Last updated on September 20, 2023
Your privacy is important to Keros Therapeutics Inc. and its affiliates (hereinafter “we” and/or “us” and/or “Keros”) and we recognize the responsibility you entrust us with when providing your personal data. This Privacy Notice explains how we handle and treat your personal data when you visit our site: https://kerostx.com or associated sites or pages (the ‘Website”). The purpose of this Privacy Notice is to provide you with clear explanation of what personal data we collect, when, why and how we collect, use and share your personal data and it explains your statutory rights.
We strongly urge you read this notice and make sure you fully understand our practices in relation to personal data before you access or use our Website. If you read and fully understand this Privacy Notice, but remain opposed to our practices, you must immediately leave our website, and avoid or discontinue all use of any of our services. Where you have read this notice but would like further clarification, please contact us at email@example.com.
Our website is not intended to children under 16 years old and we do not knowingly process personal data about children under 16 years old. Parents and guardians should supervise their children’s activities at all times. If we learn we have collected or received personal data from a person under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a person under 16, please contact us at firstname.lastname@example.org.
If you are located in the European Economic Area or the United Kingdom, please consult the EEA/UK GDPR supplemental notice below.
1. What personal data do we collect and how do we collect it?
Personal data is information that can be used to contact or identify you, such as your name, email address, phone number, etc.
Information you provide to us directly:
- When you contact us using our “Contact us” form: we collect your first and last name; your email address; as well as any information you decide to share with us.
- When you contact us using our “Investor contact” form: we and/or our business partner collect your first and last name; your email address; the name of your company; as well as any information you decide to share with us.
- When you register to a social event that we organize, participate in or sponsor: we and/or our business partner collect your first and last name; your email address; the name of your company; as well as any information you decide to share with us.
- When you want to listen to webcasts on news about our company, watch or listen recordings of events that we organize, participate in or sponsor: we and/or our business partner collect your first and last name; your email address; the name of your company; as well as any information you decide to share with us.
- When you sign up to receive our newsletter(s), we collect your email address. If you apply to one of our open positions published in our Career page, we will process your personal data in accordance with our Job Applicant Privacy Notice.
Information collected by automated means from your browser and device through cookies and other tracking technologies:
2. How do we use your personal data?
- To respond to your request or communicate with you: We use your personal data to respond to your request and/or queries about our company and our business activities.
- To provide you with information and content you have requested: We and/or business partners use your personal data to provide you access to webcasts, event recordings, newsletters, etc.To register your attendance to social events that we organize, participate in or sponsor: We and/or business partners process your personal data to ensure that you can participate in such events.
- To process job applications: please consult our Job Applicant Privacy Notice.
- For internal business purposes, such as:
- To ensure access to and maintenance of our Site, to ensure its proper functioning and to carry out statistical analyses on the use of the Site and the frequency of visits;
- to improve our Website and customize your browsing experience; and
- to track any fraudulent activities and other inappropriate activities and monitor content integrity on our website.
3. With Whom Do We Share your Personal Data?
We share your personal data with third parties only where it is necessary, and for purposes described in this Privacy Notice. We may share your personal data with the following categories of third parties:
- Affiliates: We may share your personal data with our subsidiaries and affiliates.
- Business partners / Services providers: We may transfer your personal data to our business partners / service providers as necessary for them to provide services to us in connection with our fulfilment of the purpose set out above. For example, we may rely on service providers to host and maintain our website, perform backup and storage services, and transmit communications. Our business partners / service providers include without limitation, Intrado and Solebury Trout.
- Government Agencies, Regulators and Professional Advisors: Where permitted or required by applicable law, we may also need to transfer your personal data to government agencies and regulators (e.g., tax authorities, courts, and government authorities) to comply with our legal obligations, and to external professional advisors as necessary to defend our legal interests.
- Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the surviving entity in a merger or the acquiring entity. Such information will be transferred in accordance with applicable law.
4. How Do We Protect Personal data?
We are committed to keeping the personal data provided to us secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal data that we have under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. We have put in place procedures to deal with any suspected breach of personal data and will notify individuals and any applicable regulator of a breach where we are legally required to do so.
5. How long do we keep your personal data?
We may retain your personal data as long as necessary for the purpose for which it was collected, and beyond such time to the extent legally permitted and based on our legal obligations or legitimate interests (e.g. in retaining data for the purposes of responding to possible disputes or complaints).
6. Your Privacy Rights
Under applicable laws, you may have rights to access, update, rectify, or erase certain personal data that we have about you or restrict or object to certain activities in which we engage with respect to your personal data. If you have such rights and your request complies with the requirements under applicable laws, we will give effect to your rights as required by law.
To exercise any rights you may have under applicable privacy laws, please contact us using the details in the “Contact Us” section below. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
7. International Data Transfers
Your personal data may be transferred and stored outside your place of residence, that are subject to different standards of data protection. In particular, you should be aware that your personal data may be shared with, and transferred to Keros, and Keros’ affiliates and third-party busines partners / service providers who are located outside the European Economic Area (EEA) or the United Kingdom. We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable laws, including by complying with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce. Our Data Privacy Framework policy can be found here. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/.
8. Links to Other Websites
Our website may contain links to other websites, which may have privacy policies or notices that differ from ours. We are not responsible for the collection, processing or disclosure of personal data collected through other websites. We are also not responsible for any information or content contained on such websites. Links to other websites are provided solely for convenience. Your usage and browsing on any such website are subject to that website’s own policies. Please review the privacy notices posted on other websites that you may access through our website. We may provide you with additional or different privacy notices in specific instances which describe how your personal data is collected and used for a specific service.
9. Contact us
You may contact us using the following details:
- Email address: email@example.com;
- Postal address: Keros Therapeutics Inc., 1050 Waltham Street, Suite 302, Lexington, MA 02421
10. Changes to this Privacy Notice
We may make changes to this Privacy Notice from time to time. To ensure that you are always aware of how we use your personal data we will update this Privacy Notice from time to time to reflect any changes to our use of your personal data. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Please regularly check these pages for the latest version of this Privacy Notice.
EEA/UK GDPR supplemental notice
If you are located in the European Economic Area or the United Kingdom, and access our website, this EEA/UK GDPR supplemental notice applies to you.
1. Who is the Controller?
Keros Therapeutics Inc., established at 1050 Waltham Street, Suite 302, Lexington, MA 02421, is the controller of your personal data.
Keros has appointed Vivenics Consultancy BV as its EU representative, which can be contacted at firstname.lastname@example.org.
Pursuant to Article 27 of the UK GDPR, Keros Therapeutics, Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
- by using EDPO UK’s online request form: https://edpo.com/uk-gdpr-data-request/
- by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom
Keros’ Data Protection Officer can be contacted at email@example.com.
2. What Are Our Legal Bases for Processing Personal Data?
|Purposes of processing||Legal basis|
|To manage our relationship with you, including responding to your request and/or inquiries; providing you access to content or information you requested|
|To send you our newsletters|
|To ensure access to and maintenance of our Site, and to ensure its proper functioning|
|To understand what may be of interest to you, deliver relevant website content to you, to measure or understand the effectiveness of the content we serve to you, and to use data analytics to improve our website|
|To comply with legal obligations that apply to us, including but not limited to disclosing your personal data to courts, law enforcement or regulatory authorities|
|To disclose your personal data to third party business partners / services providers|
|Disclose your personal data to a prospective or actual purchaser or seller in the context of a merger, acquisition or other reorganization or sale of our business or assets.|
3. Your rights
You have the following rights in relation to the personal data we hold about you:
- Right of access: you can ask us to ^provide you with information about our processing of your personal data and give you access to your personal data;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified;
- Right to erasure: You can ask us to delete or remove personal data where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request;
- Right to restrict processing: you can ask us to suspend the processing of your personal data if, (i) you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Right to object: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent at any time: where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.
To exercise any of these rights, please contact us using the contact details provided above.
Although we urge you to contact us first to find a solution for every concern you may have, you always have the right to lodge a complaint with your competent data protection authority.
4. How Do We Protect Personal Data if we transfer it internationally?
We may transfer your personal data outside of the EEA and/or UK. Some of these recipients are located in countries in respect of which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under Article 45 of the GDPR.
Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal data to a recipient in a Restricted Country, we will either:
- enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
- rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
You may ask for a copy of such appropriate data transfer agreements by contacting us using the contact details above.