Privacy Policy

Last Updated: May 20, 2024

SCOPE

This Privacy Policy applies to personal information processed by Fulcrum Therapeutics, Inc. (“Fulcrum,” “we,” “us,” and “our”) in the course of our business, as collected on our website (the “Site”) and via other related online or offline offerings (collectively, the “Services”).

PERSONAL INFORMATION WE COLLECT

This Privacy Policy covers our use of “personal information.” When we say “personal information,” we mean information that relates to you and can identify you as an individual. Personal information does not include data that has been de-identified or aggregated such that you can no longer be identified.

When you use our Services, we may collect the following kinds of information:

Information You Provide to Us.

Registration. When you register for certain services on the Site we may ask you to provide personal information.

Communications with Us. We may collect personal information from you such as email address, phone number, or mailing address when you request information about our Services, request customer or technical support, or otherwise communicate with us.

Interactive Features. Fulcrum may offer interactive features such as commenting functionalities, blogs, review forums, and social media pages. Fulcrum and other individuals who use our Services may collect the information you submit or make available through these interactive features. Any information shared on the public sections of these channels will be considered “public” and may not be subject to the privacy protections referenced herein.

Surveys. We may contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.

CV/Cover Letter. We may post job openings and opportunities on the Site. If you reply to one of these postings by submitting your CV and/or cover letter to us, we will collect and process the information contained therein to assess your suitability, aptitude, skills, and qualifications for employment with Fulcrum.

Conferences and Trade Shows. We may attend conferences and trade shows where we collect personal information from individuals who interact with or express an interest in Fulcrum and/or the Services. If you provide us with any information at one of these events, we will use it for the purposes for which it was collected.

Information We Collect Through Your Use of the Services.

We may collect certain information automatically when you use the Services. This information may include your Internet protocol (IP) address, user settings, IMEI, MAC address, Technologies including cookie identifiers, mobile advertising and other unique identifiers, mobile carrier, details about your browser, operating system or device, location information (including inferred location based off your IP address), Internet service provider, pages that you visit while using the Services, analytics information, and other information about how you use the Services.

Cookies, Web Beacons, and Personalized Advertising. We, as well as third parties that provide content, advertising, or other functionality on the Services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. Technologies are essentially small data files placed on your computer, tablet, mobile phone, or other devices that allow us and our partners to record certain pieces of information whenever you visit or interact with the Services.

  • Cookies are small text files placed in visitors’ device browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Services may not work properly.
  • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded on the Services that collects information about users’ engagement. The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Information from Other Sources.

We may obtain information about you from other sources, including through third-party services and organizations to supplement information provided by you. For example, if you access our Services through a third-party application, such as a social networking service or a third-party login service, we may collect information about you from that third party that you have made available via your privacy settings.

HOW WE USE YOUR INFORMATION.

We process personal information for a variety of business purposes, including:

To Provide the Services or Information Requested.

  • Provide you with materials you have requested;
  • Respond to inquiries, questions, comments, and other requests;
  • Provide access to certain areas, functionalities, and features of our Services;
  • Answer requests for customer or technical support; and
  • Allow you to register for events.

Administrative Purposes.

  • Measure interest and engagement in the Services;
  • Improve our products and Services;
    • Develop new products and services;
    • Prevent potentially prohibited or illegal activities; and
    • Enforce our Terms of Use.

Marketing Our Products and Services. We may use personal information to tailor and provide you with content and advertisements. We may provide you with these materials as permitted by applicable law.

Some of the ways we market to you include email campaigns and “interest-based” or “personalized advertising.”

If you have any questions about our marketing practices or if you would like to opt out of the use of your personal information for marketing purposes, you may contact us at any time as set forth below.

De-identified and Aggregated Information Use. We may use personal information and other information about you to create de-identified and/or aggregated information, such as de- identified demographic information, de-identified location information, de-identified or aggregated trends, reports, or statistics, de-identified or aggregated information about the computer or device from which you access our Services, or other analyses we create. De- identified and aggregated information is not personal information, and we may use and disclose such information in a number of ways, including research, internal analysis, analytics, and any other legally permissible purposes.

Technologies. Our uses of such Technologies fall into the following general categories:

  • Operationally Necessary. This includes Technologies that allow you access to our Services that are required to identify irregular behavior, prevent fraudulent activity and improve security or that allow you to make use of our functions;
  • Performance Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how our visitors use the Services;
  • Functionality Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services and keeping track of your specified preferences or past pages viewed;
  • Advertising or Targeting Related. We may use first-party or third-party Technologies to develop and deliver content, including ads relevant to your interests, on our Services or on third-party sites.

Other Uses. Fulcrum may use personal information to pursue legitimate interests, such as direct marketing, research (including marketing research), network and information security, and fraud prevention. In addition, Fulcrum may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

HOW WE DISCLOSE YOUR INFORMATION.

We Use Service Providers. We may share any personal information we collect about you with our third-party service providers. The types of service providers to whom we entrust personal information include service providers for: (i) the provision of the Services; (ii) the provision of information, products, and other services you have requested; (iii) marketing and advertising;
(iv) payment processing; (v) customer service activities; and (vi) the provision IT and related services.

APIs and Software Development Kits. We may use third party APIs and software development kits (“SDKs”) as part of the functionality of our Services. APIs and SDKs may allow third parties including advertising partners to collect your personal information to provide content that is more relevant to you. For more information about our use of APIs and SDKs, please contact us as set forth below.

Information Shared with Other Users. When you use the Services (in particular, our interactive features), you may share certain personal information with other users. Please be aware that Fulcrum has little or no control over how individuals may use the information you share.

Affiliates. We may share personal information with our affiliated companies.

Business Partners. We may provide personal information to business partners to provide you with a product or service you have requested. We may also provide personal information to business partners with whom we jointly offer products or services.

Interest-Based or Personalized Advertising. Through our Services, Fulcrum may allow third- party advertising partners to set Technologies and other tracking tools to collect information regarding your activities and your device (e.g., your IP address, mobile identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit third party services within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.” If you prefer not to share your personal information with third party advertising partners, you may follow the instructions below.

Disclosures to Protect Us or Others. We may access, preserve, and disclose your personal information if we believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our or others’ rights, property, or safety; (iii) to collect amounts owed to us; (iv) when we believe disclosure is necessary or appropriate to prevent financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (v) if we, in good faith, believe that disclosure is otherwise necessary or advisable.

Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction as permitted by law and/or contract.

INTERNATIONAL DATA TRANSFERS.

You agree that all information processed by us may be transferred, processed, and stored anywhere in the world, including but not limited to, the United States and other countries.

Fulcrum Therapeutics, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of
Commerce. Fulcrum Therapeutics, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Fulcrum Therapeutics, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Fulcrum Therapeutics, Inc. by contacting Curtis Oltmans, Chief Legal Officer, at [email protected].

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Fulcrum Therapeutics, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DP and the UK Extension to the EU-U.S. DPF to the International Centre for Dispute Resolution, the international division of the American Arbitration Association, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the International Centre for Dispute Resolution, the international division of the American Arbitration Association, are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

The Federal Trade Commission has jurisdiction over Fulcrum Therapeutics Inc.’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.

Onward Transfers
When Fulcrum transfers personal data to a third party that is acting as an agent, it enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles of the Data Privacy Framework and that such third-party will notify Fulcrum if it makes a determination that it can no longer meet this obligation. Third parties acting as agents that Fulcrum engages include, but are not limited to, business partners or consultants that are utilized to assist Fulcrum perform the services for which it was retained by the customer with respect to complying with governing laws and codes and that Fulcrum carries out in accordance with the foregoing and pursuant to the purposes for which the information was initially collected. Fulcrum does not share personal information with non-agent third parties.

Fulcrum may disclose personal information to the following types of organizations:

To our third-party service providers such as website hosting providers, information technology providers, payment services providers, and/or communication providers.
To parties in a litigation, judicial or administration bodies in the US or a foreign jurisdiction, dispute resolution providers, and/or regulatory bodies in the US or a foreign jurisdiction.
To a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
To respond to lawful requests from public authorities, including public and government authorities outside your country of residence, including to meet national security, public interest or law enforcement requirements.
We may transfer your personal data outside the European Economic Area (“EEA”). To ensure a degree of protection similar to that within the EEA, we will only transfer your personal data:

To countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or
To countries:
Pursuant to binding agreement to and compliance with standard contractual clauses or binding corporate rules, each as approved by the European Commission;
Pursuant to the consent of the individual to whom the personal information pertains; or
As otherwise authorized by the EEA or permitted by applicable EEA requirements.
In cases of onward transfers to third parties of personal information of EU and/or UK individuals received pursuant to the Data Privacy Framework, Fulcrum is potentially liable if the third-party processes such personal information in a manner inconsistent with the Data Privacy Framework, unless Fulcrum proves that it is not responsible for the event giving rise to the damage.

YOUR CHOICES.

General. You may have the right to object to or opt out of certain uses of your personal information. Where you have consented to the processing of your personal information, you may withdraw that consent at any time by contacting us as described below.

Email Communications. If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Policy).

Technologies and Personalized Advertising. If you would like to opt-out of the Technologies we employ on the Services, you may do so by blocking, disabling, or deleting them as your browser or device permits. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android and iOS.

The online advertising industry also provides websites from which you may opt-out of receiving targeted ads from advertisers that participate in self-regulatory programs. You can access these, and also learn more about targeted advertising and consumer choice and privacy, at www.networkadvertising.org/managing/opt_out.asp, http://youronlinechoices.eu and www.aboutads.info/choices/.

Please note you must separately opt out in each browser and on each device.

Do Not Track”. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

INDIVIDUAL RIGHTS IN PERSONAL INFORMATION.

In accordance with applicable law, you may have the right to: (i) request confirmation of whether we are processing your personal information; (ii) obtain access to or a copy of your personal information; (iii) receive an electronic copy of personal information that you have provided to us, or ask us to send that information to another company (the “right of data portability”); (iv) restrict our uses of your personal information; (v) seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and (vi) request erasure of personal information held about you by Fulcrum , subject to certain exceptions prescribed by law. If you would like to exercise any of these rights, please contact us as set forth below.

We will process such requests in accordance with applicable laws. To protect your privacy, Fulcrum will take steps to verify your identity before fulfilling your request.

DATA RETENTION.

We retain the personal information we receive as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

SECURITY OF YOUR INFORMATION.

We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, the Internet cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unintentional disclosure.

By using the Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by sending a notice through the Services or by sending an e-mail to you.

THIRD PARTY WEBSITES/APPLICATIONS.

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting these other websites or applications is at your own risk.

CHILDREN’S INFORMATION.

The Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth below. If we learn that we have collected any child’s personal information in violation of applicable law, we will promptly take steps to delete such information.

CALIFORNIA PRIVACY RIGHTS.

California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. Except as otherwise provided in this

Privacy Policy, Fulcrum does not share personal information with third parties for their own marketing purposes.

SUPERVISORY AUTHORITY.

If you are located in the European Economic Area, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.

CHANGES TO OUR PRIVACY POLICY.

We may revise this Privacy Policy from time to time in our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use the Services after the new Privacy Policy takes effect.

CONTACT US.

If you have any questions about our privacy practices or this Privacy Policy, please contact us at:

Fulcrum Therapeutics
26 Landsdowne Street
Cambridge, MA 02139

Tel: +1 617-651-8851
Email: [email protected]

EU and UK Privacy Policy

The controller for processing of personal data in relation to our studies and clinical trials (“Studies” or in single cases the “Study”) and on our website https://www.fulcrumtx.com (“Website”) is Fulcrum Therapeutics (“we” or “Fulcrum”), 26 Landsdowne Street, Cambridge, MA 02139, +1 617 651 8851, [email protected].
In order to be able to carry out the Studies as well as provide the Website we need to process certain personal data. We highly value the protection of those personal data and observe applicable data protection provisions, including those of the General Data Protection Regulation (“GDPR”).

In the course of some of our Studies, we may be involved in processing of personal data together with joint controllers. We will inform data subjects of the identity of the respective joint controllers in the relevant Study and make available to the data subjects the essence of the arrangement with such joint controllers.

This privacy policy (“Privacy Policy”) describes how we process personal data that you provide to us or that we collect about you. In particular, we will inform you in detail which personal data we collect, for which purposes we use them, with whom we share them and which control and information rights you may have.

I. General Information

1. Data Protection Officer and EU and UK Representatives

You can reach our European legal representative under:
Rivacy GmbH Mexikoring 33
22297 Hamburg
[email protected]
You can reach our UK legal representative:
Rivacy Ltd.
87, Warriner Gardens Unit G1/G2
London, SW11 4DX
[email protected]

2. Definitions

“Personal data” means any information relating to an identified or identifiable natural person. This includes your email address, name, user behavior, etc.
“Processing” means any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means (such as their collection or storage).

3. Data security

Taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for your rights and freedoms, we take appropriate technical and organizational measures in accordance with Art. 32 of the GDPR to ensure a level of protection appropriate to the risk.

4. Retention period

4.1 We will retain your personal data only as long as necessary to attain the purpose of their processing as described herein. We will delete them afterwards unless we are legally entitled or obliged to retain them further. Regarding the Studies, we will inform you of the particular retention periods applicable to the Study-specific processing of personal data.
4.2 After the end of a Study, your personal data may also be of importance for other scientific research in subjects related to the Study. According to your prior approval and the local ethical committee approval in this regard, we may use your data and bodily material to perform other scientific research. In that case, we will inform you of such further processing of your personal data. If the information is anonymized (i.e. that you are not identifiable from the information) we may use such information for other scientific research with the proper approval of the ethical committee.

5. Your rights

You have the right

  • to access your personal data processed by us;
  • to rectify your personal data if inaccurate;
  • to erase personal data concerning you (‘right to be forgotten’);
  • to restrict the processing of personal data;
  • to receive your personal data processed by us in a structured, commonly used and machine-readable format where the processing is based on consent or with regard to a contract relationship with you (‘right to data portability’).

You also have the right to object to the processing of personal data concerning you where the processing of personal data is based on Art. 6(1)(f) of the GDPR on grounds relating to your particular situation.

You may exercise these rights by contacting us through the contact information above. You always have the right to lodge a complaint with a supervisory authority.

6. Contacting us

If you contact us (e.g. via our contact information mentioned above), we process the personal data you have provided (e.g. your name and e-mail address) in order to answer your questions (Art. 6(1)(f) of the GDPR).

II. Studies

Our goal is to develop new medicines to deliver a new future for patients and their families by transforming gene regulation in genetically defined diseases. Before a new drug is ready for the market, it needs to be tested. In order to do so and to assess potential risks and benefits for patients, we carry out a broad range of Studies.
As part of these Studies, we process personal data as described in this section II.

1. Categories of personal data and data subjects

1.1 Usually, the participants in our Studies (“Participant(s)”) are patients that suffer from the condition we try finding a cure or medicine for, which can ease the impairments they are suffering from. Depending on the specific Study, we also allow enrollment of healthy Participants. We inform the Participants of such eligibility criteria before we carry out the respective Study.
1.2 Depending on the specific Study, we process the following categories of personal data of the Participants:

  1. General Participant information (i.e. first name, last name, address including country of residence, telephone number, email address, birth year, sex/gender, childbearing potential [for females only], ethnicity, race, hand dominance, employment, education);
  2. Type and stage of the disease the Participant is suffering from or whether he or she is a healthy volunteer;
  3. Genetic confirmation of disease (if applicable);
  4. Medical and surgical history (i.e. date of diagnosis, treatment approaches, dates for start and stop of treatments, whether ongoing or not);
  5. Condition the Participant is in before the Study has started and during the Study regarding general health and lifestyle (blood pressure, pulse rate, respiratory rate, temperature, height, weight, body mass index, ECG values, perceived well-being, any abnormalities found on medical history and physical examination are recorded);
  6. Condition the Participant is in before and during the study regarding their disease under investigation, if applicable (for example, presence and severity of functional impairment and disability, signs and symptoms, impact on daily life and activities, etc.);
  7. Period in which the Study is carried out (including start and end date), site, and information whether Participant took part in the study, completed the study, or screened failed;
  8. Study phases that have been carried out with the Participant;
  9. Primary purpose of the Study (e.g., treatment, supportive care) and treatment chosen for that purpose;
  10. Test methods and procedures (details to be provided with regard to the specific Study);
  11. Fluid or tissue sampling method (e.g., blood, urine, muscle) and sample data (details to be provided with regard to the specific Study);
  12. Dates and times of collection of blood and/or urine or other specimens such as tissue samples;
  13. Attendance times to the clinic and times under evaluation;
  14. Specific Drug candidates under evaluation or placebos dispensed and taken during the Study and specific doses received and compliance with the assigned treatment;
  15. Occurrence and reported side effects, if any, their severity and estimated relationship to administered study treatment or study procedures, actions taken, outcome;
  16. Study results (i.e. how Participants have reacted to tested treatments, interventions or natural history of the condition, when applicable);
  17. Concomitant medications taken during the study, with start date, stop date, dose, frequency and route of administration, indication, adverse events (if any).

We will inform all Participants in each Study of which of their personal data we process.

6.2 We also may process additional or different personal data if the respective Study requires so. In this case, we inform the Participant respectively before processing such data in the respective Study.
6.3 If there is no more slot available to participate in one particular Study, we may put a Participant under our full discretion on a stand-by list in case another Participant can no longer participate in the Study.

2. Purpose of the processing of personal data

The reason why we process personal data is our main goal: We want to make a positive impact in the lives of patients and families impacted by severe disease. For each Study, we are working closely with patient groups who we consider partners in our search to better understand the disorders they suffer from and to develop breakthrough medicines. For every Study we start, we regard partnership with patient groups as essential to our work.
Our unique and differentiated approach addresses the genetic cause of disease. In our initial efforts, we will be focusing on monogenic diseases that arise due to a faulty regulation of a single gene. This approach leads us to the questions we need to ask, the tests and trials we need to carry out and thus, to the personal data we need to process.

7. Legal basis of the processing

As much of the personal data we process as part of our Studies must be considered special categories of personal data according to Art. 9 of the GDPR, we generally process these data based on the respective Participant’s informed consent (Art. 6(1)(a) and Art. 9(2)(a) of the GDPR).
Where the member states of the European Union have made use of their competence to provide for an additional justification and/or additional requirements for the processing of special categories of personal data, we may process the respective data based on such additional legal basis.

8. Encoding of personal data

A code is assigned to each Participant. This code serves as a reference where we do not process plain names along with Study insights or results. Nonetheless, we store the codes in case we need to identify a Participant for safety or regulatory reasons, e.g., in light of the results of the Study.

9. Transfers of personal data

9.1 Depending on the respective Study, we may transfer encoded personal Participant data, either raw data or analysed data, either along with the Participant’s code identity or without it, to particular recipients, e.g., regulatory agencies, vendors, payor agencies, scientific advisors, consultants, at scientific meetings, with patient groups, and in publications. Those recipients may act as processors, joint or separate controllers in the specific case or be entitled to receive the relevant data by law. We will inform the Participants of such transfers.
9.2 Study results are prepared into clinical study reports (“CSRs”) that are stored in the company servers. The CSRs only contain aggregated data and can be used for regulatory submissions.
9.3 Results of Studies are presented using aggregated data only (without reference to the code or any other clear identifier) within Fulcrum, to investors, patient groups, scientific and clinical advisors, and as posters and publications. They are also posted in the clinicaltrials.gov portal or other clinical trial registries as required. Sometimes key study results are reported in press releases.
9.4 Fulcrum never shares identifiable data of the Participants unless required by applicable law.
9.5 If we need to share personal data of the Participants with other parties involved in the specific Study for a particular Study-related purpose, we will inform the Participants before we begin with the Study.

III. Processing in connection with our Website

In connection with our Website, we process personal data as described in this section III.

1. Processing of personal data when using the Website for informational purposes

When you visit the Website for informational purposes without providing personal data actively by using a particular function of the Website your browser transmits personal data to our server by using log files. These log files transmit the following information to us:

  • IP address
  • Date and time of visit
  • URLs of pages visited
  • Number of pages visited
  • Last activity date and time
  • Referral website and information
  • Type, language and version of browser
  • Device ID

We process these personal data in order to allow the use of our Website (e.g., by adapting our Website to the requirements of your device). The legal basis for this processing of personal data is Art. 6(1)(f) of the GDPR, as the recording of the data serves our legitimate interest in ensuring the stability and security of the Website.

10. Processing of personal data when contacting us

When you contact us in connection to a contractual relationship with us, we process your personal data (such as your email address or telephone number, as well as your specific concern), to address your concern, answer any questions, or provide general information with regard to our services. The legal basis for this processing is Art. 6(1)(b) of the GDPR.
When you contact us as a third party with no connection to any (potential or future) contractual relationship (e.g., along with a complaint or with regard to a specific clinical trial, a drug in development or a particular disease), we process the personal data you disclose to us (such as your email address or telephone number, as well as your specific concern) to answer your questions or remedy your complaint. The legal basis for this processing is Art. 6(1)(f) of the GDPR, with our legitimate interest being to respond to your request.

11. Cookies

We use cookies on our Website. Cookies are small text files that are stored on your device. Some cookies serve to store preferences and are deleted after the end of the browser session, i.e. after closing the browser, so-called session cookies. Other cookies serve to adapt the Website to user needs and remain on the end device, so-called persistent cookies.
In your browser settings, you can allow cookies for individual cases, limit the acceptance of cookies to certain cases or generally exclude them and activate the automatic deletion of cookies when closing the browser. If you deactivated the use of cookies, the functionality of this Website may be restricted.
We use the cookies listed below on our Website:

Cookie identifier Provider Purpose Storage period Opt-out
_ga (Google Analytics) Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 USA Stores information on the Website activities of the user 2 years https://tools.google.com/dlpage/gaoptout?hl=en

11.1 Google Analytics
We use functions of the web analysis service Google Analytics on our Website. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
Google Analytics uses cookies (see above). The information generated by the cookie about your use of this Website is transferred to a Google server and stored there. We have activated the IP pseudonymization function on this Website. As a result, your IP address will be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area prior to transmission to the USA. Only in exceptional cases the full IP address will be transmitted to a Google server in the United States and truncated there. On our behalf, Google will use this information for the purpose of evaluating your use of this Website, compiling reports on website activity and providing other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.
We have concluded a data processing agreement with Google. Data transmission therefore is privileged in accordance with Art. 28 of the GDPR.
Google Analytics cookies are stored based on (and only after you gave) your consent, Art. 6(1)(a) of the GDPR. You may withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
11.2 Google Search Console
We use the Google Search Console to monitor the Website technically for possible errors. The Google Search Console is a free service from Google that allows us to monitor and manage our presence in the Google search index. It gives us access to much of the data and information Google has about our Website. With regard to data protection, the use of the Google Search Console is harmless, because no user or tracking data is transmitted from our Website to Google, but we only receive data from Google about our web presence.
11.3 Google Web Fonts
This Website uses so-called web fonts, which are provided by Google, for the uniform representation of fonts. The provider is Google. When you access a website, your browser loads the web fonts you need into its browser cache to display text and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers. This will enable Google to know that your IP address has been used to access our Website. The use of Google Web Fonts is in the interest of a uniform and appealing presentation of our online services. This represents a legitimate interest within the meaning of Art. 6(1)(f) of the GDPR. If your browser does not support web fonts, a standard font will be used by your computer.

12. Google Maps

We have embedded the map service “Google Maps” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”) into our website. We use a link between Google Ireland and our website. This means that when you visit our site, initially no personal data is passed on to Google Ireland.
Google Ireland only receives the information that you have accessed the map from our Website when you click on the embedded map. If you are logged in to Google, your personal information will be directly associated with your Google Account. If you do not want your interaction with Google Maps to be associated with your Google Account, you will need to log out before viewing the map.
We will transfer your personal data within the scope of the use of Google Maps based on your consent. The processing therefore is based on Art. 6(1)(f) of the GDPR. Our legitimate interest is to provide you with a map on our contacts page.
You will find further information on the purpose and scope of the processing of personal data by Google and Google Ireland in their privacy policy (https://policies.google.com/privacy?hl=en&gl=en). There you will also find further information on your rights in this regard and browser setting options to protect your privacy.

1. Transfer of personal data to third parties

Except in the cases mentioned in this Privacy Policy, your personal data concerning the Website will not be disclosed to third parties. Personal data may be disclosed to third parties who act on our behalf to process the personal data in accordance with its original purpose, such providing technical support or answering questions. These third parties are contractually obligated by us under statutory designated agreements to use personal data only for the agreed purpose or not to disclose your personal data to other parties without permission, unless required by law.
We transfer your personal data processed through to countries outside the EU and the EEA (so- called third countries), in particular to the USA. If so, we will ensure that the specific requirements of Artt. 44 ff. of the GDPR are met. You may contact our DPO to obtain a copy of the appropriate or suitable safeguards.