Privacy Policy
This Privacy Notice was last updated on Jan 30th 2024
1.0 Purpose
1.1 The purpose of this Policy is to communicate how CARGO Therapeutics, Inc. (CARGO) collects, uses, and discloses – and its obligation to maintain the privacy and confidentiality of – Personal Data/Personal Information (as defined below) that is obtained when one is accessing the CARGO website and/or other applications, including mobile applications (collectively “Site”), that directly link to this statement. CARGO is also committed to complying with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and other relevant privacy laws.
2.0 Scope
2.1 This Policy applies to all Personal Data/Personal Information collected, processed, or stored by CARGO, including data related to patients, healthcare providers, employees, consultants, contractors, partners, and other individuals with whom CARGO interacts. This Privacy Policy also applies to the operation of this Site. BY ACCESSING OR USING THE SITE, VISITORS TO THIS SITE CONSENT TO CARGO’S COLLECTION, USE, AND SHARING OF VISITORS’ INFORMATION AS SET FORTH IN THIS PRIVACY POLICY. Please read this Policy carefully before using the Site or submitting Personal Data/Personal Information to CARGO. This Policy is incorporated into and subject to the Terms of Use.
3.0 Responsibilities
3.1 The responsibility to take steps designed to ensure compliance with this Policy and applicable data privacy laws rests with all CARGO Representatives.
3.1.1 Only access Personal Data/Personal Information which they have been authorized to access and for which they have a legitimate need to perform their job duties.
3.1.2 Treat all Personal Data/Personal Information as confidential.
3.1.3 Follow computer system access controls as defined in CARGO’s Data Integrity Policy designed to safeguard personal and company data.
4.0 Definitions and abbreviations
4.1 Definitions
Applicable Laws: In relation to any Personal Data/Personal Information collected by CARGO, all applicable legislation regarding the protection of personally identifiable information for individuals or households, including, as applicable, the General Data Privacy Regulation (EU Regulation 2016/679; “GDPR”), and/or other applicable data protection or national, federal, state, or provincial privacy legislation in force, including, where applicable, binding statutes, decisions, guidelines, guidance notes and codes of practice as may be issued from time to time by courts, data protection authorities, and other applicable government authorities.
CARGO Representatives: CARGO officers, directors, employees, contractors, consultants, and vendors.
Confidential Information: Confidential information is any information that is disclosed by one party to another party, that is not public, and that could be harmful if revealed to unauthorized parties. Confidential information can be written, oral, or tangible, and can be designated as confidential or implied by the nature and circumstances of the disclosure. Confidential information is usually protected by laws and contracts.
Computerized System: Any CARGO electronic device and associated software in which Personal Data/Personal Information, or other Confidential Information is entered, stored, manipulated, accessed, and transmitted.
Personal Data/Personal Information: Any information that CARGO Representatives, CARGO or its affiliates (e.g., contracted CROs, Apheresis Centers, clinical trial sites) collect that can be used to identify, locate, or contact the person including, without limitation:
- Contact Information: first and last name, mailing address, telephone number, email address, and other contact information that people choose to provide to CARGO;
- Demographic Information: age, gender, date of birth, location;
- Professional Data: Professional affiliations, specialty, NPI;
- Employment history: job applicant data;
- Information collected through tracking technologies: IP address, geo-location data, cookies, statistical data to monitor utilization of the Site, or other online identifiers
4.2 Abbreviations
CROs: Contract Research Organizations
GDPR: General Data Protection Regulation
HIPAA: Health Insurance Portability and Accountability Act
5.0 Policy statement
5.1 CARGO respects the privacy of visitors to the Site, and of those who interact with CARGO in other ways. At CARGO, all personnel and representatives recognize the need for appropriate protection and management of the Personal Data/Personal Information that is shared with CARGO. It is CARGO’s policy that the Personal Data/Personal Information collected will be used by CARGO for limited purposes. CARGO respects the personal and private nature of this information and is committed to appropriately protecting the Personal Data/Personal Information collected and to using it in compliance with applicable privacy laws, rules and regulations, and the following data protection principles:
- Privacy by design and by default: Personal Data/Personal Information shall be subject to reasonable access controls designed to ensure that Personal Data/Personal Information is stored securely and accessed properly by CARGO Representatives with a need to access such information to do their jobs.
- Lawfulness and transparency: CARGO is committed to (i) only collect Personal Data/Personal Information for specific, legitimate purposes and collected in accordance with Applicable Laws, and (ii) being transparent with patients and other individuals about how CARGO uses their Personal Data/Personal Information.
- Minimal Data Processing: CARGO data processing operations are designed to process only the minimum amount of Personal Data/Personal Information that is necessary for the performance of specific operations that require access to such information.
- Accuracy/quality of personal information: CARGO is committed to compliance with data protection laws that require that Personal Data/Personal Information be accurate based on what is submitted to CARGO and, where necessary, kept up to date.
- Giving effect to Patient rights: CARGO respects the rights of patients participating in CARGO-sponsored clincal trials with respect to the processing of their Personal Data/Personal Information. CARGO will respond to requests from patients to exercise their privacy rights regarding their their Personal Data/Personal Information in accordance with Applicable Law.
- Storage limitations: CARGO will not keep Personal Data/Personal Information for any longer than is reasonably necessary to achieve the purposes for which the Personal Data//Personal Information was collected.
- Data integrity and confidentiality: CARGO has systems in place designed to protect the Personal Data/Personal Information in CARGO’s possession or under CARGO control from misuse, interference, loss, unauthorized access and disclosure, modification, accidental or unlawful destruction and other forms of unlawful processing.
- Compliance with rules relating to data transfers (including international transfers and transfers to third parties): In the event that CARGO needs to transfer Personal Data/Personal Information between different countries, CARGO will do so in a manner designed to ensure that such data are sufficiently protected when transferred.
5.2 Collecting personal information: CARGO collects Personal Data/Personal Information actively and passively. Examples of how Personal Data/Personal Information is collected includes but are not limited to:
- Directly from individuals who provide Personal Data/Personal Information to CARGO
- Registering for a CARGO event, program, newsletter, or other activity or communication
- Signing up for informational or marketing materials
- Visiting CARGO’s websites through cookies and other technological tools to collect data about the visitor’s computer and use of the CARGO website and applications
- Visiting CARGO’s offices
- From a visitor’s browser or device, information generated from online browsing and usage activity, or from public third-party sources such as LinkedIn
- Interacting with CARGO via social media and email
- Responding to inquiries that individuals submit to CARGO
- From healthcare professionals, hospitals, medical clinics, and contract research organizations (CRO) participating in CARGO-sponsored clinical trials
- From third party service providers, data brokers, or business partners
- From industry and patient groups and associations
5.3 Using and Disclosing Personal Data/Personal Information: CARGO does not sell, share, or otherwise distribute Personal Data/Personal Information to third parties for its or their marketing purposes. Subject to the provisions of Applicable Laws, CARGO may use and/or disclose Personal Data/Personal Information for its business purposes and also to meet its regulatory and ethical obligations. Such uses and/or disclosures may include but are not limited to:
- Complying with lawful requests, legal processes, or governmental regulations
- Responding to requests, questions, and feedback
- Improving CARGO’s level of service
- Providing and/or promoting products and services
- Providing and requesting information
- Completing transactions
- Sharing with service providers who act on CARGO’s behalf and are bound by law or contract to protect Personal Data/Personal Information and only use such information in accordance with CARGO’s instructions
- Developing business relationships
- Considering job applications
- Reporting adverse events
- Monitoring and analyzing business operations and website and other applications usage
- Anonymizing data so that it is no longer Personal Data/Personal Information
- Providing access to CARGO sites and facilities
- Administrative and quality assurance purposes
- Protecting against fraud, illegal activity (such as identifying and responding to incidents of hacking or misuse of CARGO’s websites and mobile applications) and claims and other liabilities
- Other lawful purposes described on https://cargo-tx.com
5.4 Your Rights, Data Limitations, and Opt-Out: People have the right to know the Personal Data/Personal Information collected by CARGO and how CARGO uses and/or discloses such information. People can limit the Personal Data/Personal Information provided to CARGO but this may result in inability to access to services and content on the Site.
5.5 Cookies: When visitors come to the CARGO Site, CARGO may collect certain data by automated means, using technologies such as cookies that may be placed on the visitor’s computer. CARGO may collect data about the device used to access the Site, the pages visited, the length of time spent on Site pages, the operating system and platform type, browser type and version, domain, and other system settings, the language the system uses, the country and time zone where the device is located, the date and time the Site is visited, and the IP address of the device used. People can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on their browser.
5.6 Consent to Processing in the United States and Elsewhere: By using this Site, visitors consent to the collection, storage, and processing of their data in the United States and in any country to which CARGO may transfer such data in the course of CARGO’s business operations.
5.7 Policies of Third Parties: This Policy only addresses the use and disclosure of Personal Data/Personal Information by CARGO. CARGO may provide links to outside websites or advertisements for third parties that have their own policies regarding data collection, use and disclosure. The terms of usage and other conditions of use posted on those websites, and not the policies and procedures described here, apply to those websites.
5.8 Children’s Privacy: CARGO is committed to protecting the privacy of children. This Site is not intended for, or designed to attract, children under the age of 13. CARGO does not knowingly collect any Personal Data/Personal Information of anyone under the age of 13, and no Personal Data/Personal Information should be submitted to CARGO through the website by visitors who are less than 13 years old. If it comes to CARGO’s attention that someone under the age of 13 has volunteered Personal Data/Personal Information, or that a healthcare professional has volunteered Personal Data/Personal Information about a patient who is younger than 13, without the given or authorized consent of the holder of parental responsibility over such child, CARGO will promptly, upon relevant notification or request, delete such Personal Data/Personal Information from its systems.
5.9 How to Contact CARGO: Please contact CARGO with any questions or comments about its privacy practices or this Policy by e-mail, telephone, or regular mail at info@cargo-tx.com, or 650-499-8950, or CARGO Therapeutics, Inc., ATTN: General Counsel, 835 Industrial Road, Suite 400, San Carlos, CA 94070.
5.10 General Data Protection Regulation (GDPR) and the Data Protection Act of 2018 (UK GDPR): Citizens of the EU and UK are provided additional rights regarding the management of their Personal Data/Personal Information. These include without limitation:
- Right to request access to the Personal Data/Personal Information provided to CARGO
- Right to request deletion of Personal Data/Personal Information provided to CARGO
- Right to rectify inaccuracies
- Right to be informed of the Personal Data/Personal Information being collected, the reasons why it is being collected, who is collecting it, how long it will be retained, how it is shared and how to file a complaint
- Right to object to the processing of Personal Data/Personal Information
- Right to receive one’s Personal Data/Personal Information in a structured manner, in a standard format and
- Right to withdraw consent for processing of Personal Data/Personal Information
- These rights are to be exercised by EU and UK citizens free of charge unless the request is unfounded, excessive, or otherwise unreasonable, for instance, because it is needlessly duplicative. In some situations, CARGO may refuse to act or may impose limitations on these rights, as permitted by Applicable Law. Individuals making requests regarding the collection and/or use of their Personal Information will be required to provide Personal Information sufficient to verify their identity so that CARGO can appropriately respond to such inquiries.