Privacy Policy

INTRODUCTION
Rhythm Pharmaceuticals, Inc. and its affiliates and subsidiaries (collectively, Rhythm,” “we,” “our,” or “us”) has created this privacy statement (“Privacy Policy”) to describe how we collect, use, and disclose personal information, meaning information about you that is personally identifiable, as you interact with us online through rhythmtx.com, geneticobesity.com, and all other Rhythm websites and applications that link to this policy (collectively, the “Online Services”) or that you provide to us through other means. By using the Online Services, you consent to the processing of your information as described in this Privacy Policy. Your use of the Online Services is governed at all times by the Rhythm Terms of Use.

INFORMATION WE COLLECT
Information You Provide. We and our service providers may collect any information that you provide when you use the Online Services or otherwise interact with us, including when you contact us with questions or requests for information or submit information to participate in a study or research initiative or use social media to interact with us, or to share something from our Online Services with others. The information that you provide us may include, but is not limited to:
(a) your name, phone number, email address, physical address, and other contact information;
(b) symptoms, diagnoses, and other information to help assess the prevalence, impact, and progression of certain medical conditions, and/or your eligibility, or that of someone for whom you provide care, for participation in a study or research initiative; and
(c) other information you provide when you contact us, including any health-related information.

Information Automatically Collected. We and our authorized service providers may automatically collect certain technical information over time and across different websites about your use of the Online Services, such as your Internet Protocol address or other device identifier, browser type, operating system, the pages you view on the Online Services, the pages you view immediately before and after you access the Online Services, your movement between different Rhythm websites, and the search terms you enter on the Online Services. This information allows us to recognize you and personalize your experience, and to improve the Online Services and the services and information we provide. We and our service providers may collect this information using “cookies,” which are small text files that the Online Services save on your computer using your web browser, or similar technologies. Please see “Your Choices,” below, for more information.

Information We Receive From Third Parties. We may combine the information we collect from you with information that we receive about you from other sources, such as public databases, providers of demographic information, joint marketing partners, social media platforms, and other third parties.

Recruitment and Job Applications. You may provide us with personal information, such as that contained on a resume or a curriculum vitae, in connection with a job application or inquiry. We may use this information throughout Rhythm for the purpose of employment consideration or your inquiry. We may keep your information on file for future consideration.

USE OF COLLECTED INFORMATION
There are different legal bases we may rely on to use your personal information. These may include where the use of your personal information may be necessary to perform a contract that you have with us, where we have obtained your consent to use personal information, and where the use of personal information may be in our legitimate interests, among other legal bases permitted by applicable law.

Where required by applicable law, we will ask for your explicit consent to collect information considered to be sensitive personal information (such as health information ). You may withdraw your consent at any time by contacting us at the details below.

Consistent with these legal bases, we may use the information we collect for a number of purposes, including to:
• Administer patient support programs;
• Provide you with products, services, or information you request;
• Provide you with information about the Online Services or required notices;
• Respond to your inquiries;
• Deliver marketing communications, promotional materials, or advertisements that may be of interest to you;
• Administer participation in special events, programs, offers, surveys, and other market research;
• Customize your experience when using the Online Services, such as by providing interactive or personalized elements and providing you with content based on your interests;
• Improve our websites, patient support programs, and other products and services and/or develop new products or services;
• Perform quality control activities, conduct data analyses, and develop references for other users and/or health care providers to better understand symptoms or conditions;
• Generate and analyze aggregate traffic patterns throughout the Online Services;
• Diagnose website technical problems;
• Protect our, your, or others’ rights and property;
• Protect someone’s health, safety, or welfare;
• Comply with a law or regulation, court order, or other legal process;
• Detect, prevent, and respond to fraud, intellectual property infringement, violations of our Terms of Use, violations of law, or other misuse of the Online Services.

As noted above, we may use your personal information for marketing purposes, but we will not rent, sell, or share your personal information for third parties to directly market to you for their own purposes, unless we have your permission or as otherwise permitted by applicable law. See the “Your Choices” section below for information about your choices related to marketing.

We may use aggregate or de-identified information (i.e., information that does not personally identify you) for any purpose, except where prohibited by law.

DISCLOSURE OF COLLECTED INFORMATION
Service Providers. We may share your information with third parties that provide services to us in connection with our business operations and that have agreed to keep the information confidential.

Other Parts of Our Business and Our Business Partners. We may share your information with other parts or departments at Rhythm or with our business partners for events or activities that we provide jointly, such as a research study. In such cases, our business partners are limited to using your information for the purposes of the joint event or activity.

Mergers, Acquisitions and Bankruptcy. If Rhythm should ever file for bankruptcy or merge with another company, or if Rhythm should decide to buy, sell, or reorganize some part or all of its business, Rhythm may disclose your information to prospective or actual purchasers. It is Rhythm’s practice to seek appropriate protection for information disclosed in these types of transactions.

As Required by Law and Other Legal-Related Disclosures. We may disclose your personal information if we believe in good faith that disclosure is necessary: (a) to comply with the law, such as to report possible adverse events or to respond to legal process (e.g., court order, subpoena, search warrant) or other legal requirements of any governmental authority; (b) to protect the integrity of the Online Services; (c) to protect and defend our, your, or others’ rights, property, safety or interests; or (d) to detect, prevent, or respond to fraud, intellectual property infringement, violations of our Terms of Use, violations of law, or other misuse of the Online Services.

Aggregate and De-Identified Information. We may disclose aggregate or de-identified information for any purpose, except where prohibited by law.

YOUR CHOICES
Rhythm takes reasonable steps to keep personal information up-to-date for the purposes for which the information was collected. If you wish to inquire about, make changes to, or request deletion of the personal information we have collected about you, please submit a request to privacy@rhythmtx.com.

Marketing. If you no longer wish to receive marketing communications from us, please submit a request to privacy@rhythmtx.com or using the unsubscribe mechanism in our promotional emails. Please note that you may not opt-out of receiving non-promotional, administrative messages, including messages relating to your account, technical notices, transactional confirmations, safety information, or other Online Services-related emails.

Cookies and Similar Technologies. We and our service providers may collect information by automated means such as cookies, web beacons, log files, and similar technology. A “cookie” is a file that websites send to a visitor’s internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an internet tag, pixel tag, action tag, or clear GIF, is a clear graphic image that may be loaded by a web browser to record visits to a particular website or may be embedded in an email to record when the email is opened. A “log file” is a file that records how users interact with websites or a server. If you do not want the Online Services to collect information through the use of cookies, you can set your web browser to reject cookies from the Online Services. Each browser is different, so you should check your browser’s “Help” menu to learn how to change your cookie preferences. If you reject or block cookies from the Online Services, however, the Online Services may not function as intended.

Google Analytics. We may use third-party web analytics services on the Online Services, including Google Analytics. The analytics providers that administer these services use technologies such as cookies, web beacons, and log files to collect information to help us analyze how visitors use our Online Services and improve the overall performance and user experience of the Online Services. These analytics providers may also collect information about your use of other websites over time, if those other websites also use the same analytics providers. To learn more about how Google Analytics uses your information and what choices you have, please visit https://www.google.com/policies/privacy/partners/.

Do Not Track. Some browsers may transmit “do-not-track” signals to websites with which the browser communicates. Our websites do not currently respond to these “do-not-track” signals or other mechanisms that provide a method to opt out of the collection of information across websites and over time.

ADDITIONAL COLLECTION AND USE
To administer special programs or provide certain services, we may need to collect and use information other than as described in this Privacy Policy. In these cases, we will provide further explanation and, where required by applicable law, will ask for your additional consent before collecting and using your information for those programs and services.

SECURITY
We take steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy. Rhythm has put in place physical, technical, and administrative safeguards to protect personal information, consistent with legal obligations and industry practices. However, no information system can be 100% secure, so we cannot guarantee the absolute security of any information you provide to us.

By using the Online Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Online Services.

LINKS TO THIRD-PARTY SITES
The Online Services may contain links to third-party sites. Please be aware that Rhythm is not responsible for and cannot control the privacy practices of these other sites. We encourage you to read the privacy policies for these other sites prior to using such sites, as they may differ from ours.

CHILDREN’S INFORMATION
Under Age 13
The Online Services are not directed to, nor do we knowingly collect information from, children under the age of 13 without verifiable parental consent. This does not affect health information about minors that a healthcare professional or caregiver using the Online Services may provide in connection with our services directed to those individuals. If we learn that a child under the age of 13 has submitted personally identifiable information online without parental consent, we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose (except where necessary to protect the safety of the child or others as required or allowed by law). If you become aware that your child or any child under your care has provided us with information without your consent, please contact us at the contact information listed below.

Under Age 18
Minors under 18 years of age may have the personal information that they provide to us online deleted by contacting us at the contact information listed below, requesting deletion.  Please note that, while we make reasonable efforts to comply with such requests, deletion of your personal information does not ensure complete and comprehensive removal of that data from all systems.

INTERNATIONAL DATA TRANSFERS AND PROCESSING
To the extent that personal information is transferred out of the country where a user or other individual whose information is provided to us over the Online Services lives, such as to our affiliates, business partners, and service providers in other countries, there may be different standards that apply to how personal information may be used and protected. Rhythm has put in place appropriate safeguards in accordance with applicable legal requirements to ensure that data is adequately safeguarded and protected irrespective of the country. For more information on the appropriate safeguards in place, please contact us at the details below.

YOUR CALIFORNIA PRIVACY RIGHTS
This Privacy Policy describes how we may share your information for marketing purposes, as described above. California residents are entitled to request and obtain from us once per calendar year information about any of your personal information shared with third parties for their own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To request this information and for any other questions about our privacy practices and compliance with California law, please contact us as explained below.

CHANGES TO THIS PRIVACY POLICY
Rhythm reserves the right to change this Privacy Policy at any time. If we update this Privacy Policy, we will notify you by posting a new Privacy Policy on this page. If we make any revisions that materially change the ways in which we use or share the information previously collected from you through the Online Services, we will make reasonable efforts to provide notice (such as by sending you an email or posting a notice on this website prior to the changes becoming effective) and obtain any necessary consent to any such new uses as may be required by law. We encourage you to review this Privacy Policy each time you visit this website.

CONTACTING US
Rhythm Pharmaceuticals, Inc. is based in the US and is the controller responsible for the personal information that it collects and processes. If you have any questions about this Privacy Policy, the Terms of Use, or our use of your information collected through the Online Services, you can contact privacy@rhythmtx.com.

Effective Date: September 24, 2018