Privacy Policy

1. Introduction

1.1. Liminal BioSciences Inc. (Canada), as data controller, is responsible for the processing of your personal data obtained through our website, www.liminalbiosciences.com (the “Website”) or otherwise provided by or about you in the course of our business. Our Website is owned and operated by Liminal BioSciences Inc. and its subsidiaries (“Liminal”) for your personal and non-commercial use and information. When referring to “Liminal”, “we” or “us” in this Policy, it refers to Liminal.

The EU representative for Liminal BioSciences globally is recognised as Liminal BioSciences Ltd and can be contacted at dataprotection@liminalbiosciences.com.

Please carefully read this Policy. This Policy outlines our practices to ensure that we provide an adequate level of protection to your personal data and it explains:

  • what personal data we collect about you when visiting our Website or otherwise in the course of your engagement with us;
  • for what purpose we collect your personal data and how we use it;
  • who it is disclosed to and how long we keep it;
  • your legal rights in respect of your personal data that we collect, including how to access and update the information we hold about you.

1.2. By using our Website and/or by providing us with your personal data, you are agreeing to the terms of this Privacy Policy (the “Policy”). Please also refer to our Cookie Policy to find out what personal data we collect about you, the purpose why we collect it, who it is transferred to, how long we keep it and the reasonable steps taken to protect your personal data. These Policies also describe your rights in respect of the personal data we collect about you.

2. What personal data we collect about you and for what purpose

2.1 The reasons and methods for collecting, using and transferring your personal data vary depending on why and how you use our services. Please select the relevant category from the list below to see more specific information regarding how we process your personal data in connection with the services you receive from us. Are you:

  1. A patient or representative of a patient (e.g. physician, family member, health care professionals) participating in our clinical trials or in our compassionate use programs?
  2. Health care professional or consultant?
  3. One of our service providers?
  4. Applying for a job with us?
  5. A visitor to one of our offices?
  6. An investor or potential investor?
  7. A donor donating plasma in one of our plasma collection centres?
  8. One of our customers?

2.2 Regardless of how you engage our services, we will generally process personal data about you in the below circumstances:

  • If you are visiting our Website (including as a customer or job applicant): We may collect and process data about your use of our Website and services (“usage data”), for Website analytics, such as your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. We will not store or use this information except as required for system administration of our web server – see our Cookie Policy for further details. Our legal basis for doing this is legitimate interests (system administration, market research and improving our business offering, and to protect the security and integrity of our Website).
  • For marketing purposes (but only where you have given your consent for us to do so): We may collect and process personal information that you provide to us when subscribing to our emails, or raising enquiries regarding our goods and services (“enquiry data”) for the purpose of subscribing to our email notifications, marketing materials, webinars and/or newsletters (“notification data”). The notification data may be processed for the purposes of sending you the relevant notifications, webinar information, marketing materials and/or newsletters. Our legal basis for doing this is your consent, which you give at the time of submitting your relevant personal data and which you may withdraw at any time.
  • For responding to enquiries and communications you make with us: We may collect and process information contained in or relating to any communication or enquiries that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be collected and processed for the purposes of communicating with you and any other parties necessary for that communication (e.g. other parties cc-ed into the correspondence) and record-keeping for the proper administration of our Website and for business operations. Our legal basis for doing this is for performance of a contract with you or taking pre-contractual steps at your request.
  • For our legitimate business purposes: We may collect and process any of your personal data where we believe in good faith that this is reasonably necessary for our business purposes, including:
    • to negotiate and enter into commercial or corporate transactions;
    • for audits, monitoring and prevention of infringement or other misuse of our products, services and/or other intellectual property rights;
    • for the establishment, exercise or defence of legal claims and to enforce our legal rights, whether in court proceedings or in an administrative or out-of-court procedure or as part of any criminal or other legal investigation;
    • to manage risks or obtain professional advice;
    • to operate and ensure the security of our Website and Services and maintain back-ups of our databases; and
    • to obtain or maintain insurance coverage.

The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others, and the proper protection of our business against risks.

3. Disclosing your personal data to others

3.1 When we share data with these third parties, we put contractual arrangements and security mechanisms in place as appropriate to protect your personal data.

3.2 We may disclose your personal data to any member of our group of companies (this means to Liminal and all of its affiliates worldwide) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.

3.3 We may disclose your personal data to third parties who act on our behalf, for further processing, such as our insurers, contract research organizations, service providers, healthcare professionals, and/or professional advisers for further processing in accordance with the purpose for which the data was originally collected or insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, obtaining technical support, management of clinical trials, collection of plasma, to protect your safety or the safety of others, ensure our Website integrity and security or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure or in connection with a criminal or other legal investigation.

3.4 We may share usage data that is collected/transferred to third party sites including Google Analytics, Pardot and Uberflip. We use your usage data to monitor and improve our Website and services. The legal basis for this processing is monitoring and improving our Website and services.

3.5 Financial transactions relating to our Website and services are handled by our payment services providers, WorldPay and PayPal. We will share account data and transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices at:

https://www.worldpay.com/uk/privacy-policy, https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

3.6 We may disclose your enquiry data to one or more of those selected third-party suppliers of goods and services identified on our website for the purpose of enabling them to contact you so that they can offer, market and sell you relevant goods and/or services. Each such third party will act as a data controller in relation to the enquiry data that we supply to it; and upon contacting you, each such third party should supply to you a copy of its own privacy policy, which should govern that third party’s use of your personal data. The legal basis for this processing is your consent, which you may withdraw at any time.

3.7 In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data where we believe in good faith that such disclosure is reasonably necessary for compliance with a legal obligation to which we are subject, or in order to protect your legal interests or the legal interests of another person. We may disclose your personal data to a third party in the event that our business, or a part of our business, is sold, assigned or transferred, in which case we will require such third party to process your personal data in compliance with this Privacy Policy. We may also disclose your personal data where such disclosure is necessary pursuant to applicable law or regulations, requests from governmental authorities, for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure or in connection with a criminal or other legal investigation.

4. International transfers of your personal data for individuals residing in the EEA or UK

4.1 In this Section 4, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA), and the UK.

4.2 We are an organisation headquartered in Canada and many of our third-party providers are located there. We also have offices in the USA [and the Isle of Man] and many of the external parties we work with to provide our services are based outside of the EEA and UK. The hosting facilities for our Website are situated in Ohio – USA. This means that your personal data may be transferred to another country with different data protection laws.

4.3 Transfers to any recipients outside of the EEA (including to Liminal’s affiliates) will be protected by appropriate safeguards, namely:

  • Ensuring recipients reside in countries benefitting from an “adequacy decision” by the European Commission, namely Canada and the US (in instances where the recipients have been certified under the Privacy Shield Framework); or
  • By entering into EU Commission approved standard contractual clauses with the relevant recipients.

Information stored for backup purposes will be stored securely. You can obtain further information about how we manage any transfers of your personal data abroad, including the safeguards in place for your international transfers of personal data by contacting us (see “Contact Us” below) and the Privacy Shield scheme at www.privacyshield.gov.

5. Retaining your personal data

The following section only applies if you are based in the EEA or in the UK.

5.1 We will only retain your personal data for as long as is necessary to fulfil that purpose or those purposes for which it was collected or for as long as such retention is necessary for compliance with a legal obligation or a legal basis to protect our interest to which we are subject, or in order to protect your interests or the interests of another natural person.

5.2 If you require further information around retention periods in relation to your personal data, please contact dataprotection@liminalbiosciences.com.

6. Amendments

6.1 We may update this policy from time to time by publishing a new version on our website.

6.2 You should check this page regularly to ensure you are happy with any changes to this policy.

6.3 We may contact the data subject with details of change where appropriate by email or otherwise.

7. Your rights

The following section only applies if you are based in the EEA or in the UK.

7.1 Under certain circumstances, you have rights under the General Data Protection Regulation in relation to the personal data we hold about you. You can request to:

  • access the personal data we hold about you. Please note that we reserve the right to request proof of your ID to process your request, and to charge you a reasonable administrative fee for any repetitive, manifestly unfounded or excessive requests. If we refuse your request to exercise this right, we will give reasons for our refusal and allow you to challenge our decision.
  • rectify any incorrect or incomplete personal data we hold about you. It is both in our interest and yours that any personal information we hold about you is accurate, complete and current.
  • delete, restrict or remove the personal data we hold about you.
  • transfer the personal data we hold about you to another party.
  • object to any further processing of your personal data.

You can make all such requests by emailing our Data Protection Committee at dataprotection@liminalbiosciences.com.

Please note that in respect of all these rights we reserve the right to refuse your request based on the exemptions set out in the applicable data protection laws.

In most cases no fee will be charged. However, if a request is manifestly unfounded or excessive a fee may be charged for the administrative costs of complying with the request. Such fee will be based on the administrative costs of providing further copies.

If you have any concerns about how we process your personal data, please contact us at dataprotection@liminalbiosciences.com. If you are not satisfied after we’ve tried to resolve your issue, you’ll be entitled to lodge a complaint with our main supervisory authority in the EU, the Information Commissioner’s Office (ICO) in the UK. Please see the ICO’s website for further details, www.ico.org.uk.

8. Third party websites

8.1 Our website includes hyperlinks to, and details of, third party websites.

8.2 We have no control over, and are not responsible for, the privacy policies and practices of third parties.

9. Personal data of children

9.1 Our website is targeted for people over the age of 18. Except if a minor is participating in a clinical trial or compassionate use program, we do not knowingly collect personal data from minors (under 18).

9.2. If a minor (under 18) is participating in a clinical trial or compassionate use program, please refer to 11.1 of this Policy.

10. Updating information

10.1 Please let us know if the personal information that we hold about you needs to be corrected or updated.

11. Changes to this policy

11.1 We may from time to time review and amend this Privacy Policy to take into account changes in law, technology and our operations. We will post any changes to this Privacy Policy on our Website from time to time and where appropriate, notify you by email. Please periodically review this Privacy Policy before using our Website as continued use of our Website shall indicate your acceptance of any changes. All personal information held by us will be governed by the most recent Privacy Policy posted on our Website.

12. Contact us

12.1 If you wish to contact us about this Privacy Policy or wish to exercise your data privacy rights, you can contact us by emailing dataprotection@liminalbiosciences.com.

Appendix A

Specific information about your data

Please click the relevant headings below to see more specific information about the personal data that we may collect and process about you, our purposes for collecting this data and our legal grounds for doing so on top of the processing activities listed in section 2 above.

1. If you are a patient or representative of a patient (e.g. physician, family member) participating in our clinical trials

We, or the third parties acting on our behalf, may collect and process personal data about you as a patient or representative of a patient enrolled or being screened in connection with our clinical studies or compassionate use programs. Such personal data may include:

  • Personal information about you, such as name, age, gender, title, date of birth, relationship to patient, photo of your face
  • Contact information, such as email, phone number, address, postcode
  • Patient health data, such as medical history, diagnosed conditions, treatment log, medicinal allergens
  • Verification/identification information such as passport/driving licence numbers, details of practitioner licences/ qualifications and any other personal information contained within these documents (e.g. photos, gender, age, nationality, date of birth)
  • Contractual information, e.g. details about your chosen trial products
  • Financial information, such as your bank account details for managing reimbursement of fees

Why do we or third parties acting on our behalf, collect and process your personal information and on what grounds?

Purpose for processing | Legal Basis
Processing our clinical trial application | Performance of a contract (submitted to the regulatory authority); Scientific Research (in respect of your patient health data)
Verifying your identity and preventing fraud (e.g. ID checks) | Compliance with our legal obligations
Screening of potential subjects in connection with one or more clinical trials |
Performance of our clinical trials and contractual obligations related thereto |
Fulfilling any legal or regulatory obligations, including reporting of safety issues and adverse events | Compliance with our legal obligations
Completing any requests you make | Performance of a contract; Scientific Research (in respect of your sensitive medical data)
Keeping you updated with important communications about your test results | Performance of a contract; Scientific Research (in respect of your sensitive medical data)
Managing our relationship with you | Performance of a contract
Assessing and developing our products, systems, prices and brand, including by analysing test results and exploring new ways to meet our patients’ needs* | Our legitimate interests (market research and improving our business offering); Scientific research (in respect of your sensitive personal data)
Using your bank details to process any payments | Performance of a contract
Sending you marketing emails and contacting you about our products and services | Your consent (if received)
Publishing your personal data and photos of your face identifying you as patient case studies* | Your consent (if received)

*Note: We may combine, aggregate or anonymize your personal data with data that we collect from other sources, such as other clinical trial patients, or compassionate use patients, public databases, providers of demographic information, social media platforms and other third parties. We may process such combined, aggregated or anonymized data for any purpose, including scientific and market research, scientific and medical publications, medical conferences, clinical trial design, disease state awareness and continuous reporting obligations.

2. If you are a health care professional or consultant

Information that we may collect or process about you includes the following:

  • Contact information, such as email, phone number, address, postcode
  • Verification/identification information such as passport/driving licence numbers, details of practitioner licences/ qualifications and any other personal information contained within these documents (e.g. photos, gender, age, nationality, date of birth)
  • Basic business contact information about you, such as your name and contact details
  • Financial information, such as your bank account details for wire transfers

Why do we collect your personal information and on what grounds?

Purpose for processing | Legal Basis
Verifying your identity and preventing fraud (e.g. ID checks) | Compliance with our legal obligations
Managing our relationship with you | Performance of a contract
Verifying your identity and preventing fraud (e.g. KYC and AML checks) | Compliance with our legal obligations
Assessing and developing our products, systems, prices and brand, including by analysing test results and exploring new ways to meet our patients’ needs* | Our legitimate interests (market research and improving our business offering); Scientific research (in respect of your sensitive personal data)
Using your bank details to process any payments | Performance of a contract
Sending you marketing emails and contacting you about our products and services | Your consent (if received)

*Note: We may combine, aggregate or anonymize your personal data with data that we collect from other sources, such as other clinical trial patients, or compassionate use patients, public databases, providers of demographic information, social media platforms and other third parties. We may process such combined, aggregated or anonymized data for any purpose, including scientific and market research, scientific and medical publications, medical conferences, clinical trial design, disease state awareness and continuous reporting obligations.

3. If you are one of our service providers

Information that we may collect or process about you includes the following:

  • Basic business contact information about you, such as your name and contact details
  • Financial information, such as your bank account details for managing transactions and payment of fees

Why do we collect your personal information and on what grounds?

Purpose for processing | Legal Basis
Managing our relationship with you | Performance of a contract
Verifying your identity and preventing fraud (e.g. KYC and AML checks) | Compliance with our legal obligations
Completing any requests you make | Performance of a contract
Using your bank details to process any payments | Performance of a contract

4. If you are applying for a job with us

Information that we may collect and process about you includes the following:

  • Personal information about you, e.g. name, age, gender, title, date of birth, ethnicity, religion, veteran status and disabilities
  • Contact information, e.g. email, phone number, address, postcode
  • Employment history and education, e.g. employer company name, company registration number, company address, job title at company
  • Contractual information, e.g. details about your application, such as your chosen role, employment requirements (e.g. contractual days/hours), date available and desired pay
  • Any personal information contained in your CV or supporting application, e.g. visa requirements, qualifications, details of any disability requiring reasonable adjustment requirements to the recruitment process

Why do we collect and process your personal information and on what grounds?

Purpose for processing | Legal Basis
Processing your job application and managing communications with you in respect of the application process | Performance of a contract with you (by taking steps at your request prior to entering into a contract)
Storing your details on our database for future suitable job opportunities | Our legitimate interests (marketing similar services to those previously requested)
Ensuring appropriate levels of interview and assessment support for candidates requiring reasonable adjustments or special consideration due to specific impairments | Compliance with our legal obligations
Keeping records of recruitment track records for internal analytics and research purposes | Our legitimate interests (improving our recruitment practices)
To comply with government reporting regulations for example in relation to equal opportunity recruitment | Compliance with our legal obligations

5. If you are a visitor to one of our offices

Information that we may collect and process about you includes the following:

  • CCTV (Closed-Circuit Television) images, e.g. images of you or your vehicle as you visit our premises
  • Personal information about you as a visitor, e.g. your name and details of whom you are visiting or making a delivery to, job title
  • Company information, e.g. employer company name
  • Identification information, e.g. ID card or similar

Why do we collect your personal information and on what grounds?

Purpose for processing | Legal Basis
The prevention, investigation and detection of crime (including sharing images of you to the police or other law enforcement agency) | Our legitimate interests (in helping to keep our staff, visitors and our premises free from crime)
To enhance the safety of staff and the public (including sharing images of you to the police or other law enforcement agency) and to ensure the security of our offices and protection of our tangible and intangible assets. | Our legitimate interests (in helping to keep our staff, visitors and our premises free from crime)
To identify you and facilitate your visit to our premises | Our legitimate interests (in running our business, receiving deliveries and holding meetings at our premises)

6. An investor or potential investor

Information that we may collect and process about you includes the following:

  • Personal information about you, e.g. name, age, gender, title, date of birth, National Insurance number, information about your investments and experience in investing
  • Contact information, e.g. email, phone number, address, postcode
  • Company information, e.g. employer company name, company registration number, company address, job title at company
  • Event attendance information (where applicable), e.g. attendance at events, special dietary requirements
  • Contractual information, e.g. details of your shareholding, amounts invested and products invested in
  • Verification/identification information e.g. passport/driving licence numbers, tax certificate records and any other personal information contained within these documents (e.g. photos, gender, age, nationality, date of birth). Note that this may include ‘special categories’ of data about you such as your racial or ethnic origin or past criminal convictions.
  • Financial information, e.g. your bank account details for managing payment of fees or returns on investments, your current investments and investment experience.

Why do we collect your personal information and on what grounds?

Purpose for processing | Legal Basis
Sending you marketing emails and contacting you about our business and investment opportunities | Our legitimate interests (direct marketing to corporate recipients); Your consent (if you are acting as an individual, sole trader or partnership)
Fulfilling any legal or regulatory obligations (e.g. producing HMRC or international tax reports, performing suspicious transactions checks, and providing bi-annual investment reports to the FCA) | Compliance with our legal obligations
Completing any requests you make while you are an investor | Performance of a contract
Administering your transactions and holdings | Performance of a contract
Keeping you updated about your investment with regular reports | Performance of a contract
Maintaining a backup of the investment register for business continuity purposes | Performance of a contract

7. A donor donating plasma in one of our plasma collection centres

Information that we may collect and process about you includes the following:

  • Personal information about you, such as name, age, gender, title, date of birth, relationship to patient, photo of your face
  • Contact information, such as email, phone number, address, postcode
  • Patient health data, such as medical history, diagnosed conditions, treatment log, medicinal allergens
  • Verification/identification information such as passport/driving licence numbers, details of practitioner licences/ qualifications and any other personal information contained within these documents (e.g. photos, gender, age, nationality, date of birth)
  • Contractual information, e.g. details about your chosen trial products
  • Financial information, such as your bank account details for managing reimbursement of fees

Purpose for processing | Legal Basis
Verifying your identity and preventing fraud (e.g. ID checks) | Compliance with our legal obligations
Fulfilling any legal or regulatory obligations, including reporting of safety issues and adverse events | Compliance with our legal obligations
Administering and making arrangements for your plasma donation | Scientific Research (in respect of sensitive medical data collected as part of your donation); Performance of a contract (in respect of other administrative details relating to your appointment or donation)
Keeping you updated with important communications about your test results | Performance of a contract; Scientific Research (in respect of your sensitive medical data)
Managing our relationship with you | Performance of a contract
Assessing and developing our products, systems, prices and brand, including by analysing test results and exploring new ways to meet our patients’ needs* | Our legitimate interests (market research and improving our business offering); Scientific research (in respect of your sensitive medical data)
Using your bank details to process any payments | Performance of a contract
Sending you marketing emails and contacting you about our products and services | Your consent (if received)
Publishing your personal data and photos of your face identifying you as patient case studies* | Your consent (if received)

*Note: We may combine, aggregate or anonymize your personal data with data that we collect from other sources, such as other clinical trial patients, or compassionate use patients, public databases, providers of demographic information, social media platforms and other third parties. We may process such combined, aggregated or anonymized data for any purpose, including scientific and market research, scientific and medical publications, medical conferences, clinical trial design, disease state awareness and continuous reporting obligations.

8. If you are one of our customers

Information that we may collect and process about you includes the following:

  • Basic business contact information about you, such as your name and contact details
  • Contractual information, e.g. details about your purchase
  • Financial information, such as your bank account details for managing transactions

We collect this personal data from you when you complete the relevant registration form on our Website or otherwise correspond with us.

Purpose for processing | Legal Basis
Sending you marketing emails and contacting you about our business and products which we think may be of interest to you | Our legitimate interests (direct marketing to corporate recipients); Your consent (if you are acting as an individual, sole trader or partnership)
Verifying your identity and preventing fraud (e.g. ID checks) | Compliance with our legal obligations
Using your bank details to process any payments and bill you for products and services you request | Performance of a contract
Managing our relationship with you (including provision of customer support) | Performance of a contract
Providing the products and services you request from us | Performance of a contract

Appendix B

Third Parties

Sales Force https://www.salesforce.com/uk/campaign/gdpr/
Mailchimp https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation
Pardot https://www.salesforce.com/gdpr/pardot/

https://www.salesforce.com/company/privacy/

Campaign monitor https://www.campaignmonitor.com/trust/gdpr-compliance/
Microsoft products: Outlook, Excel, Word https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/GDPR
Syspro ERP https://eu.syspro.com/product/gdpr/
Simply HR https://recruiting.simplyhrjobs.co.uk/what-is-gdpr/
DHL https://www.logistics.dhl/global-en/home/footer/global-privacy-notice.html
FedEx https://www.fedex.com/en-gb/privacy-policy.html

Updated contracted in shared SecuriSynce file

Royal Mail log books https://www.royalmail.com/privacy-notice
Barclays Bank https://wealth.barclays.com/banking-and-investing-overseas/en_gb/home/others/controlling-your-data.html
Sage https://www.sage.com/en-gb/gdpr/
Dayforce https://www.ceridian.com/company/corporate/general-data-protection-regulation-gdpr/gdpr-ceridian
Wordfence https://www.wordfence.com/privacy-policy/
WorldPay https://www.worldpay.com/uk/worldpay-privacy-notice
PayPal https://www.paypal.com/uk/webapps/mpp/ua/privacy-full
Amazon https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
Uberflip https://www.uberflip.com/gdpr/ https://www.uberflip.com/legal/data-processing-amendment/
Google https://privacy.google.com/businesses/compliance/#?modal_active=none
Contact Form 7 https://contactform7.com/faq/is-contact-form-7-compliant-with-gdpr/
CDA (Confidential Disclosure Agreements)
MTA (Material Transfer Agreements)
TMF (trial master files) study files
