TREVI THERAPEUTICS
GDPR Data Protection Notice

Trevi Therapeutics (the “Company,” “we,” “our”, or “us”) is committed to protecting personal data it collects and processes. This Notice applies in the context of Company’s personal data processing activities linked to Our websites, and only to the extent the activities are subject to data protection requirements in the European Union (EU), European Economic Area (EEA), Switzerland and/or the United Kingdom (UK) (“Applicable Data Protection Laws”).

This Notice is valid for all pages hosted on the Website. It is not valid for the pages hosted by third parties to which the Company may refer and whose privacy policies may differ. The Company cannot therefore be held responsible for any data processed on these websites or by them. This Notice also applies to any other website that the Company may operate, including our Company pages on LinkedIn and X, caring4cough.com website, and social media pages for Caring4cough campaign (LinkedIn, X, Instagram and Facebook).

We want to be sure you understand our privacy practices when we are engaged in processing personal data affecting you as individuals in the EU, Switzerland or UK. This Notice explains the types of personal data we collect, why we collect it, how we use and share it, and the rights of data subjects. If there is any conflict between this Notice and our U.S. Website Privacy Notice, this Notice will apply instead of the U.S. Website Privacy Notice with respect to our processing activities in relation to persons located in EU, Switzerland or UK.

If we collect your personal data in connection with your participation in or operation of one of our clinical trials in the EU, Switzerland or UK, we will provide you with a separate information notice (which may be a part of a consent form) at the time we collect your personal data for those purposes. The notice will describe how your personal data is processed and the responsibilities of the respective controllers in the context of the clinical trial.

We may revise this Notice from time to time. If we decide to change this Notice, we will post the revised Notice on our website (“Website”). If changes materially affect your rights under this Notice, we may provide a more prominent notice on the Website. In certain cases, we may also provide email notification of the revised Notice and either seek your consent or give you the right to opt out of our use of your personal data in accordance with the revised Notice, if required. However, because we may make changes at any time, we suggest that you periodically consult this Notice. Please note that our data protection practices will be based on the Notice in effect at the time the personal data is processed.

  1. Who Is Responsible for the Data Processing and How Can I Contact Them? 

The Company is the data controller responsible, under Applicable Data Protection Laws, for determining the purposes and means of the personal data processing discussed in this Notice.

If you have any questions about this Notice or our data processing practices, please contact our Data Protection Officer at the address or email noted below, and specify that your inquiry concerns Trevi Therapeutics’ processing of personal data, your country of residence, and the nature of your question.

Trevi Therapeutics contact details:

195 Church Street, 16th Floor

New Haven, CT 06510

(203) 304-2499

QAC@trevitherapeutics.com

Our Data Protection Officer (DPO) is:

MyData-TRUST SA, Boulevard Initialis 7/3, 7000 Mons, Belgium
Email: trevi.dpo@mydata-trust.info

Our EU Data Protection Representative (EU DPR) is:

MyData-TRUST SA, Boulevard Initialis 7/3, 7000 Mons, Belgium

trevi.dpr@mydata-trust.info

Our UK Data Protection Representative (UK DPR) is:

MyData-TRUST LTD, Belmont Building, Belmont Road – Uxbridge, UB8 1HE (UNITED KINGDOM)

trevi.dpr@mydata-trust.info

Apaydin is a law firm specializing in family law, both for Turkish citizens and for foreigners subject to Turkish laws and obligations arising from international private laws and contracts.

Website: https://apaydinhukuk.com/en/

Contact: dpr.tr@mydata-trust.info

  1. What are the Types of Personal Data We Collect and How do We Use Your Personal Information?

We collect personal data from people who use our Website such IP addresses and email.

Contact and Other Information You Communicate to Us

If you choose to contact us through the Website (e.g. via a contact form) or by email through an email address provided on our Website, we’ll collect your contact information, such as your name, email address, phone number or other contact information that you provide to us so we can communicate with you. If you write a message to us, we will store the message so we can reference it when responding to you.  If you inquire about a career opportunity or to apply to it, we will collect and store the information you share related to that opportunity and your application.

Website Visitor Data and Cookies (Technical Data)

Cookies on our website may store in certain circumstances personal data which may include your IP addresses, browser type, location, operating system. For more information on purposes of the processing and data collected, please consult our Cookies Notice.

Personal Data of Representatives (points of contact) of Service Providers and Vendors

If you or your company is or becomes our service provider or vendor, we may further process your personal data as a point of contact to fulfill the contract and maintain a business relationship with you or your company.  We process limited personal data for this purpose, such as contact name, address, email address, phone number and other contact details that you or your company may provide to us to allow us to communicate with you.

Personal Data of Mailing List/Email Alerts Subscribers

If you chose to subscribe our Mailing List or to receive real time email alerts, we will collect your email address. We will process your personal data to manage your subscription to the Mailing List/Email alerts.

Publication Reference Data

If you wrote a publication that is of interest in relation to the Company’s activities (scientific publication in the area of company’s targeted disease), we may quote your name and the tittle and references of your publication on our websites.

Aggregate Data

We may process aggregate statistical data (e.g. coming from Company page on LinkedIn, X and social media pages for Caring4cough campaign on LinkedIn, X, Instagram and Facebook *). Some information related to follower’s visits are collected in an aggregate way by LinkedIn, Instagram, Facebook and X. We can access statistics provided by those social media in order to have information on the way our page is consulted. In addition, we are also using  a social media management platform to analyze the performance of our social networks pages through aggregated data (how many persons saw our posts, shared it, traffic on our pages,…).

*For the use of social media, we will be joint-controller with LinkedIn, Instagram, Facebook and X only for the following activities: accessing and processing statistical aggregate data provided by LinkedIn, Instagram, Facebook and X in relation to the Company Page. For any other processing on the platform, social media platform shall be considered as the sole data controller.

LinkedIn and Facebook have created an “addendum” to their user agreements for company pages for the processing for which they are joint-controllers with us. Such agreement is not currently provided by X or Instagram.

  1. On What Legal Basis Do We Process Personal Data?

We process personal data in accordance with data privacy laws applicable to us in the context of processing your personal data.

Contact and Other Information You Send to Us

We process the personal data of our Website users as described in this Notice based on our legitimate interests to communicate with you in response to any inquiry or request you make of us.  We also process the data you would submit to us in the context of an application process or to enquire about job opportunities, in order to take steps at your request prior to entering into a contract.

Website Visitor Data and Cookies (technical data)

See our Cookies Notice.

Personal Data of Representatives of Service Providers and Vendors

We process personal data of our vendors and service providers’ point of contacts for the legitimate interests of addressing our contractual obligations with them.  Our processing of personal data allows us to provide or receive goods and services pursuant to the contracts with our Services providers and vendors, or to carry out pre-contractual measures that occur as part of a request by a customer or service providers.

Lawful Basis for processing Personal Data of Mailing List Subscribers

The legal basis for processing the use of your personal data for our Mailing List is your consent. Please, remember that you may unsubscribe from the Mailing List at any time without any cost.

Publication Reference Data

We may quote your name and publication references as it is our legitimate interest to refer to scientific publications that are of interest, in relation to Company’s activities.

Aggregate data

We consider that we have legitimate interest to understand the way our page is consulted (e.g. how many times our page is consulted, from which country,…).

  1. Who Receives My Data?

Within the Company, persons will have access to the data on a need-to-know basis, meaning solely persons that needs your data to accomplish the purposes listed above will have access to it.

In addition, we may share your personal data with third parties only if necessary for the purposes above and as set forth in this Notice, or if legal requirements demand it. In any case, some of these third-parties may be located outside of the country where you accessed this Website or where your information was originally collected.

For Aggregate data, please note that they are also hosted on LinkedIn, Facebook, Instagram and X. Once shared with them, data processing they perform will be subject to their Privacy Policy. As explained above, aggregated data about the use of our social media is also processed (analyzed and then hosted) by our social media management platform.

We do not share statistical reports coming from those sources and that we may own with other recipients.

  1. Will Data Be Transferred to a Third Country or an International Organization?

Personal data collected by Company is stored in the EU or UK, and in the U.S.

Especially, personal data we collect or receive in the EU or UK may be transferred from those countries to the U.S. The party in the U.S. receiving the personal data may have agreed to standard data contractual clauses (SCCs) under which the receiving party promises to safeguard the personal data it receives. Personal data will then be transferred to the U.S. taking into account the circumstances surrounding the transfer and an assessment of supplementary measures that demonstrate that the U.S. law does not impinge on the promise of adequate data protection set forth in the SCCs. It is also possible that the transfer of your data outside of the EU or UK will be based on another mechanism under applicable data protection laws, such as an adequacy decision, another appropriate safeguard, or a derogation. In particular, if the recipient has not entered into SCCs, we may rely on your explicit consent to transfer your personal data.  If you would like to request a copy of the specific safeguards applied to the export of your personal data (if applicable), send your request to Our Data Protection Officer (see contact details above).

  1. For How Long Will My Personal Data Be Stored?

Your personal data will be kept as long as necessary to complete the purposes above, and in accordance with Company’s internal retention policies. Especially, if you are a Website visitor and send us information through an email or other means, we will keep your personal data as long as necessary to address or respond to your inquiry. If you apply for a job, we will keep your data as long as necessary to manage the recruitment process, and then in accordance with our internal policies in relation to retention period of applicants’ data. For data collected through cookies (technical data), please see our Cookie Notice.


If you are a representative (point of contact) of our vendor or service provider, we will process and store your personal data for no longer than 7 years following the completion of our business relationship with you or your company.

Regarding data collected for the Mailing List subscription, we will process your data until you unsubscribe or cancel your subscription to the Mailing List.

For aggregate data, statistical information that are stored by LinkedIn, Facebook, Instagram and X are subject to their retention policy. We may export statistical reports, in an aggregated form.

If required by law or by a legal order, we may process and store your personal data for a longer period consistent with the law or legal order or our contractual rights.  For example, we may need to keep your personal data longer if necessary to fulfill obligations to preserve records under tax law or for accounting purposes, or if we are obligated to hold information because of a legal prohibition against removing or deleting the data.

  1. What Data Privacy Rights Do I Have?

Subject to some exceptions and limitations, you have several rights, including:

  • The right to access, which allows you to obtain a copy of your personal data, on request;
  • The right to rectification, which requires the Company to change incorrect or incomplete data about you;
  • The right to restrict and object to processing, which requires the Company to limit or stop processing your data under certain circumstances;
  • The right to erasure, which requires the Company to erase your data;
  • If applicable, the right to data portability, which allows you to transfer your personal data from the Company to another individual or entity; and
  • If we ever process your personal data based on your consent as the lawful basis, you have the right to withdraw consent at any time.  Please note that withdrawal of consent applies only to future actions.  Processing that was carried out before the withdrawal of consent is not affected.

You may exercise any of these rights by sending an email indicating your request to our Data Protection Officer (see contact details above).  Please note however that those rights are not absolute, and will be subject to a case-by-case analysis of the Company, with its Data protection Officer’s assistance. Furthermore, if you believe your legal rights are being infringed, you have the right to lodge a complaint with us or with your local data protection authority in the country where you live, where you work or where the alleged violation occurred, as applicable.  The list of Data Protection Authority by EU Member State can be found here  https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Contact details of the UK Supervisory authority can be found here: https://ico.org.uk/global/contact-us/

  1. Am I Obligated to Provide Personal Data?

When the legal basis for the processing is its necessity for the performance of a contract or a legal obligation, you must provide all personal data that is required (as applicable) for that purpose.  Without this data, we are indeed not able to accomplish the purposes defined, for example implementing the trial or program or executing a contract with you.

  1. To What Extent Is There Automated Decision-Making?

In the general course of establishing and carrying out our normal business processes, we do not use any automated decision-making.  If we do so in connection with an individual transaction, we will inform you of the automated decision-making in connection with that transaction.

  1. Will the Company Use My Personal Data for Marketing?

We do not use personal data for marketing, unless you request information that may be considered marketing materials (in which case we send that information to you) or you otherwise give your consent to such marketing communications. Each marketing communication will also include a means for withdrawing your authorization for future marketing communications.

  1. Children’s Data 

This Website is not directed to, nor do we knowingly collect information from, anyone under the age of 18. If you become aware that your child or any minor under your care has provided us with information via this Website without your consent, please contact us at the contact information listed above.

  1. How does the Company protect my information? 

The Company treats your personal data in a confidential manner and uses at least the same level of care in safeguarding your personal data that it uses with its own confidential information of similar nature.

Your personal data are contained behind secured networks and are only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential.

For aggregate data, data are hosted LinkedIn, Facebook, Instagram, X and social media management platform’s servers, and are therefore subject to their Privacy Policy. The statistics reports are stored on our servers and the same security measures apply.

This notice was last updated: March 20, 2023.