Abivax SA Privacy Policy

Effective as of 20 December 2024.

This Privacy Policy describes how Abivax SA (“Abivax,” “we,” “us,” or “our”) processes personal data that we collect through our website (www.abivax.com) which links to this Privacy Policy, as well as through social media, our marketing activities and other activities described in this Privacy Policy (collectively, the “Service”).

Abivax may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal data. In particular, please note that this Privacy Policy does not apply to personal data of clinical trial participants and clinical site staff (including investigators) that we handle in connection with clinical trials and translation studies associated with where relevant. Our privacy practices in connection with clinical trials are governed by applicable clinical trial protocols and additional privacy notices that may be specific for each clinical trial. In some circumstances, we will provide additional privacy notices to you in connection with your participation in our programs, events, or other engagements with Abivax. Such in-time notices will govern our privacy practices in connection with those specific clinical trial and translational studies engagements to the extent there is any conflict between this Privacy Policy and the in-time notice.

TABLE OF CONTENTS

  1. GENERAL

  2. HOW DO WE PROCESS YOUR PERSONAL DATA?

  3. HOW DO WE USE YOUR PERSONAL DATA?

  4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL DATA?

  5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

  6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

  7. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

  8. IS YOUR PERSONAL DATA TRANSFERRED INTERNATIONALLY?

  9. DO WE COLLECT PERSONAL DATA FROM CHILDREN?

  10. IN SUMMARY

  11. WHAT ARE YOUR PRIVACY RIGHTS?

  12. CONTROLS FOR DO-NOT-TRACK FEATURES

  13. OTHER SITES AND SERVICES

  14. SECURITY

  15. DO WE MAKE UPDATES TO THIS PRIVACY POLICY?

  16. HOW CAN YOU CONTACT US ABOUT THIS PRIVACY POLICY?

  17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. GENERAL

Controller: Abivax is the Data Controller in respect of the processing of your personal data covered by this Privacy Policy. See the ‘How to contact us’ section below for our contact details.

Our Data Protection Officer: We have appointed a “Data Protection Officer,” this is a person who is responsible for independently overseeing and advising us in relation to our compliance with the GDPR in accordance with Article 39 (including compliance with the practices described in this Privacy Policy). If you want to contact our Data Protection Officer directly, you can email: [email protected].

2. HOW DO WE PROCESS YOUR PERSONAL DATA?

Data you provide to us or that we may generate about you. Personal data you may provide to us through the Service or otherwise or that we may generate about you includes:

  • Contact data, such as your first and last name, salutation, email address, postal address, and phone number.

  • Communications data, based on our exchanges with you, including and not limited to newsletters, communication on social media (E.g.LinkedIn, etc.), conferences/webinars, when you contact us through the Service, for example data you provide to send us a request for information.

  • Human Resources data, National Personal Identifier (E.g. National Security Card, passport,) Social Security number, date of birth, gender, bank account details…..and all mandatory details required by Laws (E.g. to address Human Resources management process such as pay slips, insurance aspects or communication with mandatory local administrations)

  • Job application data, professional credentials, educational and professional history, institutional affiliations, background checks, and information of the type included on a resume or curriculum vitae (such as work experience, education, salary and languages spoken).

  • Other data, not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Third-party sources. We may combine personal data we receive from you with personal data we obtain from other sources, such as:

  • Private sources, such as data providers and social media platforms.

  • Marketing partners, such as joint marketing partners and event co-sponsors.

  • Third-party services, such as social media services that you may link to your account on the Service. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service.

We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:

  • Connection data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G) and general geographic area.

  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

  • Communication interaction data such as your interactions with our email or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.

Cookies and similar technologies. Some of our automatic data collection is facilitated by cookies and similar technologies. For more information, refer to section 5 below. We will also store a record of your preferences in respect of the use of these technologies in connection with the Service.

3. HOW DO WE USE YOUR PERSONAL DATA?

We may use your personal data for the following purposes or as otherwise described at the time of collection:

Service delivery and operations. We may use your personal data to:

  • provide and operate the Service and our business;

  • to allow us to communicate with you and respond to your requests or inquiries;

  • to allow you access to online services, applications and platforms;

  • keep track of our interactions and meeting such as when you contact us for information and support;

  • personalizing the service, including remembering the devices from which you have previously logged in and remembering your selections and preferences as you navigate the Service;

  • enable security features of the Service, such as by remembering devices from which you have previously logged in;

  • communicate with you about the Service, including by sending Service-related announcements, updates, security alerts, and support and administrative messages;

  • understand your needs and interests, and personalize your experience with the Service and our communications; and

  • provide support for the Service, and respond to your requests, questions and feedback.

To manage our recruiting and process job applications and usual Human Resources. We may use your personal data, such as data submitted to us in a job application, to facilitate our recruitment activities and process job applications, such as by evaluating a candidate for a job and monitoring recruitment statistics.

Research and development. We may use your personal data for research and development purposes, including to analyze and improve the Service and our business and to develop new products and services. As part of these activities, we may create aggregated, de-identified and/or anonymized data from personal data we collect. We may make personal data into de-identified or pseudonymized data by removing information that makes the data personally identifiable to you. We may use this aggregated, de-identified or otherwise pseudonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.

Service improvement and analytics. We may use your personal data to analyze your usage of the Service, improve the Service, improve the rest of our business, help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails, and to develop new products and services.

4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL DATA?

In respect of each of the purposes for which we use your personal data, the GDPR requires us to ensure that we have a “legal basis” for that use.

Our legal bases for processing your personal data described in this Privacy Policy are listed below.

A Legal obligation, compliance and protection (“Compliance with Law”). We may use your personal data to:

  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities;

  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);

  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;

  • enforce the terms and conditions that govern the Service; and

  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal data, such as when required by law.

With the existence of a contract with third-parties. Where we need to execute a contract, we are about to enter into or have entered into with you (“Contractual Necessity”). We contract with several suppliers, 3rd parties involved for processing personal data on our behalf. All those partners have been contracted with specific agreements settled in place. All those suppliers act as “Data Processor” and/or “Data (Co-)Controller”, for the execution of the activities agreed with and approved by us. Their compliance with Data Privacy is carefully performed upon contracts negotiation to ensure all those processors commit to written obligations regarding their security controls and protection.

As a Legitimate Interest. Pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data. More detail about the specific legitimate interests pursued in respect of each purpose we use your personal data for is set out in the table below.

No Automated Decision-Making and Profiling. As part of the Service, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We use cookies and similar technologies for data collection. For more details, please refer to our Cookie Policy.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We strictly process and store your Personal Data only for the period necessary to achieve the purpose of the storage, or as permitted by law. The criteria used to determine the period of storage of information is the respective statutory retention period. After expiration of that period, the corresponding information would be permanently deleted, preventing any further processing, to the extent it is no longer necessary for the fulfillment of Legal Obligations.

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, in accordance with applicable law, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for Compliance and protection purposes.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal data, we have collected about you, we will either delete or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

7. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

We may share your personal data with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.

Affiliates. Our corporate parent, subsidiaries, and affiliates.

Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, customer support, email delivery, marketing, consumer research and website analytics).

Linked third-party services. If you log into the service with, or otherwise link your Service account to, a social media or other third-party service, we may share your personal data with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above.

Business transferees. We may disclose personal data in the context of actual or prospective business transactions (e.g., investments in or financings of Abivax, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares). We may also disclose your personal data to an acquirer, successor, or assignee of Abivax as part of any merger, acquisition, sale of assets, whether full or partial, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal data is transferred to one or more third parties as one of our business assets.

8. IS YOUR PERSONAL DATA TRANSFERRED INTERNATIONALLY?

We are headquartered in France, however we may use service providers that operate in other countries. Your personal data may be transferred outside of the European Economic Area to countries where privacy laws may not be as protective as those in the European Economic Area and which may not be regarded as providing the same level of protection as the jurisdiction you are based in. This means that if you use the Service, your personal data may be accessed and processed in countries outside the European Economic Area, and it may also be provided to recipients in other countries outside the European Economic Area.
see “WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?” above for more details of Personal Data that may be transferred.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable laws.
Where we share your personal data with third parties who are based outside of the European Economic Area, we will apply additional safeguards as appropriate depending on the legal mechanism used to transfer your personal data. In adequacy with Article 46 of EU GDPR/UK GDPR, Abivax does have put in place appropriate safeguards in respect the data transfer using the Standard Contractual Clauses and Transfer Impact Assessment where appropriate.
You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the European Economic Area. You may have the right to receive a copy of the appropriate safeguards under which your personal data is transferred by contacting us at [email protected].

9. DO WE COLLECT PERSONAL DATA FROM CHILDREN?

The Service is not intended for use by anyone under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected personal data in a manner prohibited by law, please contact us. If we learn that we have collected personal data through the Service from a child without the consent of the child’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

10. IN SUMMARY

Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”).

  • Where we need to comply with a legal or regulatory obligation

  • Where we have your specific consent to carry out the processing for the purpose in question (“Consent”).

  • We have set out below the legal bases we rely on in respect of the relevant purposes for which we use your personal data – for more information on these purposes and the data types involved, see ‘How we use your personal data’.

Purpose

Categories of personal data involved

 

Legal basis

Data Processed accessible by

Service delivery and operations

Contact data

Communications data

Data from Third Party Services

Connection data

Communication interaction data

Compliance with Law. If we are legally obliged to respond to your request.

Consent. In respect to any optional cookies we may use.

Legitimate Interest. In all other cases – our legitimate interests to develop, improve and communicate about our organization.

Contractual necessity.

Us and affiliates

Service PROVIDERS, Advertising partners and Linked third-party service

Authorities and others

Professional advisors

Research and development

Any and all data types relevant in the circumstances

Legitimate Interests. We have legitimate interest in learning about how our users use the Service, and in taking steps to ensure that we derive such learnings in a privacy-preserving manner.

Us and affiliates

Service PROVIDERS,

Authorities and others

Professional advisors

Advertising partners

To manage our recruiting and process job applications & Human Resources

Contact data

Job application data

Human Resources data

Consent

Legitimate interest,

Compliance with Law

Us and affiliates

Service PROVIDERS,

Authorities and others

Professional advisors

Business transferees

Compliance and protection

Any and all data types relevant in the circumstances

Compliance with Law

Us and affiliates,

Professional advisors

Authorities and others

Business transferees

Further uses

Any and all data types relevant in the circumstances

Legitimate interest if the relevant further use is compatible with the initial purpose for which the personal data was collected and was shared already.

Consent. If the relevant further use is not compatible with the initial purpose for which the personal data was collected.

Us and affiliates,

Business transferees

11. WHAT ARE YOUR PRIVACY RIGHTS?

In this section, we describe the rights and choices available to all users.

You may ask us to take the following actions in relation to your personal data that we hold:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.

  • Correct. Update or correct inaccuracies in your personal data.

  • Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

  • Portability. Port a machine-readable copy of your personal data to you or a third party of your choice.

  • Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.

  • Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.

  • Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to [email protected] or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Whether we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Please also note that, upon the legal basis applying with the specific data processing, some of those rights are not applicable.

  • In case, the legal basis is a legal obligation (E.g. Human Resource processing for complying with law), the rights to oppose, to erase and of portability are not applicable,

  • In case, the legal basis is the legitimate interest (E.g. Marketing/communication processing ), the right of portability is not applicable.

Your Right to Lodge a Complaint with your Supervisory Authority. In addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal data, you can make a complaint to the data protection regulator in your habitual place of residence. The contact information for the data protection regulator in your place of residence can be found here:https://edpb.europa.eu/about-edpb/board/members_en

Opt-out of communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

Cookies.For information about cookies employed by the Service and how to control them, see our Cookie Notice.

Blocking images/clear gifs: Most browsers and devices allow you to configure your device to prevent images from loading. To do this, follow the instructions in your particular browser or device settings.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
Linked third-party platforms. If you choose to connect to the Service through your social media account or other third-party platform, you may be able to use your settings in your account with that platform to limit the information we receive from it. If you revoke our ability to access information from a third-party platform, that choice will not apply to information that we have already received from that third party.

13. OTHER SITES AND SERVICES

The Service may contain links to websites and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

14. SECURITY

Privacy by design is set in force and we employ a number of technical; physical and logical measures; organizational measures to protect from loss, misuse, disclosure, unauthorized access, alteration, unavailability and destruction your personal data that we process and/or collect.
However, the website may contain links to other websites. We are not responsible for the privacy practices of any other 3rd party website and we recommend you to review the privacy statements of any 3rd party website you may visit in addition to review their privacy practices. Also, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal data.

15. DO WE MAKE UPDATES TO THIS PRIVACY POLICY?

We reserve the right to modify this Privacy Policy at any time. If we make any changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). You should consult this Privacy Policy regularly for any changes.

16. HOW CAN YOU CONTACT US ABOUT THIS PRIVACY POLICY?

  • Email: [email protected]

  • Address: PharMarketing, Data Protection Officer for Abivax, 8 rue Roublot, 94120 Fontenay sous Bois, France

17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please send an email at [email protected].