Data Privacy Framework Privacy Notice

Last updated on: February 27, 2026

Introduction

Upstream Bio, Inc. (“Upstream Bio”, “we”, “us”, “our”) takes the protection of personal data (“Personal Data”) very seriously. This privacy notice (the “Notice”) addresses individuals whose Personal Data we process in the following contexts: in the ordinary course of our business, and when we act as sponsor for clinical trials. It does not cover the data of Upstream Bio’s employees/contractors. This Notice outlines what Personal Data we process in reliance on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension to the EU-U.S. DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF” and, collectively with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the “DPF”), how we protect it, and what rights you may have under the DPF.

Data Privacy Framework

Upstream Bio complies with the DPF as set forth by the U.S. Department of Commerce. Upstream Bio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Upstream Bio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

Upstream Bio is responsible for the processing of Personal Data we receive under the DPF and subsequently transfer to a third party acting as an agent on our behalf. We comply with the DPF for all onward transfers of personal data from the EU, Switzerland, and UK, including the onward transfer liability provisions. In the context of this Notice, Upstream Bio acts as a data controller for the Personal Data we process.

To learn more about the Data Privacy Framework Program, visit https://www.dataprivacyframework.gov/. To view Upstream Bio’s certification, look for “Upstream Bio, Inc.” here: https://www.dataprivacyframework.gov/s/participant-search.

Personal Data Processing

We process a variety of categories of Personal Data about the clinical trial participants and healthcare practitioners involved in our clinical trials, as well as users who visit our websites and who utilize the online site-facing platform for site personnel and other health care practitioners involved in conducting certain of the clinical trials sponsored by Upstream Bio (the “ePortal”). For instance, we process the Personal Data of clinical trial participants and healthcare practitioners for the general purpose of conducting our clinical biomedical research, and we process the Personal Data of visitors to our websites for the general purpose of running, improving, and maintaining the security of our websites.

For a detailed description of the categories of Personal Data that we process about clinical trial participants, the purposes for which we process such Personal Data, and the service providers to whom we disclose such Personal Data, please see our Privacy Notice for Clinical Study Participants.

For a detailed description of the categories of Personal Data that we process about healthcare practitioners involved in our clinical trials, the purposes for which we process such Personal Data, and the service providers to whom we disclose such Personal Data, please see our EEA Investigators and Site Personnel Notice.

For a detailed description of the categories of Personal Data that we process about visitors to our websites, the purposes for which we process such Personal Data, and the service providers to whom we disclose such Personal Data, please see our Privacy Notice.

For a detailed description of the categories of Personal Data that we process about visitors to the ePortal, the purposes for which we process such Personal Data, and the service providers to whom we disclose such Personal Data, please see our ePortal Privacy Notice.

Role of Service Providers

We disclose Personal Data to our service providers, who process Personal Data on our behalf. Our service providers may be located outside of your jurisdiction; however, we will either obtain your explicit consent to transfer your Personal Data to such third parties, or we will require those third parties to maintain at least the same level of confidentiality that we maintain for such Personal Data ourselves. Upstream Bio remains liable for the protection of your Personal Data that we transfer to our service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.

Other Disclosure of Your Personal Data

We may disclose your Personal Data (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change, or (iii) to our subsidiaries or affiliates only if necessary for business and operational purposes as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data, which does not include any Personal Data, for any legal business purpose, such as analyzing usage trends and seeking compatible advertisers, clients, and customers.

If we must disclose your Personal Data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your Personal Data will maintain the privacy or security of your Personal Data.

Privacy Rights

Upstream Bio acknowledges the right of EU, Swiss, and UK individuals to access their Personal Data pursuant to the DPF and will grant individuals reasonable access to Personal Data it received pursuant to the EU-U.S. DPF Principles or the Swiss-U.S. DPF Principles. In addition, Upstream Bio will take reasonable steps to permit individuals to correct, amend, or delete such Personal Data that is demonstrated to be inaccurate or processed in violation of the EU-U.S. DPF Principles or the Swiss-U.S. DPF Principles. An individual may request access to their Personal Data, or otherwise correct, amend, or delete their Personal Data in line with the EU-U.S. DPF Principles or the Swiss-U.S. Privacy Principles by contacting Upstream Bio using the information in the “Contact Us” section below.

Access & Review

If you are a data subject about whom we store Personal Data, you may have a right to request access to, and the opportunity to update, correct, or delete, such Personal Data. To submit such requests or raise any other questions, please contact us using the information in the “Contact Us” section below or by any of the methods listed in our Privacy Notice for Clinical Study Participants, EEA Investigators and Site Personnel Notice, or Privacy Notice.

Choice

You may opt out of having your Personal Data shared with third parties by us, and you may revoke your consent that you have previously provided for us to share your Personal Data with third parties, except as required by law. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. To do this, you may send your request to us using the information in the “Contact Us” section below or by any of the methods listed in our Privacy Notice for Clinical Study Participants, EEA Investigators and Site Personnel Notice, or Privacy Notice.

Dispute Resolution

In compliance with the DPF, Upstream Bio commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, Swiss, and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the DPF should first contact Upstream Bio using the information in the “Contact Us” section below.

If DPF-related complaints cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on the DPF cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework, the text of which is available here.

Oversight

U.S. Regulatory Oversight

Upstream Bio is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Supervisory Oversight

If the EU General Data Protection Regulation (“GDPR”) applies to our processing of your Personal Data, you also have the right to lodge a complaint with a data protection regulator in one or more of the European Union Member States. Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or where the alleged violation of the GDPR occurred. If the UK GDPR applies to our processing of your Personal Data, you can lodge a complaint with the UK Information Commissioner’s Office.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page and update the “Last updated” date above.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please write to our privacy team by email at info@upstreambio.com or by postal mail at:

Upstream Bio, Inc.
890 Winter Street, Suite 200
Waltham, MA 02451

Please allow up to four weeks for us to reply.