Privacy Policy

Effective Date: April 2023

Prometheus Biosciences (“Prometheus Biosciences,” “us,” “we” or “our”) is a clinical-stage biotechnology company engaging in the discovery, development, and commercialization of novel therapeutics and companion diagnostics products for the treatment of immune-mediated diseases. We have created this privacy policy (“Policy”) in order to comprehensively inform individuals about our privacy practices and to demonstrate our firm commitment to privacy. This Policy describes how we collect, use, disclose, transfer, store, retain or otherwise process your personal information in the course of operating our business, which includes the administration of the website www.prometheusbiosciences.com and its sub-domains (the “Website”) (collectively, our “Services”).

When we refer to “you” or “your,” we mean the person about whom we collect personal information or data. If the person accessing the Website does so on behalf of, or for the purposes of, another person, including a business or other organization, “you” or “your” also means that other person, including a business organization, if applicable.

We provide our Services to businesses and not to individual consumers. Therefore, most of the data that we collect is regarding businesses. However, in the course of providing our Services, we may collect personal information of individuals, as will be described in this Policy. This may include personal information that we collect about you when you visit our Website, your business contact information if we provide our Services to a company that you work with, or if you are a sole proprietorship and you engage with our Services.

Our Policy is supplemented by the following policies, which are located immediately following this Policy:

  • International Privacy Policy, and
  • Cookies Policy

1. GENERAL DISCLOSURES

Our data centers and Website are hosted in the United States. If you are visiting this Website from outside of the United States, please note that by providing us your information it is being stored or processed in the United States where our data center and servers are located and operated. Depending on your state or country of residence, applicable privacy laws may provide you the ability to request access to, correction of or deletion of your information, as further outlined below.

If you are located outside the United States, please see the provisions under our International Policy. If you are outside the United States and do not wish to allow the collection and storage of your personal information within the United States, you should not use this Website and you should opt-out of the collection of cookies by following the guidelines in our section titled “How To Restrict Cookies”. For more information about how we utilize cookies, view our “Cookies Policy”.

This Policy applies only to Prometheus Biosciences’ Website and Services, and not to other companies’ or organizations’ websites, mobile applications and services to which we may link. We are not responsible for the privacy practices of other businesses or the content of other websites, including any websites that may indicate a special relationship or partnership with us (such as co-branded pages or “in cooperation with” relationships). To ensure protection of your privacy, always review the privacy policy of the companies with whom you engage.

2. WHAT INFORMATION WE COLLECT

A. Information You Provide to Us Directly

Prometheus Biosciences may collect different information from or about you depending on how you use our sites or Services. The following examples are provided to help you better understand the information we may collect. 

For Patients: We may collect, use, store and transfer different kinds of personal information about you, which we have grouped together as follows:

  • Identity Information such as age, date of birth, gender, ethnicity, race and Social Security Number.
  • Medical Information such as medical conditions, psychological trends, disabilities, hospital reports, physical characteristics/descriptions, and injury information.
  • Insurance Information such as health insurance number and policy/plan information.
  • Genetic Data such as genomic data.
  • Activity Information such as your history, actions and experiences that are relevant to our Services.

For Website Visitors: We may also collect, use, store and transfer the following kinds of personal information about you (including at your first website connection):

  • Identity Information such as first name, last name.
  • Contact Information such as email address and telephone number.
  • Technical Information such as internet protocol (IP) address, pages visited, pages viewed, order of pages viewed, domain names, browser language, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Information such as information about how you use our website, products and services.

For Vendors and Suppliers:  We may also collect, use, store and transfer the following kinds of personal information about you:

  • Identity Information such as first name and last name;
  • Contact Information such as postal address, email address and telephone number; and
  • Financial Information such as bank account information.

B. Collection of Technical Information and Usage Information

When you access the Website, we automatically collect certain information. This information may include without limitation: (a) technical information about your computer or Wireless Device, such as your IP address, geolocation information, device type, operating system type and version, unique device ID, browser, browser language, domain and other systems information or platform types (collectively “Technical Information”); and (b) usage statistics about your interaction with the Website, including pages accessed, referring website address(es), time spent on pages, pages visited, search queries, click data, date and time and other information regarding your use of the Website (collectively “Usage Information”).

C. Deidentified and Aggregated Information

We may process your personal information into aggregated, anonymized or de-identified form for any purpose. Aggregated, anonymized or de-identified information is information that can no longer reasonably identify a specific individual and is no longer “personal information.” We will only maintain and use this type of information in deidentified form and we will not attempt to reidentify this information, except for the purposes of validating our deidentification process.

3.  HOW WE USE YOUR INFORMATION

We may use information about you for a number of purposes, including:

A. Providing Public Health and Medical Science Research

  • Reviewing and analyzing information for purposes of conducting our clinical trials and researching and developing therapeutic treatments and diagnostic tests;
  • Assisting and facilitating medical care for purposes of preventing disease, reporting adverse reactions to medications, preventing or reducing a serious threat to anyone’s health or safety, reporting suspected abuse, neglect, or domestic violence;
  • Performing our contractual obligations with our customers;
  • Maintaining and improving our Services; including performing safety and quality controls of the Services;
  • Developing new products and Services;
  • Delivering the information and support you request; and
  • Improving, personalizing and facilitating your use of our Services.

B. Communicating With You About Our Services

  • Responding to questions or concerns; and
  • Sending you information we think you may find useful or which you have requested from us about our Services.

C. Protecting Our Services and Maintaining a Trusted Environment

  • Enforcing our Terms of Service or other applicable agreements or policies;
  • Verifying your identity;
  • Complying otherwise with any applicable laws or regulations, or in response to lawful requests for information from the government or through legal process;
  • Fulfilling any other purpose disclosed to you in connection with our Services; and
  • Contacting you to resolve disputes and provide assistance with our Services.

D. Website Functionality and Statistical Purposes

  • Reviewing and understanding Technical Information and Usage Information;
  • Improving our website; and
  • Evaluating potential uses of our Services, research and products.

4.  WHEN AND WITH WHOM DO WE DISCLOSE YOUR INFORMATION

A. Sale of Personal Information

We do not sell your personal information and have not sold your personal information in the past 12 months.

B. Disclosure of Personal Information to Others

In the course of our business we may disclose your personal information to others. We will only disclose your information with the following service providers or other external entities under the circumstances described below and solely to the extent that it is necessary to accomplish the goal and purpose of the disclosure. Therefore, we may disclose your personal information:

  • To our contract research organizations, laboratories or other testing facilities. We may disclose personal information to assist or facilitate our clinical trials or research relating to medical conditions, or to develop or refine diagnostic tests or therapies.
  • To hospitals, healthcare organizations or other entities. We may disclose your personal information to utilize or improve our diagnostic tests and to develop new and improved therapies and services.
  • To healthcare authorities or public institutions. We may disclose personal information for purposes of reporting adverse reactions to medications, preventing or reducing a serious threat to anyone’s health or safety, reporting suspected abuse, neglect, or domestic violence.
  • To our database hosting vendors.  Like many organizations, we utilize cloud databases to host our data, including your personal information, so that we can effectively and safely operate the Website and perform our Services.
  • To our auditors.  We may be subject to audits from a number of entities as well as due to our own internal auditing policies. In order to accomplish an effective audit, we must provide information, which may include your personal information, to external auditors. We always ensure that your information is safely disclosed and stored and that auditors can only use your information for the purposes of completing an audit.
  • To individuals or entities you authorize.  We may disclose your personal information to individuals or entities at your direction.
  • Our affiliates.  We may share your personal information with our affiliates for the purposes of administering our business and providing our Services.
  • In corporate transactions.  We may share all or part of your personal information with other entities in connection with the sale, assignment, merger or other transfer of all or a portion of our organization or assets to such entities (including due to a sale in connection with a bankruptcy). We will require any such purchaser, assignee or other successor organization to honor the terms of this Policy.
  • For legal purposes.  We may disclose all or part of your personal information to courts, litigants, regulators, arbitrators, administrative bodies or law enforcement when we have reason to believe that disclosing this information is necessary to resolve actual or suspected claims. We may disclose or access personal information when we believe in good faith that the law requires it, to establish our legal rights or to defend against legal claims.

5.  PERSONAL INFORMATION RELATING TO CHILDREN

The Children’s Online Privacy and Protection Act (COPPA) regulates online collection of information from persons under the age of 13. It is our policy to refrain from knowingly collecting or maintaining personal information relating to any person under the age of 18. If you are under the age of 18, please do not supply any personal information through the Website. If you are under the age of 18 and have already provided personal information through the Website, please have your parent or guardian contact us immediately using the information provided under Contact Us so that we can remove such information from our files. Please delete all Prometheus Biosciences related cookies and restrict further collection of cookies using the methods outlined in the section How to Restrict Cookies in our Cookies Policy.

6.  HOW LONG WE RETAIN YOUR INFORMATION

We may retain your personal information for a period of time that is consistent for us to perform our Services, as well as to comply with applicable law, applicable statute of limitations and our data retention practices. We may also retain your personal information as we believe is reasonably necessary to comply with legal process or governmental request, to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems, to assist with investigations, to enforce other applicable agreements or policies or to take any other actions consistent with applicable law.

7.  MARKETING AND PROMOTIONAL COMMUNICATIONS

You may opt-out of receiving marketing and promotional messages from us, if those messages are powered by us, by following the instructions in those messages. If you decide to opt-out, you will still receive non-promotional communications that are necessary in the performance of our Services.

8.  LINKS TO OTHER SITES

This Website may link to other websites. Once you link to another site, you are subject to the privacy policy of the new site and its operator. We encourage you to carefully review the privacy policy of each entity to which you provide information.

9.  SECURITY

We take reasonable measures, including administrative, technical, and physical safeguards, to protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. If you have additional questions regarding security, please contact us directly using the information provided under Contact Us.

10.  CALIFORNIA CONSUMERS

The California Consumer Privacy Act (“CCPA”) permits residents of California to have the following additional rights. For more information, or if you have questions, you can contact us using the information provided under Contact Us. For your protection, before Prometheus Biosciences can respond to your request, Prometheus Biosciences may be required to collect certain information from you to verify your identity. This may include asking for your full name, aliases, current home addresses or alternative e-mail address. The information you provide to verify your identity will only be used for verification purposes, and a record of your request, including certain information contained within it, will be maintained by Prometheus Biosciences for its files.

A. California residents have the right to request Prometheus Biosciences disclose what information it collects, uses, and discloses.

California residents have the right to request that Prometheus Biosciences disclose what personal information Prometheus Biosciences collects, uses and discloses about them. The general categories of personal information Prometheus Biosciences collects about California residents are listed above under What Information We Collect. If you are a California resident and would like to request the specific personal information that Prometheus Biosciences collects, uses and discloses about you, please contact us at the email or toll-free number provided in this Policy.

B. California residents have the right to request the deletion of their personal information maintained by Prometheus Biosciences.

California residents have the right to request that Prometheus Biosciences delete the personal information Prometheus Biosciences maintains about them. Prometheus Biosciences will make every effort to comply with California residents’ requests to delete their personal information, however, certain laws or other legal requirements might prevent some personal information from being deleted. If you are a California resident and would like to request the deletion of your personal information, please contact Prometheus Biosciences at the email or toll-free number provided under Contact Us. To verify any request to delete personal information, you will be required to provide the information contained in the Request Form. Failure to do so could result in Prometheus Biosciences’ inability to comply with your request.

C. California residents have the right to non-discrimination for the exercise of their privacy rights under the CCPA.

Under the CCPA, California residents have the right not to receive discriminatory treatment by Prometheus Biosciences for the exercise of their privacy rights. However, the exercise of certain privacy rights by California residents will make it so that Prometheus Biosciences is no longer able to provide those residents with certain services. For example, if, at the request of a California resident, Prometheus Biosciences deletes all of the California resident’s personal information that it maintains, Prometheus Biosciences will no longer be able to send marketing communications to that California resident.

D. California residents have the right to opt-out of the sale of their personal information.

Under the CCPA, California residents can request that a company stop selling their personal information. However, as described above, Prometheus Biosciences does not sell your personal information.

E. California residents can designate an authorized agent to make a request under the CCPA on their behalf.

California residents can designate an authorized agent to make requests under the CCPA related to the residents’ personal information. Prometheus Biosciences can deny any request made by an agent who does not submit proof that he or she has been authorized by the California resident to act on the California resident’s behalf. For more information on submitting a request on behalf of a California resident as an authorized agent, you can contact us using the information provided under Contact Us.

F. Do Not Track.

Do Not Track (“DNT”) is an optional browser setting that allows you to express your preferences regarding tracking across websites. Most modern web browsers give you the option to send a Do Not Track signal to the websites you visit, indicating that you do not wish to be tracked. However, there is no accepted standard for how a website should respond to this signal, so we do not take any action in response to this signal. Prometheus Biosciences does not have a mechanism in place to respond to DNT signals. Instead, in addition to publicly available external tools, we offer you the choices described in this Privacy Policy to manage the collection and use of information about you.

Prometheus Biosciences does track some activity across websites (including your search terms, the website you visited before you visited or used the Services and other clickstream data) and we may continue to collect information in the manner described in this Privacy Policy from web browsers that have enabled DNT signals or similar mechanisms.

11.  NEVADA CONSUMERS

Nevada law provides Nevada residents the ability to opt-out of the sale of their personal information. However, we do not sell the personal information of Nevada residents as described by Nevada law. Prometheus Biosciences does not disclose your personal information unless the disclosure is (i) to an entity that processes personal information on our behalf as a service provider or (ii) for purposes which are consistent with the reasonable expectations of a consumer considering the context in which we collected it.

12.  CHANGES TO THIS PRIVACY POLICY

We may amend this Policy at any time by posting revisions on our Website.

13.  CONTACT US

To submit questions or to inquire about or submit a request relating to data rights, you can contact us by:

 

INTERNATIONAL PRIVACY POLICY

The above general Policy still applies to those individuals who reside outside of the United States or who have had personal information collected by Prometheus Biosciences or its agents in a country other than the United States. However, due to various international regulations, those individuals may be entitled to additional disclosures and rights. This International Privacy Policy (the “International Policy”) supplements the above general Policy, but where the provisions of the general Policy and this International Policy cannot be construed consistently, this International Policy will govern.

Please note that by visiting the Website or by having personal information collected by Prometheus Biosciences as the controller of your data, your personal information is being stored or processed in the United States where our data center and servers are located and operated. The United States may not have privacy laws that are as strong or comprehensive as the privacy laws in your own country. Your personal information may also be stored in a multi-tenant cloud environment hosted by our service providers.

Depending on your country of residence, you may have data rights as provided by various laws, regulations and codes, which can include the Canadian Personal Information Protection and Electronic Documents Act, the European Union General Data Protection Regulation, the UK Data Protection Act 2018, the Swiss Revised Federal Act on Data Protection 1992 and Ordinance on the Federal Act on Data Protection, the New Zealand Privacy Act 2020 or the Australian Privacy Act 1988, among others. An interactive map showing the various privacy and protection laws around the world can be found here.

THIS INTERNATIONAL POLICY APPLIES TO ALL PERSONAL INFORMATION ABOUT YOU THAT WE COLLECT, HOLD, USE AND DISCLOSE, REGARDLESS OF THE WAY IN WHICH WE COLLECT IT (I.E. WHETHER THROUGH THE WEBSITE, THE SERVICES OR OTHERWISE).

1. COLLECTION OF PERSONAL INFORMATION

You can find specific details about the personal information that we collect about you in the sections titled “What Information We Collect From You And For What Purposes” and “Your Information That We Receive From External Sources” of the general Policy.

Where we are the data controller with regards to the personal information that we process, you may exercise your rights as a data subject, including the right to object to the processing of your personal information when it is processed based on legitimate interests, as described in this International Policy. Where we are collecting your personal information on behalf of another entity (i.e., we are not the data controller), we will provide you with the identity of the data controller so that you may exercise your rights as a data subject directly with them.

2. PSEUDONYMIZED DATA AND AGGREGATED INFORMATION

Whereas aggregated and anonymized information is information that can no longer identify a specific individual and is no longer “personal data” as per GDPR regulation, pseudonymized information means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We will only maintain and use this type of information in pseudonymized form and we will not attempt to reidentify this information, except for the purposes of validating our deidentification process.

3. HOW WE USE PERSONAL INFORMATION

As a general matter, we collect your personal information to perform our Services and administer our Website. You can find specific details about the purposes for which we collect personal information about you in the sections titled “What Information We Collect From You And For What Purposes” and “Your Information That We Receive From External Sources”.

4. THE BASIS ON WHICH WE PROCESS YOUR PERSONAL INFORMATION

We will only collect and process your personal information as is reasonably necessary for, or directly related to, one or more of our functions or activities, including for administering our Website, or providing our Services to you or our customers.

Where required by law, we rely on the following legal grounds to process your personal information, namely:

  • Performance of a contract:  We may need to collect and use your personal information to enter into a contract with you or to perform a contract or provide services that you have requested from us.
  • Consent:  Where required by law, we will obtain your explicit consent for collecting and processing of your personal information.
  • Legitimate interests:  We may use your personal information for our legitimate interests of detecting and preventing fraud, maintaining the security of Prometheus Biosciences’ network and information systems, and conducting our clinical trials and performing research relating to medical conditions and related tests and therapies.
  • Legal matters:  We may process your personal information when its collection, use or disclosure is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim.

5. OBTAINING CONSENT

Except when otherwise permitted by law or binding regulation, we will obtain the requisite consent from you prior to collecting and, in any case, prior to using or disclosing your personal information for any purpose other than as disclosed in this International Policy. You may provide your consent to us orally, in writing, by electronic communication, through your actions or any other means reasonably capable of conveying your consent. Generally, we will seek to obtain your explicit consent if we collect, use or disclose sensitive personal information about you.

6. THIRD PARTIES

We remain responsible for all personal information communicated to other entities for processing on our behalf. As such, we ensure that other entities that are engaged to provide products or services on our behalf and are provided with personal information are required to observe the intent of this International Policy by having comparable levels of security protection or, when required, by assuring us (through a confidentiality agreement) that they will not use or disclose the personal information for any purpose other than the purpose for which the personal information was communicated. You can find specific details about to whom Prometheus Biosciences discloses your personal information in the section titled When And With Whom Do We Disclose Your Information.

7. LIMITATIONS

We only collect the personal information necessary to fulfill the purposes identified to you prior to or at the time of collection, or any other reasonable and legitimate purposes or as required by law. We do not use or disclose your personal information, except for the purposes for which it was collected, or new purposes to which you have consented, or as required or otherwise permitted by applicable law. We do not, as a condition of providing the Website or performing the Services, or as an administrative or management requirement, require consent to the collection, use or disclosure of personal information beyond what is reasonably required for such purposes, or to comply with our obligations under applicable law or regulation.

8. RETENTION OF PERSONAL INFORMATION

We may keep a record of your personal information, including correspondence or comments, in a file specific to you. We will utilize, disclose, or retain your personal information only for as long as necessary to fulfill the purposes for which it was collected and for legal or business requirements. We will establish minimum and maximum retention periods and procedures for maintaining and destroying your personal information. When personal information is retained to make a decision about you, we will retain such information for the period required in order to comply with our internal data retention policies.

9. ACCESS AND RIGHTS TO YOUR PERSONAL INFORMATION

There are a number of data privacy laws that provide specific data subject rights to residents of certain jurisdictions. This section of this International Policy describes the rights available to those individuals who are entitled to them. Not all individuals about whom we possess information will have access to these rights and we may not be able to provide these rights to everyone due to legal and jurisdictional limitations. We may not be able to comply with your request for a number of reasons, including:

  • you do not live in a jurisdiction that grants you the specific right that you have requested;
  • the information that you’ve requested is not subject to the regulation that grants you the right to make a request in relation to your personal information;
  • we are prevented by law, regulation or rule from complying with your request;
  • we are not able to comply with your request without incurring disproportionate burden or expense; or
  • complying with your request conflicts with the integrity of our services or the ability to administer our business and related relationships or to establish, defend or administer legal claims.

If any of the above reasons apply, we will let you know in our response to your request. Note that we may be required to gather additional information from you in order to process your request. We will only use this information in the context of evaluating and responding to your request. If you fail or refuse to provide the necessary information, we may not be able to process your request.

Subject to the exceptions provided by applicable law or regulation, and depending on your country of residence, you may have the following rights regarding your personal information:

  • to know what personal information Prometheus Biosciences maintains or processes about you;
  • to access personal information maintained about you;
  • to ensure that your personal information is accurate and complete;
  • to correct incomplete, inaccurate or out-of-date personal information;
  • to erasure, deletion or the right to be forgotten;
  • to restriction or suppression of processing of personal information;
  • to data portability with regards to your personal information;
  • to withdraw consent to the processing of your personal information if consent was previously provided;
  • to information about the entities with which we have shared your personal information;
  • to know how and from whom we received your personal information;
  • to opt-out of transfers of your personal information to a third party; and
  • to opt-out of any direct marketing communications received from Prometheus Biosciences, to the extent that you receive any.

You can request to exercise these rights by using the information provided under Contact Us. Please be as specific as possible in your request so that we can meet the applicable handling timelines.

Finally, you have the right to raise a complaint with Prometheus Biosciences or the appropriate data protection authority of your country of residence if you feel that Prometheus Biosciences’ processing of your personal information violates your individual rights, is not in line with this International Policy or violates the privacy principles, laws or regulations of your country of residence.

You can contact Prometheus Biosciences’ data protection officer by using the information provided under Contact Us.  We will promptly investigate any complaint and will respond within the timeframes described in this International Policy.

10. RESPONSE TIME

We will make every reasonable effort to respond to your written request no later than 30 days after receipt of such request. We will advise you in writing if we cannot meet your request within this time limit. When applicable, you have the right to make a complaint to the appropriate supervisory authority, as detailed in this International Policy, with respect to this time limit.

11. COSTS

We expect to be able to respond to your request without charge as a general matter.  However, where allowed by law, we reserve the right to collect a reasonable charge when you request the transcription, reproduction or transmission of such information. We will notify you, following your request, of the appropriate amount that will be charged. You will then have the opportunity to withdraw your request.

12. IDENTIFYING YOU IN CONNECTION WITH REQUESTS

We may require that you provide to us additional information to identify yourself before we provide information about the existence, use or disclosure of your personal information in our possession. Any such information that you provide to us shall be used only for this purpose.

13. OPT-OUT AND UNSUBSCRIBE

You may opt-out of receiving marketing and promotional messages from us, if those messages are powered by us, by following the instructions in those messages. If you decide to opt-out, you will still receive non-promotional communications that are necessary to maintain the existing business relationship between you and Prometheus Biosciences, to the extent there is one.

14. ACCURACY

We will use reasonable efforts to ensure that your personal information is kept as accurate, complete and up to date as possible. We do not routinely update your personal information in our possession, unless such a process is necessary. In order to help us maintain and ensure that your personal information is accurate and up to date, you must inform us, without delay, of any change in the data that you have provided to us.

You can, at any time, challenge the accuracy or completeness of the personal information we have about you, subject to the exceptions provided by applicable law. If you demonstrate that the personal information we have on you is inaccurate or incomplete, we will amend the personal information as required. Where appropriate, we will transmit the amended data to third parties to whom we have communicated your personal information.

15. SAFEGUARDS

We use security safeguards appropriate to the sensitivity of personal information to protect it from loss or theft, as well as unauthorized access, disclosure, copying, use or modification. These safeguards include physical measures, such as restricted access to offices and equipment, organizational measures, such as security clearances and publishing this policy to appropriate personnel with instructions to act in accordance with its principles (for example, limiting access on a “need to know” basis), and technological measures, such as the use of passwords and/or encryption.

To administer our business and provide our services, we may share your personal information with our affiliates or with third parties in locations around the world. When we transfer your personal information outside your jurisdiction, we will take steps to ensure that such data transfers comply with applicable data privacy laws. If you live in the European Economic Area (EEA) or the UK, your personal information therefore may be stored and processed outside the EEA and the UK and in countries that are not subject to an adequacy decision by the European Commission or the UK’s Information Commissioner’s Office and which may not provide for the same level of data protection. If we transfer or store personal information outside of the EEA, UK or other countries or economies that require legal protection for international data transfer, we will ensure that an adequate level of protection is provided, as further described below, by entering into written intra-group data processing agreements with recipients that require them to provide the same level of protection, or by relying on other legally-approved transfer mechanisms.

If you are a resident of the UK, Switzerland or European Economic Area (EEA), and your personal information is transferred outside of the UK or the EEA, we will:

  • Process it in a territory which the European Commission (or similar applicable authority) has determined provides an adequate level of protection for personal information;
  • Implement appropriate safeguards to protect your personal information, including transferring it in accordance with applicable transfer mechanisms, including the following:
    • European Commission’s Standard Contractual Clauses (available here);
    • The UK’s Information Commissioner’s Office International Data Transfer Agreement (available here); or
    • Switzerland’s Transborder Data Flow Agreement (available here); and
  • Enter into intra-group data processing agreements with non-EU recipients that require them to provide the same level of protection, or rely on other legally approved transfer mechanisms.

16. CONTACT US

To submit questions or to inquire about or submit a request relating to data rights, you can contact our Data Protection Officer and EU Data Protection Representative:

Data Protection Officer:
Email: DPO@prometheusbiosciences.com

EU Data Protection Representative:

PharMarketing,
8 rue Roublot
94120 Fontenay-sous-Bois, France

Lumis Life Science Consulting GmbH,
Giesebrechtstr. 15 · 10629 Berlin, Germany

COOKIES POLICY

Last Modified: March 31, 2023

Effective as of the date listed above, Prometheus Biosciences, and its subsidiaries & affiliates, (collectively, the “Prometheus Biosciences” or “we” or “us” or “our”) have adopted this Cookies Policy. This Cookies Policy is designed to be read in conjunction with our general Privacy Policy. For the purposes of this Cookies Policy, when we say the “Website,” we mean www.prometheusbiosciences.com website and its sub-domains.

Like many website operators, Prometheus Biosciences and its analytics vendors use server logs and automated data collection tools, such as browser cookies, pixel tags, scripts and web beacons. These tools are used for analytics purposes to enable us to understand how users interact with the Website.

What is a cookie?

A cookie is a small text file that is placed on your hard drive by a web page server. Cookies contain information that can later be read by a web server in the domain that issued the cookie to you.  There are several types of cookies:

  • Session cookies provide information about how a website is used during a single browser session while a user is visiting a website and usually expire after the browser is closed.
  • Persistent cookies remain on your device between different browser sessions for a set amount of time in order to enable the website to remember user preferences, settings, or actions across other sites. A persistent cookie will remain on a user’s device for a set period of time specified in the cookie.
  • First-party cookies are cookies set by the operator of the website you are visiting.
  • Third-party cookies are cookies set by third parties that are different from the operator of the website you are visiting.
  • Web beacons, tags and scripts may be used in the Website or in our emails to help us to deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon.

More information about each cookie can be found by viewing our current cookie table below, which is updated periodically.

Our collection of cookies

We, our marketing partners, affiliates, and analytics or service providers use cookies and other similar technologies. We group the cookies that we collect into the following categories based upon their function (note that all types of cookies, as described above, will be found in each category):

 

| Category | Description |
|---|---|
| Essential Cookies | Essential cookies are sometimes called “strictly necessary” as without them we cannot operate and administer the Website. For example, essential cookies help remember your preferences as you move around the Website. |
| Analytics Cookies | These cookies track information about visits to the Websites so that we can make improvements and report our performance. For example: analyze visitor and user behavior so as to provide more relevant content or suggest certain activities. They collect information about how visitors use the Websites, which site the user came from, the number of each user’s visits and how long a user stays on the Websites. We might also use analytics cookies to test new ads, pages, or features to see how users react to them. |
| Functionality or Preference Cookies | During your visit to the Websites, cookies are used to remember information you have entered or choices you make (such as your username, language or your region) on the Websites. They also store your preferences when personalizing the Websites to optimize your use of the Website, for example, your preferred language. These preferences are remembered, through the use of the persistent cookies, and the next time you visit the Websites you will not have to set them again. |
| Targeting or Advertising Cookies | These Third Party Cookies are placed by third party advertising platforms or networks in order to deliver ads and track ad performance, enable advertising networks to deliver ads that may be relevant to you based upon your activities (this is sometimes called “behavioral” “tracking” or “targeted” advertising) on the Websites. They may subsequently use information about your visit to target you with advertising that you may be interested in, on the Websites and other websites. For example, these cookies remember which browsers have visited the Websites. |

Specific disclosures of which cookies we collect and for what purposes are found in the Cookie Table below. You can stop the use of cookies by the Website by following the instructions in this Cookies Policy.

Cookie Table

https://www.prometheusbiosciences.com/

| Cookie Name | Cookie Purpose | Duration | Category |
|---|---|---|---|
| _ga | Used to distinguish users | 2 years | Essential |
| _gid | Used to distinguish users | 24 hours | Essential |
| _gat | Used to throttle request rate | 1 minute | Essential |
| AMP_TOKEN | Contains a token that can be used to retrieve a client ID from AMP Client ID service. | 30 seconds to 1 year | Functionality |
| _gac_<property-id> | Contains campaign related information for the user. | 90 days | Analytics |

https://ir.prometheusbiosciences.com/investor-relations

| Cookie Name | Cookie Purpose | Duration | Category |
|---|---|---|---|
| SSESSXXXXXXXXXXXX | Logging into the CMS | Session | Essential |
| SimpleSAMLSessionID | Logging into the CMS | Session | Essential |
| SimpleSAMLAuthToken | Logging into the CMS | Session | Essential |
| ak_bmsc | Bot manager | 2 hours | Essential |
| bm_sv | Bot manager | 2 hours | Essential |
| bm_mi | Bot manager | 2 hours | Essential |
| _GRECAPTCHA | Spam Protection | 179 days | Essential |
| JSESSIONID | Platform Performance | Session | Essential |
| DrupalVisitorMobile | Mobile Device Detection | Session | Essential |
| GZIP | Stock Chart, standard compression, decompression flag | Retention | Functionality |
| XXXX%5F0 | Generated for all requests for dynamic stock charts | Session | Functionality |
| XXXX%5F1 | Stores the username to remember a user’s login | Session (expires after 60 mins) | Functionality |
| Drupal.visitor.auth_token | Remembers authentication token for users visiting protected sites or pages | 24 hours | Functionality |
| omn_data | Allows customers to single sign on into their Adobe report suite. | Session | Functionality |
| s_cc | Tests whether or not the user accepts cookies. | Session | Analytics |
| s_sq | Tracks the last link clicked by the user for use in the analytics suite. This cookie is set and read by javascript code. | Session | Analytics |
| s_vi | This cookie is used to identify a unique visitor | 2 years | Analytics |
| AMCV_###@AdobeOrg | Unique visitor IDs used by Experience Cloud Solutions. | 2 years | Analytics |
| AMCV_###@AdobeOrg | Flags whether a session has been initialized. Its value is always 1 and discontinues when the session has ended. | Session | Analytics |

Third-party cookies

The Website may allow third-parties to place cookies on your Internet-connected device in order to deliver advertisements based upon your web-browsing habits and history. Further, in order to provide interoperability and plug-ins from various social media websites (like LinkedIn), the Website may allow these third-parties to place and collect cookies on your Internet-connected device. However, you can restrict the third-party collection of cookies through the instructions provided in the section “How to Restrict Cookies” below.

Do Not Track

Do Not Track (“DNT”) is an optional browser setting that allows you to express your preferences regarding tracking across websites. Most modern web browsers give you the option to send a Do Not Track signal to the websites you visit, indicating that you do not wish to be tracked. However, there is no accepted standard for how a website should respond to this signal, so we do not take any action in response to this signal. Prometheus Biosciences does not have a mechanism in place to respond to DNT signals. Instead, in addition to publicly available external tools, we offer you the choices described in this Cookies Policy to manage the collection and use of information about you.

How to Restrict Cookies

You can adjust the settings in your browser in order to restrict or block cookies that are set by the Website (or any other website on the Internet). Your browser may include information on how to adjust your settings. Alternatively, you may visit the U.S. Federal Trade Commission’s website www.consumer.ftc.gov to obtain comprehensive general information about cookies and how to adjust the cookie settings on various browsers.

You can control and delete these cookies through the settings of the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Safari
  • Opera
  • Microsoft Internet Explorer
  • Microsoft Edge
  • Safari for iOS (iPhone and iPad)
  • Chrome for Android

You can also use the following cookie management and disposal tool from Google Analytics by downloading and installing the browser plug-in from the following link: https://tools.google.com/dlpage/gaoptout.

Please be aware that restricting cookies may impact the functionality of the Website. For example, refusing cookies will not allow Prometheus Biosciences to present the Website in your preferred language or remember your log-in information. Additional general information about cookies, including how to be notified about the placement of new cookies and how to disable cookies, can be found at www.allaboutcookies.org.

Changes to this policy

If there are any material changes to this Policy, you will be notified by the posting of a prominent notice on our Websites prior to the change becoming effective. We encourage you to periodically review this page for the latest information on the Policy. Your continued use of the Websites constitutes your agreement to be bound by such changes to this Policy. Your only remedy, if you do not accept the terms of this Policy, is to discontinue use of and access to the Websites. The content of this Policy is for your general information and use only. These cookies are subject to change without notice. You acknowledge that this information may contain inaccuracies or errors and is subject to change and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.