Privacy Policy

Effective January 10, 2023

Karuna Therapeutics (also “Karuna”) recognizes the importance of protecting the privacy of the individuals we interact with through our website, direct contact and our clinical research.

This Privacy Notice describes the practices that we follow at Karuna regarding the personal data we collect, use and disclose for different purposes as well as how we ensure this personal data remains protected from the moment we collect it until we dispose of it. We also discuss what rights you have over your personal data and how to contact us when you have questions or concerns specific to the management of your personal data.

Privacy regulations with which Karuna complies

Karuna is expected to comply with different Privacy and Data Protection Regulations such as the General Data Protection Regulation (“GDPR”) in the EU, The Data Protection Act in the UK (“UK DPA”), and the California Privacy Rights Act of 2020 (“CPRA”) in California.

What is personal data?

Personal data means any information relating to an identified or identifiable individual; this refers to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal data collection and processing at Karuna

We collect and process personal data for different purposes:

  • When you contact us for general inquiries or information about our clinical trials. If you send us an email or you call us directly, we collect personal data from you such as your name, email address, phone number and the reason for your communication. We use this data to respond to your inquiry or provide you with the information that you are looking for when you navigate our website. When you visit our website, we automatically collect your IP address, browser type and the pages that you navigate to. We use information about our website visitors to improve our website usability and experience.
  • Candidates for employment. If you decide to apply for a job with us, we collect your contact information and details related to your professional qualifications. We use this data to determine if your expertise fulfills the requirements of the role you are applying for and to contact you to continue the recruiting process if we believe you are potentially a match for the role.
  • When you attend symposia or conferences where we participate. We will collect your contact information as well as your qualifications. We use this information to answer any questions you may have about Karuna and to keep track of the number of visitors to the symposium or Karuna’s booth.
  • Clinical trials. We do not collect personal data directly from the subjects that participate in our clinical trials. Subject data is collected by the sites that manage the trials that we sponsor. The subject data that we obtain from the sites is pseudonymized, meaning that a subject’s identifiable information is replaced with a code that we cannot link back to that individual.
  • Clinical trial site staff and investigators. We collect personal data from these individuals to review their credentials and ensure they are qualified to perform the work related to the clinical trial.

Legal basis for processing personal data

Karuna only processes personal data if there is a legal basis for processing. The legal bases that we rely on are:

  • Legitimate interest from you. To provide you with the information you request when you contact Karuna or to start the recruitment process if you wish to apply to one of our jobs.
  • Legitimate interest from Karuna. To provide you with a better navigation experience when you visit our website or visit our booths during symposia or conferences.
  • Explicit consent through the Informed Consent Form that clinical trial subjects sign prior to joining a clinical trial.
  • Legal or regulatory obligation. Karuna needs to ensure that the staff and investigators conducting clinical trials on our behalf have the required qualifications.

Personal data disclosure at Karuna

Karuna discloses personal data to the following parties under specific circumstances:

  • To Karuna’s employees in order to fulfill your request.
  • To third-party service providers that support or host our systems or support activities related to clinical trials.
  • To authorities as required by law, court order, legal process or government or regulatory requirement or to protect the safety, rights, or property of the public or Karuna.
  • To an acquirer of all or part of our business, as permitted by applicable law.

Personal data protection

Karuna is committed to protecting the personal data we collect, process and disclose. We maintain appropriate safeguards and take reasonable steps to protect personal data, ensure that we limit its use and disclose it only to the parties that have a legitimate reason to have access to it.

We ensure that all the parties that we disclose personal data to, internal and external to Karuna, have contractual obligations to protect the security and the confidentiality of personal data.

Personal data retention

Karuna retains personal data only for the period of time that is necessary for the purpose for which it was collected.

  • For contact requests, Karuna retains the data for 2 years after the request has been fulfilled.
  • For clinical trials, Karuna will retain personal data for a minimum period of 15 years. This period may be longer depending on legal or regulatory requirements.
  • For job applications we retain candidate’s data for 7 years.
  • For information collected when you visit our website, please refer to Karuna Therapeutics’ Cookie Notice for further information.

Personal data rights

Subject to any exceptions provided by law, Karuna provides individuals with the right to exercise the following requests with respect to their personal data:

  • You have the right to access the personal data that Karuna maintains about you.
  • You have the right to request deletion of your personal data, update or correct your data, object to processing of your data, ask us to restrict processing of your data or request portability of your data. On each particular case we will inform you of the consequences of your request and if there are any exemptions to honoring your request based on legal, regulatory or contractual requirements.
  • If Karuna has collected and processed your personal data based on your explicit consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing Karuna conducted prior to your withdrawal.
  • You have the right to be notified about a data breach that may impact the integrity, availability or confidentiality of your personal data. Refer to our data breach notification section for more details.
  • You have the right to complain to a data protection authority about Karuna’s collection and processing of your personal data. However, we would appreciate if you gave us the opportunity to handle your complaint internally before contacting a data protection authority.

In order to exercise any of the rights you have over your personal data, please download and complete the Subject Access Request (SAR) form and email the completed SAR form to the following email address: privacy@karunatx.com.

EU representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Karuna has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:

Sending an email to privacy@edpo.com.

Using EDPO’s online request form: https://edpo.com/gdpr-data-request/

Writing to EDPO at either: Regus Paris- Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France, or 53-55 Totleben Blvd, Sofia 1060, Bulgaria.

EU individuals: right to lodge a complaint with an EU Supervisory Authority

If you reside in the EU and want to lodge a complaint with a Supervisory Authority (Data Protection Authority) you may do so in the Member State where you reside, where you work or where you may have experienced an issue with the processing of your personal data.

Personal data breach notification

We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Should we learn of a security breach that affects your personal data, we will notify you in order to explain how this breach may affect you and to provide you with any advice on how to protect yourself. We will contact you through the email address we have on file or by posting a notice on our website.

California privacy rights

If you are a California resident, you have additional privacy rights. Visit our California Privacy Notice for more information.

Karuna’s contact information

If you have any further questions about how Karuna collects, uses, discloses or protects your personal data or if you have any questions about this privacy notice, including any requests to exercise your personal data rights, you may contact us at privacy@karunatx.com.

Your personal data will be transferred to systems that reside in the US. The data will be protected and pseudonymized in some cases to ensure that the risks to your privacy are minimized.

Where required, we have implemented Standard Contractual Clauses with the parties that reside in the EU and that will transfer personal data to Karuna in the US.

Personal data transfers

Your personal data will be transferred to systems that reside in the US. The data will be protected and pseudonymized in some cases to ensure that the risks to your privacy are minimized.

Where required, we have implemented Standard Contractual Clauses with the parties that reside in the EU and that will transfer personal data to Karuna in the US.

Karuna’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Karuna remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Karuna proves that it is not responsible for the event giving rise to the damage.

Data Privacy Framework Compliance

Karuna complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Karuna has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Karuna has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over Karuna’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Data Privacy Framework Complaint Resolution Mechanism

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Karuna commits to resolve DPF Principles-related complaints about your privacy and our collection and use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints regarding our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF should first contact Karuna at our Contact Information.

Karuna has further committed to refer unresolved privacy complaints under the DPF Principles concerning our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF to an independent dispute resolution mechanism based in the United States, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Karuna commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-U.S. DPF in the context of the employment relationship.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

If you have any questions about Karuna’s personal data transfers from the EU, UK or Switzerland to the US, you may contact us at privacy@karunatx.com.

California privacy notice

This notice provides information on the privacy rights of California residents as per the California Privacy Rights Act of 2020 (“CPRA”).

Categories of collected personal information

Karuna collects and uses the following categories of personal information.

Karuna collects and uses the following categories of personal information.

Category Examples
Identifiers Name, email address
Demographic Age, gender, ethnic origin
Health Medical history
Professional or work-related experience Current and past job history
Online activity Browsing and search history, website navigation and interaction

Karuna collects these categories from the following sources:

  • Directly from the individuals the information is about.
  • Indirectly from the clinical trial sites that run our clinical trials.
  • Indirectly from an individual’s interaction with our website.

Collection, use, and disclosure of personal information

We collect, use and disclose personal information in accordance with the main Privacy Notice sections Personal Data Collection and Processing at Karuna and Personal Data Disclosure at Karuna.

Sale of personal information

Karuna has not sold personal information to third parties during the 12 months prior to the Effective Date of this Privacy Notice, and do not plan to do so without further notice to you (except for a sale in connection with the sale or transfer of the business or our assets).

California privacy rights

Karuna provides California residents with the following privacy rights over their personal information, according to the requirements of CPRA:

  • Right to access. You may request that we provide you a list of the categories of personal information we have collected about you over the last 12 months, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties to whom we disclosed or sold that information.
  • Right to rectify. You may request that we rectify any personal information that we hold about you if you believe it is not accurate. We will ensure that all references to such personal information within our system is updated according to your request.
  • Right to delete. You may request that we delete any personal information that we have collected from you, apart from information that the law allows us to keep. When we respond to your request to delete, we will explain what (if any) information we have kept and why.  The foregoing does not apply to personal information exempted under the CPRA.
  • Right to portability. You may also request that we provide you a copy of the specific pieces of personal information we have collected about you in the past 12 months in an electronic format. You may make a request to know up to two times in a 12-month period, subject to limitations described in the law.  For a list of general categories of information that we have collected and shared in the past 12 months, see the table above.  The foregoing does not apply to personal information exempted under the CPRA.
  • Right to limit disclosure of sensitive information. You have the right to request that we limit the disclosure of your sensitive personal information unless the disclosure is required for the provision of our services to you or for any other regulatory or legal requirements.
  • Right to opt-out of sale of your personal data at any time.
  • Non-discrimination. You have the right to be free from discrimination for exercising your rights to know or delete. We will not deny you products or services, charge you different rates, or give you different discounts because you used any of these rights.

We aim to respond to your requests within the established 45 days from receipt. If we require more time to respond, we will let you know within this period. We will deliver our response by mail or electronically, depending on your preference.

Authorized agent

You may designate an authorized agent to make requests on your behalf.  We will require verification that you did, in fact, authorize the agent.  Unless the law requires otherwise, your authorized agent must provide contact details for you.  We will contact you to confirm that you authorized the agent.  Once you confirm, we will promptly respond to the rights request.

How to exercise your privacy rights

To exercise your privacy rights you may contact us at privacy@karunatx.com. In order to fulfill your request, we may require additional personal information for purposes of verifying your identity. If you make a request through an authorized agent, we may require additional information to verify your authorization of the agent.

Automated decision-making

Karuna does not perform any automated decision-making with the personal information that we collect about you and do not plan to do so without further notice.

 

 

Karuna assumes no responsibility for the information, statements or other content you may encounter on third-party websites.

This site is intended for US Healthcare Providers.