Data Privacy Policy

Last Updated: February 18, 2025

PURPOSE

Astria Therapeutics Inc (“Company”, “us” or “we”) processes Personal Data (also referred to as “Personal Information”) relating to you and other individuals (“Data Subjects”) in different ways and for different purposes as defined below. In this privacy policy (Policy), you will find information on how we Process Personal Data and the handling of Personal Data, such as the collection, use, and disclosure of Personal Data.

In the course of the Company’s business, the Company collects and analyzes Personal Data of various individuals, including patients, vendors, and healthcare professionals. This Privacy Policy explains our Processing of Personal Data received by us through:

• visits to our websites at Astriatx.com and Astriatrials.com
• contacts under a contract,
• contacts via email, letter, a contact form, etc.,
• participation in our research and development programs, and
• other business.

The purpose of this Policy is to ensure that the Company complies with all applicable standards and requirements set out in applicable laws and regulations, in particular, but not limited to GDPR.

This Policy shall apply, unless more stringent requirements are set forth in specific jurisdictions, in which case, the local requirements shall prevail.

This Policy is not part of a contract. Company may amend this Policy at any time. The version published on this website is the current version.

SCOPE

This Policy applies to all Astria entities and Astria personnel, including consultants and contractors working on behalf of the company, on a permanent or temporary basis when Processing Personal Data. This Policy also applies to the Processing of Personal Data carried out by Astria partners and third-party service providers, acting for and on behalf of Astria as Processors.

For data Processing under this Privacy Policy, the Company (with more specific details below) is primarily responsible for compliance with the Policy under data protection law and is referred to as Controller under certain legislation:

Astria Therapeutics, Inc.
22 Boston Wharf Road, 10^th Floor
Boston, Massachusetts 02210
United States
Email: Privacy@astriatx.com

General

This Privacy Policy applies to all Personal Data collected, Processed, shared, or used by Company in the context of its various activities as it becomes known to us and to account for any changes over time.

A. PROCESSING PERSONAL DATA

Company may collect and Process Personal Data only when:

• There is a legitimate, specified, and explicit business purpose for collecting Personal Data that is acceptable under the local law where the information is collected;
• The Personal Data is collected, Processed, and deleted appropriately, consistent with applicable legal requirements; and
• It is not further Processed in a manner that is incompatible with the original business purpose.

We Process Personal Data for various purposes, including:

• Identifying potential investigators for our clinical trials
• Clinical or medical research
• Improvement of our services and for the development of services
• Communication purposes
• Ensuring business operations and other security purposes
• Compliance, investigations, and legal proceedings

If possible and if legally required, we will notify Data Subjects separately about any additional purposes for Processing their Personal Data.

B. TYPES OF PERSONAL DATA

• Master data and contact information: Data that we may need to Process for our business relationships which relates directly to individual characteristics (e.g., first and last name, home address, phone number, email address, username, language skills, nationality, ethnic origin, gender, relations to the company for which you are employed, government identification (e.g., driver’s license or passport), photo or image, login credentials, answers to security questions, medical license number, banking or credit card details)
• Contract data: Information related to the creation or the handling of a contract (e.g., contract details, services provided, and information gathered in the preparation of the contract).
• Health Data: Health information received directly or indirectly from a third party (e.g., information regarding patients’ health status, medications, medical history, and other healthcare-related information).
• Communication data: Data in connection with our communications with Data Subjects (e.g., from emails, written correspondence, telephone conversations etc).
• Technical data: Data generated in connection with the use of our websites (e.g., the IP address of the device and device ID; date and time of access to the websites and your approximate location, etc).
• Applications, professional career, education, and training: Information of job applicants, employees, ex-employees, and healthcare professionals (e.g., work history, qualifications, education, and other data).
• Other data: We may also Process Personal Data that we cannot list exhaustively here.

C. COLLECTION & PROCESSING OF PERSONAL DATA

Where mandated by law, or as determined by Company, Company will obtain consent to collect, use, and disclose Personal Data consistent with the relevant privacy notice and this Policy. Specific requirements may vary by jurisdiction and must always be followed.

As required under applicable law, Company shall:

• Collect and use Personal Data only in instances where it has legal justification to do so (e.g., informed consent for clinical research);
• Notify Data Subjects as to how their Personal Data will be used before collection of such information;
• Collect only that Personal Data that is required for the specified business purpose(s);
• Use Personal Data only for the specific business purpose(s) described in the applicable consent form or privacy statement or for purposes that would be reasonably anticipated by the Data Subject;
• Use Personal Data in ways that do not adversely impact Data Subjects unless such use is justified by law; and
• Anonymize or pseudonymize Personal Data where possible or appropriate.

Company understands that responsible handling of Personal Data is necessary to protect privacy rights and comply with data privacy laws and regulations. 

Company’s websites may contain links to other websites not operated or controlled by Company (Thid Pary Websites). The information that a Data Subject shares with Third Party Websites will be governed by the specific privacy policies and terms of service of the Third-Party Websites and not by this Policy. Company does not imply that we endorse or have reviewed these Third-Party Websites. Data Subjects are encouraged to read the privacy policies of such Third-Party Websites before disclosing personal data on Third Party Websites.

Company may collect Personal Data from the following sources:

• From individuals through various channels, including Company’s websites, in surveys, during business or marketing events, when delivering programs and services, or when receiving services.
• Company may provide opportunities to sign up to receive specific information or services and may ask for contact information.
• Company may indirectly collect information about patients’ health conditions, diagnoses, and treatments from healthcare professionals, but only where the healthcare professional has obtained consent to disclose that information to Company, as required by law.
• Company may also collect information about individuals from third-party public sources to supplement information received from the individuals.
• Company may, to the extent permitted by law, collect various information from healthcare providers as part of marketing or educational activities to healthcare professionals (i.e., first name, last name, age, gender, address, phone number, medical specialization, professional qualifications, license number, and scientific society membership number).
• When navigating Company’s websites, certain passive information may also be collected.
• Company may collect Personal Data to enable individuals to use online social media resources offered either by the Company or a third party.

When using an online social media resource offered by a third-party through Company websites, the user acknowledges that Company may be able to access any information, including Personal Data, made public through such third-party (e.g., username, comments, posts, and contacts) and other relevant information as per the privacy settings on such third-party social media portals in accordance with all applicable notices. Company will comply with the terms of this Privacy Policy and the privacy policies applicable to the social media resources it uses.

We use third-party services for our websites to assess and improve the user experience of our websites and online advertising campaigns. To do this, we may embed third-party services on our websites, which themselves may use cookies. To read more about cookies and principles for internet users please click on the following link: Cookies Notice.

No part of the Company’s online presence is directed to children. The services made available through Company’s websites are not directed to, and we do not intend to, or knowingly, collect or solicit personal data from children or minors under the age of 18. If you are under the age of 18, do not provide us with any Personal Data by any means. If a child under the age of 18 has provided Personal Data to us, we encourage the child’s parent or guardian to contact us as provided below to request that we remove the Personal Data from our systems.

We may rely on the following legal bases for Processing Personal Data:

• consent.
• for the performance of a contract or pre-contractual measures.
• for the assertion or defense of legal claims or civil proceedings.
• compliance with domestic or foreign legal provisions.
• there is a legitimate interest in the data Processing.

D. TRANSFERS OF PERSONAL DATA

It is important to note that your Personal Data may be transferred to jurisdictions outside of your state, province, country, or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction. By using the websites, you agree to the transfer of information to jurisdictions outside of your jurisdiction of residence.

E. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

As required by applicable laws, Company will conduct data protection impact assessments (DPIA).  A DPIA is a documented process that helps organizations identify and minimize risks related to the collection and Processing of Personal Data. Criteria for evaluating when a DPIA is required include the nature, scope, context, and purposes of the Processing, and whether the Processing is likely to result in a high risk to the rights and freedoms of individuals.

F. DATA DISCLOSURES

Where allowed by applicable laws and in accordance with this Policy, we may share the Personal Data of Data Subjects with third parties in the following ways:

• Service providers: Third party service providers who perform services on our behalf may have access to Personal Data while providing services to us (e.g., IT services and support providers). We require these service providers by contract to keep Personal Data confidential, and to only use Personal Data on our behalf and in accordance with this Policy.
• Legal proceedings, governmental authorities, and official agencies: We may disclose Personal Data to legal or government regulatory authorities in response to their requests for such information or to assist in investigations. We may also disclose Personal Data to third parties in connection with claims, disputes, or litigation, when otherwise required by law, if we determine its disclosure is necessary to protect the health and safety of you, us, or others or to enforce our legal rights or contractual commitments that you have made.
• Business Transfers or Acquisitions: If we are involved in a merger, acquisition, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, Personal Data may be transferred (under a confidentiality agreement) to a successor or affiliate as part of that transaction along with other assets, or to acquirers, assignees or new service providers, and their respective professional advisers in connection with a sale, assignment, or other transfer.

Personal Data may be shared with other Company affiliates, government agencies, service providers and third parties on a “need to know” basis for legitimate business reasons or as otherwise allowed or required by law.

G. DATA RETENTION

Personal Data will be retained by us for the intended purposes in accordance with applicable data protection laws and Company policies. Once Personal Data is no longer needed, and subject to any obligations we may have under applicable data retention laws or regulations, it will be deleted without undue delay or anonymized in accordance with our policies.

DATA SECURITY AND PROTECTION

We take appropriate technical (e.g., access regulations and restrictions) and organizational measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alterations, and destruction, and continually adapt these to technological measures, taking into consideration the risks involved in the Processing and the nature of the Personal Data.

DATA SUBJECT RIGHTS

Data Subjects have certain rights with respect to Personal Data Processed by us. These rights include:

• The right to opt-out. Data Subjects have the right to request us to stop sending direct marketing and other communications.
• The right of access. Data Subjects have the right to request us to provide access to their Personal Data.
• The right to rectification. Data Subjects have the right to request that we update or correct inaccuracies in their Personal Data. Data Subjects also have the right to request us to complete information that they believe is incomplete.
• The right to erasure. Data Subjects have the right to request that we delete their Personal Data, under certain conditions.
• The right to restrict Processing. Data Subjects have the right to request that we restrict the Processing of their Personal Data, under certain conditions.
• The right to object to Processing. Data Subjects have the right to object to our Processing of their Personal Data, under certain conditions.
• The right to data portability. Data Subjects have the right to request that we transfer a machine-readable copy of their Personal Data to them or a third party of their choice, under certain conditions

Some of these rights may not apply in individual cases, and we may be entitled or obligated to restrict or postpone the fulfilment of a right. We will inform Data Subjects accordingly in such a case.

CONTACT AND REPORTING

All communications, queries, requests to exercise Data Subjects’ rights (e.g., access to data), or complaints should be addressed to Privacy@Astriatx.com.

Data Subjects also have the right to lodge a complaint with the relevant supervisory authority at any time if they do not agree with our Processing of their Personal Data.

In order for Company to be able to prevent misuse, Company needs to identify the requestor.

 

DEFINITIONS

Applicable Data Protection Laws	The relevant laws for data protection and data privacy in the different countries where Astria is active, as amended from time to time, including, without limitation, the relevant federal and State laws in the United States and the General Data Protection Regulation in the European Economic Area.
California Consumer Privacy Act (CCPA)	Is a law that protects the privacy of California residents. The CCPA gives consumers rights over their personal data, including the right to know what information is collected and how it’s used.
Data Controller (Controller)	A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of personal data.
Data Processor (Processor)	A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller (e.g., CROs, investigators, other service providers, hospital, analytics, laboratories, etc.).
Data Protection Impact Assessment (DPIA)	Assessment of the impact of data Processing operations identifying and minimizing risks regarding the rights and the freedoms of Data Subjects.
Data Protection Officer (DPO)	A person with expert knowledge of relevant Data Protection laws and practices advising and assisting the Data Controller or Data Processor in EEA and monitoring internal compliance with said legislation.
Data Protection Representative (DPR)	The Data Protection Representative in the EE, Switzerland and the UK explicitly designated by a written mandate of Astria to act on its behalf regarding its obligations under the applicable Data Protection laws.
Data Subject	An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identify of that natural person.
Data Transfer	Any transfer (including remote access) of Personal Data which are being processed or is intended for Processing after transfer to a third country or an international organization located outside of the relevant country and/or region.
General Data Protection Regulation (“GDPR”)	Regulation (EU) n°2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data, and repealing Directive 95/46/EC.
Health Insurance Portability and Accountability Act (HIPAA)	A federal law that establishes national standards for protecting sensitive patient health information.
Personal Data	Any information relating to an identified or identifiable natural person (Data Subject).
Personal Data Breach	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Privacy Notice	A document that sets out all the information regarding the Processing of Personal Data in order to make the Processing of Personal Data transparent for the Data Subject.
Processing of Personal Data (Processing)	Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Sensitive Personal Data	Sensitive Personal Data (or special categories of Personal Data) are Personal Data that require a higher level of protection under applicable Data Protection laws.  i.e., Personal Data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; and the Processing of genetic or biometric data to identify a natural person uniquely, data concerning health; or data concerning a natural person’s sex life and sexual orientation; and data relating to criminal convictions and offenses.

Annex I Data Subject Rights for the residents in the European Economic Area, the United Kingdom and Switzerland

If a Data Subject is located in the European Economic Area (“EEA”), Switzerland (“CH”), or the United Kingdom (“UK”), their Personal Data may be protected by data protection laws in the EEA, CH, or UK, such as the European Union General Data Protection Regulation (GDPR). Company will comply with these data protection laws when it uses and shares a Data Subject’s Personal Data as described in this Privacy Policy.

When using or sharing Personal Data as described in this Privacy Policy (including transfers out of the EEA, CH, and UK described below), Company relies on the following lawful bases, as appropriate:

• Company’s legitimate interests,
• Performance of an employment contract or other contract with a Data Subject;
• Compliance with Company’s legal obligations;
• A Data Subject’s consent, when applicable.

Company is headquartered in the United States, and as a result, Personal Data will be processed by Company in many jurisdictions including the United States. Company may contract with service providers to process a Data Subject’s Personal Data on Company’s behalf; these service providers may be located outside of the EEA, CH, and UK. Data protection laws in the United States or other countries may not offer a Data Subject the same protections as the laws of the country in which the Data Subject resides. By using this Site and by submitting Personal Data to Company, you, the Data Subject, understands your Personal Data could be transferred to other countries. Company commits to ensure the protection of Personal Data during such transfers in accordance with applicable laws and this Privacy Policy.

By submitting an employment application to Company through a third-party employment website (like LinkedIn), you, the Data Subject, are consenting to Company’s processing of your Personal Data (including special categories of data) in connection with Company’s consideration of your application and for Company’s compliance with applicable laws.

In addition to the Data Subject’s rights listed in this Policy, Data protection laws in the EEA, CH, and UK may also provide a Data Subject with the following additional rights:

• The right to withdraw consent at any time, if the Company is Processing Personal Data on the basis of consent
• To access the Personal Data of a Data Subject that Company has collected
• To request that Company rectify or erase a Data Subject’s Personal Data
• To request that Company restrict the way it uses or shares a Data Subject’s Personal Data
• To object to the way Company uses or shares their Personal Data
• To ask Company to transfer their Personal Data to someone else
• To lodge a complaint with a data protection authority in the EEA, CH, or UK

Company’s ability or obligation to comply with a Data Subject’s request may be limited by applicable law.

To request to exercise one of these rights, please contact us at Privacy@astriaTx.com

Astria’s legal representative in the EU is:

MyData-TRUST France 
140b Rue de Rennes – 75006 Paris (FRANCE)  
Contact: Gautier Sobczak 
+33 9 70 70 20 09 
Mail: astria.dpr.eu@mydata-trust.info  

Annex II Data Subject Rights for California Residents

The California Consumer Privacy Act, as amended by the California Privacy Rights Acts (CCPA) grants certain rights to California residents. For this section, Personal Data has the meaning given to it under the CCPA. To the extent the CCPA applies to Company’s processing of a Data Subject’s Personal Data, they would be entitled to the following rights:

1. Right to Know
Data Subjects have the right to request that Company discloses certain information to them about Company’s collection of their Personal Data. Upon Company’s receipt of a verified request from a Data Subject, Company will provide them with:

• The categories of Personal Information Company has collected about them
• The categories of sources from which Company has collected their Personal Data
• Company’s business or commercial purpose(s) for collecting their Personal Data
• The categories of third parties with whom Company has shared their Personal Data
• The specific pieces of Personal Data Company has collected about a Data Subject

A Data Subject has the right to request that Company discloses certain information to the Data Subject about Company’s disclosures and sales of a Data Subjects Personal Data; however, Company does not sell Personal Data. Upon our receipt of a verified request from a Data Subject, Company will provide them with:

• The categories of Personal Data Company has collected about them; and
• The categories of Personal Data that Company disclosed about a Data Subject for a business purpose.

2. Right to Opt-Out of Targeted Advertising or Sale
Data Subjects have the right to opt-out of the sale of their Personal Data, however, Company does not sell Personal Data.

3. Right to Delete
Data Subjects have the right at any time to request that Company deletes their Personal Data.

4. Right to Correct
Data Subjects can ask Company to correct inaccurate Personal Information that Company has about them.

5. Right to Nondiscrimination
Company will not discriminate against a Data Subject for exercising their rights. This generally means Company will not deny a Data Subject any goods or services, charge different prices or rates, provide a different level of service or quality of goods, or suggest that a Data Subject might receive a different price or level of quality for goods.

If you are a California resident and want to submit a request exercising your rights, please contact us at Privacy@AstriaTx.com or by mail at the address listed below. You must provide us with sufficient information that allows us to reasonably verify who you are and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are unable to verify your identity with the information provided, we may ask you for additional pieces of information. We may also require the Individual do either of the following: (1) verify their own identity directly with the business. (2) directly confirm us that they provided the authorized agent permission to submit the request. If you are an authorized agent making a request on behalf of another individual, you must provide us with signed documentation that you are authorized to act on behalf of that individual.

Please note that we are not obligated to respond to more than two Right to Know/Access requests for the same individual’s Personal Data within a 12-month period.

California law also permits California residents to request certain information about our disclosure of Personal Data to third parties for their own direct marketing purposes during the preceding calendar year. As discussed elsewhere in this Notice, we do not currently share the Personal Data of California residents with third parties for their own direct marketing purposes. However, if you have further questions about our privacy practices and compliance with California law, please contact us as explained below.