Last updated: 11.23.2022
Bolt respects your privacy as part of our commitment to ethical, compliant, and responsible practices. We collect and process personal data to conduct our business operations and operate this Site.
NOTICE TO EUROPEAN USERS: Please see the Special Notice to European Users section for additional information for individuals located in the European Economic Area (which we refer to as “Europe”, and “European” should be understood accordingly) below.
IMPORTANT NOTE: this Notice does not apply in respect of matters beyond the processing of your personal data described above. For example, it does not apply in respect of our processing of personal data in performance of clinical trials we sponsor, nor in respect of our processing of personal data relating to applications for a job or other engagement with Bolt.
Personal Data We Collect
We collect different types of personal data depending on how you interact with the Site/us.
Bolt collects the following types of personal data:
- User-provided Information. If you contact us (such as through our Contact IR page) or we receive your personal data from you through any other method (e.g. email), we may collect and store any information about you that you provide, including your name and email address, professional title and company name, phone number, and we may link this information with other information about you.
- Marketing and Communications Information. We will store your preferences relating to our promotional emails, and your communication preferences.
- Device and Usage Information. We may receive information from your device, including IP address (including approximate geolocation inferred from that address), web browser type, operating system version (to the extent applicable), and device identifiers. We receive information about your interactions with our Site, such as the time spent interacting with content and the dates and times of your visits. This may include certain information collected via cookies and similar technologies (including your preferences in respect of the use of those technologies) – for more information on these technologies, please see our Cookie Notice.
How We Use Your Personal Data
The purposes for which we collect and use your personal data vary depending on your relationship or how you interact with the Site/us.
We use personal data we collect or receive in a variety of ways such as for Site functionality and for operating our business, including the following:
- Dealing with inquiries and contacts. To provide you with requested information or answer your inquiry or otherwise to deal with any contact you might make with us (such as using our Contact IR page or any ‘Contact Us’ or similar function on the Site) or any other method of communication (e.g. email), as well as any issues arising from such contacts (including replying to you) and interactions.
- Business operation. We use your personal data that we collect or receive through the Site to operate our business.
- Site operation. To operate and make available the Site, including through use of strictly necessary Cookies. This may include tracking issues that might be occurring on the Site and our systems and generally keeping our Site, services and associated systems operational and secure.
- Marketing and promotion. To send you marketing communications relating to our operations and activities (e.g., as part of a newsletter that you may be able to subscribe for via the Site) and other informational materials and content, as well as other communications that may include invitations to events or webinars hosted or sponsored by Bolt.
- Analytics. For website analytics purposes, which we may do to improve and refine the Site and our operations, including creation of aggregated, de-identified or other anonymous data (e.g., through the use of analytics cookies used to monitor and record the number of unique and repeat users on the Site, how long users stay on the Site for, and what parts or functionalities of the Site they visit and use, etc.). For more information on these technologies, please see our Cookie Notice.
- R&D. To conduct research and development activities on new technical features of the Site or associated functionalities. As part of these activities, we may create aggregated, de-identified or anonymized data from personal data. We may use this aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Site and promote our business.
- Legal Compliance. To comply with legal (including contractual), regulatory, or other requirements, including court orders or in the course of litigation or defense from legal claims.
- Protection and enforcement of rights. To protect, maintain and enforce the rights, property, or safety of Bolt, or any of our respective business partners, or other third parties in accordance with applicable laws.
- Cooperation with law enforcement. To cooperate with law enforcement authorities in investigating and prosecuting users who violate our rules or engage in behavior that is illegal or harmful to other users, including suspected fraud, or situations involving potential threats to the physical safety of any person.
- Further uses. In some cases, we may use your personal data for further uses beyond those listed above, in which case we will ask for your consent to the use of your personal data for those further purposes if they are not compatible with the initial purpose for which the information was collected.
Disclosure of Personal Data
We may disclose your personal data to third parties in the following circumstances:
- Disclosures to Third Parties Assisting in Our Operations. We work with third-party service providers to provide services for us. These third parties may have access to or process your personal data where reasonably necessary for them to perform their functions and provide their services to us.
- Disclosures to Professional Advisers. We may disclose your personal data to lawyers, bankers, auditors and insurers and other professional advisers, such as those who provide consultancy, banking, legal, insurance, accounting or similar services to us.
- Disclosures to Government Authorities. We may disclose your personal data if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws, local or foreign laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
- Disclosures Required by Law. We also reserve the right to disclose your personal data that we believe, in good faith, is appropriate or necessary to: (i) take precautions against liability; (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity; (iii) investigate and defend ourselves against any third‑party claims or allegations; (iv) protect the security or integrity of the Site and any facilities or equipment used to make the Site available; or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.
- Corporate Events. Personal data of our users may be disclosed in the context of actual or prospective corporate events (e.g., investments in Bolt, financing of Bolt, or the sale, transfer or merger of all or part of our business, assets or shares) where we may need to share certain personal data with prospective counterparties and their advisers. Personal data of our users may also be transferred to an acquirer, successor, or assignee of Bolt as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal data is transferred to one or more third parties as one of our business assets.
- Marketing and Analytics. We may make certain aggregated, automatically collected, or otherwise non-directly identifying personal data available to third parties for use by those third parties on our behalf to enable them to provide certain marketing and/or analytics services to us.
The Site may contain features or links to websites and services provided by third parties. Any information you provide on third-party sites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through our Site. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through our Site. We encourage you to learn about third parties’ privacy and security policies before navigating to those sites and providing them with information.
You may decline to share certain personal data with us, in which case we may not be able to provide to you some of the features and functionality of the Site. If you wish to access, amend or delete any personal information we hold about you, you may contact us at firstname.lastname@example.org. Please note that while any changes you make will be reflected in active user databases within a reasonable period of time, we may retain all personal data you submit for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal or regulatory obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.
If you receive commercial email from us, you may unsubscribe at any time by following the instructions contained within the email (e.g., by clicking the ‘Unsubscribe’ link in the footer of such an email). You may also opt out from receiving commercial email from us by sending your request to us by email at email@example.com.
Please be aware that if you opt out of receiving commercial email from us or otherwise modify the types of emails and alert communications you receive from us, it may take up to ten business days for us to process your request – and you may continue receiving promotional communications from us during that period – however, we will ordinarily process these types of opt-out requests more quickly.
When you use the Site, we may send one or more cookies – small text files containing a string of alphanumeric characters – and other tracking technologies to your device.
For more information on cookies and other tracking devices and ways to exercise preferences regarding them, see our Cookie Notice. Please note that if you delete, or choose not to accept, cookies from the Site, you may not be able to utilize the features of the Site to their fullest potential.
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
According to our retention policy, we only keep personal data in our records for as long as it is necessary for the purposes for which it has been processed or as required by applicable laws or regulations. After the retention period expires, the personal data is deleted or anonymized – if this is not technically possible in the circumstances (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible (e.g., at the time at which that backup is replaced in line with our established schedule). If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you. The retention periods are established considering the purposes defined in this Notice, all relevant legal and regulatory requirements, and the context in which we process your personal data. We also consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any applicable legal requirements to retain such data.
We use certain physical, managerial, and technical safeguards that are designed to improve the integrity and security of information that we collect and maintain. Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee that information about you will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
Bolt stores personal data by using physical, technical, and administrative safeguards designed to secure data against foreseeable risks, such as unauthorized use, access, disclosure, destruction, or modification.
In addition, our information security team has developed policies, standards, and procedures to support and enforce preventive and detective operational controls designed to protect the confidentiality, integrity, and availability of all data collected and managed by Bolt.
Our Policy Towards Children
Bolt does not knowingly collect information directly from or about persons under 18 years old via the Site or in any other context covered by this Notice. If you are under 18 years old, do not use or provide any information on or via the Site or otherwise.
Changes to this Privacy Notice
Please revisit this page periodically to stay aware of any changes to this Notice, which we may update from time to time. If we modify this Notice, we will make it available through the Site, and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of the change. For example, we may generate a pop-up or similar notification when you access the Site for the first time after such material changes are made. Your continued use of the Site after the revised Notice has become effective indicates that you have read and understood the current version of this Notice.
You can check the “last updated” date posted to see when the Privacy Notice was last updated.
Please contact us with any questions or comments about this Notice, information we have collected or otherwise obtained about you, our use and disclosure practices, or your consent choices by email at firstname.lastname@example.org.
Bolt Biotherapeutics, Inc.
900 Chesapeake Drive
Redwood City, CA 94063
Special Notice to European Users
The information provided in this “Special Notice to European Users” section applies only to individuals in the European Economic Area (i.e., “Europe” as defined at the top of this Notice).
European-specific information about us
Controller. Bolt is the controller of the processing of your personal data covered by this Notice for purposes of European data protection legislation, including the General Data Protection Regulation of the European Union (the “GDPR”). See the Contact Information section above for our contact details.
Personal Data. For European users, references to your “personal data” in this Notice should be understood to include a reference to your “personal data” (as defined in the GDPR) – i.e., information about you, from which you are either directly identified or can be identified. It does not include ‘anonymous data’ (i.e., information where your identity has been permanently removed).
Our Representative in Europe. Our EU representative appointed under the GDPR is Data Protection Representative Limited t/a DataRep. You can contact them:
- By email to: email@example.com (quoting “Bolt Biotherapeutics, Inc.” in the subject line).
- By postal mail to: 12 Northbrook Road, Dublin, Ireland.
Our Data Protection Officer. The GDPR requires us to appoint a “Data Protection Officer”: a person who is responsible for independently overseeing and advising us in relation to our compliance with the GDPR (including compliance with the practices described in this Notice). If you want to contact our Data Protection Officer directly, you can email: firstname.lastname@example.org.
Legal Basis of our Processing of your Personal Data
In respect of each of the purposes for which we use your personal data, the GDPR requires us to ensure that we have a “legal basis” for that use. Our legal bases for processing your personal data described in this Notice are listed below:
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each Purpose we use your personal data for is set out in the table below.
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
- Where we have your specific consent to carry out the processing for the purpose in question (“Consent”).
We have set out below our legal basis in respect of each relevant purpose for which we use your personal data, as well as the particular types of your personal data used in that processing activity.
|Purpose||Category(ies) of personal data typically involved||Legal basis|
|Dealing with inquiries and contacts|| ||Legitimate Interests. It is in our and your interests that we are able to respond to and deal with your inquiries and contacts, and otherwise manage our interactions with you.|
|Business operation|| ||Legitimate Interests. It is in our and your interests that we are able to operate our business and carry out our internal business activities.|
|Site operation|| ||Legitimate Interests. It is in our and your interests that we are able to provide and administer this Site in a functional and secure way (including associated processing of your personal data via use of strictly necessary Cookies). Consent, in respect of any optional cookies used for this purpose.|
|Marketing and promotion|| ||Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation. Consent, in circumstances or jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.|
|Analytics|| ||Legitimate Interests. We have a legitimate interest in making sure our Site and other services are the best they can be and analyzing how these elements are used and/or engaged with etc.|
|R&D|| ||Legitimate interests. We have a legitimate interest in improving and developing the Site and its features and functionalities.|
|Legal Compliance (including associated data sharing)|| ||Compliance with Law. Legitimate interest. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting and following legal process.|
|Protection and enforcement of rights (including associated data sharing)|| ||Compliance with Law. Legitimate interest. We and any relevant third parties have a legitimate interest in ensuring the protection, maintenance and enforcement of our and their rights, property, and/or safety.|
|Cooperation with law enforcement (including associated data sharing)|| ||Compliance with Law. Legitimate interest. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in assisting and cooperating with law enforcement (e.g., in respect of voluntary disclosure of information germane to law enforcement proceedings).|
|Data sharing in the context of corporate events|| ||Legitimate interest. We and any relevant third parties have a legitimate interest in providing information to relevant third parties who are involved in an actual or prospective corporate event (including to enable them to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations). However, we would take appropriate steps to minimize the amount and sensitivity of any personal data shared in this context.|
|Further uses|| ||The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the personal data was collected. Consent, if the relevant further use is not compatible with the initial purpose for which the personal data was collected.|
Data Processing outside Europe
We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Site or interact with us, your personal data will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe.
It is important to note that the U.S. is not the subject of an ‘adequacy decision’ under the GDPR – basically, this means that the U.S. legal regime is not considered by relevant European bodies to provide an adequate level of protection for personal data, which is equivalent to that provided by relevant European laws.
Where we share your personal data with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by making sure one of the following mechanisms is implemented:
- Transfers to territories with an adequacy decision. We may transfer your personal data to countries or territories whose laws have been deemed to provide an adequate level of protection for personal data by the European Commission (from time to time).
- Transfers to territories without an adequacy decision.
  - We may transfer your personal data to countries or territories whose laws have not been deemed to provide an adequate level of protection for personal data by the European Commission (e.g., the U.S., see above).
  - However, in these cases:
    - we may use specific appropriate safeguards, which are designed to give personal data effectively the same protection it has in Europe – for example, requiring the recipient of personal data to enter into the relevant form of the European Commission’s so-called ‘Standard Contractual Clauses’; or
    - in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.
You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Europe.
Data Protection Rights
European data protection legislation gives you certain rights regarding your personal data in certain circumstances. If you are located within Europe, you may ask us to take the following actions in relation to your personal data that we hold:
- Right to Request Access, Rectification, Restriction of Processing, Erasure, and Data Portability. We provide you with access to your own personal data and information about our processing of your personal data. In addition, we will rectify your personal data when it is incorrect or inaccurate, and we will give effect to requests to exercise the right to erasure, portability, and to restriction of processing as and when those rights are available in the circumstances (e.g., where they are not incompatible with other legal obligations or conflict with our legitimate interest to process).
- Right to Object. This right exists where we are relying on a Legitimate Interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Right to Withdraw Consent at Any Time. When we use your personal data based on your consent, you have the right to withdraw such consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of our Site. We will advise you if this is the case at the time you withdraw your consent.
- Right to Lodge a Complaint with your Supervisory Authority. If you are not satisfied with our response or how we process your personal data, you can make a complaint to the data protection authority of your habitual residence. A list of the European authorities is available here.
- Automated Decision Making. Bolt does not engage in automated decision making, including profiling.
Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal data). If we reject any request you may make (whether in whole or in part), we will let you know our grounds for doing so at the time.
Requests to exercise your Data Privacy Rights should be submitted as follows:
- To exercise your rights, or for any further privacy-related question or concerns you may have, you can contact us by email at email@example.com or by phone at (650) 665-9295. We will attend to your request in a timely manner within 30 days after receiving your request. If for any reason we need to extend this period of time, we will contact you.
- You also have the right to lodge a complaint with a supervisory authority.
- A list of the European authorities is available here.