Privacy Statement

Last Updated: March 22, 2021

What does this Privacy Statement apply to?

This Privacy Statement (“Statement”) explains how Aurinia Pharmaceuticals Inc. and its subsidiaries and affiliates (collectively, “Aurinia”, “we”, “us”, or “our”), collects, uses, discloses, protects, and otherwise processes Personal Information about you when you access or use our website https://www.auriniapharma.com, and any other website or application owned and operated by Aurinia that links to this Statement (collectively, the “Site").

Your Personal Information includes information or a combination of information that could directly or indirectly be used to identify you or your household (“Personal Information”). This includes identifiers like name, contact details, birthday, online identifier, or other factors about physical, physiological, genetic, mental, economic, cultural, or social identity. Please note, the definition of Personal Information can vary by region. If we collect information that is considered Personal Information in your region, then we will treat it as such in accordance with this Privacy Statement and applicable local law. We follow country and state data protection laws and we cooperate with data protection authorities.

If you have a question about how your Personal Information is being used, you can contact us by using the information in the "Contact Us" below. Please also refer to the section regarding Laws and Rights that May Apply to You.

What Personal Information do we collect and how?

You hereby acknowledge and agree that we collect Personal Information you choose to provide when engaging in certain activities on our Sites, e.g. through registrations, applications, surveys, and in connection with your inquiries. For example, you may choose to provide your name, contact information, health, and/or financial information in connection with a promotion, a patient assistance or support program. You may choose to provide information relating to your specialties and professional affiliations.

In addition, we may gather information about you automatically through your use of the Site, e.g. your IP address and how you navigate our Site. See also the section below on Use of Cookies and Other Technologies.

From time to time, we may use or augment the Personal Information we have about you with information obtained from third parties. For example, we may use such third-party information to confirm contact or financial information, to verify licensure of users, or to better understand your interests by associating demographic information with the information you have provided. Aurinia may receive your data indirectly from the following categories of sources:

• Consumers
• Services Providers and Contractors
• Third Parties like Data brokers, data analytics providers, background check providers
• Third Parties with whom you associate (e.g. social media networks of you use those to link to the Site); and
• Affiliates

You hereby undertake that your Personal Information provided by you as prescribed in this Privacy Statement is correct, up-to-date, and true, and you shall be responsible for its correctness. In no case shall we be liable for any incorrectness of the personal information you provided.

You understand and agree that if you provide us any Personal Information pertaining to a third party, you shall be responsible for obtaining their consent and you shall hold us harmless from any claim of any type from any third party for using their personal information.

Aurinia may collect and process the following categories of Personal Information:

• Identifiers: such as first and last name, email address, or unique online identifiers
• Personal Information contained in Customer records: such as physical characteristics or description, insurance policy number, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
• Protected classification characteristics: such as race, date of birth, religion, sexual orientation, gender identity, gender expression, age.
• Data Concerning Health such as Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
• Internet or other similar network activity includes but is not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
• Employment or Educational Information information that is not publicly available personally identifiable information
• Sensitive Data such as digital signature, passwords, demographic information, financial information, and government issued information.
• Data for agreements with customers or vendors This includes the assessment and acceptance of a customer or vendor. For example, we may collect credit status or information publicly available on sanctions or watch lists. Company name, Tax Forms, payment details, company contact details.
• Information collected from our Sites and social media pages: This includes information collected when you interact with us. For example, comments, photos, or other information that you post through blogs, message boards, or social networking.
• Other information we have collected from you with your explicit consent.
• Third-party service and advertising partners may also collect information automatically

Use of Cookies and Other Technologies

Some Aurinia Sites or pages use “cookies,” or small data files that the Site places on your hard drive, for identification purposes. Your web browser may be programmed not to accept “cookies” or it may allow you to be notified when you are receiving a “cookie,” thus giving you the option of accepting it or rejecting it. You are free to decline our cookies if your browser permits but doing so may interfere with your use of the Site.

We and our third-party service providers may also use technologies like cookies to track your interaction with the Site. Some of these technologies may include web beacons, pixels, tags, web server logs, geo-location technologies, and Flash objects. As with cookies, you are free to decline such technologies if your browser permits. You should refer to your browser’s instructions to remove cached history and images from your device. Deleting or disabling cookies will not remove Flash objects. You should refer to Adobe’s website (http://www.adobe.com) for more information on how to disable these objects. The Site may use Google Analytics to analyze traffic.

You can find out more information about Google Analytics cookies here: Google Analytics Cookie Usage on Websites. To opt-out of Google Analytics relating to your use of the Site, you can download and install the Browser Plugin available via this link: Google Analytics Opt-out Browser Add-on. Aurinia and the third parties who assist in operating the Site do not respond differently or limit their practices under the terms of this Statement when you access those online services with a browser that uses a do not track signal or similar mechanism.

Please note that linked, non-Aurinia websites may also use cookies. Aurinia cannot control the use of cookies by these non-Aurinia websites. We also want you to know that when you link from a Aurinia website to another website, that website may have the ability to recognize that you have come from a Aurinia website. If you do not want any other websites to know that you have been on this website, we recommend that you do not use the links provided in our website.

How we use your Personal Information?

Aurinia may use the information that it gathers for the following purposes:

• to contact you or your company to provide information, products, or services;
• to provide support for, promote, and improve the Site and Aurinia offerings;
• to customize the Site to provide content most relevant to you;
• to compare information for accuracy and verify our records; and
• to detect, investigate, and prevent activities that may violate our policies or rules or that may be otherwise illegal.

Aurinia may also use the information to communicate with you, in instances such as when we make changes to our policies; to respond to your inquiries; to contact you about your account; or to send you or your company information about promotions, offerings, and other marketing materials.

How will we share and disclose your Personal Information?

We may share your Personal Information with our employees, agents, affiliates, representatives, service providers, contractors, Government entities, Internet service providers, data analytics providers, operating systems and platforms, acting on our behalf, all of whom are under a duty of confidentiality to use your Personal Information only as necessary for the purpose it was collected for. This may include sharing Personal Information with service providers who are authorized to use your Personal Information only as necessary to support our business operations, such as those who provide data storage, technology support and services, customer service, risk solution provision, analytics, fraud prevention, legal services, and marketing services. We may also share some of your Personal Information as otherwise permitted or required by law or as authorized by you. Although Aurinia makes every effort to preserve your privacy, Aurinia may need to disclose or provide access to Personal Information if Aurinia has a good faith belief that such action is necessary to comply with the law, such as in connection with a judicial proceeding, court order or other legal process.

No Sale of Personal Information

Aurinia will not sell Personal Information and does not share PersonalInformation withunaffiliated third parties for their use for marketing purposes. However, in the event Aurinia goes through a business transition, such as a merger or an acquisition of its equity interests or assets, or a business reorganization, your Personal Information contained or stored by Aurinia may be part of the assets transferred.

Additional Helpful Information

How is my data secured?

We use commercially sound efforts to maintain administrative, technical, and physical safeguards that are designed to protect the privacy and security of Personal Information. 

Please note that we cannot guarantee the security of our databases or Site, nor can we guarantee that information will not be intercepted while being transmitted over the Internet.

We recommend that you also take additional measures to protect your Personal Information. For example, install up-to-date anti-virus software, close browsers after use, keep confidential your login credentials and passwords, and regularly update software and apps to ensure you have the latest security features.

Where is your information stored and processed?

Personal Information we collect or receive may be stored and processed in Canada, the United States, or any other country where we or our service providers have facilities. The servers and databases storing Personal Information may be located outside the country from which you accessed this website and in a country that does not have the same privacy laws as your country of residence.

International Transfer of Personal Information?

We retain and store your Personal Information only for as long as we have a legitimate business purpose and in accordance with our data retention policies. The retention period may also be based on 1) the length of time we have a relationship with you, or 2) the need to fulfill legal obligations to which we are subject (retention periods will vary depending on the specific legal requirements or jurisdiction).

When retention is no longer necessary or required, we will delete, anonymize, de-identify, or aggregate the Personal Information that is no longer associated with you.

What about Personal Information that is publicly available?

We may offer chat rooms, message or bulletin boards, or interactive areas where visitors may post comments or information. If there is a chat room, bulletin or message board, social networking opportunities or other interactive areas, be sure to check posted rules. You will be bound by posted rules, as well as our Site Terms of Use. Rules for participation may establish age and other restrictions, such as posting abusive, offensive, or inflammatory content. Anything you post online is public information. We are not responsible for anything you voluntarily post online. Users should use caution when disclosing Personal Information online.

Other Sites and Services

We may provide links to other websites and online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications, or online services, and we are not responsible for the privacy practices of these third parties. Other websites and services follow different rules regarding the collection, use and sharing of your Personal Information. We encourage you to read the privacy policies and terms of use of the other websites, mobile applications, and online services you use.

For this Site, you are only obligated to provide us with your Personal Information if you would like us to fulfill a service, such as participating in a survey, contacting customer service, providing feedback, or signing up for email updates or other promotional materials.If you do not provide us Personal Information that is needed for these services, we may not be able to provide such services to you.

How We Respond to Do-Not-Track Disclosures

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

How we Communicate with You

Aurinia may use your contact information to promote Aurinia’s products or services or replying to your inquiries. This may include you receiving promotional e-mails if you signed up for such.

Even if you choose not to receive promotional emails, you may still receive emails that facilitate, complete, or confirm a commercial transaction that you have already agreed to enter with us. These include communications about completion of your registration, correction of user data, transaction confirmations, shipping notices, and other communications essential to your transactions with us.

We may also offer text/SMS messaging to you. We require you to opt-in to receive text messages from us. At any time, you may opt-out of receiving particular text messages from us (other than text appointment reminders) by texting STOP in response to any text message.

Message, data rates and other charges may apply. You are liable for any mobile phone charges incurred (usage, subscription, etc.) as a result of using any of our products or services. Please consult your mobile service carrier’s pricing plan to determine the charges for sending and receiving text messages.

Children

The Sites are not intended for children under the age of 18 and none of our Sites are designed to attract such children. We do not knowingly collect personal information from children under the age of 18 (or applicable age in your country). If you are a parent or guardian and you learn that your Child has provided us with Personal Information, please contact us at privacy@auriniapharma.com. If we discover that a child has provided us with Personal Information, we will take reasonable steps to delete such information from our servers.

Laws and Rights that May Apply to You

Depending on your residence, the rights available to you may differ in some respects. Aurinia will respond to any rights request in accordance with local legal regulations. If you wish to make a request related to any of these rights, please contract us via:

Toll Free Phone: +1 (888) 500 2905
E-mail: privacy@auriniapharma.com

In some cases, state laws such as the California Consumer Privacy Act of 2018 require us to verify the identity of the individual submitting a request for their Personal Information before providing a substantive response to the request. Consistent with those requirements, and because we take the privacy and security of your Personal Information seriously, we will verify your identity by asking you to provide certain information about yourself. Once your identity is verified, we will work to provide you with your requested information in a timely manner.

If you choose to empower an “authorized agent” to submit requests on your behalf, we will require the authorized agent to have a written authorization confirming that authority.

Please be aware that the following right may not apply to you as it depends on your residence.

For specific data protection rights regarding users from California, Nevada, Europe, Switzerland, and the United Kingdom please see specific sections below.

Right of Access

You may have the right to get confirmation about whether or not your Personal Information is being processed. If so, you have the right to access the Personal Information and other information, such as the purposes, the categories of Personal Information, the recipients (or categories of recipients) to whom the Personal Information have been or will be disclosed, for particular recipients in third countries or international organisations, where possible, the predicted period that the Personal Information will be stored, or, if not possible, the criteria used to determine that period, your rights, etc.

Where feasible and permitted by law, we will provide a copy of the Personal Information we are processing. For any further copies, we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.

Right to rectification

You may have the right to request that Aurinia correct any information you believe is inaccurate and to complete information you believe is incomplete.

Right to erasure (‘right to be forgotten’)

You may have the right to the erasure of your Personal Information in certain circumstances.

Right to restriction of processing

You may have the right to restrict the processing for the below reasons.

• You contest the accuracy of your Personal Information, for a period enabling us to verify the accuracy of the Personal Information
  
• The processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of their use
  
• We no longer need the Personal Information for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims
  
• You exercised your right to object to processing pending the verification whether our legitimate grounds override yours
  

Right to data portability

You may have the right to receive the Personal Information that you have given us, in a structured, commonly used and machine-readable format. You have the right to send that Personal Information to another controller if the processing is based on consent pursuant or on a contract and is carried out by automated means.

Right to Object

You may have the right to object, on grounds relating to your particular situation, to processing of your Personal Information which is based on our legitimate purposes. We will stop processing the Personal Information unless we have compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. If Personal Information is processed for direct marketing purposes, including profiling, you may object at any time.

Automated individual decision-making, including profiling

You may have the right not to be subject to a decision based solely on automated processing, including profiling, except under certain exceptions under local law.

Right to Withdraw Consent

Where the processing of Personal Information is based on your consent, you may have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.

Right to anonymity

You may also have a right to request anonymity. This means that your Personal Information would not be collected or processed. If you choose to exercise this right, we may not be able to provide you with your requested goods or services.

Right to lodge a complaint with a supervisory authority

You may have the right to lodge a complaint with a supervisory authority.

Job Applicants

When you visit the “Careers” portion of our website, we collect the information that you provide to us in connection with your job application. We use this information to facilitate our recruitment activities and process employment applications.

Contact Us

Toll Free 1 (888) 500 2905
E-mail: privacy@auriniapharma.com

Changes to this Privacy Statement

Aurinia reserves the right, at our discretion, to change, modify, add, or remove portions of this Privacy Statement at any time by posting the amended Privacy Statement on the Site. You should review this Statement periodically, and especially before you provide any Personal Information. Your continued use of the Site after we post any modifications to the Privacy Statement will constitute your acknowledgment of the modifications and your consent to our privacy practices as described in the modifications. If we decide to use particular information collected about you in a manner materially different from that stated at the time it was collected, we will let you know through the Site, by email, or other communication.

Nevada Privacy Rights

Updated: March 22, 2021

Although we do not currently conduct sales of Personal Information, Nevada residents may submit a request directing us to not sell Personal Information we maintain about them if our practices change in the future.

To exercise this right, please contact us by e-mail at privacy@auriniapharma.com

California Privacy Rights

Updated: March 22, 2021

This section contains additional disclosures not covered in the above which are required by the California Consumer Privacy Act (“CCPA”) and applies only to “Personal Information” that is subject to the CCPA.

Categories of Personal Information We Collect

We collect the categories of Personal Information about California consumers identified in the above section called: What Personal Information do we collect and how?. In the past 12 months, we have disclosed California consumers’ Personal Information to third parties for business or commercial purposes.

Please note that we do not “sell” Personal Information for monetary or other valuable consideration.

Why We Collect, Use, and Share California Information

We use and disclose the Personal Information we collect for our commercial and business purposes, as further described in this Privacy Statement. These commercial and business purposes include, without limitation:

• Our commercial purposes, including enabling commercial transactions, providing the services to you, marketing, and advertising.
• Our business purposes as identified in the CCPA, include:
  • Auditing related to our interactions with you
  • Legal compliance
  • Detecting and protecting against security incidents, fraud, and illegal activity
  • Debugging;
  • Performing services (for us or our service provider) such as account servicing, processing orders and payments, and analytics;
  • Marketing
  • Internal research for technological improvement;
  • Internal Operations
  • Activities to maintain and improve our services; and
  • Other one-time uses.
    

Your Rights Regarding Personal Information

California residents have certain rights with respect to the Personal Information collected by businesses. If you are a California resident, you may exercise the following rights regarding your Personal Information, subject to certain exceptions and limitations:

• The right to know the categories and specific pieces of Personal Information we collect, use, disclose, and sell about you, the categories of sources from which we collected your Personal Information, our purposes for collecting or selling your Personal Information, the categories of your Personal Information that we have either sold or disclosed for a business purpose, and the categories of third parties with which we have shared Personal Information;
• The right to request that we delete the Personal Information we have collected from you or maintain about you.
• The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.
  

To exercise any of the above rights, please contact us using the following information and submit the required verifying information, as further described below:

• By email at privacy@auriniapharma.com
• By toll free 1 (888) 500 2905

Note that there are restrictions on the number of times you can exercise some of these rights.

If we are unable to comply with all or a portion of your data privacy request, we will explain the reasons for declining to comply with the request.

European Economic Union, United Kingdom, Switzerland Privacy Rights

Updated: March 22, 2021

This section contains additional disclosures required by the European Union General Data Protection Regulation (“GDPR”) and applies only to “Personal Information” that is subject to the GDPR.

About Us and How to Contact Us

Aurinia is a global pharmaceutical company with operations in the United States, the EEA, and globally. Aurinia makes decisions on how your information is used and disclosed and shall be responsible as a ‘controller’ for ensuring that the GDPR is followed and your Personal Information are kept secured and used lawfully.Where required by law, Aurinia has appointed representatives to fulfill its obligations under the GDPR. For information on our representatives, or to exercise your rights or make requests concerning the processing of your Personal Information, please contact us at:

Aurinia Pharmaceuticals Inc.
#1203-4464 Markham Street
Victoria, BC V8Z 7X8, Canada
Attention: Legal and Compliance: Privacy

Aurinia’s Data Protection Officer (“DPO"):

Our DPO may be contacted at: privacy@auriniapharma.com or at the mailing address above.

Legal Basis for Lawfully Using Your Personal Information

Aurinia lawfully processes your Personal Information and relies on one or more of the following bases:

• Your Consent
• To negotiate, execute, or perform a contract with you
• To comply with a legal obligation that applies to Aurinia
• To carry out tasks for the public interest, which may include clinical research
• For our legitimate business interests only where it does not override the rights or freedoms of individuals who’s Personal Information we are using

Aurinia will not sell Personal Information and does not share Personal Information with unaffiliated third parties for their use for marketing purposes.

Our Legitimate Interests

Aurinia may lawfully process your Personal Information by relying on performing our legitimate interests. This includes our business operations, such as data storage, technology support and services, customer service, risk solution provision, analytics, fraud prevention, legal services, and marketing services. We will only use your Personal Information under this basis as long as your rights or freedoms are not overridden by our legitimate interest.

Cross Border Transfers of Your Personal Data:

When transferring your Personal Information to recipients in other jurisdictions, we ensure that safeguards are put in place to protect your Personal Information as required by applicable laws. These safeguards may include entering into agreements with recipients containing Standard Data Protection Clauses that have been approved by the European Commission.

To obtain a copy of safeguards taken, please contact us at privacy@auriniapharma.com.

Rights Over Your Personal Information

Under the law, you have certain rights regarding your Personal Information. You have the Right of Access, Right to rectification, Right to withdraw consent (withdrawal of consent will not affect the lawfulness of processing before your withdrawal), Right to object, Right to erasure (‘right to be forgotten’), Right to restriction of processing, the right to not be subject to Automated individual decision-making, including profiling, or Right to data portability (where appropriate). Please see the description of the individual rights under Laws and Rights that May Apply to You.

Please make your request at privacy@auriniapharma.com.We may need to verify your identity before fulfilling your request.

Filing a Complaint with a Supervisory Authority

You also have the right to complain about how we handle your Personal Information to a supervisory authority that is responsible for enforcing data protection law.A list of European Union supervisory authorities is available here:http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm