Last Updated September 2023
Who We Are
Spark Therapeutics, Inc. (“Spark,” “we,” “our,” or “us”) values your privacy and the protection of your Personal Data. This Privacy Notice (“Notice”) explains how we collect, store, use, share, transfer, delete, and process information collected from or about you known as Personal Data (defined further below in this Notice).
Purpose and Reach of this Privacy Notice
This Notice describes the types of Personal Data that Spark may collect or process, how we may use and disclose that Personal Data, and how you may exercise any rights you may have regarding our processing of your Personal Data.
This Notice applies to Personal Data collected or processed by us:
- Through online activities and services we offer (through websites, web surveys, newsletters, applications, email, online messaging services/channels, and otherwise) (“Online Services”);
- Related to activities we undertake in recruiting participants for participation in clinical trials or activities related to identifying and contracting with study investigators and their staff;
- In connection with post-approval pharmacovigilance and adverse events, complaints, and reports;
- When we provide products or services to you or your doctor, hospital, medical treatment or scanning facility, or other healthcare provider (collectively, “Healthcare Provider,” which refers both to the Healthcare Provider institution, organization, or company, and individuals employed by or working for or with such organization) or, if you are a Healthcare Provider, your patients;
- When you are applying to and/or enrolled in our patient support programs, including (but not limited to) Spark Therapeutics Generation Patient Services;
- When we provide products and services directly to you and in other situations where you interact with us, including but not limited to interacting with us through our telephone customer service centers, through email or SMS/text messages, or by visiting our sites and offices or our events (e.g., tradeshows and conferences) (such products and services, together with Online Services, are collectively, the “Products and Services”);
- When you interact with us in a professional capacity, for example, if you are a Healthcare Provider or an employee of a company with which we do business or provide Products and Services;
- When we undertake employment recruiting activities; or
- Anywhere this Notice is posted or referenced.
Spark may provide you with a different privacy notice in certain specific situations, in which case that privacy notice or policy will apply to the Personal Data collected or processed in that specific situation, rather than this one.
If you provide us with Personal Data of anyone other than yourself (such as a patient or family member), please note that you are responsible for complying with all applicable privacy and data protection laws prior to providing that information to Spark (including obtaining consent, if required).
Please review this Notice carefully. To the extent permitted by applicable law, by providing us your Personal Data or otherwise interacting with us, you are agreeing to this Notice.
What is Personal Data?
“Personal Data” is any information—as electronically or otherwise recorded—that can be used to identify a person or that we can link to or associate with a specific individual.
Personal Data may include information considered sensitive in some jurisdictions, such as biometric information, genetic information, health information, financial account information, specific geolocation, ethnic or racial origin, information concerning your sex life or your sexual orientation, social security number, driver’s license, state identification card, passport number, and other similar information. Data that could be considered Sensitive Personal Data is highlighted with an asterisk (*) in the chart below.
We will process any Personal Data we collect in accordance with applicable law and as described in this Notice (unless, as explained above, a separate policy or notice governs). In some circumstances, if you do not provide us with your Personal Data, certain Products and Services may be unavailable to you.
The below table is a high-level summary of the types of Personal Data we may collect from you. Following that high-level summary is additional detail and information on how we collect, process, and use Personal Data and the potential recipients of your Personal Data, now and in the preceding 12 months. Some jurisdictions require us to state the legal bases for processing your Personal Data, which are included below, but please note that not all jurisdictions may recognize all legal bases. The types of Personal Data we collect and disclose depend on your relationship with Spark. Not all of the categories listed in the following charts may apply to you. If the nature of your relationship with Spark changes, additional categories of Personal Data may also apply.
Personal Data that may be considered sensitive is noted with a “*”.
****This includes the removal of identifiers from protected health information required under the Health Insurance Portability and Accountability Act (“HIPAA”), 45 CFR § 164.514(b)(2), for such data to be considered deidentified. In the course of research, study doctors and authorized personnel may still have access to named subject records collected for such research. We will not attempt to reidentify you or anyone else from this de-identified data, and if we disclose it to third parties, we will require that they commit not to attempt to reidentify you or anyone else from the de-identified data.
**In limited circumstances, recipients may include, (1) in the event of a sale, assignment, merger, consolidation, corporate reorganization, or transfer, to the buyer, assignee, or transferee; and (2) government or regulatory officials, law enforcement, courts, public authorities, or others when permitted by this Notice or required by law.
Marketing, Cookies, and Tracking
Marketing Uses, Cookies, and Other Activities
To the extent permitted by applicable law, including in accordance with your consent where required by applicable law, we may engage in the following activities:
- We may use your contact details to contact you to determine whether you would like to initiate a business relationship with us or to send you marketing emails. If you do not wish to receive such marketing emails, you may opt out by declining to receive such emails when registering or in our subsequent communications by following opt-out or unsubscribe instructions included in the email or at other information collection points on the Online Services.
- We may display advertisements to you regarding Products and Services that we believe are relevant to you based on your activities on the Online Services or on other web or digital properties. Such advertisements may be shown on our Online Services or the online services of others. We achieve this by using, and allowing third parties (e.g., Facebook, LinkedIn) to use certain cookies, eTags, pixels, web beacons, and other tracking technologies to track your activities on our Online Services and other online services. For more information about these activities and how to manage or opt out of them, please see our Notice on Cookies.
- We may make customer offers to you based on your activities across different Online Services, including activities on other web or digital properties or your other interactions with Spark that are not via the Online Services (e.g., regional offers based on the location of your office listed on order forms).
- We also perform statistical analyses of the users of our Online Services to improve the functionality, content, design, and navigation of the Online Services.
Processing Using Website Tracking
On certain of our websites, we use Google Analytics to help us understand how users engage with this and other of our websites. Google Analytics may track your activity on our sites (i.e., the pages you have seen and the links you have clicked on) and helps us measure how you interact with the content that we provide. This information is used to compile reports and to help us improve the sites. The reports we receive disclose website trends without identifying individual visitors. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and exercise the opt-out provided by Google by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout or as described in our Notice on Cookies.
Certain web browsers and other programs may transmit “do-not-track” signals to websites with which the browser communicates. Spark’s websites do not currently respond to these “do-not-track” signals.
Where allowed by law, as described above, we use your Personal Data to provide you with targeted advertisements or marketing communications we believe may be of interest to you. In some jurisdictions, you may have the right to opt out of these types of targeted advertisements. See the Opt-out of Sale or Sharing or Processing of Sensitive Data section below to do so.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page by going to http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of sharing personal data or opt-out of targeted advertising for any website you visit by clicking on the Your Privacy Choices link located at the bottom of that website.
Additionally, you can opt-out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Opt-out of Sale, Sharing, Targeted Advertising, or Limit the Use of Sensitive Data
Certain of Spark’s practices may be considered the sale or sharing of Personal Data under certain applicable laws. You may have the right to opt-out of the sale of Personal Data, opt-out of sharing of Personal Data for purposes of cross-context behavioral advertising, which in other states is the right to opt-out of targeted advertising, and the right to limit the use of sensitive Personal Data. To exercise these rights, please see the “Your Rights Regarding Your Personal Data” section below.
Interactive Features of our Websites
To the extent we offer any public or group forums on our Products and Services, such as newsfeeds, blogs, message boards, or similar tools (“Interactive Features”), the posts or comments you make may be public and viewed by others. You should use care before posting information about yourself, including Personal Data. You acknowledge and understand that you have no expectation of privacy or confidentiality in the content you submit to Interactive Features over the Products and Services. Except when required to do so by applicable law, we assume no obligation to remove Personal Data you post on our Products and Services, and your disclosure of any Personal Data through the Interactive Features is at your own risk.
Service providers acting on our behalf must execute agreements requiring them to maintain confidentiality and to process Personal Data as necessary to perform their functions in a manner consistent with this Notice, other applicable privacy notices, and as explicitly permitted or required by applicable laws, rules, and regulations.
Combination of Data with Data Received from Third Parties
We may combine information we collect, including Personal Data, with Personal Data that we may obtain from third parties.
Links to Other Websites
Our Products and Services may contain links to other websites, applications, products, or services that are not owned or operated by Spark, such as social media websites and applications like Facebook and Twitter. You should carefully review the privacy policies and practices of other websites, products, and services as we cannot control and are not responsible for privacy policies, notices, or practices of third-party websites, applications, products, and services.
Your Rights Regarding Your Personal Data
Please note that in many circumstances, we cannot effectively do business with you without processing some Personal Data about you (e.g., your contact information). For example, when you contact our customer service representatives, we may require you to provide information to authenticate your identity to assist you with your request. If you are unable to provide this information, we may be unable to process your request.
To the extent that the state in which you live has a data protection law that requires us to offer some or all of the following rights to you, we will provide the following rights to you based on your state’s law:
- To opt-out of sharing your Personal Data for cross-context behavioral advertising or, in other states, to opt-out of targeted advertising;
- To request access to and a copy of your Personal Data, including to provide your Personal Data directly to another organization, i.e., a right to data portability;
- To request to know about the Personal Data we process about you or, in other states, to request to acknowledge our processing of your Personal Data;
- To request that we correct your Personal Data;
- To request that we delete your Personal Data;
- To request that we limit the processing of your Sensitive Personal Data;
- To opt-out of processing of Sensitive Personal Data;
- To appeal the denial of a request; and,
- To lodge a complaint with the data protection authority in your jurisdiction.
To learn if you have the other above rights in the state in which you live and to exercise any of these rights with respect to your Personal Data, please contact firstname.lastname@example.org or call us toll-free at +1 215-220-9300. We will not discriminate against you for exercising any of the rights described above, although we may not be able to continue to provide you Products and Services or it may otherwise affect the way we are able to interact with you.
We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. We may, after receiving your request, require additional information from you to honor your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.
In the event you wish to make a complaint about how we process your Personal Data, please contact us at email@example.com and we will handle your request as soon as possible. Even if you make a complaint to us, you may always lodge a complaint with the relevant authority in your location.
When we receive your Personal Data from our customers and process your Personal Data on their behalf, we do so at their request and subject to their instructions. We do not have control over our customers’ privacy and security practices and processes. If your Personal Data has been submitted to us by a Spark customer and you wish to exercise any of the above-mentioned rights, please contact the relevant customer directly.
Consistent with applicable laws and requirements, Spark has put in place physical, technical, and administrative safeguards designed to protect Personal Data from loss, misuse, alteration, theft, unauthorized access, and unauthorized disclosure consistent with legal obligations and industry practices. However, as is the case with all websites, applications, products, and services, we unfortunately are not able to guarantee security for data collected through our Products and Services. In addition, it is your responsibility to safeguard any passwords, ID numbers, or similar individual information associated with your use of the Products and Services.
How Long Your Personal Data Will Be Retained
We generally retain Personal Data for as long as needed for the specific business purpose or purposes for which it was collected or obtained, and as outlined in this Notice. In some cases, we may be required to retain Personal Data for a longer period of time by law or for other necessary business purposes. Whenever possible, we aim to de-identify the information or otherwise remove some or all information that may identify you from records that we may need to keep for periods beyond the specified retention period. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject that affects the Personal Data; and (iii) whether retention is determined to be necessary or advisable for Spark due to applicable statutes of limitations, litigation, or other legal or regulatory obligations. Spark takes reasonable steps to dispose of Personal Data upon the expiration of retention periods taking into consideration these litigation, legal, or regulatory obligations.
Special Note to Patients
If you are a patient, please note that this Notice is distinct from your Healthcare Provider’s HIPAA Notice of Privacy Practices, which describes how your Healthcare Provider uses and discloses individually identifiable information about your health that it collects, as well as any other privacy practices it applies. Spark collects, uses, and discloses any Personal Data it receives from your Healthcare Provider in accordance with its HIPAA-required agreements with your Healthcare Provider.
Changes to This Privacy Notice
We reserve the right to change this Notice from time to time. We will alert you when changes have been made by indicating the date this Notice was last updated as the date the Notice became effective or as otherwise may be required by law. It is recommended that you periodically revisit this Notice to learn of any changes.
If you have questions or comments about this Notice or about how your Personal Data is processed, please contact us by one of the methods below:
Spark Therapeutics, Inc.
Attention: Head of Corporate Compliance
3737 Market Street, Suite 1300
Philadelphia, PA 19104
Phone: +1 215-220-9300
We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. Note that your request to exercise your data privacy rights must be done through the web form and phone number listed under Your Rights Regarding Your Personal Data. We may, after receiving your request, require additional information from you to honor your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.