Ocular’s Compliance Program
Introduction
Ocular Therapeutix, Inc. (Company) is committed to establishing and maintaining an effective compliance program in accordance with the “Compliance Program Guidance for Pharmaceutical Manufacturers,” published by the Office of Inspector General, U.S. Department of Health and Human Services. Our Compliance Program is guided by the Company’s core values and commitment to the highest standards of corporate responsibility. The Company’s Code of Business Conduct and other Company policies set forth the legal and ethical standards of conduct for employees, officers and directors of the Company. If we become aware of an alleged violation of law, regulation, or Company policy, we will investigate the matter and, where appropriate, take disciplinary action and implement corrective measures to prevent future violations. The Company continually assesses the effectiveness of its Compliance Program and implements changes as needed.
Leadership
The Company has a Chief Compliance Officer who is responsible for developing, operating, and monitoring the compliance program. The Chief Compliance Officer reports to the Chief Legal Officer and has the authority to report any compliance matters directly to the Board of Directors. The Company’s Chief Compliance Officer exercises independent judgment and can effectuate change within the organization as needed.
The Company also has a Compliance Committee, which is comprised of senior executives from different departments across the organization. The Committee assists in the implementation of the Compliance Program and advises the Chief Compliance Officer on compliance-related activities and issues.
Policies and Procedures
The Company has developed and distributes written policies and procedures that guide the conduct of our employees in complying with applicable laws, regulations and industry guidance. Specific to California, we have established an annual spending limit of $2,500.00 for educational items and promotional activities for each individual healthcare professional who prescribes or may influence prescribing in California.
Training
The Company employs a robust and ongoing training program that is designed to educate employees on their legal and ethical obligations. The Company regularly reviews and updates its training programs as needed.
Communication
The Company encourages a culture where every employee has the responsibility to ask questions, seek guidance, report suspected violations and express concerns regarding compliance openly or anonymously without fear of retaliation. The Company has an open-door policy to report any suspected violations, and a strong non-retaliation policy against any employee who reports such conduct. Employees or persons outside the Company may report any concerns or suspected violations of law, regulation or Company policy to the Chief Compliance Officer at [email protected] or on a confidential or anonymous basis, by contacting https://www.mycompliancereport.com/report?cid=OCUTX or (888) 423-8006.
Auditing and Monitoring
The Company’s Compliance Program includes ongoing efforts to monitor, audit and evaluate compliance with Company policies and procedures. The results of these activities are reported to senior management.
Potential Violations
The Company has an established process to investigate allegations of potential violations of law and/or Company policy. Each situation will be assessed and investigated on a case-by-case basis to ensure consistent and appropriate disciplinary action is taken in response to violations. Any violation can subject an employee to disciplinary action, including but not limited to termination.
Corrective Action
Upon the conclusion of an investigation, corrective actions and preventative measures will be implemented as appropriate to address inappropriate conduct and deter future violations.
Annual Declaration of Compliance for California, as of November 1, 2024
The Company declares that to the best of its knowledge and based on our good faith understanding of the statutory requirements, we have established a Comprehensive Compliance Program (CCP) compliant with the requirements of California Health and Safety Code §§ 119400-119402. Our CCP is designed to prevent, detect and address potential or actual instances of non-compliance. To request a copy of this Declaration and/or a copy of the Company’s Code of Conduct please email [email protected] or call (888) 423-8006.
Global Privacy Notice
Ocular Therapeutix Inc. and its affiliated entities (collectively, “Ocular,” “we,” “our,” or “us”) are committed to protecting the privacy of your Personal Data (as defined below). This Global Privacy Notice (“Notice”) describes Ocular’s privacy practices currently and during the past year, and the types of Personal Data we collect, use, share, and manage. This Notice also describes your choices with respect to our handling of your Personal Data.
PLEASE READ THIS PRIVACY NOTICE CAREFULLY BEFORE USING OUR SERVICES OR SHARING ANY PERSONAL DATA WITH US. IF YOU DO NOT AGREE WITH THE PRACTICES DESCRIBED IN THIS NOTICE, PLEASE DO NOT GIVE US YOUR PERSONAL DATA OR USE OUR SERVICES.
A. INTRODUCTION
This Notice applies to our collection and use of Personal Data we collect from you or about you when you access and use our websites and other online digital platforms (e.g., mobile apps), interact with us in other ways such as at special events, research programs, customer service, partner events we sponsor, under contractual arrangements with us, and as further described in this Notice (the “Services”). This Notice applies to Ocular and its affiliated entities that are linked to this Notice. However, some affiliates may have separate notices, depending on the nature of the services and practices, while others may have supplemental disclosures to this Notice. You should read these additional disclosures carefully as such disclosure may address additional practices not reflected in this Notice. However, this Notice always applies to our affiliates when they link to or provide you with this Notice.
When used in this Notice, “Personal Data” refers to any information that directly or indirectly — for example, through combining pieces of data so that you can be identified — identifies you specifically. Personal Data does not include information that is publicly available, de-identified, aggregated, or is otherwise not deemed to be personally identifying under applicable law in your jurisdiction. By using or receiving any of our Services that are linked to this Notice, you acknowledge our collection, use, and disclosure of your Personal Data as described in this Notice, including any additional notice referenced herein applicable to your location. We will not process your Personal Data without your consent where required under applicable law.
If you have any question concerning this Notice or our privacy practices, you can contact us using the information included in Section M, “How to Contact Ocular.”
B. PERSONAL DATA WE COLLECT
During the past year we have collected and maintained, and will continue to collect and maintain, several categories of Personal Data from and about you depending on the Services you access or receive from us, or the contractual arrangements with Ocular. This may include some or all categories of your Personal Data as follows:
Identity Data
First name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, and signature (wet and electronic)
Contact Data
Postal address, email address, unique network handlers, and phone numbers
Financial Data
Financial account numbers, payment details, insurance information, and other transactional data regarding Services you have received from us
Technical Activity and Usage Data
Internet protocol (IP) address, login data, browser type and version, time zone setting and general location, browser plug-in types and versions, operating system and platform types and versions, and other meta data related to devices you used to access or use our Services, interactions with digital marketing and advertising, interactions with social media pages, and information about how you use our Services (e.g., browsing history, search history, and interactions with our communications), in all cases to the extent linked to you or combined with other information that identifies you
Profile Data
Information regarding your communication preferences, feedback, and survey responses
Marketing and Communications Data
Electronic communications preference and profiling data, such as your personal choices in receiving materials regarding our or our partners’ products and services, language and communication preferences
Audio, Electronic, Visual, or Similar Information
Voice call or video recordings, pictures taken at our events, facilities, email or text exchanges, direct messages with us, and chat logs of your communications with us
Special Categories of Personal Data
Information concerning your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic and biometric data, precise geolocation, passport information, and other similar information that is defined as sensitive or a special category pursuant to applicable law
Voluntary Data
Any other personally identifying information you voluntarily provide to us when interacting with us and our Services
C. HOW WE COLLECT YOUR PERSONAL DATA
Our collection of your Personal Data depends on the nature of the Services, how you interact with our Services, and our relationships with third parties.
Personal Data You Provide
We ask and collect Personal Data directly from you, your representatives or agents, or through our Services, when, for example, you:
- Contact us by email, phone or mail, either using addresses or numbers posted on our websites or when you contact our employees directly;
- Sign up on our websites to receive clinical, promotional, disease awareness, or other information about products or services we offer or plan to offer in the future;
- Sign up for investor relations information, including our financial performance information;
- Process reports of Suspected Adverse Reactions or Product Quality Complaints;
- Request donations from us;
- Process complaints or allegations of non-compliance with company policy or law;
- Evaluate partnership opportunities with you or your organization;
- Subscribe to receive email notifications or other publications;
- When you call us or visit us (automatically), such as when we record calls to our call centers or use CCTV cameras in our facilities;
- Enter a promotion or survey;
- Give us some feedback;
- Provide unsolicited information to us;
- Provide information to us as our business partner;
- Apply for employment, consulting, outsourcing, or vendor opportunities with us or when you become an employee, consultant, service provider, or vendor;
- Provide, manage, and monitor access of our facilities, equipment, systems, and Services;
- Express interest in participating in our clinical trials or other studies and research programs; and/or
- Take steps towards consummating, managing, and performing a contractual relationship with Ocular, including compensation, payment, and compliance.
Depending on the Services and interactions with us, we may not be able to provide you with access to or use of the Service if you do not provide us with your Personal Data where required. Also, with respect to the Personal Data of another person, you are responsible for ensuring that you have the permission or legal right to provide us with such Personal Data.
Collected From Other Sources
Where permitted by applicable law, we may obtain your Personal Data from various other third-party sources, including the following categories:
- Our affiliated entities;
- Healthcare providers (including specialty pharmacies);
- Health insurance companies (health plans) and other payors;
- Your authorized/legal representatives, employer, family members, and caregivers;
- Payment processors and other financial institutions;
- Recruitment agencies, research facilitators, and clinical research organizations;
- Publicly available sources such as government records;
- Consumer reporting agencies and other third parties who verify the information you provide;
- Advertising partners and other third parties and vendors who provide digital marketing services;
- Third parties who provide website and online security services;
- Third parties who provide benefit verification, program enrollment, and product fulfillment services in connection with our products and Services;
- Third parties who help us maintain the accuracy of our data and data aggregators that help us complete and enhance our records;
- Third parties who provide digital marketing and analytics services for us using Usage Technologies that contain a unique identifier, such as an advertising ID;
- Third parties that provide access to information you make publicly available, such as social media platforms;
- Third parties who provide us with supplemental consumer data or data analytics and market research services, such as data aggregators;
- Third parties who assist us with fraud prevention, detection, and mitigation;
- Third parties who facilitate, process, and complete business processes for us, such as resellers, deliverers, sales agents, payment facilitators, program partners, and IT and business process outsourcing providers;
- Third-party contract research organizations managing clinical research on our behalf; and
- Academic institutions and data analytics providers.
Collected Through Automated Means
We also may obtain your information through automated means that identifies you or that is combined or linked with other Personal Data we collect from or about you. Such Personal Data includes the following:
- Technical Activity and Usage Data from analytics providers such as Google, advertising networks, search information providers, social media networks, and other digital marketing and advertising partners and providers;
For more information on the collection and use of Technical Activity and Usage Data through the use of Usage Technologies, see the section below “Cookies and Other Tracking Mechanisms” and our Cookie Notice.
Cookies and Other Online Tracking Mechanisms
Our online Services collect certain information automatically from the device or browser that is used to access and use such Services. This information is analyzed when interacting with these Services, our marketing or advertising, social media pages, and email communications. Some of this information is also automatically collected by others on our behalf. The collection is generally done through the use of technical activity and usage technologies, known as cookies, web beacons, tags, pixels, and other similar technologies (collectively, “Usage Technologies”) to recognize you, the device, or browser used to visit our digital Services, such as websites or mobile apps. Usage Technologies can consist of small bits of data cached or stored on your device while you use these Services, visit other third-party sites or tools, or navigate to our Services from such third-party sites or tools. Our emails to you also contain these Usage Technologies to help understand when you open an email, interact with images or links within it, or otherwise reply to the communication. We collect and use this information to help our Services function effectively, improve the Services, and assist us with our marketing. For more information on our use of Usage Technologies and the information we collect, see our Cookie Notice.
Combination of Information
Subject to and in accordance with applicable law, we combine the information we receive from and about you, including information you provide to us and information we automatically collect through our Services, as well as information collected from other online sources or from third-party sources, to help us tailor our communications to you and to improve our Services.
D. WHY WE PROCESS AND DISCLOSE YOUR PERSONAL DATA
Our Processing of Personal Data
During the past year we have used and disclosed, and will continue to collect and maintain, your Personal Data to:
- Comply with or fulfill a request that you have made, including where coordination with third parties is required, such as to deliver Services that you have requested;
- Determine program, product, and service eligibility;
- Respond to your questions, comments, or concerns;
- Enter into, maintain, and develop our business, professional or contractual relationship with you and your representatives;
- Validate, confirm, verify, and track your account, and products or services you have ordered or received (including to contact you about these);
- Manage communications with you or about you;
- Run our business in the ordinary course, including improving user experience, ensuring the proper functioning of the company and our Services, to procure vendor/supplier products and services, to manage and satisfy our contractual relationships and obligations, for product and service development, improvement, and maintenance, engage in joint marketing initiatives, advertise and promote products and services, and provide access to, monitor, and secure our facilities and other property, for adverse experience and product complaint reporting, and manage outsourcing relationships and services;
- Provide and maintain personalization, including to process and manage your participation in unique interactive features of our Services (when you choose to do so), provide secure access to your account, technical support, respond to your inquiries, deliver personalized content and communications, send you requested notifications, manage your enrollment in our programs and services, send you personalized surveys and feedback requests, and to analyze and better understand your needs, preferences, and interests, and that of others;
- Protect and manage the security and integrity of the Services, data, products, technology, and our business, and to enforce our policies, procedures and compliance;
- Provide access to, monitor, and secure our facilities, equipment, and other property;
- Conclude or consider a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation of our business (in whole or in part);
- Convert your Personal Data into aggregate, non-identifying, anonymized, or pseudonymized information as permitted under applicable law;
- Interact with third-party services based on your requests or when you use any of the Services to connect with third-party services; and
- For any other purpose where you have provided consent where it is legally required.
Marketing
In addition to the above, we may use your Identity Data, Contact Data, Technical Activity and Usage Data, and Profile Data for unique or interest-based marketing and advertisements, such as to form a view on what we think you may want or need, or what may be of interest to you, and to send or have sent to you information about products, services, and information you may want or need. Depending on where you live, our use of your Personal Data for marketing and advertisements is based on the following permissions:
- At your request: You have requested this information from us.
- Consent/Opting in: You provided your express consent for our use and sharing of your Personal Data for marketing and advertising communications and related purposes.
- Opting out: You have not opted out from receiving our and our partners’ marketing communications using the features or preference tools made available to you under applicable law. Note, however, that even if you opt out of receiving these marketing communications, we may still email you in order to provide a product or service that you request.
- Usage Technologies: You have enabled the use and delivery of Usage Technologies in your device or browser which permits delivery and management of personalized or contextual marketing and advertising.
- Third-Party Analytics: You have not disabled or opted out from marketing, tracking, or profiling with third-party web analytics services (such as those of Google Analytics). For more information on third-party Usage Technologies, see the section “Cookies and Other Online Tracking Mechanisms” above and our Cookie Notice.
Do-Not-Track Signals
Our system may not respond to Do Not Track requests or headers from some or all browsers. Certain parts of our digital Services also include advertisements from third parties. You can opt out of being targeted by certain third-party ad-servers and Ocular-served ads online by following the instructions described in our Cookie Notice.
Other Disclosures of Personal Data
In addition to the above, we may also disclose any Personal Data we collect to the following recipients for the purposes listed above:
- Our Affiliates and Business Partners: Our affiliates and business partners may use your Personal Data for the purposes described above, including for market research, academic research, evaluation of interest in clinical research, and business intelligence and analysis.
- Service Providers: We may share your personal data with contractors, suppliers, and other vendors who provide services on our behalf and at our instruction, such as assisting with processing and fulfilling orders; delivery and logistics; data storage; fraud prevention; data and services analytics, including the placement and use of Usage Technologies, our communications, advertising, and marketing, including to assess the effectiveness of our advertising and marketing efforts; or other services in support of our business.
- Third Parties as Required by Applicable Law: We may be required to disclose your Personal Data where required under applicable laws, such as to show compliance with a legal obligation, conduct audits, comply with our regulatory monitoring and reporting obligations, in defense of claims against us and to protect the health and safety of others, respond to a subpoena, enforce a contract, or to comply with specific disclosure obligations by the U.S. Customs and Border Protection, U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other government agencies, regulators and authorities.
- Professional advisers: advisors (e.g., lawyers, bankers, auditors and insurers) who, for example, may provide consultancy, banking, financial, legal, insurance and accounting and payroll services.
We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
E. DATA RETENTION
We will retain your Personal Data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements, or we are otherwise permitted to retain the Personal Data for other uses, such as to process returns, recalls, or other administrative needs related to our products and Services. Where Personal Data is used for more than one purpose, we will retain the Personal Data until the purpose with the longest retention period expires.
In some circumstances we may anonymize or pseudonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes. There may also be circumstances where data is retained until it is manually deleted by Ocular.
F. THIRD-PARTY SITES
Our digital Services may contain links to other third-party websites that are not owned, controlled, reviewed or monitored by us. Please be aware that we are not responsible for the privacy policies of such other sites or how these sites operate or treat your information. We encourage you to read the privacy policies and terms and conditions of each and every third-party website.
Please note that linked third-party websites may also use cookies or other Usage Technologies. We cannot control the use of these Usage Technologies by these third-party websites. For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using Usage Technologies. If you have any questions about how third-party websites use these Usage Technologies, you should contact such third parties directly.
G. CHILDREN’S PRIVACY
Ocular does not expect that any portion of its Services will be used by persons under the age of 16, and we do not knowingly collect Personal Data from anyone under the age of 16. If we learn that we have received Personal Data from someone under the age of 16, we will delete that information in accordance with applicable law.
If a parent or guardian becomes aware that his or her child has provided us with Personal Data, he or she should contact us as described in Section M, “How to Contact Ocular.”
H. DATA SECURITY
We take appropriate measures to manage the privacy of your Personal Data and the security of the Services. We have implemented certain commercially reasonable physical, administrative, and technical measures to safeguard Personal Data from unauthorized or accidental loss, use, access or acquisition. While we take reasonable steps to protect the integrity and security of our data, network and systems, due to the nature of the Internet, there is a possibility that unsecured (unencrypted) email or Internet transmissions could be intercepted and read by third parties. Therefore, you should take special care in deciding what information you transmit via e-mail, in a sign-up form or via other Internet transmission, and that your connection is secure.
When we share your Personal Data with our third-party providers and business partners, we impose obligations of confidentiality and security consistent with this Notice.
I. CROSS-BORDER TRANSFERS OF PERSONAL DATA
International data transfers refer to transfers of your Personal Data outside the country in which you reside, either directly by you (such as when you access our Services located in the U.S. from outside the U.S.) or by a third-party exporter that has collected your Personal Data on our behalf. This includes the transfer of Personal Data to a jurisdiction that may not have the same levels of data protection as the country where you reside. In certain cases, we may need to share, transfer, store, or otherwise process your Personal Data in locations outside of the jurisdiction in which you reside or are located. When we transfer Personal Data, we do so in accordance with applicable laws.
Where we transfer data outside of the European Economic Area or the United Kingdom to other countries, we adopt appropriate and suitable safeguards, including the European Commission’s Standard Contractual Clauses and the United Kingdom’s Addendum thereto, to safeguard Personal Data being transferred to countries where an adequate level of protection is not already guaranteed. For more information on our safeguards, contact us using the information in Section M, “How to Contact Ocular.”
Australia has adopted the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (collectively “Australian Privacy Laws”). If you are in Australia, you acknowledge and consent to us not being required to take any steps to ensure that overseas recipients of your Personal Data comply with the Australian Privacy Laws. If the overseas recipient handles your Personal Data in breach of the Australian Privacy Laws, we will not be liable, and you will not be able to seek redress under the Act.
J. YOUR PRIVACY RIGHTS AND CHOICES
If you are a clinical trial subject, please contact the Principal Investigator on the relevant study to inquire about and exercise your data protection rights.
All other individuals may have various choices with respect to how and when we collect, use, or share Personal Data. For example:
- You may choose to opt out of receiving direct marketing, commercial emails, and other educational materials from us about our products and services by following the instructions contained in the communications we send or, at any time. Please allow five (5) business days for your request to be processed. Please also note that even if you unsubscribe, we may still send you transactional or administrative communications, including, for example, to manage any account you have with us, respond to your requests, execute agreements with you, provide you with products requested, and manage your interaction with us.
- If you are located in the European Economic Area or the United Kingdom, we will only send you direct marketing communications with your consent, unless otherwise permitted by applicable law.
- You may opt out from the collection of your Personal Data through automated means, such as Usage Technologies, as explained in our Cookie Notice.
- Ocular may require you to provide certain Personal Data in order for you to, for example, receive additional product information or information about a disease state. You could decide not to submit any Personal Data at all by not entering it into any forms or data fields and not using any available personalized services.
- If you have filled out a form that stores data within our database and wish for the data to be anonymized or removed, or believe the Personal Data we have collected is out of date or incorrect, you may contact us as provided in Section M, “How to Contact Ocular.”
You may also have certain data protection rights and choices under applicable data protection laws concerning the processing of your Personal Data, in addition to those described elsewhere in this Notice. For example, in some locations, including the European Economic Area, the United Kingdom, and certain U.S. states (such as California), privacy or data protection laws may give you certain rights with respect to your Personal Data. These rights may include:
- The right to request access to your Personal Data, which includes the right to obtain confirmation from us as to whether or not Personal Data concerning you is being processed, and where that is the case, access to the Personal Data and information related to how it is processed;
- The right to rectification or erasure of your Personal Data, which includes the right to have incomplete Personal Data completed, including by means of providing a supplementary statement, and certain rights to request that we erase your Personal Data without undue delay;
- The right to restrict or object to processing concerning your Personal Data, which includes restricting us from continuing to process your Personal Data under certain circumstances (e.g., where you contest the accuracy of your Personal Data, processing is unlawful, your Personal Data is no longer needed for the purposes of processing, or you have otherwise objected to processing related to automated individual decision-making);
- The right to data portability, which includes certain rights to have your Personal Data transmitted from us to another controller;
- Where data processing is based on your consent, the right to withdraw consent at any time; and
- The right to lodge a complaint with the competent supervisory authority.
Ocular will not discriminate against you for exercising a privacy right granted to you by law.
Otherwise, to find out more about your legal rights or to exercise any privacy rights that apply to you, please contact us using the information included in Section M, “How to Contact Ocular.” In your email, please include your full name, zip code or postal code, the email address at which you prefer to be contacted, and the privacy right(s) you are requesting, such as the removal of information about a particular transaction or the correction of specific information. Please check your incoming email messages in case we need to ask you more questions about your request. Note that applicable law may restrict or otherwise provide exceptions to the exercise of these rights depending on the jurisdiction where you reside or whose laws apply to your request. We will note these for you when responding to your request.
Certain laws allow an authorized agent acting on your behalf to make these requests, which they may do by following the instructions above. When you use an authorized agent to submit a request, you must provide the authorized agent with written permission to do so, and, in certain circumstances, we may ask you to verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.
K. ADDITIONAL NOTICE FOR U.S. CONSUMERS
This additional notice applies only to information collected about residents (“consumers”) of California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia, which have comprehensive privacy legislation (collectively, “U.S. Privacy Laws”) that requires provision of a consumer privacy notice. For additional disclosures required by the Washington My Health My Data Act, the Nevada My Health My Data Act and Nevada Revised Statutes Chapter 603A:
NOTICE TO NEVADA RESIDENTS
Section 603A of the Nevada Revised Statutes permits Nevada residents who are Ocular Therapeutix “consumers” to submit, at any time, a request to an “operator” of a website in Nevada directing the operator not to make any sale of any “covered information” the operator has collected or will collect about the consumer. We do not currently “sell” or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to [email protected] or calling 877-628-8998 to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.
This section supplements Ocular’s disclosure of privacy practices in other sections of this Notice and provides additional instructions for submitting requests. Some portions of this section apply only to consumers of particular states. In those instances, we have indicated that such language applies only to those consumers.
The following sections also apply to this section with respect to the Personal Data we collect from or about U.S. consumers (Section B, “Personal Data We Collect”) and the sources from which we collect Personal Data (Section C, “How We Collect Your Personal Data”). We have also explained our purposes for collecting Personal Data and how we disclose it to others (Section D, “Why We Process and Disclose Your Personal Data”). Finally, you can find information about how to exercise your privacy rights (Section J, “Your Privacy Rights and Choices”) and how we retain Personal Data (Section E, “Data Retention”) above.
Please also note that this Notice does not address our collection and processing of Personal Data from employees, job applicants, other individuals with whom we interact in an employment-related context, healthcare professionals (HCPs), or other business-to-business contacts. California residents who fall into one of those categories may access our privacy disclosures applicable to them by selecting the notice that applies to them below.
- For California HCPs, click here
- For California non-HCP Business Contacts, click here
- For California Job Applicants, click here
Defined Terms Used in This Section
The term “Personal Data” or “Sensitive Personal Data” as used in this section includes corresponding terms such as “Personal Information” and “Sensitive Personal Information” as defined by U.S. Privacy Laws. The terms “Third-Party” and “Vendor” also have the meanings as defined by U.S. Privacy Laws. To the extent other terms used in this section are defined by U.S. Privacy Laws, such terms shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the U.S. Privacy Laws, the definitions applicable to you are those provided in the statute for the state in which you are a consumer. For example, if you are a Virginia consumer, terms used in this section that are defined terms in the Virginia Consumer Data Protection Act (VCDPA) shall have the meanings afforded to them in the VCDPA to the extent this section applies to you as a consumer residing in Virginia at the time we collect your Personal Data.
Additional Collection, Processing and Disclosure of Personal Data
During the past 12-month period, we and our Vendors have and will collect the following additional categories of Personal Data about U.S. consumers, and disclose to Vendors and Third Parties for a business purpose:
- Medical information: Information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding medical history, mental or physical condition, or treatment.
- Health insurance information: Insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify you, or any information in your application and claims history.
- Data Relating to a Protected Class: Characteristics of protected classifications under U.S. state or federal law.
- Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Inference Data: Information about inferences drawn from Personal Data to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, including inferences used to indicate Sensitive Personal Data; and
- Sensitive Personal Data: State identification card, account log-in information; financial account number in combination with any required security or access code, password, or credentials for allowing access to an account; contents of a consumer’s email and text messages, unless the business is the intended recipient.
Retention of Personal Data
In addition to how Ocular determines retention of Personal Data as provided in Section E, “Data Retention,” retention periods for Personal Data subject to U.S. Privacy Laws are also designated in Ocular’s Record Retention Policy.
Sale and Sharing of Personal Data
State privacy laws may permit consumers to opt-out of the sale of Personal Data, including when that Personal Data is provided to others in exchange for non-monetary value or to facilitate targeted advertising. Ocular does not engage in these activities as they are defined in the state consumer privacy laws applicable to Ocular.
- Disclosure for California Consumers: We will not sell or share any of the categories of Personal Data we collect about you, and we have not sold or shared Personal Data about California consumers in the past twelve months. Relatedly, we do not have actual knowledge that we sell or share Personal Data of California consumers under 16 years of age.
- Disclosure for Consumers in Other States with U.S. Privacy Laws: We do not sell or share Personal Data to Third Parties or process Personal Data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer as the terms “sell,” “share,” “process,” “targeted advertising,” and “profiling” are defined in such U.S. Privacy Laws.
Purposes for Processing & Disclosing Personal Data During the Prior 12 Months
We and our Vendors have and will collect and process your Personal Data (excluding Sensitive Personal Data) for the purposes described in Section D, “Why We Process and Disclose Your Personal Data” and to identify you and your device(s) for any/all purposes identified above, including to monitor your use of and interactions with programs, products, Services, and advertisements for such purposes or to help ensure the integrity of our programs and the preservation of your privacy.
We and our Vendors have and will collect and process the Sensitive Personal Data for purposes described in Section D, “Why We Process and Disclose Your Personal Data” to the extent authorized by the CCPA and its implementing regulations. When we collect and process Sensitive Personal Data, we do so as reasonably necessary and proportionate for such purposes. This includes short-term, transient use, including non-personalized advertising shown as part of a consumer’s current interaction with us; provided that we will not disclose the consumer’s Personal Data to a Third-Party and/or build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with our business.
For each category of Personal Data identified in Section D, “Why We Process and Disclose Your Personal Data,” we disclose such Personal Data to the following categories of Third Parties: Healthcare providers (including specialty pharmacies); Health insurance companies (health plans) and other payors; Authorized/legal representatives, family members, and caregivers; Third Parties that help administer, manage, and analyze our programs and services; Third Parties with whom we have joint marketing and similar arrangements; Third Parties who provide benefit verification, program enrollment, and product fulfillment services in connection with our products and services; Payment processors, financial institutions, and others as needed to complete transactions and for authentication, security, and fraud prevention; Third Parties who deliver our communications, such as the postal service and couriers; Third Parties who provide marketing and data analytics services, such as social media platforms used to deliver our ads, website/email optimization providers, email marketing vendors, and data analytics vendors; Third-Party network advertising partners; Third Parties who assist with our information technology and security programs; Third Parties who assist with fraud prevention, detection, and mitigation; Third Parties as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings); Third Parties as necessary to complete transactions and provide our products/services, including delivery companies, agents, and manufacturers; Consumer reporting agencies; Our lawyers, auditors, and consultants; and Legal and regulatory bodies and other Third Parties as required by law.
We may also disclose your Personal Data to any Third-Party with your consent or at your direction.
State Privacy Rights
You may exercise the privacy rights applicable to you by using the contact information specified in Section M, “How To Contact Ocular”. Consumers in some states may also authorize an agent to make data subject requests on their behalf.
California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia consumers have the rights with respect to the collection and use of their Personal Data specified in Section J, “Your Privacy Rights and Choices.” In addition, please note the following:
- Right to Know: You may request that we provide you with information about the following aspects of how we have handled your Personal Data specifically in the 12 months preceding your request, which is also disclosed above:
  - The categories of Personal Data we collected about you;
  - The categories of sources from which we collected such Personal Data;
  - The business or commercial purpose for collecting, selling, or sharing Personal Data about you;
  - The categories of Personal Data about you that we disclosed and the categories of Third Parties with whom we disclosed such Personal Data;
  - The categories of Personal Data about you that we sold, shared, or used for targeted advertising purposes, if applicable, and the categories of Third Parties with whom we sold or shared such Personal Data;
  - If we collect Sensitive Personal Data, the categories of Sensitive Personal Data to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
  - The length of time we intend to retain each category of Personal Data, or if that is not possible, the criteria used to determine that period.
- Right to Access Specific Pieces of Personal Data or Data Portability: You may not exercise this right more than two times in a calendar year.
- Right to Deletion: Please note that we may not be required to delete information under certain circumstances when applicable U.S. Privacy Laws include exemptions that allow us to retain the data in response to a request for deletion when, for example, necessary to comply with legal obligations, including those pertaining to the quality, safety, or effectiveness of a product or activity regulated by the Food and Drug Administration (FDA); complete a transaction; detect security incidents; or for certain other internal purposes.
- Verification of Data Subject Requests. We may ask you to provide information that will enable us to verify your identity in order to comply with your data subject request. We use a third-party verification service for that purpose. To verify your identity, you must provide the required information when completing the online request form or making a request, including the last 4 digits of your social security number. We will ask you to provide your contact information and additional identifiers based on your relationship with us. Before we process your request, we may match these data points with a third-party identity verification service and data points we currently maintain to verify your identity and your relationship with us.
- Appeals. California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia consumers have the right to appeal our decisions on their requests. This section does not apply to California or Utah consumers. To appeal our decision on your data subject requests, you may contact us using the contact information included in Section M, “How to Contact Ocular.” Please enclose a copy of or otherwise specifically reference our decision on your request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.
Other California Disclosures
- California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of any of the Services, then you may request that we remove any of your posts, comments, or other forms of user-generated content you have publicly posted on or in the Services. To request this removal, please send a request with a detailed description of the specific post to us using the contact information located in Section M, “How To Contact Ocular.” You also may be able to log in to your account and delete your posts. Please note that our deletion of posts may not ensure complete or comprehensive removal of your content online, as various public search and archiving services may have retained this public information, or others may have reposted your content. This content may also be stored in backup media, cached or otherwise retained by Ocular for administrative or legal purposes. Ocular may also be required by law to not remove (or allow removal) of your content.
- Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Data to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Data to third parties (as defined by California Civil Code § 1798.83) for their own direct marketing purposes.
- Financial Incentives for California Consumers. Under California law, we do not provide financial incentives to California consumers who allow us to collect, retain, sell, or share their Personal Data. We will describe such programs to you if and when we offer them to you.
L. ADDITIONAL INFORMATION FOR NON-U.S. RESIDENTS
How this Notice Applies To You
If you reside outside the U.S. and use our Services or otherwise interact with us from outside the U.S., you may have certain rights under your local data protection laws, such as the European Union’s General Data Protection Regulation if you reside in a Member State of the European Union. We recognize the privacy rights of persons residing in a country outside the U.S. with data protection laws that apply to Ocular. If you are using our Services from outside the U.S. with such data protection laws and have questions concerning this Notice, you may contact our Global Data Protection Officer using the contact information in Section M, “How To Contact Ocular.”
The following sections also apply to this section with respect to the Personal Data we collect from or about residents in a country outside the U.S. with data protection laws (Section B, “Personal Data We Collect”) and the sources from which we collect Personal Data (Section C, “How We Collect Your Personal Data”). We have also explained our purposes for collecting Personal Data and how we disclose it to others (Section D, “Why We Process and Disclose Your Personal Data”). Finally, you can find information about how to exercise your privacy rights (Section J, “Your Privacy Rights and Choices”) and how we retain Personal Data (Section E, “Data Retention”) above.
Our Legal Bases for Processing Personal Data
Some non-U.S. data protection laws require us to designate one or more legal bases for processing your Personal Data. When applicable, we rely on the following legal bases:
- Contractual Obligations. We use Personal Data to provide the products or services you request, including validating your access to our Services; processing your purchase orders; providing customer service; and sending you administrative or transactional communications.
- Our Legitimate Interests. We use Personal Data when we have legitimate interests in doing so, as long as our legitimate interests are compatible with your rights and expectations of privacy. We rely on our legitimate interests to operate, maintain, and improve the Services and our products; perform analytics and conduct customer research; and improve our customer service and overall user experience.
- Our Legal Obligations. We use Personal Data as needed to comply with our legal obligations, including as needed for fraud prevention; public safety; complying with public authorities and courts; and enforcing or defending our rights and those of others.
- Your Consent. We may use Personal Data as described in this Notice with your “opt-in” consent, including when needed for marketing communications and use of Usage Technologies. When you consent, you may revoke this consent at any time.
M. HOW TO CONTACT OCULAR
If you have additional questions about this Notice or our privacy practices, you may contact us as follows:
Global Data Protection Officer
Telephone: +1-877-628-8998 (toll free in the U.S.)
Address:
Ocular Therapeutix, Inc.
15 Crosby Drive
Bedford, MA 01730
Attn: VP, Legal, Chief Compliance Officer and Privacy Officer
For individuals residing in the UK and European Economic Area, the data controller(s) is Ocular Therapeutix, Inc.
N. REVISIONS TO THE NOTICE
Ocular reserves the right, at its sole discretion, to change, modify, add, remove, or otherwise revise portions of this Notice at any time. If we do, we will make you aware of the change(s) on the Services by including a copy of the previous version of the Notice. The date this Notice was last revised is identified at the top of the page. Your continued use of the Services following the posting of changes to this Notice means you acknowledge these changes. If we change this Notice in a material way, we will provide appropriate notice to you.
HOW TO CONTACT OCULAR THERAPEUTIX
If you have questions or comments about this Privacy Policy, please send an email to [email protected]. You may also call us at 877-628-8998 or send us a letter addressed to the following address by First Class Postage Prepaid U.S. Mail or overnight courier:
Ocular Therapeutix, Inc.
15 Crosby Drive
Bedford, MA 01730
Attn: Legal Department
This Privacy Policy was last revised as of June 2025.
OCULAR THERAPEUTIX TERMS AND CONDITIONS OF USE
INTRODUCTION
Welcome to the Ocular Therapeutix, Inc. (“Ocular Therapeutix”) website. We refer to this and other websites owned or controlled by Ocular Therapeutix as “our websites.” You may use our websites, provided you comply with these Terms and Conditions of Use governing the use of our websites. Please read these Terms and Conditions of Use carefully before using our websites.
ACCEPTANCE OF TERMS AND CONDITIONS OF USE
By accessing and using our websites you agree to follow and be bound by these Terms and Conditions of Use. If you do not agree to follow and be bound by these Terms and Conditions of Use, please do not use or download materials from our websites. You may be subject to additional terms that may apply when you access particular services or materials on certain areas on our websites, or by following a link from our websites. You may use our websites in accordance with these Terms and Conditions of Use for lawful purposes only.
INTENDED AUDIENCE
Our websites are intended for the use of residents of the United States (“U.S.”) and any of its territories by users who are 18 years of age or older. It is not intended for use by children. Ocular Therapeutix makes no claim that our websites are appropriate for access or use by individuals outside of the U.S.
THESE TERMS AND CONDITIONS OF USE MAY CHANGE
Ocular Therapeutix reserves the right to update or modify these Terms and Conditions of Use at any time without prior notice. Your use of our websites following any such change constitutes your agreement to follow and be bound by the Terms and Conditions of Use as changed. For this reason, we encourage you to review these Terms and Conditions of Use every time you use our websites. In the event you violate any of these Terms and Conditions of Use, all rights granted to you thereunder shall be terminated immediately, with or without prior notice.
LIMITATION OF LIABILITY
YOUR USE OF OUR WEBSITES IS AT YOUR OWN RISK. OCULAR THERAPEUTIX AND ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND THIRD-PARTY PARTNERS (COLLECTIVELY, “OCULAR THERAPEUTIX PARTIES”) SPECIFICALLY DISCLAIM ANY LIABILITY, WHETHER BASED IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR SPECIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH ACCESS TO OR USE OF OUR WEBSITES, INCLUDING BUT NOT LIMITED TO RELIANCE BY ANY PARTY ON ANY CONTENT OBTAINED THROUGH THE USE OF OUR WEBSITES, OR THAT ARISES IN CONNECTION WITH MISTAKES OR OMISSIONS IN, OR DELAYS IN TRANSMISSION OF, INFORMATION TO OR FROM THE USER, INTERRUPTIONS IN TELECOMMUNICATIONS, CONNECTIONS TO OUR WEBSITES, OR VIRUSES, WHETHER CAUSED IN WHOLE OR IN PART BY NEGLIGENCE, ACTS OF GOD, TELECOMMUNICATIONS FAILURE, THEFT OR DESTRUCTION OF, OR UNAUTHORIZED ACCESS TO OUR WEBSITES, OR RELATED INFORMATION OR PROGRAMS.
THE ABOVE DOES NOT AFFECT ANY LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
DISCLAIMER OF WARRANTIES
ALL CONTENT ON OUR WEBSITES IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, AND NON-INFRINGEMENT. OCULAR THERAPEUTIX PARTIES MAKE NO WARRANTY AS TO THE ACCURACY, COMPLETENESS, CURRENCY, OR RELIABILITY OF ANY CONTENT AVAILABLE THROUGH OUR WEBSITES. YOU ARE RESPONSIBLE FOR VERIFYING ANY INFORMATION BEFORE RELYING ON IT. USE OF OUR WEBSITES AND THE CONTENT AVAILABLE ON OUR WEBSITES IS AT YOUR SOLE RISK. OCULAR THERAPEUTIX PARTIES MAKE NO REPRESENTATIONS OR WARRANTIES THAT USE OF OUR WEBSITES WILL BE UNINTERRUPTED OR ERROR-FREE. YOU ARE RESPONSIBLE FOR TAKING ALL NECESSARY PRECAUTIONS TO ENSURE THAT ANY CONTENT YOU MAY OBTAIN FROM OUR WEBSITES IS FREE OF DELETERIOUS PROGRAM MATERIAL INCLUDING MALWARE, WORMS, VIRUSES AND OTHER EXECUTABLE CODE.
THE ABOVE DOES NOT AFFECT ANY WARRANTIES THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
INDEMNIFICATION
YOU AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS OCULAR THERAPEUTIX PARTIES FROM AND AGAINST ALL LOSSES, LIABILITIES, EXPENSES, DAMAGES AND COSTS, CLAIMS, ACTIONS, AND DEMANDS, INCLUDING REASONABLE ATTORNEYS’ FEES, RESULTING FROM YOUR VIOLATION OF THESE TERMS AND CONDITIONS OF USE OR YOUR ACCESS TO, OR USE OR MISUSE OF, THE CONTENT OR OUR WEBSITES.
NO MEDICAL OR PROFESSIONAL SERVICES ADVICE
The content on our websites is intended to be a general information resource regarding the subject matter covered but is provided solely on an “as is” and “as available” basis as noted on these Terms and Conditions of Use.
Our websites do not provide medical, healthcare or other professional advice. The information provided on our websites is intended for informational purposes only. This information is not a substitute for actual medical care or for the advice provided by your own doctor or other medical professional. Persons requiring diagnosis or treatment, or who have specific questions related to their condition or care, are urged to contact their health care provider.
GOVERNING LAW
The laws of the state of Delaware shall govern these Terms and Conditions of Use, without giving effect to choice or conflict of law rules. Any legal action or proceeding based on, arising out of or related to these Terms and Conditions of Use or your use of our websites (including any information they contain) shall be brought exclusively in a federal or state court of competent jurisdiction sitting in Delaware, and all parties waive any objection to the personal jurisdiction of and venue in such courts.
Ocular Therapeutix makes no representation that the information on the websites is appropriate or available for use in other locations, and access to our websites from territories where the content of our websites may be illegal is prohibited. Nothing herein should be considered a solicitation or promotion for any product or indication for any product that is not permitted by U.S. laws or regulations. Those who choose to access our websites from other locations do so on their own initiative and are responsible for compliance with applicable local laws.
INTELLECTUAL PROPERTY RIGHTS
All content of our websites is protected by U.S. copyright and other intellectual property laws. You may not copy, modify, upload, download, post, transmit, republish or distribute any of the content, including without limitation, the code contained in our websites without the express written permission of Ocular Therapeutix, except for your own personal, non-commercial purposes. Except as provided in the preceding sentence, nothing contained in our websites shall be construed as granting a license or other rights under any patent, trademark, copyright or other intellectual property of Ocular Therapeutix or any third party. Unauthorized use of any Ocular Therapeutix trademark, service mark or logo may be a violation of federal and state trademark laws. All rights are reserved by the owners of each trademark, service mark, logo, or other intellectual property, except as otherwise described in these Terms and Conditions of Use.
SEVERABILITY
In the event that any provision of these Terms and Conditions of Use shall, in whole or in part, be determined to be invalid, unenforceable, or void for any reason, the remainder of these Terms and Conditions of Use shall not be affected in any way thereby.
THIRD-PARTY WEBSITES
Our websites may contain links to websites operated by other parties. Third-party websites are not under the control of Ocular Therapeutix, and Ocular Therapeutix is not responsible for the privacy practices or content on any third-party websites. Such links do not imply Ocular Therapeutix’s endorsement of material on any other website. Ocular Therapeutix provides links to other websites as a convenience to users, and access to any other websites linked to this website is at your own risk. OCULAR THERAPEUTIX DISCLAIMS ALL LIABILITY WITH REGARD TO YOUR ACCESS TO SUCH THIRD-PARTY WEBSITES.
QUESTIONS
If you have any questions about these Terms and Conditions of Use, please contact us by visiting the “Contact Us” section of our corporate website or the contacts listed in Section M of the Global Privacy Notice: “How to Contact Us.”
These Terms and Conditions of Use were last revised as of June 2025.