Data Privacy Framework Policy

Last updated: May 31, 2024

Scope

This Policy sets forth the privacy principles that X4 Pharmaceuticals, Inc. and its subsidiaries (collectively, “X4”) follow with respect to Personal Data received from the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”), under the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, “the DPF”).

X4 has certified that it adheres to the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, as set forth by the US Department of Commerce. To learn more about the DPF program, and to view our certification page, please visit https://www.dataprivacyframework.gov/s/. Additionally, you can access our global Website Privacy Policy at: https://www.x4pharma.com/privacy-policy/.

This Policy applies to the processing of Personal Data that X4 receives in the United States concerning individuals who reside in the EEA, Switzerland and the UK. This Policy does not cover data from which individual persons cannot be identified.

X4 employees who handle Personal Data from the EEA, Switzerland or the UK are required to comply with the principles stated in this Policy.

Information Collected

X4 may collect Personal Data about healthcare professionals, including clinical investigators and their staff; X4 suppliers, contractors, and their personnel; and X4’s current, prospective and former employees. Information collected includes curriculum vitae data, business contact information and other non-sensitive information.

Sensitive information may be collected in certain instances, including from patients or potential patients, with the consent of the individual or where required by applicable law. In some instances, prospective patients or their family members may choose to provide Personal Data to X4 via our websites in order to request information.

Purposes of Processing

X4 processes Personal Data to facilitate the development and commercialization of its products and for its business purposes. Personal Data may be used for purposes of clinical research, business development, marketing and sales, regulatory affairs, procurement, human resources management, and other X4 business activities.

X4 transfers Personal Data to third-party processors providing a variety of services, including, but not limited to, clinical trial operations, payroll, systems hosting, and sales and marketing activities.

Onward Transfers to Third Parties

X4 will take measures to obtain assurances from third-party service providers that process Personal Data on X4’s behalf that they will process such information in a manner consistent with X4 policies and DPF Principles. X4 remains responsible under the DPF Principles if third-party service providers that X4 engages to process Personal Data on its behalf do so in a manner inconsistent with the DPF Principles, except where X4 is not responsible for the event giving rise to the damage. X4 will take measures to only disclose Personal Data that is necessary for the third parties to provide the agreed-upon services to X4. Where X4 has knowledge that a third-party business partner is using or disclosing Personal Data in a manner contrary to X4’s privacy policies or DPF Principles, X4 will take reasonable steps to prevent or stop the use or disclosure.

X4 may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Access

Upon request, and as required by DPF Principles and applicable law, X4 will provide individuals with reasonable access to Personal Data about them. X4 will also take reasonable steps to allow individuals to review Personal Data for the purposes of correcting, amending or deleting such information in instances where Personal Data is demonstrated to be incomplete or inaccurate.

You may request that X4 no longer share your personal data with parties that may use such data for their own purposes. If your personal data will be used for purposes other than those detailed in this notice, X4 will inform you and provide an opportunity to opt out of such secondary use.

Individuals can contact X4 at dataprivacy@x4pharma.com in order to request access or to make inquiries regarding limiting the use and disclosure of Personal Data about them.

Dispute Resolution

X4 is subject to the investigatory and enforcement powers of the US Federal Trade Commission.

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the X4 addresses provided below. X4 will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data by reference to DPF Principles.

In addition, X4 has agreed to participate in the following independent dispute resolution procedure in the investigation and resolution of complaints to resolve disputes pursuant to the DPF Principles:

  • JAMS

Information about how to file a complaint with the JAMS DPF program can be found at: https://www.jamsadr.com/DPF-Dispute-Resolution

An individual may invoke binding arbitration, at his or her own cost, subject to procedures set forth by the DPF.

Changes to this Policy

This Policy may be amended from time to time, consistent with the requirements of the DPF Principles. X4 will provide appropriate notice about such amendments.

Contact Information

If you have any questions or concerns about this Policy or would like to request this Privacy Policy in an alternative format due to a disability, you may contact us at dataprivacy@x4pharma.com, call us at 857-529-8300, or write to us at:

X4 Pharmaceuticals, Inc.
61 North Beacon Street, 4th Floor
Boston, MA 02134