Privacy Policy

1. Introduction

This Privacy Notice (this “Notice”) is made available by Mereo Biopharma Group plc and its affiliated entities (referred to as “Mereo”, “we”, “us” or “our”), and is intended to assist you in understanding how we collect, process, secure, and transfer personal data. We also describe how you can contact us to learn more information about our privacy practices. The terms “you”, “your” or “user” refer to the person interacting with Mereo via this website or in any other capacity including as a professional adviser, employee or contractor, investor, vendor or any other entity interacting with us on behalf of another person. The Osteogenesis Imperfecta Federation of Europe, the OI Foundation, and Wickenstones Ltd, partners of the IMPACT Survey alongside Mereo BioPharma, are also responsible for the collection, processing, securing, and transferring of personal data collected through the IMPACT Survey website.

2. Who we are

Mereo Biopharma Group Plc, Wickenstones Ltd, Osteogenesis Imperfecta Federation of Europe, and the Osteogenesis Imperfecta Foundation are the Data Controllers and are responsible for the processing of your personal data.

3. The data we collect about you

Mereo will collect and may utilize your personal data for the purposes described below:

Category of Data

Contact details (for example, your name, nationality, postal address, telephone number, e-mail address)

Purpose for Data Processing

  • Facilitating communications.

  • Communicating to provide you with information.

  • Responding to your requests or communications.

  • To respond to your request to access IMPACT data. A representative of the Data Management Committee will contact you.

We also collect, use and share Aggregated Data for various purposes. For example, we may aggregate your website usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice. We do not collect, on our website or at events, any Special Categories of Personal Data about you (for example, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health or about criminal convictions and offences) unless you give us specific permission to collect that information.

4. Legal basis for processing your personal data

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates), for example to monitor, provide and maintain secure access to our website. We will only use your personal data when the law allows us to. We may also use your personal data, where necessary, in the following circumstances:

  • We process your data under our legitimate interest;

  • to comply with legal and regulatory obligations;

  • to establish, exercise or defend our legal rights and/or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and

  • with your consent.

5. Legal basis for processing your personal data

Where necessary to fulfil the purposes described in this Notice, Mereo may disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.

Whenever Mereo shares your personal data with companies acting as our authorized agents and service providers, these companies agree to use your personal data only for specified purposes. Furthermore, the recipient will implement and maintain reasonable security procedures and practices appropriate to the nature of your information to protect your personal data from unauthorized access, destruction, use, modification or disclosure. We will transfer and disclose your personal data to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

Category of Third-Party

Subsidiaries and affiliated entities

Purpose for Disclosure

  • Internal business requirements.

  • Internal research and statistical analysis purposes.

Category of Third-Party

Service Providers who work for, or provide services to us (including their employees, sub-contractors, directors, officers or any professional service provider, such as accountants, auditors, lawyers)

Purpose for Disclosure

  • To support Mereo’s commercial/business objectives.

  • To enable the Data Management Committee to respond to requests for access to the IMPACT Survey data.

  • To render professional advice where there is a dispute over a transaction.

  • IT performance-related monitoring, maintenance, or security.

  • Performing analytics to help in website or application planning and development.

Category of Third-Party

Cloud storage solutions

Purpose for Disclosure

  • To store Mereo data.

  • To ensure the safety and security of our data.

Category of Third-Party

Law enforcement, government, courts or regulators, or fraud prevention agencies

Purpose for Disclosure

  • To verify your identity.

  • Mereo’s public or legal duty to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights.

Category of Third-Party

Professional Consultants

Purpose for Disclosure

  • To provide professional/expert advice in connection with Mereo’s business objectives.

Category of Third-Party

Any prospective or new Mereo companies (e.g. if we restructure, or acquire or merge with other companies) or any businesses that buy part of or all of a Mereo company.

Purpose for Disclosure

  • In relation to compliance / due diligence / Transfer of Undertakings Protection of Employees (TUPE).

6. International cross-border data transfers

Because Mereo operates globally, your data may be transferred outside of the country in which you interact with Mereo, including to countries whose data protection laws substantially differ from the country in which you work or reside. To accomplish the purposes described in this Notice, we may also disclose and transfer personal data to personnel and other departments throughout Mereo. For example, your personal data may be transferred or accessed by Mereo and its affiliate entities in the United States of America.

Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and the ICO in the UK. For further details, see here.

  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see here or here, for transfers from the United Kingdom.

    Please contact us here if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Data security

Mereo will implement appropriate technical and organizational security measures necessary to adequately safeguard your personal data. These safeguards will include, for example:

Security Measures

  • Access to Personal Data is limited and provided only where necessary, to those employees, agents, contractors and other third parties who have a business need to know.

  • All employees handling Personal Data receive security and privacy awareness training, will only process your personal data on our instructions and are subject to a duty of confidentiality.

  • Employees with access to Personal Data are given the least privilege necessary.

  • We have robust procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • A disciplinary policy is enforced to prevent unauthorized access.

  • Where technically feasible, data is encrypted in transit and at rest.

8. Data retention

We will retain your data for no longer than necessary to fulfil the purposes we collected it for. You can find out more details by contacting our DPO. In some circumstances you can ask us to delete your data: see your legal rights below for further information. In some circumstances we will anonymise your personal data (so that it is no longer your personal information as it cannot be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

You may have rights relating to your Personal Data. Depending on the applicable data privacy law, you may have the right to direct Mereo to take certain actions related to your personal data. You may have the right to request confirmation as to whether Mereo is processing your personal data, and if so:

  • You may have the right to request information relating to the categories of data involved, purposes of processing, recipients of your data, retention periods/criteria, and your rights as a Data Subject.

  • You may have the right to access any of your personal data that Mereo is processing.

  • You may have the right to rectify any inaccurate or incomplete personal data that Mereo is processing.

  • You may have the right to request erasure or restriction of any personal data that Mereo is processing, subject to certain exceptions.

  • You may have the right to obtain a copy of your personal data in a commonly-used and machine-readable format.

  • You may have the right to request your information not be sold or otherwise disclosed to a third-party.

  • You may have the right to lodge a complaint with your local Data Protection Authority or Supervisory Authority.

To exercise the rights described above, please email dpo@mereobiopharma.com with a description of your request.

10. Changes to the Notice

We keep our privacy notices under regular review. This version was last published in May 2024. We reserve the right, at our discretion, to change, modify, add or remove sections of this Notice at any time. You are encouraged to review this Notice from time to time for updates, or to contact Mereo for more information.

11. Third-party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

12. Questions

If you have any questions about this Notice, the use of your data, or if you would like to make a request to exercise your data protection rights, please contact the Data Protection Officer using the details set out below.

Email: dpo@mereobiopharma.com and mark your query “For the urgent attention of the Data Protection Officer”. Post: Data Protection Officer, Mereo BioPharma Group Plc, 1 Cavendish Place, London, W1G 0QF, United Kingdom.

OIFE email: Ingunn Westerheim at ingunn.westerheim@oife.org and mark your query “For the urgent attention of the Data Point of Contact”. OI Foundation email: bonelink@oif.org and mark your query “For the urgent attention of the Data Point of Contact”.

Wickenstones Ltd email: GDPR@wickenstones.co.uk and mark your query “For the urgent attention of the Data Protection Officer”.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

13. Glossary

“Data Controller” means the person or organisation that determines how and why your data is being collected and used.

“Personal data” refers to any information relating to an identified or identifiable natural person, whether that information can be used alone or in conjunction with other information to identify a natural person.

“Aggregated Data” means summarised data derived from your personal data. Examples are statistical or demographic data. It is not considered personal data in law as this data will not directly or indirectly reveal your identity.

“Process” (or “Processing”) means any operation or set of operations which is performed on personal data or sets of personal data, whether by automated means, such as collection, use, and erasure.