Privacy Policy

SAREPTALLY PRIVACY POLICY

Last Reviewed: July 2024

INTRODUCTION

SareptAlly is a global program designed to help patients, families, and physicians gain access to resources and information about Sarepta clinical trials and potential treatment options. SareptAlly is dedicated to helping physicians and families in two important ways:

Sarepta clinical trial identification and matching - Well-designed clinical trials are the best way to determine the safety and effectiveness of investigational therapies and for patients to gain access prior to regulatory approval. SareptAlly connects patients with research physicians conducting Sarepta-sponsored clinical research. If a trial is identified, patients may be assessed for trial eligibility by the research physician based on their clinical status and the study protocol.
Local Treatment Assessment - When a clinical trial is not identified, SareptAlly serves as a resource for physicians, patients, and families seeking potential treatment options. SareptAlly responds to inquiries, walks through steps in the process for potentially securing treatment, and identifies resources to help make the process easier.

SareptAlly is held by Sarepta Therapeutics, Inc. ("Sarepta", "Company", “Sponsor”, “we” or “us”) and managed by Impatients N.V., trading under the name myTomorrows (“myTomorrows”). With regards to your personal data, Sarepta acts as the data controller and myTomorrows as the data processor, as these terms are defined in article 4 of the Regulation EU 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

Sarepta and myTomorrows respect your privacy and are committed to protecting your personal data through our compliance with this policy. This policy describes the types of personal data we may collect from you or that you may provide when you visit www.sareptally.com or https://mytomorrows.com/sareptally/en/start (the “Websites ”), or during your contacts with one of the Patient Navigators dedicated to the Program by phone, email or online application, and our practices for collecting, using, maintaining, protecting and disclosing that personal information.

This policy applies to personal data. “Personal data” is any information—as electronically or otherwise recorded—that can be used to identify a person or that we can link directly to an individual, such as name, address, email address, or telephone number, as applicable. This policy applies only to personal data we may collect:

on SareptAlly Websites;
through e-mail, text and other electronic messages between you and SareptAlly Websites;
through mobile and desktop applications downloaded from SareptAlly Websites, which may provide dedicated non-browser-based interaction between you and such Websites; and
when you interact with our Patient Navigators, through phone-calls or emails.

myTomorrows’ privacy policies also apply to the processing of your personal data and you can access myTomorrows privacy policy at https://mytomorrows.com/en/privacy-statement. We may have other unique privacy policies that apply to certain specific situations, such as if you participate in a clinical trial we sponsor. To the extent you were provided with a different privacy notice or policy that applies, that notice or policy will govern our interactions with you, not this one.

This policy does not apply to information collected by:

us offline or through any other means not included in the above-provided definition of our Websites; or
any third party, including through any application or content (including advertising) that may link to or be accessible from or on the Website.

Please read this policy carefully to understand our policies and practices regarding your personal data and how we will treat it. If you do not agree with our policies and practices, you should not use our Websites or register for the services and information we offer. By accessing or using our Websites, you agree to this privacy policy.

Please be aware that personal data we collect and process from the SareptAlly Websites may be transferred and maintained outside of your state, province, country, including in and to the United States. Please note that the laws of the United States pertaining to the use and protection of personal information may differ from that of other countries, but Sarepta has put in place appropriate safeguards to protect your personal information.

CHANGES TO OUR PRIVACY POLICY

We will post any changes we make to our privacy policy on this page. If we make material changes to how we treat your personal information, we will notify you by email to the primary email address specified in your account and/or through notices on our Websites. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Websites and this privacy policy to check for any changes. Your continued use of our Websites after we make changes to our privacy policy is deemed to be acceptance of those changes, so please check the policy periodically for updates.

CHILDREN UNDER THE AGE OF 16

No one under age 16 may provide information on our Websites. Our Websites are not directed at minors under 16 and we do not knowingly collect, maintain, disclose, or otherwise process personal information of minors below the age of 16 without the permission of such minor’s parents or legal guardians. If you believe we have any personal information from or about a minor under 16 without parental or guardian consent, please contact us at websiteadmin@sarepta.com so that we may identify and delete that personal information.

INFORMATION WE COLLECT ABOUT YOU AND HOW WE COLLECT PROCESS, AND SHARE IT

“Personal data” is any information—as electronically or otherwise recorded—that can be used to identify an individual directly or indirectly, such as name, address, email address, telephone number, or credit card number, as applicable. Personal data in some jurisdictions can include information that indirectly identifies a person even absent other identifying information.
Personal data may include information considered sensitive in some jurisdictions, such as biometric information, genetic information, medical and health information, financial account information, geolocation, ethnic or racial origin, information concerning your sex life or your sexual orientation, and other information.
We will process any personal information we collect in accordance with applicable law and as described in this privacy policy (unless, as explained above, a separate policy or notice governs).
Below is a summary of how we collect, process, and use personal information and the potential recipients of your personal information, and how we have done so in the preceding 12 months. Some jurisdictions require us to state the legal bases for processing your personal information, which are included below, but please note that not all jurisdictions may recognize all legal bases.

Examples of the types of personal information we process:	How do we collect the personal information?	Why do we process the personal information?	What are the legal bases for processing?	Who could receive the personal data?*
Personal data, such as: first and last name email address postal address phone number username and password age gender marital status date of birth Sensitive personal data, such as: disability genetic test report/results Visual Information, such as: pictures and videos Technical Information, such as: Internet Protocol (IP) addresses (which may identify your general geographic location or company) browser type and browser language device type advertising IDs associated with your device (such as Apple’s Identifier for Advertising (IDFA) or Android’s Advertising ID (AAID)) date and time you used the Websites Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving the Websites activity on the Websites data collected from cookies or similar technologies**** geolocation information Anonymized / De‑identified Data Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified and the information is no longer considered Personal Data under data protection laws.	From you directly; From the devices you use From third parties we work with;	to respond to your inquiries for information, and to provide you with information about Sarepta and its products and services, by email, regular mail, text message or phone according to your preferences to provide you the requested identification/matching to our clinical trials or potential treatment options present our Websites and their contents to you according to your preferences to develop statistics and analysis to improve and further develop our Websites and the information and services we may offer from time to time to request your participation in Sarepta surveys and other market research which can include requests for demographic, geographic or other personal information as well as questions regarding a patient’s medical condition and other data which Sarepta may use to create useful services and information for users of our Websites and for other lawful business purposes to fulfill any other purpose for which you provide it to provide you with notices and updates according to your preferences to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, our Terms of Use and for billing and collection to notify you about changes to our Website or any products or services we offer or provide though it to allow you to participate in interactive features through our Websites in any other way we may describe when you provide the information to identify and authenticate you to detect security incidents to protect against malicious or illegal activity for short-term, transient use for administrative purposes for quality assurance to meet our legal and regulatory obligations	for the purposes of developing our business the consent you provide us to process your data to comply with a legal obligation in preparation for or to perform a contract for other lawful purposes as may be required or allowed by law*	Our affiliates, subsidiaries, and related companies Clinical trial sites through secure platform to assess eligibility for trials Partners or service providers that assist us in administering our business, such as our Case Management System*** Regulatory authorities, such as the Food and Drug Administration (FDA);

Examples of the types of personal information we process:

How do we collect the personal information?

Why do we process the personal information?

What are the legal bases for processing?

Who could receive the personal data?*

Personal data, such as:

first and last name
email address
postal address
phone number
username and password
age
gender
marital status
date of birth

Sensitive personal data, such as:

disability
genetic test report/results

Visual Information, such as:

pictures and videos

Technical Information, such as:

Internet Protocol (IP) addresses (which may identify your general geographic location or company)
browser type and browser language
device type
advertising IDs associated with your device (such as Apple’s Identifier for Advertising (IDFA) or Android’s Advertising ID (AAID))
date and time you used the Websites
Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving the Websites
activity on the Websites
data collected from cookies or similar technologies****
geolocation information

Anonymized / De‑identified Data
Anonymized data is data for which your individual personal characteristics have been removed such that you are not identified and the information is no longer considered Personal Data under data protection laws.

From you directly;
From the devices you use
From third parties we work with;

to respond to your inquiries for information, and to provide you with information about Sarepta and its products and services, by email, regular mail, text message or phone according to your preferences
to provide you the requested identification/matching to our clinical trials or potential treatment options
present our Websites and their contents to you according to your preferences
to develop statistics and analysis to improve and further develop our Websites and the information and services we may offer from time to time
to request your participation in Sarepta surveys and other market research which can include requests for demographic, geographic or other personal information as well as questions regarding a patient’s medical condition and other data which Sarepta may use to create useful services and information for users of our Websites and for other lawful business purposes
to fulfill any other purpose for which you provide it
to provide you with notices and updates according to your preferences
to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, our Terms of Use and for billing and collection
to notify you about changes to our Website or any products or services we offer or provide though it
to allow you to participate in interactive features through our Websites
in any other way we may describe when you provide the information
to identify and authenticate you
to detect security incidents
to protect against malicious or illegal activity
for short-term, transient use
for administrative purposes
for quality assurance
to meet our legal and regulatory obligations

for the purposes of developing our business
the consent you provide us to process your data
to comply with a legal obligation
in preparation for or to perform a contract
for other lawful purposes as may be required or allowed by law*

Our affiliates, subsidiaries, and related companies
Clinical trial sites through secure platform to assess eligibility for trials
Partners or service providers that assist us in administering our business, such as our Case Management System***
Regulatory authorities, such as the Food and Drug Administration (FDA);

*The legal bases we rely upon include those enumerated in Articles 6 and 9 of the European Union’s General Data Protection Regulation (GDPR), depending on the type of Personal Data.

**We do not sell or share your personal information for cross-context behavioral advertising.

***In limited circumstances, recipients may include, (1) in the event of a sale, assignment, or transfer, to the buyer, assignee, or transferee; and, (2) government or regulatory officials, law enforcement, courts, public authorities, or others when permitted by this Policy or required by law.

****Please see our Notice on Cookies | Sarepta Therapeutics for more information on how we use cookies and similar technologies.

Information collected by myTomorrows

Impatients N.V., trading under the name myTomorrows, acts as Sarepta’s service provider and the processor of your personal data. Sarepta has hired myTomorrows to assist with the SareptAlly program as described in the introduction of this Privacy Policy. MyTomorrows will process your personal data for the purposes described in the table above and as described in their privacy policy (https://mytomorrows.com/privacy-statement/).

myTomorrows is a company established under the laws of the Netherlands. The information you submit to myTomorrows will be stored on a secured database in the European Economic Area and will only be shared in a deidentified format with Sarepta. Sarepta will not receive your full name or any other information that can directly identify you. The transfer will take place with appropriate security safeguards.

Any data processed by myTomorrows will be processed on the basis of the consent you provide on the SareptAlly landing page and during your conversation with a Patient Navigator, or if myTomorrows’ team finds that you may be eligible for a Sarepta-sponsored clinical trial and you decide, in consultation with your physician, to be referred to a trial site.

You may withdraw your consent at any time and upon withdrawal, we will promptly assess your request and delete your personal data, except to the extent required by applicable laws. For more information about your rights regarding your personal data, please see below. For more information or question about how myTomorrows processes your personal data on behalf of Sarepta, you may refer to myTomorrows’ privacy statement linked above or reach out at dataprotection@mytomorrows.com.

User-Generated Information

You also may provide information to be used, published or displayed (hereinafter, "posted") on public areas of our Websites, or to be transmitted to other users of our Websites (collectively, "User-Generated Information"). When you provide User-Generated Information, you do so at your own risk. Although in some cases you may be able to establish certain privacy settings for your User-Generated Information that is posted on our Websites, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of our Websites with whom you may choose to share your User-Generated Information. Therefore, we cannot and do not guarantee that your User-Generated Information will not be viewed by unauthorized persons.

Information Collected Automatically

The information about you that we collect automatically does not identify you personally, but rather only by reference to the device you use to access our Websites. This information tells us about your usage of our Websites, which helps us to improve our Websites and to deliver a better and more personalized service to you. By enabling us to take into account your Website usage patterns and preferences, this information helps us to customize our Websites according to your individual interests, to speed up your searches, and to recognize you when you return to our Websites.

The technologies we use for this automatic data collection may include:

Cookies (browser or flash cookies). A browser cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. Certain features of our Websites may also use local stored objects (or flash cookies) to collect and store information about your preferences and navigation to, from and on our Websites. You are able to limit access of flash cookies to your computer with add-ons and other tools available online. If you limit access of cookies, you may be unable to access certain parts of our Websites. Unless you have adjusted your settings so that it will refuse cookies, our system will issue cookies when you direct your browser to our Websites.
Web Beacons. Pages of our Websites and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

For more information about these technologies and how to manage or opt out of them, please see our Notice on Cookies | Sarepta Therapeutics.

Although the information we collect automatically does not personally identify you, we may link that information to information that does personally identify you that we otherwise collect as described in this policy.

Website Analytics

The Websites may use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses cookies to analyze use patterns and may collect information about your use of the website, including your IP address. More information on Google Analytics can be found here: www.google.com/policies/privacy/partners/. If you would like to opt-out of having your data used by Google Analytics, please use the Google Analytics opt-out available here: https://tools.google.com/dlpage/gaoptout/. Please note that we make no representations regarding the functionality of Google opt-out mechanisms, and further, opting out of Google Analytics will not preclude the use of your data by other analytics services that we may use.

Cookies on myTomorrows' pages

If you visit a website operated by myTomorrows, myTomorrows’ cookie statement (https://mytomorrows.com/cookie-statement/) will apply. myTomorrows will not place cookies other than strictly necessary cookies, without your prior consent. Please refer to the information mentioned on the pages operated by myTomorrows for more information about how myTomorrows uses cookies and similar technologies.

CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION

We strive to provide you with reasonable choices regarding the collection and use of information about you. For example, you may: (1) choose not to provide personal information on our Websites, (2) set your browser preferences and use web tools available to block the cookies sent in connection with your use of our Websites, (3) follow the instructions to unsubscribe from our services included on our Websites and the communications sent to you, and/or (4) email a request to delete your personal data to dataprotection@mytomorrows.com

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

Please note that in many circumstances, we cannot effectively do business with you without processing some Personal Data about you (e.g., your contact information).

Depending on your location and applicable data protection laws, you may have the right to exercise the following rights with respect to some or all of your Personal Data:

to request access to the Personal Data we hold about you;
to request that we rectify or erase your Personal Data;
to request that we restrict or block the processing of your Personal Data;
- this includes the right to opt out of solicitations;
to request a copy of your data to provide your Personal Data directly to another party, i.e., a right to data portability;
when we previously obtained your consent, to withdraw consent to processing; and
to lodge a complaint with the data protection authority in your area.

You can make a request with respect to your Personal Data by (1) emailing us at dataprotection@mytomorrows.com (2) mailing us at Anthony Fokkerweg 61, 1059 CP, Amsterdam, The Netherlands; or (3) calling us at +31 20 225 5066. We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. We may, after receiving your request, require additional information from you to honor the request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

Kindly note that, if you delete your User-Generated Information from any of our Website, copies of your User-Generated Information may remain viewable in cached and archived pages, or might have been copied or stored by other Website users. Proper access and use of information provided on our Website, including User-Generated Information, is governed by our Terms of Use.

DATA SECURITY

We have implemented measures designed to secure your personal information from unauthorized access, use, alteration and disclosure. All information you provide to us is stored on our secure servers behind firewalls.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Websites. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our Websites.

HOW LONG YOUR PERSONAL INFORMATION WILL BE RETAINED

We generally retain personal information for as long as needed for the specific purpose or purposes for which it was collected or as follows:

For those who submit their personal data and are consequently enrolled in a program: personal data is retained for 2 years from the moment of confirmation of termination of their participation in a program.
For those who submit their personal data but no program is available for them, personal data is deleted as soon as it is confirmed there’s no option available for them or, if they elect to remain being contacted for purposes of receiving information and updates on programs that may be relevant to them and provide specific informed consent for such purposes, data is retained for 5 years from the date of consent.

In some cases, we may be required to retain personal information for a longer period of time by law or for other necessary business purposes. Whenever possible, we aim to anonymize the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the specified retention period.

Upon reaching the retention period, we will dispose of your information by deleting it.

CONTACT INFORMATION

To ask questions or comment about this privacy policy and our privacy practices, contact us at:

Sarepta Therapeutics
Attn: Corporate Communications
215 First Street
Cambridge, MA 02142
1-888-SAREPTA (1-888-727-3782)
privacy@sarepta.com

Impatients N.V.
Attn: Data Protection Officer
Anthony Fokkerweg 61
1059 CP Amsterdam
The Netherlands
+31 20 225 5066