Privacy Notice

Last Updated: March 25, 2024

We at Generate:Biomedicines (“Generate”) are committed to maintaining and protecting your privacy. This Privacy Notice describes how we collect, use, and disclose your personal information when you visit our website, other digital properties or otherwise interact with us (collectively, the “Services”). Please read this Privacy Notice carefully.

In some instances, we or our representatives may deliver to you a separate privacy notice that applies in specific circumstances. For example, if you participate in a clinical trial sponsored by us, you will receive a separate privacy notice at the time you consent to enroll in the trial that will describe our collection, use, and disclosure of your personal information as part of that trial. In these cases, that separate privacy notice will apply to your personal data, not this Privacy Notice.

If you have any questions about this Privacy Notice or our data practices, please see our contact information below.

How We Collect Your Personal Information

We may collect personal information about you from the following sources:

Directly from you. We may collect information you provide to us directly, such as when you send us a comment or question, or when you request information through our Services.
Through automated and other tracking technologies. We may automatically collect information about you, such as through cookies and other data collection technologies, when you interact with our Services. This may include information about how you use and interact with our Services including communications from us (such as when you open an email/text message you received from us), information about your device, and internet usage information.
From third parties. We may collect information from third parties, such as organizations that support our business, research partners, social media platforms through which you interact with us, and vendors.

We may combine personal information that we receive from various sources for the below purposes.

What Personal Information We Collect

Depending on how you interact with us, we may collect the following categories of personal information from or about you:

Identifiers, such as your name, e‑mail address, and your Internet Protocol (“IP”) address.
Information maintained in our business records, including details about your relationship with us, the research studies or services you are interested in, records of our agreements/your consents we may have collected, and the contents of your communications with us.
Commercial information, such as information about your payment history and other commercial information.
Professional or employment-related information, such as your specialty, practice, and institution, if you interact with us in that capacity.
Protected class and demographic information, such as age, sex, gender, and disability.
Internet and other electronic activity information, such as information about your device (like your operating system, browser type, and language), referring URLs (i.e., websites you navigate to our website from), access times, pages viewed, links clicked, use of our website’s interactive features, and other information about your interactions with our Services.
Geolocation information, such as the non-precise location information that we derive from your IP address.
Inferences drawn from the information we collect about you to create a profile about you reflecting your preferences, such as your professional interests.
Sensitive information, such as information about your health.

How We Use Your Personal Information

We may use the personal information that we collect and maintain for the following purposes:

To provide our Services. We may use your personal information to provide our Services to you, such as responding to your requests and communicating with you.
For internal business purposes. We may use your personal information to operate our business, including to maintain internal business records, enforce our policies and rules, for reporting and auditing, and IT security and administration.
For research, development, and improvement of our Services. We may use your personal information to engage in research and development activities, collecting adverse events, verifying or maintaining the quality or safety of our products, improving our Services, and debugging and repairing errors with our systems, networks, and equipment.
For marketing. We may use your information to send and improve personalized newsletters, surveys, questionnaires, promotions, or information about our offerings.
For legal, safety, or security reasons. We may use your personal information to detect, investigate, and prevent risk, fraudulent events, and other illegal activities, to manage legal claims, subpoenas, and requests in connection with investigations and dispute-resolution processes, as permitted or required by applicable law, and to protect the rights and property of Generate and others.
In connection with a corporate transaction. We may use your personal information if we acquire assets of another business or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change.

We may also anonymize, de-identify, or aggregate your personal information to use for any purpose permitted by law.

How We Disclose Your Personal Information

We may disclose your personal information as follows:

Service providers. We may disclose your personal information to third parties that provide services to us, such as web hosting and analytics, data storage, business support, marketing, and other IT services providers. It is our policy to require our service providers to keep the information confidential and to not use the information outside of our business relationship.
Auditors, advisors, and financial institutions. We may disclose your personal information to auditors for the performance of audit functions, with advisors to receive legal and other advice, and with financial institutions concerning payment and other transactions and services.
Our business partners. We may disclose your personal information to our business partners for events or activities that we oversee or manage jointly, such as a research study. Generally, such business partners are limited to using your personal information for the purposes of an event or activity. We may also disclose your personal information to companies that operate their own cookies and other tracking technologies. We are not responsible for the privacy policies or practices of these companies when they use personal information for their own purposes. We encourage you to familiarize yourself with their privacy policies to understand how they process Personal Data.
Mergers, acquisitions, and bankruptcy. If Generate ever files for bankruptcy or merges with another company, or if Generate decides to buy, sell, or reorganize some part or all of its business, Generate may disclose your personal information to parties involved in the transaction. It is Generate’s practice to seek appropriate protection for personal information disclosed in these types of transactions.
As required by law and other legal-related disclosures. We may disclose your personal information if we believe in good faith that disclosure is necessary: (a) to comply with the law, such as to report possible adverse events or to respond to legal process (e.g., court order, subpoena, search warrant) or other legal requirements of any governmental authority; (b) to protect the integrity of the Services; © to protect and defend our, your, or others’ rights, property, safety or interests; or (d) to detect, prevent, or respond to fraud, intellectual property infringement, violations of our Terms of Use, violations of law, or other misuse of the Services.

Cookies and Similar Technologies

We may collect information on our website by automated means such as through cookies, web beacons, log files, local storage and similar technology (collectively, “cookies”). We use these technologies to uniquely identify visitors and store information or settings in/retrieve such information from the user’s browser/device. The categories of tracking technologies we use generally fall into one of the following categories:

Necessary: We use first party cookies that are essential for the operation of our website and enable its functionality, such as certain security, multimedia and load balancing features.
Statistics and Performance: These cookies allow us to count visits and traffic sources, and understand how you interact with our websites, so we can measure and improve their performance. If you do not allow these cookies we will not know when you have visited our website and will not be able to monitor its performance. We use Google Analytics in limited geographies to gather traffic information to allow us to improve our websites and apps and support their functionality. To prevent these services from receiving your user activity on websites and apps, see https://tools.google.com/dlpage/gaoptout.

All users can consent or decline non-essential cookies through the cookie banner and/or cookie preference center. In addition, if you do not want us to collect information through tracking technologies, you can set your web browser to reject certain cookies. Each browser is different, so you should check your browser’s “Help” menu to learn how to change your cookie preferences. If you reject or block cookies from the Services, the Services may not function as intended.

Some browsers transmit “do-not-track” signals to websites. Our Services do take steps to honor these “do-not-track” signals.

Cookie Declaration

Marketing Communications

You may opt out of receiving marketing communications from us by submitting a request to info@generatebiomedicines.com or using the unsubscribe mechanism at the bottom of our marketing emails.

Retention of Your Personal Information

As a general matter, we may keep your personal information for as long as necessary to fulfill the purposes for which it was collected, such as for the length of the Service we provide to you, or for the period we carry out specific research and a reasonable period thereafter, for example to allow any follow-up services or development activities to run their course. If a law requires us to retain your personal information for a longer period of time, we will comply with that law. We may also retain your personal information as necessary to protect or resolve dispute, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

Security of Your Personal Information

We maintain reasonable physical, technical, and administrative measures designed to protect your personal information. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. While we strive to protect your personal information from unauthorized access, use, or disclosure, Generate cannot and does not ensure or warrant the security of your information.

Links to Other Sites

Some of our Services may contain links to third party websites or services that are not under our control. If you visit another website, we encourage you to review that website’s privacy policy to understand how that website operator will treat your information. Our Privacy Notice does not apply to those other websites.

Children’s Information

Our Services are intended for general audiences and are not directed to minors. We do not knowingly collect information from children under the age of 18 in connection with our website or other online Services.

Updates to Privacy Notice

We reserve the right to update this Privacy Notice from time to time. In certain cases, we will attempt to notify you of updates prior to them taking effect. You are encouraged to review this Privacy Notice regularly to stay informed about our personal information practices and the choices available to you.

Contact Us

For general questions about our privacy practices, please contact us at:

info@generatebiomedicines.com

Generate:Biomedicines

101 South Street, Suite 900

Somerville, MA 02143

United States

Notice to California Residents

This section supplements the information and disclosures contained above. It applies only to California residents about whom we collect personal information as a business under the California Consumer Privacy Act (“CCPA”). Below describes our practices with respect to personal information over the past 12 months:

Generate has collected the categories of personal information listed in “What Personal Information We Collect” above. The purposes for which Generate has collected personal information and the sources of that information are respectively described in “How We Collect Your Information” and “How We Use Your Personal Information” above.
Generate has disclosed personal information for a business purpose to the categories of third parties listed in the “How We Disclose Your Personal Information” section above.
We have only used and disclosed your sensitive information to: (i) perform services or provide goods reasonably expected by an average consumer; (ii) detect security incidents; (iii) resist malicious, deceptive, or illegal actions; (iv) ensure the physical safety of individuals; (v) enable short-term, transient use, including non-personalized advertising; (vi) perform or provide internal business services; or (vii) verify or maintain the quality or safety of a service or device.
Generate has not “shared” your personal information for the purposes of targeted advertising or “sold” personal information. We do not knowingly sell the personal information of minors under the age of 16.

California residents also have the following privacy rights under the CCPA, which are subject to certain legal exception and exemptions:

Right to know and access: You have the right to access and obtain a copy of to the personal information we have collected about you.
Right to correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to delete: You have the right to request that we delete the personal information that we have collected about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your personal information was collected. If we deny your request for deletion, we will let you know the reason why.
Right to opt out of sale/sharing: You have the right to opt out of the sale or sharing of your information. We do not currently sell or share your personal information.
Right to nondiscrimination: You have the right to not be discriminated against for exercising these rights.

To exercise your CCPA rights, contact us at info@generatebiomedicines.com or (888) 547‑1235. We will take steps to verify your identity before processing certain requests. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. We may request additional information about you to verify your identity. We will only use the personal information provided in the verification process to verify your identity or authority to make a request and to track and document request responses unless you initially provided the information for another purpose.

You may be able to use an authorized agent to submit a rights request on your behalf. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your personal information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on their behalf.

Additional Notice for European Economic Area, Switzerland and the United Kingdom

This section applies only to personal information, which is subject to European Economic Area (“EEA”), United Kingdom (“UK”), or Swiss data protection laws. It supplements the remainder of this Privacy Notice.

Data Controller. Generate is the entity responsible for the processing of your Personal Data as the controller. In some cases, we may make decisions on how your personal information is processed, together with other entities. In these situations, we are jointly responsible for the lawfulness of the specific processing activities as joint controllers and will notify you as necessary.

Legal Bases for Processing. We process personal information for the purposes identified above, based on the following legal bases:

Purpose of use	Personal information processed	Legal bases
Provide our services.	Identifiers; Information maintained in our business records; Commercial information; Professional or employment-related information.	Performance of a contract to which you are a party or taking steps at your request prior to entering into a contract. Our legitimate interests in providing services and maintaining relationships with you. Your consent, when appropriate.
Internal business purposes	Identifiers; Information maintained in our business records; Commercial information; Professional or employment-related information; Internet and other electronic activity information; Geolocation information; Inferences.	Performance of a contract to which you are a party or taking steps at your request prior to entering into a contract. Compliance with a legal or statutory obligation to which we are subject. Our legitimate interest in operating our business. Your consent, when appropriate.
Research, development, and improvement of our Services	All categories.	Our legitimate interest in improving our services. Performance of a contract to which you are a party or taking steps at your request prior to entering into a contract. Compliance with a legal or statutory obligation to which we are subject. Your consent, when appropriate.
Marketing	Identifiers; Information maintained in our business records; Commercial information; Professional or employment-related information; Internet and other electronic activity information; Geolocation information; Inferences.	Our legitimate interest in promoting our brand and products. Your consent, when appropriate.
Legal, safety, or security reasons	All categories.	Compliance with a legal or statutory obligation to which we are subject. Our legitimate interests in complying with our legal obligations, enforcing our policies, and protecting rights, property, and safety of our company and others. Establishment, exercise or defense of legal claims. Protection of vital interests. Your consent, when appropriate.
In connection with a corporate transaction	All categories.	The legitimate interest we and other participating entities have in completing corporate transactions. Your consent, when appropriate.

Your Data Protection Rights. Subject to applicable data protection laws, you may have the following rights concerning your personal information:

Right to Access. You have the right to obtain confirmation from us whether we are processing your Personal Data and related information, as well as the right to obtain a copy of your Personal Data undergoing processing.
Right to Data Portability. You may receive your Personal Data that you have provided to us in a structured, commonly used and machine-readable format.
Right to Rectification. You have the right to request the rectification of inaccurate Personal Data and to have incomplete data completed.
Right to Objection. You have the right to object to the processing of your Personal Data in certain cases, including regarding direct marketing.
Right to Restrict Processing. You may request that we restrict the processing of your Personal Data in certain cases.
Right to Erasure. You may request that we erase your Personal Data in certain cases.
Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority in the country where you reside or where the conduct that is the subject of the complaint occurred.
Right to Refuse or Withdraw Consent. In case we ask for your consent to process your Personal Data, you are free to refuse to give it. If you have given your consent, you may withdraw it at any time without any adverse consequences. The lawfulness of any processing of your Personal Data that occurred prior to the withdrawal of your consent will not be affected.
Right to Not Be Subject to Automated Decision-making. You have the right to not to be subject to a decision based solely on automated processing and to be given more information about why any such decision was made.

You may exercise these rights by contacting us as specified below.

Data protection officer. You can contact our data protection officer using contact details specified below.

Generatebiomedicines.dpo@mydata-trust.info

EU/UK representative. Generate has designated MyData-TRUST as its representative in the EU. Generate has designated MyData-TRUST as its representative in the UK. You can contact the relevant representative at:

Generatebiomedicines.dpr.eu@mydata-trust.info
Generatebiomedicines.dpr.uk@mydata-trust.info

Transfers of your Personal Information out of the European Economic Area, Switzerland and the United Kingdom

We are based in the United States. We may transfer your information to our business partners and service providers that are located in countries other than where you live. By using our Services or otherwise providing personal information to us, you understand that your personal information will be processed in the U.S. and the countries where our services providers are located. These countries may protect your personal information differently (including less) than where you are located. We will ensure that the recipient country is either recognized by the EU/UK/Switzerland authorities as having an equivalent level of data protection, or we will make sure that your personal information is adequately protected by using appropriate safeguards, like EU Standard Contractual Clauses or other mechanisms authorized by the data protection authorities ( including Binding Corporate Rules, approved Codes of Conduct and Certifications). In some cases, the transfer may be based on derogations provided by the EU GDPR/UK GDPR/FADP because the transfer is necessary for important reasons of public interest. Other derogations also exceptionally apply.