Privacy Policy

Last Updated on February 8, 2024 

Arrowhead Pharmaceuticals, Inc. (“Arrowhead”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy describes our practices regarding the collection, use, and disclosure of your Personal Information (as defined below) when you visit our websites (including arrowheadpharma.com) (collectively, the “Website”) or otherwise provide Personal Information to us.  The Privacy Policy also describes your privacy rights in connection with Personal Information we collect about you, including the rights of California residents and individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”).  For purposes of EEA and UK data protection laws, we are the controller of Personal Information processed in the context of this Privacy Policy.

This Privacy Policy will not apply to Personal Information collected and processed by us:

• should you participate in a clinical trial that we sponsor;
• if you are a healthcare professional and the processing of your Personal Information falls within scope of the Privacy Notice for Healthcare Professionals;
• should you apply for a job with us; or
• in the course of your employment with us.

By accessing the Website, you agree to our Terms of Use the collection and use of your Personal Information as described in this Privacy Policy. However, this does not equate to consent for the processing of your Personal Information for purposes of EEA and UK data protection laws.

For purposes of this Privacy Policy, “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The term does not include aggregated information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.

Notice at Collection: Personal Information We Collect

If you have already submitted your information and would like us to remove it from our files, please contact us at info@arrowheadpharma.com 

Non-personally Identifiable Information is Collected Automatically 

• Personal Identifiers: Name, email address, home address, telephone numbers, IP address.
• Internet and other electronic activity information: Device and browser type and version, operating system; your use and interaction with our Website.
• Professional information: Job title and related information, information about your employer.

We have collected the same categories of Personal Information in the 12 months prior to the date of this Privacy Policy.

Notice at Collection: Purposes for Collection of Personal Information

We collect and otherwise process your Personal Information to provide our Services; to contact you from time to time; to provide you with information about our business; for customer support purposes; to deliver advertisements and marketing promotions; to respond to your inquiries; and to customize your experience while using the Website

We also use Personal Information to monitor or improve our Website and applications; for internal business analysis; to prevent fraud, activities that violate our Terms of Use, or other contracts, or any illegal activities; and to protect our rights and the rights and safety of our users or others.

For those who interact with us in a commercial capacity, we use your Personal Information to engage in business transactions with the entity you represent and market to or engage in diligence with the entities you represent.  

Notice at Collection: No Sale or Sharing Personal Information

We do not sell Personal Information and we do not share Personal Information for use in cross-context behavioral advertising.  

Notice at Collection: Retention Periods

We retain the categories of Personal Information we collect for as long as we need for a legitimate business purpose. The criteria used to determine the retention periods include: (i) how long the Personal Information is needed to provide the Services and operate the business; (ii) the type of Personal Information collected; and (iii) whether we are subject to a legal, contractual or similar obligation to retain the Personal Information (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).

Sources From Which We Collect Personal Information

We may collect your Personal Information through the Website, your interactions with us, and when you voluntarily provide us with your information. 

Sensitive Personal Information

We do not use or disclose sensitive Personal Information under this Privacy Policy to create profiles or infer characteristics about individuals.  

Automated Decision-Making / Profiling

We do not process your Personal Information on the basis of any automated decision-making, including profiling.

Cookies and Other Technologies

We may collect certain Personal Information referred to in this Privacy Policy through the use of “cookies” and other similar technologies.  Cookies are small, sometimes encrypted, text files that are stored on computer hard drives by websites that you visit. They are used to help users navigate websites efficiently as well as to provide information to the owner of the website.  For detailed information on the cookies we use on the Website and the purposes for which we use them, please see our Cookie Policy.

Additionally, we use Google Analytics to evaluate the use of our Website. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what webpages they visit on a website, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects Personal Information, please see Google’s Privacy Policy.

How We Use The Personal Information We Collect

Set out below is a description of how we use your Personal Information (referred to as “processing purposes” below), and, for individuals located in the EEA or the UK, we explain which of the legal bases we rely on for each processing activity.

Categories of Personal Information	Processing Purposes	Legal Basis (where you are located in the EEA or the UK)
Personal identifiers; Internet and other electronic activity information.	To provide you with information concerning Arrowhead: provide news and notify you about changes to our Website and/or the services and products we provide.   You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may not opt-out of service-related communications (e.g., updates to features of the Website, technical and security notices).	To pursue our legitimate interests to operate our business, and to manage and administer our relationship with you. With your consent (to the extent required by applicable law).
Personal identifiers; Internet and other electronic activity information.	Personalization: administer, analyze, improve and personalize our Website (including, testing, trouble-shooting and research)	To pursue our legitimate interests to provide the Website and process Personal Information to see if and how our Website can be improved, so that we can offer you a better user experience in the future.
Personal identifiers; Internet and other electronic activity information	Network and Information Security: to ensure network and information security, including monitoring users’ access to our Website for the purpose of preventing cyber-attacks, unauthorized use of our systems and Website, prevention or detection of crime and protection of Personal Information.	To pursue our legitimate interests to ensure our systems / Website are secure and that individuals are using our systems / Website correctly and in compliance with our Terms of Use.
Personal identifiers	Transactions: To enable any due diligence and other appraisals or evaluations for any actual or proposed merger, acquisition, financing transaction or joint venture contemplated by Arrowhead.	To pursue our legitimate interests to administer the management of our business.
Personal identifiers; Internet and other electronic activity information.	Legal Claims: To defend and enforce our rights including, against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests.	To comply with our legal obligations. In such cases, if you do not provide this Personal Information when requested, we may not be able to comply with our legal obligations and we may have to terminate our relationship with you. To pursue our legitimate interests to enforce or defend our rights and interests.

If you are located in the EEA or the UK: You have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.  

Disclosure of Your Personal Information For Business Purposes

The following chart describes the categories of Personal Information we disclosed to third parties for a business purpose in the 12 months prior to the date of this Privacy Policy:

Categories of Personal Information	Categories of Third Parties to Which We Disclosed Personal Information for Business Purposes
Personal identifiers: Name, email address, home address, telephone numbers, IP address	Service providers that manage Website visitor information, facilitate email communications, provide security services and cloud-based data storage, host our Website and assist with other IT-related functions, market our company, provide analytics information
Internet and other electronic activity information: Device and browser type and version, operating system; your use and interaction with our Website	Service providers that manage Website visitor information, facilitate email communications, provide security services and cloud-based data storage, host our Website and assist with other IT-related functions, provide analytics information
Professional information: Job title and related information	Service providers that facilitate communications

Business Purposes for Such Disclosures

We may disclose the aforementioned categories of Personal Information to the categories of third parties identified above for the following purposes: to facilitate email communications; manage contacts; work with vendors and suppliers; manage our Website, operate our IT systems and secure our systems; prevent fraud and other illegal activities; and for marketing and analytics.

We may also disclose Personal Information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We may also disclose your Personal Information to third parties to help detect and protect against fraud or data security vulnerabilities.  We may transfer your Personal Information to a third party in the event of an actual or contemplated sale, merger, reorganization of our entity or other restructuring.

Security

We take reasonable steps, consistent with generally accepted industry standards, including technical, administrative, and physical safeguards to protect Personal Information we process from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, please note that, as no system is fully secure, we cannot guarantee the security of your Personal Information. 

International Transfers of Personal Information

We are located in the U.S. All Personal Information collected via the Website will in turn, be processed in the U.S.. Where we disclose Personal Information originating in the EEA/UK to a third party (e.g., a service provider) located outside of the EEA/UK we will as deemed necessary, enter into a data transfer agreement (e.g., standard contractual clauses) with that third party, seek to rely on the third party’s Binding Corporate Rules or otherwise make the transfer in reliance on a derogation under EEA/UK data protection laws (e.g., where the transfer is necessary for the defence of legal claims). If you would like further information in relation to, or a copy of, the relevant safeguards, you can contact us using the details set out below.

Children’s Privacy

The Website is not directed to minors under the age of 16. We do not have any actual knowledge that we collect Personal Information from minors. 

Third Party Links

Our Website may contain social media buttons or links to third-party websites, which may have privacy policies that differ from our own. We are not responsible for the activities and practices that take place on those social media platforms or third-party websites.

Your Data Privacy Rights

1.         EEA/UK Data Privacy Rights

If you are located in the EEA or the UK you have the following data privacy rights which may be subject to certain limitations / restrictions:

• The right to request access to your Personal Information;
• The right to request that your Personal Information be corrected or deleted;
• The right to request that we restrict our processing of your Personal Information;
• The right to object to the processing of your Personal Information where it is carried out (i) for our legitimate interests – unless we can demonstrate compelling legitimate grounds for the processing; and/or (ii) for direct marketing purposes;
• The right to withdraw consent to the processing of your Personal Information; and
• The right to request that Personal Information be provided to you or a third party in a machine-readable format.

Please contact us using the details set out below in case you wish to exercise any of the above rights.

You also have the right to file a complaint with the competent data protection authority if you have any reason to believe we have not properly handled your Personal Information or have not respected your rights.

2.         California Data Privacy Rights

If you are a California resident, you may have specific rights regarding your Personal Information, in accordance with California law.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) gives California residents rights described below with respect to their Personal Information.

Your Right To Request Disclosure of Information We Collect and Share About You

We are committed to ensuring that you know what Personal Information we collect. To that end, you can ask us for any or all of following types of information regarding the Personal Information we have collected about you since January 1, 2022:

• Specific pieces of Personal Information we have collected about you;

• Categories of Personal Information we have collected about you;

• Categories of sources from which such Personal Information was collected;

• Categories of Personal Information that the business sold or disclosed for a business purpose about the consumer;

• Categories of third parties to whom the Personal Information was sold or disclosed for a business purpose; and

• The business or commercial purpose for collecting or selling your Personal Information.

Your Right To Request Deletion of Personal Information We Have Collected About You 

You have the right to ask us to delete Personal Information we have collected from you.  We will do so, subject to the exceptions in the CCPA and other applicable laws.

Your Right to Request to Correct Personal Information We Hold About You

You have the right to request that we correct Personal Information we hold that you believe is not accurate. We will take steps to determine the accuracy of the Personal Information that is the subject of your request to correct, and in doing so will consider the totality of the circumstances relating to the Personal Information you have identified as being incorrect. We may ask that you provide documentation regarding your request to correct to assist us in evaluating the request. 

Exercising Your Rights and How We Will Respond

To exercise any of the rights above, or to ask a question, contact us at 626-304-3400 or email us at dpo@arrowheadpharma.com or use the contact details set out at the end of this Privacy Policy.

For requests for access, deletion, or correction we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. 

If we expect your request is going to take us longer than normal to fulfill, we will let you know.

Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination

If you exercise any of the rights explained in this Privacy Policy, we will continue to treat you fairly.  If you exercise your rights under this Privacy Policy, you will not be treated differently than others.

Verification of Identity – Access, Deletion or Correction Requests

We will ask you for identifying information and attempt to match it to information that we maintain about you. 

If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request.  We will notify you to explain the basis of the denial. 

Authorized Agents

You may designate an agent to submit requests on your behalf.  The agent must be a natural person or a business entity that is registered with the California Secretary of State.  

If you would like to designate an agent to act on your behalf, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf.  We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney.  Any such requests will be processed in accordance with California law pertaining to powers of attorney.  

California Shine the Light

California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of Personal Information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.  We do not provide Personal Information to third parties for their marketing purposes.

California Do Not Track (DNT) Signals 

We do not recognize “Do Not Track” (DNT) signals. 

Changes to Our Privacy Policy

We may revise or supplement this Privacy Policy from time to time. If we make any substantial changes in the way we use or share your Personal Information, we will notify you by posting a notice on our Website prior to the change becoming effective. We encourage you to refer to this Privacy Policy on an ongoing basis, so you understand our current privacy practices.

Accessibility

We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at peopleservices@arrowheadpharma.com.

Contact Us

Questions, comments and requests regarding this Privacy Policy are welcomed, including requests relating to exercising any of your data privacy rights.