Privacy Policy

1 Introduction

Arrivent Biopharma, Inc. (referred to as “Arrivent”, “We”, “Our” or “Us”), are committed to protecting the privacy and security of your Personal Data.
This Arrivent Privacy Notice applies to you if you are:

  • A service user of this website (https://arrivent.com/);
  • An Arrivent clinical trial participant;
  • A healthcare professional conducting an Arrivent clinical trial;
  • An employee, contractor or other associated party associated with Arrivent or Arrivent’s affiliates;
  • An employee, contractor or other associated party contracted by Arrivent’s Service Providers; or,
  • Any other individual with whom Arrivent may conduct commercial operations.

We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.

2 Definitions

For the purposes of this Arrivent Privacy Notice:

Affiliate means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

Company (referred to as either “Arrivent”, “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Arrivent Biopharma, Inc. 18 Campus Boulevard, Suite 100, Newtown Square, Pennsylvania (PA) 19073-3269.

Cookies are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Data Controller, for the purposes of both UK and EU GDPR, refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data. For the purpose of both UK and EU GDPR, the Company is the Data Controller.

Data Processor, for the purposes of both UK and EU GDPR, refers to the Company’s Service Providers.

Data Protection Legislation, as defined in the Data Protection Legislation section below.

Device means any device that can access the Service such as a computer, a mobile phone, or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual. For the purposes of both UK and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Service refers to the Website, unless otherwise stated.

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of both UK and EU GDPR, Service Providers are considered Data Processors.

Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to the Arrivent website, accessible from https://arrivent.com/

You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

3 Data Protection Legislation

Throughout this document we refer to Data Protection Legislation.

In the United Kingdom (UK), Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the aforementioned legislation.

Where data is processed by a controller or processor established in the European Union (EU) or comprises the data of people in the European Union, it also includes the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’) as well as any local data protection implementation laws. This includes any replacement legislation coming into effect from time to time.
Arrivent Biopharma, Inc. is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated. In certain situations, Arrivent may act as the Data Processor (‘processor’) where we are processing your information upon the instructions of our Affiliates – in these instances our Affiliates act as the Data Controller.

We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how you can contact our DPO, please see the Contact Us section below.

4 The information we collect

We only collect Personal Data that we know we will genuinely use and in accordance with the Data Protection Legislation and/or legislation related to clinical trials, such as the EU Clinical Trial Regulations (EU CTR). The type of Personal Data that we will collect on you will depend on whether you are a clinical trial participant, a healthcare professional, an employee, or a user of this website:

Clinical Trial participant

  • Your name*
  • Your date of birth*
  • Your contact information (telephone number or email address)*
  • Where applicable, the name of your legally authorized representative*
  • Your pseudonymised unique identification number(s)
  • Your health data

Healthcare professional (HCP)

  • Your name
  • Your employment details

Employees of Arrivent or Arrivent’s Service Providers

  • Your name
  • Your date of birth
  • Your contact information (telephone number, email address, or mailing address)
  • Your employment details
  • Where relevant, your pseudonymised unique identification number(s) (e.g., payroll no.)
  • Where relevant, your financial information (e.g., bank information)
  • Where relevant, your Right to Work information (e.g., nationality)
  • Where relevant, your health data (e.g., sick leave information)

Website User

  • Your name
  • Your contact information (email address)
  • Your Contact Us form responses
  • Your Usage Data (e.g., your IP address)
  • Cookies and Tracking Technologies

* This participant identifiable information is collected by Arrivent’s Research Sites, acting on their behalf as Data Processors. This data may be shared with clinicians, health authorities, ethics bodies and other personnel as authorised by Arrivent, but only where Arrivent is legally obligated to provide this data in accordance with Clinical Trial Regulations and other applicable laws. Arrivent will not directly receive participant identifiable information and will not instruct their Data Processors to process or share this information other than where the law requires.

You are under no statutory or contractual requirement or obligation to provide us with your Personal Data; however, we require at least the information above in order for us to deal with you as a Service User in an efficient and effective manner.

5 Cookies, Analytics and Tracking Technologies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.

You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. We use both session and persistent Cookies for the purposes set out below:

Necessary / Essential Cookies Type: Session Cookies Administered by: Us Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

Cookies Policy / Notice Acceptance Cookies Type: Persistent Cookies Administered by: Us Purpose: These Cookies identify if users have accepted the use of cookies on the Website.
Functionality Cookies Type: Persistent Cookies Administered by: Us Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
Tracking and Performance Cookies Type: Persistent Cookies Administered by: Third-Parties Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features, or functionality of the Website to see how our users react to them.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.
You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en.

6 How we use your information

We will only process your Personal Data when the law allows us to do so. We will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.
Under Data Protection Legislation, the lawful bases we rely on for processing your information are:

  • GDPR Article 6(1)(a) – your consent;*
  • GDPR Article 6(1)(b) – We have a contractual obligation;
  • GDPR Article 6(1)(c) – We have a legal obligation;
  • GDPR, Article 6(1)(d) – In order to protect the vital interests of You or a third party;
  • GDPR, Article 6(1)(e) – We have a public interest; or,
  • GDPR, Article 6(1)(f) – We have a legitimate interest.

* Where the lawful basis for processing is Consent, you are able to remove your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.

We may use your information for the following purposes:

Processing Activity Lawful Basis
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Consent, to collect information from you and process your health information in order to conduct a clinical trial Consent
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legitimate Interest, to collect information from you and process your health information in order to conduct a clinical trial Legitimate Interest
Where you are a Health Care Professional (HCP) involved in the planning, delivery, or oversight of Arrivent clinical trials, to collect information from you and process your employment information in order to conduct a clinical trial Legitimate Interest
Where you are an employee of Arrivent, to collect information from you and make available our services to you Contractual Obligation
Where you are an employee of Arrivent’s Service Providers, to collect information from you or your employer and make available our services to your employer Legitimate Interest
Where you are an employee of Arrivent’s Service Providers, to collect information from you and take payment from you, make a Contractual Obligation payment to you, give you a refund or request a refund Contractual Obligation
Where you are an employee of Arrivent’s Service Providers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required Legitimate Interest
To collect information from you and monitor, provide and maintain our Service Legitimate Interest
To contact you following your enquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us Legitimate Interest
To collect your Usage Data in order to power our security measures and services so you can safely access our website and other Services Legitimate Interest
To contact you, where you have provided your contact information, about news and information relating to our Services through service messages Legitimate Interest
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under UK PECR Legitimate Interest
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are a sole trader, partnership or otherwise classified as an individual subscriber and/or the ‘soft opt-in’ does not apply under UK PECR Consent
To retain any accounting information generated during the course of our interaction for statutory accountancy retention periods Legal Obligation
To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims Legal Obligation

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7 Who we might share your information with

We may share your personal data with other organisations in the following circumstances:

  • From time to time, we may need to share your Personal Data with our strategic clinical trial partners, such as Shanghai Allist Pharmaceuticals Co., Ltd;
  • If the law or a public authority says we must share the Personal Data;
  • If we need to share Personal Data in order to establish, exercise or defend our legal rights – this includes providing Personal Data to others for the purposes of detecting and preventing fraud; or
  • From time to time, employ the services of other parties for dealing with certain processes necessary for the operation of our services.

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

  • Syneos Health, Inc. – our Contract Research Organisation (CRO) and EU representative;
  • Our Clinical Trial Data Processors, such as Medidata Solutions, Inc.; and,
  • Our IT Service Providers, such as Microsoft, Inc.

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors who must comply with our Data Processor Agreement.

8 How long we keep your information for

We retain a record of your Personal Data in order to provide you with a high quality and consistent service. We will always retain your Personal Data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary. Arrivent follows a Retention Schedule which outlines how long Arrivent will retain your Personal Data. Arrivent considers the retention period to begin from the point at which Arrivent last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, unless otherwise required by law, your data will be retained for the period specified in the summarised table below and then securely deleted in accordance with our internal policies and procedures.

Purpose Retention Period
Processing data in relation to You as a clinical trial participant 25 years following the conclusion of the clinical trial,
as determined by EU Clinical Trial Regulations (EU-CTRs)
Processing data in relation to You as a Health Care Professional (HCP) involved in the planning, delivery, or oversight of an Arrivent clinical trial 25 years following the conclusion of the clinical trial,
as determined by EU Clinical Trial Regulations (EU-CTRs)
Processing data in relation to You as an employee, contractor or other associated party contracted by Arrivent 6 years following the termination of your employment
Processing data in relation to You as an employee, contractor or other associated party contracted by Arrivent’s Service Providers 6 years following the termination of your employment
Processing data in relation to You as a service user of this website (https://arrivent.com/) 1 year
Processing data in relation to You as any other individual with whom Arrivent may conduct commercial operations 6 years

9 How we keep you updated on our products and services

Where you are a clinical trial participant or a Health Care Professional involved in the planning, delivery, or oversight of an Arrivent clinical trial, we will contact you through Syneos – our Contracted Research Organisation (CRO) where it is necessary to do so.

Where you are an employee of Arrivent, we will contact you through existing Arrivent communication channels, including email, where it is appropriate to do so.
Where you are an employee of Arrivent’s Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we will send you relevant news about our services in a number of ways including by email, but only if we have a Legitimate Interest to do so. Where we do not have a Legitimate Interest, we will not send you marketing communications unless we have asked for your consent.

We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.

All email communications will have an option to unsubscribe and so if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.

10 Giving your reviews and sharing your thoughts

When using our website and other Services, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.

11 Your rights over your information

11.1.1 The right to be informed about our collection and use of personal data;
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

11.1.2 Right to Access Your Personal Data
You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.

If you would like to exercise this right, please Contact Us as set out below.

11.1.3 Right to Rectify Your Personal Data
If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.

If you would like to exercise this right, please Contact Us as set out below.

11.1.4 Right to Erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data.

If you would like to exercise this right, please Contact Us as set out below.

11.1.5 Right to Restrict Processing
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances.

If you would like to exercise this right, please Contact Us as set out below.

11.1.6 Right to Portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

If you would like to exercise this right, please Contact Us as set out below.

11.1.7 Right to Object
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.

If you would like to exercise this right, please Contact Us as set out below.

11.1.8 Rights Related to Automated Decision-Making
You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. Arrivent does not intend to conduct any automated decision-making for your Personal Data.

If you would like to contact us regarding this right, please Contact Us as set out below.

11.1.9 For more information about your privacy rights
In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public

Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below.

You can make a complaint to the ICO, or any other supervisory authority, at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

12 Security

Data security is of great importance to Arrivent. We have put in place appropriate technical and organisational measures to prevent your Personal Data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
  • Implementing access controls to our information technology; and,
  • Deploying appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

Further information on our security measures can be found in Arrivent’s IT Security Policy.

13 International Transfers

Your Personal Data is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction. In particular, when Arrivent shares data with our strategic clinical trials partner – Shanghai Allist Pharmaceuticals Co., Ltd – or certain other Trusted Data Processors, your Personal Data, which will be pseudonymised in any case, would be stored and processed within China and possibly other third countries. Where this occurs, Arrivent will ensure that:

  • the security and confidentiality of your Personal Data is secure at all times;
  • any Data Controller receiving your Personal Data has entered into an agreement with Arrivent which contains standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
  • any Data Processor receiving your Personal Data has entered into an agreement with Arrivent which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.

Where you are based in the UK or EU and we were required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data.

14 What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

15 Contact Us

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:

By email:
By telephone: +4402037971289
By post: The DPO Centre Ltd., 50 Liverpool Street, London, UK, EC2M 7PY

Arrivent’s EU Representative is The DPO Centre, who can be contacted:

By email: eurep@nullarrivent.com By telephone: +34919053074
By post at: Calle Méndez Álvaro 20, Madrid, 28045, Spain

Arrivent’s UK Representative is The DPO Centre, who can be contacted:

By email:
By telephone: +442037971289
By post at: 50 Liverpool Street, London, EC2M 7PR

16 Changes to Our Privacy Notice

Thank you for taking the time to read our Privacy Notice.
We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this Privacy Notice regularly to keep up-to-date.

This Notice was last updated on 2022-11-14.