Privacy

Effective May 21, 2020

Wave Life Sciences Ltd. and its affiliated companies (collectively, “Wave,” “we,” “us,” and “our”) are committed to respecting your privacy. This Privacy Policy explains how Wave collects and uses information from and about you as part of our business activities, including information we collect online through our websites, by email, and through other digital services and products we operate and that link to this Privacy Policy (collectively, “Wave Sites” or “Sites”), and offline, such as through trade shows and conferences, by telephone, and through other offline means.

This Privacy Policy describes the information we collect and how we collect it, how we use and share it, and the rights and choices you have in relation to your information.

Wave may also collect or receive information through special programs, such as clinical trials, that are subject to program-specific privacy notices and/or consent forms that we provide when you participate in those programs. Those notices and/or consent forms explain how any information we collect or receive through those programs will be handled. In those cases, the program-specific privacy notice and/or consent form will govern how we process the information we collect, instead of this Privacy Policy.

For more information on the Personal Information we collect, what, why, and how that Personal Information is processed, and the rights and choices you have in relation to your Personal Information see Privacy Notice  

For additional information which applies specifically to Patients involved in Wave sponsored Clinical Trials see Additional Information for Patients Involved in a Wave Sponsored Clinical Trial 

For additional information which applies specifically to Healthcare Professionals involved in Wave sponsored Clinical Trials see Additional Information for Healthcare Professionals Involved in a Wave Sponsored Clinical Trial 

For additional information which applies specifically to Partners, Contractors, and Consultants involved in Wave sponsored Clinical Trials see Additional Information for Partners, Contractors, and Consultants Involved in a Wave Sponsored Clinical Trial 

• The Information We Collect and How We Collect It
• How We Use Your Information
• How We Share Your Information
• How We Use Cookies and other Tracking Technologies
• Minors
• Your Choices
• International Data Transfers
• Data Security
• Links to Third-Party Websites
• How to Contact Us
• Wave Entities Covered by this Privacy Policy
• Changes to this Privacy Policy

The types of personal information that Wave collects, including through the Wave Sites and offline, depends on the nature of our relationship with you and the context of your interaction with us. This Section describes the personal information we collect and how we collect it. For purposes of this Privacy Policy, “personal information” means information that identifies you or that could reasonably be used to identify you.

Information You Provide

Wave collects personal information when you voluntarily provide it to us, such as when you submit it through the Wave Sites, email us, communicate with us by phone, or interact with us in person, such as at trade shows, conferences, and investor events. The types of personal information we collect through these methods include:

• contact information such as your name, address, phone number, and email address;
• information about your employment such as your employer, title, and business contact information;
• professional credentials, educational and professional history, institutional and government affiliations, certificates and licenses, background checks, other information included on your resume or curriculum vitae, information about your race and gender that we collect for compliance with government regulations and record-keeping guidelines, your veteran and disability status, and candidate account credentials (including email address and password) that we collect when you inquire about or apply for a job with us;
• health or medical information (such as information about medical conditions, diagnoses, and treatments, genetic information, and family medical history) that you may share with us when we recruit for research, provide patient support and advocacy programs, distribute and market our products, manage expanded access programs, and track adverse event reports;
• information about your preferences regarding communications from Wave; and
• any other information or content that you provide to us when you contact us by email or by phone, complete forms on the Wave Sites, or interact with us in person.

Information We Receive from Third-Party Sources

We may also receive personal information of the types listed above from third-party sources, including your company, government agencies, public records, our service providers and business partners, industry and patient groups and associations, social media or other public forums, and recruiters.

We may combine the information we receive from third-party sources with information that you provide and/or that we collect automatically when you use the Wave Sites.

Information We Collect Automatically through the Wave Sites

We collect certain information automatically when you visit and use the Wave Sites. This information may include the following:

• the Internet Protocol (“IP”) address of your computer, which may reveal your approximate location;
• information that can be used to recognize your device, including information such as your browser type and version;
• the dates and times of your visits to our Sites, the pages you visit, and other information about your interactions with our Sites;
• URLs that refer visitors to our Sites;
• search terms used to reach our Sites; and
• if you use a mobile device to access and use the Sites, mobile-specific information in including: device or advertising ID, device type, hardware type, media access control (“MAC”) address, international mobile equipment identity (“IMEI”), the version of your mobile operating system, the platform used to access or Wave Site (e.g., Apple, Google, Windows), and approximate location information.

We may collect some of this information through tracking technologies such as cookies and web beacons. For more information please see the How We Use Cookies and Other Tracking Technologies section of this Privacy Policy.

Wave uses the information we collect for the following purposes:

• to respond to your inquiries and otherwise communicate with you about our products and services;
• to provide and deliver resources you request, such as webinars, presentations, and publications;
• to offer and provide information, including marketing information, invitations to participate in surveys, or notifications about special programs or promotions regarding our products and services and similar or related products and services;
• to improve, develop, and evaluate our products, services, materials, and programs, and for other related internal business purposes;
• to administer our business, the Sites, and our services consistent with our Terms of Use and applicable laws, rules, regulations and our other legal obligations;
• to develop and execute investor relationship management activities, including the delivery of investor presentations and informational materials;
• to administer and analyze questionnaires, surveys and market research;
• to staff, facilitate, conduct, and manage clinical trials;
• to track and respond to safety and product quality concerns (including product recalls);
• to comply with regulatory monitoring and reporting obligations;
• to facilitate and arrange travel and other logistics for trade shows, conferences, and scientific and other events;
• to monitor user traffic patterns and preferences on the Wave Sites for site improvement, analytics and optimization;
• to make the Wave Sites easier to use and to navigate, and to personalize the content provided on Wave Sites by anticipating the information and services that may be of interest to you;
• to comply with legal or regulatory requirements, judicial process, and our company policies (including due diligence and contracting activities);
• to secure the Wave Sites and protect against, identify, investigate, and respond to fraud, illegal activity (such as incidents of hacking or misuse of the Wave Sites), and claims and other liabilities, including by enforcing our Terms of Use;
• to manage, facilitate, and improve our recruitment activities, including by processing employment applications, evaluating job candidates, and monitoring and analyzing recruitment and hiring statistics;
• to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, including as part of bankruptcy, liquidation, or similar proceeding; and
• any other purpose that you may authorize or direct at the time we collect you personal information.

To accomplish the purposes set out above, we may share your personal information with third parties. We do not sell or rent personal information to third parties for their own marketing purposes. The third parties with whom we may share your personal information include:

• our affiliated companies;
• service providers that perform services on our behalf;
• regulatory authorities, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting;
• business partners with whom we jointly develop products or services;
• physicians, health care providers, and other health care professionals;
• researchers, academics, and public health organizations;
• other third parties as necessary to (a) protect or defend our interests and the legal rights or property; (b) protect the rights, interest and safety and security of the Sites, our organization, or members of the public; (c) protect against fraud, and (d) investigate and prosecute users who engage in behavior that is illegal or harmful to others or to others’ property;
• a buyer or other successor or organization in the event of an actual or potential merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, including as part of bankruptcy, liquidation, or similar proceeding; and
• with such other parties, or for such other purposes, as you may authorize or direct at the time we collect the information.

We may also collect information about your use of Wave Sites through tracking technologies such as cookies and web beacons. A “cookie” is a unique numeric code that is transferred to your computer to track your interests and preferences and to recognize you as a return visitor. A “Web beacon” is a transparent graphic image placed on a Web site, e-mail or advertisement that enables the monitoring of things such as user activity and site traffic. To learn more about cookies and other tracking technologies, including how to disable them, you can visit http://www.allaboutcookies.org/.

We and third-parties with whom we work use cookies and web beacons on the Wave Sites to improve user experience, to help remember your preferences and allow us to bring you the content and features that are likely to be of interest to you, including on the basis of “clickstream” data that shows your previous activities on Wave Sites, and to analyze the use of our Sites and to improve Site functionality.

One of the ways we do this is through the use of Google Analytics. For more information about how Google Analytics uses and processes data, please visit https://www.google.com/policies/privacy/partners/.  In addition to the standard Google Analytics implementation, the Wave Sites may use additional Google Analytics features, including but not limited to Demographics and Interest Reporting, which may collect non-identifiable demographic information, including your age and gender, and your interests. We do not connect identifiable information with non-identifiable information collected through these means.  You may opt out of the collection of this information by visiting: https://tools.google.com/dlpage/gaoptout/.

We and our third-party service providers and business partners may use cookies and web beacons to collect information about your online activities over time and across our Sites and third-party websites or online services third-party websites.

Wave does not knowingly collect or use any personal information directly from children on Wave Sites (Wave defines “children” as minors younger than 18). We do not knowingly collect information from children through the Wave Sites. If you are a parent and believe that your child has provided us with information, please contact us using one of the methods specified below, and we will work with you to address the issue.

We provide you with certain choices regarding your personal information. For example, you can choose not to give us the personal information we request, as described in the “Information You Provide” section of this Privacy Policy. However, in some cases, if you decide not to provide the personal information we request, we will not be able to provide the service or information you requested.

Other examples of your choices include:

• You can browse our website without registering or directly submitting any personal information to us. We may collect some limited information automatically, as described above.
• You can unsubscribe from receiving marketing or other commercial emails by sending an email to [email protected] or by following the instructions included in the marketing emails you receive from us. Please note that even if you opt out of receiving such communications, we may still send you non-marketing communications (such as product safety information).
• You may change your browser settings or take other steps to block, manage, or delete cookies. Our Sites do not currently respond to browser “do not track” signals, so you will need to use your browser settings to effectively manage cookies. In some cases, blocking or disabling cookies may cause our websites and applications not to work as intended and some features may not be available.

The Sites are operated from the United States, and therefore if you are visiting the Sites from a country other than the United States, your interactions with the Sites and with us will necessarily result in the transfer of information across international borders. In addition, information we collect in other contexts may be shared with our affiliates and other third parties that are located in other countries in accordance with this Privacy Policy.

The level of legal protection for Personal Information is not the same in all countries, and the laws in other countries may not provide the same level of protection for personal information as those in your country. By using this Sites and providing your information to us, you understand and agree that your Personal Information will be stored and processed in the United States and in any country to which we may transfer your information in the course of our business operations.

Wave maintains information security safeguards that are reasonably designed to protect your Personal Information from unauthorized access, use, and alteration. Please note however that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee the security of your personal information. PLEASE DO NOT SEND SENSITIVE HEALTH OTHER SIMILAR INFORMATION TO US VIA THE Wave SITES.

Wave Sites may contain links to other third-party websites. These websites are not subject to this Privacy Policy. These websites are not controlled by Wave and Wave is not responsible for their content or their privacy policies, which may differ from ours. We have not reviewed and make no representations about the accuracy of information on third-party websites, or about their information handling practices. Visits you make to these websites are at your own risk, and we encourage you to review their privacy policies.

To contact us with questions or concerns about this Privacy Policy, or to exercise any rights you may have under applicable law, please contact our Privacy Office by emailing us at [email protected]. You may also send a letter to the following address:

Wave Life Sciences USA, Inc.
Attn: Privacy Office
733 Concord Ave.
Cambridge, MA 02138
USA

Wave is committed to resolving your privacy concerns and any complaints. In all communications to Wave, please include your email address, and provide the web site address, mobile application, and/or other context in which we collected your personal information, along with a detailed explanation of your request. We may need to further confirm your identity in order to process certain requests.

This Privacy Policy covers the following Wave entities:

• Wave Life Sciences, Ltd., located at 7 Straits View #12-00, Marina One East Tower, Singapore
• Wave Life Sciences USA, Inc., located at 733 Concord Ave., Cambridge, MA 02138, USA.
• Wave Life Sciences Japan, Inc., located at 2438 Miyanoura-cho Kagoshima-shi Kagoshima pref. 891-1394, Japan
• Wave Life Sciences Ireland Limited, located at 1 Spencer Dock, North Wall Quay Dublin 1, Ireland
• Wave Life Sciences UK Limited, located at 1 Chamberlain Square CS, Birmingham, B3 3AX United Kingdom

We reserve the right to change the terms of this Privacy Policy at any time. Any changes to this Privacy Policy will be reflected on this page with a new effective date. We will continue to use and/or disclose information in accordance with the policy in effect at the time the data was collected. Wave encourages you to review this Privacy Policy regularly for any changes. Your continued use of the Wave Sites after we post changes is deemed to be acceptance to those changes.

Effective 22 June 2022

Wave Life Sciences Ltd. and its affiliated companies, including specifically Wave Life Sciences USA, Inc., Wave Life Sciences UK Limited, Wave Life Sciences Ireland Limited, and Wave Life Sciences Japan, Inc., (collectively, “Wave,” “we,” “us,” and “our”) are committed to respecting your privacy. This Privacy Notice explains how any Personal Information we collect or receive will be handled.  

This Privacy Notice describes the Personal Information we collect, what, why, and how that Personal Information is processed, and the rights and choices you have in relation to your Personal Information.  

For the purpose of this Privacy Notice, Wave will often reference the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) for purposes of the collection and processing of Personal Information in the European Union (“EU”). This reference is intended to include the UK GDPR and UK Data Protection Act for purposes of the collection and processing of Personal Information in the United Kingdom (“UK”).  

As Wave is a global organization, the Personal Information we collect, and process may come from a variety of countries, states, or municipalities. Each location may have its own specific local privacy laws or regulations. For example, to the extent it aligns when it enters into force in September 2023, the Swiss New Act called the Federal Data Protection Act (FDPA) will also be incorporated herein. 

Please note that any companies in China wishing to do business with a Wave entity must comply with the Personal Information Protection Law (PIPL) and should not send any personal information to Wave unless it is necessary to enter into or perform a contract to which the individual is a party. Wave does not wish to receive any Personal Information from individuals residing in China. Contractual performance is the only basis by which Wave processes Personal Information, and it does so in line with the same provisions laid out in this Privacy Notice.  

While there may be slightly different or analogous terms used in each country where Personal Information is collected and/or processed, for the purpose of this Privacy Notice, Wave will use the general terms found in the GDPR, such as Data Controller and Data Processor, for ease of review. 

A Data Controller is an organisation that is responsible for making decisions and setting out the rules for how your information is collected and used by itself and other organisations it works with when processing your personal information. 

Wave is the Data Controller of the personal information provided to us by you (your Personal Information). 

A Data Processor is an organisation that receives your personal information from a Data Controller, but it must follow the rules given to it by the Data Controller. 

Our partners, contractors and consultants may act as a controller or processor depending upon the specific relationship, we have with them.  Through contractual agreements, we ensure the privacy, security, and confidentiality of your personal information. 

At Wave, we recognize the importance of, and are fully committed to protecting the privacy of your Personal Information. 

Wave’s Data Protection Officer (“DPO”) can be contacted at: [email protected]  

• What is Personal Information?
• What Personal Information Do We Collect?
• What is Sensitive Personal Information?
• The Legal Bases for Processing Your Personal Information
• Why We Collect Your Personal Information?
• How Do We Collect Your Personal Information?
• What is Pseudonymization?
• What Do We Do with Your Personal Information?
• Where is Your Personal Information Stored?
• Do We Share Your Personal Information?
• How Long Will We Keep Your Personal Information?
• What are Your Rights?
• How Can You Exercise Your Rights?
• Changes to this Privacy Notice
• Additional Information

Personal Information is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.  

‘Personal Information’ may be defined differently in other countries or regions. The provisions here outline the general practices for processing of Personal Information by Wave.  

Personal Information is any information about you that identifies you or that could reasonably be used to identify you.  Personal information covers obvious information such as your name and contact details, but it may also cover less obvious information.  

Personal Information collected online can come through Wave’s websites, by email, and through other digital services and products Wave may operate.  Such Personal Information can include, for example, the Internet Protocol (“IP”) address of your computer, which may reveal your approximate location.  Wave uses the Personal Information collected for various purposes which may include but are not limited to the following: to respond to your inquiries and otherwise communicate with you about our products and services; to provide and deliver services you request (webinars, presentations, and publications); to offer and provide information; to staff, facilitate, conduct and manage clinical trial; and comply with regulatory monitoring and reporting obligations.    

For further details and more specifics on what Wave collects online and how it is used, and for information on how we use Cookies and other tracking technologies please see our Privacy Policy.  

Personal Information collected by Wave through special programs, such as in connection with our sponsored clinical trials, depends on the context of your interaction with us. For additional information on what Wave collects in connection with our sponsored clinical trials please see “Additional Information.”

The Personal Information we collect depends on the nature of your interaction with Wave. In general, the types of Personal Information we may collect include but are not limited to the following: 

• Name
• Postal and/or email address (personal and/or business) 
• Phone number  
• Date of birth or partial date of birth
• Job title, profession 
• Correspondence, and other personal information relevant to the formation and execution of a contract between you and Wave 
• Adverse events or Complaints and correspondence 
• Data breach notifications and correspondence, if you are acting as a data controller, joint controller, or data processor 
• Information you provide us when you fill in forms or attend events 
• Information about the promotional, scientific and medical activities/interactions you have with us 
• Information collected from you during the course of a clinical trial 

Based on the nature of the interaction, Wave may also collect what is referred to as “sensitive” Personal Information. This type of Personal Information is treated with heightened protection due to the impact disclosure could have on a person’s livelihood, quality of life, and ability to participate in daily activities. For example, with our sponsored clinical trials, Wave would be aware of the disease state of the participants. In general, Wave does not normally collect sensitive PI outside of what is needed for our clinical trials.

The GDPR defines specific types of Personal Information as “Sensitive Personal Information,” which mean any information relating to an individual’s: 

• Race 
• Ethnicity 
• Political opinions 
• Religious or philosophical beliefs 
• Trade union membership 
• Health related data 
• Genetic data 
• Biometric data 
• Sex life 
• Sexual orientation 

Your Personal Information is obtained for the purposes of the interaction with Wave, and is necessary under one or more of the following legal bases: 

1. Consent: You provide your consent to us processing your personal information, having read and understood all the information made available to you. You may withdraw this at any time. Should you choose to provide your consent, you may later withdraw your consent by contacting us as described in the “How to Contact Us” section of Wave’s Privacy Policy. If you have consented to a particular purpose for our use of your personal information, then we may rely on your consent until you withdraw it. Please note that the withdrawal of consent will not affect processing that has already occurred, and may affect our ability to provide products, services, or communications to you that are subject to the relevant consent. 
2. Contract: We need to process personal data to fulfil our obligations under a contract, or enter into a contract, with the data subject. You may not be able to opt-out of this use, or your choice to opt-out may impact our ability to perform a contractual obligation otherwise owed to you. 
3. Legal obligation and Protection of Individuals: We need to process personal data to comply with applicable laws, such as EU law or the national law of an EU country, , as well as to protect you and other individuals from certain harms. 
4. Vital Interests: Where required for vital interests of any individual 
5. Compliance: The processing is necessary for our compliance with a statutory or legal obligation 
6. Legitimate Interest: In certain circumstances the processing information is necessary for Wave’s or a third party’s legitimate interest to process your personal information, consistent with your rights and appropriate to the context, including as necessary: 

• • to develop, administer and support our products and services;  
  • to operate, evaluate and improve our business;  
  • to facilitate and manage clinical trials and other patient advocacy and engagement programs;  
  • to promote scholarly research;  
  • for scientific and statistical research purposes;  
  • for drug safety and risk management purposes;  
  • to conduct business relationships and operations; 
  • to support our recruitment activities;  
  • to facilitate a sale of assets or merger or acquisition; or  
  • as necessary to protect against criminal offenses, and to maintain a safe workplace for staff.  

In these situations, we would take into account and balance your rights with our interests. 

Under the GDPR, or other applicable privacy laws, a legal basis for collecting and using personal information should exist (for a list of these bases see The Legal Bases for Processing Your Personal Information). The legal basis may be because the data is necessary for our performance of a contract with you or one of our clients, because you have consented to our use of your personal information, because it is in our legitimate business interests to use it, or for another legal basis.  

For example: 

• Conduct our business operations: responding to questions and comments, presenting at conferences and authoring publications, managing our collaboration and payments,  managing data where international or business travel is required for education or consultancy, advising on activities involving HCPs, Health Care Organizations (HCOs), Partners, Contractors and Consultants, patient organisations, individual patients and clinical studies organizations and providing HCPs and Partners, Contractors and Consultants with literature required to decide on treatment, and other commercial activities such as but not limited to the provision of scientific information. 
• Comply with legal, regulatory, industry best practices and ethical obligations: reporting of interactions with HCPs, Partners, Contractors & Consultants for transparency purposes, enforcing our Terms of Use or other legal rights; complying with applicable laws, regulations and requests from governmental agencies e.g., complying with industry standards and our policies. 
• Communications in the context of business operations: communications with the individuals, entities, and institutions in the context of the business activity. 
• Conduct security and fraud detection and prevention: to ensure security and confidentiality of your data, ensuring a safe environment at our facilities or networks. 
• Any other purpose that is relevant in the relationship between Wave and you. 

We will process information for further compatible purposes, where lawful to do so (such as for archiving, scientific or market research purposes) or when legally obliged to do so (such as reporting information for Wave’s risk management and drug safety obligations).

You provide it to us when you: 

• Use our website; 
• Provide it to us directly (email, phone, conversation); 
• Participate in a Wave sponsored clinical trial or other Wave sponsored special program; or 
• Through your doctors or healthcare providers, who provide it to us under your explicit and unambiguous consent via pseudonymization.  

Pseudonymization is a safeguard, where Personal Information or any information which could be used to identify an individual, is replaced with a pseudonym, or, in other words, a code which does not allow the individual to be directly identified. Pseudonymization makes it almost impossible to identify the Personal Information without the necessary key. A “key” is the link between the pseudonymized or coded information and the identifiable Personal Information. The sender retains the key, to help prevent reidentification of pseudonymized information or data.

Your personal information is processed by us or by one or more organisations acting on our behalf.  

We use appropriate technical and organisational measures to protect your Personal Information. When handling the information of HCPs, we take reasonable steps to protect it from loss, misuse, unauthorised access, disclosure, alteration, or destruction. 

We may store or transfer some or all of your Personal Information to countries that are not part of the European Union (including the EEA Member States Norway, Iceland, and Liechtenstein). These are known as “third countries” and may not have data protection laws that are as strong as those in the EU. This means that we will take additional steps in order to ensure that your personal information is treated just as safely and securely as it would be within the EU and under the GDPR. 

The confidentiality, privacy and security of your personal information is essential to us, and to protect your data, we take a number of important measures, including the following: 

• We obtain guarantees from organisations we use to process your personal information; we check that safeguards are in place, that include technical and organizational security of the processing for example storage, transfers  
• Where we process your information, we ensure that: 
  • All personal information is stored on secure databases with adequate protection and backup capabilities. We may use third-party providers for storage and have data protection agreements with them. 
  • Secure databases are accessed via our personnel or our third-party providers using authorised secure access employing usernames, passwords, and variable privilege rights. 
• Where paper records are created or obtained, we ensure that they are kept secure, and not accessed by unauthorised individuals. 

If any of your personal information is required by a third party, we will take steps to ensure that your personal information is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law. 

We may store in or transfer to some or all your personal information to countries that are not part of the EU. These countries may not have data protection laws that are as strong as those in the EU. This means that we will take additional steps to ensure that your personal information is treated just as safely and securely as it would be within the EU. 

We disclose individual information where this is reasonably required to pursue our legitimate business objectives and as required by law. Information will be disclosed only in accordance with applicable laws, and appropriate safeguards will be established, where possible, to protect your information. We may disclose information within Wave and our worldwide affiliates. 

In order to conduct our business, we may also disclose information to third parties such as public/regulatory authorities/governmental bodies (government, including social and benefits departments), third parties that provide services to us (such as conducting audits, IT services, assisting in our clinical trials and studies or health care compliance activities), business partners and collaborators (such as external scientists). 

If Wave or substantially all of our assets are acquired by a third party, personal information held by us about individuals will be included as transferred assets. 

We may also disclose information to enforce any agreements we have with you or to protect our rights or the rights, property or safety of our employees, patients or others (e.g., visitors to Wave premises). 

We will not keep your personal information for any longer than is necessary consistent with the reason(s) for which it was first collected. 

Under the GDPR, you have the following rights, which we will always work to uphold: 

1. The right to be informed about our collection and use of your personal information. This Privacy Notice should tell you everything you need to know. 
2. The right to access the personal information we hold about you. 
3. The right to have your personal information rectified if any of your personal information held by us is inaccurate or incomplete. 
4. The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your personal information that we have. 
5. The right to restrict (i.e., prevent) the processing of your personal information. 
6. The right to object to us using your personal information for a particular purpose or purposes. 
7. The right to data portability. This means that, if you have provided personal information to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal information to re-use with another service or business in many cases. 
8. Rights relating to automated decision-making and profiling. We do not use your personal information in this way. 
9. The right to withdraw your consent at any time where we rely on your consent to use your personal information.  

If you have a complaint, we would like to have the opportunity to address it first, this does not stop you from making a complaint to the Data Protection Supervisory Authority.  

Further information about your rights can also be obtained from your national Data Protection Supervisory Authority or the Supervisory Authority in the country in the EU where Wave’s or the Data Protection Officer are based. A list can be found here: https://ec.europa.eu/digital-single-market/en/news/list-personal-data-protection-competent-authorities. 

We may refuse to comply with your rights where the rights of other persons would be violated, where any other legal exemptions may apply, where your request is not legitimate or applicable, or where it is not in our legitimate interests to the extent allowed by the data protection laws applicable in the EU and your country. If we refuse to comply, we will explain to you our reasons for doing so. 

We would encourage you to exhaust our complaints processes, however if you still feel that your personal information has not been handled appropriately according to the law, you can contact a Supervisory Authority and file a complaint with them. 

To exercise your rights, please contact us using the information provided in the “How to Contact Us” section of Wave’s Privacy Policy.

If you want to know what personal information, we have about you, you can ask us for details of that personal information and for a copy of it (if any such personal information is held). This is known as a “subject access request”. 

All subject access and other rights requests should be made in writing and sent to the Data Protection Officer at [email protected]. You can request a form from us to help make your request. 

There is not normally any charge for a subject access and other rights requests. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding. 

We will endeavor to respond to your subject access request within one month of receiving it. In some cases, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress. 

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal information protection. Modifications will be posted on Wave’s website, so please check back. 

If there are any changes to the purposes for which we have obtained your personal information, or the legal basis used, we will contact you. The changes shall be explained to you, and your agreement or disagreement obtained. 

If you are a (i) Patient involved in a Wave sponsored clinical trial; (ii) a Healthcare Professional involved in a Wave sponsored clinical trial; or (iii) a Partner, Contractor or Consultant involved in a Wave sponsored clinical trial, click one of the links below to learn more about Data Privacy. 

For additional information which applies specifically to Patients involved in Wave sponsored Clinical Trials see Additional Information for Patients Involved in a Wave Sponsored Clinical Trial 

For additional information which applies specifically to Healthcare Professionals involved in Wave sponsored Clinical Trials see Additional Information for Healthcare Professionals Involved in a Wave Sponsored Clinical Trial 

For additional information which applies specifically to Partners, Contractors, and Consultants involved in Wave sponsored Clinical Trials see Additional Information for Partners, Contractors, and Consultants Involved in a Wave Sponsored Clinical Trial 

Effective 22 June 2022 

In addition to the information found in the Privacy Notice, the following additional information applies specifically to patients involved in Wave’s Clinical Trials.  

While the information contained both here and in the Privacy Notice outlines the general practices and policies of Wave in relation to the processing of Personal Information, it is subordinate to the Informed Consent Form you signed as part of your enrollment in the Wave Sponsored Clinical Trial. This means that the Informed Consent Form is your primary reference for how Personal Information is processed in the Wave Sponsored Clinical Trial.

As part of participating in a Wave Sponsored Clinical Trial, you were required to sign an Informed Consent Form or ICF. The name of this document may be slightly different. For any questions on the ICF please consult the study doctor or site administrator. 

In general, the types of Personal Information collected in a Wave Sponsored Clinical Trial, may include the following: 

• Year of birth; gender, ethnicity 
• Sensitive healthcare information 

For specifics on the Personal Information to be collected in the Wave Sponsored Clinical Trial for which you are a participant, please refer to the ICF you signed and/or check with your study doctor or site administrator. 

Personal Information collected by Wave as part of a Wave Sponsored Clinical Trial is pseudonymized. That means it is replaced with a pseudonym, or, in other words, a code which does not allow you, the individual, to be directly identified. This process is called pseudonymization. The pseudonymized information is provided to Wave as part of the Wave Sponsored Clinical Trial and the study doctor retains the key to help prevent reidentification of pseudonymized information or data.   

Pseudonymization is a safeguard, where Personal Information or any information which could be used to identify an individual, is coded making it almost impossible to identify the Personal Information without the necessary key. A “key” is the link between the pseudonymized or coded information and the identifiable Personal Information. The sender, the study doctor in the case of Wave Sponsored Clinical Trials, retains the key to help prevent reidentification of pseudonymized information or data. 

While the information contained both here and in the Privacy Notice outlines the general practices and policies of Wave in relation to the processing of Personal Information, it is subordinate to the Informed Consent Form you signed as part of your enrollment in the Wave Sponsored Clinical Trial.   

We will not share any of your Personal Information, including pseudonymized information, provided to use directly or indirectly with any unauthorized third parties for any other purposes, subject to the following exceptions: 

• In some limited circumstances, we may be legally required to share certain personal information if we are involved in legal proceedings or when complying with legal obligations, a court order, or the instructions of a government authority. 
• We may sometimes contract with the third parties to supply hosted secure database services to us.  In some cases, those third parties may require limited access to some of your personal information for the purpose of maintaining that information in the database. 
• We have obtained your explicit and unambiguous consent.   

The Personal Data we collect from you may also be processed, accessed, or stored in a country outside the country where Personal Data was initially collected, which may not offer the same level of protection of Personal Data, including the US. If we transfer your Personal Data in other jurisdictions, we will make sure to protect your Personal Data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the  country where Personal Data was initially collected, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the “EEA”), or in the UK or Switzerland, unless otherwise specified, only transferring your Personal Data on the basis of the European Commission Standard Contractual Clauses, or another legal mechanism, as applicable. You may request additional information in relation to international transfers of Personal Data and obtain a copy of the adequate safeguard put in place by exercising your rights as described below. 

For intra-group transfers of Personal Data, the Wave has adopted Standard Contractual Clauses, or another equivalent legal mechanism as applicable, in an effort to ensure effective levels of data protection relating to transfers of Personal Data outside the EEA, Switzerland and UK.  

We may retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, to adhere to our policies, and for any period as legally required or permitted by applicable law. Under international and national regulations governing the research and development of medicines, we are required to keep your personal information and study coded information for the required period of time in your country (in general that is usually up to 25 years) after the end of the clinical trial and according to our Data Retention Policy. After this period, your personal information will be irreversibly destroyed or retained for a further period if required by law. Please refer to the Informed Consent Form for further details.  

Please remember that when your personal information is pseudonymized we cannot identify you directly.  Therefore, we recommend you contact your study doctor or healthcare institution if you wish to exercise the following rights. 

You can ask us to confirm that we are processing your personal information, and to request access to that personal information including to check its accuracy and to ask us to amend any inaccurate data.  

You may also ask us to restrict processing or object to the processing of your personal information. However, in a clinical trial, should you withdraw your consent to future processing, this would make it impossible for you to continue in the study. In addition, although you have the right to withdraw your consent at any time, this will not affect the lawfulness of us processing your personal information collected before your withdrawal. 

Where we process your personal information under our legitimate interests, your right to erasure is limited by our legitimate interest to continue the processing, our legal obligations, our public interest (public health – high standards of quality and safety of health care and of medicinal products, or medical devices), scientific research, historical research, or statistical purposes, or for the establishment, exercise or defence of legal claims. 

You can request that your personal information is provided to you or directly transmitted to another data controller nominated by you. This will be done in structured, commonly used, and machine-readable format. However, if we cannot retrieve your personal information because we cannot identify you directly or where it may infringe the privacy rights of other clinical trial subjects, we may refuse your request. 

We will provide you with a response to your request within 30 days upon receipt of your request and having verified your identity. Should there be any delay we will inform you within one month of the request; if appropriate we can extend this period by two further months, and we shall explain our reasons for doing so.  

In addition to the information found in the Privacy Notice and Informed Consent Form, the following additional information applies specifically to patients involved in Wave sponsored Clinical Trials. 

Wave has appointed DataRep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Rrea (EER), so that Wave’s customers can always raise the questions they want with them. 

If you want to raise a question to Wave, or otherwise exercise your rights in respect of your personal data, you may do so by: 

• sending an email to DataRep at [email protected] quoting <Wave Life Sciences> in the subject line, 
• contacting us on our online webform at www.datarep.com/wavelifesci, or 
• mailing your inquiry to Data Rep at the most convenient of their addresses. 

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Wave Life Sciences’, or your inquiry may not reach us. Please refer clearly to Wave Life Sciences in your correspondence. On receiving your correspondence, Wave Life Sciences is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you. 

If you have any concerns over how Data Rep will handle the personal data, we will require to undertake our services, please refer to our privacy notice at www.datarep.com/privacy-policy. 

Effective 22 June 2022 

In addition to the information found in the Privacy Notice, the following additional information applies specifically to Healthcare Professionals involved in Wave sponsored Clinical Trials.  

While the information contained both here and in the Privacy Notice outlines the general practices and policies of Wave in relation to the processing of Personal Information, it is subordinate to the Consent Form you signed as part of your involvement in the Wave Sponsored Clinical Trial. 

As a healthcare professional participating in a clinical trial sponsored by Wave, we may collect some or all of the additional following personal information as a result of your participation: 

• General information which can include photographs, digital imagery and sound recordings, payment-related information, government issued identification (e.g., driving license, passport, tax identification number). 
• Professional information which can include educational information, professional qualifications, prescribing history, work experience, medical/professional licenses, curriculum vitae (CV) networks and affiliates, programs and activities participated in, publications authored or co-authored, awards, board memberships, professional conferences and events, and employment status. 
• Assessment information: such as internal assessments, feedback and evaluations, classifications or performance ratings of your professional activities and outcomes. 
• Financial information: such as your bank details so that we can pay you for your expenses, or other compensation, this could include collecting information to validate or make claims for any required insurances. 
• Financial disclosure information to comply with 21 CFR Part 54. 

The above Personal Data will be processed for the following purposes: 

• to conduct clinical trials in accordance with GCP and applicable laws, 
• to support applications for marketing approval of any Drug studied under a clinical trial (“Study Drug”), 
• to support applications to vary the terms of any marketing approval granted in respect of a Study Drug,  
• to comply with the conditions of any marketing approval granted in respect of Study Drug, 
• to carry out research related to the development of pharmaceutical products, diagnostics or medical aids, 
• to comply with Financial Disclosure regulations, which are intended to ensure that financial interests and arrangements of clinical investigators that could affect the reliability of data that is submitted to the applicable governing regulatory authority are identified and disclosed to that regulatory authority, and 
• to contact you for further research projects. 

If applicable to a Study, your Personal Data (name and contact information) may be incorporated in subject recruitment advertisements (print media or on Internet). Any such advertisement would be approved by the Ethical Committee where required before it is made public. 

We will not sell, share, or otherwise transfer your Personal Data to third parties other than those indicated in this Privacy Notice. In the course of our activities and for the purposes listed in this Privacy Notice, your Personal Data can be accessed by, or transferred to the following categories of recipients, on a need-to-know basis to achieve such purposes:  

• Wave,  
• our personnel (including personnel, departments, or other Wave entities), 
• our Contract Research Organisations, 
• our independent agents or brokers (if any), 
• our suppliers and services providers that provide services and products to us, 
• our partners in the context of consortia or industry initiatives 
• our IT systems providers, cloud service providers, database providers and consultants, 
• our business partners who offer products or services jointly with us or with our subsidiaries or affiliates, 
• any third party to whom we assign or novate any of our rights or obligations, 
• our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets. 

The above third parties are contractually obliged to protect the confidentiality and security of your Personal Data in compliance with applicable law.  

Your Personal Data can also be accessed by or transferred to any national and/or international regulatory body, or Ethics Committee where necessary in order to fulfill the purposes outlined above. 

The Personal Data we collect from you may also be processed, accessed or stored in a country outside the country where Personal Data was initially collected, which may not offer the same level of protection of Personal Data, including the US. If we transfer your Personal Data in other jurisdictions, we will make sure to protect your Personal Data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the  country where Personal Data was initially collected, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the “EEA”), or in the UK or Switzerland, unless otherwise specified, only transferring your Personal Data on the basis of the European Commission Standard Contractual Clauses, or another legal mechanism, as applicable. You may request additional information in relation to international transfers of Personal Data and obtain a copy of the adequate safeguard put in place by exercising your rights as described below. 

For intra-group transfers of Personal Data, the Wave has adopted Standard Contractual Clauses, or another equivalent legal mechanism as applicable, in an effort to ensure effective levels of data protection relating to transfers of Personal Data outside the EEA, Switzerland and UK.

Unless we need to retain the data longer to comply with legal or regulatory requirements, or per your consent, Wave will retain your Personal Data for as long as required by local laws or regulations. For example, as part of the CSR, Wave would need to maintain this record in our TMF in compliance with country specific laws and regulations (for the majority of countries that would be for an additional 15-25 years). Furthermore, some of your Personal Data may be contained in Wave’s project management records, which we eventually archive and retain on an on-going basis. Wave and certain other third parties who receive your Personal Data as described above may retain your data for longer or shorter periods. 

In addition to the information found in the Privacy Notice and any agreements with Wave, the following additional information applies specifically to healthcare professionals involved in Wave sponsored Clinical Trials. 

Wave has appointed DataRep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Rrea (EER), so that Wave’s customers can always raise the questions they want with them. 

If you want to raise a question to Wave, or otherwise exercise your rights in respect of your personal data, you may do so by: 

• sending an email to DataRep at [email protected] quoting <Wave Life Sciences> in the subject line, 
• contacting us on our online webform at www.datarep.com/wavelifesci, or 
• mailing your inquiry to Data Rep at the most convenient of their addresses. 

 PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Wave Life Sciences’, or your inquiry may not reach us. Please refer clearly to Wave Life Sciences in your correspondence. On receiving your correspondence, Wave Life Sciences is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you. 

If you have any concerns over how Data Rep will handle the personal data, we will require to undertake our services, please refer to our privacy notice at www.datarep.com/privacy-policy. 

Effective 22 June 2022 

In addition to the information found in the Privacy Notice, the following additional information applies specifically to Wave’s Partners, Contractors and Consultants involved in Wave’s Clinical Trials.  

As a partner, contractor, or consultant with whom we have a business relationship, we may collect some or all of the additional following personal information from you directly, or indirectly through our partners, contractors, or consultants (that is the legal entity you work for) for the purposes of a clinical trial: 

• qualifications,  
• information contained in any CV you provide to us, as applicable,  
• Financial information, such for payments, and insurance, e.g., bank details, 
• Emergency communications in relation to, for example, staff, workers, 
• Electronic identification information (e.g., unique identifiers, logins, passwords, cookies, CCTV, logs, identity cards) through systems for the purpose of delivery products or services, 
• previous experience in clinical trials and type of GXP training received, 
• GXP is a general term for current international pharmaceutical requirements that regulated systems are required to comply with, including but not limited to, current Good Clinical Practice (GCP), current Good Laboratory Practice (GLP), current Good Manufacturing Practice (GMP), and current Good Distribution Practice (GDP), and
• financial interests in any of the Wave Life Sciences’ entities, as applicable. 

Personal Information will be processed for the following purposes: 

• to conduct clinical trials in accordance with GXP and applicable laws and regulations, 
• to support applications for marketing approval of any Drug studied under a clinical trial (“Study Drug”), 
• to support applications to vary the terms of any marketing approval granted in respect of a Study Drug,  
• to comply with the conditions of any marketing approval granted in respect of Study Drug,   
• to carry out research related to the development of pharmaceutical products, diagnostics or medical aids, 
• to comply with Financial Disclosure regulations, which are intended to ensure that financial interests and arrangements of clinical investigators that could affect the reliability of data that is submitted to the applicable governing regulatory authority are identified and disclosed to that regulatory authority, and 
• to contact you for future services. 

Wave will not sell, share, or otherwise transfer your Personal Data to third parties other than as indicated here, in your agreement with us, in the Consent Form you signed, or in the Privacy Notice.  

In general, your Personal Data may be accessed by, or transferred to the following categories of recipients, on a need-to-know basis:  

• Wave, 
• our personnel (including personnel, departments, or other Wave Life Sciences’ Affiliates), 
• our Clinical Research Organizations, 
• our sites participating in Wave sponsored clinical trials, 
• our independent agents or brokers (if any), 
• our suppliers and services providers that provide services and products to us, 
• our partners in the context of consortia or industry initiatives, 
• our IT systems providers, cloud service providers, database providers and consultants, 
• our business partners who offer products or services jointly with us or with our subsidiaries or affiliates, 
• any third party to whom we assign or novate any of our rights or obligations, and 
• our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets. 

The above third parties are contractually obliged to protect the confidentiality and security of your Personal Information in compliance with applicable law.  

Your Personal Information may also be accessed by or transferred to any national and/or international regulatory body, or Ethics Committee where necessary in order to fulfill the purposes of our interactions. 

The Personal Data we collect from you may also be processed, accessed, or stored in a country outside the country where Personal Data was initially collected, which may not offer the same level of protection of Personal Data, including the US. If we transfer your Personal Data in other jurisdictions, we will make sure to protect your Personal Data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the  country where Personal Data was initially collected, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the “EEA”), or in the UK or Switzerland, unless otherwise specified, only transferring your Personal Data on the basis of the European Commission Standard Contractual Clauses, or another legal mechanism, as applicable. You may request additional information in relation to international transfers of Personal Data and obtain a copy of the adequate safeguard put in place by exercising your rights as described below. 

For intra-group transfers of Personal Data, the Wave Life Sciences’ entities have adopted Standard Contractual Clauses, or another equivalent legal mechanism as applicable, in an effort to ensure effective levels of data protection relating to transfers of Personal Data outside the EEA, Switzerland and UK.

For personal information obtained from our partners, contractors, and consultants, Wave will generally retain personal information for a period of 10 years after discontinuation of our business relationship with you.