Privacy Policy

(Effective: April 1, 2023)

I. INTRODUCTION

Mersana Therapeutics, Inc. (“Mersana” or the “Company”) is a biopharmaceutical company specializing in the discovery and development of antibody-drug conjugate (ADC) therapies to treat patients fighting cancer. In the course of pursuing its mission of developing new ADCs, Mersana may collect, process, store, share, use and analyze personal information of various individuals, including patients, vendors and healthcare professionals. The Company is committed to (a) complying with the evolving legal and regulatory standards for privacy and data protection applicable in the countries and regions where it conducts its activities, and (b) managing its data processing activities in a manner that promotes and protects the privacy rights of individual data subjects.

II. SCOPE AND DEFINITIONS

This Privacy Policy (the “Policy”) applies to all Personal Information (as defined below) collected, processed, stored, shared, used or analyzed by the Company in the context of its various business activities.

A.  Definition of Personal Information – What is Personal Information?

Personal Information” means all information that relates to an individual (also called a data subject) or information that can be used to identify a person, both directly (e.g., name or photograph) and indirectly (e.g., a medical insurance number, position in a company, or a study code assigned in a clinical trial).  In some countries, Personal Information may also include information such as medical device serial numbers, biological samples, internet protocol addresses, or information relating to a company.

B.  Data Subjects – Who are the Data Subjects?

Mersana processes Personal Information from the following data subjects in a fair and lawful manner:

  1. Prospective, Current and Former Clinical Trial Patients’ Personal Information.  To enhance privacy, data subjects’ names and other direct identifiers are not attached to records or samples collected by Mersana for research purposes. Instead, data subjects are only identified by a code.
  2. Healthcare Professionals Personal Information.  Mersana analyzes the professional profiles of doctors and other healthcare providers for the purpose of identifying potential investigators and ultimately to contract with certain investigators to assist in laboratory, clinical and medical research with regard to Mersana’s product candidates, across indications and patient populations.  The Company also occasionally engages in other kinds of research and development collaborations with healthcare providers. Across all these interactions, Mersana may generally collect and process the Personal Information of healthcare professionals for the purposes of executing the specific activities required by their respective agreements, to assist in laboratory, clinical or medical research and other aspects of product candidate development.
  3. Employees’ and other Personnel Personal Information. Mersana collects and processes employees’ Personal Information to fulfil its legal obligations to its employees, which may include the payment of wages and provision of employee benefit programs, and to track and assess employee performance. The Company also processes Personal Information of job applicants, or to a certain extent, ex-employees, as appropriate. Mersana also collects and processes the Personal Information of other personnel that it engages as part of its business activities. These individuals include, without limitation, actual and prospective directors, officers, consultants and contractors.
  4. Vendors’ Personal Information. Mersana interacts with various third parties and needs to record certain Personal Information of their staff to be able to conduct activities together.
  5. Web Visitors Data.  Mersana may collect Personal Information about visitors to the Company’s website(s) through the voluntary provision of information by the data subject, e.g., where a data subject applies for a job opening via the Company’s website or submits a request for research, scientific or medical information about the Company’s product candidates.  Through the use of cookie-based technologies, Mersana may collect various data linked to virtual identities allocated to visitors when they access the Company’s website(s). See Section III(D) below.

In the event Mersana tracks, collects or otherwise processes Personal Information from its website(s) in the future, the Company will not collect or maintain personally identifiable information for marketing, advertising or resale purposes, will not share any web visitor’s personally identifiable information with any other company or organization, except to the extent that any sharing is required.

C.  Categories of Personal Information collected – Which types of Personal Information?

Mersana collects various types of Personal Information that may include:

  • Identifiers, such as title, name, address, phone number, email address, username, social security number, government identification (e.g., driver’s license, passport), photo or image, login credentials, answers to security questions, medical license number, and internet protocol address(es);
  • Financial information, such as banking or credit card details;
  • Demographic information, such as nationality, ethnic origin, or gender;
  • Internet or other electronic network activity information, such as website navigational data, the name of the domain and host from which one accesses the internet, the browser software used and operating system, the date and time the Company website(s) or networks were accessed, and the internet address of the website from which one directly linked to Company website(s) or networks;
  • Professional or employment-related information, such as professional experience, professional qualifications, professional organization membership status;
  • Educational information, such as academic background or other educational interests. 

Company may also collect other information that is not Personal Information, such as business, company or institutional information.

In addition, for certain research and development activities, Mersana may collect information regarding patients’ medications, medical state and history and other healthcare-related information (collectively, “Health Information”), from individuals directly or indirectly from a third party (e.g., a clinical research organization supporting the Company’s clinical trials).

III. COLLECTION AND PROCESSING OF PERSONAL INFORMATION

A.  Principles – How does Company collect and use Personal Information?

Where mandated by applicable data privacy laws or regulations, Mersana will seek the consent of data subjects to collect, process, store, share, use and/or analyze their data consistent with the relevant privacy notice. Specific requirements may vary by jurisdiction.

As required by applicable law or regulation, the Company will:

  • Collect, process, store, share, use and/or analyze Personal Information only in instances where it has legal justification to do so.  For example, Mersana guidelines or local laws may require explicit consent of the data subject prior to the collection of Personal Information (e.g., informed consent for clinical trial participation);
  • Notify data subjects as to how their Personal Information will be used prior to collection of such information;
  • Collect only the Personal Information required for the specified business purpose;
  • Use Personal Information only for the specific business purpose described in the applicable consent form or privacy statement, or for purposes that would be reasonably anticipated by the data subject;
  • Use Personal Information in ways that do not infringe the rights of a data subject, unless and to the extent such use is permissible under applicable law or regulation; and
  • Anonymize or pseudonymize Personal Information where possible or appropriate.

Personal Information may be shared with other Company affiliates, government agencies and third parties on a “need to know” basis for legitimate business reasons or as otherwise allowed or required by applicable law.

To the extent required by applicable law, Mersana will provide an appropriate response to data subjects who exercise their individual rights to: (1) know what Personal Information is being processed, (2) object to processing or withdraw consent to processing, as applicable, and/or (3) request correction, erasure, or suppression of their Personal Information.

Mersana will take commercially reasonable and appropriate measures to protect Personal Information from unauthorized loss, use, access, disclosure, alterations, and/or destruction, taking into consideration the risks involved in the processing and the nature of the Personal Information. 

Company websites may contain links to websites outside of Company. Linked websites are not under the control of or endorsed by Mersana. This Policy does not apply to linked websites outside of the Company. Visitor should review the privacy policy of each individually linked website.

B.  Collection of Data – How is the Personal Information collected?

Mersana may collect Personal Information from the following sources, each, to the extent permissible under applicable law:

  • The Company may collect Personal Information from data subjects through various channels, including the Company’s website(s), in surveys, during business events, and when delivering programs or information to various persons.
  • The Company may provide opportunities to sign up to receive specific programs or information and may ask for contact information (e.g., name, home/contact address, home/contact phone number or personal/contact email address), so that Mersana can send specific information about its product candidates, programs, research or development efforts, with data subjects’ consent.
  • The Company may indirectly collect information about patients’ health condition, diagnosis, and treatment from healthcare professionals, but only where the healthcare professional has obtained consent to disclose that information to Mersana, as required by law.
  • The Company may collect various information from healthcare professionals as part of business, scientific, medical or educational activities, including first name, last name, age, gender, home/contact address, home/contact phone number, medical specialization, professional qualifications, license number and scientific society membership number.
  • When navigating the Company’s website(s), certain passive information may also be collected.  This type of information is used for the purposes of gathering data to provide improved administration of the Company’s website(s) and to improve the quality when interacting with them.
  • The Company may also collect Personal Information about data subjects from third-party sources to supplement information received from the data subjects themselves.
  • The Company may collect Personal Information to enable data subjects to use online social media resources offered either by Mersana or a third party.
    • When using an online social media resource offered by a third-party through or with Mersana, the user acknowledges that the Company may be able to access any information made public through such third-party (such as username, comments, posts and contacts) and other information the privacy settings on such third-party platform permits the Company to access.  Mersana will comply with the terms of this Privacy Policy and the privacy policies applicable to the social media resources it uses.

C.  Use of Data – What will happen to the Personal Information?

Company and its third party-service providers may use Personal Information in a variety of ways, including:

  • Providing programs and information requested by an individual;
  • Administrative purposes;
  • Research, scientific, medical and other development purposes;
  • Any other use in which Mersana has a legitimate interest in pursuing, such as individual or market research, anti-fraud protection, or any other disclosed purpose.

D.  Specific principles for Internet Users

A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions are enabled to the computers of visitors to the Company’s website(s) for the following purposes: to allow the site to deliver the information requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the Company to perform site analytics; and to help tailor information to the visitor based on previous browsing. The Company’s cookies are enabled and controlled by the Company, which is established in the United States. The online relationship with the Company may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set “Do Not Track” as a function. Please note that disabling cookies may prevent a visitor from using certain features on Company websites.

The Company’s website may also contain links to third party websites and applications, such as social media platforms and data capture tools. In addition, the Company’s website is hosted by a third party, GoDaddy.com.  Each of these websites, applications and/or hosting sites are enabled and controlled by third parties, and each may enable and control cookies. They may also collect sensitive information about you, such as location information. This Policy does not apply to, and the Company is not responsible for, the practices of third parties that collect visitor personal information either through their websites, applications or otherwise. We encourage you to review the privacy policies of those third parties to learn about their information practices.

No part of Mersana’s online presence is directed to children.

E.  Transfers of Personal Information – What happens when the Personal Information goes to another country?

Mersana is part of an industry that is increasingly globalized in its approach to life sciences. Personal Information may be shared across international borders as required to support global research and development activities, particularly the conduct of clinical trials. The Company may host Personal Information in databases in different locations throughout the world. Mersana recognizes that many countries have regulations restricting the flow of Personal Information across international borders and will protect the Personal Information during any such transfer, in accordance with applicable laws and regulations.

 F.  Data Protection Impact Assessments

From time-to-time and as required by applicable laws, Mersana will conduct data protection impact assessments (each, a “DPIA”). Criteria for evaluating when a DPIA is appropriate can include the nature, scope, context and purposes of the data processing, whether new technology is being used for the processing, and whether the processing is likely to result in a high risk to the rights and freedoms of natural persons. A single DPIA may address a set of similar processing operations that present similar high risks.

 IV.  Contact

If you want to ask Mersana a question about this Policy, or otherwise exercise your rights with respect to your Personal Information, you may contact Mersana by sending an electronic communication to privacy@mersana.com. Alternatively, communications, queries, requests or complaints should be sent in writing to the attention of Mersana’s Privacy Office, c/o Chief Legal Officer, Mersana Therapeutics, Inc., 840 Memorial Drive, Cambridge, MA 02139.