×

Important Information

This section of the website (the “Microsite”) of Mereo BioPharma Group plc (the “Company”) has been prepared solely for your information and for the purpose of providing background information on the Company, its business, the upcoming general meeting of the Company’s shareholders, and the industry in which the Company operates or any particular aspect thereof. For further information, please see the shareholder circular published by the Company in connection with the General Meeting which is available at www.mereobiopharma.com/GeneralMeeting2022 or at sec.gov.

The information contained in the Microsite has not been independently verified and no representation or warranty, express or implied, is made or given by or on behalf of the Company or any of its subsidiaries, or any of any such person’s directors, officers, employees, agents, affiliates or advisers, as to, and no reliance should be placed on, the accuracy, completeness or fairness of the information or opinions contained in the Microsite and no responsibility or liability is assumed by any such persons for any such information or opinions or for any errors or omissions. All information presented or contained in the Microsite is subject to verification, correction, completion and change without notice. In making available the Microsite, none of the Company or any of its subsidiaries, or any of any such person’s directors, officers, employees, agents, affiliates or advisers, undertakes any obligation to amend, correct or update the information contained in the Microsite or to provide the recipient with access to any additional information that may arise in connection with it. Accordingly, undue reliance should not be placed on any of the data contained in the Microsite.

Forward-Looking Statements

The Microsite and the information in it contain “forward-looking statements.” All statements other than statements of historical fact are forward-looking statements within the meaning of Section 27A of the United States Securities Act of 1933, as amended, and Section 21E of the United States Securities Exchange Act of 1934, as amended. Forward-looking statements relate to future events, including, but not limited to, statements regarding future clinical development, efficacy, safety and therapeutic potential of clinical product candidates, including expectations as to reporting of data, conduct and timing and potential future clinical activity and milestones and expectations regarding the initiation, design and reporting of data from clinical trials. Forward-looking statements are often identified by the words “believe,” “expect,” “anticipate,” “plan,” “intend,” “foresee,” “should,” “would,” “could,” “may,” “estimate,” “outlook” and similar expressions, including the negative thereof. The absence of these words, however, does not mean that the statements are not forward-looking. These forward-looking statements are based on the Company’s current expectations, beliefs and assumptions concerning future developments and involve risks and uncertainties that could cause actual results, performance, or events to differ materially from those expressed or implied in such statements. You should carefully consider the foregoing factors and the other risks and uncertainties that affect the Company’s business, including those described in the “Risk Factors” section of its latest Annual Report on Form 20-F, reports on Form 6-K and other documents furnished or filed from time to time by the Company with the Securities and Exchange Commission. You should not place undue reliance on any forward-looking statements, which speak only as of the date hereof. The Company undertakes no obligation to publicly update or revise any forward-looking statements after the date they are made, whether as a result of new information, future events or otherwise, except to the extent required by law. The Microsite and the information in it also contain estimates, projections and other information concerning the Company’s business and the markets for the Company’s product candidates, including data regarding the estimated size of those markets, and the incidence and prevalence of certain medical conditions. Information that is based on estimates, forecasts, projections, market research, or similar methodologies is inherently subject to uncertainties and actual events, or circumstances may differ materially from events and circumstances reflected in this information. Unless otherwise expressly stated, the Company obtained this industry, business, market and other data from reports, research surveys, clinical trials studies and similar data prepared by market research firms and other third parties, from industry, medical and general publications, and from government data and similar sources.

OK

Privacy Notice

PRIVACY NOTICE FOR MEREO BIOPHARMA GROUP PLC

Contents

REVISION HISTORY

 

 

 

1.     Introduction

This Privacy Notice (this “Notice”) is made available by Mereo Biopharma Group plc and its affiliated entities (referred to as “Mereo”, “we”, “us” or “our”), and is intended to assist you in understanding how we collect, process, secure, and transfer personal data. We also describe how you can contact us to learn more information about our privacy practices. The terms “you”, “your” or “user” refer to the person interacting with Mereo via this website or in any other capacity including as a professional adviser, employee or contractor, investor, vendor or any other entity interacting with us on behalf of another person.

2.     Link with other Privacy Notices

If you are an employee of Mereo, the information about how we handle your personal information is located in IRIS and will have been notified to you when you first joined Mereo.  If you are a contractor, the information will be available on Mereo’s intranet.

If you are a prospective employee or job applicant of Mereo, we will provide you with information about how we handle your personal information for recruitment purposes in our “Recruitment Privacy Notice.” This will be provided to you when you commence any of our recruitment initiatives.

If you are a vendor, we will provide you with our privacy notice for vendors and business partners as part of our vendor onboarding process.

It is important that you read this Notice together with any other privacy notice that we may provide you with so that you are fully aware of how and why we are using your data. This Notice supplements any other privacy notices and privacy policies that we may provide to you and is not intended to supersede them.

3.     Who we are 

Mereo Biopharma Group Plc is the Data Controller and is responsible for the processing of your personal data.

4.     The data we collect about you 

Mereo will collect and may utilize your personal data for the purposes described below:

Category of Data

Purpose for Data Processing

Contact details (Example, your name, nationality, postal address, telephone number, e-mail address)

  • Facilitating communications.
  • Communicating to provide you with information.
  • Responding to your requests or communications.

Identification information such as passport ID, date of birth, other paper copies of identity

  • Verifying your identity as part of our vendor / employee onboarding process.
  • Facilitating compliance with applicable laws, regulations or other requirements.

Data about your directors, employees and/or agents

  • Maintaining, tracking, or interacting with marketing leads.

Relationship Data e.g. your connection/ relationship with Mereo and your mode of interaction with Mereo.

  • Maintaining records of your relationship with Mereo, including  carrying out your instructions to us.
  • Assessing, analysing and improving our service and training our staff.
  • Managing our relationship with you - including (if you agree or unless you tell us otherwise) telling you about our pipeline products, or carrying out market research

Payment Transactions Data (e.g. bank account details, payment order or other financial data including information regarding your tax status or the source of your assets)

  • Preparing, providing and the provision of requested services.
  • Billing, maintaining accounts, and preparing invoices.
  • Managing and administering your accounts and holdings.
  • Facilitating compliance with applicable laws, regulations, or other requirements.

Risk Data/Ratings including credit risk ratings and risk identification information, predicted transactional behaviour, client/vendor due diligence and periodic review results, financial crime risk management (FCRM) rating, external intelligence reports and screening alerts (e.g. KYC data, Transaction Screening, Name Screening, AML), unusual activity information (SARs and UARs).

  • Detecting and preventing fraud and money laundering.
  • Identifying politically exposed persons.
  • Corresponding with solicitors, and third-party intermediaries; assessing your investment requirements and/or eligibility for certain investment products.
  • Managing our internal operational requirements for risk management.
  • System product development and planning, insurance, audit and administrative purposes.

 

Investigations Data (Structured or unstructured personal information derived from investigations on internal Mereo business practices, processes and operations). Grey information e.g. allegations of wrongdoing, considered unproven or highly sensitive.

  • Managing our internal operations requirements for risk management purposes.

 

Information Security Risk Data such as employee’s email addresses in connection with potential data breaches

 

  • §  To manage the information security threat environment.

Other Financial Data including investment portfolio/fund details, investment fund details

and Market Trades data including information about ownership by individuals or organisations.

  • Keeping track of all financial transactions connected to Mereo.

 

Communications Data including e-mail information, third party information, chat information, instant messages, corporate and media broadcasts, disputes or litigation, correspondence between solicitors and stakeholders and transcripts or minutes.

 

  • Keeping track of our communication with you, managing our relationship with you.
  • Maintaining a technology-related log or monitoring significant events.
  • To check your instructions to us, assess, analyse and improve our service, train our staff, manage risk or to prevent and detect fraud and other crimes.

Internal investigations data including content and meta-data related to communication between and among individuals, organisations, workers, prospects, customers, other stakeholders and Mereo regarding any Mereo activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfilment.

  • Investigating matters connected with you.

Complaints information including personal data contained in disputes/litigation case files, legal documents,  legal billing and time booking information.

  • To investigate complaints involving Mereo.

We also collect, use and share Aggregated Data for various purposes. For example, your website usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.

We do not collect on our website, any Special Categories of Personal Data about you (example, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health or about criminal convictions and offences). However, where this is collected regarding our employees or as part of a clinical trial, we will clearly indicate in the relevant privacy notice what special category of personal data is collected and the purposes and legal bases for processing the data.

5.     Legal basis for processing your personal data

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates). We will only use your personal data when the law allows us to. We may also use your personal data, where necessary in the following circumstances:

  • to perform our obligations under our contract with you;
  • to comply with legal and regulatory obligations;
  • to establish, exercise or defend our legal rights and/or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
  • with your consent.

Generally, we do not rely on consent as a legal basis for processing your personal data in circumstances where: (i) the law specifies that we have to process your personal data; (ii) we need to process your data to perform a contract with you; (iii) we have a public interest to do so; or (iv) we have a legitimate business reason for doing so.

6.     Disclosures of your personal data

Where necessary to fulfil the purposes described in this Notice, Mereo may disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.

Whenever Mereo shares your personal data with companies acting as our authorized agents and service providers, these companies agree to use your personal data only for specified purposes. Furthermore, the recipient will implement and maintain reasonable security procedures and practices appropriate to the nature of your information to protect your personal data from unauthorized access, destruction, use, modification or disclosure.

We will transfer and disclose your personal data to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

Category of Third-Party  

 

Purpose for Disclosure

 

Subsidiaries and affiliated entities

 

  • Internal business requirements.
  • In connection with investment opportunities.
  • Internal research and statistical analysis purposes.

Service Providers

who work for, or provide services to us (including their employees, sub-contractors, directors, officers or any professional service provider, such as accountants, auditors, lawyers)

 

 

  • To support Mereo’s commercial/business objectives.
  • To render professional advice where there is a dispute over a transaction.
  • IT performance-related monitoring, maintenance, or security.
  • Performing analytics to help in website or application planning and development.

Cloud storage solutions

  • To store Mereo data.
  • To ensure the safety and security of our data.

Vendors or suppliers

  • Billing, maintaining accounts, and preparing invoices.

Law enforcement, government, courts or regulators, or fraud prevention agencies

  • To verify your identity.
  • Mereo’s public or legal duty to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights.

Professional Consultants

  • To provide professional/expert advice in connection with Mereo’s business objectives.

Other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents.

  • To meet our legal, regulatory and compliance obligations.

Any prospective or new Mereo companies (e.g. if we restructure, or acquire or merge with other companies) or any businesses that buy part of or all of a Mereo company.

  • In relation to compliance / due diligence / Transfer of Undertakings Protection of Employees (TUPE).

Companies that do marketing or market research for us (where required, with your permission)

  • To market Mereo’s pipeline products.
  • In connection with the commercialisation of Mereo’s assets.

Entities dealing with Mereo in relation to your investment and contract with us - e.g. financial adviser, your beneficiaries, intermediary, agent banks, clearing houses or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us.

  • For purposes connected to your investment, dealings and contract with Mereo.

7.     International cross-border data transfers

Because Mereo operates globally, your data may be transferred outside of the country in which you interact with Mereo, including to countries whose data protection laws substantially differ from the country in which you work or reside. To accomplish the purposes described in this Notice, we may also disclose and transfer personal data to personnel and other departments throughout Mereo. For example, your personal data may be transferred or accessed by Mereo and its affiliate entities in the United States of America.

Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see here.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see here or here, for transfers from the United Kingdom.

Please contact us here if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

8.     Data security

Mereo will implement appropriate technical and organizational security measures necessary to adequately safeguard your personal data. These safeguards will include, for example:

Security Measures

  • Access to Personal Data is limited and provided only where necessary, to those employees, agents, contractors and other third parties who have a business need to know.
  • All employees handling Personal Data receive security and privacy awareness training, will only process your personal data on our instructions and are subject to a duty of confidentiality.
  • Employees with access to Personal Data are given the least privilege necessary
  • We have robust procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
  • A disciplinary policy is enforced to prevent unauthorized access
  • where technically feasible, data is encrypted in transit and at rest

9.     Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.  By law, we have to keep basic information about our clients (including contact, identity, financial and transaction data) for six years after they cease being clients for tax purposes.

In some circumstances you can ask us to delete your data: see your legal rights below for further information.

In some circumstances we will anonymise your personal data (so that it is no longer your personal information as it cannot be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

10.   Your legal rights

You may have rights relating to your Personal Data. Depending on the applicable data privacy law, you may have the right to direct Mereo to take certain actions related to your personal data. You may have the right to request confirmation as to whether Mereo is processing your personal data, and if so:

  • You may have the right to request information relating to the categories of data involved, purposes of processing, recipients of your data, retention periods/criteria, and your rights as a Data Subject.
  • You may have the right to access any of your personal data that Mereo is processing.
  • You may have the right to rectify any inaccurate or incomplete personal data that Mereo is processing.
  • You may have the right to request erasure or restriction of any personal data that Mereo is processing, subject to certain exceptions.
  • You may have the right to obtain a copy of your personal data in a commonly-used and machine-readable format.
  • You may have the right to request your information not be sold or otherwise disclosed to a third-party.
  • You may have the right to lodge a complaint with your local Data Protection Authority or Supervisory Authority.

To exercise the rights described above, please email dpo@mereobiopharma.com with a description of your request.

If you a resident of California, you may submit your request by phone at 833-967-0008 or use the contact information above.

11.   Changes to the Notice

We keep our privacy notices under regular review. This version was last published in April 2022.

We reserve the right, at our discretion, to change, modify, add or remove sections of this Notice at any time. You are encouraged to review this Notice from time to time for updates, or to contact Mereo for more information.

12.   Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. You are responsible for making sure the information you give us is accurate and up to date.  You must tell us if anything changes, as soon as possible.

13.   Consequences of Not Providing Personal Information to us

Providing your personal data to Mereo is voluntary for you. Should you choose not to provide your personal information to us, your interaction with us may be adversely impacted. Also, the provision of your personal information may be necessary to allow us to perform a contract with you and/or to provide services to you.

Providing Mereo with other people’s data

If you give us any personal information that does not relate to you (e.g., information about your financial adviser and/or your employees), you must ensure that you have the required legal basis to collect and share such personal information. You must also tell them what information you have given to us, and make sure they agree we can use it as set out in this policy. You must also tell them how they can see what information we have about them and correct any mistakes.

14.   Third-Party Links 

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.  When you leave our website, we encourage you to read the privacy policy of every website you visit.

Questions?

If you have any questions about this Notice, the use of your data, or if you would like to make a request to exercise your data protection rights, please contact the Data Protection Officer using the details set out below.

Email: dpo@mereobiopharma.com and mark your query “For the urgent attention of the Data Protection Officer”.

Post: Data Protection Officer, Mereo Biopharma Group Plc, 1 Cavendish Place, London, W1G 0QF, United Kingdom.

Glossary:

“Data Controller” means the person or organisation that determines how and why your data is being collected and used.

“Personal data” refers to any information relating to an identified or identifiable natural person, whether that information can be used alone or in conjunction with other information to identify a natural person.

“Aggregated Data” means summarised data derived from your personal data. Examples are statistical or demographic data. It is not considered personal data in law as this data will not directly or indirectly reveal your identity.

“Process” (or “Processing”) means any operation or set of operations which is performed on personal data or sets of personal data, whether by automated means, such as collection, use, and erasure.

REVISION HISTORY

Effective Version

Description of changes

Effective date

1.0

First Version

[TBA]