bluebird bio privacy policy
This “Privacy Policy” describes the privacy practices of bluebird bio, Inc. (collectively, “bluebird”, “we”, “us”, or “our”) regarding how we collect, use, disclose and otherwise process personal information, including personal health information, sensitive personal information, and personally identifiable information (collectively, “Personal Information”), in connection with the website(s) and mobile app(s) on which we post or link to this Privacy Policy (the “Sites”) and our products and services (together with the Sites, the “Services”), and explains the rights and choices available to individuals who use our Services (“they”, “their”, “you”, “your”) with respect to their information.
bluebird may provide additional privacy notices to individuals at the time we collect their data. For example, we provide a specific privacy notice to clinical trial participants that describe our privacy practices in connection with conducting clinical trials. This type of an “in-time” notice will govern how we may process the information you provide at that time. For example, our privacy practices in connection with clinical trials are governed by applicable clinical trial protocol(s).
Individuals located in Europe should be sure to read the important information provided below.
Personal Information We Collect
How We Use Your Personal Information
How We Share your Personal Information
Changes to this Privacy Policy
I. Personal Information We Collect
Whose Personal Information We Collect
We collect Personal Information from the following individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other healthcare professionals, clinical trial investigators, researchers, pharmacists, users of our Sites, job applicants, and other individuals who interact directly with bluebird. We may also process Personal Information we received from our business partners.
II. How We Collect Personal Information
We collect Personal Information:
- Directly from individuals
- Through the Sites
- From healthcare professionals
- Hospitals, clinics and other healthcare providers
- From contract research organizations and clinical trial investigators
- From government agencies or public records
- From third party service providers, or business partners
- From industry and patient groups and associations
- From social media or other public forums (including adverse event information and product quality complaints)
III. Types of Personal Information We Collect
The types of personal information we collect and share depend on the nature of the relationship you have with us and the requirements of applicable laws. We may collect:
- Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) that we collect in connection with managing clinical trials, conducting research, formulating and administering gene therapies, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports
- Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
- Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)
- Professional credentials, educational and professional history, and institutional affiliations
- Bank account information we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information)
- If you are a health care professional, we collect information about the programs and activities in which you have participated, your prescribing of our products and the agreements you have executed with us
- Your photograph, social media handle or digital or electronic signature
- Publicly available information (such as comments describing support for and experience with bluebird products or therapies)
- Other information you provide to us (such as in emails, on phone calls, in market research surveys, or in other correspondence with us or our service providers or business partners)
We may combine other publicly available information, such as information related to the organization for which you work, with the personal information that you provide through the Services.
IV. Information automatically collected
We may automatically log information about you and your computer or mobile device when you access our Sites. For example, we may log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Sites. We collect this information about you using cookies.
Please refer to our Cookie Notice for more details.
V. Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may pseudonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.
VI. Do Not Track Signals
Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not currently respond to do not track signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com
VII. How We Use Your Personal Information
We use your Personal Information for the following purposes and as otherwise described to you in this Privacy Policy or at the time of collection:
If you use our Sites, we use your Personal Information to:
- operate, maintain, administer and improve the Sites
- better understand your needs and interests, and personalize your experience with the Sites
- provide support and maintenance for the Sites
- respond to your Service-related requests, questions and feedback
To perform and administer clinical trials, research and product-improvement activities
We may use your Personal Information when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:
- staff and manage clinical trials, including by recruiting investigators and participants
- track and respond to safety and product quality concerns (including product recalls)
- support public health initiatives, symposia, conferences, and scientific, educational and volunteer events
- developing our gene therapies
- facilitate medication adherence programs
- define and manage appropriate patient engagement activities, and patient support programs (including to provide co-pay and other financial assistance where available)
- identify and engage thought leaders and external experts
- award scholarships and grants
- attribute authorship to academic and promotional materials
We use your Personal Information as necessary to provide bluebird Services, including to:
- manage access to our products, including where access is limited by law to licensed physicians
- pay for services that physicians, researchers and other individuals may provide to us
- deliver our gene therapies and immunotherapies
We may send you surveys, promotions or other marketing communications, but you may opt out of receiving them as described in the "Opt-out of marketing" section below.
We use your Personal Information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
To comply with regulatory monitoring and reporting obligations
We use your Personal Information as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.
In some cases, we may ask for your consent to collect, use or share your Personal Information, such as when required by law or our agreements with third parties.
To create pseudonymized data for analytics
We may create pseudonymized data from your Personal Information and may then aggregate it with Personal Information from other individuals. We convert Personal Information into pseudonymized data by excluding information that makes the data personally identifiable to you, and use that pseudonymized data for our lawful business purposes, including to track the patient along the stages of treatment, to ensure that a healthcare professional receives our product for use with the correct patient, and in connection with additional treatment-related purposes.
For compliance, fraud prevention and safety
We use your Personal Information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
VIII. How We Share your Personal Information
Affiliates
We may disclose your Personal Information to our subsidiaries and corporate affiliates for purposes consistent with this Privacy Policy.
Service providers
We may contract with third party companies and individuals to perform services on our behalf, including:
- Contract research organizations that conduct clinical trials;
- Data storage and analytics providers;
- Customer service (including our medical information line) and patient support providers (including for product quality and adverse event reporting, patient co-pay assistance, medicine intake adherence programs, etc.);
- Technology services and support (including email and web hosting providers, marketing and advertising technology providers, email and text communications providers, mobile app developers);
- Event planning and travel organizations that help facilitate our programs; and
- Payment, shipping and fulfillment service providers.
We may share your Personal Information with these third parties, which may use your Personal Information only as directed by bluebird and in a manner consistent with this Privacy Policy. Such third parties are prohibited contractually from using or disclosing your Personal Information for any other purpose.
Healthcare providers and healthcare professionals and organizations
We may disclose your Personal Information to healthcare providers and qualified treatment centers in connection with developing and delivering our gene therapies and immunotherapies. We may also share your Personal Information with health care professionals, researchers, institutions, academics, public health organizations, and publishers for purposes consistent with this Privacy Policy.
Business partners
We may disclose your Personal Information to partners with whom we jointly develop products or services, in connection with the development and promotion of such products or services. We will ask for your consent before disclosing your Personal Information to our business partners where required by applicable law.
Professional advisors
We may disclose your Personal Information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Compliance with laws and law enforcement; protection and safety
We may disclose your Personal Information to government or law enforcement officials or private parties as required by law, and disclose and use such Personal Information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our websites, mobile apps, products and services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
Business transfers
We may sell, transfer or otherwise share some or all of our business or assets, including your Personal Information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy, in which case we will use commercially reasonable efforts to require the recipient to honor this Privacy Policy.
IX. Additional Program Terms
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your Personal Information, such as if you participate in a special program, activity, event, or clinical trial. These situations will be governed by the specific terms, privacy notices, or consent forms that provide additional information about how we will use your Personal Information. We will honor these additional terms with respect to your Personal Information and thus, strongly recommend you review the additional terms prior to participating in any such programs.
X. Your Rights
Right to request the deletion of your Personal Information
You may contact us at privacy@bluebirdbio.com to request deletion of any or all of your Personal Information that we may have collected or stored. Upon receipt of a verified request, we will delete your requested Personal Information and request that any service provider, affiliate, business partner or other third party with which we have shared such information under this Privacy Policy deletes such personal information. We may request your date of birth, HCP, address, and bluebird bio ID number to enable us to verify your request. If you are a clinical trial participant you will need to make your request directly to the clinical trial administrator, subject to their verification process.
Right to correct your Personal Information
If you become aware that the Personal Information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, you may contact us at privacy@bluebirdbio.com to request that we make such correction. Upon receipt of a verified request, we will make your requested corrections to the Personal Information that we may have and will request that any service provider, affiliate, business partner or other third party with which we have shared such Personal Information under this Privacy Policy makes such corrections.
Right to access your Personal Information
You have the right to request that we provide you with: (i) the categories of your Personal Information we collected or processed; (ii) the sources from which your Personal Information was collected; (iii) the business or commercial purpose for collecting, selling, processing or sharing your Personal Information; (iv) the recipients or categories of recipients to whom we disclosed or shared your Personal Information; and (v) the specific pieces of personal information we have collected about you. Upon receipt of a verified request, we will provide the requested information about your personal information.
Right to know what Personal Information is sold or shared and with whom
You have the rights to request that we provide you with: (i) the categories of your Personal Information that we collected or processed; (ii) the categories of Personal Information that we sold or shared about you and the categories of third parties to whom your Personal Information was sold or shared; and (iii) the categories of Personal Information that we disclosed about you for business purposes and the categories of persons to whom it was disclosed for a business purpose. Upon receipt of a verified request, we will provide the requested information.
Right to opt out of sale or sharing of your Personal Information
You have the right, at any time, to direct us not to sell or share your Personal Information.
Right to limit use and disclosure of sensitive Personal Information
You have the right, at any time, to direct us to limit our use of your sensitive Personal Information to that use which is necessary for us to perform the services or provide the goods reasonably expected by an average consumer who requests such services or goods, to perform the services.
Right to opt-out of marketing
You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email. You may continue to receive service-related and other non-marketing emails.
Testimonials
If you gave us consent to post a testimonial on our Sites, but wish to update or delete it, please contact us at privacy@bluebirdbio.com.
Choosing not to share your Personal Information
Where we are required by law to collect, share or process your Personal Information, or where we need your Personal Information in order to provide you with our Services, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our Services and may need to terminate our relationship with you. We will tell you what information, including any Personal Information, you must provide to us by designating it as required when we request the information or through other appropriate means.
The security of your Personal Information is important to us. We take a number of organizational, technical and physical measures designed to protect the Personal Information we collect, both during transmission and once we receive it. However, no security safeguards are 100% secure and we cannot guarantee the security of your Personal Information.
We do not knowingly collect Personal Information from children under age 13 in the United States through our Sites. If we learn that we have collected Personal Information directly from a child under the age of 13 through our Sites, we will delete that information.
bluebird is headquartered in the United States and may have affiliates and service providers in other locations, and your Personal Information may be transferred to the United States or other locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.
Individuals in the European Union should read the important information provided in the Cross-Border Data Transfer section below about transfer of Personal Information outside of the European Economic Area.
For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by bluebird. These links are not an endorsement, authorization or representation that we are affiliated with that third party. We do not exercise control over third party websites or services, and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the Personal Information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.
Changes to this Privacy Policy
We reserve the right to modify this Privacy Policy at any time. We encourage you to periodically review this page for the latest information on our privacy practices. If we make material changes to this Privacy Policy, we will notify you by email or through the Sites as required by applicable law.
If you have any questions or concerns about our Privacy Policy, please contact our Data Protection Officer at:
bluebird bio, Inc.
Attn: Compliance Officer
455 Grand Union Boulevard
Somerville, MA, 02145 USA
privacy@bluebirdbio.com
XI. Notice to European Users
Controller
For commercial patients located in the EU and participants in clinical trials performed in the EU, bluebird is the controller of your Personal Information covered by this Privacy Policy.
Legal bases for processing
The legal bases for our processing of your Personal Information include (1) compliance with a legal obligation, such as required by applicable regulatory and reporting obligations; (2) our contractual performance or to respond to your requests or inquiries; (3) for legitimate interests, such as providing the Services, performing and administering clinical trials, conducting research and product-improvement activities, improving our Sites, for our anti-fraud and safety activities related to the Services or Sites; and/or (4) with your consent.
Use for new purposes
We may use your Personal Information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your Personal Information for an unrelated purpose, we will notify you and explain the applicable legal basis.
Your rights
European data protection laws give you certain rights regarding your Personal Information. You have the following rights in your Personal Information that we control, store, or process:
- Access: You have the right to view and request copies of your Personal Information.
- Rectification: You have the right to request inaccurate or outdated Personal Information be updated or corrected.
- Deletion: You have the right to request that your Personal Information be deleted, subject to certain exemptions based on applicable laws.
- Data portability: You have the right request that your Personal Information be transferred to another controller or provided to them in a machine-readable format.
- Restrict processing: You have the right to request that we restrict or suppress the processing of your Personal Information.
- Withdraw consent: You have the right to withdraw previously given consent to process your Personal Information.
- Object: You have the right to object to our processing of your Personal Information.
You can submit these requests by email to privacy@bluebirdbio.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your Personal Information or response to your requests regarding your Personal Information, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction.
XII. Cross-Border Data Transfer
If we export your Personal Information from the European Economic Area (“EEA”) to a country outside of it and are required to apply additional safeguards to that Personal Information under European data protection legislation, we will do so. Please contact us for further information about any such transfers or the specific safeguards applied.
Last updated: April 2024