Privacy Statement

Last Updated February 2020

Almirall, LLC (“Almirall,” “we,” or “us”), a company belonging to Almirall Group, respects your privacy and recognizes the need for appropriate protection and management information you may share with us. The purpose of this Privacy Statement (“Statement”) is to inform you how we may use information collected from you and the choices you have regarding our use of, and your ability to review and correct, the information collected. Because we may revise our privacy policies from time to time, you should periodically visit this page to review this Statement.

Please note that some of the information you provide to us may be considered Protected Health Information (“PHI”) protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and falls outside the scope of other applicable privacy laws, including the California Consumer Privacy Act (“CCPA”). In instances where we are handling your PHI (and therefore subject to HIPAA requirements) we will comply with the requirements of HIPAA applicable to your data, including when we processing safety information or conducting safety assessments or required safety reporting.

I. How We Collect Information

In general, you can visit many of our Sites without telling us who you are or revealing any of your information. We may track the Internet domain address from which people visit our Sites and analyze this data for trends and statistics, but individual users will remain anonymous, unless you voluntarily tell us who you are. The ways that we collect information from you are discussed further below. We may also collect your information through in person meetings or phone calls with our representatives.

Information You Voluntarily Provide:

There may be times when we ask you to provide certain information about yourself through different forms available in the Site or when communicating with one of representatives, such as Identifiers like your name, address, telephone number, and e-mail address, (“Personal Information”), such as when you report an adverse event, ask for information on our products, subscribe to our email alerts, ask for information regarding media or investors relations, give us feedback, express interest in our events or otherwise communicate with us.

Whether or not to provide such Personal Information is completely your own choice; we collect only the Personal Information that you provide to us. In some instances, you may also provide us with certain Commercial Information, such as credit card or payment information, such as when you sign up for the Almirall Advantage patient co pay card. In other instances, you may provide us with PHI or other medical data, such as when you participate in studies involving our products. We handle all such PHI and medical data in accordance with the standards set forth by HIPAA.

Information We Collect From Your Interaction With The Sites:

As you navigate around the Sites, certain information can be passively collected (that is, gathered without your actively providing the information), using various technologies. We and our third-party service providers passively collect information in a variety of ways, including the following:

Cookies

To enable us to provide customized and personalized services, we may use cookies to store and sometimes track information about your interaction with the Sites. A cookie is a small amount of data that is sent to your browser from a Web server and stored on your computer. Cookies allow us to collect information such as browser type, time spent on the Sites, pages visited, and language preferences. If you choose to furnish the Sites with Personal Information (such as your e-mail address), that information could be linked to the data stored in the cookie. You can refuse to accept these cookies by following your browser's instructions; however, if you do not accept them, you may experience some inconvenience in your use of the Sites.

Through your browser

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are: browser type and browser version, operating system used, deferrer URL, host name of the accessing computer, time of the server request and IP address.

Google Analytics

We use third party cookies provided by Google Analytics to assist us in better understanding our website visitors. These cookies collect IP address and usage data, such as the length of time a user spends on a page, the pages a user visits, and the websites a user visits before and after visiting our website. Based on this information, Google Analytics compiles Aggregate Data about website traffic and interactions, which we use to offer better user experiences and tools in the future. For more information on Google Analytics, visit https://support.google.com/analytics.

These data are not combined with other data sources.

II. How We Use the Information We Collect

We use the information we automatically receive from your Web browser to see which pages you visit within the Sites for various business purposes, including:

In some instances, you may provide us with additional Personal Information, including PHI or medical data, such as when you ask questions about our products, participate in a clinical trial, or use our products for medical treatment. In those instances, we will use your PHI for the following purposes, and adhere to the standards set forth by HIPAA:

The information you provide during communications with our representatives may be used by us and our event partners to communicate with you about our upcoming events and/or other events we think may be of interest to you.

The information we collect will be limited to that information necessary to conduct follow up and maintain in compliance of our safety reporting obligations.

III. How We Share Your Information

We will not sell, share, or otherwise distribute your Personal Information except as provided herein.

Third Parties

We may occasionally transfer your Personal Information to third parties who act on our behalf, or in connection with our business, for further processing in accordance with the purposes for which the data was originally collected. Where disclosure of Personal Information to a third party is likely or necessary, further explanation may be provided, where appropriate, at such collection points as to the intended use of the data. We will require that such third parties protect the information and, where appropriate, we will contractually require them to process data transferred only for the purposes expressly authorized by us. Where your PHI or medical data is shared with third parties, we will adhere to the standards set forth by HIPAA and contractually obligate them to do the same.

We may also share your name and email address with our event partners who may later communicate with you about our events and other events that may interest you.

Almirall Affiliates:

We may transmit your Personal Information to our affiliates outside the United States (“Almirall Affiliates”), such as parent company or subsidiaries, for storage purposes only. All such transmissions remain on the systems of Almirall Affiliates, and are not shared with outside parties.

Business Transactions

In the event that we, or any portion of our assets, are acquired or we undergo another transaction in our business, your information may be transferred to the acquiring company or other entity surviving such transaction.

Law Enforcement

We may report to law enforcement agencies any activities that we reasonably believe to be unlawful, or that we reasonably believe may aid a law enforcement investigation into unlawful activity. In addition, we reserve the right to release your information to law enforcement agencies if we determine, in our sole judgment, that either you have violated our policies, or the release of your information may protect the rights, property, or safety of us or another person.

Legal Process

Subject to applicable law, we may disclose information about you (i) if we are required to do so by law, regulation or legal process, such as a subpoena; (ii) in response to requests by government entities, such as law enforcement authorities; (iii) when we believe disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss; or (iv) in connection with an investigation of suspected or actual unlawful activity.

We may also use the information to investigate security breaches or cooperate with authorities pursuant to a legal matter.

Sales of Personal Information

Like most companies, we allow certain third party advertising partners to place tracking technology such as cookies and pixels on our websites. This technology allows these advertising partners to receive information about your activities on our website, which is then associated with your browser or device. These companies may use this data to serve you more relevant ads as you browse the internet. Under some state laws, sharing data for online advertising may be considered a “sale” of information. Except for this limited sharing, we do not sell any of your information. You can opt out of this sharing by clicking on the “Do Not Sell My Info” link on our website.

In certain instances, we may remove your Personal Information and use the other information for historical, statistical, or scientific purposes.

IV. Third Parties and Links To Third Party Sites

This Policy only addresses your interaction with us on our Sites. Our Sites may contain content that is supplied by a third party, and those third parties may collect usage information and your device identifier when pages from the website are served to you. We are not responsible for the data collection and privacy practices employed by any of these third parties or their services and they may be tracking you across multiple sites and may be sharing the results of that tracking with us and/or others. These third-party owners may have their own terms of service, privacy policies or other policies and ask you to agree to the same. Be sure to review any available policies before submitting personally identifiable information to a third-party application or otherwise interacting with it and exercise caution in connection with these applications. We have no control over, and cannot and do not assume responsibility for, the content, privacy policies or practices of such websites or the companies that own them.

V. Security

We seek to use reasonable administrative, technical, and physical safeguards designed to protect Personal Information under our control. For your PHI and medical data, we adhere to the standards set forth by HIPAA. Please be aware that, despite our best efforts, no security measures are perfect or impenetrable and, therefore, we cannot guarantee that your information will remain secure.

VI. Children

Protecting the privacy of children is especially important. Our Sites are not directed to children under 16 years of age and we do not provide services to children, or knowingly collect or solicit personal information from children under 16 years of age. If we learn that Personal Information has been collected on the Sites from persons under 16 years of age, we will take the appropriate steps to delete this information.

VII. Changes To This Statement

We may, in our sole discretion, update this Privacy Policy periodically without prior notice to you to reflect changes in our information practices or with respect to applicable laws. We will post the updated version on our websites and indicate at the top of the Privacy Policy when it was last updated.

VIII. Questions or Comments

If you have any questions or comments about our Privacy Policy, or if you wish to review and correct any personally identifiable information held by us please contact us at: dataprivacyus@almirall.com or 707 Eagleview Blvd, Suite 200, Exton PA 19341.

IX. Additional Privacy Information For California Users

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Please make sure you also consult our general privacy policy above for complete information.

Access to Specific Information and Data Portability Rights

You have the right to request that Almirall disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

Deletion Request Rights:

You have the right to request that Almirall delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by any of the following methods:

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

You have the right to direct us to not sell your Personal Information at any time (the “Right to Opt-Out”). Users who opt-in to Personal Information sales may opt-out of future sales at any time.

To exercise the Right to Opt-Out, you (or your authorized representative) may submit a request to us at: CCPA Data Access Request Form.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back in to Personal Information sales at any time by contacting Almirall, LLC at the email address or phone number provided in this notice.

You do not need to create an account with us to exercise your Right to Opt-Out. We will only use Personal Information provided in an opt-out request to review and comply with the request.

Non Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

X. California’s Shine the Light Law:

As referenced in this policy, we do not share your Personal Information with third parties for those third parties’ direct marketing purposes. California Civil Code Section 1798.83 permits California residents who have supplied Personal Information, as defined in the statute, to us to, under certain circumstances, request and obtain certain information regarding disclosure, of Personal Information to third parties for their direct marketing purposes. With any questions about the foregoing, please email us at dataprivacyus@almirall.com.