Privacy Policy

Last Updated: September 2021

ABOUT THIS PRIVACY POLICY

We at Arcus Biosciences, Inc. (‘Arcus’; ‘we’; ‘us’) care about your privacy. This Privacy Policy describes how we process your Personal Data when you visit our website https://arcusbio.com (the ‘Site’) or when you apply for a job with us. This Privacy Policy does not apply to Personal Data collected:

Arcus acts as controller under the General Data Protection Regulation (‘GDPR’) for the processing activities described in this Privacy Policy. ‘Personal Data’ as used in this Privacy Policy means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.

PERSONAL DATA WE COLLECT AND PROCESS

We collect and process the categories of Personal Data identified below. For CCPA purposes, these are also the categories of Personal Data that we collected in the 12-month period prior to the date of this Privacy Policy.

SOURCES OF PERSONAL DATA

We collect Personal Data directly from you when you visit our Site, request information about our business or clinical trials, when you register to attend events with us, submit a job application or inquire about positions, and when you otherwise voluntarily provide us with your Personal Data.

As is now common with most websites, our Site uses cookies and may use other online tracking tools (e.g., web beacons) to automatically collect information about your IP address, your use of the Site, or other websites you may visit after ours. Cookies are small data files generated by a website and saved by your web browser. They are used to help users navigate websites efficiently as well as to provide information to the owner of the websites. To find out more about what cookies we use and how we use them, please consult our Cookie Policy. Please note that if we cannot use certain types of cookies, the website may not function properly (please refer to our Cookie Policy and the meaning of “essential cookies”), or we may otherwise not be able to service you (e.g. provide you customer service).

If you have applied for a job with us, we may collect your Personal Data from your previous employer or references, from third party vendors (e.g. a background check vendor), and from publicly-available sources such as LinkedIn and social media profiles (but only to the extent they are publicly available). We will seek your consent before doing so where such is required by law.

HOW WE USE YOUR PERSONAL DATA: PURPOSES AND LEGAL BASES OF THE PROCESSING

We use and process your Personal Data for the purposes and legal bases set out below:

| Use/Purpose | Lawful Basis |
| --- | --- |
| Communicating with you, providing you with information about our business, customer service, operating and improving our website | Arcus has a legitimate interest to operate its website and communicate with you upon your request (Article 6(1)(f), GDPR) |
| Contact you with respect to products and/or services offered by us which we believe may interest you (including direct marketing) | Arcus has a legitimate interest to operate its website and communicate with you upon your request (Article 6(1)(f), GDPR). Depending on your location, we may also ask for your consent prior to sending you direct marketing |
| Carrying out audits and investigations, and to investigate and resolve complaints, grievances or misconduct | Arcus has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR). Arcus has a legal obligation to do so (Article 6(1)(c), GDPR) |
| Preparing for and acting in relation to enquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation | Arcus has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR). Arcus has a legal obligation to do so (Article 6(1)(c), GDPR) |
| In connection with a potential asset or stock acquisition of Arcus, or the outsourcing or insourcing of services provided by employees, providing reasonable diligence material to a third party or meeting any disclosure obligations as required by law | Arcus has a legitimate interest to manage its business (Article 6(1)(f), GDPR) |

If you are applying for a job with us we will process your Personal Data in order to make a decision about recruitment or appointment, including the right to work. For these purposes we may process your Special Categories of Personal Data.

If you are in the European Economic Area (“EEA”) or the UK, you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.

SHARING OF PERSONAL DATA

The following chart describes the categories of Personal Data we disclose to third parties and which we will continue to disclose. For CCPA purposes this chart also describes the categories of Personal Data we disclosed to third parties for a business purpose in the 12 months prior to the date of this Privacy Policy.

| Categories of Consumers’ Personal Data | Categories of Third Parties With Which We Shared Personal Data (for a Business Purpose) |
| --- | --- |
| Personal identifiers: name, email address, telephone numbers, IP address or other unique identifier | Service providers (i.e., vendors) that we retain to undertake the following activities: manage customer information, facilitate email communications, process job applications, provide security services and cloud-based data storage, host our Sites and assist with other IT-related functions, provide analytics information, provide legal, insurance, financial and accounting services, and host conferencing services. |
| Internet and other electronic activity | Service providers we retain to undertake the following activities: conduct analytics regarding website use to detect any problems with the website and provide information about how the website is used, and provide advertising and marketing assistance. |
| Professional and educational information | Service providers that undertake background checks and other screening services for job applicants. |

We also share your Personal Data as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We also share your Personal Data with third parties to help detect and protect against fraud or data security vulnerabilities.  And we may transfer your Personal Data to a third party in the event of a sale, merger, reorganization of our entity or other restructuring.

In the 12 months prior to the date of this Privacy Policy, we have not sold, and we do not sell, your Personal Data.

YOUR RIGHTS IF YOU ARE IN THE EEA/UK

If you are in the EEA/UK, you have a number of rights over the Personal Data which we process about you which may be subject to limitations and/or restrictions. These include the right to:

To submit a request for any of the above, you may contact us at [email protected] or use this form. You also have the right to lodge a complaint about the processing of your Personal Data with the competent data protection authority.

ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS

If you are a California resident, you may have separate rights regarding your Personal Data, in accordance with California law.

California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 (the “CCPA”) grants California residents certain rights with respect to their Personal Data, including, as described below, the right to know about, and delete, their Personal Data.  These rights are subject to certain limitations, however, such as that they do not all apply to certain uses of Personal Data about employees, job applicants, and contractors, or information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation.  California residents should be aware of the following information about these rights:

Right to request disclosure of information we collect or share about you.  You can submit a request to us for the following data regarding the Personal Data we have collected about you in the 12 months prior to our receipt of your request (a “request to know”):

Right to request the deletion of Personal Data we have collected from you.  Upon request, we will delete the Personal Data we have collected about you, except for situations where specific information is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law.

The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.

How can you make a request to exercise your rights?  To submit requests to know or delete, you may contact us at [email protected] or through our toll-free number, 1-888-914-9661, PIN 149825, or this form.

How we will handle a request to exercise your rights. For requests to know or delete, we will first acknowledge receipt of the request within 10 business days of receipt of your request.  We will provide a substantive response to your request within 45 days from receipt of your request, although we may be allowed to take longer to process your request under certain circumstances.  If we expect your request is going to take us longer than normal to fulfill, we’ll let you know.

When you make a request to know or delete your Personal Data, we will take steps to verify your identity.  These steps may include asking you for Personal Data, such as your name, address, or other information we maintain about you.  If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request.  We will notify you to explain the basis of the denial.

You are also entitled to submit a request for Personal Data that could be associated with a household as defined in the CCPA.  To submit a request to know or delete household Personal Data, such requests must be jointly made by each member of the household, and we will individually verify all of the members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household.  If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request.  We will notify you to explain the basis of our denial.

You may also designate an authorized agent to submit requests on your behalf.  If you do so, you will be required to verify your identity by providing us with certain Personal Data as described above.  Additionally, we will also require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request.  We will deny the request if the agent is unable to submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met.

We are committed to honoring your rights.  If you exercise any of the CCPA rights explained in this Privacy Policy, we will continue to treat you fairly.

Shine the Light Law

California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business’ practices related to disclosing certain types of Personal Data to third parties for the third parties’ direct marketing purposes.  We do not disclose Personal Data to such entities, for such purposes.

DISCLOSURE FOR NEVADA RESIDENTS

Beginning October 1, 2021, Nevada residents will have the right to opt-out of the sale of Personal Data in accordance with Nevada law.  We do not sell Personal Data within the meaning of Nevada law.

INTERNATIONAL DATA TRANSFERS

The Personal Data that has been collected from you will be processed in the United States, where we are located. Your Personal Data may also be transferred to service providers some of which may be located in countries outside the EEA and/or UK and which are not considered to provide an adequate level of data protection.

Your Personal Data will only be transferred from the EEA/UK to a recipient in a country which is not considered to provide an adequate level of data protection when the transfer is in compliance with applicable data protection law requirements including the GDPR.

HOW LONG WE RETAIN PERSONAL DATA

We only retain your Personal Data as long as is necessary to fulfil the purposes for which we collected it. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your Personal Data may need to be kept for longer periods of time.

HOW WE PROTECT YOUR PERSONAL DATA

We are committed to protecting the security and privacy of your Personal Data. We maintain reasonable security measures to protect the security, confidentiality, and integrity of Personal Data.  While we are committed to safeguarding your Personal Data through our information security program, even the most stringent security program may not be able to prevent all security breaches.

OTHER WEBSITES

Our Site provides links to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.

DO NOT TRACK

We may collect Personal Data about your online activities over time and across different websites when you visit our Site; however, we do we allow third parties to do so.  “Do Not Track” is a privacy preference that users can set in certain web browsers.  We do not respond to browser do not track signals at this time.

PERSONAL DATA OF MINORS

Our products and services are not directed to minors under the age of 13.  We do not knowingly collect or sell the Personal Data of minors under 16.

CHANGES TO THIS POLICY

We will review and update this Privacy Policy as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the website or update the “last updated” date of the Privacy Policy. In certain cases and if the changes are material, you will be notified via email or a notice on our website.

ACCESSIBILITY

We are committed to ensuring that our communications are accessible to people with disabilities.  To make accessibility-related requests or report barriers, please contact us at [email protected]

HOW TO CONTACT US

If you wish to contact us about this Privacy Policy: