Website Privacy Notice

Your privacy is important to SpringWorks Therapeutics, Inc. (the “Company,” “we,” “our,” or “us”). This Privacy Notice explains the types of personally identifiable data (“Personal Data”) we collect, why we collect it, and how we use and share it in connection with this website (our “Website”) and for other purposes identified in this Privacy Notice.

1. Who is responsible for the Processing and how can you contact them?

The Company is the data controller or data owner responsible for determining why and how Personal Data discussed in this Privacy Notice is collected, maintained, used, and shared (“Processed”).

If you have any questions about our Processing practices or your data rights, please contact us at the address, telephone number, or email address noted below, and please share your question and where you live:

SpringWorks Therapeutics
100 Washington Blvd
Stamford, CT 06902
privacy.office@springworkstx.com
Telephone: +1 203-883-9490

You may also contact our Data Protection Officer with questions. Our Data Protection Officer is:

HewardMills LTD

77 Farringdon Rd
London EC1M 3JU
UK

dpo@hewardmills.com
Telephone: +44 20 4540 5853

If you are based in the European Economic Area or the United Kingdom and wish to contact us via our General Data Protection Regulation (“GDPR”) Representative, DataRep, you may do so at:

datarequest@datarep.com

www.datarep.com/datarequest

The Cube

Monahan Road

Cork, T12 H1XY, Republic of Ireland

or

107-111 Fleet Street

London, EC4A 2AB, United Kingdom

2. What types of Personal Data do we Process?

We collect Personal Data from people who use our Website; from individuals who seek to enroll, or are enrolled in, our clinical trials or our compassionate use program; from personnel who run the clinical trials; and from service providers or vendors who provide services or products to us.

As we explain further down in this Privacy Notice, the types of Personal Data we Process depend on which of the above groups you fall into. We may Process your name and email address, along with other information that can be used to identify you, such as your telephone number, work and home address, professional experience, education, and other background information collected from you, from third parties, and from publicly available sources such as websites, directories, and industry networks. We might also collect more sensitive information, such as health information.

Contact and other information you send to us

If you choose to contact us through the Website or by email or other means, we will collect your contact information, such as your name, email address, phone number or other contact information that you provide to us so we can communicate with you. If you write a message to us, we will store the message so we can reference it when responding to you. If you inquire about a career opportunity, we will collect and store the information you share related to that opportunity.

Website visitor data and cookies

We collect visitor information via our Website either directly or through third-party data analytics services. Website visitor information may include your IP address and server log data (i.e., the address of the web page you visited before using our Website, your browser type and settings, the date and time of your use of the Website, and language preferences). We may gather information about the device you are using to access our Website, including what type of device it is, what operating system you are using, device settings, application IDs, location, unique device identifiers, and crash data. Other data is collected, including data generated by your use of the Website and links you interact with.

We gather this information by using cookies and related technologies. A cookie is a small piece of data (text file) that is stored on your device so we can remember information about you. Cookies that we set or that are set by a third-party service provider on behalf of our Website are called first-party cookies.

We use first-party cookies and related tracking technologies for the essential functions of our Website, including assisting you in navigation of our Website. (These are called essential cookies.) With your consent, we also use first-party cookies and related tracking technologies to analyze your use of our Website. (These are called performance cookies.)

We have defaulted your settings on our Website to allow us to run essential cookies only. We will process Personal Data collected through performance cookies only if you give your consent by opting in.  You can change your cookie preferences at any time by clicking here. Please note that withdrawal of consent applies only to future actions. Processing that was carried out before the withdrawal of consent is not affected.

Personal Data of clinical trial and compassionate use participants and of principal investigators, clinical trial staff, and other individuals involved in implementing our clinical trials and compassionate use program

If you apply to or are enrolled in one of our clinical trials or our compassionate use program, we will Process your Personal Data as described in a separate notice that is provided at the time Personal Data is collected for the clinical trial or the compassionate use program, as may be required by applicable law.

If you are a principal investigator, clinical trial staff, or other individual involved in implementing one of our clinical trials or our compassionate use program (“Study Personnel”), we will Process your Personal Data as described in a separate notice provided to you in connection with the implementation of the clinical trial or the compassionate use program, as may be required by applicable law.

Personal Data of representatives of service providers and vendors

If you or your company is or becomes our service provider or vendor, we will Process your Personal Data to fulfill the contract and maintain a business relationship with you. We Process limited Personal Data for this purpose, such as contact name, address, email address, phone number and other contact details that you may provide to us to allow us to communicate with you.

3. On what legal basis do we Process Personal Data and how do we use it?

We Process Personal Data in accordance with data privacy laws applicable to us in the context of Processing your Personal Data.

Lawful basis for Processing Personal Data of Website users

In connection with your use of our Website, we Process your Personal Data based on our legitimate interests in performing the essential functions of our Website and to communicate with you in response to any inquiry or request you make of us. We Process Personal Data collected through performance cookies based on your consent.

Lawful basis for Processing Personal Data of clinical trial and compassionate use participants and of Study Personnel

We Process the Personal Data of clinical trial and compassionate use participants for our legitimate interests, legal obligation, scientific research, public interest in the area of public health, or based on the participant’s explicit consent. The legal basis relied on in a particular trial or in the compassionate use program will be described in a separate notice provided to the clinical trial or compassionate use program participant, as may be required by applicable law.

We Process the Personal Data of Study Personnel based on several different legal bases, depending on the purpose of the Processing.  For example, we may Process Personal Data based on our legitimate interests in communicating administrative details, to meet contractual obligations under an agreement with the study site or with other parties, and in connection with certain business transactions.  We might also need to Process Personal Data based on our legal obligation to ensure compliance with proper protocols and applicable regulatory requirements.  The legal bases relied on will be described in a separate notice provided to Study Personnel, as may be required by applicable law.

Lawful basis for Processing Personal Data of service providers and vendors

We Process Personal Data of our vendors and service providers for the legitimate interests of addressing our contractual obligations with them. Our Processing of Personal Data allows us to provide or receive goods and services pursuant to these contracts or to carry out pre-contractual measures that occur as part of a request by a customer or service provider.

Legal obligation and other legitimate interests

We also Process Personal Data for the purposes of addressing legal obligations and for other legitimate interests pursued by us or a third party on our behalf. These legal obligations and other legitimate interests include:

Legal obligations

  • as required by law including, but not limited to, complying with a subpoena or other legal process, regulatory requirement, judicial proceeding, or court order served on us, or to comply with government reporting obligations; and
  • asserting legal claims and defenses in legal disputes.

Legitimate interests

  • when we believe in good faith that disclosure is necessary to detect, prevent, or respond to fraud or violations of law; for corporate audits; to investigate or respond to a complaint or security threat; and in connection with other bona fide business administrative and compliance activities; and
  • in connection with the negotiation or completion of a merger, acquisition, partnership, business reorganization, debt financing, insolvency, bankruptcy, receivership, sale of all or a portion of our assets, or other similar business transaction.

In each case where the legal basis for the Processing is our legitimate interests, you have the right to object to the Processing of your Personal Data by submitting your request to privacy.office@springworkstx.com, and we will consider and respond to the request in accordance with applicable law.

4. Who receives your Personal Data?

We share Personal Data within the Company only with personnel who need access to it to perform their roles and responsibilities in line with the purposes described in this Privacy Notice.

We may share Personal Data with third parties in the context of the applicable lawful basis set forth in this Privacy Notice, or if we are required to share it by law or as directed by a regulatory authority. For example, we may share Personal Data with law enforcement or data protection regulatory authorities or auditors. We may also share your Personal Data with service providers or other third parties for purposes of conducting and managing the Website, addressing legal or other official obligations, or as otherwise necessary to carry out our relationship with you or to satisfy other purposes described in this Notice. We may further share Personal Data in connection with a business transition, merger, acquisition, partnership, business reorganization, debt financing, insolvency, bankruptcy, sale of assets or similar business transaction. Your Personal Data may be part of any assets transferred.

Some of these parties may be located outside of the country where your Personal Data was originally collected.

5. Will your Personal Data be transferred to a third country or an international organization?

We may collect or receive Personal Data outside of the U.S. in connection with the purposes described in this Privacy Notice. Personal Data collected or received by or on behalf of the Company is stored in the U.S., the European Union (“EU”), and in other countries and may be Processed by parties located both inside and outside of the U.S.  If you live outside the U.S., be aware that the U.S. and other countries may not have the same level of data protection as your country. The party in the U.S. or other country without an adequate level of data protection may agree to standard data contractual clauses (“SCCs”) to safeguard the Personal Data it receives. If Personal Data is transferred to the U.S. based on SCCs, the parties to the SCCs will consider the circumstances surrounding the transfer and document supplementary measures as required by law to protect the Personal Data. If legally permissible, we may also rely on your explicit consent in other instances to transfer Personal Data.  In some cases, Personal Data may also be transferred to the U.S. or other countries in other ways permitted under applicable law. If you would like to request the specific safeguards applied to the export of your Personal Data, if applicable, send your request to privacy.office@springworkstx.com.

6. How long will your Personal Data be Processed?

We keep Personal Data as long as necessary to address the reason we collected or received it, including to address legal requirements. We Process Personal Data collected through cookies for different time periods depending on the type of cookie used. We Process data collected through essential cookies for up to 1 year. Personal Data collected through performance cookies is Processed for up to 5 years. If you are a clinical trial or compassionate use participant, a principal investigator, clinical trial staff, or other individual involved in implementing our clinical trials, we will Process your Personal Data for up to 25 years, and possibly longer if a regulatory authority requires it. If you are a vendor or service provider, we will Process your Personal Data for no longer than 7 years following the completion of our business relationship with you. If required by law or by a legal order, we may Process your Personal Data for a longer period consistent with the law or legal order or our contractual rights. For example, we may need to keep your Personal Data longer to fulfill obligations to preserve records under tax law or for accounting purposes, or if we are obligated to hold Personal Data because of a legal prohibition against removing or deleting it.

7. How we protect your information

We take reasonable and appropriate measures to protect your Personal Data against unauthorized use, access, disclosure, and destruction. Please be aware that, despite our best efforts, security measures are not impenetrable.

8. What data privacy rights do you have?

Subject to some exceptions and limitations under applicable law, you have several rights, including:

  • The right to access, which allows you to obtain a copy of your Personal Data, on request;
  • The right to rectification, which requires the Company to change incorrect or incomplete data about you;
  • The right to restrict and object to Processing, which requires the Company to limit or stop Processing your Personal Data under certain circumstances;
  • The right to erasure, which requires the Company to erase your data; and
  • If applicable, the right to data portability, which allows you to transfer your Personal Data from the Company to another individual or entity.

When we Process your Personal Data based on your consent as the lawful basis (as opposed to our legitimate interests, for example), you can withdraw consent at any time. Please note that withdrawal of consent applies only to future actions. Processing of Personal Data that was carried out before the withdrawal of consent is not affected.

You may exercise any of these rights by sending an email indicating your request to privacy.office@springworkstx.com. Furthermore, if you believe your legal rights are being infringed, you have the right to lodge a complaint with us, with our DPO at dpo@hewardmills.com, or with your local data protection authority in the country where you live, where you work, or where the alleged violation occurred, as applicable. For individuals residing in the EU, the list of Data Protection Authorities by EU country can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you are based in the European Economic Area or the United Kingdom and wish to contact us via our GDPR Representative, DataRep, you may do so at: datarequest@datarep.com.

9. Are you obligated to provide Personal Data?

In the context of responding to an inquiry you have made or to address another lawful purpose, you must provide all Personal Data that is required (as applicable) for that purpose. Without this Personal Data, we are not able to respond properly to your inquiry or address the purpose.

10. To what extent does the Company engage in automated decision-making?

In the general course of establishing and carrying out our normal business processes, we do not engage in automated decision-making with respect to your Personal Data. If we do so, we will inform you of the automated decision-making in connection with the relevant transaction.

11. Will the Company use my Personal Data for marketing?

We use Personal Data for marketing only if you request information that may be considered marketing materials, in which case we send that information to you. We will otherwise ask for your consent before sending you marketing communications. Each marketing communication will also include a means for opting out of future marketing communications.

12. Social media

If you click on our social media links (such as Twitter, YouTube, and LinkedIn), you will be directed to a third-party platform, and any information you share on those websites will be covered by their privacy policies, not this Privacy Notice.

13. Links

This Website may contain links to other third-party websites. Please be aware that we are not responsible for the privacy practices of third parties and their other websites. This Privacy Notice applies only to the information we collect on our Website. We encourage you to read the privacy policies of other websites you link to from our Website or otherwise visit.

14. Minors

Our Website is not directed at nor intended for use by individuals under eighteen (18). If you learn that a child under eighteen (18) has provided us with Personal Data without consent, please contact us. If we become aware that a child under eighteen (18) has provided us with his or her Personal Data, we will promptly delete such data.

15. Do-not-track

You may have implemented a “do-not-track” signal through your browser. As there currently is no fixed standard for do-not-track signals, we currently do not respond to do-not-track signals from your web browser.

16. Changes

We may revise this Privacy Notice from time to time. If we decide to change this Privacy Notice, we will post the revised Privacy Notice on our Website. If changes materially affect your rights under this Privacy Notice, we may provide a more prominent notification on our Website. In certain cases, we may also provide email notification of the revised Privacy Notice and either seek your consent or give you the right to opt out of our use of your Personal Data in accordance with the revised Privacy Notice, if required. However, because we may make changes at any time, we suggest that you periodically consult this Privacy Notice. Please note that our data protection practices will be based on the Privacy Notice in effect at the time the Personal Data is Processed.

17. Contact

We endeavor to review and reply promptly to communications sent to us. If you have any questions about this Privacy Notice, please feel free to reach out to us at:

SpringWorks Therapeutics, Inc.
100 Washington Blvd
Stamford, CT 06902
privacy.office@springworkstx.com

This Privacy Notice was last updated April 21, 2022.