Last Updated: 04/08/2025
Spyre Therapeutics, Inc. (“Spyre“ or the “Company” or “us” or “we”) recognizes and respects the privacy rights of individuals regarding their personal data and are committed to complying with all applicable data privacy laws. When we address “personal data,” we mean any information relating to an identifiable natural person. This Privacy Statement explains what types of personal data we may collect from you; how and why that data are collected, used, processed and protected; as well as how to exercise any privacy rights you may have with respect to the management of your personal data. This Privacy Statement applies to information we collect about you through our interactions with you, including when you visit our website(s).
We may update this Privacy Statement from time to time. Please check this Statement periodically for any changes. When we update our Privacy Statement, we will take appropriate measures to inform you, consistent with the significance of the changes we make. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the top of this Privacy Statement.
For questions, please contact complianceofficer@spyre.com or 650-239-3102 ext. 908. You may also send requests to exercise rights with respect to your data to privacy@spyre.com.
Spyre may collect, use, store, process, and or share personal data from the following broad categories:
You may choose to interact with us directly by completing forms or corresponding with us by electronic or written means or even by speaking to us over the phone. For example, you might sign up to receive clinical, educational, disease awareness, promotional or other information from Spyre; you might provide us with feedback or complete a survey; you might send us unsolicited information; or might otherwise express interest in participating in our offerings or research programs. During such interactions we will ask you to provide certain information voluntarily, which may include various categories of data like Identity Data, Contact Data, and in some instances, Special Categories of Personal Data.
When you visit and interact with our website(s), we may collect certain information automatically from you and about you, such as Technical Data, which may include information from your device like your IP address, device type, unique device identification numbers, browser-type, preference settings, broad geographic location (e.g., country or city-level location) and other technical information. Some of this information is collected using cookies and similar tracking technologies. Collecting this information enables us to better understand the visitors who come to our website(s), where they come from, and what content on our website(s) is of interest to them. We use this information, including information collected using such technologies, for our internal analytics and marketing purposes, to improve the quality and relevance of our website(s) to our visitors, to track and respond to concerns, and to comply with regulatory monitoring and reporting obligations. You can find more information about our use of cookies and other tracking technologies in our “Cookies and Other Tracking Technologies” section below.
We may receive categories of personal data about you from various third parties and public sources, such as:
Spyre and/or our affiliates or service providers may use your personal data for various relevant purposes including, for example, to:
We strive to provide you with choices regarding certain personal data uses, particularly around communications related to Spyre, our products and services. We may use your categorized Identity Data, Contact Data, Technical Data, Usage Data, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and materials may be relevant for you. We have established the following personal data control mechanisms:
We do not sell your personal data. We may share your personal data with the following categories of parties for the purposes described in this Statement:
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Spyre will only collect, process, and use the personal data described above where applicable laws allow us to do so. Simply put, we will do so only when we have your consent and/or when we have a legitimate business interest. In some cases, we may also have a legal or regulatory obligation to collect personal information from you, such as if there is a requirement to report an adverse event for our products. Please note that we may process your personal data based upon more than one lawful basis and legitimate interest depending upon the specific purpose(s) for which we are using the personal data. Spyre’s primary legitimate interests include the research, development, production, and promotion of next generation therapeutics at the heart of our corporate mission.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided under the “How To Contact Us” section above.
We have put in place technical and organizational security measures to prevent your personal data from being accidentally lost, impermissibly altered, disclosed, used, or accessed in an unauthorized way while it is under our control. In addition, we limit access to your personal data to those employees, agents, designees, and other third parties who have a business need to do so. Those parties will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have implemented reasonable procedures to guard against and address data breaches. In the unlikely event of a breach implicating your personal data that requires notification, we will do so and fulfill all our related legal obligations.
As we have stated earlier, we may automatically collect some personal data when you visit and engage with our website(s) using Internet server logs, cookies, beacons, and/or other tracking technologies.
Cookies are small files that are automatically stored on your computer when you visit a website. Cookies are used to (a) recognize your device; (b) store your preferences and settings; (c) understand the web pages of the website you have visited; (d) perform searches and analytics; and (e) assist with security functions. Cookies perform many functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving the user experience.
A web server log is a file where website activity is stored. An IP address is a number assigned to your device whenever you access the Internet that allows devices and servers to recognize and communicate with each other. Spyre may collect IP addresses to conduct system administration and report aggregate information to affiliates, business partner and/or service providers to conduct website and application analysis and performance reviews.
Beacons are small strings of code that are placed in websites, email messages, and/or online ads. Sometimes called "tracking pixels" or “pixel tags,” beacons are most often used in conjunction with cookies to track activity on websites. Since beacons are typically used in combination with cookies, if you disable cookies the beacons will only detect an anonymous website visit. When used in an email, beacons enable us to know whether you have received or opened the email and may be used for other analytics, personalization, and advertising.
If you do not wish to have cookies on your system, you can set your browser preferences to refuse them or to alert you when cookies are being sent. You are able to change our setting to notify you when a cookie is being placed or to block cookies altogether. For additional information, consult your browser's “Help” section because controls and settings vary by browser. If you choose to decline all cookies, you may not be able to fully experience all the features of our website(s). Some web browsers may transmit “do-not-track” signals to websites with which the browser communicates. Websites linked to this Privacy Statement do not currently respond to these “do-not-track” signals.
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Spyre may have additional privacy statements or notices that are directed to and tailored for the different ways your personal data is collected. For example, applicants for employment may be provided with a separate privacy statement and clinical trial participants are provided with separate notices related to their personal data as collected for the trials.
If you receive a privacy statement or notice provided to you for a specific purpose, the terms of the more specific statement or notice will control to the extent that other statements or notices may differ from this Privacy Statement.
Spyre may offer links to other sites that we believe may offer useful information to visitors of our website(s). The inclusion of a link on the Spyre website(s) does not imply our endorsement of the linked site or service. Spyre is not responsible for content that exists on third party websites. When you click on one of these links, you will be transferred from the website and be connected to the site of the organization or company that you selected. At such point, this Privacy Statement will not apply to your activity on the non-Spyre website(s). Each of these linked sites maintains its own independent privacy policies and procedures, which you should consult before providing any of your personal information.
Please note that linked third-party websites may also use cookies or other tracking technologies. We cannot control the use of cookies or other tracking technologies by any such third-party websites. For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using cookies. If you have any questions about how third-party websites use cookies, you should contact such third parties directly.
After choosing to move to a third-party’s website, our Privacy Statement will no longer apply.
We do not intend for our website(s) or online services to be used by anyone under the age of 18. In some limited instances we may collect personal data about children, but we will do so only with the proper consent of a parent or guardian. We do not otherwise knowingly collect or solicit data about or from children without the express consent of a parent or guardian. If a parent or guardian becomes aware that his or her child has provided us with personal data without proper adult consent, he or she should contact us as described in the “How to Contact Us” section above. In such an event, we will take reasonable steps to delete such data.
We do not knowingly collect personal data from children under the age of 13 on our website. If we become aware that we have collected personal data from children under the age of 13 on our website, we will take reasonable steps to delete such data.
California's Shine the Light Law (California Civil Code Section 1798.83) permits certain California residents who are individual customers to request certain information regarding its disclosure of "personal information" to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed in the “How to Contact Us” section above.
Be sure to include your name and address. You can include your email address if you want to receive a response by email. Otherwise, we will respond by postal mail within the time required by law.
Section 603A of the Nevada Revised Statutes permits certain Nevada residents who are "consumers" to submit a request at any time to an "operator" of a website in Nevada directing the operator not to make any sale of any "covered information" the operator has collected or will collect about the consumer. Spyre does not currently "sell" or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email or contacting us by using the information provided in the “How to Contact Us” section above.
If you are resident within European Union ("EU"), European Economic Area or United Kingdom, please read this section carefully as it will supplement the other provisions of this Privacy Statement.
We will use your personal data only when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:
Generally, you will have the right to withdraw your consent at any time by contacting us using the contact information listed in the “How to Contact Us” section above.
We have set out below, in a table format, a description of all the ways we may use your personal data, and which of the corresponding legal bases we rely upon to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need additional details about the specific legal basis we are relying on to process your personal data where more than one basis has been set out in the table below.
Purpose/Activity | Category of personal data | Lawful basis for processing |
---|---|---|
To engage you as a new vendor or other service provider, contractor or employee | (a) Identity (b) Contact | (a) Performance of a contract with you (b) Necessary for our legitimate interests (c) To operate our business |
To process and deliver products or services including: (a) Managing payments, fees and charges (b) Collecting and recovering money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (c) To operate our business (d) To keep accurate and updated business records (e) To recover debts due to us |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Privacy Statement (b) Asking you to provide feedback or take a survey (c) Other communications as a contractor or an employee (d) Responding to your requests | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Financial (g) Professional or Employment-related | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (d) To keep our records updated (e) To study how customers use our products/services (f) To manage our employee relationships. |
To enable you to complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (c) To study how customers use our products/services (d) To obtain feedback and grow our business |
To administer and protect our business and our intranet and website(s) (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Profile (d) Technical (e) Usage | (a) Necessary for our legitimate interests (b) For running our business (c) For provision of IT services and network security (d) To prevent fraud (e) Necessary to comply with a legal obligation |
To deliver relevant content on website(s)and marketing to you and understand the effectiveness of our marketing activities | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | (a) Necessary for our legitimate interests (b) To study how customers use our products and services (c) To develop our products and services (d) To grow our business (e) To inform our marketing strategy |
To use data analytics to improve our website(s), products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | (a) Necessary for our legitimate interests (b) To define types of customers for our products and services (c) To keep our website (s) updated and relevant (d) To develop our business (e) To inform our marketing strategy |
To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | (a) Necessary for our legitimate interests (b) To develop our products and services (c) To grow our business |
To conduct a research program (including conducting clinical trials) | (a) Identity (b) Contact (c) Financial (d) Special Categories (health data) | (a) Necessary for our legitimate interests (b) To improve healthcare (c) To facilitate and manage the research study (d) To conduct and analyze the research study (e) To develop our products (f) Necessary to comply with a legal obligation (g) To comply with safety and adverse event reporting requirements (h) To comply with clinical trial practice requirements (i) Necessary for scientific research purposes |
We will only use your personal data for the purposes for which we collected it, unless we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
To the extent that Spyre may undertake clinical trial studies within the EEA or UK, we may also use information from clinical trial participants’ medical records and other health data in order to conduct clinical or scientific research to improve healthcare. Spyre may contract with specialized service providers, such as Contract Research Organizations (“CROs”), clinical trial sites or other service partners, typically as data processors, to collect the personal data of the participants of the clinical trial and to manage the clinical trials that we sponsor. We may then process key-coded or pseudonymized personal data of clinical trial participants which means that we do not have direct or immediate access to their identifiable personal data (except, for example, to comply with legal requirements such as those related to our pharmacovigilance obligations).
We would have a legitimate interest in using information related to your health for research studies when you agree to take part in a research study by providing your informed consent to participate. Our exception to the general provision at Article 9(1) of the GDPR not to process special categories of data is that processing is necessary for scientific research purposes in accordance with Article 89 of the GDPR. This means that we will use your personal data collected in the course of a research study when we act as the data controller for such studies in the ways needed to conduct and analyze the research study. Your rights to access, change or move your personal data may be limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use only the minimum personal data needed for these purposes.
In addition, the personal data of potential and actual site investigators, employees or contractors may also be collected directly by Spyre or through the CRO that we may work with and is typically used, for example, to verify the individual’s qualifications, satisfy documentation requirements for the purpose of the clinical trial, to verify financial disclosures to avoid any conflict of interest and to otherwise conduct and analyze the research study.
Please see the "How We Use Your Personal Data" section of this Supplemental Statement above for additional information about the collection and use of personal data.
Spyre is based outside the EEA and the UK, so the processing of your personal data may involve a transfer of data outside the EEA or the UK.
Whenever we transfer your personal data out of the EEA or UK, we ensure an adequate and similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
This section provides information on the rights that you have under EEA or UK law in relation to your personal data. Under certain circumstances, individuals located in the EEA or UK have the following data protection rights:
To exercise any of the rights described above, please send a message to privacy@spyre.com. Please be aware that your rights in relation to clinical research data may be limited.
For advice or to make a complaint, you can also contact the applicable Supervisory Authority within the EEA at this link (https://edpb.europa.eu/about-edpb/board/members_en) or the Information Commissioner's Office within the UK at this link (https://ico.org.uk/make-a-complaint/).
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive or excessive.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests in a timely fashion and as may be required by applicable law. Occasionally it may take us longer than usual if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.