Last updated on December 14, 2021

Your privacy is important to Keros Therapeutics, Inc. and its affiliates (hereinafter “we” and/or “us” and/or “Keros”) and we recognize the responsibility you entrust us with when providing your personal data. This Privacy Notice explains to our prospective employees, workers and contractors (“job applicants”) how we handle and treat their personal data when they submit an application to Keros, including via our site: or associated sites or pages (the “Website”). The purpose of this Privacy Notice is to provide you with a clear explanation of what personal data we collect, when, why and how we collect, use and share your personal data and explains your statutory rights.

We strongly urge you to read this notice and make sure you fully understand our practices in relation to personal data before you submit your application to Keros. If you have read this notice but would like further clarification, please contact us at .

If you are located in the European Economic Area or the United Kingdom, please consult the EEA/UK GDPR supplemental notice below.

Please note that when you visit our Careers webpage, we will also process your personal data in accordance with our Website Privacy Notice.

1. What personal data do we collect and how do we collect it?

Personal data is information that can be used to contact or identify you, such as your name, email address, phone number, etc.

Information you provide to us directly:

  • When you submit your application online via our Careers webpage: We provide you with the possibility to send us your application, including CV and cover letter by email. We will thus collect the information that you provide in your CV and cover letter, your email address, as well as any information that you decide to share with us.
  • If we invite you for an interview: We will collect information about your professional history and education, information relevant to assess your suitability for our job opening, as well as any other information that you decide to share with us.

    Information we obtain from social media platforms:

  • If you apply to our job openings advertised on social media, such as LinkedIn: When you visit or interact with our pages on social media platforms, such as LinkedIn, and other third party platforms, you are agreeing to the platform provider’s privacy policy. This may include sharing with us your name, profile, photos, reactions and comments to our posts, etc. The platform provider’s privacy policy applies to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Notice.

    Information collected indirectly from other sources:

  • Our recruitment agency: From which we collect your application form, including your CV and cover letter.
  • Our background and reference check provider: From which we collect evidence of qualifications or work history
  • Your named referee(s): From whom we collect references regarding your application at Keros.

2. Why do we collect your personal data?

We process your personal data in order to:

  • manage the recruitment and intake processes;
  • assess your capabilities and qualifications for a job;
  • carry out background and reference checks;
  • respond to your inquiries and communicate with you about your application;
  • process a job offer, should you be successful;
  • inform about you about any new relevant job vacancies.

3. With Whom Do We Share your Personal Data?

We share your personal data with third parties only where it is necessary, and for purposes described in this Privacy Notice. We may share your personal data with the following categories of third parties:

  • Affiliates: We may share your personal data with our corporate parent, subsidiaries, and affiliates.
  • Services Providers: We may transfer your personal data to our business partners / service providers as necessary for them to provide services to us in connection with our fulfilment of the purpose set out above. For example, we rely on our background and reference checks provider, Good Egg, and recruitment agencies.
  • Government Agencies, Regulators and Professional Advisors: Where permitted or required by applicable law, we may also need to transfer your personal data to government agencies and regulators (e.g., tax authorities, courts, and government authorities) to comply with our legal obligations, and to external professional advisors as necessary to defend our legal interests.
  • Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the surviving entity in a merger or the acquiring entity. Such information will be transferred in accordance with applicable law.

4. How Do We Protect Personal data?

We are committed to keeping the personal data provided to us secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal data that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss.  We have put in place procedures to deal with any suspected breach of personal data and will notify individuals and any applicable regulator of a breach where we are legally required to do so.

5. How long do we keep your personal data?

We may retain your personal data as long as necessary for the purpose for which it was collected, and beyond such time to the extent legally permitted and based on our legal obligations or legitimate interests (e.g. in retaining data for the purposes of responding to possible disputes or complaints).

6. Your Privacy Rights

Under applicable laws, you may have rights to access, update, rectify, or erase certain personal data that we have about you or restrict or object to certain activities in which we engage with respect to your personal data. If you have such rights and your request complies with the requirements under applicable laws, we will give effect to your rights as required by law.

To exercise any rights you may have under applicable privacy laws, please contact us using the details in the “Contact Us” section below. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

7. International Data Transfers

Your personal data may be transferred and stored outside your place of residence, that are subject to different standards of data protection. In particular, you should be aware that your personal data may be shared with, and transferred to Keros, and Keros’ affiliates and third-party business partners / service providers who are located outside the European Economic Area (EEA) or the United Kingdom. We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable laws.

8. Contact us

You may contact us using the following details:

  • Email address:
  • Postal address: Keros Therapeutics Inc. established at 1050 Waltham Street, Suite 302, Lexington, MA 02421, Attention: General Counsel

9. Changes to this Privacy Notice

We may make changes to this Privacy Notice from time to time. To ensure that you are always aware of how we use your personal data, we will update this Privacy Notice from time to time to reflect any changes to our use of your personal data. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Please regularly check these pages for the latest version of this Privacy Notice.

EEA/UK GDPR supplemental notice

If you are located in the European Economic Area or the United Kingdom, and apply at Keros, this EEA/UK GDPR supplemental notice applies to you.

1. Who is the Controller?

Keros Therapeutics, Inc., located at 1050 Waltham Street, Suite 302, Lexington, MA 02421, is the controller of your personal data.

Keros has appointed Vivenics Consultancy BV as its EU representative, which can be contacted at .

Pursuant to Article 27 of the UK GDPR, Keros Therapeutics, Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

Keros’ Data Protection Officer can be contacted at .

2. What Are Our Legal Bases for Processing Personal Data?

We process your personal data based on the following legal bases:

  • in order to take steps prior to entering into a contract with you;
  • where it is necessary to comply with a legal obligation to which we are subject to ensure compliance with applicable employment, social security laws and regulations;
  • where it is necessary for our legitimate business interests of Keros (such as ensuring that we have the appropriate work force); or
  • (only if legally required) with your consent.

In those cases where processing is based on consent and subject to applicable local law which provides otherwise, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.

3. Your rights

You are entitled to the following rights:

  • Right of access: you can ask us to provide you with information about our processing of your personal data and give you access to your personal data;
  • Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified;
  • Right to erasure: You can ask us to delete or remove personal data where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request;
  • Right to restrict processing: you can ask us to suspend the processing of your personal data if, (i) you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Right to object: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  • Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Right to withdraw consent: You have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.

To exercise any of these rights, please contact us using the contact details provided above.

Although we urge you to contact us first to find a solution for every concern you may have, you always have the right to lodge a complaint with your competent data protection authority.

4. How Do We Protect Personal Data if we transfer it internationally?

We may transfer your personal data outside of the EEA and/or UK. Some of these recipients are located in countries in respect of which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under Article 45 of the GDPR.

Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal data to a recipient in a Restricted Country, we will either:

  • enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
  • rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

You may ask for a copy of such appropriate data transfer agreements by contacting us using the contact details above.