Skip to main content

Privacy Notice

Last updated March 25, 2026

This Privacy Notice explains the practices that Equillium, Inc. (“Equillium”, “we”, “us”, “our”) follows in connection with the personal data that we collect through this website, when individuals contact us directly or through our clinical trial research.

We may change this Privacy Notice at any time by posting the revised Privacy Notice on this site and indicating the effective date of the revised Privacy Notice.

WHAT IS PERSONAL DATA

In the context of the work that Equillium performs, personal data refers to any information that relates to an identified or identifiable individual such as a name, email, mailing address, phone number, professional background, online identifier, or information relating to an individual’s health for the purpose of clinical trial research.

PERSONAL DATA COLLECTION

Personal Data We Collect Directly

The following describes the personal data we collect directly from you and the purposes for which we use it.

Contact and General Inquiries

If you contact Equillium by email, web form, or telephone, we collect your name, email address, the reason for your communication, and any additional information you choose to include in your correspondence.

Careers / Job Applications

If you apply for a job with Equillium, we collect your name, email address, and information related to your application, such as your resume or CV, cover letter, employment history, education history, professional qualifications, and any other information you choose to provide.

Personal Data We Collect Indirectly from Third Parties

The following describes the personal data we receive from third-party sources in connection with the clinical trials we sponsor.

Clinical Trial Participants

For the purpose of our research, we do not collect personal data directly from clinical trial participants. Instead, our contracted Clinical Research Organizations (“CROs”) and clinical trial Sites collect personal data of clinical trial participants (“Patients” or “Subjects”) as part of managing the clinical trials we sponsor.

Clinical trial participant data provided to us by Sites is pseudonymized through the use of a study identifier. Equillium does not receive information that directly identifies individual participants and cannot link the study identifier back to a specific individual.

Clinical Trial Site Personnel

We receive personal data from our CRO partners relating to Site investigators, employees, and contractors involved in our sponsored clinical trials. This information may include name, contact information, professional credentials, and information relating to their role in the clinical trial.

Personal Data We Collect Automatically

When you visit or interact with our websites, we automatically collect certain information about your device and activity, including IP address, approximate location, browser and device information, pages visited, and interactions with website content.

We use cookies, pixels, beacons, and similar technologies to understand how visitors navigate our websites, measure performance, and improve user experience. Where permitted, we also use these technologies to support marketing and advertising activities.

You can manage your cookie preferences through our cookie consent tool and browser settings. For more information, please refer to our Cookie Notice.

PURPOSES FOR COLLECTION AND USE OF PERSONAL DATA

We use the personal data described above for the following purposes:

Communications and Inquiries: To respond to inquiries, communicate with individuals who contact us, and manage our business operations.

Recruitment and Employment: To evaluate applicant qualifications, communicate regarding job applications, manage the recruitment process, and retain applicant information as described in the Personal Data Retention section.

Clinical Trial Management and Research: To sponsor, oversee, and manage clinical trials; analyze clinical trial outcomes; evaluate participant response to treatment; track and document safety-related events; verify investigator qualifications; satisfy documentation and financial disclosure requirements; and comply with applicable legal and regulatory obligations.

Website Operations and Security: To operate, maintain, and improve our website; monitor website usage and performance; enhance user experience; and support security and fraud prevention.

PERSONAL DATA PROCESSING

When an individual contacts Equillium, we store name, email address and message for the purpose of replying to the request for contact.

Resumes are reviewed to determine if the individual’s qualifications match the role they are applying for. Equillium will contact the individual if they are a viable candidate.

The Patient or Subject data that we obtain and process from the Site is pseudonymized and managed through an identifier that we cannot link back to the Patient or Subject.

We process the clinical trial Patient or Subject data to analyze the outcomes of the trial, how the Patient or Subject is responding to treatment and to track and document any safety-related events.

The investigator, employee or contractor data that we obtain from the CRO is used to verify the individual’s qualifications, satisfy documentation requirements for the purpose of the clinical trial and to verify their financial disclosures to avoid any conflict of interest.

LEGAL BASIS FOR PROCESSING

Equillium has identified the legal basis for the processing of personal data in order to comply with different privacy and data protection regulations around the world and specifically to comply with the GDPR in the EU. 

Our legal bases for processing personal data include: 

  • Consent: We or the CRO we partner with have obtained explicit consent from the Patients or Subjects participating in the clinical trial prior to the processing of personal data. 
  • Contractual Necessity: Processing is necessary to perform a contract to which an individual is a party or to take steps at the individual’s request prior to entering a contract, such as in connection with a consulting or employment agreement. Legal Obligation: Processing is necessary to comply with applicable legal and regulatory obligations. 
  • Legitimate Interest: Processing is necessary for our legitimate interests, provided those interests are not overridden by the individual’s fundamental rights and freedoms. Such legitimate interests include monitoring activity on our website to improve the functionality of such website, identification and investigation of fraud, and participation in judicial proceedings to defend or pursue a legal claim or to prosecute illegal acts. 

Equillium will not process (i.e. which includes to collect, store, disclose, share, or otherwise disseminate) personal data unless we have a legal justification to do so. 

PERSONAL DATA DISCLOSURE

Equillium will only disclose personal data without the individual’s consent to the following parties under specific circumstances:

  • To Equillium personnel, if required, to fulfill an individual’s request or review qualifications for a job the individual has applied to;
  • To service providers that support our systems or support the activities of the clinical trial, including the Sites and the CRO that hold personal data about Patients or Subjects and Site investigators, employees or contractors;
  • To law enforcement, regulatory bodies or courts, when we are required to do so under applicable laws and regulations;
  • In connection with the sale or reorganization of all or part of our business, as permitted by applicable law.

PERSONAL DATA SECURITY

Equillium is committed to protecting the personal data we collect, use, and disclose. We maintain appropriate administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.

Our safeguards include access controls, role-based permissions, IT security measures such as firewalls, internal policies and training, and restricted access to facilities. Access to personal data is limited to employees and authorized third parties with a legitimate business need to access such information.

We collect information about your website visit such as your IP address, what pages you visited and what sections of our website were of most interest to you.

We use cookies and Google Analytics to gain insights into how you as a visitor navigate our website in order to provide you with a better web experience.

If you do not want your web activity to be tracked, our cookie manager provides you with choices as to what cookies you may opt out of.

You may find the cookie manager when you first load our website or by clicking on the cookie icon on the bottom right hand side of your screen.

PERSONAL DATA TRANSFERS

Personal data will be transferred to systems that reside in the US. The data will always be protected and in some cases pseudonymized to ensure that the risks to your privacy are minimized.

We have implemented Standard Contractual Clauses with the parties that reside in the EU and that require to transfer personal data to Equillium in the US.

Equillium complies with the requirements of the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF). For more information regarding our adherence to these frameworks, refer to the DATA PRIVACY FRAMEWORK sections.

PERSONAL DATA RETENTION

Equillium will not retain individuals’ contact information after their request has been fulfilled.

Equillium will retain resumes for a period up to 1 year if the candidate’s application for the role is not successful in the case an opportunity in the future is more suitable to the individual’s expertise.

Equillium and the Sites that we partner with for the purpose of clinical trials will retain the Patients and Subjects personal data for as long as necessary for the purpose of research. In the case of the clinical trials we will retain the personal data for a minimum 10 years after the study ends in order to comply with applicable legal and regulatory obligations.

RIGHTS ABOUT PERSONAL DATA

Subject to applicable legal exceptions, individuals have the right to request access to, correction of, or deletion of their personal data. Individuals also have the right to request restriction of or object to the processing of their personal data and to request that their data be transferred to another organization in a commonly used format, where applicable.

For individuals in the European Union, the United Kingdom, and Switzerland whose personal data is processed in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF, Equillium acknowledges the right to access personal data that we maintain about you. Upon request, we will provide confirmation as to whether we maintain personal data about you and provide access to such data in accordance with the DPF Principles and applicable law.

During a clinical trial the right to access, update or delete pseudonymized personal data may be limited as permitted by law. Specifically, we need to process clinical trial related personal data in specific ways in order to maintain the reliability and accuracy of the research. This is done for reasons of public interest in public health as well as for archiving purposes in the public interest, scientific or historical research or statistical purposes.

HOW TO EXERCISE PERSONAL DATA RIGHTS

To submit any request to exercise personal data rights individuals may contact us via email at privacy@equilliumbio.com.

CHOICES AND RIGHTS OVER YOUR PERSONAL DATA

In accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Equillium provides individuals with the opportunity to opt out of certain disclosures of their personal data to third parties or the use of their personal data for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized.

For sensitive personal data, we will obtain affirmative express consent (opt-in) before disclosing such data to a third party or using it for a purpose other than that for which it was originally collected or subsequently authorized.

To exercise your choice regarding the use or disclosure of your personal data under the DPF, please contact us at privacy@equilliumbio.com.

PERSONAL DATA BREACH NOTIFICATION

Equillium has implemented procedures to manage any suspected personal data breach, and we will make every effort to notify individuals and any required regulator about the breach where we are legally required to do so.

Should we learn of a personal data breach that affects any individual that has had contact with Equillium, we will notify them to explain how the breach may affect them and to provide any advice on how to protect themselves. We will use the email address that we have on file or we will also post a notice on our website for any individuals whose contact information is not available but may be impacted by the breach.

GENERAL DATA PROTECTION REGULATION (GDPR) - EUROPEAN REPRESENTATIVE

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Equillium has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

European INDIVIDUALS - RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If Equillium has collected, processed or disclosed the personal data of an individual who resides in the EU, the UK or Switzerland and the individual wants to lodge a complaint with a Supervisory Authority (“Data Protection Authority”) they may do so in the Member State where they reside, where they work or where they may have experienced an issue with the processing of their personal data. A list of EU Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en. For the UK, please visit: https://ico.org.uk/make-a-complaint/. For Switzerland, please visit: https://www.edoeb.admin.ch/en/contact-2.

DATA PRIVACY FRAMEWORK COMPLIANCE

Equillium complies with the EU-U.S. Data Privacy Framework program (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (“Swiss-U.S. DPF”) (collectively, the “Data Privacy Framework Principles” or “DPF Principles”) as set forth by the U.S. Department of Commerce. Equillium has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the EU in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Equillium has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission (FTC) has jurisdiction over Equillium’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and Equillium is subject to the investigatory and enforcement powers of the FTC.

DATA PRIVACY FRAMEWORK COMPLAINT RESOLUTION MECHANISM

In compliance with the DPF Principles, Equillium commits to resolve DPF Principles-related complaints about your privacy and our collection and use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Equillium at privacy@equilliumbio.com.

Equillium has further committed to refer unresolved privacy complaints under the DPF Principles concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to an independent dispute resolution mechanism based in the United States, DPF Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if your complaint is not satisfactorily addressed, please visit

https://bbbprograms.org/programs/all-programs/dpf-consumers/ for more information and to file a complaint. This service is provided free of charge to you. 

If your complaint involves human resources data transferred to the United States from the European Union, the United Kingdom, or Switzerland in the context of the employment relationship, and Equillium does not address it satisfactorily, Equillium commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable and to comply with the advice given by the DPA panel [ICO, or FDPIC, as applicable] with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. For the UK ICO, please visit: https://ico.org.uk/make-a-complaint/. For the Swiss FDPIC, please visit: https://www.edoeb.admin.ch/en/contact-2. Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

ONWARD TRANSFERS TO THIRD PARTIES

Equillium’s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party is described in the DPF Principles. Equillium remains responsible and liable under the DPF Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Equillium proves that it is not responsible for the event giving rise to the damage.

CALIFORNIA RESIDENTS NOTICE

Equillium does not collect, process, disclose or sell your personal data for marketing purposes or for Equillium’s business benefit.

The personal data collected, processed and disclosed for the purpose of clinical trials is not subject to the California Consumer Privacy Act. However, we welcome your contact requests by reaching out to privacy@equilliumbio.com if you wish to verify if Equillium holds any personal data about you outside of the scope of clinical trials.

CONTACT US

If there are any questions regarding the personal data that Equillium or any of our partners collect, process or disclose or if there is any feedback regarding this Privacy Notice, individuals may contact us at privacy@equilliumbio.com.