Arcutis Biotherapeutics

Privacy Notice For California Health Care Professionals

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (collectively, the “CCPA”), gives California residents certain rights and requires businesses to make certain disclosures regarding their collection, use, and disclosure of Personal Information. This Privacy Notice for California Health Care Professionals (the “Notice”) provides such notice to California-resident health care professionals whom Arcutis Biotherapeutics, Inc. (“Arcutis,” “we,” “us,” or “our”) interacts with in a business-related capacity (collectively “HCPs”).

Please note that this Notice only addresses Arcutis’ collection, use, and disclosure of HCP Personal Information and only applies to residents of California. This Notice does not apply to individuals who are residents of other U.S. states or other countries and/or who do not interact with Arcutis in a business-related capacity. For further details about our privacy practices pertaining to non-HCP Personal Information, please see our Privacy Notice at www.arcutis.com/privacy.

A. Definitions

  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes Sensitive Personal Information, that we specifically describe in this Notice.
  • “Third Party” means any non-affiliated person that is not a Service Provider.
  • “Service Provider” means a service provider, contractor, or processor which collects, stores, or otherwise handles data for us and is bound by contractual obligations to use your Personal Information only as directed by us.

Other terms used herein that are defined under the CCPA shall have the meanings afforded to them in the CCPA, whether or not capitalized, unless context indicates otherwise.

B. Overview of Personal Information Processing

1. Collection of HCP Personal Information. We collect and we have collected in the past twelve months the following categories of Personal Information from HCPs:

  • Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description
  • Contact and financial information, including phone number, address, email address, financial information, medical information
  • Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status
  • Commercial information, such as transaction information and purchase history
  • Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements
  • Geolocation data, such as device location
  • Audio, electronic, visual and similar information, such as call and video recordings
  • Professional or employment-related information, such as work history and prior employer
  • Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information
  • Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics
  • Sensitive Personal Information, including:
    • Personal Information that reveals:
      • Social security, driver’s license, state identification card, or passport number
      • Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account
      • Precise geolocation
      • Racial or ethnic origin, religious or philosophical beliefs, or union membership

2. Purposes for Collecting, Processing, and Disclosing HCP Personal Information. We collect, process, and disclose the categories of HCP Personal Information listed in Section B.1 for the following business purposes:

  • Provide you with a service or take an action that you request
  • Identify and engage scientific and other experts
  • Identify speakers and invitees to conferences and other scientific and educational programs we host or sponsor
  • Determine your potential involvement in future activities with Arcutis and contact you in relation to these activities
  • Communicate with you when you participate in, or request to be considered to participate in Arcutis events, clinical studies, or other programming
  • Respond to your requests for information about our products and services
  • Communicate other information that we think may be of interest to you through our websites and via email, call centers, postal mail, and other channels, including promotional communications, about our products and services
  • Process and report information pertaining to adverse events and product complaints
  • Track and report payments and other transfers of value to health care providers in accordance with financial disclosure transparency requirements
  • Conduct auditing related to our current interactions with you
  • Analyze and better understand your needs, preferences, and interests
  • Tailor our messaging and communications to you, including messaging and communications for promotional purposes
  • Personalize your website experience
  • Better understand the market for our existing products and services, and potential new products and services, and adjust our research, development, and marketing strategies accordingly
  • Detect security incidents and other fraudulent activity
  • Monitor and improve our website functionality and security
  • Conduct business and marketing research
  • Meet our contractual obligations to you, if you provide us with services
  • Analyze the quality of services provided, including by analyzing call recordings
  • Monitor and secure our facilities, equipment, and other property
  • Comply with laws and regulations, including, without limitation, applicable tax, health and safety, anti-discrimination, immigration, labor and employment, and social welfare laws
  • Monitor, investigate, and enforce compliance with and potential breaches of Arcutis policies and procedures and legal and regulatory requirements
  • Comply with civil, criminal, judicial, or regulatory inquiries, investigations, subpoenas, or summons
  • Exercise or defend the legal rights of Arcutis and its employees, affiliates, customers, contractors, and agents

We collect, process, and disclose the Sensitive Personal Information of HCPs described in Section B.1 only for:

  • Performing the services or providing the goods reasonably expected by an average Consumer who requests those goods or services
  • Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information
  • Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and prosecuting those responsible for those actions
  • Ensuring the physical safety of natural persons
  • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us, provided that we will not disclose your Personal Information to a Third Party and will not build a profile about you or otherwise alter your experience outside of your current interaction with us
  • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf
  • Verifying or maintaining the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and improving, upgrading, or enhancing the service or device that is owned, manufactured by, manufactured for, or controlled by us
  • Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a Consumer

3. Sources of HCP Personal Information. We obtain the Personal Information listed in Section B.1 from the following sources: directly from your interactions with us, including with the website, our devices and software, desktop and mobile applications, by email, and phone; social media sites; web browsers; advertising, marketing, and analytic service providers; mailing list providers; technology service providers; publicly available sources; mailing list vendors; Service Providers and Third Parties when they disclose information to us.

4. Disclosure of HCP Personal Information. We disclose, and in the past twelve months have disclosed the categories of Personal Information of HCPs listed in Section B.1 for the purposes listed in Section B.2 as follows:

  • To Service Providers we hire to perform services or functions on our behalf such as marketing and advertising service providers, technology service providers, security service providers, analytics service providers, and mailing and shipping providers. We grant our Service Providers access to Personal Information only to the extent needed for them to perform their functions, and require them to protect the confidentiality and security of such information.
  • To Third Parties who process personal information for their own purposes, including marketing and analytics companies.
  • To Third Parties as necessary to protect our rights, defend or prosecute a legal claim, or investigate or prosecute illegal activities.
  • To Third Parties at your direction or with your consent.
  • To government or judicial authorities to comply with a court order, subpoena, search warrant, law, regulation, or government investigation.
  • To a successor entity or purchaser upon a merger, consolidation, or other corporate reorganization in which we participate, a sale of all or a portion of our assets, or pursuant to a financing arrangement. In this situation, we will seek assurances that the successor entity or purchaser will process personal information collected by us in accordance with this Notice.

5. Disclosures of Personal Information Defined as Sale or Sharing Under CCPA and Right to Opt Out.

For purposes of the CCPA, a “sale” is the disclosure of personal information to a third party for monetary or other valuable consideration, and a “share” is the disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. While we do not disclose personal information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA) internet and electronic network activity information, profiles and inferences, and identifiers to third party advertising companies and analytics providers. When we use cookies, for example, we do so at your instruction based on your permission to use cookies associated with this processing. Where you direct us to do so, we and certain third-party advertising partners may collect personal information using cookies and other technologies when you visit or interact with our site. This is done in order to improve and evaluate our advertising campaigns, monitor and measure site performance, and better reach customers and prospective customers with more relevant ads and content. We do not use or disclose sensitive personal data for purposes other than permitted under applicable local law. For more information, please see the Cookies section of our Privacy Notice. The following is additional information on these types of disclosures.

  • Categories of Personal Information Disclosed:
    • Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description
    • Contact and financial information, including phone number, address, email address, financial information, medical information
    • Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status
    • Commercial information, such as transaction information and purchase history
    • Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements
    • Geolocation data, such as device location
    • Audio, electronic, visual and similar information, such as call and video recordings
    • Professional or employment-related information, such as work history and prior employer
    • Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information
    • Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics
    • Sensitive Personal Information, including:
      • Personal Information that reveals:
        • Social security, driver’s license, state identification card, or passport number
        • Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account
        • Precise geolocation
        • Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Categories of Entities to Which this Information is Disclosed:
    • Affiliates & Service Providers. We may disclose HCP Personal Information to our affiliates and service providers for the purposes described in Section B.2 of this Notice. Our service providers provide us with website services, web hosting, data analysis, customer service, infrastructure services, technology services, email delivery services, legal services, marketing services, and other similar services. We grant our service providers access to HCP Personal Information only to the extent needed for them to perform their functions and require them to protect the confidentiality and security of such information.
    • Third Parties. We disclose Personal Information to the following categories of Third Parties for business purposes:
      • At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
      • Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
      • Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.
  • Purposes for Disclosure of Personal Information: to better understand HCPs’ needs and interests and to tailor our messaging and communications to you, including messaging and communications for promotional purposes.
  • We do not have actual knowledge that we sell or share personal information of California consumers under 16 years of age.
  • California consumers have the right to opt out of the sale and sharing of their personal information and can do so by contacting our Privacy Office at privacy@arcutis.com, by calling us toll free at 844‑4ARCUTIS, or by clicking here.

6. Retention of HCP Personal Information. We retain each category of Personal Information listed in Section B.1 for the duration of your business relationship with us, as applicable, and longer as may be required by applicable laws or necessary for our legitimate business purposes.

C. Your Rights & Choices.

As a California resident, you have the following rights regarding our collection and use of your Personal Information, subject to certain exceptions:

  • Right to Know: You have the right to know the following details about our privacy practices at or before the point of collection. We have provided such information in this Notice. You may also request that we provide you with information about the following aspects of how we have handled your Personal Information specifically in the 12 months preceding your request: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources from which we collected such Personal Information; (iii) the business or commercial purpose for collecting, Selling, or Sharing Personal Information about you; (iv) the categories of Personal Information about you that we disclosed and the categories of Third Parties to whom we disclosed such Personal Information; (v) the categories of Personal Information about you that we sold or shared, and the categories of Third Parties with whom we sold or shared such Personal Information; (vi) if we collect Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and (vii) the length of time we intend to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.
  • Right to Deletion: You may request that we delete any Personal Information about you that we collected from you.
  • Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you.
  • Rights to Opt-Out of the Sale and Sharing of Your Personal Information: You have the right to opt-out of the Sale and Sharing of your Personal Information.

Do Not Sell or Share My Personal Information

  • Right to Limit the Use of Your Sensitive Personal Information: You also have the right to limit the use of your Sensitive Personal Information to the purposes authorized by the CCPA. We do not use or disclose Sensitive Personal Information of HCPs for purposes beyond those authorized by the CCPA.
  • Right to non-discrimination: You have the right not to receive discriminatory treatment by Arcutis for exercising privacy rights conferred by the CCPA and the right not to be retaliated against for exercising your rights conferred by the CCPA.

D. Exercising Your Rights.

Submit a Request. To submit a request to exercise your data subject rights listed in Section C, please contact Arcutis by emailing privacy@arcutis.com, by calling 844‑4ARCUTIS, or by clicking here.

Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf. Authorized agents may submit a request on your behalf using the methods described above. To be able to act, authorized agents must submit proof that they are authorized to act on your behalf. We may deny requests from claimed authorized agents who do not submit adequate proof that they are authorized to act on your behalf.

Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before complying with your requests. For example, for requests to know, correct, and delete, we will attempt to match your identity to the information stored in our files. If we cannot, we will ask you to provide additional identifying information. We will use information you provide in your request for the purpose of verifying your identity or authority to make the request.

Opt-Out Preference Signals. We recognize opt-out preference signals that we are required to recognize for compliance with applicable law. Where required by the CCPA, we treat such opt-out preference signals as a valid request to opt-out of sale/share as applicable, for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. Further, if we know the identity of the consumer from the opt-out preference signal, we will also treat the opt-out preference signal as a valid request to opt out of sale and sharing for such consumer. Consumers may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit.

E. Other Disclosures.

Financial Incentives for California Consumers. We do not provide financial incentives to California Consumers who allow us to collect, retain, sell, or share their Personal Information. We will describe such programs to you if and when we offer them to you.

California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to privacy@arcutis.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.

F. Contact Us.

More information about our privacy practices can be found in our Privacy Notice, available at www.arcutis.com/privacy. If you have any questions regarding this Notice or Arcutis’ collection and use of your Personal Information, or would like to exercise your data subject rights or submit a request under the CCPA, please contact Arcutis at privacy@arcutis.com, by calling 844‑4ARCUTIS, or by clicking here.

We may update this Notice from time to time. When we do so, we will post the updated version of our Notice here.

Last Updated: September 30, 2024