Website Privacy Notice

Last Updated: September 12, 2023

This Privacy Notice applies to the processing of data related to the use of the website of www.astriatx.com (hereinafter "the Website").

Astria Therapeutics, Inc. (hereafter “Astria”, “we”, or “us”) respects the privacy of all individuals who visit our website. This Privacy Notice sets forth our practices regarding the collection, use and disclosure of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a natural person, such as a name, postal address, e-mail address, telephone number, that you may provide through your use of the Astria website.

Astria Therapeutics, as the Controller of the personal data, has committed to comply with:

Collectively referred to as "Data Protection Laws". All terms relating to data protection must be interpreted in the light of GDPR.

With this Privacy Notice, Astria wants to make sure that you understand what personal data is collected about you, how your personal data is used and how it is kept safe.

General warning and use of social media

Access to the Website implies your full and unreserved acceptance of this Privacy Notice (hereinafter the “Notice”), as well as its general terms of use and the Cookies Notice.

You acknowledge having read the information below and authorize Astria to process, in accordance with the provisions of the Notice, the personal data that you communicate on the Website.

The Notice is valid for all pages hosted on the Website. It is not valid for the pages hosted by third parties to which Astria may refer and whose privacy policies may differ. Astria cannot therefore be held responsible for any data processed on these websites or by them. This Notice also applies to any other website that Astria may operate, including our Company pages on Facebook, X (formerly known as Twitter), Instagram, LinkedIn, YouTube, and TikTok.

Please note that for the use of social media, Astria will be Joint-Controller with Facebook, X, Instagram, LinkedIn, YouTube and TikTok only for the following activities: accessing and processing statistical aggregate data provided by social media platforms used. For any other processing on the platforms, social media platforms shall be considered as the sole Data Controllers except for publications published by Astria when they contain personal data.

YouTube, TikTok, Facebook, including Instagram, and LinkedIn have created an "addendum" to their user agreements for company pages for the processing for which they are Joint-Controllers with us. Such agreement is not currently provided by X.

1. Why, how and for how long do we collect your personal data?

Depending on the purpose for which we process your personal data, we need to process one or another type of personal data. We will keep them for no longer than necessary to fulfill the purposes for which we collected them, including any legal requirements.

Depending on each case, the processing will therefore be as follows:

Purpose: To answer your queries (e.g. questions regarding Astria’s Expanded Access policy)

Types of personal data: Name, email address, telephone number. Please note that other Personal Data may be processed by Astria depending on your request and the information you provide us (including any attachment).

Legal basis: This processing is based on our legitimate interest in answering the requests or queries raised by you through the existing different contact channels, when you choose to submit your personal data to us, including through our contact, investor or career pages. We understand that the processing of these data is also beneficial to you to the extent that it enables us to assist you adequately and answer the queries raised.

Retention period: We will process your data for the time necessary to meet your request.

Purpose: To send you newsletters

Types of personal data: Name, email address

Legal basis: This processing is based on your consent. You may unsubscribe from the Newsletter at any time without any cost.

Retention period: We will process your data until you unsubscribe or cancel your subscription to the Newsletter.

Purpose: For job application

Types of personal data: Name, email, address, CV, background

Legal basis: This processing is then based on our legitimate interest for the purpose of our recruitment process in order to administer and review job applications. We understand that the processing of these data is also beneficial to you to the extent that it enables you to get a job by providing a spontaneous application or answering an offer.

Retention period: We will process your data for the time necessary to manage your application. Currently applications are only open to US residents. You can unsubscribe by emailing Astria.

Purpose: For statistical purposes

Types of personal data: Aggregate statistical data (e.g., Company page on Twitter, Facebook, Instagram, LinkedIn)

Legal basis: We consider that we have a lawful interest in understanding the way our page is visited (e.g., how many times our page is consulted, from which country, ...)

Retention period: Statistical information is stored by X, Facebook, Instagram, LinkedIn, TikTok, YouTube, and consequently subject to their retention policy. We may export statistical reports, but we guarantee that this is only in an anonymous form.

Purpose: Use of cookies for the functioning and managing of our website

Types of personal data: Cookies may store in certain circumstances personal data which may include: IP addresses, browser type, location, operating system, etc.

Legal basis: Please see our Cookies Notice for more information.

Retention period: Please see our Cookies Notice.

2. Data Sharing

We do not sell or trade your personal data to outside parties.

We may provide your Personal Data to our subsidiaries. We may also provide your Personal Data to third party service providers and suppliers who work on behalf of or with us to provide you with some of the services and features of our Website and to help us communicate with our users. However, these service providers and suppliers do not have any independent right to use this Data except to help us provide our Website to you. Astria has contracted with the following Service Providers to manage the Website that may have access to your personal data:

Please note that individual consultants may also have access to data when there is a need to help Astria to answer the emails. Astria shall ensure that consultants process your data exclusively for that purpose and in compliance with applicable data protection laws.

Sharing your personal data as explained above may involve a transfer of personal data to a country outside the European Economic Area (EEA). Astria is therefore committed to complying with the transfer rules under applicable Data Protection Laws and therefore ensure to:

You can contact our DPO (see contact details below) if you want to have more details about the mechanism supporting data transfer.

Other than our subsidiaries, we do not currently have a parent company, joint ventures, or other companies under common control (collectively, “Affiliates”). We may have additional Affiliates in the future, in which case we may share some or all of your personal data with these Affiliates and our Affiliates will, in turn, be required to honor this Privacy Notice.

In the event Astria goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal data will likely be among the assets transferred. You acknowledge that such transfers may occur, and that any acquirer of Astria or its assets may continue to use your personal data consistent with this Privacy Notice.

We may disclose information we have collected from and about you (including personal data) if we believe in good faith that such disclosure is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants served on us; (b) to enforce any agreement we may have entered into with you and to enforce the Privacy Notice; or (c) to protect and defend the rights or property of us, other users of our Website, or third parties.

3. How do we protect your information?

Astria is committed to protecting the security and privacy of your information stored by implementing standard security safeguards. Astria treats your personal data in a confidential manner and provides for a sufficient and adequate level of protection of your personal data.

Your personal data are contained behind secured networks and are only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential.

However, no company, including Astria, can fully eliminate security risks associated with Personal data. Therefore, while Astria uses reasonable efforts to protect your Personal data, we cannot guarantee its absolute security but we are committed to putting all necessary measures in place to mitigate and solve the risks.

4. Your rights

According to the GDPR, you have the following rights:

Please note that all these rights are not absolute and will be assessed on a case-by-case basis by our Data Protection Officer. If you would like to exercise your rights, please let us know by contacting our DPO (see contact details below).

You also have the right to lodge a complaint if you consider that your personal data is not processed in accordance with the GDPR.

If you are an EEA or a UK resident: You have the right to lodge a complaint with the Data Protection Authority in the Member State of the European Union of your habitual residence, place of work or place of the alleged infringement.

Please find the contact information of all Authorities in the "Contact Us" section of this Policy.

5. Children’s Privacy Protection

We do not intentionally collect or maintain data from persons under the age of 13. If you are under the age of 13, you should not use this Website or submit any personal data to this Website. If we receive personal data that we discover was provided by a child under the age of 13, we will attempt to delete the data as soon as possible. Please contact us at privacy@astriatx.com if you believe that any Personal Data has been submitted to us without parental or guardian consent.

6. Changes to this Privacy Notice

This Notice is effective as of the date stated at the top of this page. We may change this Notice from time to time. Please refer back to this Notice on a regular basis.

In the event we make material changes to this Privacy Notice, we will include a notification to that effect on the Website. Your continued use of the Website following any such revision constitutes your understanding and acceptance of these changes.

Contact Us

Please contact us at the address, phone or fax numbers provided below if you have any questions about this Privacy Notice.

Astria Therapeutics, Inc.
75 State Street
Suite 1400
Boston, MA 02109
+1 617.349.1971
+1 617.273.2637 (fax)

Please note that communications to this email address will not constitute legal notice to us or any of our officers, employees, agents or representatives in any situation where notice to us is required by contract or any law or regulation.

Data Protection Representative
Astria named MyData-TRUST France, Valpark – rue Louis Duvant, 1 – 59220 Rouvignies (FRANCE) to be its Data Protection Representative in the EU as required by law.

Data Protection Officer
UK/EU Residents: privacy@astriatx.com
Non-UK/EU Residents: USPrivacy@Astriatx.com

For EU Data Protection Authorities
https://edpb.europa.eu/about-edpb/about-edpb/members_en

For UK Data Protection Authority:
Information Commissioner’s Office (ICO)
https://ico.org.uk/