1. ABOUT US
Wren Therapeutics Limited is a company registered in England and Wales under company number 10054518 ("Wren" / "we" / "our" / "us"). Our registered office is at Clarendon House, Clarendon Road, Cambridge, CB2 8FH, UK. Wren is the data controller in respect of your personal data. This means that we are responsible for deciding how we hold and use personal data about you. This policy applies to personal data we collect from you, or that you provide to us when using our website http://www.wrentherapeutics.com/ or otherwise interacting with us.
2. WHAT INFORMATION WE COLLECT AND HOW WE WILL USE IT
The information we collect depends on the context of your interactions with us and our website. It also depends on the choices you make, for example, the functions you use and your privacy settings. You may choose not to provide certain information but if you do, and that information is necessary to provide a particular feature, then you may not be able to use that feature. We will only use your personal data where we have a valid lawful basis to do so.
The table below summarises what information we collect about you, explains how we intend to use it and what our legal basis is for using it. Some of the reasons for processing set out in the table above will overlap and there may be more than one legal basis for our use of your personal data.
|What information will we collect about you?||How will we collect information about you?||Why are we processing information about you?||What is our legal basis for processing information about you?|
Name, job title, address, email address and phone number
Feedback, questions and other information you provide when you contact us
Collected when you contact us with an enquiry, meet us, (including at an event), sign up for email updates on our website, and wish to receive further communications from us, or otherwise correspond with us.
To perform essential business operations
To deal with enquiries and correspondence and to discuss future collaborations or other opportunities with Wren.
To communicate and personalise communications with you regarding information that you request from us
To send you, with your consent, news updates, press releases and notifications.
To enable us to pursue our legitimate interests, and, subject to any necessary consent, to market the company to you.
|Name, job title, address, email address and phone number, payment information, name, address, email address and phone number, correspondence, associated records.||Collected from you or received from relevant third parties. Collected when we place an order for your goods or services (including in proposal documents or emails between us).||
To complete any transactions we have entered into with you to provide us with goods or services.
|To pursue our legitimate business interests, (as applicable) where necessary to comply with our legal obligations and/or where necessary to perform our contractual obligations and/or to take steps in advance of entry into a contract.|
|Name, contact details, job title, areas of interest and other biographic details including details of patents and your contribution to our work or the work of others in relevant fields||Collected from you, identified from public registers, documented in internal or collaboration work.||To undertake our own R&D activities, to maintain awareness of the activities of others in the fields in which we operate and/or to discuss future collaborations or other opportunities with us.||To pursue our legitimate business interests, in particular our R&D activities, and/or where necessary in connection with actual or potential future legal claims.|
Device and usage data including IP addresses and device identifiers
Device event information including crash logs, hardware settings, browser type and browser language
Automatically collected and stored in our server logs when you interact with our website
Collected from IP address, GPS and other sensors
To improve user experience of our website, for example to offer you tailored content
Protect security of our website and to prevent fraud
To enable us to pursue our legitimate interests to:
|Anonymised usage data including navigation history, actions taken on our website, session duration and any errors||Collected using Google Analytics cookies||
To improve user experience and performance of our website, for example to offer you tailored content
Protect security of our website and to prevent fraud
To enable us to pursue our legitimate interests to:
and/or (where required) subject to your consent.
|Name, contact details, vehicle registration details, entry and exit times, CCTV images, special needs/requests data||Collected from you when visiting our premises and/or from our own systems and processes.||To assist us with keeping our site secure and complying with our health and safety obligations and to assist with any accommodations or requests made of us.||To pursue our legitimate interests in relation to site security and to prevent crime and/or where necessary to comply with legal obligations.|
|Personal data associated with contracts||Present on the contract documents themselves and/or associated documents.||Any purpose necessary in connection with performance of the contract and, as necessary, holding the contract and associated documents in archive.||As applicable: where necessary in relation to our performance of our contractual obligations; where necessary for the establishment, exercise and defence of legal claims; and/or in connection with our legitimate business activities.|
|Personal data associated with patents, lab books, other R&D data and documents and any associated correspondence||Collected from the individual, provided by third parties and/or generated by us.||In connection with our R&D, commercial and intellectual property strategies and possible/actual legal claims.||To pursue our legitimate business interests and/or where necessary in connection with the establishment, exercise and defence of legal claims.|
More about the information we collect and why
Where consent is required for our use of your personal data we will ask you to positively opt-in. For example, we will only send you news updates and press releases if you have consented by signing up through the contact form on our website and you may withdraw this consent at any time. To amend these preferences or withdraw your consent, simply click the “unsubscribe” link present in emails you receive via our Mailchimp mailing list system or please contact us by email at firstname.lastname@example.org.
3. CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal data without your knowledge or consent, in compliance with the above provisions, where this is required or permitted by law.
4. AUTOMATED DECISION-MAKING
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
(a) where we have notified you of the decision and given you 21 days to request a reconsideration;
(b) where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights; and
(c) in limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal data, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
5. SHARING YOUR INFORMATION
5.1 We may share your personal data as necessary with selected third party service providers and other companies within our group that support us in the performance of the activities set out in the table above.
5.2 We may transfer your personal data outside the European Economic Area (EEA) including to the USA and other jurisdictions in connection with our operations and as necessary for the performance of any contract that we may have with you. Wren consultants, board members and other employees may also access personal data from outside the EEA using our IT systems. If we do share your personal data in these ways, we will ensure that your personal data receives an adequate level of protection and is treated in a way that is consistent with EU and UK laws on data protection.
5.3 We may also share your personal data with other third parties, for example with service providers (such as payment services providers, credit reference agencies, IT solution providers and any of our suppliers and sub-contractors who process data on our behalf in order to assist us with our business activities) or in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or otherwise to comply with the law.
5.4 We require all our third party service providers and all other companies within our group to take appropriate and stringent security measures to protect your personal data in line with our policies. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.
Why might you share my personal data with third parties?
We may share your personal data with third parties where required by law or where we have another legitimate interest in doing so that is not overridden by your interests and fundamental rights. For example, to protect our customers or to operate and maintain the security or our computer systems.
Which third party service providers process my personal data?
The following third party service providers process personal data about you for the following purposes:
Analytics and search engine providers – We use Google Analytics to collect standard internet log information and details of visitor behaviour patterns. We do not make and do not allow Google to make, any attempt to find out the identities of those visiting our website.
IT solutions providers – We use Onespace Media to manage and host our website.
6. STORING YOUR INFORMATION
6.1 The personal data that we hold about you will either:
a) be processed and stored within the European Economic Area;
b) be processed and stored outside the European Economic Area (EEA) to the US by a third party provider. We will take all steps reasonably necessary to ensure that your personal data receives an adequate level of protection and is treated in a way consistent with EU and UK laws on data protection. To ensure that your personal data does receive an adequate level of protection we have put in place the following appropriate measure to ensure that your personal data are treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: our marketing provider Mailchimp has signed up to the EU-US Privacy Shield. If you require further information about this you can request it from Gemma Marlow, Data Protection Officer at email@example.com.
6.2 We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting obligations.
Personal data obtained through the contact form on our website will be held until the data subject 'unsubscribes ' to receiving communications from us via the Mailchimp email or by emailing the request to firstname.lastname@example.org, or after 12 months if the subscriber is not opening our communications.
Unless we inform you otherwise (or you request that we erase your personal data) we will retain your personal data for as long as we continue to be in contact with you and for a period of time after that is necessary for legal purposes. For any personal data that we retain relating to agreements, we will retain the personal data for the duration of the agreement and thereafter for a certain period of time depending on the nature of the agreement. We will periodically review personal data that we have in our possession to ascertain whether it should still be retained. In some circumstances, we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
7. KEEPING YOUR INFORMATION SECURE
7.1 All information that you provide to us is stored on secure servers. We have put in place appropriate measures to protect the security of your information.
7.2 The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our site and you acknowledge that any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or inadvertent disclosure.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
8. YOUR RIGHTS
8.1 You have the right under data protection laws to access information held about you, subject to certain conditions, and to request its rectification or deletion.
8.2 If you would like to access, update or amend the information which we hold about you or would like us to stop using your personal data please contact Gemma Marlow, Data Protection Officer at email@example.com.
Your rights in connection with your personal data
By law, you have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction or erasure of your personal data (unless we have the legal right to retain it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
- Change your data processing preferences at any time. If you have changed your mind you can contact us by email at firstname.lastname@example.org, and in respect of marketing messages, you can unsubscribe by using the “unsubscribe” link at the bottom of our marketing messages.
You should be aware that if you ask us to stop processing your personal data in a certain way or erase your personal data, and this type of processing or data is needed, for example, to facilitate your use of the website you may not be able to use the website as you did before. This does not include your right to object to direct marketing, which can be exercised at any time without restriction.
If you want to exercise any of the above rights, please contact us by emailing us at email@example.com.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data are not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where we are relying on your consent as the legal basis to process your personal data for a particular purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Gemma Marlow at firstname.lastname@example.org. Once we know that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Withdrawal of your consent will not affect the lawfulness of processing based on consent before the withdrawal.
9. ABOUT COOKIES
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
10. COOKIES USED BY US AND OUR SERVICE PROVIDERS
10.1 Wren does not directly use or store any cookies when you visit or use our website.
Please also refer to the table in section 2 of this policy referencing cookies used on our website.
11. MANAGING COOKIES
11.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
a) https://support.google.com/chrome/answer/95647 (Chrome);
d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
11.2 If you wish to turn off anonymous Google Analytics cookies: You can install a Google Analytics browser “plug in” to prevent the website sending information about your visit to Google Analytics. For further information please visit: www.google.com/analytics/learn/privacy
11.3 Blocking all cookies will have a negative impact upon the usability of many websites.
11.4 If you block cookies, you will not be able to use all the features on our website.
12. OTHER WEBSITES
14. HOW TO CONTACT US AND COMPLAINTS
If you are still not happy, you have the right to make a complaint to the Information Commissioner’s Office; see https://ico.org.uk/global/contact-us/.