© 2024 Corcept Therapeutics, Incorporated
Last Revised on August 1, 2024
INTRODUCTION
Corcept Therapeutics Incorporated and its subsidiaries and affiliates (together, “Corcept,” “we”, “our”, “us”) are committed to protecting and respecting your privacy. The purpose of this Privacy Notice is to provide you with information on how we will collect, use, disclose, protect, and otherwise process personal information and explain the rights and choices available to individuals with respect to their personal information. We are a public company established in the United States (the “US”) with a registered office at 101 Redwood Shores Parkway, Redwood City, CA 94065, and, for the purposes of the General Data Protection Regulation (the “GDPR”) and the United Kingdom’s Data Protection Act 2018 (including the UK General Data Protection Regulation (“UK GDPR”)), we are the data controller.
This Privacy Notice sets out the basis on which we will process personal information or usage information we collect from you, or that you provide to us, in connection with your use of the following Corcept websites and related services or relationships described herein:
- Corcept.com;
- Korlym.com;
- Cortisolmatters.com;
- CortisolInControl.com; and
- Social media or online platforms hosted by Corcept (e.g., Cushing’s Connection on Facebook)
(together, the “Sites” and each a “Site”).
We may provide additional privacy notices to different categories of individuals at the time we collect their data, including as follows:
- If you are an employee or contractor of Corcept, please refer to the privacy notice we provided to you at the start of your employment/engagement with us (as it may be amended and updated from time to time), which can also be accessed on our internal portal.
- If you are a participant in a clinical trial, please refer to the informed consent document provided to you in connection with your participation in the clinical trial (if needed, ask the physician responsible for the clinical trial for a copy).
- If you are a clinical investigator or study personnel engaged by us (or by a contract research organization on our behalf) in connection with a clinical trial sponsored by us, please refer to the specific privacy notice to clinical trial investigators and study personnel.
- If you are a participant in our Corcept Cares Patient Advocate Program, our use and disclosure of your health-related information and other personal information will be pursuant to the HIPAA Authorization that you have signed as part of the Patient Enrollment Form, and as detailed further below in this Privacy Notice.
- If you are a clinical investigator submitting a proposal for our Investigator-Initiated Studies Program, please note that this is hosted outside of our Sites and that your submissions will be subject to Benevity Privacy Policy which can be accessed at https://benevity.com/privacy-policy.
Please read this notice carefully so that you understand your rights in relation to your personal information, and how we will collect, use and process your personal information. If there is any conflict between this notice and a separate, more specific privacy notice provided to you by Corcept, you should rely on the more specific notice to determine your rights and how your data will be used and processed.
We do not “sell” your personal information in the traditional sense of the word “sale.” We may, however, share certain information about you with contracted third-parties to provide better services and advertising to you. You may opt out of sharing this information, by contacting us via the “How to Contact Us” section below.
Please note that if you consented to receiving text messages from us (e.g., as part of our Patient Advocate Support program), your telephone number will not be shared with third-parties for marketing purposes.
If you do not agree with this Privacy Notice in general or any part of it, you should not access the Sites.
INFORMATION WE COLLECT
Information you give us, or we collect about you.
We may obtain some or all the following information when you contact us via our Sites or email, telephone, or otherwise through your interaction with us or use of our Sites:
- Name;
- Company affiliation;
- Email address;
- Telephone number;
- Fax number;
- Physical address;
- Whether you are (or are not) a healthcare professional and what your specialty is;
- Your photograph, social media handle or digital or electronic signature;
- Information that you choose to share with us on social media or other public forums, including our social media sites (e.g., Cushing’s Connection on Facebook or our page on LinkedIn);
- Publicly available information (such as comments describing support for and experience with Corcept products);
- Health and medical information (such as information you provide about a suspected or actual diagnosis, or information about a diagnosis received by a person you know), if support services are requested from our Patient Advocate Support program;
- Information contained in a medical information request submitted by you;
- Other information that may be required for you to use the Sites; and
- Information from third-parties such as industry and patient groups and associations.
Job applicants. Additionally, if you apply for a job via our Corcept.com Site, you may also provide us with the following information:
- Your current city and state of residency;
- Your referral source;
- Information regarding your prior employment;
- Your contact information;
- Your education;
- Your gender; and
- Your ethnicity.
This includes information provided in resumes, emails, and cover letters we receive electronically or are uploaded directly to the Site by you.
Technical Usage Information. When you visit the Sites, we collect the information sent to us by your computer, mobile phone, or other access device. This information includes:
- Your IP address;
- Device information including, but not limited to, identifier, name, and type of operating system;
- Internet service provider and mobile network information;
- Date and time of your visit;
- Time spent on our site;
- Standard web information, such as your browser type and the pages you access on our Sites; and
- Websites visited just before and just after our Sites (including any third-party websites that link to our Sites, if you followed a link to or from our Sites).
HOW WE USE INFORMATION ABOUT YOU
In order to be responsive to you and to maintain our relationship, as a matter of our legitimate interests, we may use your information to:
- Communicate with you;
- Identify our users;
- Administer and provide services for you;
- Optimize or improve the content, services, and features of the Sites;
- Enforce our Sites’ terms and conditions;
- If you have opted into marketing, communicate with you about products, services, promotions, events and other news and information we think will be of interest to you;
- Create anonymized and aggregated data sets that may be used for a variety of functions, including research, internal analysis, analytics, and other functions;
- Process your application for employment;
- Comply with any legal obligations or respond to legal proceedings; or
- Detect, investigate, and prevent activities that may violate our policies or be illegal.
In addition, we will use some or all the information described in this notice to comply with any applicable legal obligations.
To the extent you are located in the European Economic Area (EEA) / UK, where you have provided health information (see section “Special Categories of Data” below) or ethnicity information as described above, we will use this information for the above purposes on the basis of your explicit consent, which we will ask you to provide before providing any health or ethnicity information to us.
Technical Usage Information: we use technical usage information about you to:
- Personalize our Sites to ensure content from the Sites is presented in the most effective manner for you and your device;
- Monitor and analyze trends, usage activity in connection with our Sites and services to improve the Sites;
- Administer the Sites and for internal operations, to conduct troubleshooting, data analysis, testing, research, statistical and survey analysis;
- Keep the Sites safe and secure; and
- Measure and understand the effectiveness of the content we serve to you and others.
Special Categories of Data: for residents of the EEA / UK, with your consent, we will use your health-related information (i.e., special categories of personal data under the GDPR and UK GDPR) described in this Privacy Notice to:
- Register you for optional support via our Korlym Patient Advocate Support program on the Korlym.com Site;
- Register you to receive opt-in updates relating to hypercortisolism and other information on any of the Sites; or
- Respond to your submitted medical information requests or social media comments via any of the Sites.
HOW AND WHERE WE STORE, SHARE AND TRANSFER YOUR PERSONAL INFORMATION
To the extent you are located in the EEA / UK, please note that the information that we collect from you may be stored/processed in the US. We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this notice. We may share your information with the following categories of recipients:
- Corporate Affiliates, for a variety of purposes, including business, operational, and marketing purposes;
- Cloud storage providers, to store the personal information you provide and for disaster recovery services, as well as for the performance of any contract we enter with you;
- IT Service providers, which provide us with SaaS services we use to store our customer relationship management, emails and Site information;
- Advertisers and advertising networks, which, provided you have consented, require the data to select and serve relevant advertisements to you and others; and
- Background reference agencies, which, provided you have consented, collect your information for the purpose of performing background checks, as part of our hiring process.
To the extent you are located in the EEA / UK, and your personal information is transferred to the above recipients in the US or to any other country not deemed to provide an adequate level of protection by the European Commission or UK government, such information will be transferred pursuant to the European Commission’s model contracts for the transfer of personal information to third-countries (i.e., the standard contractual clauses). Please contact us at corcept.dpo@mydata-trust.info if you wish to examine the data transfer safeguards entered by us.
We will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:
- Comply with a legal obligation, process or request;
- Enforce our terms and conditions for using our Sites and other agreements, including investigation of any potential violation thereof;
- Detect, prevent or otherwise address security, fraud or technical issues; or
- Protect the rights, property or safety of us, our users, a third-party or the public as required or permitted by law (exchange information, with other companies and organizations for the purposes of fraud protection and credit risk reduction).
We will also disclose your information to third-parties:
- If we sell any business or assets that requires the transfer of your information; or
- If we, or substantially all our assets, are acquired by a third-party, in which case information held by us about our users will be one of the transferred assets.
In the event any of the above situations apply, the buyer of our business or assets will be subject to the terms and conditions of this notice.
We may also provide third-parties with statistical information about our users (but those third-parties will not be able to identify any individual user from that information).
We will retain your information as follows:
- information provided by you in connection with a request for communication using one of the Sites will be kept for as long as necessary to fulfil your request, unless you unsubscribe from communication; and
- job applicant information for approximately 4 years for unsuccessful candidates, and for successful candidates, the duration of employment and approximately 4 years thereafter. For unsuccessful applicants from France, we will keep your information for six months.
- Effective January 1, 2022, California employers must preserve employee records for four years from a non-hire application and four years from an employee’s termination date.
We will also retain and use your information in identifiable form to the extent necessary to comply with our legal obligations, resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies. Following this period, we will store your information in an aggregated and anonymised format; we may use this information indefinitely without further notice to you.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third-parties.
APPLICABLE REGULATIONS
We collect and use your personal information in compliance with applicable privacy and data protection regulations, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”)), the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, “ePrivacy”), The California Consumer Privacy Act (“CCPA”), The Californian Online Privacy Protection Act (“COPPA”) and any applicable law.
CCPA NOTICE FOR CALIFORNIA RESIDENTS
The California Consumer Privacy Act (“CCPA”) regulates how businesses handle “personal information” (as such term is defined in the CCPA) of California residents and gives California residents certain rights with respect to their personal information. If you are a resident of California, we are required to inform you of how we use and disclose your personal information and certain rights you may have under the CCPA.
In the chart below, we have described the categories of personal information that we have collected and shared over the past twelve (12) months, the purposes for such collection and the types of entities with whom we have shared such information.
| CATEGORY OF PERSONAL INFORMATION | SOURCES OF INFORMATION | PURPOSE OF COLLECTION | WHOM WE SHARE PERSONAL INFORMATION WITH |
|---|---|---|---|
| Identifiers / Categories of Personal Information described in Cal. Civil Code § 1798.80(e), such as your name, username, email address, IP address, health-related information. | We collect this information directly from you. | We collect this information to communicate with you, provide, personalize and improve the Sites, and to perform other business purposes. | Certain professional service providers that help us provide the Sites and services. |
| Internet or other electronic network activity information, such as cookies, web logs, IP address, and information about how you use our Sites. | We collect this information from your computer or your device. | We collect this information to personalize and improve the Sites and to perform other business purposes. | Advertising networks, internet service providers, professional services providers (incl. data analytics providers), operating systems and platforms, social networks. |
| Professional or employment-related information, such as your company name and address and any information that you provide in your job application you provide to us. | We collect this information directly from you as well as from third-party sources, such as recruiters and employment websites; and from publicly available sources, like government records, or from information you have made public, including by posting or publishing it online. | To consider you for employment and otherwise provide employee-related services. | Service providers and government agencies. |
| Protected classificationsunder California or federal law (i.e., race, religion, sexual orientation, gender identity, gender expression, age). | Directly from you and from third-parties, including those to whom you have previously provided data. | For our everyday business purposes such as to process your requests, inquiries, or other communications with us.To conduct research related to our current or prospective products or services.
To respond to law enforcement requests as required by applicable law, court order, or government regulation. |
Service providers and government agencies. |
| Education information, such as your college records. | We collect this information directly from you as well as from third-party sources, such as recruiters and employment websites. | To consider your application for employment. | Service providers and government agencies. |
| Inferences drawn from any of the information identified above, such as your preferences, interests, and other information used to personalize your experience. | This information is derived from the categories above. | We collect this information to personalize and improve the Sites and to perform other business purposes. | Service providers |
You can turn off tracking and sharing of your personal information in the Cookie Notice section below.
MHMDA NOTICE FOR WASHINGTON RESIDENTS
If you are a resident of Washington, please read this notice carefully. It explains Corcept’s collection, use and sharing of Consumer Health Data as that term is used in the Washington My Health My Data Act (“Washington Health Act”), as well as the rights you may have.
Consumer Health Data We Collect
The types of Consumer Health Data that we may collect include:
- Patient advocacy program-related health information, such as information about your health-related conditions, symptoms, statuses, diagnoses, testing, treatment, social, psychological, behavioral and medical interventions, and medication when we interact with you in connection with our Corcept Cares Patient Advocate Program or provide to you other patient advocacy programs (collectively, “Corcept Patient Programs”).
- Information related to our health educational materials, such as information about how you interact with resources that we may make available to you, including through our websites and email communications, that describe symptoms of certain health conditions and other related educational materials. Such information may include your IP address, online identifier, browser details, and other technical information about your interactions with the educational content.
- Information related to care support groups that we host or support, such as Cushing Connection on Facebook. This includes information about your membership in such groups, and other information that you choose to share within or about the groups on social media platforms. Such information may include your profile, biography, content that you post, and technical information about your interactions with the groups.
Sources of Consumer Health Data
We may collect Consumer Health Data about you:
- Directly from you. We may collect Consumer Health Data about you when you enroll in Corcept Patient Programs and as you utilize elements of these programs. This may include, for example, when you communicate with patient advocates and other parties involved in delivering Corcept Patient Programs, update your account information, respond to surveys and other requests for information from Corcept.
- Automatically from you. We may collect Consumer Health Data about you when you interact with our websites, including certain educational content that we may make available, as further described above.
- Through service providers and third parties. We may collect Consumer Health Data from or through service providers and third parties that help us provide the Corcept Patient Programs, our websites (including educational content), care support groups, and other products or services. These may also include entities that help us administer, analyze, and improve our products and services, including for clinical trial and research purposes.
How We Use Consumer Health Data About You
We may use Consumer Health Data about you to manage our Corcept Patient Programs and for the purposes listed under the “How We Use Information About You” tab in our Privacy Notice.
How We Share Consumer Health Data About You
We may share the categories of Consumer Health Data with service providers and third parties as described above and as listed under the “How and Where We Store, Share and Transfer Your Personal Information” tab in our Privacy Notice.
How to Exercise Your Rights
Depending on where you reside, you may have certain rights under the Washington Health Act, such as:
- to obtain access to the Consumer Health Data that we collect about you, together with a list of all third parties and affiliates with whom we share your Consumer Health Data and contact information for these third parties and affiliates,
- to withdraw any consent you may have provided for the use or sharing of your Consumer Health Data, or
- to delete the Consumer Health Data that we collect about you.
To exercise the rights described above, please submit a verifiable consumer request to us by:
- Contacting our DPO at dataprotectionofficer@corcept.com;
- Completing our online form on our website, by clicking here;
- If you are based in the United States, by calling Us at Our toll-free telephone number 1-855-212-CORT (1-855-212-2678)
The Washington Health Act also allows you to contact the Washington State Attorney General if you are not satisfied with the outcome of a rights request made to us – visit www.atg.wa.gov/ for contact information.
SOCIAL FEATURES
Certain features of the Sites permit you to initiate interactions between the Site and third-party services or platforms, such as social networks (“Social Features”). Social Features include features that allow you to click and access Corcept’s pages on certain third-party platforms, such as Facebook and Twitter, and from there to “like” or “share” our content on those platforms. Use of Social Features may entail a third-party’s collection and/or use of your data. If you use Social Features or similar third-party services, information you post or otherwise make accessible may be publicly displayed by the third-party service you are using. Both Corcept and the third-party may have access to information about you and your use of both the Site and the third-party service. See below for more information on third-party websites and links.
THIRD-PARTY WEBSITES AND LINKS
Our Site may contain links to other online platforms operated by third-parties. We do not control such other online platforms and are not responsible for their content, their privacy policies, or their use of your information. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms (such as Facebook or Twitter) may also be viewable by other users of the Site and/or users of those third-party online platforms without limitation as to its use by us or by a third-party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators except as disclosed on the Site. We expressly disclaim any and all liability for the actions of third-parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third-parties. Any information submitted by you directly to these third-parties is subject to that third-party’s privacy policy.
THE SECURITY OF YOUR PERSONAL INFORMATION
Unfortunately, the transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted through the Sites or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal information against loss, theft and unauthorized use, access or modification.
YOUR RIGHTS AND HOW TO CONTACT US
Depending on which Data Protection Laws are applicable to you, you may have rights in relation to the personal information we hold about you. Below is an outline of those rights and how to exercise them. Please note that we will require you to verify your identity before responding to any requests to exercise your rights. Please also note that these rights are not absolute and will be assessed on a case-by-case basis by Corcept’s Data Protection Officer. In case of denial of a request, we will let you know the reasons for such denial.
- Access. You have the right to obtain information related to the processing of personal information, including categories and types of personal information processed, reasons for the processing, the length of time such personal information is kept, third parties to whom your personal information was made available, and a copy of the personal information being processed.
- Rectification. You have the right to require rectification of inaccurate or incomplete data about you.
- Deletion (“Right to be forgotten”). You have the right to request the deletion of your personal information.
- Restrict processing. You have the right to restrict processing of your personal information under certain specified circumstances.
- Data portability. You have the right to request the transfer of your personal information either to yourself or to another organization, in a machine-readable form.
- Object to processing. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data.
- Right to withdraw consent. When you have given your explicit consent for the processing of your personal information, you can withdraw it at any time without any cost nor justification.
- The right to equal services and prices. You have the right not to be denied goods or services, not to be charged a higher price, and not to be provided a different level or quality of goods or services based on the exercise of your rights.
If you would like to exercise your rights, please let us know by:
- Contacting our DPO at dataprotectionofficer@corcept.com;
- Completing our online form on our website, by clicking here;
- If you are based in the United States, by calling Us at Our toll-free telephone number 1-855-212-CORT (1-855-212-2678)
You also have the right to lodge a complaint with the respective authorities of your place of residence if you consider that your personal information is not processed in accordance with Data Protection Laws.
CHILDREN
We do not knowingly collect or solicit personal information from anyone under the age of 18. If we learn that we have collected personal information from a child under age 18, we will delete that information. If you believe that we might have any such information from or about a child under 18, please contact us at dataprotectionofficer@corcept.com.
CHANGES
Any changes we will make to this Notice in the future will be posted on this page. Please check back frequently to see any updates or changes to this Notice.
COOKIE NOTICE
COOKIES AND OTHER TRACKING TECHNOLOGIES
We and certain third-parties, use cookies and other technologies (“Tracking Technologies”) to collect personal data and to store information or gain access to information stored on your device, when you use our Sites. This notice tells you more about Tracking Technologies and how we use them in our Sites. When you enter our Sites, you can accept our cookies, or you can manage your cookie preferences through your browser settings. In some cases, when you disable certain cookies, some functions of the Sites may not work.
WHAT ARE TRACKING TECHNOLOGIES?
Tracking Technologies can remain on your device for different periods of time. Some Tracking Technologies exist only while your browser is open. These are deleted automatically once you close your browser. Other Tracking Technologies are “permanent”, meaning that they survive after your browser is closed. They can be used to recognise your device when you open your browser and browse the internet again.
- Cookies. Cookies are small text files, stored on your browser, that uniquely identify your browser or device. Cookies improve your user experience, for example, by enabling our Sites to recognise you when you re-visit, remember your preferences, and provide you with the ability to use customised features. Cookies are also used to make websites work in an efficient way and to ensure adverts you see online are relevant to you and your interests. You can find more information about cookies at www.allaboutcookies.org.
- Pixels. Pixels are small portions of code that we use as part of our Sites. We use pixels to learn whether you have clicked on certain web content. This helps us measure and improve our services and personalize your experience.
- Web beacons. Web beacons are invisible picture files that we use as part of our Sites. We use web beacons to see how you interact with our Sites and to understand how often you view certain content so that we can make our Sites more efficient and easier to use. Our Sites may also carry web beacons placed by third-party advertisers.
- Mobile device IDs. Mobile device IDs are a unique identifier which can be used to identify a mobile device. We use these to run analytics and ensure our Sites are useful to you. Our advertising partners use these to show you ads that are useful to you and also to make sure they don’t show the same ad to you twice.
- Local storage. We also use local storage to store data on your device such as the last time you visited a webpage, to remember which items you put in our shopping cart or to welcome you to our site.
- HTML5 local storage. We occasionally store information locally on your device using HTML5. This allows information to be stored in your browser after the browser has been closed and reopened. We only use HTML5 to store non-sensitive information, such as the previous page you viewed, the name of the current page you are viewing, and some of your preferences. We do use HTML5 local storage to collect personal data from you. You can choose whether the data in HTML5 local storage should be kept beyond your current browser session or deleted. Depending on your browser, you can remove local storage, including HTML5, when clearing your cache and cookies.
HOW DO WE USE TRACKING TECHNOLOGIES?
We use first-party and third-party Tracking Technologies. First-party Tracking Technologies are set directly by us whereas third-party Tracking Technologies are set by a third-party (such as analytics providers, our advertisers and business partners).
We use Tracking Technologies that perform the following functions:
- Essential Tracking Technologies, which are essential to the functioning of our Sites, to provide a service requested by you or to comply with the law (e.g. the security requirements of data protection law). We do not need to obtain your consent in order to use these Tracking Technologies and these Tracking Technologies cannot be turned off as we cannot provide the Sites without them.
- Functionality Tracking Technologies, which allow us to remember choices you make and provide enhanced and personalised features e.g. to show you when you are logged in.
- Performance Tracking Technologies, which enable us to collect information about your online activity (e.g. the duration of your use of the Sites), including behavioural data and content engagement. They allow us to provide you with a better user experience and to maintain, operate and continually improve the Sites.
- Social Media Tracking Technologies, our Sites include social media features, such as Facebook “Like” or “Share” buttons. These features are hosted by a third-party and enable us or the social network to obtain information about how you interact with our Sites or the social network. In addition, where we have a presence on social media platforms, those platforms will set Tracking Technologies on your device when you visit our pages on their platforms so that we can obtain statistical information about how you interact with our social media presence. The cookies notice of the social media platform should explain how you can manage the Tracking Technologies that they set, or you may also be able to manage these Tracking Technologies through using your browser settings.