Content on this website is intended for United States residents only.

Crystalys Therapeutics Inc.,

GLOBAL PRIVACY NOTICE

Crystalys Therapeutics Inc., (“Crystalys”) understands your concerns regarding your privacy when it comes to your Personal Information (PI).  We operate globally and, as laws relating to privacy and security of information may vary between States and countries, we have aligned our organization wide privacy practices with the highest standard expected regarding:

  • clinical trial subjects,
  • employees, consultants, contractors, collaborators,  and healthcare professionals
  • service providers
  • website visitors,
  • our social media pages,
  • through other interactions by email,
  • surveys,
  • telephone,
  • and when you visit one of our properties (the “Service”).

to ensure that you can be confident in how we securely manage the information we process.

In order to be transparent about the practices we have adopted we have compiled this following to provide you with key information.

WHAT INFORMATION YOU WILL FIND HERE  

This Privacy Notice aims to inform you how we collect, use, maintain and disclose PI that could identify you.

Below is a summary of the information; you can read the document throughout or click on the links below to take you to the area most relevant to you.

Please be sure to read this before submitting information to us so that you can make a fully informed decision as to whether you share your PI with us.

WHAT IS PERSONAL INFORMATION?

Personal Information (PI), or Personal Data, is information that can be used to identify an individual. It can be obvious things such as your first and last names, home address, email address, telephone number, and job title. However, it can also include information that can indirectly identify you; examples can include your user ID, login and password, profile picture, qualifications, organization name, industry sectors, or any other information which might reasonably be used in combination with each other to identify you.

It does not include information to which the public has access if the disclosure is provided by law, such as official documents.

Sensitive personal information is a subset of PI. As this can be defined differently, Crystalys has brought together all of these elements to give the broadest definition. We therefore treat an individual's:

  • Racial or ethnic origin,
  • Political, religious or philosophical beliefs and union membership,
  • Data concerning health,
  • Genetic data,
  • Biometric data for the purpose of uniquely identifying someone,
  • Precise geolocation,
  • Mail, e-mail and text messages (unless from our employees within their role with us)

as sensitive information, including, but not limited to, whether we collect it in the first place, to whom we share it with and how we secure it.

How and what information is collected, and for what purposes

In general terms we collect personal Information:

  • Directly from you, such as when you contact us, are enrolled in a clinical trial or apply for a position within our organization
  • Through our website
  • From health care organizations (e.g., physician practices, hospitals, clinics, pharmacies)
  • From contract research organizations and clinical trial investigators
  • From government agencies or public records
  • From third-party service providers, or business partners such as recruiters and employment websites
  • From web research, social media and public sources
  • The organizations with which you are employed or affiliated
  • When you visit or interact with our clinical trial software or mobile apps or those services outside of a clinical research trial, we may collect information that identifies or is capable of being associated with you directly or indirectly from your operating system and platforms.
  • From service providers, consultants/contractors for procurement of services
  • From clinical sites for regulatory and clinical compliance

Personal and business contact information

We collect this information which you provide voluntarily via the website. This may be when you submit a query through, for example, the ‘Contact Us’ form.

We may use this information:

  • To communicate with you,
  • Providing you with information you request related to Crystalys,
  • Employment purposes such as processing a job application.

In some areas the provision of PI is identified as necessary to complete the task you have requested, for example, requesting your contact details in order to respond to a query. However, the decision to submit any data is entirely voluntary, and we aim to provide you with knowledge and opportunities to determine to what extent you share your data with us and for what purposes.

If you decide to opt-in to Crystalys email notifications on our website you will receive information that may include company news, updates or events.

If, at any time, you would like to unsubscribe from Crystalys email notifications,  detailed instructions are included at the bottom of each email.

If you submit a job application via our website, or through other means, we will retain your information in line with Crystalys’s personal data retention policy and it will be used in line with the sections relevant to you below.

Health related data

Crystalys collects health related information, often termed as Personal Health Information (PHI), only when it is voluntarily provided directly from you or someone who has your permission or a responsibility to do so, for example, your healthcare professional.

We may use this information to:

  • Conducting clinical trials to develop new medicines and to show that those medicines are safe and effective. Initially, when you first show interest in a clinical trial, we will collect only sufficient data to determine if your medical history would be suitable for the trial in question.

If your eligibility for the trial is confirmed you will be asked to provide further information to us. Giving your consent to a clinical trial is also a medical ethics issue, and Crystalys ensures that information will be at hand for you to base that decision on before making your decision whether to give your consent. This is in the form of an informed consent form or patient information sheet about the clinical trial.

For Data protection purposes, we additionally aim to make sure that it is clear that you have agreed to allow us to process your personal information, including sensitive information, within these forms. They will therefore also say what we will do with the data and why we need it.

Your personal information is then processed by one or more organizations acting on our behalf. These organizations may be located in the European Economic Area (EEA), United Kingdom (UK), United States (U.S.), or another country. The data is collected, processed, and stored electronically; in some cases, in paper records which will be kept confidential and secure. For more information on who this information is shared with and why see below.

Healthcare Professionals, employees, CONSULTANTS, CONTRACTORS, and service Providers

As a healthcare professional, employee , consultant, contractor, and services provider of Crystalys throughout the E.U., we may collect some or all of the following personal information about you:

  • General information: name, postal and/or email address, phone number, date of birth and other information such as photographs, digital imagery and sound recordings, payment-related information, government issued identification (e.g., driving license, passport, tax identification number), agreements made with Crystalys.
  • Professional information: such as a job title, educational information, professional qualifications, prescribing history, work experience, medical/professional licenses, curriculum vitae (CV), networks and affiliates, programs and activities participated in, publications authored or co-authored, awards, board memberships, professional conference, attendance at events and employment status.
  • Assessment information: such as internal assessments, feedback and evaluations, classifications or performance ratings of your professional activities and outcomes.
  • Financial information: such as your bank details so that we can pay you for your expenses, or other compensation, this could also include collecting information to validate or make claims for any required insurances.
  • Other information: we may be required to collect and process other personal information as required by law. An example is financial disclosure information to comply with the U.S. Food and Drug Administration regulation, 21 CFR Part 54.

User information, Cookies and similar technologies

An Internet Protocol (IP) address is a number assigned to your computer by your Internet Service Provider so you can access the Internet. Our web server captures the IP addresses of each connection to our website and the specific web pages, resources and files visited during that connection.

We may use what are commonly known as cookies, as well as other similar technologies. Simply put, Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work as intended, or be more efficient, as well as to provide information to the owners of the site. Cookies can be divided into three broad categories:

  • Strictly necessary cookies that are essential for you to properly use the site and cannot be switched off. For example, they allow you to save your personalization settings (choice of language, presentation of a service, diagnosing problems with our server, reporting aggregate information, determining the fastest route for your computer to use in connecting to the website etc.).
     
  • Functional cookies are used to collect information about how visitors use our website, which is then used to improve our website performance.  They include analytics and performance cookies that are used to collect information about website traffic and how users use the site. For example, the information gathered may include the number of visitors to the site, the websites that referred you, the pages you visited, the time of day and duration you visited, whether you have visited before, and other similar information.

The information is collected and processed in a way that does not directly identify anyone as once the information is collected the IP address and browser details of a visitor is assigned an alternative code that changes every 24 hours. The IP address and specific browser details are immediately forgotten and never stored.

Although the IP address and related information collected is stored in the server log files, no individual is authorized to access those files for any purpose other than system maintenance.

Laws and regulations governing the processing of your Personal Information

Crystalys processes your PI as permitted by law. In some areas (for example, the European Union) this means that we must define the legal basis as described below:

  1. Some of the PI collected will be processed to meet legal obligations, for example, around safety reporting in relation to the protection of health or for employment purposes. As the processing will involve special category health data, Crystalys provides suitable and specific measures to safeguard your rights.
  2. Crystalys may also use the PI collected in the public interest purposes compatible with public health during the clinical trial but not specified within a specific legal obligation. In this instance, there is a legitimate interest of Crystalys in processing your Personal Information as there is potential for new knowledge about medical conditions; thereby improving the quality of life for a number of people. We will consider the reasonable expectations you have in allowing your information to be processed in relation to the clinical trial and ensure that the manner in which we collect and use the PI is proportionate to the aim pursued, respects the essence of the right to data protection, and we will provide suitable and specific measures to safeguard the fundamental rights and the interests of you as a data subject.

Throughout the clinical trial Crystalys will assess the balance of your interests with our own to ensure that we do not override yours. If we do, the reasons will be explained to you. (See the section labelled “YOUR RIGHTS AND CHOICES ABOUT YOUR PERSONAL INFORMATION”).

  1. An additional basis for processing your PI would be our legitimate business interests, as Crystalys may obtain financial rewards as a result of the processing. To the extent that we use PI to improve our website or for analyzing statistics, the basis for collection of data is also in our legitimate interest to conduct such improvements and analysis.

As with the preceding points, Crystalys must consider the reasonable expectations you have in allowing your information to be processed (it must be proportionate to the aim pursued, respecting your rights with regard to data protection and providing suitable and specific measures to safeguard them).

  1. The processing of information is in anticipation of entering into engagements or a contractual service with you or your institution or company.
  2. As we outlined in the section on health information, consent is a legal basis for processing PI under global privacy laws and under the comprehensive privacy legislation that is applicable to some states in the U.S. This may also mean using your PHI where required for the vital interests of an individual or yourself.

Crystalys does not knowingly collect any PI from children under 13 years old through this website. However, if the parent or the guardian of a child under 13 believes that the child has provided us with Personally Identifiable Information, the parent or guardian of that child should contact us at [CONTACT INFO], or they can utilize the Data Protection Officer email address below to request the deletion of this information from our files if they reside in the EU.

Anyone under 18 years old should seek their parent's or guardian's permission prior to using or disclosing any PI on this website.

How we keep your data safe and secure

Crystalys takes reasonable steps to protect your personal data as you transmit your information from your computer to our website. We protect it from loss, misuse and unauthorized access and disclosure, its alteration or destruction.

To do this Crystalys adopts appropriate data collection and processing practices, as well as employing security measures during data transmission and storage. We consider the nature, scope, context and purposes of processing, within the limits of current security principles and technologies.

You should keep in mind, however, that no internet transmission is ever 100% secure or error free. In particular, email sent to or from our website may not be secure, and you should therefore take special care in deciding what information you send to us via email.

Sharing personal information

With regards to PHI collected for use in clinical trials we may be legally required to share certain personal information if we are involved in legal proceedings or when complying with legal obligations, a court order, or the instructions of a government authority.

In addition, we will share your personal information with healthcare regulatory authorities.

We may share your personal information with commercial collaborators and authorized third parties (for example, if we sell a medicinal product for which you participated in the clinical trial).

We may sometimes contract with third parties to supply hosted secure database services to us. In some cases, those third parties may require limited access to some of your personal information for the purpose of maintaining that information in the database.

In all these cases, your personal information will remain ‘pseudonymized’ (i.e., we cannot identify you directly by name, address, or hospital number).

At the end of the clinical trial, your study-coded information will form part of a clinical study report that may eventually be made available to regulatory agencies worldwide in order to approve the medicine for general use.

For healthcare professionals, employees, consultants, contractors and service providers, we disclose individual information only as reasonably required within Crystalys and our worldwide affiliates, to pursue our legitimate business aims and as required by law. Appropriate safeguards will be established, where possible, to protect your information.

As a sponsor of clinical trials we may also disclose your PI to third parties such as public/regulatory authorities/governmental bodies (including social and benefits departments), third parties that provide services to us (such as conducting audits, IT services, assisting in our clinical trials and studies, or health care compliance activities), business partners and collaborators (such as external scientists).

In addition, we may disclose personal information about you (a) if we are required or permitted to do so by law or legal process, for example due to a court order or a request from a law enforcement agency, (b) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (c) in connection with an investigation of suspected or actual fraudulent or other illegal activity, and (d) in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation).

Crystalys does not and will not sell, trade, or otherwise transfer to third parties your PI for their own direct marketing use unless it provides clear notice regarding this and obtains your explicit consent for your data to be shared in this manner.

With regards to the strictly necessary cookies outlined above, when you use our website you are accepting that your PI can be transmitted to our website hosting and editing partners and other sub-contractors who assist Crystalys in providing this service, so long as those sub-contractors undertake to process the information only according to our instructions and to comply with the applicable law regarding the protection of personal identification information.

With regard to the cookies, you will have voluntarily accepted any sub-contractors that undertake to process the information; they do so only according to our instructions and in compliance with applicable laws.

In addition, Crystalys may transfer PI to third parties in the event of sale or transfer of all or substantially all of its shares or assets, in cases of mergers or in case of negotiations with respect to the foregoing.

Crystalys may also transfer PI to its service providers and subcontractors in order to keep you up to date on any information you may like to hear about either from Crystalys or from its business partners if you have opted for these types of communications.

Crystalys may release PI when it is necessary to comply with valid legal processes such as a warrant, a subpoena, or other court order if, following a review of the request and if it believes it is lawful, that it is reasonably necessary to comply with (for example, it does not ask for too much information).

Crystalys may transfer PI to third parties to investigate or respond to a complaint or security threat and to defend itself against third party claims and assist in fraud prevention or investigation.

Data retention

Crystalys takes all reasonable measures to ensure that your PI is processed for the minimum period necessary for the purposes set out in this Privacy Notice and consistent with the reason(s) for which it was first collected.

Under international and national regulations governing clinical trials, we are required to keep your personal information and study coded information for up to 25 years after the end of the clinical trial or according to our Personal Data Retention Policy.

After this period, your personal information will be irreversibly destroyed or retained for a further period if required by law. You may request a copy of our Data Retention Policy.

PI obtained from healthcare professionals that is required to be kept as key documents under international and national regulations applying to clinical research will be retained for a period of 25 years following completion of clinical development.

For employees, consultants, contractors, and service providers, PI will be retained in accordance with our retention policy, which may be for a period of up to 10 years after the discontinuation of our business relationship with you where applicable laws or regulations require or allow us to do so. For further information, please contact us using the information provided below.

In general PI will be retained by Crystalys according to the following criteria:

  • as long as Crystalys maintains an ongoing relationship with the you (e.g., where you are in receipt of our services, or you are lawfully included in Crystalys’s mailing list as you have not unsubscribed);
  • as long as your PI is necessary in connection with the purposes set out in this Privacy Notice, and for which Crystalys has a valid legal basis as outlined above;
  • with your prior consent, until the expiry of any additional retention period.

Crystalys undertakes to securely delete PI upon expiry of the retention period as described above.

Data accuracy and minimization

We take reasonable measures:

  • to ensure that your PI is accurately kept up to date; and
  • that PI is collected only as needed in connection with the purposes set out in this Privacy Notice.

Your rights and choices about your Personal Information

Crystalys has developed a compliance program designed to enable us to comply with all applicable laws and regulations. We strive to ensure that each person whose PI we process benefits from the following rights within the limits of any contractual or legal obligation:

  • a right to be informed about what PI is being collected relating to you. If you want to know what personal information we have about you, you can ask us for details of that personal information and for a copy of it (if any such personal information is held). This is known as a “Data Subject Access Request” (DSAR);
  • a right of access to the PI collected about you;
  • a right to modify and correct your PI;
  • a right to oppose or restrict the processing of your PI;
  • the right to erase your PI; 
  • and a right to portability of their PI.

For PI processed in relation to clinical trials your personal information is pseudonymized and we cannot identify you directly. Therefore, we recommend you contact your study doctor or healthcare institution if you wish to exercise the following rights. Additionally, if you should withdraw your consent to future processing, this would make it impossible for you to continue in the study.

You have the right to withdraw your consent in a clinical trial at any time, but this will not affect the lawfulness of us processing personal information that was collected before your withdrawal either due to our legal obligations outlined above. Where we process your personal information under our legitimate interests, your right to erasure is limited by our legitimate interest to continue the processing, our legal obligations, our public interest (public health – high standards of quality and safety of health care and of medicinal products, or medical devices), scientific research, historical research, for statistical purposes, or for the establishment, exercise or defense of legal claims.

You can request PI be provided to you or directly transmitted to another organization nominated by you. This will be done in a structured, commonly used, and machine-readable format. However, for clinical trial subjects if we cannot retrieve your personal information because we cannot identify you directly or where it may infringe the privacy rights of other clinical trial subjects, we may refuse your request.

All DSAR and other rights requests should be made in writing and sent to: dpo@crystalystx.com

You can request a form from us to help make your request.

There is not normally any charge for a DSAR and other rights requests. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding or we may refuse your request.

We will provide you with a written response to your request within 30 calendar days of the receipt of your request after having verified your identity. Should there be any delay due to

  • your request being complex or
  • there are multiple requests

We will inform you within 30 calendar days of the receipt of the request.  If appropriate we may extend this period by two further months, but we shall explain our reasons for doing so.  

We may refuse to comply with your request to enforce your rights where;

  • the rights of other persons would be violated,
  • where any other legal exemptions may apply,
  • where your request is not legitimate or applicable,
  • or where it is not in our legitimate interests to the extent allowed by the data protection laws.

If we refuse to comply, we will explain to you our reasons for doing so.

We would encourage you to use our complaints processes with any concerns you have about how your personal information is being handled dpo@crystalystx.com.

However, if you still feel that your personal information has not been handled appropriately according to the law, you can contact a Data Protection Authority and file a complaint with them.

These rights are consistent with Californian residents’ privacy rights under the California Consumer Privacy Act and the General Data Protection Regulation (GDPR) in the EU and UK (see below).

HOW TO CONTACT US OR OUR REPRESENTATIVES TO EXERCISE YOUR RIGHTS and regional specific statements

Crystalys Therapeutics, Inc, (“Crystalys”), a U.S. company with registered office at 12544 High Bluff Dr., #310, San Diego, CA 92130, USA.

The United States of America and State Comprehensive Data Privacy Laws

If you are an American resident and wish to request for us to provide you with your rights, you may submit a request to us through the following ways:

  • By email at dpo@crystalystx.com
  • By postal mail at Privacy Officer (Legal), 12544 High Bluff Dr., #310, San Diego, CA 92130, USA

EUROPEAN UNION AND COMPREHENSIVE Data Privacy Laws

For residents of the EU and UK Crystalys has a Data Protection Officer (DPO) that can assist with your DSARs.  The DPO and/or the EU Data Protection Representative appointed by Crystalys shall be contacted by using the following information:

DPO: MWB Consulting SARL

Address: 1 La Cour, 50210 Belval, France

Email: dpo@mwbconsulting.com

EU Representative: Data Protection Representative Limited (DataRep)

Address: 77 Camden Street, Dublin, D02 XE80, Ireland

Telephone: +44 7904 290 762

Email: info@datarep.com, datarequest@datarep.com

Additionally, any questions about our Global Privacy Notice may be directed to  dpo@crystalystx.com.

Further information about your rights in Europe can also be obtained from your national Data Protection Authority or the Supervisory Authority. A list can be found here: https://digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities. In the UK, the Data Protection Authority is the Information Commissioner’s Office (https://ico.org.uk/make-a-complaint/).

You additionally have a right to lodge a complaint with the supervisory authority from your country of residence, or from the country where you are located when the PI is collected.

International data transfers

With regards to transfers pertaining to EEA/UK residents Crystalys does not transfer PI to any third party country nor to any international organization, except as the case may be on the basis of:

  • where there is an adequacy decision in place, i.e., where the European Commission has determined that there is a comparative level of protection for your data as there is within the EU;
  • where there are suitable Standard Contractual Clauses in place, as issued by the European Commission; or
  • other valid transfer mechanisms under GDPR.
  • Crystalys relies on the first two options the majority of the time.

Changes

Because this policy is subject to change without notice, you should check this Global Privacy Notice regularly for any changes. Crystalys will therefore revise the “last update date” at the bottom of this page. Users acknowledge and agree that it is their responsibility to review this Global Privacy Notice periodically and become aware of modifications.

This Privacy Notice is applicable from August 11, 2025.

Back To Top

We use cookies to give you the best online experience. If you disable the cookies, you may not be able to access some parts of the website. It may also not work as intended. You can find out more about how to manage and delete cookies by visiting www.allaboutcookies.org. Your use of this site is subject to our posted Terms of Use. Please also see our Privacy Notice.

I agree to the Terms of Use.