Privacy policy


INTRODUCTION

Welcome to Geron Corporation’s Privacy Policy.

Your privacy is important to us. Therefore, we have developed this Privacy Policy to describe how Geron Corporation (“Geron”, “we” or “us”) collects, stores, uses, and otherwise processes personal data in compliance with applicable data protection laws, including the European General Data Protection Regulation (GDPR) and applicable UK privacy laws (collectively, “European Privacy Legislation”).

This Privacy Policy applies to the personal data we collect on our website(s) that link to this Privacy Policy, as well as through social media, our marketing activities, our live events and other activities described in this Privacy Policy (collectively, the “Service”). This Privacy Policy also explains the rights and choices available to individuals whose personal data we maintain.

Geron may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal data. In particular, please note that this Privacy Policy (with the exception of the section titled “Data Privacy Framework” as applicable to individuals located in the European Economic Area (“EEA”) and Switzerland) does not apply to personal data of clinical trial participants and clinical site staff (including investigators) that we handle in connection with clinical trials. Our privacy practices in connection with clinical trials are governed by applicable clinical trial protocols and additional privacy notices that may be specific for each clinical trial. In some circumstances, we may provide additional privacy notices to you in connection with your participation in our programs, events, or other engagements with Geron. Such in-time notices will govern our privacy practices in connection with those engagements to the extent there is any conflict between this Privacy Policy and the in-time notice.

INFORMATION AND DATA WE COLLECT

Information you provide to us. Personal data and other information you may provide to us through the Service or otherwise includes:

  • Contact data, personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, and phone number);
  • Communications that we exchange with you, including when you contact us through the Service;
  • Job application data, professional credentials, educational and professional history, institutional affiliations, background checks, and information of the type included on a resume or curriculum vitae (such as work experience, education, salary, and languages spoken);
  • Other information you provide to us (such as your photograph, social media handle, or digital or electronic signature, in emails, on phone calls, in market research surveys, or in other correspondence with us or our service providers or business partners);
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.

Automatic data collection. We, our service providers, and our business partners may automatically collect information about you (such as IP address, your device’s operating system, your Internet service provider and location, browser type and language, and website content you access); information about the date, time and duration of your visit; and identifiers that are used to identify your mobile device, such as your unique device ID, hardware type, and media access control address (“Device and online activity data”).

Cookies and similar technologies. We may use cookies and similar technologies. We may set cookies when you use our Services to understand how you use the Services, help you navigate between pages efficiently, remember your preferences and generally improve your browsing experience. Service providers and our business partners may also set cookies on our Services. In addition to cookies, our Services and emails may use pixel tags (also known as web beacons and clear GIFs) to compile statistics about use of the Services, measure the success of our marketing campaigns, and indicate whether recipients of our emails open or click links within them. Please refer to the Cookie Policy for more details.

We may combine other publicly available information, such as information related to the organization for which you work, with the personal data that you provide us.

HOW WE USE THE DATA WE COLLECT

Geron may use your personal data for the following purposes:

To manage our relationship with you. We may use your personal data to:

  • provide you with investor, media or other materials;
  • send you copies of our press releases or other information;
  • send you surveys or other marketing communications, but you may opt out of receiving them as described in the “Your Choices” section below;
  • operate, provide and improve our Service and our business;
  • better understand your needs and interests, and personalize your experience with the Service and our communications;
  • respond to your comments, questions, and service-related requests;
  • provide support and maintenance for the Services;
  • communicate with you about the Service, including by sending announcements, updates, security alerts, and support and administrative messages;
  • personalize the Service, including remembering your selections and preferences as you navigate the Service;
  • understand your needs and interests, and personalize your experience with the Service and our communications.

    Digital development. We may use your personal data for digital development purposes, including to analyze and improve the Service and our business and to develop new digital products and services. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal data we collect. We make personal data into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.

    Marketing. We and our service providers may collect and use your personal data for marketing purposes:

    1. Direct marketing. We may send you direct marketing communications. You may opt out of marketing-related communications by following the opt-out or unsubscribe instructions provided (e.g., at the bottom of the email), or by contacting us at privacy@geron.com. Please note that if you choose to opt out of marketing-related communications, you may continue to receive service-related and other non-marketing communications.
    2. Interest-based advertising. We may engage third party advertising and social media companies to display ads on the Service and on other online services. These companies may use cookies and similar technologies to collect information about over time across the Service, our communications and other online services, and use that information to serve ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms.

    To manage our recruiting and process job applications. We may use personal data, such as data submitted to us in a job application, to facilitate our recruitment activities and process job applications, such as by evaluating a candidate for a job, and monitoring recruitment statistics.

    Compliance and protection. We may also use your personal data as we believe necessary or appropriate to:

    • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
    • enforce the terms and conditions that govern the Service;
    • protect our rights, privacy, safety or property, and/or that of you or others; and
    • protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

      Cookies and similar technologies. In addition to the other uses included in this section, we may use the Cookies and similar technologies described above for the purposes described in our Cookie Policy.

      Use for new purposes. We may use your personal data for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it.

      YOUR CHOICES

      Opt out of marketing communications. You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email. If you opt out, you will continue to receive service-related and other non-marketing emails.

      Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

      SECURITY

      Geron takes reasonable measures to protect your personal data from unauthorized access and against loss, misuse or alteration. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal data.

      LEGAL BASIS

      Legal bases for processing. In respect of each of the purposes for which we use your personal data, the European Privacy Legislation requires us to ensure that we have a legal basis for that use. The legal bases of our processing of your personal data as described in this Privacy Policy will depend on the type of personal data and the specific context in which we process it. However, the legal bases we typically rely on are set out in the table below. If you have questions about the legal basis of how we process your personal data, contact us at privacy@geron.com.

      Processing purpose. Details regarding each processing purpose listed below are provided in the section above titled “How we use the data we collect”.

      Categories of personal data involved. Details regarding the categories of personal data listed below are provided in the section above titled “information and data we collect”.

      1. Processing purpose: To manage our relationship with you. We need to process your personal data to operate the Service, including responding to your requests or inquiries, providing you with access to content or information you requested, etc.
         Categories of personal data involved:
         • Contact data
         • Communications data
         • Device and online activity data
         • Other data
         Legal basis: Processing is necessary to perform the contract governing our provision of our Service or to take steps that you request prior to signing up for the Service.

      2. Processing purpose: To manage our recruiting and process job applications. We may need to process your personal data to process your job application.
         Categories of personal data involved:
         • Contact data
         • Job application data
         Legal basis: In these scenarios, the processing of the personal data you voluntarily provide to us is based on your consent. Where we rely on your consent you have the right to withdraw it at any time in the manner indicated when you consent or in the services.

      3. Processing purpose: For digital development. We may use your personal data for digital development purposes, including to analyze and improve the Service and our business.
         Categories of personal data involved: Any and all data types relevant in the circumstances.
         Legal basis: These activities constitute our legitimate interests. We do not use your personal data for these activities where our interests are overridden by the impact on you.

      4. Processing purpose: We may need to process your personal data for additional purposes, such as:
         • To ensure access and maintenance of the Service, and to ensure their proper functioning
         • For compliance, fraud prevention and safety
         • For sharing your personal data with third parties as described in this Privacy Policy
         • To disclose your personal data to a prospective or actual purchaser or seller in the context of a merger, acquisition or other reorganization or sale of our business or assets
         • For the collection of statistical information about the use of the Service
         • To protect our interests as a company, for different purposes, such as:
           • Enforcement of the Terms of Service
           • Assess claims that any content violates the rights of third parties
           • Establishment or exercise of our legal rights or defending against legal claims
         Categories of personal data involved:
         • Contact data
         • Communications data
         • Device and online activity data
         • Marketing data
         • Other data
         Legal basis: We rely on our legitimate interests to process your personal data when performing these processing activities. We do not use your personal data for these purposes where our interests are overridden by the impact on you.

      5. Processing purpose: For marketing and advertising purposes. We and our third-party advertising partners may collect and use your personal data for marketing and advertising purposes.
         Categories of personal data involved:
         • Contact data
         • Communications data
         • Device and online activity data
         • Marketing data
         Legal basis: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal data for these purposes based on our legitimate interests in promoting our business.

      6. Processing purpose: Compliance with legal obligations and protection purposes. We are subject to certain legal obligations that may oblige us to disclose your personal data to courts, law enforcement or regulatory authorities.
         Categories of personal data involved: Any and all data types relevant in the circumstances.
         Legal basis: Processing is necessary to comply with our legal obligations. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.

      7. Processing purpose: Further uses. We may use your personal data for reasons not described in this Privacy Policy.
         Categories of personal data involved: Any and all data types relevant in the circumstances.
         Legal basis: The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the personal data was collected. Consent, if the relevant further use is not compatible with the initial purpose for which the personal data was collected.

      YOUR RIGHTS

      You have certain rights regarding your personal data. You may ask us to take the following actions in relation to your personal data we hold:

      • Right of access: provide you access to your personal data.
      • Right to correct: correct or update your personal data.
      • Right of deletion: delete your personal data.
      • Right to data portability: transfer your personal data in machine readable form to you or a third party of your choosing.
      • Right to Restrict: restrict processing of your personal data.
      • Right to object: object to our reliance on our legitimate interests as the basis of our processing of your personal data.
      • Right to withdraw consent at any time: where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

      You may submit these requests by contacting us at privacy@geron.com. If permitted by law, we may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal data or response to your requests regarding your personal data, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

      THIRD-PARTY SITES AND SERVICES

      We may provide links to third-party applications, services or websites that are not owned or operated by Geron. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. You understand that when you click on these links any data which you provide to the third party is subject to that third party’s privacy policy and not to ours. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions or the content, safety, privacy or security of any third-party application, service or website.

      HOW WE DISCLOSE THE DATA WE COLLECT

      We may share your personal data with the following parties and as otherwise described in this Privacy Policy or at the time of collection.

      • We may engage other companies and individuals to perform services on our behalf, including:
        • Companies that analyze data and provide business support (such as data storage and technology services);
        • Event planning and travel organizations that help facilitate our programs and services;
        • Companies that support us in product marketing and commercialization; and

      These agents and service providers may have access to your personal data in connection with the performance of services for Geron. We may sometimes share your personal data with partners or enable partners to collect information directly via our Service.

      • Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
      • We may disclose your personal data to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to comply with applicable law and lawful requests and legal process.
      • We may disclose your personal data in connection with any business deal (or potential business deal) such as a merger, consolidation, sale of some or all of our business or assets, financing or acquisition, reorganization, or in the event of bankruptcy.

      Please keep in mind that whenever you voluntarily make your personal data available for viewing by third parties or the public on or through our Service, that information can be seen, collected and used by others. We are not responsible for any use of such information by others.

        DATA RETENTION

        We retain your personal data for as long as needed to fulfill the purposes for which we collected it, including for the purposes of complying with our legal obligations, resolving disputes, and enforcing our agreements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. When we no longer require the personal data we have collected about you, we will either delete or anonymize it. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

        OUR POLICY REGARDING CHILDREN

        The Service is not intended for use by anyone under 13 years of age. We do not knowingly collect or solicit personal data from anyone under the age of 13 through our Services, or knowingly allow such persons to use our Services. In the event that we learn that we have collected personal data from a child under age 13 without the consent of the child’s parent or guardian as required by law through our Services, we will comply with applicable legal requirements to delete that personal data. If you believe that we might have any personal data from or about a child under the age of 13, please contact us.

        INTERNATIONAL TRANSFER

        We are headquartered in the United States and may use service providers that operate in other countries. Your personal data may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.

        Please note that these countries and jurisdictions may not have the same data protection laws as your own jurisdiction. Regardless, we take reasonable steps to maintain adequate safeguards to enable transfer of personal data to the U.S. and other jurisdictions. If we transfer your personal data from the EEA and/or Switzerland to a country outside of it, we will apply additional safeguards as appropriate depending upon the legal mechanism(s) used to transfer your personal data.

        For personal data subject to Swiss privacy laws, Geron transfers the personal data to the following countries:

        • U.S. (transfer mechanism: Swiss-U.S. Data Privacy Framework and EU Commission Approved Standard Contractual Clauses (where applicable));
        • United Kingdom (transfer mechanism: EU Commission Adequacy Decision)

        If you have questions about the mechanism(s) upon which we rely for the transfer of your personal data, please contact us.

        DATA PRIVACY FRAMEWORK

        Geron complies with (i) the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and (ii) the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce. Geron has certified to the U.S. Department of Commerce that it adheres to (i) the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the EU in reliance on the EU-U.S. DPF, and (ii) the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between the terms in this Privacy Policy (or the relevant applicable privacy notice that also addresses the Data Privacy Framework and is provided to individuals such as in the context of clinical trials in the informed consent forms or privacy notices to clinical trial staff (including investigators)) and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework, and to view our certification, please visit the Data Privacy Framework website.

        With respect to personal data received or transferred pursuant to the Data Privacy Framework, the U.S. Federal Trade Commission has jurisdiction over Geron’s compliance with the Data Privacy Framework.

        Geron may collect, use, and disclose categories of personal data received in reliance upon the Data Privacy Framework for the purposes as described in this Privacy Policy. The types of third parties to which Geron may share personal data received in reliance on the Data Privacy Framework and for which purposes are set out in the section of this Privacy Policy entitled “HOW WE DISCLOSE THE DATA WE COLLECT.” If recipients to whom Geron has disclosed personal data in reliance upon the Data Privacy Framework process it in a manner that does not comply with the DPF Principles, Geron may be liable for such acts or omissions.

        Depending upon the context in which Geron processes personal data received in reliance upon the Data Privacy Framework, relevant individuals may have rights to access personal data about them, and choices to limit the use and disclosure of their personal data. Please submit a written request to exercise your rights or choices to the contact information provided in this Privacy Policy (see the section entitled “CONTACT INFORMATION”). We may request specific information from you to confirm your identity in an effort to respond to your request.

        Geron may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

        In compliance with the Data Privacy Framework, Geron commits to resolve complaints about its collection or use of your personal data. EEA and Swiss individuals with inquiries or complaints regarding the handling of personal data received in reliance on the Data Privacy Framework should first submit inquiries to Geron as specified in the Contact Information of Data Controller section of this Privacy Policy.

        In compliance with the Data Privacy Framework, Geron commits to refer unresolved complaints concerning our handling of personal data received in reliance on the Data Privacy Framework to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

        In compliance with the UK Extension to the EU-U.S. DPF, Geron commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

        Additionally, under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information on this option, please see the Data Privacy Framework website: Annex I.

        CHANGES TO THIS POLICY

        We may update this Privacy Policy to reflect changes to our data and personal data privacy practices. If we make any material changes to this Privacy Policy we will take appropriate steps to notify you of such changes. We encourage you to periodically review this page for the latest information on our privacy practices.

        CONTACT INFORMATION

        Controller. Geron Corporation is the controller of your personal data covered by this Privacy Policy for purposes of European Privacy Legislation. You can contact us at:

        Geron Corporation
        919 E. Hillsdale Blvd., Suite 250
        Foster City, CA 94404
        Attn: Legal Department

        Data Protection Officer. Our data protection officer can be contacted at:
        DPO Centre, privacy@geron.com.

        Data Protection Representative. You may also contact our EU and UK Representative via email, webform or physical mailing address. The contact information for our data representatives in the UK, EU and Switzerland is as follows:

        UK: DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom

        EU: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland

        Switzerland: DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland

        Please refer to this document for contact information in the EU.

        Last updated: March 14, 2024

        Copyright © 2024 Geron. All rights reserved