Effective January 10, 2023

Karuna Therapeutics (also “Karuna”) recognizes the importance of protecting the privacy of the individuals we interact with through our website, direct contact and our clinical research.

This Privacy Notice describes the practices that we follow at Karuna regarding the personal data we collect, use and disclose for different purposes as well as how we ensure this personal data remains protected from the moment we collect it until we dispose of it. We also discuss what rights you have over your personal data and how to contact us when you have questions or concerns specific to the management of your personal data.

Privacy regulations with which Karuna complies

Karuna is expected to comply with different Privacy and Data Protection Regulations such as the General Data Protection Regulation (“GDPR”) in the EU, The Data Protection Act in the UK (“UK DPA”), and the California Privacy Rights Act of 2020 (“CPRA”) in California.

What is personal data?

Personal data means any information relating to an identified or identifiable individual; this refers to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal data collection and processing at Karuna

We collect and process personal data for different purposes:

  • When you contact us for general inquiries or information about our clinical trials. If you send us an email or you call us directly, we collect personal data from you such as your name, email address, phone number and the reason for your communication. We use this data to respond to your inquiry or provide you with the information that you are looking for when you navigate our website. When you visit our website, we automatically collect your IP address, browser type and the pages that you navigate to. We use information about our website visitors to improve our website usability and experience.
  • Candidates for employment. If you decide to apply for a job with us, we collect your contact information and details related to your professional qualifications. We use this data to determine if your expertise fulfills the requirements of the role you are applying for and to contact you to continue the recruiting process if we believe you are potentially a match for the role.
  • When you attend symposia or conferences where we participate. We will collect your contact information as well as your qualifications. We use this information to answer any questions you may have about Karuna and to keep track of the number of visitors to the symposium or Karuna’s booth.
  • Clinical trials. We do not collect personal data directly from the subjects that participate in our clinical trials. Subject data is collected by the sites that manage the trials that we sponsor. The subject data that we obtain from the sites is pseudonymized, meaning that a subject’s identifiable information is replaced with a code that we cannot link back to that individual.
  • Clinical trial site staff and investigators. We collect personal data from these individuals to review their credentials and ensure they are qualified to perform the work related to the clinical trial.

Legal basis for processing personal data

Karuna only processes personal data if there is a legal basis for processing. The legal bases that we rely on are:

  • Legitimate interest from you. To provide you with the information you request when you contact Karuna or to start the recruitment process if you wish to apply to one of our jobs.
  • Legitimate interest from Karuna. To provide you with a better navigation experience when you visit our website or visit our booths during symposia or conferences.
  • Explicit consent through the Informed Consent Form that clinical trial subjects sign prior to joining a clinical trial.
  • Legal or regulatory obligation. Karuna needs to ensure that the staff and investigators conducting clinical trials on our behalf have the required qualifications.

Personal data disclosure at Karuna

Karuna discloses personal data to the following parties under specific circumstances:

  • To Karuna’s employees in order to fulfill your request.
  • To third-party service providers that support or host our systems or support activities related to clinical trials.
  • To authorities as required by law, court order, legal process or government or regulatory requirement or to protect the safety, rights, or property of the public or Karuna.
  • To an acquirer of all or part of our business, as permitted by applicable law.

Personal data protection

Karuna is committed to protecting the personal data we collect, process and disclose. We maintain appropriate safeguards and take reasonable steps to protect personal data, ensure that we limit its use and disclose it only to the parties that have a legitimate reason to have access to it.
We ensure that all the parties that we disclose personal data to, internal and external to Karuna, have contractual obligations to protect the security and the confidentiality of personal data.

Personal data retention

Karuna retains personal data only for the period of time that is necessary for the purpose for which it was collected.

  • For contact requests, Karuna retains the data for 2 years after the request has been fulfilled
  • For clinical trials, Karuna will retain personal data for a minimum period of 15 years. This period may be longer depending on legal or regulatory requirements.
  • For job applications we retain candidate’s data for 7 years.
  • For information collected when you visit our website, please refer to Karuna Therapeutics’ Cookie Notice for further information.

Personal data rights

Subject to any exceptions provided by law, Karuna provides individuals with the right to exercise the following requests with respect to their personal data:

  • You have the right to access the personal data that Karuna maintains about you.
  • You have the right to request deletion of your personal data, update or correct your data, object to processing of your data, ask us to restrict processing of your data or request portability of your data. On each particular case we will inform you of the consequences of your request and if there are any exemptions to honoring your request based on legal, regulatory or contractual requirements.
  • If Karuna has collected and processed your personal data based on your explicit consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing Karuna conducted prior to your withdrawal.
  • You have the right to be notified about a data breach that may impact the integrity, availability or confidentiality of your personal data. Refer to our data breach notification section for more details.
  • You have the right to complain to a data protection authority about Karuna’s collection and processing of your personal data. However, we would appreciate if you gave us the opportunity to handle your complaint internally before contacting a data protection authority.

In order to exercise any of the rights you have over your personal data, please download and complete the Subject Access Request (SAR) form and email the completed SAR form to the following email address: privacy@karunatx.com.

EU representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Karuna has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:

Sending an email to privacy@edpo.com

Using EDPO’s online request form: https://edpo.com/gdpr-data-request/

Writing to EDPO at either: Regus Paris- Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France, or 53-55 Totleben Blvd, Sofia 1060, Bulgaria.

EU individuals: right to lodge a complaint with an EU Supervisory Authority

If you reside in the EU and want to lodge a complaint with a Supervisory Authority (Data Protection Authority) you may do so in the Member State where you reside, where you work or where you may have experienced an issue with the processing of your personal data.

Personal data breach notification

We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Should we learn of a security breach that affects your personal data, we will notify you in order to explain how this breach may affect you and to provide you with any advice on how to protect yourself. We will contact you through the email address we have on file or by posting a notice on our website.

California privacy rights

If you are a California resident, you have additional privacy rights. Visit our California Privacy Notice more information.

Karuna’s contact information

If you have any further questions about how Karuna collects, uses, discloses or protects your personal data or if you have any questions about this privacy notice, including any requests to exercise your personal data rights, you may contact us at privacy@karunatx.com.

Personal data transfers

Your personal data will be transferred to systems that reside in the US. The data will be protected and pseudonymized in some cases to ensure that the risks to your privacy are minimized.

We have implemented Standard Contractual Clauses with the parties that reside in the EU and that will transfer personal data to Karuna in the US.

Karuna complies with the EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland. Karuna has certified that it adheres to the Privacy Shield Principles. If there is any conflict between the policies in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshied.gov/list.

With respect to personal data received or transferred pursuant to the EU-US Privacy Shield Framework, Karuna is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Privacy Shield Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to them in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@karunatx.com. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@karunatx.com.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Karuna’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Karuna remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Karuna proves that it is not responsible for the event giving rise to the damage.

On July 16, 2020 the Court of Justice of the European Union issued a judgement declaring the EU-US Privacy Shield framework invalid. Because Karuna is committed to the data protection principles as stated in the GDPR as well as the principles of the EU-US Privacy Shield framework, we will remain an active participant of the framework.

After the ruling from the Court of Justice of the European Union and whenever Karuna performs data transfers from the EU into the US, we will make sure to implement alternative measures that are deemed valid data transfer mechanisms and we will work with partners that follow the appropriate legal, technological and operational frameworks to ensure the validity of data transfers.

If you have any questions about Karuna’s personal data transfers from the EU to the US, you may contact us at privacy@karunatx.com

EU-US – Swiss-U.S. Privacy Shield complaint resolution mechanism

In compliance with the Privacy Shield Principles, Karuna commits to resolving complaints about your privacy and our collection or use of EU, UK, or Swiss personal data transferred to the United States pursuant to EU-US Privacy Shield. European Union, UK, and Swiss individuals with EU-US Privacy Shield inquiries or complaints should first contact Karuna by email at privacy@karunatx.com.

Karuna has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

Karuna commits to cooperate with the EU and UK Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by the EU and UK Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner with regard to human resources data transferred from the EU, UK or Switzerland in the context of the employment relationship.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

California privacy notice

This notice provides information on the privacy rights of California residents as per the California Privacy Rights Act of 2020 (“CPRA”).

Categories of collected personal information

Karuna collects and uses the following categories of personal information.

Karuna collects and uses the following categories of personal information.

Category Examples
Identifiers Name, email address
Demographic Age, gender, ethnic origin
Health Medical history
Professional or work-related experience Current and past job history
Online activity Browsing and search history, website navigation and interaction

Karuna collects these categories from the following sources:

  • Directly from the individuals the information is about.
  • Indirectly from the clinical trial sites that run our clinical trials.
  • Indirectly from an individual’s interaction with our website.

Collection, use, and disclosure of personal information

We collect, use and disclose personal information in accordance with the main Privacy Notice sections Personal Data Collection and Processing at Karuna and Personal Data Disclosure at Karuna.

Sale of personal information

Karuna has not sold personal information to third parties during the 12 months prior to the Effective Date of this Privacy Notice, and do not plan to do so without further notice to you (except for a sale in connection with the sale or transfer of the business or our assets).

California privacy rights

Karuna provides California residents with the following privacy rights over their personal information, according to the requirements of CPRA:

  • Right to access. You may request that we provide you a list of the categories of personal information we have collected about you over the last 12 months, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties to whom we disclosed or sold that information.
  • Right to rectify. You may request that we rectify any personal information that we hold about you if you believe it is not accurate. We will ensure that all references to such personal information within our system is updated according to your request.
  • Right to delete. You may request that we delete any personal information that we have collected from you, apart from information that the law allows us to keep. When we respond to your request to delete, we will explain what (if any) information we have kept and why.  The foregoing does not apply to personal information exempted under the CPRA.
  • Right to portability. You may also request that we provide you a copy of the specific pieces of personal information we have collected about you in the past 12 months in an electronic format. You may make a request to know up to two times in a 12-month period, subject to limitations described in the law.  For a list of general categories of information that we have collected and shared in the past 12 months, see the table above.  The foregoing does not apply to personal information exempted under the CPRA.
  • Right to limit disclosure of sensitive information. You have the right to request that we limit the disclosure of your sensitive personal information unless the disclosure is required for the provision of our services to you or for any other regulatory or legal requirements.
  • Right to opt-out of sale of your personal data at any time.
  • Non-discrimination. You have the right to be free from discrimination for exercising your rights to know or delete. We will not deny you products or services, charge you different rates, or give you different discounts because you used any of these rights.

We aim to respond to your requests within the established 45 days from receipt. If we require more time to respond, we will let you know within this period. We will deliver our response by mail or electronically, depending on your preference.

Authorized agent

You may designate an authorized agent to make requests on your behalf.  We will require verification that you did, in fact, authorize the agent.  Unless the law requires otherwise, your authorized agent must provide contact details for you.  We will contact you to confirm that you authorized the agent.  Once you confirm, we will promptly respond to the rights request.

How to exercise your privacy rights

To exercise your privacy rights you may contact us at privacy@karunatx.com. In order to fulfill your request, we may require additional personal information for purposes of verifying your identity. If you make a request through an authorized agent, we may require additional information to verify your authorization of the agent.

Automated decision-making

Karuna does not perform any automated decision-making with the personal information that we collect about you and do not plan to do so without further notice.