Your privacy is important to us. This Privacy Notice (“Policy”) explains the manner in which Areteia Therapeutics (“ARETEIA”, “we” and “us”) collects, uses, maintains, and shares information about visitors to our website located at www.areteiatx.com (the “Website”).
At a high level, this Policy applies to ways in which we interact with individuals, which we referred to herein as “Data Subjects”, in connection with our business, including, without limitation:
- directors, officers, employees and other representatives of portfolio companies in which ARETEIA has made an investment or is considering making an investment;
- individual representatives of third-party sellers, placement agents, finders, investment bankers, consultants, lawyers, accountants, advisers and other service providers, whether or not engaged by ARETEIA;
- directors, officers, employees and other representatives of ARETEIA;
- individuals applying for or enquiring about employment with us;
- individuals who consider or do invest with us and their representative agents with whom we interact during the normal course of business; and
- visitors to our websites and users of any digital services we provide.
Please note that we may provide additional privacy notices or similar disclosures in respect of certain entities within ARETEIA, categories of Data Subjects (e.g., certain investors or prospective investors in a fund managed or advised by ARETEIA, certain former or existing employees associated with ARETEIA, etc.), and certain geographies and jurisdictions.
What data do we collect and how?
Personal Data. When we use the term “Personal Data” we mean information that reasonably can be used to identify you as an individual person. In connection with our business, we may collect various types of Personal Data, including, among other things:
- Identifiers such as your name, postal address, tax ID, passport number, internet protocol address, email address, account name, social security number, driver’s license number, mail address, phone number, or other similar identifiers.
- Information classified as personal or protected information by state, federal, or other applicable law.
- Commercial information, including tax information, bank account details, credit card number, money transfers including communications on bank transfers, assets, investor profile, credit history, debts and expenses.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Visual information, including your picture.
- Professional or employment-related information, including your employment history, employer’s name, and remuneration.
- Education information, including your level of education.
We collect this Personal Data in various ways, including:
- Directly from the Data Subject (e.g., when you voluntarily submit information to the Website, or send us an email or other written correspondence).
- Indirectly from other sources (e.g., from public records or from a counterparty in possession of the data).
If you are located outside of the United States, please be aware that the Personal Data we collect will be processed and stored in the United States, a jurisdiction in which the data protection and privacy laws may not offer the same level of protection as those in the country where you reside or are a citizen. Please see below for further information on this for EEA/UK residents.
How and on what basis do we use your Personal Data?
We may use your Personal Data for a variety of purposes, and (to the extent applicable) on the basis of various legal bases, including, but not limited to, the following:
- Complying with legal or regulatory obligations, such as our obligations regarding know-your-client and anti-money laundering due diligence;
- Performing a contract with you or to take steps at your request before entering into a contract, including to: (i) provide you with information regarding ARETEIA products or services; (ii) assist you and answer your requests; (iii) evaluate whether we can offer you a ARETEIA product or service and under what conditions; and (iv) responding to know-your-client and anti-money laundering information requests presented by counterparties with whom we do business on your behalf or for your benefit; and
- Other legitimate business interests, such as:
- Communicating with Data Subjects;
- Performing activities relating to client management, financial management and administration;
- Creating, improving and developing our products and services;
- Conducting market research, surveys, and similar inquiries to help us understand trends, client and Website visitor needs;
- Investigating and resolving disputes and security issues and enforcing our Terms of Service and other agreements;
- Monitoring and auditing compliance with internal policies and procedures, legal obligations and to meet requirements and orders of regulatory authorities; and
- Processing and considering applications for employment, including evaluating and confirming your suitability for the position and accuracy of any information submitted.
We will not use your Personal Data for any purposes inconsistent with this Policy and the purpose for which it was collected, without your permission or otherwise in accordance with applicable law.
We do not sell any Personal Data and have not sold any Personal Data in the past.
With whom do we share your Personal Data?
Within ARETEIA. We share your Personal Data among ARETEIA entities and affiliates for the purposes set forth above. In general, ARETEIA entities and affiliates, in turn, are not permitted to share your information with other non-affiliates entities, except as described herein or otherwise permitted by applicable laws.
To Third Parties. We share your Personal Data with third parties in certain circumstances, including the following:
- Service Providers. We share Personal Data with service providers that perform services on our behalf (e.g., third-party service providers to operate the Website) and with service providers and other counterparties to our clients and investors. These companies may have access to your Personal Data but are permitted to use the information solely to provide the specific service or as otherwise permitted by law. We generally require these providers by contract to keep the information confidential.
- Transaction or Other Corporate Event. Your Personal Data can be disclosed as part of a corporate business transaction, such as a merger, acquisition, joint venture, financing or sale of company assets, including bankruptcy proceedings, or other investment activity, and could be transferred to a third party as one of the business assets in such a transaction. It also can be disclosed in the event of insolvency, bankruptcy or receivership. In such an event, we will post prominent notice of the change in ownership.
- As Required by Law. We also disclose your Personal Data if we are required to make disclosures by applicable law or to the government or private parties in connection with a lawsuit, subpoena, investigation or similar proceeding, or as part of our legislative or regulatory reporting requirements.
How do we protect your Personal Data?
We take seriously the obligation to safeguard your Personal Data. Your Personal Data held by us will be kept confidential in accordance with applicable ARETEIA policies and procedures. We will use all reasonable efforts to ensure that all Personal Data is kept secure and safe from any loss or unauthorized disclosure or use. All reasonable efforts are made to ensure that any Personal Data held by us are stored in a secure and safe place and accessed only by our authorized employees and transferees.
Keeping your Personal Data current
In general, we seek to ensure that we keep your Personal Data accurate and up-to-date. However, you are responsible for, and we kindly request that you inform us of, any changes to your Personal Data (such as a change in your contact details). To update or edit your Personal Data that we have on file, including your communication preferences, please contact us using the contact details set out under the “Contact and Complaints” heading below or by sending an e-mail to [email protected].
How long do we keep your Personal Data?
In general, we will process and store your Personal Data for as long as it is necessary in order to fulfil our contractual, regulatory and statutory obligations, which may differ depending on the relevant ARETEIA entity or jurisdiction. Subject to those qualifications, our goal is to keep such data for no longer than necessary in relation to the purposes for which we collect and use the Personal Data (we refer to the purposes as set forth above). If you have any specific questions in this respect, please feel free to contact us.
Do Not Track
ARETEIA does not track Data Subjects over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (“DNT”) signals. However, some third-party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser allows you to set the DNT signal so that third parties (particularly advertisers) know you do not want to be tracked. You should consult the help pages of your browser to learn how to set your preferences so that websites do not track you.
Contact and Complaints
ARETEIA takes very seriously any complaints we receive about our use of your Personal Data. Questions, comments, requests or complaints regarding the Website, this Policy, the Terms of Service and/or our use of your Personal Data should be addressed to [email protected].
Any Personal Data we receive from you when making a complaint will be treated in accordance with this Policy and only to process the complaint and check on the level of service we provide. Similarly, where inquiries are submitted to us we will only use the information supplied to us to deal with the inquiry and any subsequent issues and to check on the level of service we provide.
Areteiatx.com Website Servers
areteiatx.com is operated from servers in the United States.
Please be aware that a Website may contain links to other websites hosted by third parties. ARETEIA does not control and is not responsible for the content or privacy practices and policies of such third-party websites. We encourage you to be aware when you leave the Website and to read the privacy policies of each third-party website, especially if such website collects Personal Data from you.
Additional Information for Residents of the European Economic Area (the “EEA”) and the United Kingdom (the “UK”)
In addition to the information above, the below information applies to any Data Subject accessing our website whilst resident in the EEA or the UK. For purposes of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 and the UK GDPR (as defined in the UK Data Protection Act 2018 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2018 (SI 2019/419)) (both referred to herein as the “GDPR”):
The applicable data controller for the Website will be:
- ARETEIA whose headquarters is located in the United States at 101 Glen Lennox Dr - Suite 300 - Chapel Hill, NC 27517.
The data controller is responsible for deciding how your Personal Data is processed and protecting it from harm.
GDPR Data Protection Principles
In respect of the collection, holding, storage, use, and processing of your Personal Data:
- We will process the data lawfully, fairly and in a transparent way.
- We will obtain the data only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- The data we collect will be relevant to the purposes we have told you about and limited only to those purposes.
- We will take reasonable steps to ensure that the data is accurate and kept up to date.
- Subject to applicable legal or other requirements, we will keep the data only as long as necessary.
- We will use appropriate technical and/or organizational measures to ensure appropriate security of the data.
Transfer of Personal Data Outside of the UK/EEA
Your personal data will be hosted in the United States and will therefore be transferred and stored outside of the UK or European Economic Area (“EEA”) both inside of our group and to certain third party suppliers, where such information is collected in the EU or UK. For the purpose of applicable EU/UK laws, such third countries (including the U.S.) may not offer the same level of data protection as your country of residence, and additional safeguards may be necessary for such transfers. We ensure that such transfers will be made in accordance with applicable EU/UK data privacy laws, for example using specific contracts approved for use in the EU/UK which give Personal Data the same protection it has in the EU/UK. This may include the EU Standard Contractual Clauses and/or UK Addendum.
GDPR Data Subject Rights
Under the GDPR, in certain circumstances, a UK or EEA-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them. In particular, you may have the right to:
- Request access to any data held about you;
- Ask to have inaccurate data amended;
- Request data held about you to be deleted, provided the data is not required by ARETEIA to perform a contract, defend a legal claim or to comply with applicable laws or regulations;
- Prevent or restrict processing of data which is no longer required; and
- Request transfer of appropriate data to a third party where this is technically feasible.
Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
To exercise any of these rights, please contact us using the contact details set out under the “Contact and Complaints” heading above. We may need to request further information from you to help us confirm your identity to help facilitate your request. This is a security measure to ensure that Personal Data is not mistakenly disclosed.
Automated Decision Making
We respect your legal rights not to be subject to decisions that are based solely on automated processing of your Personal Data, including profiling, especially where such processing has legal or other significant effects on you. In establishing and carrying out a business relationship, we generally do not use any automated decision making pursuant to the GDPR. We may process some of your Personal Data automatically, with the goal of assessing certain personal aspects (profiling), such as to comply with legal or regulatory obligations to combat money laundering, terrorism financing, and offenses that pose a danger to assets. We also use assessment tools in order to be able to allow communications and marketing to be tailored as needed, all following applicable EEA or UK law.
Complaints to Local Authorities
As a resident of the EEA or UK, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection supervisory authority.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.
Additional Information for Residents of California
The information below may apply to Data Subjects who are residents of California.
California Data Subject Rights
California’s “Shine the Light” law permits California residents to annually request and obtain information free of charge about what personal information is disclosed to third parties for direct marketing purposes in the preceding calendar year. For more information on these disclosures, please contact us using the contact details set out under the “Contact and Complaints” heading above.
In addition, Data Subjects in California may have a right under the California Consumer Privacy Act (“CCPA”) to request erasure of their Personal Data or access to Personal Data that we have collected in the last twelve (12) months.
You may submit requests for access or erasure of your personal information by contacting us at [email protected].
Individuals who submit requests for access or erasure of personal information will be required to verify their identity by answering certain questions. We will not disclose or delete any information until identity is verified.
If you are making a request for access, we may not be able to provide specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your personal information, your account with us, or our systems or networks.
If you are making a request for erasure, we will ask that you confirm that you would like us to delete your personal information again before your request is addressed.
You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.
Agents who make requests on behalf of individuals, will be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.
Under the CCPA, you cannot be discriminated against for exercising your rights to access or request erasure of their Personal Data.
The Website is intended for general audiences and not for children. Although the Website is not targeted toward children, we are concerned about the safety and privacy of children who use the Internet. If a child under 16 has provided personal information (as defined by the Children’s Online Privacy Protection Act) or personal data (under the GDPR) to us through the Website, a parent or guardian may inform us using the contact details set out under the “Contact and Complaints” heading above, and we will use commercially reasonable efforts to delete it from our database, subject to applicable law and this Policy.