Privacy Policy

Last Updated on November 24, 2025 

This Privacy Policy describes the practices of Arrowhead Pharmaceuticals, Inc. including our service providers and other vendors (collectively, “Arrowhead”, “we”, “us”, or “our”), regarding the collection, use, and disclosure of your Personal Information (as defined below), including when you visit our websites (the “Websites”) and when you enroll in or inquire about patient support or patient access services. The Privacy Policy also describes your privacy rights in connection with Personal Information we collect about you, including the rights of residents of California, Connecticut, Texas, and Nebraska, and individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”). For purposes of EEA and UK data protection laws, we are the controller of Personal Information processed in the context of this Privacy Policy.

Click here to see our separate Consumer Health Data Privacy Notices applicable to residents of Nevada and Washington state.

This Privacy Policy will not apply to Personal Information collected and processed by us:

• should you participate in a clinical trial that we sponsor or report adverse medication effects;
• if you are a healthcare professional and the processing of your Personal Information falls within scope of the Privacy Notice for Healthcare Professionals;
• should you apply for a job with us; or
• in the course of your employment with us.

By accessing the Websites, you agree to our Terms of Use, including the collection and use of your Personal Information as described in this Privacy Policy. However, this does not equate to consent for the processing of your Personal Information for purposes of EEA and UK data protection laws.

For purposes of this Privacy Policy, “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The term does not include aggregated information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.

Notice at Collection: Personal Information We Collect

We collect the following categories of Personal Information:

• Personal identifiers: Name, email address, home address, telephone numbers, IP address. *Additionally, governmental ID information, date of birth, social security number, signature
• Protected class information: Gender, race or ethnicity, age over 40
• Health information: Health conditions or diagnosis*; medications prescribed
• Insurance information: Health insurance information
• Financial information: Bank account and payment information; financial information used to verify income or account balance information (for patient access programs)
• Commercial information: Records of products considered or purchased; other purchasing or consumer histories or tendencies
• Internet and other electronic activity information: Device and browser type and version, operating system; your use and interaction with our Websites and other sites,*
• Professional information: Job title and related information, information about your employer,*
• Audio, visual and electronic information: recordings of calls made to patient support service lines and medical information phone lines; patient testimonials via video or recordings of live testimonials
• Inferences generated from the foregoing categories of Personal Information*

Of these categories of Personal Information, the following may constitute “Sensitive Personal Information” under applicable data privacy laws:  Personal identifiers: Governmental IDs; Social Security number; Health information. 

With respect to the categories of Personal Information listed above that are marked with an asterisk (*), we have collected the same categories of Personal Information in the 12 months prior to the date of this Privacy Policy. We have only recently started to collect the other categories of Personal Information. 

Notice at Collection: Purposes for Collection of Personal Information

Set out below is a description of how we use your Personal Information (referred to as “processing purposes” below), and, for individuals located in the EEA or the UK, we explain which of the legal bases we rely on for each processing activity, where applicable.

Categories of Personal Information	Processing Purposes	Legal Basis (where you are located in the EEA or the UK)
Personal identifiers; protected class information; financial information; health information; audio information	To provide our patient support services and patient access services: including to provide care coordination services, reimbursement support, and other patient support services	Not applicable; U.S. only
Personal identifiers; internet and other electronic activity information	To provide you with information concerning Arrowhead: provide news and notify you about changes to our Websites and/or the services and products we provide. You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may not opt-out of service-related communications (e.g., updates to features of the Website, technical and security notices).	For service-related communications: To pursue our legitimate interests to operate our business, and to manage and administer our relationship with you. For direct marketing communications: With your consent (to the extent required by applicable law). Where required by applicable law, we use a double opt-in mechanism (i.e., in the sign-up form and in the follow-up email that verifies consent) to ensure valid consent.
Personal identifiers; health information; internet and other electronic activity information	Direct advertising and marketing via an online form submission. With your consent, to provide you with information about the services and products we provide. Where required by applicable law, when you voluntarily provide your Personal Information via an online form on the Website, we will send you a confirmation email requiring you to confirm your agreement to receive marketing communications (double opt-in) and only after confirmation will you begin receiving marketing communications. You can withdraw your consent at any time and stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications or by contacting us. You may not opt-out of service-related communications (e.g., updates to features of the Websites, technical and security notices).	With your consent (to the extent required by applicable law).
Personal identifiers; internet and other electronic activity information; commercial information; health information; audio, visual, and electronic information; inferences	Additional advertising and marketing: conduct marketing and advertising, and analytics	Not applicable; U.S. only
Personal identifiers; internet and other electronic activity information	Personalization: administer, analyze, improve and personalize our Websites (including, testing, trouble-shooting and research)	To pursue our legitimate interests to provide the Website and process Personal Information to see if and how our Websites can be improved, so that we can offer you a better user experience in the future.
Personal identifiers; internet and other electronic activity information	Network and Information Security: to ensure network and information security, including monitoring users’ access to our Website for the purpose of preventing cyber-attacks, unauthorized use of our systems and Websites, prevention or detection of crime and protection of Personal Information.	To pursue our legitimate interests to ensure our systems / Websites are secure and that individuals are using our systems / Websites correctly and in compliance with our Terms of Use.
Personal identifiers; internet and other electronic activity information; professional information	Transactions with other businesses: to engage in business transactions with entities we do business with any market to or engage in diligence with those entities	To pursue our legitimate interests to administer the management of our business.
Personal identifiers	Transactions: To enable any due diligence and other appraisals or evaluations for an actual or proposed merger, acquisition, financing transaction or joint venture contemplated by Arrowhead.	To pursue our legitimate interests to administer the management of our business.
Personal identifiers; internet and other electronic activity information	Legal Claims: To defend and enforce our rights including, against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests.	To comply with our legal obligations. In such cases, if you do not provide this Personal Information when requested, we may not be able to comply with our legal obligations and we may have to terminate our relationship with you. To pursue our legitimate interests to enforce or defend our rights and interests.

If you are located in the EEA or the UK: You have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.  

Notice at Collection: Categories of Personal Information We Sell or Share or Use for Targeted Advertising

When we engage in digital advertising in the United States, we may sell the following categories of Personal Information (according to the broad definition of “sell” under select state privacy laws), share them for purposes of cross-context behavioral advertising, or use them for targeted advertising: personal identifiers (including IP address, mobile advertising IDs), health information, and internet or other electronic activity information, and inferences we may make about you.

These categories of Personal Information are sold to or shared for cross-context behavioral advertising or targeted advertising with advertising networks, data brokers and other companies that facilitate or engage in digital advertising. We engage in such sales and sharing to facilitate personalized advertising, including to advise you about new treatment options and other products and services. We do so by allowing third parties to place cookies or other tracking technologies on our Websites and in our advertisements which may collect information about your interactions with our Websites, advertisements, and your online activities over time and across different websites or applications. We may also share information with advertising networks about preferences or interests we have inferred about you. Please note that in some jurisdictions in which we operate, we do not engage in these practices. For more information about the use of cookies and other tracking technologies, see the Cookies and Other Technologies section below.

To opt out of such sales and sharing and the use of your Personal Information for targeted advertising, please email us at dpo@arrowheadpharma.com. 

We do not sell or share for cross-context behavioral advertising or use for targeted advertising any of the other categories of Personal Information we collect.

Notice at Collection: Retention Periods

We retain the categories of Personal Information we collect for as long as we need for a legitimate business purpose. The criteria used to determine the retention periods include: (i) how long the Personal Information is needed to provide the Services and operate the business; (ii) the type of Personal Information collected; and (iii) whether we are subject to a legal, contractual or similar obligation to retain the Personal Information (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).

Sources From Which We Collect Personal Information

We may collect your Personal Information through the Websites, your interactions with us and our service providers that provide patient support services and operate patient access programs, our advertisements and emails, and when you voluntarily provide us with your information, including through written, video, or live testimonials. We may also collect your Personal Information from data brokers, ad networks and social media providers, and data aggregators.

Sensitive Personal Information

From time to time, we may use and disclose your Sensitive Personal Information to create profiles or infer characteristics about you so that we can let you know about products or other company information that we believe will be of interest to you. Residents of California, Connecticut, Texas and Nebraska can direct us to not use such data for those purposes by emailing dpo@arrowheadpharma.com.  

No Profiling to Facilitate Decisions with Legal or Other Significant Effects

We do not engage in the automated processing of Personal Information to create profiles about individuals that are used in furtherance of decisions with legal or other similarly significant effects, such as the provision or denial of medical services; financial or lending services, housing, insurance, or access to essential goods or services.

Cookies and Other Technologies

We may collect certain Personal Information referred to in this Privacy Policy through the use of “cookies” and other similar technologies.  Cookies are small, sometimes encrypted, text files that are stored on computer hard drives by websites that you visit. They are used to help users navigate websites efficiently as well as to provide information to the owner of the website, and for digital advertising.  For detailed information on the cookies we use on the Websites and the purposes for which we use them, please see our Cookie Policy.

Additionally, we use Google Analytics to evaluate the use of our Websites. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what webpages they visit on a website, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects Personal Information, please see Google’s Privacy Policy.

Disclosure of Your Personal Information For Business Purposes

The following chart describes the categories of Personal Information we disclosed to service providers (processors) for business purposes in the 12 months prior to the date of this Privacy Policy:

Categories of Personal Information	Categories of Service Providers to Which We Disclosed Personal Information
Personal identifiers: Name, email address, home address, telephone numbers, IP address	Service providers that manage website visitor information, facilitate email communications, provide security services and cloud-based data storage, host our Websites and assist with other IT-related functions, market our company, provide analytics information
Internet and other electronic activity information: Device and browser type and version, operating system; your use and interaction with our Websites	Service providers that manage website visitor information, facilitate email communications, provide security services and cloud-based data storage, host our Websites and assist with other IT-related functions, provide analytics information
Professional information: Job title and related information	Service providers that facilitate communications
Inferences	Service providers that assist with analytics, marketing and advertising other than cross-context behavioral advertising

Business Purposes for Disclosures of Personal Information

We may disclose Personal Information for the following business purposes: to facilitate email communications; manage contacts; work with vendors and suppliers; manage our Websites, operate our IT systems and secure our systems; prevent fraud and other illegal activities; for marketing and analytics. We also permit our service providers to have access to certain types of Personal Information to provide patient support and patient access services and for analytics.

We may also disclose Personal Information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We may also disclose your Personal Information to third parties to help detect and protect against fraud or data security vulnerabilities.  We may transfer your Personal Information to a third party in the event of an actual or contemplated sale, merger, reorganization of our entity or other restructuring.

Deidentified Information

We may have access to deidentified information for our internal analytics purposes. We will not attempt to reidentify this information. 

Security

We take reasonable steps, consistent with generally accepted industry standards, including technical, administrative, and physical safeguards to protect Personal Information we process from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, please note that, as no system is fully secure, we cannot guarantee the security of your Personal Information. 

International Transfers of Personal Information

We are located in the U.S. All Personal Information collected via the Websites will in turn, be processed in the U.S.. Where we disclose Personal Information originating in the EEA/UK to a third party (e.g., a service provider) located outside of the EEA/UK we will as deemed necessary, enter into an appropriate data transfer agreement (e.g., the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Agreement or UK Addendum to the Standard Contractual Clauses) with that third party, seek to rely on the third party’s Binding Corporate Rules or otherwise make the transfer in reliance on a derogation under EEA/UK data protection laws (e.g., where the transfer is necessary for the defense of legal claims). If you would like further information in relation to, or a copy of, the relevant safeguards, you can contact us using the details set out below.

Children’s Privacy

The Websites is not directed to minors under the age of 18.

Third Party Links

Our Websites may contain social media buttons or links to third-party websites, which may have privacy policies that differ from our own. We are not responsible for the activities and practices that take place on those social media platforms or third-party websites.

Your Data Privacy Rights

1.         EEA/UK Data Privacy Rights

If you are located in the EEA or the UK you have the following data privacy rights which may be subject to certain limitations / restrictions:

• The right to request access to your Personal Information;
• The right to request that your Personal Information be corrected or deleted;
• The right to request that we restrict our processing of your Personal Information;
• The right to object to the processing of your Personal Information where it is carried out (i) for our legitimate interests – unless we can demonstrate compelling legitimate grounds for the processing; and/or (ii) for direct marketing purposes;
• The right to withdraw consent to the processing of your Personal Information; and
• The right to request that Personal Information be provided to you or a third party in a machine-readable format.

Please contact us using the details set out below in case you wish to exercise any of the above rights.

You also have the right to file a complaint with the competent data protection authority if you have any reason to believe we have not properly handled your Personal Information or have not respected your rights.

2.         US State Data Privacy Rights

We provide residents of the following states with rights under their state’s privacy law with respect to the Personal Information we may collect about them: California, Connecticut, Texas, and Nebraska. The rights provided under these various state laws are similar in many respects, with some differences from state to state. We list below the rights that may be applicable to our business under these laws:

Right to Know: The right to confirm whether or not we are processing a resident’s Personal Information and to access such data. 

• California’s privacy law gives residents the right to request the following additional information collected since January 1, 2022: Categories of Personal Information we have collected about them; categories of sources from which such Personal Information was collected; categories of Personal Information that the business sold or disclosed for a business purpose about the consumer; categories of third parties to whom the Personal Information was sold or disclosed for a business purpose; and the business or commercial purpose for collecting or selling your Personal Information.

Right to Access / Copy: The right to access or request a copy of the Personal Information we have collected from the resident, subject to certain exceptions.

Right to Delete: The right to request deletion of their Personal Information that we have collected from or about the resident and to have such information deleted, subject to certain exceptions.

Right to Correct: The right to request that we correct inaccuracies in the resident’s Personal Information, taking into account the nature of personal data and purposes of processing such information. 

Right to Limit the Use of Sensitive Personal Information: California’s law gives residents the right to request that we not use or disclose their sensitive Personal Information for inferring characteristics about a consumer or for purposes other than to provide goods and services, protect and investigate fraud and other security-related issues, non-personalized advertising, and similar purposes described in the law.  

Rights to Opt Out: Various rights to request that we stop using the resident’s Personal Information for one or more of the following purposes:

• Sale of Personal Information: The right to request that we stop selling f their Personal Information, consistent with the definition of “sale” in each law.
• Targeted Advertising: The right to request that we stop processing their Personal Information for targeted advertising, subject to exceptions in some state laws. 
• Sharing for Cross-Context Behavioral Advertising: California’s law provides the right to request that we stop sharing Personal Information for cross-context behavioral advertising. 

Right to Revoke Consent: In some jurisdictions or states, we may obtain consent to process or sell Personal Information. If consent has been provided, you can notify us about your desire to revoke consent by emailing us at dpo@arrowheadpharma.com.

Please note, California’s law is the only law that applies to all state residents, irrespective of the context in which they interact with us (e.g., a customer, a business contact, a vendor).  Laws in other states apply only to people when acting in an individual or household context.

Consumer Rights Under U.S. State Consumer Health Data Privacy Laws

We have a separate Consumer Health Data Privacy Notice that relates to rights provided under consumer health data privacy laws in Nevada and Washington state to residents of those states acting in an individual or household context with respect to their consumer health data. Washington’s law may also apply to individuals whose consumer health data is processed in that state. You can access our Consumer Health Data Privacy Notices here.

California Shine the Light

With reference to California Civil Code Section 1798.83, also known as the “Shine the Light” law, we allow California residents to opt out of the disclosure of Personal Information to third parties for those third parties’ direct marketing purposes. To exercise that opt-out option, please email us at dpo@arrowheadpharma.com  

Exercising Your Rights and How We Will Respond

We will respond to requests from residents of states with data privacy laws that apply to us and will do so with respect to the rights that are provided under the requestor’s state law as of the effective date of that law. The laws in some states listed above may not be in effect as of the date of this Privacy Policy.

To exercise rights to know, access/copy, delete, correct, or know third parties to whom Personal Information is disclosed, or to ask a question, contact us at 626-304-3400 or email us at dpo@arrowheadpharma.com or use the contact details set out at the end of this Privacy Policy. 

To exercise the right to limit the use of sensitive Personal Information, submit a request by emailing dpo@arrowheadpharma.com  

To exercise opt-out rights, submit your request by emailing dpo@arrowheadpharma.com  

Opt-out Preference Signals and Do Not Track

An opt-out preference signal is sent by a platform, technology, or mechanism on behalf of consumers and communicates a consumer’s choice to opt out of the sale and sharing of Personal Information for cross-context behavioral advertising with all businesses that recognize the signal, without having to make individualized requests.  The signal can be set on certain browsers or through opt-out plug-in tools. 

We recognize the Global Privacy Control signal for IP addresses from California, Connecticut, Nebraska and Texas and do so at the browser level; This means that if the signal is sent through a specific browser, we will recognize it for that browser only, and only with respect to the identifiers for that browser. If you would like more information about opt-out preference signals, including how to use them, the Global Privacy Control website has such information (https://globalprivacycontrol.org/).

We do not respond to the DNT or “Do Not Track” signal. 

Verification of Identity – Access, Deletion or Correction Requests

We will ask you for identifying information and attempt to match it to information that we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request.  We will notify you to explain the basis of the denial. 

Exercising Your Rights Using Authorized Agents Agents may submit opt-out requests on behalf of individuals under several state data privacy laws; this is not an option that is available under Texas law. California residents can designate an agent to submit all other types of requests. If the agent submits an opt-out request on your behalf, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. Agents can submit opt-out  by emailing dpo@arrowheadpharma.com.  

If you are a California resident and you use an agent to submit other types of requests, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf.  You will also be required to verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request. Agents can submit requests on behalf of California residents (other than opt-out requests) by emailing dpo@arrowheadpharma.com. 

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney.  Any such requests will be processed in accordance with state law pertaining to powers of attorney.

Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination

If you exercise any of the rights explained in this Privacy Policy, we will continue to treat you fairly. 

Changes to Our Privacy Policy

We may revise or supplement this Privacy Policy from time to time. If we make any substantial changes in the way we use or share your Personal Information, we will notify you by posting a notice on our Websites prior to the change becoming effective. We encourage you to refer to this Privacy Policy on an ongoing basis, so you understand our current privacy practices.

Accessibility

To make accessibility-related requests or report barriers, please contact us at peopleservices@arrowheadpharma.com.

Contact Us

Questions, comments and requests regarding this Privacy Policy are welcomed, including requests relating to exercising any of your data privacy rights.