Arcutis Biotherapeutics

Other terms used herein that are defined terms under U.S. Privacy Laws shall have the meanings afforded to them by the U.S. Privacy Laws, whether or not capitalized, unless the context indicates otherwise. As there are some variations between such definitions across the U.S. Privacy Laws, the definitions applicable to you are those provided in the statute for the U.S. state in which you are a consumer. For example, if you are a California consumer, terms used in this Privacy Notice that are defined terms in the California Consumer Privacy Act (“CCPA”) shall have the meanings afforded to them in the CCPA as this Privacy Notice applies to you.

B. Overview of Personal Information Processing

1. Collection of Personal Information. We collect and we have collected in the past twelve months the following categories of personal information:

• Contact details, such as name, email address, address, and telephone number
• Professional information, such as your employer and business contact information
• Insurance information, such as insurance policy number or health insurance information
• Financial information, such as total income
• Commercial information, such as products or services purchased, obtained, or considered
• Audio/electronic recordings, such as recordings of customer service calls
• Identifiers, such as Internet Protocol (IP) addresses, mobile advertising IDs, and other unique identifiers
• Geolocation data, such as device location
• Sensitive Personal Information, such as Personal Information concerning your health
• Internet or other network information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement
• Inferences drawn from any of the information listed above to create a profile about you reflecting your preferences, characteristics, behavior, and attitude

Children’s Personal Information. We generally do not knowingly collect or process Personal Information of children under 13 years of age. If and when we do so, we will comply with the Children’s Online Privacy Protection Act (“COPPA”). For more information, please see our Privacy Notice.

2. Sources of Personal Information. We collect these categories of Personal Information directly from consumers, from cookies and other tracking technologies, from our Service Providers and third parties when they disclose personal information to us, and from public data bases and social media.

3. Purpose for Collection, Processing, and Disclosure of Personal Information. We collect, process, and disclose the categories of Personal Information listed in Section B(1) to:

• Respond to your questions and communicate with consumers
• Operate, manage, and maintain our business and maintain records
• Provide, develop, improve, repair, and maintain our products and Services
• Analyze and better understand consumers’ needs, preferences, and interests and conduct internal business analysis and research
• Advertise and promote our products and services, including by contacting consumers regarding products, services, and topics that may be of interest to them
• Engage with current and prospective advertisers, advocacy organizations, service providers, and third parties
• Undertake quality and safety assurance measures and conduct risk and security controls and monitoring
• Detect and prevent fraud and perform identity verification
• Perform accounting, audit, and other internal functions, such as internal investigations
• Comply with law, legal process, and internal policies
• Exercise and defend legal claims
• For any other purpose you may agree to at or before the time the Personal Information is collected

We may also aggregate and/or anonymize personal information and analyze those data for statistical or any other purposes permitted by law.

We collect, process, and disclose the Sensitive Personal Information described in Section B(1) only for:

• Performing the services or providing the goods reasonably expected by an average Consumer who requests those goods or services
• Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information
• Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and prosecuting those responsible for those actions
• Ensuring the physical safety of natural persons
• Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us, provided that we will not disclose your Personal Information to a Third Party and will not build a profile about you or otherwise alter your experience outside of your current interaction with us
• Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf
• Verifying or maintaining the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and improving, upgrading, or enhancing the service or device that is owned, manufactured by, manufactured for, or controlled by us
• Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a Consumer

4. Disclosure, Sale, and Sharing of Personal Information

We disclose, and in the past twelve months have disclosed, the categories of Personal Information as described in the table below to:

• Service Providers who process personal information on our behalf, including Service Providers who provide data hosting, information technology support, email hosting, marketing and analytics services, and other services for the operation of our business. We impose contractual limitations on our Service Providers’ use of personal information they collect in conjunction with providing services to us.
• Third Party marketing and advertising and analytics companies, who may process Personal Information for their own purposes
• Other third parties with your consent or at your direction
• Other third parties protect our rights, defend or pursue a legal claim, or investigate or prosecute illegal activities
• Government or judicial authorities to comply with a subpoena, court order, governmental inquiry, legal process, legal obligation, or to protect the rights, property, or safety of other users or the public
• Successor entity or purchaser upon a merger, consolidation, or other corporate reorganization in which we participate, a sale of all or a portion of our assets, or pursuant to a financing arrangement. In this situation, we will seek assurances that the successor entity or purchaser will process personal information collected by us in accordance with this notice.

We may also disclose aggregated and/or anonymized data to any other entities to the extent permitted by law.

While our processing of personal information varies based upon our relationship and interactions with you, the table below generally identifies the categories of personal information we have collected in the past 12 months, as well as the categories of non-affiliated persons or third parties to whom we may disclose this information for a business or commercial purposes.  We may, for example, use cookies for marketing purposes.  When we use cookies, we do so at your instruction based on your permission to use cookies associated with this processing.  Where you direct us to do so, we and certain third-party business partners, such as our advertising partners, may collect personal information using cookies and other technologies when you visit or interact with our site.  These partners also may use cookies and other technologies to collect your health data over time across different websites depending on the associated permissions you set.  We do not use or disclose sensitive personal data for purposes other than permitted under applicable local law.

We Sell and Share, and have Sold and Shared in the past twelve months, Personal Information as described in the table below in order to analyze and better understand consumers’ needs, preferences, and interests, and to advertise and promote our products and services, including by contacting consumers regarding products, services, and topics that may be of interest to them. Residents of states with U.S. Privacy laws have the right to opt-out of the disclosure of their Personal Information and can do so by contacting our Privacy Office at privacy@arcutis.com, by calling us toll free at 844‑4ARCUTIS, or by clicking here .

We do not have actual knowledge that we Sell or Share personal information of California consumers under 16 years of age.

5. Retention of Personal Information

We retain each category of Personal Information listed in Section B(1) for the time needed to fulfill our legitimate and lawful business purposes and comply with applicable regulations.

C. Do Not Track & Opt-Out Preference Signals

We recognize opt-out preference signals that we are required to recognize for compliance with applicable law. Where required by U.S. Privacy Laws, we treat such opt-out preference signals as a valid request to opt-out of sale, sharing, and processing for purposes of targeted advertising, as applicable, for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. Further, if we know the identity of the consumer from the opt-out preference signal, we will also treat the opt-out preference signal as a valid request to opt out of sale and sharing for such consumer. Consumers may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit. However, our sites do not respond to “Do Not Track” signals sent by browsers, which are different from the opt-out preference signals described above.

D. Your Rights & Choices

Residents who reside in states with U.S. Privacy Laws have the following rights regarding our collection and use of the Personal Information, subject to certain exceptions. Please read this section carefully as some rights vary by state.

• Right to Know: You have the right to know the following details about our privacy practices at or before the point of collection. We have provided such information in this Supplemental Notice. You may also request that we provide you with information about the following aspects of how we have handled your Personal Information specifically in the 12 months preceding your request: (1) the categories of Personal Information we have collected about you; (2) the categories of sources from which we collected such Personal Information; (3) the business or commercial purpose for collecting, Selling, or Sharing Personal Information about you; (4) the categories of Personal Information about you that we disclosed and the categories of Third Parties to whom we disclosed such Personal Information; (5) the categories of Personal Information about you that we sold, shared, or used for targeted advertising purposes, and the categories of Third Parties with whom we sold or shared such Personal Information; (6) if we collect Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is Sold or Shared; and (7) the length of time we intend to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.
• Right to Deletion: You may request that we delete any Personal Information about you that we collected from you.
• Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you. Please note this right does not apply to Iowa and Utah residents.
• Right to Access Specific Pieces of Personal Information and Data Portability: You may ask to obtain the specific pieces of Personal Information we have collected about you in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Information to another entity without hindrance. You may not exercise this right more than two times in a calendar year.
• Right to Opt-Out of Sale: You have the right to opt out of the Sale of your Personal Information.
• Right to Opt-Out of the Sharing of Your Personal Information or the Use of Your Personal Information for Targeted Advertising: You have the right to opt-out of the Sharing of your Personal Information or our use of your personal Information for targeted advertising purposes.
• Right to Opt-Out of Profiling: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (which means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services). Please note, however, that we do not use Personal Information for profiling in furtherance of decisions that produce legal or similarly significant effects.

E. Exercising Your Rights

To exercise your data subject rights, contact our Privacy Office at privacy@arcutis.com, call us toll free at 844-4ARCUTIS , or click here . Authorized agents may also submit requests via these methods, where permitted by U.S. Privacy Laws.

We will not discriminate against you for exercising your data subject rights. For example, we will not deny services to you or provide a different level of quality of services to you as a result of you exercising your data subject rights.

F. Verification of Data Subject Requests & Appeals

As permitted or required by U.S. Privacy Laws, we may ask you to provide information that will enable us to verify your identity in order to comply with your data subject request. In particular, when a consumer authorizes an agent to make a request on their behalf, we may require the agent to provide proof of signed permission from the consumer to submit the request, or we may require the consumer to verify their own identity to us or confirm with us that they provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable privacy laws. We will respond to your request consistent with U.S. Privacy Laws.

To appeal our decision on your data subject requests, you may contact us at privacy@arcutis.com. Please enclose a copy of or otherwise specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

G. Other Disclosures for California Consumers

• California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our Services, you may ask us to remove content or data that you have posted to the Services by writing to privacy@arcutis.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.
• Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of personal information to other entities for their direct marketing purposes in the preceding calendar year. To make such a request, please send an email to privacy@arcutis.com with the subject “Shine the Light Request.”
• Financial Incentives for California Consumers. We do not provide financial incentives to California consumers who allow us to collect, retain, sell, or share their personal information. We will describe such programs to you if and when we offer them to you.

H. Disclosures for Nevada Consumers

We sell “Covered Information” as defined under Nevada law, but we generally do not disclose or share “Personal Information” as defined under Nevada law for commercial purposes. Under Nevada law, you have the right to direct us to not sell your Covered Information to third parties, as defined under Nevada law. To exercise this right, if applicable, you or your authorized representative may contact us at privacy@arcutis.com or call us toll free at 844-4ARCUTIS.

I. Contact Us

If you have any questions regarding this Supplemental Notice or our Services generally, please contact us at privacy@arcutis.com.

Arcutis may amend this Supplemental Privacy Notice from time to time to reflect technological advancements, legal and regulatory changes and good business practices. If Arcutis changes its privacy practices, a revised Supplemental Privacy Notice will be posted here.

This Supplemental Privacy Notice was last updated on September 30, 2024.