Privacy Policy

Last updated: February 15, 2024

X4 Pharmaceuticals, Inc. and its subsidiaries (“X4”, “we”, “us”, or “our”) recognize the importance of protecting your privacy. This Policy describes how X4 collects, uses, discloses or otherwise processes Personal Information in connection with this Website and any of our other websites, mobile applications, or online services that link to this Privacy Policy (collectively referred to as the “Sites”). If you do not agree with the terms of this Privacy Policy or the Terms of Use, or other terms and conditions on our Sites, then do not use our Sites.

Personal Information We Collect

Information you choose to provide to us. We may collect and store Personal Information that you provide voluntarily when using the Sites or otherwise share with us. This includes:

  • Personal and Business Contact information, such as your first name and last name, postal address, email address, phone number, job title, and employer name;
  • Professional credentials, such as educational and work history, institutional affiliations and other information of the type that would be included on a resume or curriculum vitae;
  • Profile information, such as your username and password, industry, interests and preferences;
  • Feedback and correspondence, such as information you provide when you contact us with questions, report a problem with the Sites, receive customer support, respond to online surveys or otherwise correspond with us;
  • Transaction information, such as details about programs, events or other activities you register for through the Sites;
  • Usage information, such as information about how you use the Sites and interact with us; and
  • Marketing information, such as your preferences for receiving marketing communications.

Any communications relating to clinical trials should be made through the communication channels described in the applicable informed consent, patient information sheet or other instructions provided to clinical trial participants.

Information we collect automatically. We may automatically collect Personal Information about you when you visit any page on the Sites such as site usage information and information about your computer or mobile device. For example, we may record visitors’ host, domain name, pages visited, length of user session, browser type and/or IP address. We collect this information about you using cookies. Please refer to the section entitled Cookies and Similar Technologies below for more details.

How We Use Your Personal Information

We may use your Personal Information for the following purposes:

To operate our Sites. We may use your Personal Information to:

  • Operate, maintain, administer and improve our Sites;
  • Process and manage registrations you make through our Sites;
  • Provide information about our research and development;
  • Communicate with you regarding our programs, events, or activities for which you may have registered, including by sending you technical notices, updates, security alerts, and support and administrative messages;
  • Understand your needs and interests, and personalize your experience with our Sites;
  • Provide support and maintenance for our Sites; and
  • Respond to your service-related requests, questions and feedback.

To send you marketing and promotional communications. We may send you X4-related marketing communications, as permitted by applicable law. You will have the ability to opt out of our marketing and promotional communications as described in the Opt-Out of Marketing section below.

To comply with law. We use your Personal Information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal processes, such as to respond to requests from government authorities.

With your consent. We may use or share your Personal Information with your consent, such as when you consent to let us post your testimonials or endorsements on our Sites, you instruct us to take a specific action with respect to your Personal Information, or you opt into third party marketing communications.

To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your Personal Information. We may use this data and share it with third parties for our lawful business purposes, including to analyze and improve the Sites and promote our business.

For compliance, fraud prevention and safety. We may use your Personal Information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern use of our Sites; (b) protect our rights, privacy, safety or property; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

How We Disclose Your Personal Information

We may disclose your Personal Information to certain third parties in the following circumstances:

  • Affiliates. We may disclose your Personal Information to our subsidiaries and corporate affiliates for purposes consistent with the Privacy Policy.
  • Services Providers. We may share your Personal Information with third parties that provide services on our behalf (such as hosting, analytics, email delivery, marketing, and database management services). These third parties use Personal Information as directed by us and in a manner consistent with this Privacy Policy.
  • Professional advisors. We may also disclose Personal Information collected on the Sites to professional advisors, such as lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.
  • Business transfers. We may also disclose your Personal Information to acquirers and other relevant participants in business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, X4 (including, in connection with a bankruptcy or similar proceedings), in which case we will make reasonable efforts to require the recipient to honor this Privacy Policy.
  • Compliance with Laws and Law Enforcement; Protection and Safety. We may also disclose Personal Information collected on the Sites, in accordance with applicable law, to assert or defend our rights and property, to prevent harm to others, to collect a debt, or in response to legal processes such as subpoenas. We may also provide (or reserve the right to provide) Personal Information to credit reporting agencies and to cooperate with law enforcement authorities and other governmental authorities consistent with applicable laws.

Your Rights

In this section, we describe the rights and choices available to all users.

Opt-out of marketing communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of each such email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

Do Not Track. Although our Sites currently do not have a mechanism to recognize the various web browser Do Not Track signals, we do offer you choices to manage your preferences as described in the sections above. To learn more about browser tracking signals and Do Not Track please visit: http://www.allaboutdnt.org.

Links To Third Party Sites

This Sites may contain links to other third-party websites. X4 does not control the privacy policies or practices of these third-party websites. You should review those policies before providing any information. X4 is not responsible for the content or practices of any linked third-party websites, and we provide these links solely for the convenience and information of our visitors.

Security

X4 uses reasonable administrative, physical, and technical safeguards designed to protect the Personal Information we collect. However, security risk is inherent in all internet and information technologies, and we cannot guarantee complete security of your Personal Information. Any email or other communication purporting to be from one of our Sites asking you to provide sensitive information (including medical information) via email, should be treated as unauthorized and suspicious and should be reported to us immediately by emailing at dataprivacy@x4pharma.com

International Data Transfer

We are headquartered in the United States and we may use service providers that operate in other countries. Your Personal Information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country. We will process and transfer your Personal Information in accordance with applicable law and this Privacy Policy regardless of where your Personal Information is stored or accessed. Our third-party service providers are contractually bound to treat Personal Information in a manner that is consistent with this Policy and applicable data protection laws.

Children

This Sites are not directed at children and we do not knowingly collect Personal Information from children under the age of 16. If we learn that we have received Personal Information from a child under the age of 16, we will immediately delete it from our databases, systems and applications. If you learn that your child has provided us with Personal Information without your consent, you may contact us at dataprivacy@X4pharma.com.

Residents of the European Economic Area, the United Kingdom or Switzerland

If you reside in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland, we are required to inform you of the legal bases of our processing of your Personal Information on our Sites, which are described in the table below.

Processing purpose

Legal basis

  • To provide services
Processing is necessary to provide services to you or to take steps that you request prior to providing those services.
  • For operation of the Sites
  • To communicate with you
  • For compliance, fraud prevention
    and safety purposes
  • To create anonymous analytics
These processing activities are based on our legitimate interests.  We consider and balance potential impact on your rights and do not process your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • To comply with law
Processing is necessary to comply with our legal obligations.
  • With your consent
Processing is based on your consent. Where we rely on consent, you have the right to withdraw it at any time.

Retention of Data

We will only retain your Personal Information collected as described in this Policy for as long as necessary to fulfil the purposes for which it was collected (or for any subsequent purpose that is compatible with the original purpose). This does not affect your right to request that we delete your Personal Information before the end of its retention period. In some circumstances we may anonymize your Personal Information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you. Rights Regarding Your Personal Information If you reside in the EEA, UK, or Switzerland, you may request that we take the following actions in relation to your Personal Information:

  • Access.  Provide you with information about our processing of your Personal Information and give you access to your Personal Information.
  • Correct.  Update or correct inaccuracies in your Personal Information.
  • Delete.  Delete your Personal Information, so long as its processing is no longer necessary or obligatory for the compliance with a legal obligation of X4, or the defense of a lawful interest.
  • Transfer.  Transfer a machine-readable copy of your Personal Information to you or a third party of your choice.
  • Restrict.  Restrict the processing of your Personal Information.
  • Object. Object to our legitimate interests as the basis of our processing of your Personal Information.

To submit a request, residents of the UK, EEA or Switzerland can write to us at our postal address provided below. We will request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you reside in the UK, EEA or Switzerland and would like to submit a complaint about our use of your Personal Information or response to your requests regarding your Personal Information, you may contact us or submit a complaint to the data protection regulatory authority in your country. All other inquiries regarding your Personal Information can be directed to dataprivacy@X4pharma.com.

Cookies and Similar Technologies

How We Use Cookies We may collect information using “cookies”. Cookies are alphanumeric identifiers that are transferred to your computer’s hard drive through your web browser to help us identify you when you come to our Sites. Our Sites use cookies to distinguish you from other users of our Sites. This helps us to provide you with a better experience when you use our Sites and allows us to improve our Sites. By virtue of their operation, cookies fall under the following categories:

  • Strictly Necessary Cookies: These cookies are required for the operation of our Sites. These cookies cannot be switched off. You can set your browser to block these cookies, but as a result, some parts of our Sites will not work as designed.
  • Functionality Cookies: These cookies allow our Sites to remember choices you make when you use our Sites. The purpose of these cookies is to provide you with a more personal experience and to avoid you from having to re-select your preferences every time you visit our Sites.
  • Analytics and Performance Cookies: These cookies are used to collect information about traffic to our Sites and how users use our Sites. The information gathered may include the number of visitors to our Sites, the websites that referred them to our Sites, the pages they visited on our Sites, what time of day they visited our Sites, whether they have visited our Sites before, and other similar information. We use this information to help operate our Sites more efficiently, to gather demographic information and to monitor the level of activity on our Sites.

Information on Google Analytics

We may use third parties, such as Google Analytics or other analytics providers, to analyze traffic to a Sites. Google Analytics does not create individual profiles for visitors and only collects aggregate data. To disable Google Analytics, download the browser add-on for the deactivation of Google Analytics provided by Google at https://tools.google.com/dlpage/gaoptout. For more information on the use of personal data by Google Inc. please visit the Google privacy policyDisabling Cookies If you do not accept our cookies, you may experience some inconvenience in your use of our Sites. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit our Sites. Your choices for managing use of cookies include:

  • Blocking cookies in your browser. Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings.  Many browsers accept cookies by default until you change your settings.  For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit https://allaboutcookies.org/
  • Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
  • Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:

Pixel tags We may also use pixel tags (which are also known as web beacons and clear GIFs) on our Sites to track the actions of users on our Sites. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a Sites, pixel tags are embedded invisibly on webpages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the Sites, so that we can manage our content more effectively. The information we collect using pixel tags is not linked to our users’ Personal Information.

Changes to this Privacy Policy

X4, reserves the right to change this Policy to respond to new laws, regulations, technology, or for other business reasons. Please check the Sites from time to time to review any such changes. If we make material changes to this Policy, we will notify you by updating the date of this Policy and posting it on the Sites or other appropriate means. Any modifications to this Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting).

Governing Law and Jurisdiction

You agree that any claim, action or proceeding arising out of this Policy, or your use of the Sites, shall be governed by and construed in accordance with the laws of the United States and the Commonwealth of Massachusetts, without regard to principles of conflict of laws. Any claim, action or proceeding related to this Policy will be resolved exclusively in the state or federal courts located in the Commonwealth of Massachusetts, and you consent to the jurisdiction of those courts.

Contact Information

If you have any questions or concerns about this Policy or would like to request this Privacy Policy in an alternative format due to a disability, you may contact us at dataprivacy@X4pharma.com, call us at 857-529-8300, or write to us at: X4 Pharmaceuticals, Inc. 61 North Beacon Street, 4th Floor Boston, MA 02134   If you reside in the UK, EEA or Switzerland and you seek to exercise any of your statutory rights, you may contact your local privacy Supervisory Authority. You may also contact our Data Protection Officer by sending an email to dataprivacy@x4pharma.com with the subject line DATA PROTECTION OFFICER.