your personal data, contact us at [email protected].

Purposes of processing, with the categories of personal data involved and the legal basis for each:

Service delivery: We may use your personal data to manage our relationship with you, including responding to your request and/or inquiries; providing you access to content or information you requested.

  • Categories of personal data involved:
    • Contact data
    • Demographic data
    • Communications data
  • Legal basis:
    • If we are legally obligated to respond to your request: our legal obligations.
    • In all other cases: our legitimate interest to develop and communicate about our business.

Research and development: We may use your personal data for research and development purposes, including to analyze and improve the service and our business.

  • Categories of personal data involved:
    • Any and all data types relevant in the circumstances
  • Legal basis:
    • Our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Marketing and advertising: We and our third party advertising partners may collect and use your personal data for marketing and advertising purposes.

  • Categories of personal data involved:
    • Marketing data
    • Demographic data
    • Contact data
  • Legal basis:
    • Legitimate Interests. We have legitimate interests in promoting our operations and goals as an organization and sending and posting marketing communications for that purpose.
    • Consent. In circumstances or in jurisdictions where consent is required under applicable laws to the sending and posting of any given marketing communications.

Compliance and protection. We may use your personal data to:

  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
  • enforce the terms and conditions that govern the service; and
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

  • Categories of personal data involved:
    • Any and all data types relevant in the circumstances
  • Legal basis:
    • If we are legally obligated to do so: our legal obligations.
    • In all other cases: our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Actions we take with your consent, such as to understand what may be of interest to you, deliver relevant Site content to you, to measure or understand the effectiveness of the content we serve to you, and to use data analytics to improve our Site.

  • Categories of personal data involved:
    • Any and all data types relevant in the circumstances
  • Legal basis:
    • Your consent.

Create anonymous, aggregated or de-identified data: We may create anonymous, aggregated or de-identified data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, aggregated or de-identified data by removing information that makes the data identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the service and promote our business.

  • Categories of personal data involved:
    • Any and all data types relevant in the circumstances
  • Legal basis:
    • Our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Use for new purposes. We may use your personal data for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and explain the applicable legal basis.

 

Retention. We apply a general rule of keeping personal data only for so long as is required to fulfil the purpose for which it was collected. However, in some circumstances, we will retain your personal data for longer periods of time. We will retain personal data for the following purposes: (i) as long as it is necessary and relevant for our operations and to provide our services on our Site, e.g. so that we have an accurate record of your dealings with us in the event of any complaints or challenge; and (ii) to comply with applicable laws, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, and take other actions as permitted by law. When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

 

Your rights. You have the following rights in relation to the personal data we hold about you:

  • Right of access: You can ask us to provide you with information about our processing of your personal data and give you access to your personal data;
  • Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified;
  • Right to erasure: You can ask us to delete or remove personal data where there is no lawful reason for us continuing to store or process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
  • Right to restrict processing: You can ask us to restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Right to object: You may object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  • Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent at any time: Where we are relying on consent to process your personal data you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

 

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.

Exercising These Rights. You may submit these requests to the contact details provided above. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal information). If we reject any request you may make (whether in whole or in part), we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Your Right to Lodge a Complaint with your Supervisory Authority. Although we urge you to contact us first to find a solution for every concern you may have, you always have the right to lodge a complaint with your competent data protection authority. You can make a complaint to the data protection regulator in your habitual place of residence.

  • For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
  • For users in the UK – the contact information for the UK data protection regulator is below:

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 303 123 1113
Website: https://ico.org.uk/make-a-complaint/

Cross-Border Data Transfer. We are headquartered in Canada and have subsidiary companies in the United States and many of our service providers, advisers, partners or other recipients of data are also based outside Europe. This means that, if you use the Site, your personal data will necessarily be accessed and processed outside Europe.

You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Europe. You may have the right to receive a copy of the appropriate safeguards under which your personal data is transferred by contacting us at the contact details provided above.

Data Privacy Framework. Repare Therapeutics USA Inc. (“Repare USA”), complies with the (i) EU-U.S. Data Privacy Framework (EU-U.S. DPF), and (ii) the UK Extension to the EU-U.S. DPF (collectively, the “Data Privacy Framework”)* as set forth by the U.S. Department of Commerce. Repare USA has certified to the U.S. Department of Commerce that Repare Therapeutics USA adheres (i) to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information received from the EU in reliance on the EU-U.S. DPF, and (ii) from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the EU-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework, and to view our certification, please visit the Data Privacy Framework website.

Data processed and purposes of data processing:

  • Sites: When Repare USA relies on the Data Privacy Framework and you visit our website, https://www.reparerx.com/ or associated sites or pages (collectively, the “Sites”), Repare USA may collect, use, and disclose categories of personal data received in reliance on the Data Privacy Framework for the purposes described in the Privacy Policy, including the sections entitled “Personal data we collect” and “How we use your personal data.”
  • Clinical trials: When Repare USA relies on the Data Privacy Framework and you participate in a clinical trial as a clinical trial participant or as clinical trial staff (incl. principal investigator), Repare USA may collect, use, and disclose the categories of personal data received in reliance on the Data Privacy Framework for the purposes described in the relevant Clinical Trial Privacy Notice.

This personal data may include for example:

  • Personal data of the clinical trial staff, incl. principal investigator:
    • Name;
    • Email address;
    • Telephone number;
    • Contact Address;
    • Job title; and
    • Financial interests.
  • (Key-coded) personal data of the clinical trial participants (including spouses, caregivers and legal guardians):
    • Health and medical history;
    • Medical data collected during study, including biological samples and data for testing biological samples;
    • Results from study procedures (Blood and urine tests, etc.);
    • Date of Birth/Age;
    • Genetic information;
    • Ethnicity and racial origin;
    • Sex life; and
    • Financial information.

Purposes for which the personal data may be processed by Repare USA may include:

  • Performance of clinical trial agreement;
  • Scientific research;
  • Reliability and safety purposes;
  • Regulatory approval from third countries’ regulatory authorities;
  • Publication of the results of the clinical trial; and
  • Future research.

Third parties who may receive personal information: Repare USA uses a limited number of third parties to assist Repare USA in providing its Sites services and conducting clinical trials.

  • Sites: The types of third parties with which Repare USA may share personal information received in reliance on the Data Privacy Framework and for which purposes with respect to the Sites are set out in the section of this Privacy Policy entitled “How we share your personal data.”
  • Clinical Trials: The types of third parties with which Repare USA may share personal data received in reliance on the Data Privacy Framework and for which purposes with respect to clinical trials are set out in the Clinical Trial Privacy Notice.

 

For example, third parties that may access or receive personal data may include:

  • Repare affiliates and licensing partners;
  • Cooperating sponsors;
  • Contract research organizations;
  • Ethics Committees and Review Boards;
  • Study monitors and duty controllers, auditors and others who may check study records to ensure the clinical trial is being run properly;
  • National and international supervisory/regulatory authorities, including in the context of verifying trial procedures/data and in the context of adverse event reporting;
  • Study authors and collaborators, journal editorial boards;
  • Service providers (e.g., laboratories, data storage companies, other doctors); and
  • Any actual or potential acquirers (including their representatives) of all or part of Repare’s stock/share capital, business or assets.

If recipients to whom Repare USA has disclosed personal information in reliance upon the Data Privacy Framework process it in a manner that does not comply with the DPF Principles, Repare USA may be accountable, unless Repare USA proves that Repare USA is not responsible for the event giving rise to the damage.

 

Inquiries and complaints: In compliance with the Data Privacy Framework, Repare USA commits to resolve DPF Principles-related complaints about our collection or use of your personal information. EEA and UK individuals with inquiries or complaints regarding our handling of personal information received in reliance on the Data Privacy Framework should first contact us by email at [email protected] or write to the following address:

Repare Therapeutics USA Inc.
101 Main Street, Suite 1650
Cambridge, MA 02142

 

In compliance with the Data Privacy Framework, Repare USA commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal information received in reliance on the Data Privacy Framework.

Additionally, under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information on this option, please see the Data Privacy Framework website: Annex I

Your rights to access, to limit use, and to limit disclosure: Depending upon the context in which Repare USA processes personal information received in reliance upon the Data Privacy Framework, EEA and UK individuals may have rights to access personal information about them, and choices to limit the use and disclosure of their personal information. With our Data Privacy Framework self-certification, Repare USA has committed to respect those rights. Please submit a written request to exercise your rights or choices to the contact information provided in this Privacy Policy (see the section entitled “How to contact us”). Repare USA may request specific information from you to confirm your identity in an effort to respond to your request.

U.S. Federal Trade Commission enforcement: With respect to personal information received or transferred pursuant to the Data Privacy Framework, the U.S. Federal Trade Commission has jurisdiction over Repare USA’s compliance with the Data Privacy Framework.

Compelled disclosure: Repare USA may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

*Repare USA will not rely on the UK Extension to the EU-U.S. Data Privacy Framework until it enters into force, but Repare USA adheres to its required commitments in anticipation of its doing so.