Executive Statement

Allovir respects the privacy of the patients, HCPs, colleagues and other third parties with whom we interact.  Protecting the Personal Data that we receive from individuals and entities is a responsibility we take very seriously.  We comply with all applicable privacy laws and regulations in the collection, protection, and use of this information.

That’s why we have established a comprehensive privacy program designed to help us respect and protect privacy rights. To protect your privacy, Allovir will ensure all personal data is handled in a secure way and used only as outlined in the sections below. This privacy policy informs you what personal data we collect, how we use it and the measures we take to keep it safe. This policy is our commitment to privacy and includes provisions on processing of personal data related to clients, consumers, citizens and employees.

This privacy policy applies to all subsidiaries, business units and personal data processing activities under the responsibility of Allovir. All business units are accountable for ensuring that personal data is protected in all processes across its entire life cycle, keeping privacy measures top of mind. All of our employees are responsible for compliance with this policy.

Scope

This policy applies to all personal data processed by all employees, contractors and partners doing business on behalf of Allovir, as well as all legal entities/all subsidiaries of Allovir. This policy excludes joint ventures where there is less than a 50% share by Allovir.

Allovir will adhere to privacy laws in all jurisdictions where it operates. Any mandatory registration provisions that may exist according to legal requirements must be observed. In case of uncertainty, leaders of legal entities/subsidiaries of Allovir and stakeholders must consult the PO and/or general counsel.

Collection of personal data by — and the disclosure to — governmental institutions and authorities will be carried out only on the basis of specific legal provisions. In all cases, this privacy policy imposes those restrictions that are necessary to meet the legal requirements of the respective laws.

Guiding Regulations

GDPR, ISO270001, 22CFR 120,15CFR 730-774, Data Protection Act 2018, etc

Logging Practices

Allovir’s web servers automatically record the Internet Protocol (IP) addresses of visitors. Note, however, that if you have a broadband connection, depending on your individual circumstance, the IP address that we collect may contain data that could be deemed identifiable. This is because, with some broadband connections, your IP address doesn’t change (it is “static”) and could be associated with your personal computer or device.

As well as recording the IP addresses of users, Allovir may also keep track of sites that users visited immediately prior to visiting Allovir’s website and the search terms they used to find it. The web server keeps track of the pages visited on Allovir’s website, the amount of time spent on those pages, the types of searches done on them, and products looked at. Your searches remain confidential and anonymous. Allovir uses this information only for statistical purposes, to find out which pages users find most useful and to improve the website.

Allovir servers also capture and store information that your browser transmits. This includes:

• Browser type/version/plug-ins used or security levels
• Operating system used
• Media Access Control (MAC) address
• Screen resolution
• Date and time of the server request
• Location-related data (such as the geographic location of the IP address)
• Volume of data transferred
• Access status (“file transferred,” “file not found” and so on)

This data will be used to generate statistics that help us to further optimize our websites to meet your individual needs. We will not deduce personal information from this data.  Depending on the selection of privacy settings upon visiting Allovir’s website, additional personal data processing may take place following your preferences.

Cookies

Cookies are small text files that are placed on your computer by websites to track your individual movements on that website over time.

At Allovir, we use the following categories of cookies:

• Essential cookies — These are used to authenticate you, prevent fraud and provide you with the services that you have requested.
• Functional cookies — These are used to remember you and recall your settings or preferences (such as language) when you return to our website. These cookies are not used to track you when you visit other websites.
• Performance cookies — These are used to measure the performance of our website and online services. We use the information gathered from these cookies to improve our sites, as well as the products and services we offer.

Cookies used by Allovir may be session-based or persistent. Session-based cookies last only for the duration of a user’s session, while a persistent cookie remains on the user’s hard drive. A persistent cookie can help us recognize you when you return to our website and recall your settings or preferences.

If you do not want a cookie placed on your computer as a result of using a Allovir website, you can disable cookies altogether by modifying the preferences section of your web browser. Note that if you do so, some aspects of Allovir websites may be unavailable to you. If you choose to accept cookies on your hard drive, but wish to be informed of their appearance, you may turn on a warning prompt by modifying the cookie-warning section also located in the preferences section of your web browser.  For additional privacy protection, you may also use your web browser’s “do not track” (DNT) settings, which Allovir will adhere to.

Depending on your cookie consent selection of settings upon first visiting the Allovir website, tracking cookies, third-party cookies and other technologies such as web beacons may be used to process additional information, enable noncore functionalities on the Allovir website and enable referenced third-party functions (such as a social media “share” link).

Web Beacons/Pixels

Allovir’s websites may use a technology known as “web beacons” — sometimes called “single-pixel GIFs,” or “pixels” — that allow the sites to collect website log information. These are designed to track pages viewed or messages opened. Website log information is gathered during your visit. We may also include web beacons in promotional email messages to determine whether the messages have been opened.

Do Not Track (DNT)

Our web servers honor the DNT setting in all web browsers that currently support it. This means that you can opt out of our and third-party tracking services, including behavior advertising.  To find out more about "Do Not Track," please visit http://www.allaboutdnt.com

External Links Disclaimer

Some of Allovir’s websites link to other sites created and maintained by other public- and/or private-sector organizations. Allovir provides these links solely for your information and convenience. When you transfer to an outside website, you are leaving the Allovir domain, and Allovir’s information management policies no longer apply. Allovir encourages you to read the privacy statement of each external website that you visit before you provide any personal data.

Security

Allovir implements commercially reasonable technical and organizational security controls to protect your personal data against theft, loss or misuse. Your data will be stored in a secure operating environment that is not accessible without authorization. Allovir applies mitigation measures following periodic risk assessments to ensure an adequate level of protection of your personal data.

Please note for business continuity and disaster recovery purposes, Allovir may store data in a location outside the jurisdiction(s) in which we normally operate. In such scenarios, we will implement all commercially reasonable measures to protect your personal data against theft, loss or misuse.

Allovir has put in place appropriate physical, technical and administrative procedures to safeguard and secure the information from loss, misuse, unauthorized access, disclosure, alteration or destruction. Allovir cannot guarantee the security of information on or transmitted via the internet.

Inquiries

If you have any questions about our privacy policy or practices, please make inquiries through our “Contact Us” page.

Personal Data About Minors and Children

Allovir does not knowingly collect data from or about children under 13. If we learn that we have collected personal data from a child under 13, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at privacy@Allovir.com.

Applicable Law

This privacy policy is governed and will be interpreted in accordance with the laws of the United States of America

If you use our services and reside outside the United States of America, your information will be transferred to the United States of America and will be processed and stored there under United States of America privacy standards. By using our services and providing information to us, you consent to such transfer to the United States of America and processing there.

Collaboration With Authorities

Allovir has appointed and mandated a privacy officer who represents the regulatory authorities inside the Allovir organization, and in return represents the Allovir organization to regulatory authorities.

Allovir’s privacy officer will ensure proper communication with the relevant regulatory authority for privacy. The privacy officer will lead investigative action, complaint handling and data breach notification. The privacy officer will also monitor regulatory changes and consult the regulatory authority where implementation of a regulatory or technological change lead to doubt.

What Personal Data We Use

The types of personal data that Allovir collects and shares depends on the nature of the relationship you have with us and the requirements of applicable laws. We may collect:

Health and medical data (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) that we collect in connection with managing clinical trials, conducting research, formulating and administering gene therapies and immunotherapies, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports

• Personal and business contact data and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
• Biographical and demographic data (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians)
• Professional credentials, educational and professional history, and institutional affiliations
• Payment-related data we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information)
• If you are a health care professional, we collect data about the programs and activities in which you have participated, your prescribing of our products and the agreements you have executed with us
• Your photograph, social media handle or digital or electronic signature
• Publicly available information (such as comments describing support for and experience with Allovir products or therapies)
• Other information you provide to us (such as in emails, on phone calls, in market research surveys, or in other correspondence with us or our service providers or business partners)

We may combine other publicly available data, such as information related to the organization for which you work, with the personal data that you provide through the Services.

How We Use

Personal Data Allovir uses the data collected to provide a safe, efficient and customized experience. Here are some of the details on how we do that:

• To operate the website
• If you use our website, we use your personal data to:
• operate, maintain, administer and improve the website
• better understand your needs and interests, and personalize your experience with the website
• provide support and maintenance for the website
• respond to your Service-related requests, questions and feedback
• To perform and administer clinical trials, research and product-improvement activities
• We may use your personal data when necessary to facilitate our clinical trials, research, studies, and related activities that support product improvement, including to:
• staff and manage clinical trials, including by recruiting investigators and participants
• track and respond to safety and product quality concerns (including product recalls)
• support public health initiatives, symposia, conferences, and scientific, educational and volunteer events
• developing our gene therapies and immunotherapies
• facilitate medication adherence programs
• define and manage appropriate patient engagement activities, and patient support programs (including to provide co-pay and other financial assistance where available)
• identify and engage thought leaders and external experts
• award scholarships and grants
• attribute authorship to academic and promotional materials
• To provide the Services
• We use your personal data  as necessary to provide Allovir Services, including to:
• manage access to our products, including where access is limited by law to licensed physicians
• pay for services that physicians, researchers and other individuals may provide to us
• deliver our gene therapies and immunotherapies

To comply with law

We use your personal data as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.

To comply with regulatory monitoring and reporting obligations

We use your personal data as we believe necessary or appropriate to comply with regulatory monitoring and reporting obligations, such as those related to adverse events, product complaints, patient safety, and financial disclosures.

With your consent

Allovir shall not use Personal Data for any purpose except:

• With the explicit consent of the party whose Personal Data was collected;
• As required or permitted by applicable laws or regulations;
• If necessary, to comply with a legal, regulatory, or ethical obligation;
• As consistent with legal and privacy guidance associated with the activity

In some cases, we may ask for your consent to collect, use or share your personal data, such as when required by law or our agreements with third parties.

To create anonymous data for analytics

We may create anonymous data from your personal data and other individuals whose personal data we collect.  We make personal data into anonymous data by excluding information that makes the data personally identifiable to you and use that anonymous data for our lawful business purposes.  

For compliance, fraud prevention and safety

We use your personal data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our websites, mobile apps, products and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

How Long We Use Personal Data

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) in which case we may use this data indefinitely without further notice to you.

Who Else May Process Personal Data

Allovir may share the data collected with third parties to provide a safe, efficient and customized experience. Here are some of the details on how we do that:

• To provide services: Allovir may share your personal data with agents, contractors or partners of Allovir in connection with services that these individuals or entities perform for or with Allovir. These agents, contractors or partners are restricted from using this data in any way other than to provide services for Allovir, or for the collaboration in which they and Allovir are engaged. For example, some of our products are developed and marketed through joint agreements with other companies. We may, for example, provide your data to agents, contractors or partners for hosting our databases, data processing or mailing you information that you requested.
• To respond to legal requests and prevent harm: Allovir reserves the right to share your data to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state or company security is at issue (such as terrorist attacks), Allovir reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.

We never sell your personal data to third parties, such as marketers, without your consent. We do not provide any personal data to “people finder,” “public directory” or “white pages” sites.

If our company is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your data may be sold or transferred as part of that transaction. The promises in this privacy policy will apply to your data as transferred to the new entity.

Your Right to Access Personal Data

To keep your Personal Data accurate, current, and complete, please contact us as specified below. We will take reasonable steps to update or correct Personal Data in our possession that you have previously submitted via this website.

Please also feel free to contact us if you have any questions about the Company’s Privacy Policy or the data practices of this website.

You may contact us as follows: privacy@Allovir.com

In addition to the information that is available on Allovir’s website, you have the right to access the personal data that Allovir holds about you, all subject to the exemptions as contained in applicable laws and regulations. If you request the data, then Allovir will assist you. Your identity will need to be confirmed before you are provided with access to personal data.

Generally, Allovir does not charge for providing information, but if the request requires significant staff time, Allovir reserves the right to charge a fee for such requests.

All formal access requests will be directed to the privacy officer, who will then review each request to determine whether Allovir will disclose the requested data. The privacy officer will also receive and address all privacy complaints that Allovir receives. You may submit these requests by email to privacy@Allovir.com or our postal address provided on our “Contacts Us” page

You will be notified if access to the records you have requested is granted or denied, and which exemptions apply.

Your Right to Correct or Amend Personal Data

If you believe there is a mistake in your personal data, you have a right to ask for the data to be corrected. Send correction/amendment request to privacy@Allovir.com

Cross Boarder Data Transfer

If we export your personal data from the European Economic Area (“EEA”) to a country outside of it and are required to apply additional safeguards to that personal data under European data protection legislation, we will do so. Such safeguards may include applying the European Commission model contracts for the transfer of personal data to third countries described here. Please contact us at privacy@Allovir.com for further information about any such transfers or the specific safeguards applied.

Enforcement and Audit

Allovir uses a self-assessment approach to ensure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible, and in conformity with privacy principles.

Complaints

We encourage anyone interested to raise any concerns using the contact information provided in our “Contact Us” page. We will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal data.