General Privacy Notice for individuals in the EU and UK
Last updated: March 10, 2025
Non-EU and non-UK residents should refer to the Privacy Notice for non-EU and non-UK individuals.
Introduction and overview
4DMT is a clinical-stage biopharma company inventing and developing innovative products to unlock the full potential of genetic medicine to treat large market diseases. We use our transformative vector discovery platform, termed Therapeutic Vector Evolution, to create customized and proprietary gene delivery vehicles (i.e., vectors) to deliver therapeutic payloads to specific tissue types associated with the underlying disease via the optimal route of administration. Our product design, development and manufacturing engine empowers us to efficiently create our valuable and diverse product pipeline. This combination of bold innovation and relentless execution gives 4DMT the capability to revolutionize genetic medicines and to strive for potential curative therapies.
You can find out more about 4DMT and Our services on our websites:
Throughout this Privacy Notice, we will refer to 4D Molecular Therapeutics, Inc., “4DMT”, “We”, “Our” or “Us”.
This Privacy Notice applies to all information which is obtained and processed by 4DMT and for which 4DMT is the Data Controller.
When are We acting as a Data Controller?
This Privacy Notice provides you with information on how We manage your personal data in your interactions with Us, regardless of your location.
Depending on your relationship with Us, We will hold and manage your information differently. 4DMT could be in possession of your information as a:
- User or visitor to our websites (linked above) or,
- Investor, or
- Vendor, or
- Service provider, or
- Delegate at an event, or
- Any other member of the public providing Us with unsolicited personal data, or
- If you contact Us by any other means.
This Privacy Notice details how We manage your information in all the above situations as a Data Controller unless otherwise stated. Unless otherwise stated, this Privacy Notice applies when We are acting as a Data Controller for your information.
In some cases, where We are collecting information for new or novel purposes, We will provide specific privacy information at the point that We collect your information. If We have provided the following to you, you should read Our:
- Healthcare Professional Privacy Notice
- Participant Informed Consent Form
If you are a website visitor, this Privacy Notice should be read together with our Cookie Notice.
Where there is a conflict between local law and the provisions of this Privacy Notice, local law will prevail.
Children
While Our website is designed for a general audience, We will not knowingly collect personal data of children. If you believe We might have any personal data from or about a child, please email Us at privacy@4dmt.com.
How does 4DMT collect my personal data?
Where We are acting as a Data Controller, We may have obtained your personal data directly or indirectly through a number of channels.
We may have collected your information directly from you when you have:
- Visited Our website
- Completed a contact form
- Contacted Us by phone
- Signed up to receive marketing material
- Responded to one of Our surveys
- Met with or engaged with Us at an event, exhibition or conference
- Visited Our office
- Interacted with Us on social media platforms (such as LinkedIn)
- Supported our clinical trials
In some circumstances, We may collect your information indirectly, such as:
- From publicly available sources when it is in Our legitimate interest to do so.
What personal data does 4DMT collect about me?
We collect the below categories of information when We are acting as a Data Controller:
| Personal data category | Personal data |
|---|---|
| Contact information | Any information you provide to Us that allows Us to contact you, e.g., your first and last name, your email address, mailing address, or telephone number. |
| Account information | Bank or other account details to facilitate payments. |
| Surveys and opinions | Information you provide when you participate in Our surveys or provide feedback. |
| Complaint information | Nature of your complaint. |
| Cookies | Please refer to Our Cookie Notice. |
| Website security | Cookies necessary for security purposes. Please refer to Our Cookie Notice.
Google reCAPTCHA: ReCAPTCHA collects personal information from users to make this determination of whether they are human and not a bot to prevent spam. The reCAPTCHA algorithm checks to see if there is a Google cookie placed on the computer being used. An additional reCAPTCHA-specific cookie will then be added to the user’s browser allowing a complete snapshot of the user’s browser window at that moment in time. Information gathered includes: All cookies placed by Google over the last 6 months; how many mouse clicks you have made on that screen (or touches if on a touch device); the Cascading Style Sheets (CSS) information for that page; the date; the language your browser is set to; any plug-ins you have installed on the browser; all JavaScript objects; and the data you supply via Our forms. More information can be found at Google reCAPTCHA and Google’s Privacy Policy. |
| Other information | Any other personal data that you choose to share with Us. |
We do not intentionally or knowingly collect or process special category data or criminal convictions and offences data where We are acting as a Data Controller under this Privacy Notice.
What is the purpose and lawful basis for processing my personal data?
The applicable lawful basis for Our processing will differ depending on the legislation that is applicable:
- Where you are from the UK, UK data protection legislation applies
- Where you are from the EU, EU data protection legislation applies
Please see below for information on the personal data processed, purpose, and the applicable lawful basis:
| What is the purpose of the processing? | What personal data Category is processed? | What is the lawful basis for processing personal data under the EU and UK General Data Protection Regulation (GDPR)? |
|---|---|---|
| To contact you, following your enquiry or to reply to any questions. | Contact information | Legitimate Interest (EU/UK) |
| Customer service enquiries, reply to suggestions, issues, or complaints you have contacted Us about. | Contact information; Complaint information; Other information | Legitimate Interest (EU/UK) |
| To manage data subject right requests. | Contact information; Other information | Legal Obligation (EU/UK) |
| To manage our investors, including anti-money laundering, anti-bribery and “know your client” processes, administration of investment, provision of investor services legal and regulatory compliance, and relationship management. | Contact information; Account information; Other information | Legitimate Interest, Contract, Legal Obligation (EU/UK) |
| To manage our vendors and service providers in general. | Contact information; Account information | Legitimate Interest (EU/UK) |
| Taking payment from you or giving you a refund and associated financial accounting. | Contact information; Account information | Legitimate Interest (EU/UK) |
| To ensure that Our IT network is safe and secure. | Contact information; Account information; Surveys and opinions; Complaint information; Other information | Legitimate Interest; Legal Obligation (EU/UK) |
| Contacting you about relevant news stories. | Contact information | Consent (EU); Legitimate Interest (UK) |
| Marketing and analytics from Our website using cookies. | Cookies; Website security | Consent (EU/UK) |
We may, in further dealings with you, extend this personal data to include your purchases, services used, subscriptions, records of conversations and agreements, and payment transactions.
The legal basis for processing your personal data is based on compliance with a Legitimate Interest, Legal Obligation, Contract, or your Consent that We will have requested/stated at the point the information was initially provided, therefore, We will not store, process, or transfer your data unless We have an appropriate lawful reason to do so.
We will only use your personal data for the purposes for which We collected it, unless We reasonably consider that We need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, We will notify you and We will explain the legal basis which allows Us to do so.
Please note that We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How We keep you updated on Our products and services
We will send you relevant news about Our services in a number of ways, including by email, but only if We have a Legitimate Interest or your Consent to do so. Where We rely on Legitimate Interest, We have completed a Legitimate Interest Assessment for the processing activity, or, for data of UK residents acting in a business environment, We rely on the Corporate Subscriber exemption.
When We send you marketing by email, each email communication will have an option to object to the processing. If you wish to amend your marketing preferences, you can do so by following the link in the email you receive from Us and updating your preferences, or by contacting Us at privacy@4dmt.com.
How long does 4DMT keep my personal data?
The period for which We will retain personal data will vary depending on the purposes that it was collected for, as well as the requirements of any applicable law or regulation. We retain data in line with our Data Retention Policy and Schedule.
We may also retain your personal data for longer periods where We need to exercise, establish, or defend against legal claims. When personal data is no longer required, We delete or anonymise data in line with Data Protection Legislation and appropriate industry guidance.
What are my data rights and can I object to you processing my personal data?
It is important that the personal data We hold about you is accurate and current. Please keep Us informed if your personal data changes during your engagement with Us.
Where We are acting as a Data Controller, and under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a Data Subject Access Request). This enables you to receive a copy of the personal data We hold about you.
- Request correction of the personal data that We hold about you. This enables you to have any incomplete or inaccurate information We hold about you corrected.
- Request erasure of your personal data. This enables you to ask Us to delete or remove personal data where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete or remove your personal data where you have exercised your right to object to processing.
- Object to processing of your personal data where We are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where We are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask Us to suspend the processing of personal data about you.
- Request the transfer of your personal data to another party.
- Right to withdraw Consent. In the limited circumstances where We are processing your data on the basis of Consent you have provided Us, and We have no other legal justification or obligation to continue the processing, you have the right to withdraw your Consent for that specific processing at any time.
For your protection and to protect the privacy of others, We may need to verify your identity before completing your request.
If you object to Us using your personal data or withdraw Consent for Us to use your personal data (when We are processing your personal data based on your Consent) after initially giving it to Us, We will respect your choice in line with applicable law.
If you would like to exercise any of these rights or would like to confirm the accuracy of your information, please contact privacy@4dmt.com.
Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Data security
We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to the 4DMT Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the 4DMT Website.
Will 4DMT share my Personal Data with other organisations?
We may disclose the personal data We hold about you to:
- Business partners to ensure that you receive the best service.
- With companies affiliated with Us when this is necessary to deliver Our services.
- Your employer or the corporate entity that you represent, solely for the purposes of providing the Services to you and/or your employer where We have a contract with your employer or the company you represent.
- Third party companies in the event that We are involved in a corporate transaction, such as an actual or potential merger, joint venture, consolidation, or asset sale. We may, from time to time, expand or reduce Our business and this may involve the sale and/or the transfer of control of all or part of Our business. Any personal data that you have provided will, where it is relevant to any part of Our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by Us.
- Our professional advisors, such as lawyers, accountants, auditors, financial services providers, and other professionals.
- Our service providers as Data Processors on Our behalf, including IT hosting companies. We may engage other companies and individuals to perform functions on Our behalf. We use Data Processors who are third parties who provide elements of services for Us. We have Data Processor Agreements in place with Our Data Processors. This means that they cannot do anything with your personal data unless We have instructed them to do it. They will not share your personal data with any organisation apart from Us or further Sub-Processors who must comply with Our Data Processor Agreement. They will hold your personal data securely and retain it for the period We instruct. Further, they must process the personal data in accordance with this Privacy Notice and as permitted by applicable data protection laws. Examples include data storage and hosting, sending newsletters, analysing data, providing marketing assistance, and providing customer services.
- Law enforcement agencies, courts, and other relevant tribunals.
Will my data be processed outside my home country?
Your data will be processed in the U.S as We are a U.S. based company. Our third-party Data Processors may be based outside your home country, in countries such as the US.
Where We transfer personal data to Data Processors or other third parties outside of the European Economic Area or UK, We will ensure that those transfers take place in accordance with the applicable data protection laws designed to ensure the privacy of your personal data, including by entering into data transfer agreements with recipients. If you would like more information about how your personal data may be transferred, please contact Us at privacy@4dmt.com.
How can I make a complaint?
You have the right to make a complaint if you are unhappy about how your personal data is processed. However, We would appreciate the chance to deal with your complaint before you approach the Supervisory Authority, so please contact Us in the first instance at privacy@4dmt.com. Your satisfaction is extremely important to Us and We will always do Our very best to solve any problems you may have. If you remain dissatisfied, you may wish to contact the Supervisory Authority.
You have the right to complain about the use of your personal data to the local Supervisory Authority.
If you are located within the EEA, you can find the contact details for your local Supervisory Authority on the link below
In the UK, the Supervisory Authority is the Information Commissioner’s Office, they can be contacted by:
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Email: icocasework@ico.org.uk
- Online
Updates and changes to this Privacy Notice
We may change this Privacy Notice from time to time, for example, if the law changes. Any changes become effective when We publish an update to this Privacy Notice. Any changes will be effective immediately upon posting of the revised Privacy Policy and updating the “last modified” date above. If there are significant changes, providing that we have your email address, We may contact you to notify you of the update.
Contact Us
If you would like to exercise one of your rights as set out in this Privacy Notice, or you have a question, query, or complaint about this Privacy Notice or the way your personal data is processed, please contact Our Data Protection Officer by email on privacy@4dmt.com.
We have appointed DPO Centre Europe as Our EU Representative and DPO Centre Limited as Our UK Representative for data protection matters. The contact details for Our EU and UK Representative can be found below.
For EU residents:
- Email: EURep@4dmt.com
- Phone: +39 02 3031 5236
For UK residents:
- Email: UKRep@4dmt.com
- Phone: +44 (0) 203 797 6340
For residents in all other countries, please contact Us by email on privacy@4dmt.com.