Privacy Commitment
Last Updated: January 29, 2024
Incyte Corporation (including its affiliates in its worldwide group of companies) (collectively, “Incyte,” “we” or “us”) honors its trusted relationships with patients, healthcare professionals, caregivers, consumers, employees and business partners by being transparent about how we collect, use, share, transfer and retain personal information when you visit one of Incyte’s websites, mobile applications or social media accounts¹. We encourage you to explore this webpage, and the webpages and policies to which it links, in order to learn more about our privacy practices.
¹ While this commitment sets forth the general privacy principles under which Incyte operates, some of our websites, mobile apps and social media accounts contain specific privacy policy information that relates to that particular media. Please consult this information where available.
Click below to access our privacy notices/policies relating to the areas identified.
Job Candidates
Learn what we do with your personal information when you apply for a job at Incyte.
Study Participants
Learn what we do with your personal information when you are in an Incyte-sponsored clinical trial or other research project.
Non-Research Patients
Learn what we do with your personal information when you use an Incyte drug.
Healthcare Professionals
Learn what we do with your personal information when we interact with you as a healthcare professional.
English (CA) View PDF
English (EU) View PDF
English (UK) View PDF
English (US) View PDF
Danish View PDF
Dutch View PDF
Finnish View PDF
French View PDF
German View PDF
Italian View PDF
Japanese View PDF
Mandarin (China) View PDF
Mandarin (Taiwan) View PDF
Norwegian View PDF
Portuguese View PDF
Spanish View PDF
Swedish View PDF
Business Contacts
Learn what we do with your personal information when you interact with us in the course of business.
When you provide your personal information to us, we take technical, physical and organizational measures to protect it from misuse or unauthorized alteration, loss or access consistent with applicable privacy and data security laws. However, no Internet transmission is ever 100% secure, so we cannot guarantee the security of the personal information you transmit to our websites or mobile applications and any transmission is at your own risk.
Third-Party Websites: If one of our websites contains links to other websites controlled by third parties, including social media, you should be aware that we are not responsible for the privacy practices of those or any other third-party sites and they are not covered under this privacy policy. If you have questions about how those websites collect and use your personal information when you visit them, you should carefully read the privacy policies of those websites. Our advertising partners may collect information about your use of our websites and apps through cookies, web beacons and similar technologies to display advertisements that are tailored to your interests on other websites and services. We are not responsible for the privacy practices of these advertising partners, we do not exchange information with them for money or anything of value, and this privacy policy does not apply to those websites. You agree that we are not responsible for the availability of such websites and do not review or endorse and shall not be liable, directly or indirectly, for:
- How these websites treat your personal information
- The content of such websites
- The use that others make of these websites
User Age Requirements and Children’s Privacy: Incyte does not knowingly collect personal information directly from minors—persons under the age of 13 or another age of a minor as defined by the applicable law of your jurisdiction—other than when required to comply with the law or for safety or security reasons. If you are a parent or guardian of a minor who has provided personal information without your knowledge or consent, you may submit a request to remove the minor’s information by emailing us at privacy@incyte.com. If we become aware that anyone under the age of 13 has submitted personal information to our site, we will delete it and we will not use it for any purpose whatsoever.
Cookies: When you visit one of our websites, basic information is passively collected through your browser via use of tracking technologies (or “Cookies”) which utilize various files sent from our servers to your computer hard drive. Some Cookies are mandatory and strictly necessary in order to make the website work and some are optional and placed with your consent. You can learn more about Incyte’s collection of Cookies in our Cookie Policy².
Google Analytics: Google Analytics is a service provided by Google, Inc. (“Google”). We use Google Analytics to collect statistics in order to improve our websites. Google Analytics collects and provides to us:
- The domain name and IP address from which you accessed our site
- The type of browser and operating system you use
- The date, time and length of your visit
- The specific page visited, graphics viewed and any documents downloaded
- The specific links to other sites you accessed from our site
- The specific links from other sites you used to access our site
In addition to using Cookie Settings you can selectively disable Google Analytics by installing the opt-out component provided by Google on your browser.
We use the personal information that Google Analytics collects to compile generic reports about popular pages on our website and to see how you (and other customers and followers) are accessing our website. We then use those reports to administer the website, make your activities more convenient and efficient, and to enhance the functionality of our website, such as by remembering certain details of your information and thereby saving you time³.
Mobile Device Information: If you access an Incyte website from a phone or other mobile device, the mobile services provider may transmit uniquely identifiable mobile device information to us, which allows us to then collect mobile phone numbers and associate them with the mobile device identification information. Some mobile phone service providers also operate systems that pinpoint the physical location of devices, and we sometimes receive this information as well. We use this information in the same way that we use personal information collected by Google Analytics as described above.
Social Plug-Ins: This website may use social plug-ins (e.g., the Facebook “Like” button) to enable you to easily share information with others. The social plug-in may place a cookie on your computer which enables the social media website to see who previously visited our website. The social plug-in also allows that social media website to receive information about your visit to particular pages on our website if you have logged into that social media before visiting us. The social plug-in may also allow the social media website to share information about your activities on our websites with other users of their site. Incyte does not collect or process personal information from these plug-ins. For further details about the information shared via a particular social media plug-in, you should refer to the social media site’s privacy policy.
Voluntarily Submitted Information: If you participate in certain activities on our websites, mobile applications or social media accounts, you may need to provide us with personal information such as your name, email address, mailing address, phone number or fax number. For example, if you choose to send us an email or fill out an online form, you are voluntarily providing personal information to us. We do not sell, rent or trade voluntarily submitted personal information with third parties. If you choose not to provide your personal information, you may not be able to participate in those activities; however, you will still be able to access information available on the website to the general public.
² Please note that certain applicable laws place limitations on the use of certain cookies. Please refer to the annex at the end of this Privacy Policy for the country in which you live for more information.
³ For more information about Google Analytics, please refer to the links below:
- Google Analytics Opt-out Browser Add-on
- Google Analytics Support
- My Account Google Analytics
- Learn more about Google Analytics and Privacy. Please note that certain applicable laws place limitations on the use of Google Analytics. Please refer to the annexes at the end of this Privacy Policy for the country in which you live
Your personal information will be used for the purposes listed below.
Categories of PI Collected
Applicable Categories of Individuals
Name, Contact Information and Unique Identifiers: Identifiers, such as a real name, alias, postal address, telephone number, unique personal identifier, online identifier, device ID, Internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers—as well as demographic information—such as date of birth, place of birth, country of residence, income, family size etc., and an individual’s written or digital signature.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators, Site Staff and Participants
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Financial Information: Bank account number, credit or debit card number, credit reports, background checks or other financial information.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators
Medical Information: Any information in possession of or derived from yourself, a healthcare provider, a healthcare insurer, a healthcare service plan, a pharmaceutical company or a contractor regarding an individual’s medical history, mental or physical condition, or treatment. This includes an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in the individual’s application and claims history (including prescription information).
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Participants
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Protected Characteristics: Characteristics of legally protected classifications such as race, gender, age, nationality, physical or mental disability, and religion.
Employees
Candidates for Employment
Clinical Trial Participants
Patients
Purchase History and Tendencies: Information regarding products or services purchased, obtained or considered.
Healthcare Providers
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Biometric Information: Physiological, biological, or behavioral characteristics that can establish an individual’s identity, including DNA, face, iris or retina imagery, fingerprint, voice recordings and sleep, health or exercise data that contain identifying information.
Employees
Contractors
Clinical Trial Participants
Patients
Customers
Network Activity: Internet or other electronic network activity information, such as browsing history, search history and information regarding an individual’s interaction with an internet website, application or advertisement. Includes analytics evaluation and cookies.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators and Site Staff
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Geolocation Data: Precise geographic location information about a particular individual or device.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Electronic and Sensory Data: Audio, electronic, visual or similar information (e.g., a recording of a customer service call or a profile photograph).
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators, Site Staff and Participants
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Education and Professional Information: An individual’s academic information and records, licenses, professional or employment-related information and professional interactions with Incyte.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators, Site Staff and Participants
Website Visitors
Inferences: Inferences drawn from any of the information listed above to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Employees
Candidates for Employment
Contractors
Healthcare Providers
Clinical Trial Investigators, Site Staff and Participants
Patients
Customers
Website Visitors
Caregivers
Authorized Representatives
Households
We and our service providers collect personal information in a variety of ways, including from:
- You directly or an authorized representative
- Government entities
- Public records
- Research partners
- Data resellers
- Marketing vendors
- Business service providers
We use your personal information for the purposes we have described below in this Privacy Policy or for purposes which are reasonably compatible with the ones described. We will not use it for other purposes without your permission unless we have a legal obligation to do so.
To manage our relationship with you4.
We will use your personal information:
- To respond to your requests
- To improve our level of service
- To provide our products and services to you
- To promote our products and services
- To manage your account, if necessary
- To provide you with information when you request it, or when we believe it may be of interest to you
- To invite you to provide your views on our products and services, participate in research or attend events
- To report any product adverse events that you notify us about
- To consider your application for employment
- To perform analytics and understand your preferences
- To provide access where required to our sites and facilities
- To gain insights and feedback on our products and services in order to correct or improve them, by analyzing information from external sources such as Google, Facebook and Twitter (and others)
- For our own administrative and quality assurance purposes
- For other purposes that may be detailed on a website or mobile application which will be described at the time the information is collected
To manage and improve our processes and our business operations.
We will use your personal information:
- To manage our network and information systems' security
- To manage our workforce effectively
- To prepare and perform management reporting and analysis, including analytics and metrics
To achieve other purposes.
We will use your personal information:
- To follow applicable laws and regulations
- To respond to lawful requests from competent public authorities
- To tell you about changes to our terms, conditions and policies
- To exercise or defend Incyte against potential, threatened or actual litigation
- To protect Incyte’s or your vital interests, or those of another person
- To disclose any transfers of value made to you in relation to expert services that you provide to us
- For the purpose of authorship of a scientific publication
- To respond to and handle your queries or requests
- When we sell, assign or transfer all or part of our business
4Marketing Opt-in: In some locations, by law you must opt-in before receiving materials such as newsletter or product alerts via text or email from us. Once you have opted-in, if you then decide you don’t want to receive such materials, you may opt-out at any time by following the opt-out instructions below.
Marketing Opt-out: If applicable law does not require your opt-in, you may still opt-out of receiving materials such as newsletter or product alerts by following the opt-out instructions in the email or other communication, or the opt-out details provided to you through the applicable program. You may also opt-out by accessing our data subject request form or by emailing privacy@incyte.com. When we receive your opt-out request, we will take reasonable steps in a timely manner to remove your name from our distribution lists. However, it may take a period of time to remove your name from our lists after your request and therefore you may still receive materials for a period of time after you opt-out.
Incyte is committed to ensuring that our communications are accessible to individuals with disabilities. To submit accessibility-related requests or report barriers to accessibility, please use the contact information below.
Incyte Corporation
Attention: Global Data Privacy Officer
1801 Augustine Cut-Off
Wilmington, Delaware 19803
USA
privacy@incyte.com
For EU, UK and Swiss Residents please contact:
Incyte Biosciences International Sàrl
Attention: Data Protection Officer
Rue Docteur-Yersin 12, 1110, Morges,
Switzerland
privacy@incyte.com
We share your information in the manner and for the purposes described below:
- We engage third-party companies to provide us with website, hosting, content development and marketing services either to help us in our business, or to perform functions we would otherwise perform ourselves. These companies will have incidental access to your information, including your personal information, as part of the work they perform
- We may share information with regulators, which may include data protection authorities, and with courts and law enforcement to comply with all applicable laws, regulations and rules and requests of law enforcement, regulatory and other governmental agencies
- We may share in an aggregate, statistical form, information that is not considered personal information, about the visitors to our website, traffic patterns and website usage with our advertising partners (including social media sites such as Facebook, Twitter, LinkedIn and YouTube, etc.)
- If, in the future, we sell or transfer some or all of our business or assets to a third party, or invite investment in our company, we may disclose information to a potential or actual third-party purchaser of our business or assets
Incyte will keep your personal information for as long as needed or permitted for the purpose(s) for which it was obtained and consistent with applicable law. In some cases, we may also retain your personal information in order to resolve queries or disputes that may arise from time to time.
As technology improves the efficiency of our organization and activities, it may also increase our risk. Incyte has a robust Cybersecurity program, with a comprehensive suite of tools and processes. These include technical and administrative safeguards such as penetration testing, vulnerability assessment and remediation; privacy and cybersecurity assessment of business partners; end-to-end security tools; cloud security and protection mechanisms for patient data and intellectual property. Incyte also focuses on regularly improving cybersecurity awareness among employees and contingent workers through mandatory cybersecurity training during orientation, annual refreshers and “Cybersecurity Awareness Month” activities, which are supplemented by periodic phishing simulation testing campaigns with additional training for users who do not pass the tests.
Depending on where you are located, you may have certain rights regarding your personal information under applicable privacy and data protection laws (including but not limited to the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) (collectively, "Privacy Laws")
If you wish to exercise your rights, please complete the information in this data subject request webform. Upon receipt of the completed form, we will process your request within the timelines required under applicable privacy laws. If additional information is necessary to process your request, we will contact you using the contact information that you provide in the data subject request form.
The information that you provide in connection with your request will be processed solely for the purpose of responding to your request.
If you are a California resident, you may also contact Incyte’s Privacy Office at 1-855-446-2983.
We live in the same connected world you do. Although headquartered in the United States, we conduct business, among other places, in Switzerland and many of the countries comprising the European Economic Area (“EEA”). Since our commitment to transparency and trust in matters of privacy does not end at the U.S. border, for information transferred from those countries to our United States operations, we comply with the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. You can verify our good standing under these Frameworks by searching our name here.
This Data Privacy Framework Statement sets forth the privacy principles Incyte follows in connection with the transfer and protection of personal information from the European Economic Area (“EEA”) and Switzerland to the United States, in addition to the EU and Swiss Standard Contractual Clauses we have with third parties and our Intragroup Data Transfer Agreement between our affiliates that provide the actual basis for these data transfers. The EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework were developed to provide U.S. organizations with a means of satisfying the requirements under the EU Directive on data protection and Article 6 of the Swiss Federal Act on Data Protection respectively, and Incyte continues to abide by these Frameworks while not using them as the basis for our data transfers.
Consistent with Incyte’s goal to protect personal privacy, Incyte is fully committed to complying with the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from EEA member nations and Switzerland to the United States. Incyte has certified to the Department of Commerce that it adheres to both the EU-U.S. and Swiss-U.S. Data Privacy Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability as set forth below (the “Principles”). The United States Federal Trade Commission (FTC) has jurisdiction over our compliance with the Data Privacy Framework and we are subject to the FTC’s investigatory and enforcement powers. Information regarding the Data Privacy Framework program and evidence of our certification can be found by visiting https://www.dataprivacyframework.gov/s/.
This Data Privacy Framework Statement is effective as of October 1, 2023, and has not been amended since that date.
Scope
This Data Privacy Framework Statement governs all personal information received by Incyte in the United States from Incyte’s operations and business partners in the EEA and Switzerland. As used in this Data Privacy Framework Statement, “personal information” has the meaning given to it under the applicable local law of the country from which it was originally collected. Generally, it means information that identifies or can directly or indirectly lead to the identification of an individual, including such things as an individual’s name, address, telephone number, fax number, email address, social security number and date of birth.
Data Privacy Framework Principles
The Data Privacy Framework is predicated on seven core Principles:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
We adhere to and have implemented policies and procedures regarding these core Principles in the following ways:
Notice. Herein we disclose our participation in the Data Privacy Frameworks and our commitment to subject to the Principles all personal data received from the European Economic Area and Switzerland in reliance on the Data Privacy Frameworks. When we collect personal information from individuals in the EEA and Switzerland, we tell them in clear and conspicuous language about the types of personal information being collected, the purposes of our collection and the nature of our intended uses, the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements and, where applicable, we tell them about the U.S. entities or U.S. subsidiaries of the organization also adhering to these Principles. We also advise them of the types of third parties—such as vendors with cloud-based software licensed in support of our operations and clinical research organizations—to whom we further disclose such information, the purposes for which we disclose to such third parties, and the choices and means, if any, we offer for limiting use and disclosure, as well as how to contact us with inquiries or complaints, including any relevant establishment in the European Economic Area and Switzerland that can respond to such inquiries or complaints and the availability of independent dispute resolution bodies. We use a variety of different context-specific means to provide such policy information. For instance, in our research activities, we use industry-standard informed consent forms.
Choice. We will offer those individuals whose personal information we have collected a choice. They may “opt-out” to having their personal information disclosed to third parties and/or used for purposes other than for the purposes for which it was originally collected or subsequently authorized. For the types of personal information that the laws of Switzerland and the EEA countries deem “sensitive,” rather than having to opt-out after the fact, we afford affected individuals, at the time of collection, an opportunity to “opt-in” and specifically consent to have their information disclosed to third parties or used for purposes other than those for which it was originally collected or subsequently authorized. Just as we do in fulfilling our Policy obligations, we use a variety of different, context-specific means to provide the choices described here or otherwise required by the Data Privacy Framework.
Accountability for Onward Transfer. Our accountability for the personal information we receive and subsequently transfer to third parties is described in the Privacy Framework Principles. In summary, we remain responsible and liable under the Privacy Framework Principles if third-party agents that we engage to process your personal information on our behalf do so in a manner inconsistent with the Principles, unless we can prove that we are not responsible for the event that gives rise to any harm you may incur.
Security. At a minimum, we take reasonable and appropriate precautions to protect the personal information in our possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation. We only use the personal information we collect in ways that are consistent with the purposes for which it was originally collected or for which we subsequently obtained authorization from the affected individuals. We take reasonable steps to ensure that the information is reliable for its intended use, accurate, complete and current. To accomplish this, we necessarily rely on individual data subjects to exercise their Access rights to keep us apprised of any changes in their personal information.
Access. If an individual from whom we have collected data writes to us and asks to have access to their personal information, we will take all reasonable steps to ensure such access is granted. Obviously, the relevant information must be in our possession or under our reasonable control for us to do so. Once such access is granted, affected individuals have the right under the Data Privacy Framework to have us correct, amend or delete their information where it is determined to be factually inaccurate. There are, however, certain limitations to an individual’s rights to such access. These include situations where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.
Recourse, Enforcement and Liability. We implement processes and procedures to verify our compliance with this Data Privacy Framework Statement. If individuals believe that we are not compliant, or if they have other complaints related to this Data Privacy Framework Statement or our conduct under it, we encourage those individuals to contact us using the contact information listed at the end of this Data Privacy Framework Statement. We commit to investigate and attempt to remedy all such valid complaints.
Dispute Resolution. In compliance with the EU-U.S. and Swiss-U.S. Data Privacy Framework Principles, Incyte commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Incyte at:
Global Data Privacy Officer
1801 Augustine Cut-off
Wilmington, Delaware 19803
USA
privacy@incyte.com
For EU, UK and Swiss Residents please contact:
Incyte Biosciences International Sàrl
Attention: Data Protection Officer
Rue Docteur-Yersin 12, 1110, Morges,
Switzerland
privacy@incyte.com
Incyte has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints [bbbprograms.org] for more information and to file a complaint. This service is provided free of charge to you.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Data Privacy Framework Panel.
Additionally, for disputes involving human resources data, Incyte cooperates and complies with the EU Data Protection Authorities and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, with respect to such data.
Limitation of Principles
Adherence to this Data Privacy Framework Statement may be limited to the extent required to satisfy legal obligations (including, but not limited to, subpoenas and court orders) and/or meet national security, law enforcement or public interest requirements. We may be required, under certain circumstances, to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. The law also provides certain express exceptions and variations to our obligations under this Data Privacy Framework Statement. For instance, some of the access and consent principles are modified for pharmaceutical companies like us who use personal information to engage in ongoing research for the good of the public health.
Changes to this Data Privacy Framework Statement
We reserve the right to change or update this policy from time to time. Please check our site periodically for such changes since all information collected is subject to the policy in place at that time. Typically, we will indicate the effective/amendment date at the beginning of this policy. If we feel it is appropriate, or if the law requires, we will also provide a summary of changes we have made near the end of a new policy.
Contacting Us
If you have questions about this Data Privacy Framework Statement, our privacy practices, or would like to submit a complaint, please contact our Privacy Office:
Incyte Corporation
Attention: Global Data Privacy Officer
1801 Augustine Cut-off
Wilmington, Delaware 19803
USA
privacy@incyte.com
For EU, UK and Swiss Residents please contact:
Incyte Biosciences International Sàrl
Attention: Data Protection Officer
Rue Docteur-Yersin 12, 1110, Morges,
Switzerland
privacy@incyte.com
In addition to the general policies above, Incyte follows all privacy laws in the markets where it operates, including but not limited to the below.
Canada
Quebec
If you are a resident of Quebec, please read this section.
Scope of Policy
This Policy applies to Incyte Biosciences Canada Corporation and any other affiliates from time to time (collectively, Incyte Biosciences Canada Corporation or “we” or “us”) in respect to processing activities that are subject to federal and provincial privacy legislation.
Accountability
Incyte Biosciences Canada Corporation is responsible for personal information under its control. We have designated a Privacy Officer who is responsible for Incyte Biosciences Canada Corporation compliance with this Policy. Incyte Biosciences Canada Corporation will, on request, provide information regarding its complaint procedures.
For further information about our Privacy Policy, please use our data subject request webform or you may contact:
Nicholas Apruzzi, Canada Privacy Officer
1801 Augustine Cut-off
Wilmington, Delaware 19803
USA
privacy@incyte.com
European Economic Area (EEA), United Kingdom and Switzerland
If you live, work or travel in the EEA, Switzerland or the United Kingdom (UK)—or visit an EEA, Swiss or UK website—please read this section to learn more about the General Data Protection Regulation (GDPR) or UK Data Protection Act and how it applies to the personal data collected and used by Incyte as described in this Privacy Policy.
Your personal information will be used for the purposes listed below. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis, as described below, to do so. The legal basis we rely upon may impact which rights you have in relation to your personal information (see section below on those rights for more details).
Purpose
Legal Basis
Responding to your queries submitted to Incyte's contact details by email, telephone or mail.
Legitimate interest in responding to voluntarily submitted queries.
Using authorized features and apps to post or upload messages, comments, screen names, files and other materials. These features include comment fields on our content posted on and use of social media sites such as Facebook, Twitter, YouTube, LinkedIn, Pinterest, Instagram and any of the many other available external third-party social media platforms, as well as mobile or other apps we’ve created and distributed to let our customers and followers view our site or otherwise interact with our content.
Performance of a contract (relevant user terms) or legitimate interest in providing features which allow for user submitted content.
Sending you our newsletter, promotional materials or other materials.
Consent or, where permissible by law, Incyte’s legitimate interest in providing the information.
Enhancing your experience on our website through the processing of automatically collected information.
Consent or, where permissible by law, legitimate interest in providing a personalized user experience.
Improving the functionality of the website for the benefit of all users.
Legitimate interest in providing improved functionality to the benefit of all users.
Where we rely upon a "legitimate interest" as our legal basis, we make sure that our interest is not outweighed by any impact on your rights and freedoms. We do this by using your personal information in a way which is proportionate and respects your privacy.
WHERE IS YOUR PERSONAL INFORMATION USED OR STORED?
We may transfer your personal data to other countries outside of your location. Your personal data may be transferred:
- To Switzerland and Japan: Switzerland and Japan are considered as providing adequate data protection standards by the European Union (for further details, see here)
- To other countries where data protection standards have not been determined to be adequate by the European Union: these countries include the United States, India, and China. In these cases, we will ensure that any recipients of your personal data are bound by contract to the European, Swiss and UK data protection standards
Google Analytics. Incyte does not use Google Analytics in countries where the respective Data Protection Authority has deemed it unlawful.
Cookies. Incyte uses only Strictly Necessary cookies in countries where the respective Data Protection Authority has deemed other categories of cookies are unlawful, example being France.
WHAT ARE YOUR RIGHTS?
You have a number of rights which apply to our use of your personal data. The availability of some of these rights depends upon our lawful basis for processing your personal data, and your rights may also be subject to certain conditions and restrictions. Your rights may include:
- To obtain access to your personal data together with information about how and on what basis that personal data is processed
- To rectify inaccurate personal data (including the right to have incomplete personal information completed)
- To erase your personal data in limited circumstances where it is no longer necessary in relation to the purposes for which it was collected or processed
- To restrict processing of your personal data where:
- the accuracy of the personal data is contested
- the processing is unlawful but you object to the erasure of the personal data
- we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defense of a legal claim
- To challenge processing which we have justified on the basis of a legitimate interest
- To object to decisions which are based solely on automated processing (to the extent that these are taken) and to restrict processing based on your objection
- To obtain a portable copy of your personal data or to have a copy transferred to a third-party controller
- To obtain more information as to safeguards under which your personal data is transferred outside of the EEA (if relevant)
- To lodge a complaint with the data protection/supervisory authority noted below
We may ask you for additional information to confirm your identity and for security purposes before disclosing the personal data requested to you.
WHO CAN YOU CONTACT REGARDING YOUR RIGHTS?
Data Controller: The entity that determines why and how your personal data is processed is called a Controller. For online visitors, this is the Incyte organization or affiliate whose website you are visiting. A list of all Incyte companies is available here. For Incyte organizations or affiliates located outside of the EEA, Incyte has elected Incyte Biosciences Benelux BV as its legal representative.
Data Protection Officer Incyte: privacy@incyte.com
Data Protection Authority/Supervisory Authority: The Data Protection Authority/Supervisory Authority for the processing of your personal data is the authority located in the country of the Incyte organization or affiliate whose website you are visiting or the country where you live, work, or the place of the alleged infringement. More information about how to contact these authorities in the European Union can be found here. For Switzerland information, please visit the office of the Federal Data Protection and Information Commissioner. For United Kingdom information, please visit the Information Commissioner’s Office (ICO).
United States
Supplemental U.S. State Privacy Notice
If you are a resident of California, Connecticut or Washington, please read this section to learn more about state privacy laws and how they apply to the personal information collected and used by Incyte as described in this Privacy Policy.
This Supplemental U.S. State Privacy Notice (“Supplemental Notice”) applies only to information collected about Consumers of U.S. states with comprehensive privacy legislation that requires provision of a privacy notice. Specifically, it provides information required under comprehensive state privacy legislation in California and Connecticut that apply to Incyte’s activities, (collectively, “U.S. Privacy Laws”).
This notice also includes additional disclosures for compliance with the Washington My Health My Data Act that applies to Incyte’s activities. These disclosures are included at the end of this Supplemental Notice. The remaining portions of this Supplemental Notice do not apply to Washington consumers.
This Supplemental Notice describes Incyte Corporation (including its affiliates in its worldwide group of companies) (collectively, “Incyte,” “we” or “us”) practices regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject rights requests. This Supplemental Notice is parallel in scope to our notices above.
Some portions of this Supplemental Notice apply only to Consumers of particular states. In those instances, we have indicated that such language applies only to those Consumers.
Please note that this Supplemental Notice does not apply to individuals with whom we interact in an employment-related context or a business context. For our disclosures applicable to California Consumers with whom we interact in those contexts, please see our Job Candidates and Business Contacts notices above.
During the past 12 months we may have engaged in delivering online advertising that was tailored to your interests, and may have involved the transfer of your device ID and URL to third parties, but we did not disclose data that would identify you by name, address or phone number.
A. Definitions
- "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information includes "personal data" as that term is defined in the U.S. Privacy Laws. Personal Information also includes "Sensitive Personal Information," as defined below, except where otherwise noted.
- "Sensitive Personal Information" means Personal Information that reveals a Consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of email or text messages; and genetic data. Sensitive Personal Information also includes Processing of biometric information for the purpose of uniquely identifying a Consumer and Personal Information collected and analyzed concerning a Consumer’s health, sex life, or sexual orientation. Sensitive Personal Information also includes "sensitive data" as that term is defined in the U.S. Privacy Laws.
- "Third-Party" has the meanings afforded to it in the U.S. Privacy Laws.
- "Vendor" means a service provider, contractor, or processor as those terms are defined in the U.S. Privacy Laws.
To the extent other terms used in this Supplemental Notice are defined terms under the U.S. Privacy Laws, they shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the U.S. Privacy Laws, the definitions applicable to you are those provided in the statute for the state in which you are a Consumer. For example, if you are a California Consumer, terms used in this Supplemental Notice that are defined terms in the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”) shall have the meanings afforded to them in the CCPA as this Supplemental Notice applies to you.
B. Collection & Processing of Personal Information
We, and our Vendors, collect the following categories of Personal Information about Consumers. We also have collected and Processed the following categories of Personal Information about Consumers in the preceding 12 months:
- Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
- Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
- Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
- Commercial information, such as transaction information and purchase history;
- Biometric information;
- Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
- Geolocation data, such as device location;
- Audio, electronic, visual and similar information, such as call and video recordings;
- Professional or employment-related information, such as work history and prior employer;
- Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
- Sensitive personal information, including:
- Personal Information that reveals:
- Social security, driver’s license, state identification card, or passport number;
- Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
- Precise geolocation;
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- Contents of a Consumer’s email and text messages, unless the business is the intended recipient thereof; or
- Genetic data, including Raw DNA sequence data, genotypic and phenotypic information generated from sequence analysis, and self-reported health data submitted to an entity that is analyzed in connection with raw sequence data.
- Biometric data Processed for the purpose of uniquely identifying a Consumer;
- Personal Information collected and analyzed concerning a Consumer’s health conditions, treatment and medications; and
- Personal Information collected and analyzed concerning a Consumer’s sex life or sexual orientation.
- Personal Information that reveals:
C. Purposes for Processing Personal Information
We, and our Vendors, collect, Process, and disclose the Personal Information (excluding Sensitive Personal Information) described in this Supplemental Notice to:
- Operate, manage, and maintain our business;
- Provide, develop, improve, repair, and maintain our products and services;
- Personalize, advertise, and market our products and services;
- Conduct research, analytics, and data analysis;
- Maintain our facilities and infrastructure;
- Undertake quality and safety assurance measures;
- Conduct risk and security controls and monitoring;
- Detect and prevent fraud;
- Perform identity verification;
- Perform accounting, audit, and other internal functions, such as internal investigations;
- Comply with law, legal process, and internal policies;
- Maintain records;
- Exercise and defend legal claims; and
- Otherwise accomplish our business purposes and objectives.
We, and our Vendors, collect and Process the Sensitive Personal Information described in this Supplemental Notice only for:
- Performing the services or providing the goods reasonably expected by an average Consumer who requests those goods or services;
- Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
- Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and prosecuting those responsible for those actions;
- Ensuring the physical safety of natural persons;
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a Consumer’s current interaction with us, provided that we will not disclose the Consumer’s Personal Information to a Third Party and will not build a profile about the Consumer or otherwise alter the Consumer’s experience outside of their current interaction with us;
- Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf;
- Verifying or maintaining the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and improving, upgrading, or enhancing the service or device that is owned, manufactured by, manufactured for, or controlled by us; and
- Collecting or Processing Sensitive Personal Information where such collection or Processing is not for the purpose of inferring characteristics about a Consumer.
Retention of Personal Information. We retain your Personal Information for the period reasonably necessary to provide goods and services to you and for the period reasonably necessary to support our business operational purposes listed in Section C.
D. Categories of Personal Information We Disclose to Vendors & Third Parties
We disclose and have disclosed the following categories of Personal Information to Vendors and Third Parties for a business purpose in the past twelve months:
- Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
- Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
- Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
- Commercial information, such as transaction information and purchase history;
- Biometric information;
- Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
- Geolocation data, such as device location;
- Audio, electronic, visual and similar information, such as call and video recordings;
- Professional or employment-related information, such as work history and prior employer;
- Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information;
- Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
- Sensitive personal information, including:
- Personal Information that reveals:
- Social security, driver’s license, state identification card, or passport number;
- Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
- Precise geolocation;
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- Contents of a Consumer’s email and text messages, unless the business is the intended recipient thereof; or
- Genetic data.
- Personal Information collected and analyzed concerning a Consumer’s health; and
- Personal Information that reveals:
E. Sources from Which We Collect Personal Information
We collect Personal Information directly from Consumers, as well as from joint marketing partners, public databases, providers of demographic data, publications, professional organizations, social media platforms, and Vendors and Third Parties, such as healthcare providers and caregivers, when they disclose Personal Information to us.
F. Categories of Entities to Whom We Disclose Personal Information
- Affiliates & Vendors. We disclose the categories of Personal Information listed in Section B to our affiliates and Vendors for the purposes described in Section C of this Supplemental Notice. Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We generally grant our Vendors access to Personal Information only to the extent needed for them to perform their functions, and we require them to protect the confidentiality and security of such information.
- Third Parties. We may also disclose the categories of Personal Information listed in Section B for the purposes described in Section C of this Supplemental Notice to the following categories of Third Parties. During the past 12 months we may have engaged in delivering online advertising that was tailored to your interests, and may have involved the transfer of your device ID and URL to third parties, but we did not disclose data that would identify you by name, address or phone number.
- At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
- Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
- Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.
G. Data Subject Rights
- Exercising Data Subject Rights. Consumers who reside in states with U.S. Privacy Laws have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. For compliance with California’s and Colorado’s requirements, we provide detailed information below regarding the data subject rights available to California and Colorado Consumers. Consumers who reside in other states with U.S. Privacy Laws have similar rights and can find more details by referencing the U.S. Privacy Law applicable to them.
- Data Subject Rights Disclosure for California Consumers: California Consumers have the following rights regarding our collection and use of their Personal Information, subject to certain exceptions.
Right to Receive Information on Privacy Practices: You have the right to receive the following information at or before the point of collection:
- The categories of Personal Information to be collected;
- The purposes for which the categories of Personal Information are collected or used;
- Whether or not that Personal Information is Sold or Shared;
- If the business collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is Sold or Shared; and
- The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.
We have provided such information in this Supplemental Notice, and you may request further information about our privacy practices by contacting us as at the contact information provided below.
- Right to Deletion: You may request that we delete any Personal Information about you we that we collected from you.
- Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you.
- Right to Know: You may request that we provide you with information about what Personal Information we have collected about you, including:
- The categories of Personal Information we have collected about you;
- The categories of sources from which we collected such Personal Information;
- The business or commercial purpose for collecting, Selling, or Sharing Personal Information about you;
- The categories of Third Parties to whom we disclose such Personal Information; and
- The specific pieces of Personal Information we have collected about you.
- Right to Receive Information About Onward Disclosures: You may request that we disclose to you:
- The categories of Personal Information that we have collected about you;
- The categories of Personal Information that we have Sold or Shared about you and the categories of Third Parties to whom the Personal Information was Sold or Shared; and
- The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
- Right to Opt-Out of the Sale and Sharing of Your Personal Information and Right to Limit the Use of Your Sensitive Personal Information. California residents also have the right to request that their information not be sold for value or transferred to third parties. Incyte does not knowingly sell personal information; however, some third parties may derive an unintended benefit from Incyte’s online advertising. You also have the right to limit the use of your Sensitive Personal Information to the purposes authorized by the CCPA. We do not use Sensitive Personal Information for purposes beyond those authorized by the CCPA, and we have not used Sensitive Personal Information of California Consumers in the preceding twelve months for purposes beyond those authorized by the CCPA.
- Opt-Out Preference Signal. We process opt-out electronic preference signals of California Consumers through functionality in our cookie banner.
- Household. There may be some types of personal information that can be associated with a household (a group of people living together in a single home). Requests for access or deletion of household Personal Information must be made by each member of the household. We will verify each member of the household using the verification criteria explained below. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.
- Right to Non-Discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights.
- Exercising Data Subject Rights. Consumers who reside in states with U.S. Privacy Laws have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. For compliance with California’s requirements, we have provided detailed information herein regarding the data subject rights available to California Consumers. Consumers who reside in other states with U.S. Privacy Laws have similar rights and can find more details by referencing the U.S. Privacy Law applicable to them.
You may exercise the data subject rights applicable to you under the U.S. Privacy Laws by contacting our Privacy Office. Please contact Incyte via our data subject request webform. - Verification of Data Subject Requests. We may ask you to provide information that will enable us to verify your identity in order to comply with your data subject request. Further, when a Consumer authorizes an agent to make a request on their behalf where permitted by U.S. Privacy Laws, we may require the agent to provide proof of signed permission from the Consumer to submit the request, or we may require the Consumer to verify their own identity to us or confirm with us that they provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.
- Non-Discrimination. We will not discriminate against you for exercising your data subject rights. For example, we will not deny goods or services to you, charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.
- Appeals. Consumers of certain states have the right to appeal our decisions on their data subject requests. This section does not apply to California, or to Consumers who reside in other states where the applicable U.S. Privacy Law does not give them the right to appeal Controllers’ decisions regarding data subject rights. To appeal our decision on your data subject requests, you may contact our Privacy Office at privacy@incyte.com or by calling toll free at 1-855-446-2983. Please enclose a copy of or otherwise specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.
H. Other Disclosures
- California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to privacy@incyte.com. Please note that your request does not ensure complete or comprehensive removal of the content or data as, for example, some of your content or data may have been reposted by another user.
- California Shine the Light. California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents to annually request, free of charge, information about the personal information (if any) disclosed to third parties for direct marketing purposes in the preceding calendar year. No information is shared by Incyte with third parties for their own marketing purposes.
- Financial Incentives for California Consumers. We do not provide financial incentives to California Consumers who allow us to collect, retain, Sell, or Share their Personal Information. We will describe such programs to you if and when we offer them to you.
I. Washington My Health My Data Act Disclosures. This section only applies to Consumers as the term “Consumer” is defined by the Washington My Health My Data Act. Terms used in this section that have defined meanings under the Washington My Health My Data Act shall have the meanings afforded to them in those statutes as this section applies to Consumers of that state. We Collect and Share the below categories of Consumer Health Data from Consumers, and we Process such categories of Consumer Health Data for the purposes and in the manners listed in Section C:
- Health conditions and treatment
- Diagnosis diagnostic testing, treatment and/or medication
- Efforts to research services and products
- Biometric data
- Genetic data, including Raw DNA sequence data, genotypic and phenotypic information generated from sequence analysis, and self-reported health data submitted to an entity that is analyzed in connection with raw sequence data
We Collect these categories of Consumer Health Data from the sources listed in Section E, and we Share these categories of Consumer Health Data with the categories of entities listed in Section F. Consumers may exercise their data subject rights, including obtaining access to and requesting changes to their Consumer Health Data, under the Washington My Health My Data Act by contacting us via the methods listed in Section G.
We limit Third-Party Collection of Consumer Health Data over time and across different websites or online services when the Consumer uses our websites or online services. We do this by ensuring that entities whose cookies, pixels, and other online trackers we use on our websites and online services are our Vendors under applicable U.S. Privacy Laws and under the Washington My Health My Data Act. Nonetheless, please note that Third Parties may still be able to Collect Consumer Health Data from you over time and across different websites depending on your browser, browser add-ons, and associated permissions you set on your device. This Collection of Consumer Health Data by those Third Parties is unrelated to Incyte’s Collection of Consumer Health Data from you, and we encourage you to view those Third Parties’ privacy notices for more information about their Processing of Consumer Health Data and the methods they provide to allow you to opt out of such Processing.
J. Changes to our Supplemental Notice.
We reserve the right to amend this U.S. State Privacy Supplemental Notice in our discretion and at any time. When we make material changes to this Supplemental Notice, we will notify you by posting an updated Supplemental Notice on our website and listing the effective date of such updates.
Contact Incyte’s Privacy Office
If you have any questions about our privacy notices or practices, you may contact Incyte's Privacy Office at:
Incyte Corporation
Attention: Global Data Privacy Officer
1801 Augustine Cut-off
Wilmington, Delaware 19803
USA
privacy@incyte.com
For EU, UK and Swiss Residents please contact:
Incyte Biosciences International Sàrl
Attention: Data Protection Officer
Rue Docteur-Yersin 12, 1110, Morges,
Switzerland
privacy@incyte.com