Skip to main content

Privacy Notice

Last updated April 5, 2024

This Privacy Notice explains the practices that Equillium, Inc. (“Equillium”, “we”, “us”, “our”) follows in connection with the personal data that we collect through this website, when individuals contact us directly or through our clinical trial research.

We may change this Privacy Notice at any time by posting the revised Privacy Notice on this site and indicating the effective date of the revised Privacy Notice.

What Is Personal Data

In the context of the work that Equillium performs, personal data refers to any information that relates to an identified or identifiable individual such as a name, email, mailing address, phone number, professional background, or any information related to an individual’s health for the purpose of clinical trial research.

Personal Data Collection

We collect personal data provided directly by individuals during direct communication with Equillium through email, web forms or by phone. For the purpose of direct communication, we collect name, email address and the reason for the communication.

We collect resumes and cover letters from individuals that apply for a job at Equillium in the United States and other regions such as the European Union.

For the purpose of our research, we do not collect personal data directly. Personal data is collected through the partners (“CRO”, “Site”) that manage the clinical trials that we sponsor. They collect the personal data of the participants of the clinical trial (“Patient”, “Subject”) or as a Site investigator, employee or contractor involved in the clinical trial.

The personal data of Site investigators, employees or contractors is collected through the Clinical Research Organization (“CRO”) that we partner with.

Personal Data Processing

When an individual contacts Equillium, we store name, email address and message for the purpose of replying to the request for contact.

Resumes are reviewed to determine if the individual’s qualifications match the role they are applying for. Equillium will contact the individual if they are a viable candidate.

The Patient or Subject data that we obtain and process from the Site is pseudonymized and managed through an identifier that we cannot link back to the Patient or Subject.

We process the clinical trial Patient or Subject data to analyze the outcomes of the trial, how the Patient or Subject is responding to treatment and to track and document any safety-related events.

The investigator, employee or contractor data that we obtain from the CRO is used to verify the individual’s qualifications, satisfy documentation requirements for the purpose of the clinical trial and to verify their financial disclosures to avoid any conflict of interest.

Legal Basis for Processing

Equillium has identified the legal basis for the processing of personal data in order to comply with different privacy and data protection regulations around the world and specifically to comply with the General Data Protection Regulation (“GDPR”) in the EU.

Equillium will not process (i.e. which includes to collect, store, disclose, share, or otherwise disseminate) personal data unless we have a legal justification to do so. Equillium will only process personal data if:

  • We or the CRO we partner with, have obtained explicit consent from the Patients or Subjects participating in the clinical trial prior to the processing of personal data;
  • If we need an individual’s personal data to perform a contractual obligation to which they are a party to or where they have requested us to complete a contractual request, such as with a consulting or employment agreement.
  • If we need to process personal data to fulfill our legal and regulatory obligations;
  • If we have a legitimate interest that will not put the individual’s fundamental rights and freedoms at risk. Such legitimate interests include monitoring activity on our website to improve the functionality of such website, identification and investigation of fraud, and participation in judicial proceedings to defend or pursue a legal claim or to prosecute illegal acts.

Personal Data Disclosure

Equillium will only disclose personal data without the individual’s consent to the following parties under specific circumstances:

  • To Equillium personnel, if required, to fulfill an individual’s request or review qualifications for a job the individual has applied to;
  • To service providers that support our systems or support the activities of the clinical trial, including the Sites and the CRO that hold personal data about Patients or Subjects and Site investigators, employees or contractors;
  • To law enforcement, regulatory bodies or courts, when we are required to do so under applicable laws and regulations;
  • In connection with the sale or reorganization of all or part of our business, as permitted by applicable law.

Personal Data Security

We collect information about your website visit such as your IP address, what pages you visited and what sections of our website were of most interest to you.

We use cookies and Google Analytics to gain insights into how you as a visitor navigate our website in order to provide you with a better web experience.

If you do not want your web activity to be tracked, our cookie manager provides you with choices as to what cookies you may opt out of.

You may find the cookie manager when you first load our website or by clicking on the cookie icon on the bottom right hand side of your screen.

Personal Data Transfers

Personal data will be transferred to systems that reside in the US. The data will always be protected and in some cases pseudonymized to ensure that the risks to your privacy are minimized.

We have implemented Standard Contractual Clauses with the parties that reside in the EU and that require to transfer personal data to Equillium in the US.

Equillium complies with the requirements of the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and Swiss-US Data Privacy Framework. For more information regarding our adherence to these frameworks, refer to the EU-US – EU-UK – Swiss-US Data Privacy Framework section.

Personal Data Retention

Equillium will not retain individuals’ contact information after their request has been fulfilled.

Equillium will retain resumes for a period up to 1 year if the candidate’s application for the role is not successful in the case an opportunity in the future is more suitable to the individual’s expertise.

Equillium and the Sites that we partner with for the purpose of clinical trials will retain the Patients and Subjects personal data for as long as necessary for the purpose of research. In the case of the clinical trials we will retain the personal data for a minimum 10 years after the study ends in order to comply with applicable legal and regulatory obligations.

Rights About Personal Data

Subject to any exceptions provided by law, individuals have the right to request access to, update or deletion of their personal data.

Individuals also have the right to request restriction of or object to the processing of their personal data. Lastly, they have the right to request to have their data transferred to another organization in a commonly used format.

On each particular case we will inform the individual of the consequences of their request and if there are any exemptions to honoring these requests based on legal, contractual or regulatory requirements or constraints.

During a clinical trial the right to access, update or delete pseudonymized personal data may be limited as permitted by law. Specifically, we need to process clinical trial related personal data in specific ways in order to maintain the reliability and accuracy of the research. This is done for reasons of public interest in public health as well as for archiving purposes in the public interest, scientific or historical research or statistical purposes.

How To Exercise Personal Data Rights

To submit any request to exercise personal data rights individuals may contact us via email at privacy@equilliumbio.com.

Personal Data Breach Notification

Equillium has implemented procedures to manage any suspected personal data breach, and we will make every effort to notify individuals and any required regulator about the breach where we are legally required to do so.

Should we learn of a personal data breach that affects any individual that has had contact with Equillium, we will notify them to explain how the breach may affect them and to provide any advice on how to protect themselves. We will use the email address that we have on file or we will also post a notice on our website for any individuals whose contact information is not available but may be impacted by the breach.

General Data Protection Regulation (GDPR) - European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Equillium has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

  • by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
  • by writing to EDPO at Regus Paris Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France

EU Individuals - Right to Lodge a Complaint With A Supervisory Authority

If Equillium has collected, processed or disclosed the personal data of an individual who resides in the EU and the individual wants to lodge a complaint with a Supervisory Authority (“Data Protection Authority”) they may do so in the Member State where they reside, where they work or where they may have experienced an issue with the processing of their personal data. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

Data Privacy Framework Compliance

Equillium complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Equillium has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Equillium has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

The Federal Trade Commission has jurisdiction over Equillium’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Data Privacy Framework Complaint Resolution Mechanism

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Equillium commits to resolve DPF Principles-related complaints about your privacy and our collection and use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints regarding our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF should first contact Equillium at privacy@equilliumbio.com.

Equillium has further committed to refer unresolved privacy complaints under the DPF Principles concerning our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF to an independent dispute resolution mechanism based in the United States, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your complaint involves human resources data transferred to the United States from the European Union, [the United Kingdom, or Switzerland] in the context of the employment relationship, and Equillium does not address it satisfactorily, Equillium commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), [the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner, as applicable] and to comply with the advice given by the DPA panel [ICO, or FDPIC, as applicable] with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Equillium commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-U.S. DPF in the context of the employment relationship.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

 

Onward Transfers to Third Parties

Equillium’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Equillium remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Equillium proves that it is not responsible for the event giving rise to the damage.

Choices and Rights Over Your Personal Data

Pursuant to the Data Privacy Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to privacy@equilliumbio.com. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@equilliumbio.com.

California Residents Notice

Equillium does not collect, process, disclose or sell your personal data for marketing purposes or for Equillium’s business benefit.

The personal data collected, processed and disclosed for the purpose of clinical trials is not subject to the California Consumer Privacy Act. However, we welcome your contact requests by reaching out to privacy@equilliumbio.com if you wish to verify if Equillium holds any personal data about you outside of the scope of clinical trials.

Contact Us

If there are any questions regarding the personal data that Equillium or any of our partners collect, process or disclose or if there is any feedback regarding this Privacy Notice, individuals may contact us at privacy@equilliumbio.com.