Privacy Policy
Last updated on: March 29, 2024
Washington Residents: If you are a Washington resident and when you provide your Health Data to us, we collect, use, and disclose your Health Data in accordance with Arcus’s Washington Health Data Privacy Policy.
CALIFORNIA NOTICE AT COLLECTION
This Notice at Collection, applicable to California Residents, explains:
- The categories of Personal Data that we collect about residents of California;
- The purpose(s) for which the categories of Personal Data are collected and used;
- Whether each category of Personal Data is sold or shared; and
- The length of time we intend to retain each category of Personal Data.
You can review our complete Privacy Policy here.
|
Categories of Personal Data We Collect from California Residents |
Purpose(s) for Collection and Use |
|
Personal identifiers |
|
|
Financial information |
|
|
Medical information |
|
|
Internet and other electronic activity information |
|
|
Characteristics of protected classifications |
|
|
Professional or employment-related information, and educational information |
|
Categories of Personal Data We Sell or Share (for cross-context behavioral advertising)
Depending on the relationship we have with you, we may share the following categories of Personal Data for cross-context behavioral advertising:
- Personal identifiers
- Medical information
- Internet or other electronic activity information
- Professional or employment-related information
Right to Opt-out of the Sale/Sharing of Personal Data
You have the right to opt-out of the sale and sharing of your Personal Data. To opt-out of the sale or sharing of your Personal Data, please visit “DO NOT SELL/SHARE MY PERSONAL INFORMATION”, contact us at [email protected] or call us at 1-888-914-9661, PIN 149825. You may also find our Notice of Right to Opt-out of Sale/Sharing by visiting the “DO NOT SELL/SHARE MY PERSONAL INFORMATION” form.
You may also opt out by sending an opt-out preference signal, specifically the Global Privacy Control (GPC) signal which is a browser setting that notifies us that you are opting-out of the sale or sharing of your Personal Data. To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.
Retention of Personal Data
We only retain your Personal Data as long as is necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your Personal Data may need to be kept for longer periods of time.
ARCUS PRIVACY POLICY
We at Arcus Biosciences, Inc. (‘Arcus’; ‘we’; ‘our’) care about your privacy. This Privacy Policy describes how we process your Personal Data when you visit or interact with our websites, including https://arcusbio.com, http://trials.arcusbio.com, and http://investors.arcusbio.com (the ‘Site’), when we market Arcus and Arcus clinical trials, products, and services, when you provide services to us, when you apply for a job with us, when you visit our facilities, or when you connect to our wireless network (‘Wi-Fi’) while at our facilities. This Privacy Policy does not apply to Personal Data collected:
- by us (or our vendors), offline or through any other means, about patients, investigators, and study personnel participating in our clinical trials, in which case we will provide you with a separate privacy notice;
- about our employees, which is governed by a separate policy found in our Employee Handbook;
- by any third party, including through any application or content (including advertising) that may link to or be available from the Site.
Arcus acts as a controller under the General Data Protection Regulation (‘GDPR’), a business under the California Consumer Privacy Rights Act of 2018 as amended by the California Privacy Rights Act of 2020 (‘CCPA’), and other similar designations under other relevant data protection laws for the processing activities described in this Privacy Policy. ‘Personal Data’ as used in this Privacy Policy means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
PERSONAL DATA WE COLLECT AND PROCESS
We collect and process the categories of Personal Data identified below. For CCPA purposes, these are also the categories of Personal Data that we collected in the 12-month period prior to the date of this Privacy Policy.
- Personal identifiers such as your name, email address, phone number, postal address, social security number, driver’s license number, Internet Protocol (IP) address, national provider identification number, and mobile device identification numbers;
- Financial information such as your tax identification number and financial account information that may be collected when you work with us or provide services to us;
- Medical information/ Health data such as your health condition or status, disease, or diagnosis that may be collected when you request information about our clinical trials or when you request or provide information relating to our support or advocacy programs for patients;
- Internet or other electronic activity information such as your browser type, operating system, regional and language settings, hardware ID, geographic location, the websites you visited before and after visiting the Site, the pages you view and links you click on within the Site, information about your interactions with e-mail messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and Standard Server Log Information;
- Characteristics of protected classifications/ special category data may be collected when you apply for a job with us, such as race and/or ethnicity, gender, disability status, veteran status, marital status, and national origin;
- Professional or employment-related information and educational information may be collected such as your business contact details, employer, work history, academic background, details obtained from your personal websites or LinkedIn profiles, your CV, and other information you may voluntarily submit to us when filing your application for a job with us; data related to criminal convictions and offenses may be collected when you apply for a job with us to carry out background checks to which you consent;
- Any other information you voluntarily provide to us when you contact us for any reason.
SOURCES OF PERSONAL DATA
We collect Personal Data directly from you when you visit our Site, request information about our business or clinical trials, when you register to attend events with us, submit a job application or inquire about positions, visit our facilities, connect to our Wi-Fi, and when you otherwise voluntarily provide us with your Personal Data.
We may also collect your Personal Data from third parties with which we do business or that we engage such as service providers engaged to promote Arcus and our clinical trials or for online advertising and analytics services. We may also collect your Personal Data from public records databases.
As is now common with most websites, our Site uses cookies and may use other online tracking tools (e.g., web beacons) to automatically collect information about your IP address, your use of the Site, or other websites you may visit after ours. Cookies are small data files generated by a website and saved by your web browser. They are used to help users navigate websites efficiently as well as to provide information to the owner of the websites. To find out more about what cookies we use and how we use them, please consult our Cookies Policy here. Please note that if we cannot use certain types of cookies, the website may not function properly (please refer to our Cookie Policy and the meaning of “essential cookies”), or we may otherwise not be able to service you (e.g. provide you customer service).
If you have applied for a job with us, we may collect your Personal Data from your previous employer or references, from third party vendors (e.g. a background check vendor), and from publicly-available sources such as LinkedIn and social media profiles (but only to the extent they are publicly available). We will seek your consent before doing so where such is required by law.
HOW WE USE YOUR PERSONAL DATA: PURPOSES AND LEGAL BASES OF THE PROCESSING
We use and process your Personal Data for the purposes and legal bases set out below:
| Use/Purpose | Lawful Basis |
|
Communicating with you, providing you with information about our business and other information you have requested, considering you for participation in patient advocacy and support programs, and operating and improving our website |
Arcus has a legitimate interest to operate its website, manage its business, and communicate with you upon your request (Article 6(1)(f), GDPR) |
|
Provide you with access to our facilities and to our Wi-Fi |
Arcus has a legitimate interest to manage its business (Article 6(1)(f), GDPR)
We may also ask for your consent prior to granting you access to our facilities and our Wi-Fi |
| Contact you with respect to clinical trials offered by us which we believe may interest you (including direct marketing) | Arcus has a legitimate interest to operate its website and communicate with you upon your request (Article 6(1)(f), GDPR)
Depending on your location, we may also ask for your consent prior to sending you direct marketing |
| Marketing and advertising Arcus and our clinical trials, and any future marketing of products and services | Depending on your location, we may also ask for your consent prior to marketing and advertising our clinical trials, products, and services online |
| Carrying out audits and investigations, and to investigate and resolve complaints, grievances or misconduct | Arcus has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR)
Arcus has a legal obligation to do so (Article 6(1)(c), GDPR) |
| Preparing for and acting in relation to enquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation | Arcus has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR)
Arcus has a legal obligation to do so (Article 6(1)(c), GDPR) |
| In connection with a potential asset or stock acquisition of Arcus, or the outsourcing or insourcing of services provided by employees, providing reasonable diligence material to a third party or meeting any disclosure obligations as required by law | Arcus has a legitimate interest to manage its business (Article 6(1)(f), GDPR) |
If you are applying for a job with us we will process your Personal Data in order to make a decision about recruitment or appointment, including the right to work. For these purposes we may process your characteristics of protected classifications and special categories of Personal Data.
If you are in the European Economic Area (“EEA”) or the UK, you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfill this request in all instances.
DISCLOSURE OF PERSONAL DATA
The following chart describes the categories of Personal Data we disclose to third parties and which we will continue to disclose. For CCPA purposes this chart also describes the categories of Personal Data we disclosed to third parties for a business purpose in the 12 months prior to the date of this Privacy Policy.
| Categories of Consumers’ Personal Data | Categories of Third Parties With Which We Disclosed Personal Data (for a Business Purpose) |
| Personal identifiers |
Service providers (i.e., vendors) that we retain to undertake the following activities: manage the Personal Data, facilitate email communications, process job applications, provide our wireless network, support our clinical trials, manage patient advocacy and support programs, provide advertising and marketing assistance, provide security services and cloud-based data storage, host and manage our Site and assist with other IT-related functions, provide analytics information, provide legal, insurance, financial and accounting services, and host conferencing services. |
| Financial information |
Service providers (i.e., vendors) that we retain to undertake the following activities: manage the Personal Data, provide security services and cloud-based data storage, host and manage our Site and assist with other IT-related functions, and provide legal, insurance, financial and accounting services. |
| Medical information/ Health data such as health condition or status, disease, or diagnosis |
Service providers (i.e., vendors) that we retain to undertake the following activities: manage the Personal Data, facilitate email communications, support our clinical trials, manage patient advocacy and support programs, provide advertising and marketing assistance, provide security services and cloud-based data storage, host and manage our Site and assist with other IT-related functions, provide analytics information, and provide legal services. |
| Internet and other electronic activity information |
Service providers we retain to undertake the following activities: provide our wireless network, provide advertising and marketing assistance, provide security services and cloud-based data storage, host and manage our Site and assist with other IT-related functions, and provide analytics information. |
| Characteristics of protected classifications |
Service providers that we retain to undertake the following activities: manage the Personal Data, facilitate email communications, support our clinical trials, manage patient advocacy and support programs, process job applications, new hire onboarding, and provide legal services. |
| Professional or employment-related information, educational information, and data related to criminal convictions and offenses |
Service providers that we retain to undertake the following activities: provide recruiting services, process job applications, new hire onboarding, undertake background checks and other screening services for job applicants, provide security services and cloud-based data storage, host and manage our Site and assist with other IT-related functions, and provide analytics information. |
We also disclose your Personal Data as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We also disclose your Personal Data with third parties to help detect and protect against fraud or data security vulnerabilities. And we may transfer your Personal Data to a third party in the event of a sale, merger, reorganization of our entity or other restructuring.
SALE OR SHARING (FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING) OF PERSONAL DATA
In the last 12 months, depending on the relationship we have with you, we may have disclosed your Personal Data in ways that could be deemed a “sale” for purposes of the CCPA and we may have shared the following categories of Personal Data for cross-context behavioral advertising with the categories of third parties listed below:
|
Categories of Consumers’ Personal Data |
Categories of Third Parties To Whom the Personal Data was Sold or Shared |
Purpose for Selling or Sharing the Personal Data |
| Personal identifiers | Service providers that we retain to provide advertising and marketing assistance, such as advertising agencies and other third-party ad-tech providers. | To market and advertise Arcus and our clinical trials, as well as any future marketing of products and services |
| Medical information | Service providers that we retain to provide advertising and marketing assistance, such as advertising agencies and other third-party ad-tech providers. | To market and advertise Arcus and our clinical trials, as well as any future marketing of products and services |
| Internet and other electronic activity information | Service providers that we retain to provide advertising and marketing assistance, such as advertising agencies and other third-party ad-tech providers. | To market and advertise Arcus and our clinical trials, as well as any future marketing of products and services |
| Professional or employment-related information | Service providers that we retain to provide advertising and marketing assistance, such as advertising agencies and other third-party ad-tech providers. | To market and advertise Arcus and our clinical trials, as well as any future marketing of products and services |
We do not have actual knowledge that we sell or share the Personal Data of minors under 16 years of age.
For purposes of Nevada’s Consumer Health Data Privacy Law, we do not allow third parties to collect your Health data over time and across different internet websites or online services when you use our Site.
YOUR RIGHTS IF YOU ARE IN THE EEA/UK
If you are in the EEA/UK, you have a number of rights over the Personal Data which we process about you which may be subject to limitations and/or restrictions. These include the right to:
(a) request access to and rectification or erasure of your Personal Data;
(b) obtain restriction of processing or to object to the processing of your Personal Data; and
(c) ask for a copy of your Personal Data to be provided to you, or a third party, in a digital format.
To submit a request for any of the above, you may contact us at [email protected] or use this form. You also have the right to lodge a complaint about the processing of your Personal Data with the competent data protection authority.
YOUR RIGHTS IF YOU ARE A CALIFORNIA RESIDENT
If you are a California resident, you may have separate rights regarding your Personal Data, in accordance with California law.
California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020
The CCPA grants California residents certain rights with respect to their Personal Data, including, as described below, the right to know about, delete, and correct their Personal Data and the right to opt-out of the sale or sharing of your Personal Data. Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation. California residents should be aware of the following information about these rights:
Right to request disclosure of information we collect or share about you. You can submit a request to us for the following data regarding the Personal Data we have collected about you in the 12 months prior to our receipt of your request (a “request to know”):
- The categories of Personal Data we have collected.
- The categories of sources from which we collected the Personal Data.
- The business or commercial purposes for which we collected, sold, or shared the Personal Data.
- The categories of third parties with which we disclosed the Personal Data.
- The specific pieces of Personal Data we collected.
Right to request the deletion of Personal Data we have collected from you. Upon request, we will delete the Personal Data we have collected about you, except for situations where specific information is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law.
The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
Right to request the correction of inaccurate Personal Data we have collected from you. Upon request, we will correct, if appropriate, the Personal Data we have collected about you that you have identified as inaccurate.
How can you make a request to exercise your rights? To submit requests to know, delete, or correct, you may contact us at [email protected] or through our toll-free number, 1-888-914-9661, PIN 149825, or this form.
Right to opt-out of the sale or sharing of Personal Data. You have the right to opt-out of the sale and sharing of your Personal Data. To opt-out of the sale or sharing of your Personal Data, please visit “DO NOT SELL/SHARE MY PERSONAL INFORMATION,” contact us at [email protected], or call us at 1-888-914-9661, PIN 149825. You may also find our Notice of Right to Opt-out of Sale/Sharing by visiting the “DO NOT SELL/SHARE MY PERSONAL INFORMATION” form.
You may also opt out by sending an opt-out preference signal, specifically the Global Privacy Control (GPC) signal which is a browser setting that notifies us that you are opting-out of the sale or sharing of your Personal Data. To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.
How we will handle a request to exercise your rights. For requests to know, delete, or correct inaccurate Personal Data, we will first acknowledge receipt of the request within 10 business days of receipt of your request. We will provide a substantive response to your request within 45 days from receipt of your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we’ll let you know.
When you make a request to know, delete, or correct your Personal Data, we will take steps to verify your identity. These steps may include asking you for Personal Data, such as your name, address, or other information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.
You are also entitled to submit a request for Personal Data that could be associated with a household as defined in the CCPA. To submit a request to know, delete, or correct household Personal Data, such requests must be jointly made by each member of the household, and we will individually verify all of the members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.
You may also designate an authorized agent to submit requests on your behalf. If you do so, you will be required to verify your identity by providing us with certain Personal Data as described above. Additionally, we will also require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request. We will deny the request if the agent is unable to submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met.
We are committed to honoring your rights. If you exercise any of the CCPA rights explained in this Privacy Policy, we will continue to treat you fairly.
Shine the Light Law
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business’ practices related to disclosing certain types of Personal Data to third parties for the third parties’ direct marketing purposes. We do not disclose Personal Data to such entities, for such purposes.
YOUR RIGHTS IF YOU ARE A NEVADA RESIDENT
If you are a Nevada resident, you may have separate rights regarding your Personal Data in accordance with Senate Bill 370, Nevada’s Consumer Health Data Privacy Law. Where exceptions to the Nevada Consumer Health Data Privacy Law apply to a request you submit, we will provide you with an explanation.
Nevada’s Consumer Health Data Privacy Law provides Nevada residents with the following rights:
- obtain confirmation on whether we collect, share, or sell your Personal Data;
- request that we provide you with a list of third parties with whom we have shared or sold your Personal Data;
- request access to and changes to your Personal Data;
- request that we stop collecting, sharing, or selling your Personal Data; and
- request deletion of your Personal Data.
To submit a request for any of the above, you may contact us at [email protected] or through this form.
Right to op-out of sale of Personal Data. Nevada residents have the right to opt-out of the sale of Personal Data in accordance with Nevada law. We do not sell Personal Data within the meaning of Nevada law.
DO NOT TRACK
“Do Not Track” is a privacy preference that users can set in certain web browsers. We do not respond to browser do not track signals at this time.
For California residents, we do recognize Global Privacy Control signals which is a browser setting that notifies us that you are opting-out of the sale or sharing of your Personal Data.
INTERNATIONAL DATA TRANSFERS
The Personal Data that has been collected from you will be processed in the United States, where we are located. Your Personal Data may also be transferred to service providers some of which may be located in countries outside the EEA and/or UK and which are not considered to provide an adequate level of data protection.
Your Personal Data will only be transferred from the EEA/UK to a recipient in a country which is not considered to provide an adequate level of data protection when the transfer is in compliance with applicable data protection law requirements including the GDPR.
HOW LONG WE RETAIN PERSONAL DATA
We only retain your Personal Data as long as is necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your Personal Data may need to be kept for longer periods of time.
HOW WE PROTECT YOUR PERSONAL DATA
We are committed to protecting the security and privacy of your Personal Data. We maintain reasonable security measures to protect the security, confidentiality, and integrity of Personal Data. While we are committed to safeguarding your Personal Data through our information security program, even the most stringent security program may not be able to prevent all security breaches.
OTHER WEBSITES
Our Site provides links to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.
PERSONAL DATA OF MINORS
Our products and services are not directed to minors under the age of 13. We do not knowingly collect, sell, or share the Personal Data of minors under 16.
CHANGES TO THIS POLICY
We will review and update this Privacy Policy as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the website or update the “last updated” date of the Privacy Policy. In certain cases and if the changes are material, you will be notified via email or a notice on our website.
ACCESSIBILITY
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at [email protected].
HOW TO CONTACT US
If you wish to contact us about this Privacy Policy:
- You may contact us by writing to 3928 Point Eden Way, Hayward, CA 94545, USA or by emailing us at [email protected].
- For privacy related inquiries, you can also contact our Data Protection Officer at [email protected]. You can also contact our EU Data Protection Representative at Arcus Biosciences Europe Limited, 88 Harcourt Street, Dublin 2, D02 DX18, Ireland, Telephone: 353 1 6915848 or our UK Data Protection Representative at 37 Albert Embankment, London SE1 7TL, United Kingdom, https://verasafe.com/public-resources/contact-data-protection-representative
