PRIVACY POLICY

Last Updated on May 24, 2022

This Privacy Policy explains how Repare Therapeutics Inc., including all of its subsidiary companies (collectively, “Repare,” “we,” or “us”), handles personal data that we collect through our website: https://www.reparerx.com/ or associated sites or pages (the “Site”). This policy does not address any data collected via any clinical trial conducted by Repare; and data collected in connection with clinical trials will be disclosed in trial-related documentation, such as the Informed Consent Form provided in connection with the trial. The purpose of this Privacy Policy is to explain what personal data we collect, how we use your personal data, and how we share your personal data, as well as explain your statutory rights in certain jurisdictions.

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), please consult the EEA/UK GDPR supplemental notice below.

Personal Data We Collect

Information you provide to us: Personal data you may provide to us through the Site or otherwise includes:

  • Contact data, such as your first and last name, salutation, email address, professional title and company name, and phone number.
  • Demographic information, such as your city, state, country of residence, postal code, and age.
  • Communications that we exchange with you, including when you contact us through the Site, social media, or otherwise.
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
  • Other information not specifically listed here that you decide to share with us, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Automatic data collection:

  • With your permission where it is required by applicable laws, we and/or our business partners may automatically log information about you, your browser, your computer or mobile device, and your activity on the Site. The information that may be collected automatically includes your computer or mobile device operating system type and version number, manufacturer and model, device identifier, browser type, screen resolution, IP address, the Site you visited before browsing to our Site, general location information such as city, state or geographic area, and information about your use of and actions on the Site, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our business partners may collect this type of information over time and across third-party websites and mobile applications. This information is collected using cookies and similar tracking technologies. Please consult our Cookie Policy for more information.

How We Use Your Personal Data

We may use your personal data for the following purposes or as otherwise described at the time we collect it:

  • Service delivery. We may use your personal data:
    • to communicate with you about the Site, including by responding to your requests and/or queries about our company and our business activities, and sending announcements, updates, security alerts, and support and administrative messages;
    • to provide you with information and content you have requested, including to provide you access to webcasts, event recordings, newsletters, etc.;
    • to communicate with you about events in which you participate;
    • to ensure access to and maintenance of our Site and to ensure its proper functioning; and
    • to provide, operate, and improve our Site and our business, and to customize your browsing experience.
  • Research and development. We may use your personal data for research and development purposes, including to analyze and improve the service and our business.
  • Marketing. We and our service providers may collect and use your personal data for marketing purposes. We may send you direct marketing communications. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
  • Compliance and protection. We may use your personal data to:
    • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
    • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
    • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
    • enforce the terms and conditions that govern the service; and
    • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
  • With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal data, such as when required by law.
  • To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, aggregated or de-identified data by removing information that makes the data identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the service and promote our business.

How We Share Your Personal Data

We may share your personal data with the following parties and as otherwise described in this Privacy Policy or at the time of collection.

  • Affiliates: We may share your personal data with our subsidiaries and affiliates.
  • Business partners and service providers: We may transfer your personal data to our business partners and service providers as necessary for them to provide services to us in connection with our fulfilment of the purpose set out above. For example, we may rely on service providers to host and maintain our Site, perform backup and storage services, and transmit communications.
  • Authorities and others: Where permitted or required by applicable law, we may also need to transfer your personal data to government agencies, regulators (e.g., tax authorities, courts, and government authorities), and private parties as we believe in good faith to be necessary to comply with our legal obligations.
  • Professional Advisors: Where permitted or required by applicable law, we may also need to transfer your personal data to external professional advisors as necessary to defend our legal interests.
  • Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the surviving entity in a merger or the acquiring entity.

Your Choices

In this section, we describe the rights and choices available to all users. If you are located in the UK or the EEA, you can find additional information about your rights in the EEA/UK supplemental notice below.

Opt-out of marketing communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

Cookies. For information about cookies employed by the Site and how to control them, see our Cookie Notice.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Declining to provide information. We need to collect personal data to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Cross-Border Data Transfer

We are headquartered in Canada and may use service providers that operate in other countries. The level of legal protection for personal data is not the same in all countries and may differ from the one in which you reside.

If you are located in the UK or the EEA, you should read the information provided in the EEA/UK supplemental notice below about the transfer of personal data outside of the EEA and UK, as applicable.

Retaining Personal Data

Repare will retain personal data only as long as necessary to fulfill the purpose for which such data was collected or as necessary for compliance with a legal obligation to which Repare is subject, or in order to protect your vital interests or the vital interests of another natural person.

If you are located in the EEA or the UK, you can find additional information about our retention policy below.

Securing Personal Data

While we employ a number of technical, organizational and physical safeguards designed to protect the personal data we collect, security risks are inherent in all internet and information technologies, and the transmission of personal data via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted through the Site, and we do not guarantee that your personal data will be secure from accidental loss, unauthorized access, improper use or disclosure.

Children

We are committed to protecting the privacy of children. We do not knowingly collect personal data from children under age 13 through our Site. If we learn that an individual under the age of 13 has volunteered personal or health-related personal data on the Site, or if you become aware that your child has provided us with personal data without your consent, please contact us using the contact details listed below in How to Contact Us and such personal data will be deleted.

How to Contact Us

Any questions, complaints or concerns regarding this Privacy Policy should be directed to Repare using the contact details below:

Privacy Officer
Repare Therapeutics Inc.
7210 Frederic-Banting, Suite 100
Saint-Laurent, Quebec, H4S 2A1

Repare Therapeutics USA Inc.
1 Broadway, 15th Floor
Cambridge, MA 02142

ATTN: Privacy
Email: [email protected]

Changes to This Policy

We may make changes to this Privacy Policy from time to time. To ensure that you are always aware of how we use your personal data, we will update this Privacy Policy from time to time to reflect any changes to our use of your personal data. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Please regularly check these pages for the latest version of this Privacy Policy. In all cases, your use of the Site after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.

Other Sites and Services

The Service may contain links to third party websites, mobile applications, and other online services operated by third parties. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or other online services that are not associated with us. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions nor are they subject to this Privacy Policy. We encourage you to read the privacy policies of each of the other third party websites, mobile applications and online services you visit.

EEA/UK GDPR Supplemental Notice

If you are located in the EEA or UK and access our Site, this EEA/UK GDPR supplemental notice applies to you.

Controller. Repare Therapeutics Inc., 7210 Frederic-Banting, Suite 100, Saint-Laurent, Quebec, H4S 2A1, is the controller of your personal data.

EU representative. MyData-TRUST SA
Boulevard Initialis 7/3, 7000 Mons (Belgium)
Phone number: +32 (0) 65 55 41 20
Email: [email protected]

UK representative. MyData-TRUST SA
Boulevard Initialis 7/3, 7000 Mons (Belgium)
Phone number: +32 (0) 65 55 41 20
Email: [email protected]

Legal bases for processing. The legal bases of our processing of your personal data as described in this Privacy Policy will depend on the type of personal data and the specific context in which we process it. However, the legal bases we typically rely on are set out in the table below. If you have questions about the legal basis of how we process your personal data, contact us at [email protected].

Purposes of processing and legal basis

Purpose: Service delivery: We may use your personal data to manage our relationship with you, including responding to your request and/or inquiries; providing you access to content or information you requested.
Legal basis:
  • If we are legally obligated to respond to your request: our legal obligations.
  • In all other cases: our legitimate interest to develop and communicate about our business.

Purpose: Research and development: We may use your personal information for research and development purposes, including to analyze and improve the service and our business.
Legal basis:
  • Our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Purpose: Marketing and advertising: We and our third party advertising partners may collect and use your personal data for marketing and advertising purposes.
Legal basis:
  • Your consent.

Purpose: Compliance and protection. We may use your personal data to:
  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
  • enforce the terms and conditions that govern the service; and
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
Legal basis:
  • If we are legally obligated to do so: our legal obligations.
  • In all other cases: our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Purpose: Actions we take with your consent, such as to understand what may be of interest to you, deliver relevant Site content to you, to measure or understand the effectiveness of the content we serve to you, and to use data analytics to improve our Site.
Legal basis:
  • Your consent.

Purpose: Create anonymous, aggregated or de-identified data: We may create anonymous, aggregated or de-identified data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, aggregated or de-identified data by removing information that makes the data identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the service and promote our business.
Legal basis:
  • Our legitimate interests. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

Use for new purposes. We may use your personal data for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention. We apply a general rule of keeping personal data only for so long as is required to fulfil the purpose for which it was collected. However, in some circumstances, we will retain your personal data for longer periods of time. We will retain personal data for the following purposes: (i) as long as it is necessary and relevant for our operations and to provide our services on our Site, e.g. so that we have an accurate record of your dealings with us in the event of any complaints or challenge; and (ii) to comply with applicable laws, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, and take other actions as permitted by law. When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

Your rights. You have the following rights in relation to the personal data we hold about you:

  • Right of access: You can ask us to provide you with information about our processing of your personal data and give you access to your personal data;
  • Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified;
  • Right to erasure: You can ask us to delete or remove personal data where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request;
  • Right to restrict processing: You can ask us to suspend the processing of your personal data if, (i) you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Right to object: You can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  • Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Right to withdraw consent at any time: You can withdraw your consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.

To exercise any of these rights, please contact us using the contact details provided above.

Although we urge you to contact us first to find a solution for every concern you may have, you always have the right to lodge a complaint with your competent data protection authority.

Cross-Border Data Transfer. We may transfer your personal data outside of the EEA and/or UK. Some of these recipients are located in countries in respect of which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under Article 45 of the GDPR.

Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal data to a recipient in a Restricted Country, we will either:

  • enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time to time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
  • rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal data when this is transferred as mentioned above.