Privacy Policy

Effective June 3, 2024

Karuna Therapeutics (also “Karuna”) recognizes the importance of protecting the privacy of the individuals we interact with through our website, direct contact and our clinical research.

This Privacy Notice describes the practices that we follow at Karuna regarding the personal data we collect, use and disclose for different purposes as well as how we ensure this personal data remains protected from the moment we collect it until we dispose of it. We also discuss what rights you have over your personal data and how to contact us when you have questions or concerns specific to the management of your personal data.

Privacy regulations with which Karuna complies

Karuna complies with applicable Privacy and Data Protection Regulations, including the General Data Protection Regulation (“GDPR”) in the EU, The Data Protection Act in the UK (“UK DPA”), the Personal Information Protection and Electronic Documents Act in Canada (“PIPEDA”) and the California Privacy Rights Act of 2020 (“CPRA”) in California.

What is personal data?

Personal data means any information relating to an identified or identifiable individual; this refers to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal data collection and processing at Karuna

We collect and process personal data for different purposes:

  • When you contact us for general inquiries or information about our clinical trials. If you send us an email or you call us directly, we collect personal data from you such as your name, email address, phone number and the reason for your communication. We use this data to respond to your inquiry or provide you with the information that you are looking for.
  • When you navigate our website. When you visit our website, we automatically collect your IP address, browser type and the pages that you navigate to. We use information about our website visitors to improve our website usability and experience.
  • When you apply for employment. If you decide to apply for a job with us, we collect your contact information and details related to your professional qualifications. We use this data to determine if your expertise fulfills the requirements of the role you are applying for and to contact you to continue the recruiting process if we believe you are potentially a match for the role.
  • When you attend symposia or conferences where we participate. We will collect your contact information as well as your qualifications if you visit the Karuna booth and also we will collect your contact information from conference organizers if they provide it to us. We use this information to answer any questions you may have about Karuna and to keep track of the number of visitors to the symposium or Karuna’s booth.
  • When you participate in our clinical trials. We do not collect personal data directly from the subjects that participate in our clinical trials. Subject data is collected by the sites [and Karuna’s vendors] that manage the trials that we sponsor. The subject data that we obtain from the sites is pseudonymized, meaning that a subject’s identifiable information is replaced with a code that we cannot link back to that individual.
  • Clinical trial data analysis. We perform analysis on the pseudonymized personal data collected from our clinical trials to determine the efficacy and safety of the investigational treatments that are being tested. This pseudonymized data is also submitted to health regulatory authorities when seeking approval of an investigational treatment.
  • Clinical trial site staff and investigators. We collect personal data from these individuals to review their credentials and ensure they are qualified to perform the work related to the clinical trial.
  • Educational and marketing efforts. We collect personal data including email addresses and online usage data to support our education and marketing activities.

Legal basis for processing personal data

Karuna only processes personal data if there is a legal basis for processing. The legal bases that we rely on are:

  • Legitimate interest from you:
    • To provide you with the information you request when you contact Karuna.
    • To start the recruitment process if you wish to apply to one of our open positions.
    • To provide you with a better navigation experience when you visit our website or visit our booths during symposia or conferences.
  • Legitimate interest from Karuna:
    • To conduct scientific research on the efficacy and safety of our investigational treatments.
    • To submit to regulatory authorities when seeking regulatory approval of our investigational treatments.
  • Explicit consent. Provided through the Informed Consent Form that clinical trial subjects sign prior to joining a clinical trial.
  • Legal obligation. To report any side effects that clinical trial subjects may experience while using the investigational treatments we test through our clinical trials.
  • Legal or regulatory obligation. To enable Karuna to ensure that the staff and investigators conducting clinical trials on our behalf have the required qualifications.

Personal data disclosure at Karuna

Karuna discloses personal data to the following parties under specific circumstances:

  • To Karuna’s employees in order to fulfill your request.
  • To third-party service providers that support or host our systems or support our activities, including the conduct of clinical trials and supporting our education and marketing activities. .
  • To authorities as required by law, court order, legal process or government or regulatory requirement or to protect the safety, rights, or property of the public or Karuna.
  • To a potential acquirer of all or part of our business, as permitted by applicable law.

Personal data protection

Karuna is committed to protecting the personal data we collect, process and disclose. We maintain appropriate safeguards and take reasonable steps to protect personal data, ensure that we limit its use and disclose it only to the parties that have a legitimate reason to have access to it.

We ensure that all parties that we disclose personal data to, whether internal or external to Karuna, have contractual obligations to protect the security and confidentiality of personal data.

Personal data retention

Karuna retains personal data only for the period of time that is necessary for the purpose for which it was collected.

  • For contact requests, Karuna retains the data for 2 years after the request has been fulfilled.
  • For clinical trials, Karuna will retain pseudonymized personal data for a minimum period of 15 years. This period may be longer depending on legal or regulatory requirements.
  • For job applications Karuna retains candidates’ data for 7 years.
  • For data related to education and marketing activities, we retain personal data for 7 years.
  • For information collected when you visit our website, please refer to Karuna Therapeutics’ Cookie Notice for further information.

Personal data rights

Subject to any exceptions provided by law, Karuna provides individuals with the right to exercise the following requests with respect to their personal data:

  • You have the right to access the personal data that Karuna maintains about you.
  • You have the right to request deletion of your personal data, update or correct your data, object to processing of your data, ask Karuna to restrict processing of your data or request portability of your data. In each particular case we will inform you of the implications of your request and if there are any exemptions to honoring your request based on legal, regulatory or contractual requirements.
  • If Karuna has collected and processed your personal data based on your explicit consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing Karuna conducted prior to your withdrawal.
  • You have the right to be notified about a data breach that may impact the integrity, availability or confidentiality of your personal data. Refer to our data breach notification section for more details.
  • You have the right to submit a complaint to a data protection authority about Karuna’s collection and processing of your personal data. However, we would appreciate if you gave us the opportunity to handle your complaint internally before contacting a data protection authority.

In order to exercise any of the rights you have over your personal data, please download and complete the Subject Access Request (SAR) form and email the completed SAR form to the following email address: privacy@karunatx.com.

EU Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Karuna has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:

Using EDPO’s online request form: https://edpo.com/gdpr-data-request/

Writing to EDPO at either: Regus Paris- Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France, or 53-55 Totleben Blvd, Sofia 1060, Bulgaria.

UK Representative

Pursuant to Article 27 of the UK GDPR, Karuna Therapeutics, Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR by:

Using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/

Writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

FADP Article 14 Swiss Representative

Pursuant to Article 14 of the FADP, Karuna Therapeutics, Inc. has appointed EDPO Switzerland as its Representative in Switzerland. You can contact EDPO Switzerland regarding matters pertaining to the FADP by:

Using EDPO Switzerland’s online request form: https://edpo.com/swiss-data-request/

Writing to EDPO Switzerland at Rue de Lausanne 37, 1201 Geneva, Switzerland

EU, UK and Swiss Individuals: Right to lodge a complaint with an EU, UK or Swiss Supervisory Authority

If you reside in the EU, UK or Switzerland and want to lodge a complaint with a Supervisory Authority (Data Protection Authority), you may do so in the EU Member State or country where you reside, where you work or where you may have experienced an issue with the processing of your personal data.

Personal data breach notification

We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Should we learn of a security breach that affects your personal data, we will notify you in order to explain how this breach may affect you and to provide you with advice on how to protect yourself. We will contact you through the email address we have on file or by posting a notice on our website.

California Privacy Rights

If you are a California resident, you have additional privacy rights. Visit our California Privacy Notice for more information.

Karuna’s contact information

If you have any further questions about how Karuna collects, uses, discloses or protects your personal data, or if you have any questions about this privacy notice, including any requests to exercise your personal data rights, you may contact us at privacy@karunatx.com.

Personal data transfers

Your personal data will be transferred to systems that reside in the US. The data will be protected and pseudonymized in some cases to ensure that the risks to your privacy are minimized.

Where required, we have implemented Standard Contractual Clauses with parties that reside in the EU that will transfer personal data to Karuna in the US.

Data Privacy Framework Compliance

Karuna complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Karuna has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Karuna has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over Karuna’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Data Privacy Framework Complaint Resolution Mechanism

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Karuna commits to resolve DPF Principles-related complaints about your privacy and our collection and use of your personal information transferred to the United States pursuant to the DPF Principles.  European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints regarding our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF should first contact Karuna at privacy@karunatx.com.

Karuna has further committed to refer unresolved privacy complaints under the DPF Principles concerning our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF to an independent dispute resolution mechanism based in the United States, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers  for more information and to file a complaint. This service is provided free of charge to you.

If your complaint involves human resources data transferred to the United States from the European Union, [the United Kingdom, or Switzerland] in the context of the employment relationship, and Karuna does not address it satisfactorily, Karuna commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), [the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner, as applicable] and to comply with the advice given by the DPA panel [ICO, or FDPIC, as applicable] with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction.  Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

In compliance with the EU-US Data Privacy Framework Principles, the UK Extension to the EU-US DPF and the Swiss-US DPF, Karuna  commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-U.S. DPF in the context of the employment relationship.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Onward Transfers to Third Parties

Karuna’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Karuna  remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Karuna proves that it is not responsible for the event giving rise to the damage.

Choices and Rights Over Your Personal Data

Pursuant to the Data Privacy Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to privacy@karunatx.com. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@karunatx.com.

 

 

California Privacy Notice

This notice provides information on the privacy rights of California residents as per the California Consumer Privacy Rights Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).

Categories of Collected Personal Information

Karuna collects and uses the following categories of personal information.

Category Examples
Identifiers Name, email address
Demographic Age, gender, ethnic origin
Health Medical history
Professional or work-related experience Current and past job history
Online activity Browsing and search history, website navigation and interaction

Karuna collects these categories from the following sources:

  • Directly from the individuals the information is about.
  • Indirectly from the clinical trial sites that run our clinical trials.
  • Indirectly from an individual’s interaction with our website.

Collection, Use and Disclosure of Personal Information

We collect, use and disclose personal information in accordance with the main Privacy Notice sections under the headings “Personal Data Collection and Processing at Karuna” and “Personal Data Disclosure at Karuna.”

Sale of Personal Information

Karuna performs marketing campaigns where personal information is shared with Karuna third party vendors that is considered sale of personal information under CCPA/CPRA. If you want to opt-out of the sale of your Personal Information, may contact us at privacy@karunatx.com.

California Privacy Rights

Karuna provides California residents with the following privacy rights over their personal information, according to the requirements of CCPA and CPRA:

  • Right to access. You may request that we provide you a list of the categories of personal information we have collected about you over the last 12 months, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties to whom we disclosed or sold that information.
  • Right to rectify. You may request that we rectify any personal information that we hold about you if you believe it is not accurate. We will ensure that all references to such personal information within our systems is updated according to your request.
  • Right to delete. You may request that we delete any personal information that we have collected from you, apart from information that the law allows us to keep. When we respond to your request to delete, we will explain what (if any) information we have kept and why.  The foregoing does not apply to personal information exempted under the CCPA or CPRA.
  • Right to portability. You may also request that we provide you a copy of the specific pieces of personal information we have collected about you in the past 12 months in an electronic format. You may make a request to know up to two times in a 12-month period, subject to limitations described in the law.  For a list of general categories of information that we have collected and shared in the past 12 months, see the table above.  The foregoing does not apply to personal information exempted under the CCPA or CPRA.
  • Right to limit disclosure of sensitive information. You have the right to request that we limit the disclosure of your sensitive personal information unless the disclosure is required for the provision of our services to you or for any other regulatory or legal requirements.
  • Right to opt-out of sale of your personal data at any time.
  • Non-discrimination. You have the right to be free from discrimination for exercising your rights to know or delete. We will not deny you products or services, charge you different rates, or give you different discounts because you used any of these rights.

We aim to respond to your requests within 45 days from receipt. If we require more time to respond, we will let you know within this period. We will deliver our response by mail or electronically, depending on your preference.

Authorized Agent

You may designate an authorized agent to make requests on your behalf.  We will require verification that you did, in fact, authorize the agent.  Unless the law requires otherwise, your authorized agent must provide contact details for you.  We will contact you to confirm that you authorized the agent.  Once you confirm, we will promptly respond to the rights request.

How to Exercise Your Privacy Rights

To exercise your privacy rights you may contact us at privacy@karunatx.com. In order to fulfill your request, we may require additional personal information for purposes of verifying your identity. If you make a request through an authorized agent, we may require additional information to verify your authorization of the agent.

Automated Decision-Making

Karuna does not perform any automated decision-making with the personal information that we collect about you and does not plan to do so without further notice.

Karuna assumes no responsibility for the information, statements or other content you may encounter on third-party websites.

This site is intended for US Healthcare Providers.