This Kythera Labs External Privacy Policy (the “Policy”) sets forth our policies and procedures for protecting the privacy of Personal Data, as defined below.
“Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control of Kythera Labs, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
“Customer Data” means any data, information or material originated by Customer that Customer submits to Kythera Labs, collects through its use of the Subscription Services or provides to Kythera Labs in the course of using the Subscription Services.
“Data Controllers” are those entities that determine how and whether Personal Information is processed. Kythera Labs and our Affiliates are Data Controllers for purposes of these procedures.
“Data Processors” are those entities that process Personal Information on behalf of a Data Controller.
“Data Subjects” are the people to whom the Personal Data relates.
“Personal Data” means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Properly anonymized and de-identified or aggregate data is not Personal Data.
“Process” is used very broadly to indicate performing any action on Personal Data, such as collecting, recording, organizing, storing, transferring, modifying, using, retaining, or deleting.
Privacy protection is integral to Kythera Labs’ operation. We take many steps to ensure we do not collect and process Personal Data. Much of the data we work with is fully anonymized prior to entering Kythera Labs’ controlled systems. However, in the course of doing business, we collect Personal Data in a few ways, including from the following:
Kythera Labs’ policy is to minimize the unnecessary collection or use of Personal Data and use anonymized and de-identified or aggregate data wherever possible.
Prior to the collection and processing of Personal Data, Kythera Labs must obtain consent from the Data Subject in a manner appropriate to the context. Most of the time, consent is implied from the circumstances. For instance, when a Data Subject signs up for email updates regarding Kythera Labs news, they expect the information to be used to send newsletters and to communicate with them about product releases, but they would not expect that information to be sold to a third-party for re-targeting purposes. When Personal Data is used in ways that are not reasonably implied from the apparent circumstances, Kythera Labs will seek consent on an opt-in or opt-out basis.
To provide notice and receive informed consent, Kythera Labs will disclose the following before collecting Personal Data when it is not otherwise clear from the circumstances:
Kythera Labs does not need not obtain consent from the Data Subject in the following limited circumstances:
Consent to the collection and use of Personal Data may be withdrawn, subject to contractual and legal restrictions and reasonable notice.
Withdrawal of consent may have consequences, such as no longer being able to provide certain services or communicate in certain ways. In certain circumstances, consent may not be withdrawn with respect to certain necessary uses and disclosures of Personal Data, such as with respect to certain legal and contractual obligations.
Our Personal Data systems are designed to allow for the effective withdrawal of consent. Communications are made subject to opt-out lists maintained by Kythera Labs.
When Personal Data is used, Kythera Labs uses the Personal Data in a way that is compatible with the purposes for which it was collected, or for a reasonably related purpose. If Personal Data needs to be used for another purpose or handled in a way that the Data Subject has not provided consent, Kythera Labs obtains the consent of the Data Subject for the new or different use.
Only Kythera Labs personnel or third parties working on behalf of Kythera Labs with a legitimate business purpose may access or use Personal Data, and even those individuals may access such Personal Data only for legitimate purposes required by their positions.
Kythera Labs has posted this Privacy Policy so that Data Subjects can contact the appropriate person with inquiries or complaints regarding the use of their Personal Data. Kythera Labs makes reasonable efforts to grant Data Subjects’ requests to access their Personal Data. In accordance with these procedures, Data Subjects may ask Kythera Labs whether it maintains Personal Data about them, and the contents, if any, of that data. If Kythera Labs denies access, Kythera Labs will provide the Data Subject the reasons for such denial and allow the Data Subject to challenge the denial.
Kythera Labs uses its best efforts to process accurate Personal Data. To this end, Data Subjects may make reasonable requests for the correction of any incorrect or misleading Personal Data about them. To the extent reasonably feasible, Kythera Labs will, as appropriate, correct or destroy Personal Data that is inaccurate, misleading, or out-of-date. If Kythera Labs does not make a requested correction, the request should be noted in the Data Subject’s file to the extent feasible and explained to the Data Subject.
Kythera Labs does not keep Personal Data longer than necessary for the purpose for which it was collected. Kythera Labs securely destroys Personal Data from its systems when it is no longer required to accomplish the purpose for which it was collected. Kythera Labs may, however, retain some Personal Data to comply with applicable laws, regulations, rules, and court orders.
If the Data Subject is a customer, upon termination or expiration of their agreement, Kythera Labs shall, in accordance with the terms of the Agreement, delete or make available to customer for retrieval all relevant Personal Data (including copies) in Kythera Labs' possession, save to the extent that Kythera Labs is required by any applicable law to retain some or all of the Personal Data. In such an event, Kythera Labs shall extend the protections of the agreement to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as Kythera Labs maintains the Personal Data.
Kythera Labs takes reasonable administrative, technical, and physical measures to safeguard against unauthorized processing or use of Personal Data, and against the accidental loss of, or damage to, Personal Data. These measures include:
Kythera Labs may share the Personal Data with Affiliates and third parties that provide services to our customers to the extent such third parties are contractually required to follow the procedures set forth herein, or substantially equivalent standards, and to protect Personal Data in accordance with all relevant laws, regulations and rules, and subject to any appropriate security measures and directions from Kythera Labs. Personal Data may not be sold, transferred, or disclosed to other third parties except as authorized in writing.
Kythera Labs employees and third-party contractors may not disclose information made available on Kythera Labs systems and networks, including to other Kythera Labs personnel, except as expressly authorized by the appropriate manager. The duty of nondisclosure and confidentiality extends to interactions with third parties, including other employees, customers, business partners, and vendors.
The suspected theft, loss, or unauthorized processing of data, including Personal Data, must be immediately addressed. Kythera Labs will take immediate steps to investigate the cause of the security breach and make every effort to contain the breach. Kythera Labs must follow the steps set forth in the Data Security Incident Response Plan when responding to security incidents.
Kythera Labs has designated an individual to handle complaints and disputes regarding the use of Personal Data. This person may be contacted by Data Subjects for complaints or disputes about how their Personal Data is handled. These complaints and disputes shall be addressed by Kythera Labs management. The Privacy Officer is the person authorized to handle complaints and disputes.
Kythera Labs employees who violate this Policy may be subject to disciplinary actions, up to and including termination of employment.
As is appropriate, Kythera Labs may modify its procedures for the handling of Personal Data, but material changes to the handling of Personal Data cannot be applied retroactively without the express consent of the Data Subject or customer unless consent was not necessary to collect and use the Personal Data.
To facilitate compliance with this Policy and to protect its workers, systems, information, and assets; Kythera Labs may review, audit, monitor, intercept, access, and disclose information processed or stored on Kythera Labs equipment and technology, or on personally owned devices accessing Kythera Labs networks.
If you have any questions about this guidance, or for additional information or training, please contact us at privacy@KytheraLabs.com.
Kythera Labs’ management may monitor, assess, and promote compliance with this Policy by
All Kythera Labs employees shall receive annual training on our privacy and security programs and procedures.
For questions related to the implementation of this Policy, contact Privacy@KytheraLabs.com.
Contact:
George Coleman
Legal Counsel George@KytheraLabs.com
Version 1.0 - April 2024
