Privacy Policy

OVERVIEW

Retrophin, Inc., and its subsidiaries ("Retrophin", "Company", or "we") is a biopharmaceutical company specializing in identifying, developing, and delivering life changing therapies to people living with rare diseases. We process personal data in different contexts and we do so by fully respecting your privacy and your other rights and freedoms, as part of our unwavering commitment to ethical and responsible practices. We process personal data collected through our websites; we gather personal data for marketing and educational purposes; we process personal data for conducting clinical trials and we process the personal data of our employees. We recognize that innovation and new technology drive continual change in risk, expectations, and laws, so we follow privacy accountability standards and aim to promptly adapt how we apply those standards in response to those changes.

This Privacy Policy generally sets forth Retrophin's practices regarding the collection, use and disclosure of personal data and/or information that you may provide Retrophin. By using Retrophin sites, and other methods, whenever you submit personal data and/or information to Retrophin, you acknowledge and agree with the terms of this Privacy Policy.  Please read this entire Privacy Policy before using Retrophin sites and/or submitting personal data and/or information to Retrophin.

Retrophin also has specific policies for how we process personal data from our website (cookies), for clinical trials and personal data for our employees.

In principle: Retrophin collects, uses and stores the minimum amount of personal data that you voluntarily submit to Retrophin that is necessary for one or more legitimate business purposes and to comply with legal obligations.  Retrophin limits who has access to the personal data in our possession to only those who need it for a legitimate business purpose or if required by law.  Retrophin protects personal data through physical and technical security measures tailored to the sensitivity of the personal data we hold.  Retrophin communicates with our employees, customers, suppliers, business partners and others about how we intend to use personal data in our day-to-day operations.  Retrophin takes reasonable steps to ensure the personal data we process is accurate and up-to-date. Retrophin integrates privacy in the design of our projects that involve the use of personal data.

For European Union ("EU") data protection law purposes, we process personal data as a controller or joint-controller, depending on the context of the processing activity. The controller is the entity that, alone or jointly with others, establishes the purposes and the means of a processing activity. A "processing activity" is an activity that we engage in for a specific, identified purpose, and that involves the collection and use of personal data.

Retrophin complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States.  Retrophin has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit privacyshield.gov/

WHO WE ARE

We are Retrophin, Inc., and you can contact us via mail at 3721 Valley Centre Drive, San Diego, CA 92130, Suite 200, Attn: Legal Department, via email at dataprotection@retrophin.com, or you can call us at +1-760-260-8600.  For data protection purposes, including the EU data protection law, we are the controller of your personal data, and you can contact us with any inquiries you may have regarding the processing of your personal data.

TYPES OF PERSONAL DATA WE COLLECT AND USE

"Personal data", means any information related to an identified or identifiable individual. Depending on the context in which we process your personal data, we collect and otherwise process the following, by way of example and not limited to:

Information that you provide via a Retrophin website or by some other method and that can directly or indirectly identify or locate you: name, address, telephone number, e-mail address, and any other related information you submit to us.  Information that a Retrophin website collects automatically: the date and time of the website session, movements across the website, information about your browser, your IP address, and information related to your online activity gathered through our weblogs and cookies.  Personal data, including data related to an individuals' health or a clinical trial. Employment details and history, biographical information, educational history, benefits, compensation, contact details, performance, and use of Company resources by employees, contractors, and applicants in connection with their role or potential role for Retrophin.  Contact information for key personnel of customers and potential customers for the purpose of performing sales, services, education, research, and marketing.  Social Security Numbers to the extent necessary for compensation and/or Retrophin products and services.

Our Policy Towards Children

Our websites are not directed towards children. We do not knowingly collect personal data from children through our websites. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, please contact us. If we become aware that a child is using our websites and has provided us with personal data, we will delete such information from our files.  Some of our clinical trials process personal data of children. The consent of parents or legal representatives is sought in this case, and in accordance with the laws where the clinical trials are being conducted.

WHAT WE DO WITH YOUR PERSONAL DATA

In the case of personal data collected through our websites, we use it for educational and marketing purposes about our own commercial and pipeline products and related disease states. In the case of our employees, we collect personal data during the application process, we hire a third party to conduct background checks for successful applicants, we store biographic data, data related to health, identification data, bank accounts numbers, addresses, phone numbers that are all necessary for day-to-day business purposes or for compliance with a legal obligation. For security purposes we also monitor to a certain extent how employees use our IT systems. We have an Acceptable Use of Electronic Resources Policy that is made available to our employees. Our Employee Privacy Policy is available to all our employees and prospective employees. Please contact dataprotection@retrophin.com, or as noted below, if you have questions.

In the case of clinical trials, we collect, store and analyze your personal data generated via clinical trials we are conducting utilizing clinics, research institutions, clinical research organizations, and healthcare professionals that we contract with.

For the processing of Social Security Numbers, Retrophin has implemented reasonable technical, physical and administrative safeguards to help protect the Social Security numbers and other sensitive personal information from unlawful use and unauthorized disclosure. All Retrophin employees are required to follow these established procedures, both online and offline. In particular, access to Social Security numbers is limited to those employees and service providers who have a need to access this information to perform tasks for Retrophin.  We will only disclose Social Security numbers with those service providers, auditors, advisors, and/or successors in interest who are legally or contractually obligated to protect them, or as required or permitted by law.

PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA

The purposes for which we collect and process your personal data are:

To ensure the proper operation of our day-to-day business and for complying with legal obligations.  To respond to your requests for information, products, and/or services.  If you apply for a job via our career center, to consider you for employment.  To contact you and provide you with disease state, product, and general services information.  If you have a business or professional relationship with Retrophin, we may use your personal information generally to develop our business relationship with you and/or further the advancement of services.  For legal and compliance obligations, such as adverse event reporting and for other everyday business purposes, such as website management, research and development, educational, and commercial purposes.

GROUNDS FOR PROCESSING

For those processing activities that fall under the EU data protection law, the legitimate grounds for processing personal data that Retrophin relies on are:

Consent for our clinical trials, for the collection and use of data through our website and for personal data processed for marketing and educational purposes.  To fulfill our legitimate business and healthcare initiative interests.  The necessity to enter a contract, where appropriate and for compliance with legal obligations

WHO HAS ACCESS TO YOUR DATA

Except as provided herein, Retrophin will not share your personal data with third parties unless you have consented to the disclosure.  We only share your personal data with our agents, contractors or partners in connection with services that these individuals or entities perform for, or with, Retrophin such as: sending e-mail messages, managing personal data, hosting our databases, providing personal data processing services, providing customer service, and facilitating the job application process.

These agents, contractors or partners are restricted from using one's personal data in any way other than to provide services for Retrophin, or services for the collaboration in which they and Retrophin are engaged (for example, some of our products are developed and marketed through joint agreements with other companies). For the purposes of EU data protection law, Retrophin enters controller-processor arrangements with our agents, contractors or partners that qualify as processor.

Retrophin will share personal data to respond to duly authorized subpoenas or other lawful information requests of governmental authorities, including to meet national security or law enforcement requirements, or where required by law. In exceptionally rare circumstances where national, state or Company security is at issue, Retrophin reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.

DATA INTEGRITY

Retrophin takes reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. Retrophin also ensures personal data is limited to the information relevant for the purposes of processing as noted in this policy.

As a convenience, our websites may sometimes contain links to a number of other (non-Retrophin) websites that we believe may offer useful information. The Policy presented here does not apply to those non-Retrophin sites. You should contact these sites directly for information on their privacy policies, confidentiality procedures, and data collection, distribution and protection procedures.

Please note that linked non-Retrophin websites may also use cookies. Retrophin cannot control the use of cookies by these non-Retrophin sites. In addition, when you link from a Retrophin website to another website, that site may have the ability to recognize that you have come from a Retrophin site. If you do not want any other websites to know that you have been on one of Retrophin's websites, we recommend that you do not use the links provided in our sites.

TRANSFER OF DATA OVERSEAS & PRIVACY SHIELD PRINCIPLES

If you are located outside the United States (US) and you interact with us via one of our websites, mail, e-mail, phone, or you participate in one of our clinical trials, then your personal data is transferred to the US. If you are based in the EU or Switzerland, please be informed that the US did not obtain an adequacy decision for the level of protection afforded to personal data. However, we provide appropriate safeguards for your data in the US, as we elected to self-certify under the EU-US Privacy Shield and under the Swiss-US Privacy Shield.

Privacy Shield and its Principles:

Retrophin has elected to self-certify to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework ("Privacy Shield") for commercial, research and development, and employee data.  Retrophin processes the personal data we receive in the US from the EU, the EEA, and Switzerland in accordance with the Privacy Shield Principles, as applicable.  If there is any conflict between the terms in this policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  For personal data originating in the EU, the EEA, or Switzerland, this policy demonstrates our commitment to processing your personal data in accordance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement, and Liability.  Under these principles, you have the right to access your own data that has been transferred to Retrophin under Privacy Shield, and request the correction, amendment or deletion of such data.  In accordance with this policy regarding disclosure and sharing of personal data, detailed herein, your personal data will only be shared as appropriate with third parties that process information on behalf of, or with, Retrophin. If we disclose personal data received under Privacy Shield to a third party, Retrophin ensures that the third party has contractual provisions or processes in place that require the same level of security and confidentiality safeguards as required under Privacy Shield, as the case may be. Under certain circumstances, Retrophin may remain liable for the acts of certain third parties if those third parties process the EU or EEA-originating personal data that Retrophin discloses to them in a manner that is inconsistent with the Privacy Shield Principles.

In compliance with the Privacy Shield Principles, Retrophin commits to resolve complaints about our collection or use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Retrophin at:

Retrophin, Inc.
Suite 200
3721 Valley Centre Drive
San Diego, CA 92130
Attn: Legal Department

Or calling Retrophin at +1-760-260-8600

Or e-mail: dataprotection@retrophin.com

If, after attempting to address privacy questions or concerns with Retrophin directly you still have a specific privacy concern that has not been resolved, you may choose to mediate your concern by a neutral third party. Retrophin has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit adr.org for more information or to file a complaint. The services of the American Arbitration Association are provided at no cost to you.

American Arbitration Association
Case Filing Services
877.495.4185: Toll free
877.304.8457: Fax
casefiling@adr.org

Contact your Data Protection Authority: If you are based in the EU or the EEA, you may choose to contact your local Data Protection Authority ("DPA"), or the Swiss Federal Data Protection and Information Commissioner, if you are based in Switzerland.  Your DPA or the Swiss Commissioner may refer your complaint directly to the Department of Commerce on your behalf. In this case, the Privacy Shield Team will then work to resolve your concern. Retrophin commits to cooperate with EU DPAs and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

US Department of Commerce's Privacy Shield Framework: you may also have the option to select binding arbitration for the resolution of your complaint under certain circumstances. For more information on binding arbitration, see US Department of Commerce's Privacy Shield Framework

For purposes of enforcing compliance with Privacy Shield, Retrophin is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about Privacy Shield and to view Retrophin's certification page, once posted by the US Federal Trade Commission, please visit the website of the US Federal Trade Commission on Privacy Shield located at: (privacyshield.gov).

In the context of an onward transfer, Retrophin has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Retrophin shall remain liable under the Privacy Shield Principles if its agent processes such personal information in a manner inconsistent with the Principles unless Retrophin is not responsible for the event giving rise to the damage.

HOW DO YOU CONTROL YOUR DATA

Whether you reside in the US, reside in or otherwise find yourself in the EU, Retrophin is committed to facilitate the exercise of your rights granted by EU data protection law and our commitment to privacy, noted above, in a timely manner – the right to access your data, to ask for erasure, correction, portability of your data or to object to the processing of your data. In order to be able to reply to your request and if we are not certain of your identity, we may need to ask you for further identification data to be used only for the purposes of replying to your request. If you have any inquiries, you may contact us at: 3721 Valley Centre Drive, San Diego, CA 92130, Suite 200, Attn: Legal Department, send an email to dataprotection@retrophin.com , or you can call us at +1-760-260-8600.

Access to Your Own Personal Data

You have the right to obtain confirmation of your personal data whether we process it or not, as well as the right to obtain information about the personal data we process about you and to obtain a copy of this data.

Erasure, correction and other requests including receiving communication

You have the right to obtain erasure, correction and portability of your personal data, under certain conditions. You also have the right to object at any time to receiving marketing/educational materials from us by following the opt-out instructions in our e-mails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.

Please be sure to include your e-mail address if you are writing to unsubscribe to any service or materials we provide you. Also, please note that you may continue to receive materials while we are updating our lists.  For all the processing operations that are based on you consent, as described above, you can withdraw consent at any time and we will stop those processing operations. All processing of your personal data based on your consent before withdrawal remain lawful.  As to adverse event reporting and related personal data, Retrophin reserves the right to not remove or amend such personal data and/or adverse event information as required by law or regulation.  Retrophin does not engage solely in automated decision making or profiling using your personal data.

DATA SECURITY

We are committed to processing your personal data in a secure manner, by creating specific technical and organizational measures to prevent the personal data we hold from being accidentally or deliberately compromised.

We conduct information risk assessments, we ensure that our staff understands the importance of protecting personal data and we are responsibly managing access rights within the Company. We include both physical security and IT security in our overall data security approach. We are diligent in selecting vendors that process personal data on our behalf so that they also ensure appropriate technical and organizational measures to protect the data. Retrophin makes reasonable efforts to notify individuals and regulatory authorities, as required by law, if we reasonably believe that personal information has been stolen, disclosed, altered or infringed by an unauthorized person. We created and maintain a breach notification and reporting protocol. If there are questions or concerns regarding this policy or a potential breach, please contact at: 3721 Valley Centre Drive, San Diego, CA 92130, Suite 200, Attn: Legal Department, send an email to dataprotection@retrophin.com , or you can call us at 1-760-260-8600.

ACCEPTANCE OF TERMS

By using this site or any other Retrophin site and voluntarily providing your personally identifiable information to us, you consent to the collection and use of such personally identifiable information as set forth in this Policy.  If you do not agree to the terms of this Policy, please do not provide us with any information or personal data and do not use our websites.

CHANGES TO THIS NOTICE

We reserve the right, at any time, to modify, alter, or update this Policy, and any such modifications, alterations, or updates will be effective upon posting.  In the event we modify this Policy, your continued use of our sites will signify your acceptance of the modified Policy. The time stamp you see on the Policy will indicate the last date it was revised. We will duly inform you of any changes via our website and we provide you, as noted herein, the opportunity to express your consent for processing your data for different and new purposes.

This Policy was last updated on August 6, 2018